Re: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol
Thanks Andy, Michel. I'll give a try again. -- B R , Atul Thosar On 1 March 2016 at 18:30, Andy Polyakov wrote: > > link /nologo /subsystem:console /opt:ref /debug /dll > > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def > > @C:\Users\athosar\AppData\Local\Temp\nm43EB.tmp > > Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp > > cryptlib.obj : error LNK2001: unresolved external symbol > _OPENSSL_ia32cap_P > > This shouldn't happen if you go for no-asm. Basically it sounds like a > left-over from attempt to build with asm support. In other words start > over from empty directory. > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [PATCH] [openssl.org #2558] make windres controllable via build env var settings
atm, the windres code in openssl is only usable via the cross-compile prefix option unlike all the other build tools. So add support for the standard $RC / $WINDRES env vars as well. --- Configure | 1 + Makefile.in | 2 ++ Makefile.shared | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Configure b/Configure index 080bc06..f5b1257 100755 --- a/Configure +++ b/Configure @@ -888,6 +888,7 @@ $target{ranlib} = $ENV{'RANLIB'} || $target{ranlib} || $default_ranlib; $target{ar} = $ENV{'AR'} || "ar"; $target{arflags} = "" if !defined($target{arflags}); $target{nm} = "nm"; +$target{windres} = $ENV{'RC'} || $ENV{'WINDRES'} || "windres"; # Make sure build_scheme is consistent. $target{build_scheme} = [ $target{build_scheme} ] if ref($target{build_scheme}) ne "ARRAY"; diff --git a/Makefile.in b/Makefile.in index 30f44ff..0830b88 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,6 +103,7 @@ ARFLAGS= {- $target{arflags} -} AR=$(CROSS_COMPILE){- $target{ar} -} $(ARFLAGS) r RANLIB= {- $target{ranlib} -} NM= $(CROSS_COMPILE){- $target{nm} -} +WINDRES= $(CROSS_COMPILE){- $target{windres} -} PERL= {- $config{perl} -} #RM= echo -- RM= rm -f @@ -254,6 +255,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\ SHARED_CFLAG='$(SHARED_CFLAG)' \ AS='$(CC)' ASFLAG='$(CFLAG) -c' \ AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'\ + WINDRES='$(WINDRES)'\ CROSS_COMPILE='$(CROSS_COMPILE)'\ PERL='$(PERL)' DYNAMIC_ENGINES='$(DYNAMIC_ENGINES)' \ SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \ diff --git a/Makefile.shared b/Makefile.shared index 9028960..adcfe40 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -280,7 +280,7 @@ link_shlib.cygwin: echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \ "$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \ $(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \ - $(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \ + $(WINDRES) $(SHARED_RCFLAGS) -o rc.o; \ ALLSYMSFLAGS='-Wl,--whole-archive'; \ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a rc.o"; \ -- 2.6.2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2558 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4367]: FEATURE: Please add -headerpad_max_install_names to LDFLAGS for dynamic libraries on OS X builds
Also worth mentioning: depending on how much magic will be sprinkled from the PERL script... install_name is available on OS X 10.4 and above, which covers the last 10 years or so. Also see "Configure-based open source libraries: current_version and install_name" (http://lists.apple.com/archives/unix-porting/2006/Dec/msg9.html) on the Apple mailing lists. On Tue, Mar 1, 2016 at 10:30 PM, Jeffrey Walton wrote: > OS X side steps the problems with selecting the wrong runtime library > and RPATHs by using something called an install name. Effectively, the > install name should be placed in libcrypto.dylib and libssl.dylib, and > it calls out the fully qualified path name. Programs linked to a > library with an install name will record the library, and dyld(1) will > link to the proper library at runtime. There's no need for tricks like > LD_LIBRARY_PATH on Linux (its called DYLD_LIBRARY_PATH on OS X). > > To make room for an install name that may change (for example, from > PWD to /usr/local/ssl/lib, you need to use the flag > -headerpad_max_install_names on libcrypto.dylib and libssl.dylib. > > To add the icing to the cake, 'make install' should add the following > to its recipe for OS X: > > cp libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > > And: > > cp libssl.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib > install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib > $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4367]: OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'"
For completeness, the same configuration under 32-bit is OK. On Tue, Mar 1, 2016 at 9:54 PM, Jeffrey Walton wrote: > $ make depend && make clean && make > ... > > $ make test > ... > > ../test/recipes/80-test_tsa.t . ok > ../test/recipes/90-test_async.t ... 1/1 > # Failed test 'running asynctest' > # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_async.t ... Dubious, test returned 1 > (wstat 256, 0x100) > Failed 1/1 subtests > ... > Test Summary Report > --- > ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 > cusr 45.51 csys = 214.67 CPU) > Result: FAIL > Failed 1/70 test programs. 1/389 subtests failed. > make[1]: *** [tests] Error 255 > > ** > $ KERNEL_BITS=64 ./config no-asm > Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul > 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC > Configuring for darwin64-ppc-cc > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x1014L) > no-asm [option] OPENSSL_NO_ASM > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip > dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) > no-zlib [default] > no-zlib-dynamic [forced] > Configuring for darwin64-ppc-cc > IsMK1MF =no > CC=cc > CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC > LFLAG = > PLIB_LFLAG=-Wl,-search_paths_first > EX_LIBS = > CPUID_OBJ =mem_clr.o > BN_ASM=bn_asm.o > EC_ASM= > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes_core.o aes_cbc.o > BF_ENC=bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4_enc.o rc4_skey.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM = > SHA1_OBJ_ASM = > RMD160_OBJ_ASM= > CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o > MODES_OBJ = > PADLOCK_OBJ = > CHACHA_ENC=chacha_enc.o > POLY1305_OBJ = > PROCESSOR = > RANLIB=/usr/bin/ranlib > ARFLAGS = > PERL =/opt/local/bin//perl5 > > SIXTY_FOUR_BIT_LONG mode > > Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4367] FEATURE: Please add -headerpad_max_install_names to LDFLAGS for dynamic libraries on OS X builds
OS X side steps the problems with selecting the wrong runtime library and RPATHs by using something called an install name. Effectively, the install name should be placed in libcrypto.dylib and libssl.dylib, and it calls out the fully qualified path name. Programs linked to a library with an install name will record the library, and dyld(1) will link to the proper library at runtime. There's no need for tricks like LD_LIBRARY_PATH on Linux (its called DYLD_LIBRARY_PATH on OS X). To make room for an install name that may change (for example, from PWD to /usr/local/ssl/lib, you need to use the flag -headerpad_max_install_names on libcrypto.dylib and libssl.dylib. To add the icing to the cake, 'make install' should add the following to its recipe for OS X: cp libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib And: cp libssl.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4366]: OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1)
The issue exists with 32-bit builds, too: $ KERNEL_BITS=32 ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x1014L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin-ppc-cc IsMK1MF =no CC=cc CFLAG = -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -O3 DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM LFLAG = PLIB_LFLAG=-Wl,-search_paths_first EX_LIBS = CPUID_OBJ =ppccpuid.o ppccap.o BN_ASM=bn-ppc.o ppc-mont.o ppc64-mont.o EC_ASM= DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashp8-ppc.o PADLOCK_OBJ = CHACHA_ENC=chacha-ppc.o POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o PROCESSOR = RANLIB=/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 THIRTY_TWO_BIT mode BN_LLONG mode Configured for darwin-ppc-cc. On Tue, Mar 1, 2016 at 9:15 PM, Jeffrey Walton wrote: > $ make depend && make clean && make > ... > > cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN > -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 > -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s > chacha-ppc.s:454:Parameter syntax error (parameter 1) > make[2]: *** [chacha-ppc.o] Error 1 > make[1]: *** [subdirs] Error 1 > make: *** [build_crypto] Error 1 > > ** > > $ KERNEL_BITS=64 ./config > Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul > 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC > Configuring for darwin64-ppc-cc > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x1014L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip > dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) > no-zlib [default] > no-zlib-dynamic [forced] > Configuring for darwin64-ppc-cc > IsMK1MF =no > CC=cc > CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM > SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG=-Wl,-search_paths_first > EX_LIBS = > CPUID_OBJ =ppccpuid.o ppccap.o > BN_ASM=bn-ppc.o ppc-mont.o ppc64-mont.o > EC_ASM= > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o > BF_ENC=bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4_enc.o rc4_skey.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM = > SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o > sha512p8-ppc.o > RMD160_OBJ_ASM= > CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o > MODES_OBJ =ghashp8-ppc.o > PADLOCK_OBJ = > CHACHA_ENC=chacha-ppc.o >
[openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'"
$ make depend && make clean && make ... $ make test ... ../test/recipes/80-test_tsa.t . ok ../test/recipes/90-test_async.t ... 1/1 # Failed test 'running asynctest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. ../test/recipes/90-test_async.t ... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ... Test Summary Report --- ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 cusr 45.51 csys = 214.67 CPU) Result: FAIL Failed 1/70 test programs. 1/389 subtests failed. make[1]: *** [tests] Error 255 ** $ KERNEL_BITS=64 ./config no-asm Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin64-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x1014L) no-asm [option] OPENSSL_NO_ASM no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin64-ppc-cc IsMK1MF =no CC=cc CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC LFLAG = PLIB_LFLAG=-Wl,-search_paths_first EX_LIBS = CPUID_OBJ =mem_clr.o BN_ASM=bn_asm.o EC_ASM= DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ = PADLOCK_OBJ = CHACHA_ENC=chacha_enc.o POLY1305_OBJ = PROCESSOR = RANLIB=/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 SIXTY_FOUR_BIT_LONG mode Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4365] OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1)
$ make depend && make clean && make ... cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s chacha-ppc.s:454:Parameter syntax error (parameter 1) make[2]: *** [chacha-ppc.o] Error 1 make[1]: *** [subdirs] Error 1 make: *** [build_crypto] Error 1 ** $ KERNEL_BITS=64 ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin64-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x1014L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace[default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test[default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin64-ppc-cc IsMK1MF =no CC=cc CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM LFLAG = PLIB_LFLAG=-Wl,-search_paths_first EX_LIBS = CPUID_OBJ =ppccpuid.o ppccap.o BN_ASM=bn-ppc.o ppc-mont.o ppc64-mont.o EC_ASM= DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o BF_ENC=bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashp8-ppc.o PADLOCK_OBJ = CHACHA_ENC=chacha-ppc.o POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o PROCESSOR = RANLIB=/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 SIXTY_FOUR_BIT_LONG mode Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4365 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files
> I'm unclear on what EVP_CIPHER's interface guarantees are, but our EVP_AEAD > APIs are documented to allow in/out buffers to alias as long as out is <= > in. This matches what callers might expect from a naive implementation. > > Our AES-GCM EVP_AEADs, which share code with OpenSSL, have tended to match > this pattern too. For ChaCha, of chacha-{x86,x86_64,armv4,armv8}.pl and the > C implementation, all seem satisfy this (though it's possible I don't have > complete coverage) except for chacha-x86.pl. That one works if in == out, > but not if out is slightly behind. > > We were able to reproduce problems when in = out + 1. The SSE3 code > triggers if the input is at least 256 bytes and the non-SSE3 code if the > input is at least 64 bytes. The non-SSE3 code is because the words in a > block are processed in a slightly funny order (0, 4, 8, 9, 12, 14, 1, 2, 3, > 5, 6, 7, 10, 11, 13, 15). I haven't looked at the SSE3 case carefully, but > I expect it's something similar. It's in 16-byte chunks numbered 0,4,8,12, 1,5,8,13, 2,6,... > Could the blocks perhaps be processed in a more straight-forward ordering, > so that chacha-x86.pl behaves like the other implementations? (It's nice to > avoid bugs that only trigger in one implementation.) Or is this order > necessary for something? It's the order in which amount of references to memory is minimal. But double-check attached. diff --git a/crypto/chacha/asm/chacha-x86.pl b/crypto/chacha/asm/chacha-x86.pl index 850c917..986e7f7 100755 --- a/crypto/chacha/asm/chacha-x86.pl +++ b/crypto/chacha/asm/chacha-x86.pl @@ -19,13 +19,13 @@ # P4 18.6/+84% # Core29.56/+89% 4.83 # Westmere 9.50/+45% 3.35 -# Sandy Bridge 10.5/+47% 3.20 -# Haswell 8.15/+50% 2.83 -# Silvermont 17.4/+36% 8.35 +# Sandy Bridge 10.7/+47% 3.24 +# Haswell 8.22/+50% 2.89 +# Silvermont 17.8/+36% 8.53 # Sledgehammer 10.2/+54% -# Bulldozer13.4/+50% 4.38(*) +# Bulldozer13.5/+50% 4.39(*) # -# (*) Bulldozer actually executes 4xXOP code path that delivers 3.55; +# (*) Bulldozer actually executes 4xXOP code path that delivers 3.50; $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); @@ -238,18 +238,20 @@ if ($xmm) { &xor($a, &DWP(4*0,$b)); # xor with input &xor($b_,&DWP(4*4,$b)); - &mov(&DWP(4*0,"esp"),$a); + &mov(&DWP(4*0,"esp"),$a); # off-load for later write &mov($a,&wparam(0));# load output pointer &xor($c, &DWP(4*8,$b)); &xor($c_,&DWP(4*9,$b)); &xor($d, &DWP(4*12,$b)); &xor($d_,&DWP(4*14,$b)); - &mov(&DWP(4*4,$a),$b_); # write output - &mov(&DWP(4*8,$a),$c); - &mov(&DWP(4*9,$a),$c_); - &mov(&DWP(4*12,$a),$d); - &mov(&DWP(4*14,$a),$d_); + &mov(&DWP(4*4,"esp"),$b_); + &mov($b_,&DWP(4*0,"esp")); + &mov(&DWP(4*8,"esp"),$c); + &mov(&DWP(4*9,"esp"),$c_); + &mov(&DWP(4*12,"esp"),$d); + &mov(&DWP(4*14,"esp"),$d_); + &mov(&DWP(4*0,$a),$b_); # write output in order &mov($b_,&DWP(4*1,"esp")); &mov($c, &DWP(4*2,"esp")); &mov($c_,&DWP(4*3,"esp")); @@ -266,35 +268,45 @@ if ($xmm) { &xor($d, &DWP(4*5,$b)); &xor($d_,&DWP(4*6,$b)); &mov(&DWP(4*1,$a),$b_); + &mov($b_,&DWP(4*4,"esp")); &mov(&DWP(4*2,$a),$c); &mov(&DWP(4*3,$a),$c_); + &mov(&DWP(4*4,$a),$b_); &mov(&DWP(4*5,$a),$d); &mov(&DWP(4*6,$a),$d_); - &mov($b_,&DWP(4*7,"esp")); - &mov($c, &DWP(4*10,"esp")); + &mov($c,&DWP(4*7,"esp")); + &mov($d,&DWP(4*8,"esp")); + &mov($d_,&DWP(4*9,"esp")); + &add($c,&DWP(64+4*7,"esp")); + &mov($b_, &DWP(4*10,"esp")); + &xor($c,&DWP(4*7,$b)); &mov($c_,&DWP(4*11,"esp")); + &mov(&DWP(4*7,$a),$c); + &mov(&DWP(4*8,$a),$d); + &mov(&DWP(4*9,$a),$d_); + + &add($b_, &DWP(64+4*10,"esp")); + &add($c_,&DWP(64+4*11,"esp")); + &xor($b_, &DWP(4*10,$b)); + &xor($c_,&DWP(4*11,$b)); + &mov(&DWP(4*10,$a),$b_); + &mov(&DWP(4*11,$a),$c_); + + &mov($c,&DWP(4*12,"esp")); + &mov($c_,&DWP(4*14,"esp")); &mov($d, &DWP(4*13,"esp")); &mov($d_,&DWP(4*15,"esp")); - &add($b_,&DWP(64+4*7,"esp")); - &add($c, &DWP(64+4*10,"esp")); - &add($c_,&DWP(64+4*11,"esp")); &add($d, &DWP(64+4*13,"esp")); &add($d_,&DWP(64+4*15,"esp")); - &xor($b_,&DWP(4*7,$b)); - &xor($c, &DWP(4*10,$b)); - &xor($c_,&DWP(4*11,$b)); &xor($d, &DWP(4*13,$b)); &xor($d_,&DWP(4*15,$b)); &le
Re: [openssl-dev] PHP openssl ext port for 1.1 - cert->name
On 1 Mar 2016 21:03, "Dr. Stephen Henson" wrote: > > On Tue, Mar 01, 2016, Jakub Zelenka wrote: > > > Hello, > > > > I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and > > just came across one thing that I can't find a function for. > > > > We have got a part in openssl_x509_parse where we display cert->name (cert > > is X509 struct) if it is not NULL: > > > > https://github.com/php/php-src/blob/715a198e1f4f6f79f596963727b1a1c92e7fed1b/ext/openssl/openssl.c#L1998 > > > > The X509 is now opaque and I can't find any function for that which I might > > be missing because it's quite late... :) > > > > I tried to find it using > > > > grep -rn '>name' crypto/x509 > > > > but it doesn't show any function that would return a cert name > > > > Not sure if it's actually useful to show that but I see that the name is > > set in x509_cb when operation is ASN1_OP_D2I_POST > > as X509_NAME_oneline(ret->cert_info.subject, NULL, 0) . > > > > Please could you let me know if there is a function for that or what I > > should use instead? > > > > It isn't really useful. It uses the ancient and quirky X509_NAME_oneline() > function to convert the certificate subject name to an old oneline format > (which mishandles things like multi byte characters). > > If you really want it you can create it using X509_get_subect_name() and > X509_NAME_oneline() directly but you have to free it once you've finished with > it. > Ok great. I will probably do that for now just to keep it as it was and then possibly take a look if we could replace it with something more useful or if we should just remove it. That function needs closer look anyway. Thanks a lot for letting me know! -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine)
On 03/01/2016 04:27 PM, Benjamin Kaduk wrote: > On 03/01/2016 03:18 PM, Brad House wrote: >> On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: >>> On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: >>> >>> The only plausible change from 1.0.2f to 1.0.2g that I see that might >>> be related to this is below. Does it work if you revert this change >>> (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac [snip] >> Confirmed. Reverting that commit fixes the build. >> > > Does the alternate patch from RT #3885 (i.e., from > https://github.com/openssl/openssl/pull/597) cause a similar build breakage? > Confirmed, this alternate patch worked (or at least compiled) fine: https://github.com/akamai/openssl/commit/c4af68c317c025c7d0c4f0495b8115d6426a25be.patch -Brad -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files
If the other EVP ciphers universally allow this then I think we must treat this as a bug, because people may be relying on this behaviour. There is also sporadic documentation in lower-level APIs (AES source and des.pod) that the buffers may overlap. If it's inconsistent then, at the very least, we must document that it is not allowed. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] OpenSSL Security Advisory
> I am a bit surprised with the following assertion concerning CVE-2016-0798 : > (Memory leak in SRP database lookups) > "This issue was discovered on February 23rd 2016..." Yes, Michel, sorry. You did create a ticket: https://rt.openssl.org/Ticket/Display.html?id=4172 Thanks for being so good-natured about the oversight. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine)
On 03/01/2016 03:18 PM, Brad House wrote: > On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: >> On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: >> >> The only plausible change from 1.0.2f to 1.0.2g that I see that might >> be related to this is below. Does it work if you revert this change >> (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac [snip] > Confirmed. Reverting that commit fixes the build. > Does the alternate patch from RT #3885 (i.e., from https://github.com/openssl/openssl/pull/597) cause a similar build breakage? -Ben -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine)
On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: > On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: > >> We have a Mac build system running an older version (10.7), targeting 10.6, >> which is >> using this compiler: >> >> $ cc --version >> i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build >> 5658) (LLVM build 2336.1.00) >> >> >> And while building 1.0.2g released today, we found a build regression for >> x86_64, this >> regression appears to only impact 1.0.2g (1.0.1s also released today is >> unaffected, >> as is the prior 1.0.2f, and 1.0.2g when building 32bit/i386 too is >> unaffected). >> >> The build error is: >> >> cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC >> -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN >> -DHAVE_DLFCN_H -isysroot /Developer/SDKs/MacOSX10.6.sdk/ >> -mmacosx-version-min=10.6 -arch x86_64 -O3 -DL_ENDIAN -Wall >> -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT >> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >> -I/usr/local//ssl-fips-2.0.11-x86_64/include -DSHA1_ASM -DSHA256_ASM >> -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM >> -DGHASH_ASM -DECP_NISTZ256_ASM -c -o sha1-x86_64.o sha1-x86_64.s >> sha1-x86_64.s:1243:missing or invalid immediate expression `0b00011011' >> taken as 0 >> sha1-x86_64.s:1243:suffix or operands invalid for `pshufd' >> sha1-x86_64.s:1245:missing or invalid immediate expression `0b00011011' >> taken as 0 >> sha1-x86_64.s:1245:suffix or operands invalid for `pshufd' >> sha1-x86_64.s:1395:missing or invalid immediate expression `0b00011011' >> taken as 0 >> sha1-x86_64.s:1395:suffix or operands invalid for `pshufd' >> sha1-x86_64.s:1396:missing or invalid immediate expression `0b00011011' >> taken as 0 >> sha1-x86_64.s:1396:suffix or operands invalid for `pshufd' > > The only plausible change from 1.0.2f to 1.0.2g that I see that > might be related to this is below. Does it work if you revert this > change (patch -R): > > commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac > [snip] Confirmed. Reverting that commit fixes the build. -Brad -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl-users] OpenSSL Security Advisory
Hi, I am a bit surprised with the following assertion concerning CVE-2016-0798 : (Memory leak in SRP database lookups) "This issue was discovered on February 23rd 2016..." My opinion is that this issue is known at least since I reported it to you (first in march 2015 !) : https://mta.openssl.org/pipermail/openssl-dev/2015-March/001015.html https://mta.openssl.org/pipermail/openssl-bugs-mod/2015-December/000279.html This is s a further demonstration that I still have to improve my english ! ;-) Regards, Michel. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] PHP openssl ext port for 1.1 - cert->name
On Tue, Mar 01, 2016, Jakub Zelenka wrote: > Hello, > > I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and > just came across one thing that I can't find a function for. > > We have got a part in openssl_x509_parse where we display cert->name (cert > is X509 struct) if it is not NULL: > > https://github.com/php/php-src/blob/715a198e1f4f6f79f596963727b1a1c92e7fed1b/ext/openssl/openssl.c#L1998 > > The X509 is now opaque and I can't find any function for that which I might > be missing because it's quite late... :) > > I tried to find it using > > grep -rn '>name' crypto/x509 > > but it doesn't show any function that would return a cert name > > Not sure if it's actually useful to show that but I see that the name is > set in x509_cb when operation is ASN1_OP_D2I_POST > as X509_NAME_oneline(ret->cert_info.subject, NULL, 0) . > > Please could you let me know if there is a function for that or what I > should use instead? > It isn't really useful. It uses the ancient and quirky X509_NAME_oneline() function to convert the certificate subject name to an old oneline format (which mishandles things like multi byte characters). If you really want it you can create it using X509_get_subect_name() and X509_NAME_oneline() directly but you have to free it once you've finished with it. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] PHP openssl ext port for 1.1 - cert->name
Hello, I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and just came across one thing that I can't find a function for. We have got a part in openssl_x509_parse where we display cert->name (cert is X509 struct) if it is not NULL: https://github.com/php/php-src/blob/715a198e1f4f6f79f596963727b1a1c92e7fed1b/ext/openssl/openssl.c#L1998 The X509 is now opaque and I can't find any function for that which I might be missing because it's quite late... :) I tried to find it using grep -rn '>name' crypto/x509 but it doesn't show any function that would return a cert name Not sure if it's actually useful to show that but I see that the name is set in x509_cb when operation is ASN1_OP_D2I_POST as X509_NAME_oneline(ret->cert_info.subject, NULL, 0) . Please could you let me know if there is a function for that or what I should use instead? Thanks a lot Jakub -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL 1.0.2g - make test fails with FIPS -- regression from 1.0.2f
Brad House wrote: It appears OpenSSL 1.0.2g introduced a regression when attempting to run 'make test' on a fips-enabled build on linux. When compiling without FIPS, the tests pass as expected. However, with fips turned on, "make test" fails when trying to use ssl2 it appears. Running 'make test' is a fairly standard practice to try to ensure there were no unexpected failures on a given platform. 1.0.2f is unaffected, as is 1.0.1r. However, 1.0.1s is also impacted. Actually all 1.0.{1|2}* versions are impacted if build is with no-ssl2 and no-ssl3 [SNIP] Roumen -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4364] [PATCH] ASN1_get_object should not accept large universal tags.
See attached. OpenSSL can't actually represent large universal tags because it collides with the V_ASN1_NEG flag, yet it happily parses them in high tag number form. d2i_ASN1_TYPE interprets 1f82020100 as a negative zero, rather than an element with tag [UNIVERSAL 258]. I've intentionally made the patch very conservative, so it only limits universal tags, in case there is worry about someone actually using tag number 258 of another class. (Although I've never seen anything go beyond 31 into high tag number form at all.) Our version of the change has a test: https://boringssl.googlesource.com/boringssl/+/fb2c6f8c8565e1e2d85c24408050c96521acbcdc%5E%21/ It should be straight-forward to adapt (the test barely does anything). I'm not sure how adding a test in OpenSSL works these days, so I leave that to you. David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4364 Please log in as guest with password guest if prompted >From be074e3369ee0754f1413be82d0fa0f5effc8b27 Mon Sep 17 00:00:00 2001 From: David Benjamin Date: Tue, 1 Mar 2016 13:58:04 -0500 Subject: [PATCH] ASN1_get_object should not accept large universal tags. The high bits of the type get used for the V_ASN1_NEG bit, so when used with ASN1_ANY/ASN1_TYPE, universal tags become ambiguous. This allows one to create a negative zero, which should be impossible. Impose an upper bound on universal tags accepted by crypto/asn1. See also BoringSSL's https://boringssl.googlesource.com/boringssl/+/fb2c6f8c8565e1e2d85c24408050c96521acbcdc. --- crypto/asn1/asn1_lib.c | 4 include/openssl/asn1.h | 3 +++ 2 files changed, 7 insertions(+) diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index da1ac78..fe1473f 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -126,6 +126,10 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, if (--max == 0) goto err; } + +if (xclass == V_ASN1_UNIVERSAL && tag > V_ASN1_MAX_UNIVERSAL) +goto err; + *ptag = tag; *pclass = xclass; if (!asn1_get_length(&p, &inf, plength, (int)max)) diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index 360914d..aa064d2 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h @@ -95,6 +95,9 @@ extern "C" { # define V_ASN1_ANY -4/* used in ASN1 template code */ # define V_ASN1_NEG 0x100/* negative flag */ +/* No supported universal tags may exceed this value, to avoid ambiguity with + * V_ASN1_NEG. */ +# define V_ASN1_MAX_UNIVERSAL0xff # define V_ASN1_UNDEF-1 # define V_ASN1_EOC 0 -- 2.7.0.rc3.207.g0ac5344 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL Security Advisory
Thanks for the test tool and making it available so quickly, we were able to close our DROWN bug ticket less than an hour after opening it! I'm interested in your tlsfuzzer tool (of which this appears to be a part), is there a larger test suite available? Is there any documentation out there? Thanks again .. N Nou Dadoun Senior Firmware Developer, Security Specialist Office: 604.629.5182 ext 2632 Support: 888.281.5182 | avigilon.com Follow Twitter | Follow LinkedIn -Original Message- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Hubert Kario Sent: Tuesday, March 01, 2016 7:22 AM To: openssl-dev@openssl.org Subject: Re: [openssl-dev] OpenSSL Security Advisory Scripts to verify that a server is not vulnerable to DROWN. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4363] [PATCH] Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c
Hi, This is a patch that uses BN_CTX_start/end to correctly initialize the BN_CTX stack in EC_KEY_set_public_key_affine_coordinates. -Steven -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4363 Please log in as guest with password guest if prompted >From 842278f5f12601d7424cdb516706ef1218b72975 Mon Sep 17 00:00:00 2001 From: Steven Valdez Date: Tue, 1 Mar 2016 13:20:43 -0500 Subject: [PATCH] Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c --- crypto/ec/ec_key.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 7d8507c..0d6c625 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -360,8 +360,9 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, } ctx = BN_CTX_new(); if (ctx == NULL) -goto err; +return 0; +BN_CTX_start(ctx); point = EC_POINT_new(key->group); if (point == NULL) @@ -416,6 +417,7 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, ok = 1; err: +BN_CTX_end(ctx); BN_CTX_free(ctx); EC_POINT_free(point); return ok; -- 2.7.0.rc3.207.g0ac5344 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files
I'm unclear on what EVP_CIPHER's interface guarantees are, but our EVP_AEAD APIs are documented to allow in/out buffers to alias as long as out is <= in. This matches what callers might expect from a naive implementation. Our AES-GCM EVP_AEADs, which share code with OpenSSL, have tended to match this pattern too. For ChaCha, of chacha-{x86,x86_64,armv4,armv8}.pl and the C implementation, all seem satisfy this (though it's possible I don't have complete coverage) except for chacha-x86.pl. That one works if in == out, but not if out is slightly behind. We were able to reproduce problems when in = out + 1. The SSE3 code triggers if the input is at least 256 bytes and the non-SSE3 code if the input is at least 64 bytes. The non-SSE3 code is because the words in a block are processed in a slightly funny order (0, 4, 8, 9, 12, 14, 1, 2, 3, 5, 6, 7, 10, 11, 13, 15). I haven't looked at the SSE3 case carefully, but I expect it's something similar. Could the blocks perhaps be processed in a more straight-forward ordering, so that chacha-x86.pl behaves like the other implementations? (It's nice to avoid bugs that only trigger in one implementation.) Or is this order necessary for something? David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] Test script failing for OpenSSL-1.0.1s when built as FIPS Capable
Hello, I have run into a problem when I am build OpenSSL-1.0.1s as FIPS Capable. The problem is that the test script is failing. I believe that this maybe because of different behavior in the tests now that the "no-ssl2" flag has been added to the OPTIONS (i.e. SSLv2 has been disabled in OpenSSL, but not in the tests). Details below. Any help would be appreciated. Thanks, Carl Tietjen Micofocus Problem: "make test" is failing because of change to disable SSLv2 Version: openssl-1.0.1s FIPS Module: openssl-fips-ecp-2.0.11 Error message: ... test ssl2 is forbidden in FIPS mode Testing was requested for a disabled protocol. Skipping tests. make[1]: *** [test_ssl] Error 1 make[1]: Leaving directory `/root/FIPS_1.0.1s/openssl-1.0.1s/test' make: *** [tests] Error 2 Make test failed Old messages (i.e. from OpenSSL-1.0.1r build): ... test ssl2 is forbidden in FIPS mode *** IN FIPS MODE *** Available compression methods: NONE 140038414411432:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1720: 140038414411432:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1720: test tls1 ... -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] OpenSSL 1.0.2g - make test fails with FIPS -- regression from 1.0.2f
It appears OpenSSL 1.0.2g introduced a regression when attempting to run 'make test' on a fips-enabled build on linux. When compiling without FIPS, the tests pass as expected. However, with fips turned on, "make test" fails when trying to use ssl2 it appears. Running 'make test' is a fairly standard practice to try to ensure there were no unexpected failures on a given platform. 1.0.2f is unaffected, as is 1.0.1r. However, 1.0.1s is also impacted. Here's the last bit from the failure: ../util/shlib_wrap.sh ./evp_extra_test PASS test SSL protocol test ssl3 is forbidden in FIPS mode *** IN FIPS MODE *** Available compression methods: NONE 47614155012464:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1877: 47614155012464:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1877: test ssl2 is forbidden in FIPS mode Testing was requested for a disabled protocol. Skipping tests. gmake[1]: *** [test_ssl] Error 1 gmake[1]: Leaving directory `/home/bhouse/tmp/openssl-1.0.2g/test' gmake: *** [tests] Error 2 -Brad -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4361] IBM POWER VSX optimizations for OpenSSL
See https://openssl.org/community/getting-started.html for a starting point. -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4361 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine)
We have a Mac build system running an older version (10.7), targeting 10.6, which is using this compiler: $ cc --version i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.1.00) And while building 1.0.2g released today, we found a build regression for x86_64, this regression appears to only impact 1.0.2g (1.0.1s also released today is unaffected, as is the prior 1.0.2f, and 1.0.2g when building 32bit/i386 too is unaffected). The build error is: cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -isysroot /Developer/SDKs/MacOSX10.6.sdk/ -mmacosx-version-min=10.6 -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local//ssl-fips-2.0.11-x86_64/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c -o sha1-x86_64.o sha1-x86_64.s sha1-x86_64.s:1243:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1243:suffix or operands invalid for `pshufd' sha1-x86_64.s:1245:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1245:suffix or operands invalid for `pshufd' sha1-x86_64.s:1395:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1395:suffix or operands invalid for `pshufd' sha1-x86_64.s:1396:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1396:suffix or operands invalid for `pshufd' -Brad -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4361] IBM POWER VSX optimizations for OpenSSL
I would like to create a number of enhancement requests for OpenSSL to improve the performance of specific algorithms on IBM POWER using the VSX SIMD instruction set with the possibility of creating financial bounties (through bountysource.com) for the projects. What is the best way open these requests? Should I send email to RT? Should I open issues on Github? Thanks, David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4361 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4347] Fix GCC unused-value warnings with HOST_c2l()
fixed with commit 09977dd thanks! -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4347 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4358] Problems in ocsp.1ssl
fixed thanks. -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4358 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL Security Advisory
Scripts to verify that a server is not vulnerable to DROWN. Two scripts are provided to verify that SSLv2 and all of its ciphers are disabled and that export grade SSLv2 are disabled and can't be forced by client. Reproducer requires Python 2.6 or 3.2 or later, you will also need git to download the sources # Download the reproducer: git clone https://github.com/tomato42/tlsfuzzer cd tlsfuzzer git checkout ssl2 # Download the reproducer dependencies git clone https://github.com/tomato42/tlslite-ng .tlslite-ng ln -s .tlslite-ng/tlslite tlslite pushd .tlslite-ng # likely won't be necessary in near future, code will be merged soon git checkout sslv2 popd git clone https://github.com/warner/python-ecdsa .python-ecdsa ln -s .python-ecdsa/ecdsa ecdsa To verify that an https server at example.com does not support SSLv2 at all, use the following command: PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \ -h example.com -p 443 To only verify that the server does not support export grade SSLv2 ciphers, use the following command: PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h example.com \ -p 443 (note, the first script is a superset of the second one) In both cases all the individual tests in the scripts should print "OK" status if the specific cipher is not supported and report "failed: 0" together with exit status of 0 if you want to automate it. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic signature.asc Description: This is a digitally signed message part. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] OpenSSL Security Advisory
ress vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they *displace* encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: if an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. More importantly, this leads to a more efficient version of DROWN that is effective against non-export ciphersuites, and requires no significant computation. This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released March 19th 2015). This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J. Alex Halderman of the University of Michigan. The underlying defect had by then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d (1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf). Bleichenbacher oracle in SSLv2 (CVE-2016-0704) == Severity: Moderate This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrite the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a Bleichenbacher oracle, and could potentially allow more efficient variants of the DROWN attack. This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released March 19th 2015). This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J. Alex Halderman of the University of Michigan. The underlying defect had by then already been fixed by Emilia Käsper of OpenSSL on March 4th 2015. The fix for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d (1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf). Note As per our previous announcements and our Release Strategy (https://www.openssl.org/policies/releasestrat.html), support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. References == URL for this Security Advisory: https://www.openssl.org/news/secadv/20160301.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJW1Z3XAAoJENnE0m0OYESRFCgH/1UW63/q8J2eApcMxOd7oYcD y0yRRD1SNpbTalYTNRGK2e4VY4iq7ux8ps3Bw9ieTYcRlMqqcHOPjsPEht0oVyZJ nYBfqwkISjRPYDn4mcV+DUsqLqNhakLZsMbkm0DY6GXq/pxolYlNN07NfsKP7WaQ 1Ff9OkVxhuXYZ+6RmbOAt4+61+CggPIpnBNS8B9U6howG9xOLEWo7ELjXlbBHGny W8Jfmc3z4/UlY/f9iod9qYxo1ljNAhQ8Jd+IcNUuOXea15+S8g35AJR42vLVVzyo jQH7vxNqmwqxrQNUHkAVgXNTLsSMJ4vQ4gCHZEe2CAU9xUt8ifeJrIOjxgjAFvI= =7baS -END PGP SIGNATURE- -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] OpenSSL version 1.0.2g published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 1.0.2g released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2g.tar.gz Size: 5266102 SHA1 checksum: 36af23887402a5ea4ebef91df8e61654906f58f2 SHA256 checksum: b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 The checksums were calculated using the following commands: openssl sha1 openssl-1.0.2g.tar.gz openssl sha256 openssl-1.0.2g.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJW1Zr6AAoJENnE0m0OYESRegcH/RzJkSQo2TT7wl55DKd5/7a2 3PaUxlNQOxA7E1Z7DAs9rfhox0+GbqaIOASBP+yVyP1+yHafMPuM3mpIQNg1fwT8 Oaxfh84a3XpfNO76xVWoKrgp62jYOaug2kfpnJ53uQuBqbhkjCW48KCxBELQZr9Q CsMy3SHtVwNfQQbOTDEsTjPFRpJ4UYO0EUtLV11Q78Gq4cxwWmOB0UCKJ/ucpUcl K8750Ijz27tWUK2cLOjJPAKQBaz1Rol8k0hZC0/Gtgiq/u+IFlx17HU3Yc2ZjLWu Op4KQ95vNu1icTxKUxfz4af3f/XEvC4ZjEC/2dMfUxy/zktLR4yRoG//xi7v8bg= =ovbL -END PGP SIGNATURE- -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] OpenSSL version 1.0.1s published
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 1.0.1s released === OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1s of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1s is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1s.tar.gz Size: 4551210 SHA1 checksum: d027e1a00c26da7fede7d537d5c7718c3cdb4653 SHA256 checksum: e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511 The checksums were calculated using the following commands: openssl sha1 openssl-1.0.1s.tar.gz openssl sha256 openssl-1.0.1s.tar.gz Yours, The OpenSSL Project Team. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJW1ZviAAoJENnE0m0OYESRVY8H/javcOAnFG3l1uzYuSrcgHrA 52x/A5gqFOW7rx5KE4jUjahSFePpNahqaR+A9m8dte2pvAJIySSk73z1IChhrtkF 14CALui+okl0KolF098sULmBy/GKoRQmiGMqQHxukXZZ8ihiqtfiEX1yCf0CiH8U crE4fHw50hBRV8BeT8KEE6A29Cpi9LQ0b0I3pPl5k/q0DtkdyNYMRcA7JKrSsI72 X/tyJcHaoAEZaBoVCqdlj/G1qOA/YlDtNfa9lkMZQaLz8wFLlZTo8/obuonVmaPH uJRj3oylvVkGWYIOpq+7jTJxjHlJweRrKbU8+W//rCSPNfbPBvAAQS7q9lKz/SA= =3wfG -END PGP SIGNATURE- -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol
> link /nologo /subsystem:console /opt:ref /debug /dll > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def > @C:\Users\athosar\AppData\Local\Temp\nm43EB.tmp > Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp > cryptlib.obj : error LNK2001: unresolved external symbol _OPENSSL_ia32cap_P This shouldn't happen if you go for no-asm. Basically it sounds like a left-over from attempt to build with asm support. In other words start over from empty directory. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm
Hi, > we met crash of openssl (varely, 3 times i have seen) on linux x86_64. > openSSL version is 1.0.1r. > > The stack is as below: > Program terminated with signal 11, Segmentation fault. > Thread 1 (Thread 0x7f0654871700 (LWP 22383)): > #0 0x7f06a2cdddb8 in sha1_block_data_order_ssse3 () > from */libcrypto.so.1.0.0 > #1 0xca62c1d6ca62c1d6 in ?? () > #2 0xca62c1d6ca62c1d6 in ?? () > #3 0xca62c1d6ca62c1d6 in ?? () > > We find the similar issue on https://rt.openssl.org/, the ticket id is 3191 . > Can u help me confirm is it the same issue ? Not with presented information :-( You need to complement it with output from 'info reg' as well as output from 'disass' command till you see => mark pointing at failing instruction. From debugger prompts that is. And since stack back-tracing is problematic here, tell approximately what was going on? I mean did you experience crash with openssl command (which one if so), or is it a web (or some other tls) server facing network? > And where can I get the commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 ? It was incorporated 1.0.1 since 1.0.1f. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] (no subject)
Hi I am trying to test behaviour of Openssl in resumption rejection case. I am using with Openssl-1.1.0 pre2 version. When using Openssl as client and other ssl library as server, Initially client and server accepts on resumption, later server expects client rejected the resumption and sends server hello with different protocol version and cipher suite. What will be behaviour of Openssl in this case? when I test this on Openssl I get wrong ssl version error. But, When I run same thing on Broingssl, I get no error, handshake was success full with new protocol version. Can someone help me with this? Thank you Durga. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol
Hi, FWIW, trying the exact same configure commands on OpenSSL 1.0.2f : perl Configure VC-WIN32 no-asm --prefix= ms\do_ms nmake -f ms\ntdll.mak I was NOT able to reproduce the problem under Windows 7 64 bits using Visual Studio 2013 and Perl 5.22.1. Everything goes fine. Michel. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev