[openssl-dev] OPENSSL_NO_SHA is still useful?
Hi,

do you think it is still necessary to leave #ifndef OPENSSL_NO_SHA and #ifdef OPENSSL_NO_SHA in the code? There are so many calls to EVP_sha1() (and other similar functions) that compiling with -DOPENSSL_NO_SHA gives an endless series of errors and warnings.

Regards,
Antonio

___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
[openssl-dev] [PATCH] Debug build configuration for mingw32
Hallo.

Attached is a patch that creates a debug configuration for mingw32, and makes Configure usable both on msys and msys2. It's diffed from openssl-1.0.2-stable-SNAP-20150106.tar.gz. I've looked at debug-cygwin debug #defines and used it as a starting point.

Thanks.

--
Paulo Caetano
http://cidebycide.blogspot.pt/

debug-mingw32.patch Description: Binary data
[openssl-dev] [openssl.org #3562] leading dots in nameConstraints ... bug report and patch
Fixed in 1.0.2 and master. Even though the commit message says 3662 not 3552 :(

OpenSSL_1_0_2-stable 129344a RT3662: Allow leading . in nameConstraints
master 77ff1f3 RT3662: Allow leading . in nameConstraints

Author: Dr. Stephen Henson st...@openssl.org
Date: Tue Jan 6 15:29:28 2015 -0500

RT3662: Allow leading . in nameConstraints

Change by SteveH from original by John Denker (in the RT)

Reviewed-by: Rich Salz rs...@openssl.org

--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #3489] [PATCH] DTLS/sctp stored shutdown memory leak
Fixed now, thanks for the report.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-dev] OpenSSL source reformat
Hi Matt,

first of all: THANK YOU! This has been overdue for ages!

Just a small tweak that would be nice I'd like to see would be to always have block markers for loops and conditions. The lack of those was one of the many pitfalls with the old source especially as the indentation had been off by one level in contrast to common rules.

Including the block markers (AKA curly brackets) at all times even for single statements has two advantages:
- You always have a block grouping statements to the proper statement
- You won't create an Apple-Style Goto Fail that easily

AFAIK indent should support adding all of them automagically; otherwise astyle is another powerful solution.

Anyway: BIG THANKS for finally making the code readable*.

Kind regards,
BenBE.

*Comprehensible is a different kettle of fish ;-)

On 05.01.2015 at 13:09, Matt Caswell wrote:
> We have previously announced our intention to reformat the entire codebase into a more consistent style (see our roadmap document here: https://www.openssl.org/about/roadmap.html)
>
> Since then we have been busy working towards doing that. I'd like to make available for comment a sample reformat. So far I've run it for master and 1.0.2, but the current thinking is that this will also be applied to 1.0.1, 1.0.0 and 0.9.8 (this is necessary to significantly ease the maintenance overhead)
>
> I've put the results of the reformat up on my github account here: https://github.com/mattcaswell/openssl
>
> The reformat of master is on the sample-master-reformat branch, and the 1.0.2 reformat is on sample-1.0.2-reformat.
>
> The style itself is heavily influenced by the Linux Kernel Coding style: https://www.kernel.org/doc/Documentation/CodingStyle
>
> Although there are some significant differences - most notably that we are using spaces not tabs for indents, and the indent depth is 4 characters not 8. We will be publishing our own style guide in due course.
>
> I'm not looking to open any religious wars here - so I'm not looking for comments on the style itself (e.g. debates about whether 2, 4 or 8 character indents are better (we've already had those!)) - but I'm mainly seeking feedback on anywhere where the reformatting has failed. We've already looked of course...but sometimes many sets of eyes are better!
>
> I've also made available the script that was used to do the reformatting. The script is called openssl-format-source and is in the util directory of the branches mentioned above. This script depends on GNU indent being available. It should be executed from the root of the source tree as follows:
>
> util/openssl-format-source -v -c .
>
> There are also some one-off manual tweaks (both before and after running the script) that need to be done which are present in the sample reformat branches. These are related to multi-line comments which have their own internal formatting - these aren't handled too well. The manual steps should be a one-off exercise though. The hope is that we will be able to re-run the script at regular intervals.
>
> Thanks
>
> Matt
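The failure mode the reply above refers to, as an added example that is not code from OpenSSL or from any message in this thread: the same stray duplicated line bypasses a check in the unbraced style and is inert in the always-braced style. check_hash() and check_signature() are hypothetical stand-ins constructed for the demonstration.

```c
#include <stdio.h>

/* Constructed stand-ins for verification steps: 0 = ok, nonzero = failure. */
static int check_hash(int ok)      { return ok ? 0 : -1; }
static int check_signature(int ok) { return ok ? 0 : -1; }

/* GCC and Clang warn about the pattern below; silenced so the demo builds. */
#pragma GCC diagnostic ignored "-Wmisleading-indentation"

/* Unbraced style: the duplicated goto is NOT guarded by the if above it. */
int verify_unbraced(int hash_ok, int sig_ok)
{
    int err;

    if ((err = check_hash(hash_ok)) != 0)
        goto fail;
        goto fail;          /* stray duplicate: always taken, err is 0 here */
    if ((err = check_signature(sig_ok)) != 0)
        goto fail;
fail:
    return err;             /* the signature check above was never reached */
}

/* Always-braced style: the same stray line stays inside the guarded block. */
int verify_braced(int hash_ok, int sig_ok)
{
    int err;

    if ((err = check_hash(hash_ok)) != 0) {
        goto fail;
        goto fail;          /* same duplicate: unreachable, harmless */
    }
    if ((err = check_signature(sig_ok)) != 0) {
        goto fail;
    }
fail:
    return err;
}

int main(void)
{
    /* Input: valid hash, bad signature. */
    printf("unbraced: %d\n", verify_unbraced(1, 0));
    printf("braced:   %d\n", verify_braced(1, 0));
    return 0;
}
```
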
[openssl-dev] [openssl.org #3642] Bug in OpenSSL 1.0.1j version: Decode error in TLS 1.2 handshake failure from client
On Fri Dec 26 12:19:01 2014, sameerpjo...@gmail.com wrote:
> Hi,
>
> I see a problem in OpenSSL code and want to confirm if this has been already reported as a bug or not.
>
> If the server sends CertificateRequest during TLS handshake in case of TLS1.2, the Client processes this request in method ssl3_get_certificate_request(SSL* s). While processing the request it calls tls1_process_sigalgs() method to process the signature algorithms. In this method tls1_process_sigalgs(), it's being checked if the s->cert pointer is NULL. This actually means the check whether the client has its own certificate or not. In case the pointer is NULL, indicating the client does not have certificate, the function returns zero or failure. TLS handshake fails here with decode error owing to SSL_R_SIGNATURE_ALGORITHMS_ERROR.

Can you actually produce the above error using s_client/s_server?

The s->cert field is not NULL if there is no client certificate: it is a structure which contains certificate related information which is set up in SSL_new(). It should never be NULL hence the "Should never happen" comment.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
[openssl-dev] [PATCH] timestamping: add digest algorithm selection during response
Dear OpenSSL developers,

I made an application which tests various digest and public key algorithms for timestamp generation, and I needed to make some changes to the OpenSSL codebase. Here is a small contribution which allows selecting the digest algorithm used during signature generation. This patch applies on top of current master (c1669e1). Feel free to give me any feedback on this. A small script is also attached to test this feature, which I executed from the apps/ directory.

Regards,
Jean-Louis.

From daf44de2f6ccc548e8c8aa1324970cdc0fc07ac2 Mon Sep 17 00:00:00 2001
From: Jean-Louis Thekekara jean-louis.thekek...@openwide.fr
Date: Mon, 5 Jan 2015 17:29:06 +0100
Subject: [PATCH] ts: Add digest algorithm selection during response

The previous default digest (sha1) has been kept, but another alternative would be to leave rsign_md = NULL when not defined by the user. It would trigger the following code in PKCS7_add_signature() : if (dgst == NULL) { int def_nid; if (EVP_PKEY_get_default_digest_nid(pkey, def_nid) = 0) goto err; dgst = EVP_get_digestbynid(def_nid); With a RSA key, it is currently sha256.
--- apps/ts.c | 36 +--- crypto/ts/ts.h |1 + crypto/ts/ts_rsp_sign.c |2 +- 3 files changed, 31 insertions(+), 8 deletions(-) diff --git a/apps/ts.c b/apps/ts.c index ace13bd..17a3db8 100644 --- a/apps/ts.c +++ b/apps/ts.c
@@ -98,11 +98,11 @@ static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey, char *signer, char *chain, const char *policy, char *in, int token_in, char *out, int token_out, - int text); + int text, const EVP_MD *rsign_md); static TS_RESP *read_PKCS7(BIO *in_bio); static TS_RESP *create_response(CONF *conf, const char *section, char *engine, char *queryfile, char *passin, char *inkey, -char *signer, char *chain, const char *policy); +char *signer, char *chain, const char *policy, const EVP_MD *rsign_md); static ASN1_INTEGER * MS_CALLBACK serial_cb(TS_RESP_CTX *ctx, void *data); static ASN1_INTEGER *next_serial(const char *serialfile); static int save_ts_serial(const char *serialfile, ASN1_INTEGER *serial); @@ -133,6 +133,7 @@ int MAIN(int argc, char **argv) char *data = NULL; char *digest = NULL; const EVP_MD *md = NULL; + const EVP_MD *rsign_md = NULL; char *rnd = NULL; char *policy = NULL; int no_nonce = 0; @@ -290,6 +291,17 @@ int MAIN(int argc, char **argv) if (argc-- 1) goto usage; engine = *++argv; } + else if (strcmp(*argv, -rmd) == 0) + { + if (argc-- 1) goto usage; + rsign_md = EVP_get_digestbyname(*++argv); + if (!rsign_md) +{ +BIO_printf(bio_err, Invalid digest : %s.\n, *--argv); +++argv; +goto usage; +} + } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) { /* empty. */ @@ -349,7 +361,7 @@ int MAIN(int argc, char **argv) ret = !reply_command(conf, section, engine, queryfile, password, inkey, signer, chain, policy, - in, token_in, out, token_out, text); + in, token_in, out, token_out, text, rsign_md); break; case CMD_VERIFY: ret = !(((queryfile !data !digest) 
@@ -375,7 +387,7 @@ int MAIN(int argc, char **argv) BIO_printf(bio_err, or\n ts -reply [-config configfile] [-section tsa_section] [-queryfile request.tsq] [-passin password] - [-signer tsa_cert.pem] [-inkey private_key.pem] + [-signer tsa_cert.pem] [-rmd digest_algo_used_for_response] [-inkey private_key.pem] [-chain certs_file.pem] [-policy object_id] [-in response.tsr] [-token_in] [-out response.tsr] [-token_out] [-text] [-engine id]\n); @@ -675,7 +687,7 @@ static int reply_command(CONF *conf, char *section, char *engine, char *queryfile, char *passin, char *inkey, char *signer, char *chain, const char *policy, char *in, int token_in, - char *out, int token_out, int text) + char *out, int token_out, int text, const EVP_MD *rsign_md) { int ret = 0; TS_RESP *response = NULL; @@ -705,7 +717,7 @@ static int reply_command(CONF *conf, char *section, char *engine, { response = create_response(conf, section, engine, queryfile, passin, inkey, signer, chain, - policy); + policy, rsign_md); if (response) BIO_printf(bio_err, Response has been generated.\n); else @@ -800,7 +812,7 @@ static TS_RESP *read_PKCS7(BIO *in_bio) static TS_RESP *create_response(CONF *conf, const char *section, char *engine, char *queryfile, char *passin, char *inkey, -char *signer, char *chain, const char *policy) +char *signer, char *chain, const char *policy, const EVP_MD *rsign_md) { int ret = 0; TS_RESP *response = NULL; @@ -859,6 +871,16 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine, /* Setting the ESS cert id chain flag if requested. */ if
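Review bot: In the -rmd branch added to MAIN() (hunk at -290,6 +291,17), the error path prints the wrong argument. After `rsign_md = EVP_get_digestbyname(*++argv);` argv already points at the digest name, so `*--argv` in the BIO_printf call steps back to the option itself and the message reports -rmd instead of the digest that was rejected. Print `*argv` there and drop the `--argv` / `++argv` pair.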
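Review bot: The new option is documented only in the built-in help: the usage hunk at -375,7 +387,7 gains `[-rmd digest_algo_used_for_response]`, while the diffstat lists just apps/ts.c, crypto/ts/ts.h and crypto/ts/ts_rsp_sign.c. Please add -rmd to the ts documentation and state the default there, since the commit message says sha1 is kept when the user does not define a digest. A shorter placeholder such as `digest` would also keep that usage line closer to the width of its neighbours.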