RE: OpenSSL version 0.9.8k released (take#2)

[Greaney, Kevin]

Hi,
In the past, when new releases have been announced,
and particularly those related to a Security Advisory, there
have been diffs of the modules that changed.  These were very
helpful in patching older versions of openssl in situations
where an immediate upgrade was not possible.  Would it be possible
to have those diffs sent out?  Or, could we get some direction
as to which changes we should be looking for in the CVS?  I don't
want to pick up extraneous, unrelated changes.  Any guidance that
you can provide will be greatly appreciated.

Thanks,
Kevin.
 

-Original Message-
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of OpenSSL
Sent: Wednesday, March 25, 2009 8:38 AM
To: openssl-...@master.openssl.org; openssl-us...@master.openssl.org
Subject: OpenSSL version 0.9.8k released (take#2)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1


   OpenSSL version 0.9.8k released
   ===

   OpenSSL - The Open Source toolkit for SSL/TLS
   http://www.openssl.org/

   The OpenSSL project team is pleased to announce the release of
   version 0.9.8k of our open source toolkit for SSL/TLS. This new
   OpenSSL version is a moderate security and bugfix release.
   For a complete list of changes, please see
   http://www.openssl.org/source/exp/CHANGES.

   We consider OpenSSL 0.9.8k to be the best version of OpenSSL
   available and we strongly recommend that users of older versions
   upgrade as soon as possible. OpenSSL 0.9.8k is available for
   download via HTTP and FTP from the following master locations (you
   can find the various FTP mirrors under
   http://www.openssl.org/source/mirror.html):

 * http://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file names are:

o openssl-0.9.8k.tar.gz
  Size: 3852259
  MD5 checksum: e555c6d58d276aec7fdc53363e338ab3
  SHA1 checksum: 3ba079f91d3c1ec90a36dcd1d43857165035703f

   The checksums were calculated using the following commands:

openssl md5 openssl-0.9.*.tar.gz
openssl sha1 openssl-0.9.*.tar.gz

   Yours,

   The OpenSSL Project Team...

Mark J. Cox Nils Larsch Ulf Möller
Ralf S. Engelschall Ben Laurie  Andy Polyakov
Dr. Stephen Henson  Richard Levitte Geoff Thorpe
Lutz JänickeBodo Möller



-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iQEVAwUBScox0aLSm3vylcdZAQIOMQgAoVI3UZyTsB9+s2eSIEwp3rJWi53ID4Bo
BKLYAkFx8L4Le+5YjoTywhqULdA1ugY3502+s2qAJLHLt4WmC4hdnuzaIvhtkakQ
cW1o59MQ3dVUHqYsBh8CuDUBQj26zxow/10g6QQwObpzBOIMIa4p3Rto0Ktd2N+D
W7+Dt07TFl9h+1TzMTktKymqInszu8DD/Sax3NUHhYZX12Dv6JzNQ7qUHKodeas1
WudvjYDUx9KQpcBQXJPHsqfQjehey/+mIn3rvoOZMcCckVbODIiaosapnaVMUcM2
jCYgRXdTrRmZiARTbUKpD5ZzRramSXCTjop+n4KDcBHFfsUXMskN4A==
=7b3u
-END PGP SIGNATURE-
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

RE: [CVS] OpenSSL: openssl/crypto/ cryptlib.c

[Greaney, Kevin]

Hi Richard,
Is that a generic Itanium routine or
is that specifically for 32-bit?  The only
reason I ask is that we compile for both 
32 and 64-bit address pointers when putting
together our VMS kit.

Thanks,
Kevin.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Richard Levitte
Sent: Thursday, April 21, 2005 5:10 AM
To: [EMAIL PROTECTED]
Subject: [CVS] OpenSSL: openssl/crypto/ cryptlib.c

  OpenSSL CVS Repository
  http://cvs.openssl.org/
 



  Server: cvs.openssl.org  Name:   Richard Levitte
  Root:   /e/openssl/cvs   Email:  [EMAIL PROTECTED]
  Module: openssl  Date:   21-Apr-2005 11:10:19
  Branch: HEAD Handle: 2005042110101900

  Modified files:
openssl/crypto  cryptlib.c

  Log:
Provide a default OPENSSL_ia32cap_loc for non-Intel platforms where
util/libeay.num is important when building shared libraries, like
VMS.

  Summary:
RevisionChanges Path
1.58+2  -0  openssl/crypto/cryptlib.c
 



  patch -p0 <<'@@ .'
  Index: openssl/crypto/cryptlib.c
 


  $ cvs diff -u -r1.57 -r1.58 cryptlib.c
  --- openssl/crypto/cryptlib.c 13 Apr 2005 15:41:11 -  1.57
  +++ openssl/crypto/cryptlib.c 21 Apr 2005 09:10:19 -  1.58
  @@ -569,6 +569,8 @@
   }
   #endif
   
  +#else
  +unsigned long *OPENSSL_ia32cap_loc(void) { return NULL; }
   #endif
   #if !defined(OPENSSL_CPUID_SETUP)
   void OPENSSL_cpuid_setup(void) {}
  @@ .
__
OpenSSL Project http://www.openssl.org
CVS Repository Commit List [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

FW: Config file questions and UNIQUE_SUBJECT patch.

[Greaney, Kevin]

Retry since it looks like the first one
did not get there.

 

 

-Original Message-
From: Greaney, Kevin 
Sent: Friday, September 03, 2004
8:22 AM
To: '[EMAIL PROTECTED]'
Cc: Greaney, Kevin; Mosteika, Paul
Edward (OpenVMS Engineering)
Subject: Config file questions and
UNIQUE_SUBJECT patch.

 

Hi,

 

While we were
porting to 0.9.7D to our latest VMS product, 

we ran into some
issues with [.APPS]OPENSSL-VMS.CNF.  

The bulleted list
of items highlights each area of concern.

 

· 
Missing field names in OPENSSL-VMS.CNF

 

   In
comparing OPENSSL-VMS.CNF with OPENSSL.CNF,

   it
appears there are a few new items that are not in OPENSSL-VMS.CNF:

 

 
- unique_subject

 
- crlnumber

 
- name_opt

 
- cert_opt

 
- copy_extensions

 
- input_password

 
- output_password

 

· 
Should crlnumber point to a file?

 

   While
the crlnumber is commented out, we were wondering if that

   is
supposed to be pointing to a file similar to SERIAL?

 

· 
Where should name_opt and cert_opt be located?

 

   Both
name_opt and cert_opt point to ca_default.  However, we can 

   not
find a ca_default in the file.  We can find a CA_default, but the

   case
of the leading CA is different.  The other problem here is that

   if we
were to change ca_default to CA_default for these two, the

  
CA_default is located before them in the file.

 

· 
nombrstr vs. nobmp.

 

  
nombrstr appears in the OPENSSL.CNF file, while nobmp appears

   in the
OPENSSL-VMS.CNF file, but they each have the same value.

   Has
nombrstr replaced nobmp?

 

· 
string_mask vs. dirstring_type

 

   The
previous bullet is further confused because string_mask appears in

  
OPENSSL.CNF and nobmp appears in OPENSSL-VMS.CNF.  Is this

  
another case of string_mask replacing dirstring_type?

 

· 
emailAddress_max

 

   The
value has increased from 40 to 64.  I'm assuming we should be

  
putting this change into OPENSSL-VMS.CNF as well.

 

· 
Changes/Diffs 

 

   Two
patch files between 0.9.7D of OPENSSL.CNF and 

  
OPENSSL-VMS.CNF has been included as an attachment.  

   They
highlight the changes that we have outlined above.  

   They
are in a VMS diff format and a Unix diff 

  
format.

 

 

   
While working with the UNIQUE_SUBJECT feature in 0.9.7D,

we ran into a couple of problems.  The set of fixes are
found in

DIFFS.DIFF, include fixes to APPS.C, APPS.H, and CA.C, and

it has been include as an attachment as well.

 

We fixed the situation where signing a
certificate request a second time

would pass the database check, and then fail later on when
it tried to

write it out to the database.  The problem was that it
would try to look

up the certificate with the new serial number, and naturally
not find it.

Then, when it tried to write the certificate to the
database, it would use

the name for the lookup, and fail with “TXT_DB error
number 2”.  In the

case of the error, we added code to clean up the empty file
as well.

 

If you have any questions, please let us know.

 

Thank you.

Kevin

 

Kevin Greaney

OpenVMS Engineering

Hewlett-Packard Company

110 Spit Brook Road

Nashua, NH  03062

 

 

 

 







File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
6   # This definition stops the following lines choking if HOME isn't
7   # defined.
8   HOME= .
9   RANDFILE= $ENV::HOME/.rnd
   10   
   11   # Extra OBJECT IDENTIFIER info:
   12   #oid_file   = $ENV::HOME/.oid
   13   oid_section = new_oids
**
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
6   RANDFILE= $ENV::HOME/.rnd
7   oid_file= $ENV::HOME/.oid
8   oid_section = new_oids


File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
   37   dir = ./demoCA  # Where everything is kept
   38   certs   = $dir/certs# Where the issued certs are kept
   39   crl_dir = $dir/crl  # Where the issued crl are kept
   40   database= $dir/index.txt# database index file.
   41   #unique_subject = no# Set to 'no' to allow creation of
   42   # several ctificates with same subject.
   43   new_certs_dir   = $dir/newcerts # default place for new certs.
   44   
   45   certificate = $dir/cacert.pem   # The CA certificate
   46   serial  = $dir/serial   # The current serial number
   47   #crlnumber  = $dir/crlnumber# the current crl number
   48   # must be commented out to leave a V1 
CRL
   49   crl = $dir/crl.pem  # The current CRL
   50   private_key = $dir/private/cakey.pem# The private key
   51   RANDFILE= $dir/private/.rand# pr

Config file questions and UNIQUE_SUBJECT patch.

[Greaney, Kevin]

Hi,

 

While we were
porting to 0.9.7D to our latest VMS product, 

we ran into some
issues with [.APPS]OPENSSL-VMS.CNF.  

The bulleted list
of items highlights each area of concern.

 

· 
Missing field names in OPENSSL-VMS.CNF

 

   In
comparing OPENSSL-VMS.CNF with OPENSSL.CNF,

   it
appears there are a few new items that are not in OPENSSL-VMS.CNF:

 

  -
unique_subject

  -
crlnumber

  -
name_opt

  -
cert_opt

  -
copy_extensions

  -
input_password

  -
output_password

 

· 
Should crlnumber point to a file?

 

   While
the crlnumber is commented out, we were wondering if that

   is
supposed to be pointing to a file similar to SERIAL?

 

· 
Where should name_opt and cert_opt be located?

 

   Both name_opt
and cert_opt point to ca_default.  However, we can 

   not
find a ca_default in the file.  We can find a CA_default, but the

   case
of the leading CA is different.  The other problem here is that

   if we
were to change ca_default to CA_default for these two, the

   CA_default
is located before them in the file.

 

· 
nombrstr vs. nobmp.

 

   nombrstr
appears in the OPENSSL.CNF file, while nobmp appears

   in the
OPENSSL-VMS.CNF file, but they each have the same value.

   Has nombrstr
replaced nobmp?

 

· 
string_mask vs. dirstring_type

 

   The previous
bullet is further confused because string_mask appears in

  
OPENSSL.CNF and nobmp appears in OPENSSL-VMS.CNF.  Is this

   another
case of string_mask replacing dirstring_type?

 

· 
emailAddress_max

 

   The
value has increased from 40 to 64.  I'm assuming we should be

   putting
this change into OPENSSL-VMS.CNF as well.

 

· 
Changes/Diffs 

 

   Two
patch files between 0.9.7D of OPENSSL.CNF and 

  
OPENSSL-VMS.CNF has been included as an attachment.  

   They
highlight the changes that we have outlined above.  

   They
are in a VMS diff format and a Unix diff 

   format.

 

 

   
While working with the UNIQUE_SUBJECT feature in 0.9.7D,

we ran into a couple of problems.  The set of fixes are
found in

DIFFS.DIFF, include fixes to APPS.C, APPS.H, and CA.C, and

it has been include as an attachment as well.

 

We fixed the situation where signing a
certificate request a second time

would pass the database check, and then fail later on when
it tried to

write it out to the database.  The problem was that it
would try to look

up the certificate with the new serial number, and naturally
not find it.

Then, when it tried to write the certificate to the
database, it would use

the name for the lookup, and fail with “TXT_DB error
number 2”.  In the

case of the error, we added code to clean up the empty file
as well.

 

If you have any questions, please let us know.

 

Thank you.

Kevin

 

Kevin Greaney

OpenVMS Engineering

Hewlett-Packard Company

110 Spit Brook Road

Nashua, NH  03062

 

 

 

 







File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
6   # This definition stops the following lines choking if HOME isn't
7   # defined.
8   HOME= .
9   RANDFILE= $ENV::HOME/.rnd
   10   
   11   # Extra OBJECT IDENTIFIER info:
   12   #oid_file   = $ENV::HOME/.oid
   13   oid_section = new_oids
**
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
6   RANDFILE= $ENV::HOME/.rnd
7   oid_file= $ENV::HOME/.oid
8   oid_section = new_oids


File USERE:[GREANEY.TEMP]OPENSSL.CNF_097D;1
   37   dir = ./demoCA  # Where everything is kept
   38   certs   = $dir/certs# Where the issued certs are kept
   39   crl_dir = $dir/crl  # Where the issued crl are kept
   40   database= $dir/index.txt# database index file.
   41   #unique_subject = no# Set to 'no' to allow creation of
   42   # several ctificates with same subject.
   43   new_certs_dir   = $dir/newcerts # default place for new certs.
   44   
   45   certificate = $dir/cacert.pem   # The CA certificate
   46   serial  = $dir/serial   # The current serial number
   47   #crlnumber  = $dir/crlnumber# the current crl number
   48   # must be commented out to leave a V1 
CRL
   49   crl = $dir/crl.pem  # The current CRL
   50   private_key = $dir/private/cakey.pem# The private key
   51   RANDFILE= $dir/private/.rand# private random number file
   52   
**
File USERE:[GREANEY.TEMP]OPENSSL-VMS.CNF_097D;1
   32   dir = sys\$disk:[.demoCA# Where everything is kept
   33   certs   = $dir.certs]   # Where the issued certs are kept
   34   crl_dir = $dir.crl] # Where the issued crl are kept
   35   datab

Question about OPENSSL_gmtime.

[Greaney, Kevin]

Hi,

    I
have been having some problems with the startdate

and dnddate in my certificates being skewed since I upgraded

from 0.9.6G to 0.9.7D.  I have traced it down to OPENSSL_gmtime,

which is located in O_TIME.C.  My question is should OPENSSL_gmtime

be returning a time in the local time zone, or should it be
returning the

time from the GMT time zone?

 

I wrote up a little  program to test it out, and have
included it.

I am located in the eastern United States, and we are
currently

in Daylight Saving Time, so the difference between my time
zone

and GMT is a -4 hours.  I am also running VMS, and this
happens

on both the VAX and Alpha.  I don’t have access
to Linux, and am

currently trying it out on Windows.

 

In looking at O_TIME.C, there is some code to look at the
time zone

differential and subtract it from the time.  I believe
that you need to be

adding the differential rather than subtracting in VMS case. 
On VMS, 

the differential is store as a negative number west of GMT,
and a 

positive number east of GMT.  This assumes that OPENSSL_gmtime

should be returning the local time and not the GMT time.

 

Thanks,

Kevin Greaney

 

 

Here is a log of my output before the fix:

 

$ run test_time

The current local time (localtime) is: Sun Jul 18 04:06:08 2004

.

The current UTC time (gmtime) is: Sun Jul 18 08:06:08 2004

.

The current UTC time (OPENSSL_gmtime) is: Sun Jul 18 12:06:08 2004

.

$

 

Here is the fix:

 

(VMS style difference)

$ diff o_time.c



File DKA200:[GREANEY]O_TIME.C;2

 
156  
t = *timer + status;

  157

**

File DKA200:[GREANEY]O_TIME.C;1

 
156  
t = *timer - status;

  157



Number of difference sections found: 1

Number of difference records found: 1

DIFFERENCES /IGNORE=()/MERGED=1-

    DKA200:[GREANEY]O_TIME.C;2-

    DKA200:[GREANEY]O_TIME.C;1

$

 

(Unix style difference)

$ diff -u o_time.c;1 o_time.c;2

--- o_time.c;1  Sun Jul 18 05:42:27 2004

+++ o_time.c;2  Sun Jul 18 05:43:38 2004

@@ -153,7 +153,7 @@

   
status = atoi(logvalue);

 

   
/* and use it to move time to GMT */

-  
t = *timer - status;

+  
t = *timer + status;

 

   
/* then convert the result to the time structure */

 #ifndef OPENSSL_THREADS

$

 

And the output with the fix in place:

 

$ run test_time

The current local time (localtime) is: Sun Jul 18 04:05:19 2004

.

The current UTC time (gmtime) is: Sun Jul 18 08:05:19 2004

.

The current UTC time (OPENSSL_gmtime) is: Sun Jul 18 04:05:19 2004

.

$

 

 

 








test_time.c
Description: test_time.c

RE: OpenVMS 8.1 (Eval)

[Greaney, Kevin]

 Hi,
Yes, there is a version of SSL that has
 been ported to OpenVMS for the Itanium platform.
 The current version is based on 0.9.6G plus the 
 security patches.  We are currently working on
 0.9.7D, and it will ship this summer with the
 next version of OpenVMS operating system.

If you have any other questions, feel free
 to contact me directly.

 Thanks,
 Kevin.

Kevin Greaney  SSL for OpenVMS Team
110 Spit Brook RoadOpenVMS Engineering
Nashua, NH  03062  Hewlett-Packard Company
[EMAIL PROTECTED]



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Massimiliano Pala
Sent: Friday, April 02, 2004 4:01 AM
To: [EMAIL PROTECTED]
Subject: OpenVMS 8.1 (Eval)


Hi Guys,

we are currently working on this platform - OpenVMS 8.1, Itanium2 - is
this OS/CPU supported by openssl ?

-- 

C'you,

Massimiliano Pala

--o-
---
Massimiliano Pala [OpenCA Project Manager]
[EMAIL PROTECTED]
  Tel.:   +39 (0)59  270
094
http://www.openca.org   Fax:+39   178  270
2077
http://openca.sourceforge.net   Mobile: +39 (0)347 7222
365

University of Modena and Reggio Emilia
Certification Authority Informations:

Authority Access Point
http://pki.unimo.it
Authority's Certificate:
http://pki.unimo.it/ca/issuers.html
Certificate Revocation List:
http://pki.unimo.it/crl/cacrl.crl
--o-
---
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

Unique_Subject in CA.

[Greaney, Kevin]

 Hi,
I found the following text at http://www.openssl.org/docs/apps/ca.html# :

unique_subject 
if the value yes is given, the valid certificate entries in the database must 
have unique subjects. if the value no is given, several valid certificate entries may 
have the exact same subject. The default value is yes, to be compatible with older 
(pre 0.9.8) versions of OpenSSL. However, to make CA certificate roll-over easier, 
it's recommended to use the value no, especially if combined with the -selfsign 
command line option. 

 As I under it, this functionality is going into 0.9.8.  What am I suppose
 to tell my customers in the meantime.  Consider the following from my customer:

Let's assume the following scenario. We create a server certificate and assign a 
lifetime of one year. Server certificates must have the server name in the CN field of 
the subject. The rest of the subject is filled with information about our company. 
Eleven months later, we realize, thate the server certificate will expire the next 
month. So we decide to create a new certificate. It seems logical to me, that we use 
the same subject (we have to use the same DN). With the openssl command line tool we 
are not able to create a new certificate, since it finds the subject string in the 
database and refuses the creation of the new certificate. I can not revoke the 
existing certificate, because then it looses it's validity and my server will not be 
trusted anymore.

 Thanks,
 Kevin.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RSA Blinding patch and a recent snapshot.

[Greaney, Kevin]

Title: RSA Blinding patch and a recent snapshot.







 Hi,

    I downloaded a snapshot recently, openssl-e-0.9.6-stable-SNAP-20030327.tar.gz,

 and was comparing the files [.crypto.rsa]rsa_eay.c AND [.crypto.rsa]rsa_lib.c.  I noticed

 that in rsa_eay.c that the patch used the "positive" when comparing, RSA_FLAG_BLINDING,

 and the snapshot used the negative, RSA_FLAG_NO_BLINDING.  Here is the macro

 BLINDING_HELPER, and it shows the differences:


From the patch:

#define BLINDING_HELPER(rsa, ctx, err_instr) \

 do { \

 if(((rsa)->flags & RSA_FLAG_BLINDING) && \

 ((rsa)->blinding == NULL) && \

 !rsa_eay_blinding(rsa, ctx)) \

 err_instr \

    } while(0)


From the snapshot:

#define BLINDING_HELPER(rsa, ctx, err_instr) \

    do { \

    if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \

    ((rsa)->blinding == NULL) && \

    !rsa_eay_blinding(rsa, ctx)) \

    err_instr \

    } while(0)



    As for RSA_LIB.C, it looks like only part of the patch has been 

 applied to the snapshot.  We call RSA_new_method and it is return is 

 placed into r, but then we simply return r.  We do not check if

 OPENSSL_NO_FORCE_RSA_BLINDING is defined not do we set

 r->flags with RSA_FLAG_BLINDING.


    Have I missed something in the mailing lists that would

 explain these differences?


 Thanks,

 Kevin.



Kevin Greaney  SSL for OpenVMS Team

Hewlett Packard Company OpenVMS Engineering Group

110 Spitbrook Road   

Nashua, NH  03062

(603) 884-5099

OpenSSL Documents OpenSSL command line utility webpage.

[Greaney, Kevin]

Title: OpenSSL Documents OpenSSL command line utility webpage.







 Hi,

    When reviewing the documentation at the OpenSSL Document

 webpage for the OpenSSL command line utility, I noticed that when you

 pick a topic, s_server for example, that it appears you are placed back

 at the OpenSSL command line utility page.  If you scroll down to the

 bottom of that page, however, you see the documentation you were looking

 for.  This makes things rather confusing.


 Thanks,

 Kevin Greaney

RE: [ANNOUNCE] OpenSSL 0.9.7 beta 6 released

[Greaney, Kevin]

 Hi,
Building Beta6 on OpenVMS V7.2-1, with TCP/IP Services V5.0A
 and Compaq C V6.2-008.  I have included the output from the MAKEVMS.COM
 as well as the error log.  I have not had a chance to dig into any of 
 these yet.

 If you need anything further, please don't hesitate to ask.

 Thanks,
 Kevin.



-Original Message-
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 17, 2002 10:37 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ANNOUNCE] OpenSSL 0.9.7 beta 6 released


-BEGIN PGP SIGNED MESSAGE-

  The sixth beta release of OpenSSL 0.9.7 is now available from the
  OpenSSL FTP site ftp://ftp.openssl.org/source/>.  This beta
  contains just a few fixes since beta 5.

  This is assumed to be the final beta.  The final release of OpenSSL
  0.9.7 has been rescheduled for somewhere between Friday 2002-12-27
  to Monday 2002-12-30, mostly because of all the holidays around that
  time.  To make sure that it will work correctly, please test beta 6
  thoroughly, for example with your favorite piece of software, and
  please report back to us!  Also, please test on as many platforms as
  you have available and you have time for, especially on less common
  platforms.

  If you're interested in helping further, please join the
  [EMAIL PROTECTED] list, where test requests on specific
  development snapshots will be announced.

  Changes between 0.9.7 beta 5 and 0.9.7 beta 6 include:

  o Solaris shared library fixes.
  o Support for new platforms: Linux 64-bit on Sparc v9
  o Now only builds PIC code when shared library support is
requested.
  o Makes symbolic links to or copies of manuals to cover all
described
functions.
  o Dynamic lock bugfixes.
  o Correct DES header protection macros for better backward
compatibility.

  The full set of changes between 0.9.6{x} and 0.9.7 beta 5 include:

  o New library section OCSP.
  o Complete rewrite of ASN1 code.
  o CRL checking in verify code and openssl utility.
  o Extension copying in 'ca' utility.
  o Flexible display options in 'ca' utility.
  o Provisional support for international characters with UTF8.
  o Support for external crypto devices ('engine') is no longer
a separate distribution.
  o New elliptic curve library section.
  o New AES (Rijndael) library section.
  o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX
64-bit,
Linux x86_64, Linux 64-bit on Sparc v9
  o Extended support for some platforms: VxWorks
  o Enhanced support for shared libraries.
  o Now only builds PIC code when shared library support is
requested.
  o Support for pkg-config.
  o Lots of new manuals.
  o Makes symbolic links to or copies of manuals to cover all
described
functions.
  o Change DES API to clean up the namespace (some applications link
also
against libdes providing similar functions having the same
name).
Provide macros for backward compatibility (will be removed in
the
future).
  o Unify handling of cryptographic algorithms (software and engine)
to be available via EVP routines for asymmetric and symmetric
ciphers.
  o NCONF: new configuration handling routines.
  o Change API to use more 'const' modifiers to improve error
checking
and help optimizers.
  o Finally remove references to RSAref.
  o Reworked parts of the BIGNUM code.
  o Support for new engines: Broadcom ubsec, Accelerated Encryption
Processing, IBM 4758.
  o A few new engines added in the demos area.
  o Extended and corrected OID (object identifier) table.
  o PRNG: query at more locations for a random device, automatic
query for
EGD style random sources at several locations.
  o SSL/TLS: allow optional cipher choice according to server's
preference.
  o SSL/TLS: allow server to explicitly set new session ids.
  o SSL/TLS: support Kerberos cipher suites (RFC2712).
Only supports MIT Kerberos for now.
  o SSL/TLS: allow more precise control of renegotiations and
sessions.
  o SSL/TLS: add callback to retrieve SSL/TLS messages.
  o SSL/TLS: support AES cipher suites (RFC3268).

  The distribution file name is:

  o openssl-0.9.7-beta6.tar.gz
MD5 checksum: 8877ea9643e4d6ac18476bc63015c450

  The checksum was calculated using the following commands:

openssl md5 < openssl-0.9.7-beta5.tar.gz

-BEGIN PGP SIGNATURE-
Version: 2.6.3ia
Charset: noconv

iQEVAwUBPf9EYvTy7ZjgbSyxAQEXDAf/ScZf66H2Xyohs6qrRSLNwuCPIH9QyVCJ
hzV8eZla8ETmzYQBwZY65+MdciBaVSwaSVOGFGgG++ZDXkD4tO7AppUUxacGzw3C
OnzY5NKD5nZrUA7ns7aovBGh+okuozRSOYXendPHkizODnxXy259HtlRZ9vqTY9/
qBPTetptduHzMQadn0mviG6GWUu5m1W5jAFyFY+iD5t2BSilm/LHGQmyOg+1fPdS
WHV/tps

[openssl.org #387] Difference between SSL.H and SYMHACKS.H

[Greaney, Kevin via RT]

 Hi,
 I ran across a difference between SSL.H and SYMHACKS.H:

 In SSL.H, there is:
#define SSL_get_ex_data_X509_STORE_CTX_idx
SSL_get_ex_data_X509_STORE_CTX_i
 This is embedded in about ten lines surrounded by an #ifdef VMS.  SSL.H
also does not include
 SYMHACKS.H, which I thought it would.
 
 In SYMHACKS.H, there is:
#define SSL_get_ex_data_X509_STORE_CTX_idx
SSL_get_ex_d_X509_STORE_CTX_idx

 The redefine in SYMHACKS.H is also the one we find in SSLEAY.NUM.  

 Thanks,
 Kevin

Kevin Greaney  SSL for OpenVMS Team
Hewlett Packard Company OpenVMS Engineering Group
110 Spitbrook Road   
Nashua, NH  03062
(603) 884-5099

__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

DES_CBC_CKSUM in SSL and Kerberos.

[Greaney, Kevin]

Title: DES_CBC_CKSUM in SSL and Kerberos.







 Hi,

    I have a customer with a Kerberos V4 application who is trying to decide if they can substitute their existing Kerberos V4 DES encryption capability with SSL's DES encryption support.  When calling DES_CBC_CKSUM() from the Kerberos library, the checksum output buffer and the function's return value read :

    OUTBUF= 1234ABCD...   // char *, 8 Byte checksum

    RetVal   = ABCD // unsigned long, Low order(right half) 4 bytes of 8byte checksum


 When calling SSL's DES_CBC_CKSUM(), the values read:


    OUTBUF= 1234ABCD...   // char *, 8 Byte checksum

    RetVal   = DCBA // unsigned long, Low order(right half) 4 bytes of 8byte checksum


SSL's RetVal produces a checksum error in the KerberosV4 application on return because it is in the oposite byte order than what Kerberos expects.

    The Kerberos and SSL macros used to initialize the return value from the OUTBUF follow respectively:


Kerberos:

#define GET_HALF_BLOCK(lr, ip) \

    (lr) = ((unsigned int)(*(ip)++)) << 24; \

    (lr) |= ((unsigned int)(*(ip)++)) << 16; \

    (lr) |= ((unsigned int)(*(ip)++)) << 8; \

    (lr) |= (unsigned int)(*(ip)++)


SSL:

#define c2l(c,l)   (l =((DES_LONG)(*((c)++)))    , \

 l|=((DES_LONG)(*((c)++)))<< 8L, \

 l|=((DES_LONG)(*((c)++)))<<16L, \

 l|=((DES_LONG)(*((c)++)))<<24L)


    We do not understand why SSL is swapping the bytes when initializing the output longword return value with the c2l macro in the DES_CBC_CKSUM() function.  I have a test program that shows the differences.

 As you can see from the output below, the output is reversed between ssl and krb.

$ run test_cbc_cksum

set key 0

ssl 0x738af841, 0x80 0x16 0xd6 0x6b 0x41 0xf8 0x8a 0x73

krb 0x41f88a7


 I then added a new macro, ksg_c2l, and had it do the same order of shifting as the get_half_block.

They output is now in the correct order.


$ run test_cbc_cksum2

set key 0

ssl 0x738af841, 0x80 0x16 0xd6 0x6b 0x41 0xf8 0x8a 0x73

krb 0x41f88a73

c2l 0x738af841

ksg_c2l 0x41f88a73


 I have included the program with this mail message, and here are the environmental details 

 we were operating in:


    OpenSSL 0.9.6b with Security patches.

    OpenVMS Alpha V7.2

    TCP/IP V5.0A

    DEC C V6.2

    Kerberos V4 and 5


 Thanks,

 Kevin

    

Kevin Greaney  SSL for OpenVMS Team

Hewlett Packard Company OpenVMS Engineering Group

110 Spitbrook Road   

Nashua, NH  03062

(603) 884-5099


 <> 





test_cbc_cksum.c
Description: test_cbc_cksum.c

RAND_VMS.C missing from 0.9.6B.

[Greaney, Kevin]

 Hi,
I noticed that between 0.9.6A and 0.9.6B, the file RAND_VMS.C
 was dropped.  I also noticed that is was missing from CRYPTO-LIB.COM.
 When I checked the CVS system to see when it was removed (and maybe
 where it ended up), I noticed that CRYPTO-LIB.COM still has the reference
 to it.  So, should it be in or should it be out???

 Thank you,
 Kevin Greaney


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: [ANNOUNCEMENT] OpenSSL 0.9.6a Beta 2 released

[Greaney, Kevin]

 Hi Richard,
OpenSSL 0.9.6A Beta 2 [Engine] Built cleanly and passed all tests.
OpenVMS V7.1-2 DEC C V6.0-001

 Kevin.


-Original Message-
From: Richard Levitte [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 13, 2001 12:39 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [ANNOUNCEMENT] OpenSSL 0.9.6a Beta 2 released


The second beta release of OpenSSL 0.9.6a is now available from the
OpenSSL FTP site ftp://ftp.openssl.org/source/>.

OpenSSL 0.9.6a is a bug-fix release of version 0.9.6, and currently
contains 43 documented changes.  Among others, this release should build
on all Windows platforms, which 0.9.6 failed to do.  Just as for version
0.9.6, this one comes in two variants, one containing the now well-known
ENGINE code and one that doesn't.  The tar files are:

openssl-0.9.6a-beta2.tar.gz
openssl-engine-0.9.6a-beta2.tar.gz

The changes since the first beta are:

- made ms/32all.bat and ms/16all.bat to work.
- a few warnings under WIN32 fixed.
- a missing module in the VMS build system was added.
- a memory leak in the error data code was plugged.
- the support for shared libraries changed as in 0.9.7-dev.
  [N.B.: shared library support is still *EXPERIMENTAL* and not
  really supported considering the big number of changes that
  are coming in future versions of OpenSSL]
- a PKCS#12 key generation bug was fixed.
- a few typos were corrected.
- more configuration possibilities for Unixware were added.

If this beta is shown to build and test correctly on all reported platforms,
there will be no need for another beta.  Otherwise, there will be a third
beta.  In any case, that next release is scheduled for Tuesday 2001-03-27.
To
make sure that it will work correctly, please test this version (especially
on
less common platforms), and report any problems to
<[EMAIL PROTECTED]>.

-- 
Richard Levitte [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~levitte/
Software Engineer, Celo Communications: http://www.celocom.com/
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

RE: Please try today's snapshot

[Greaney, Kevin]

 Hi Richard,
Just to let you know, the
openssl-engine-0.9.6-stable-SNAP-20010314.tar.gz can not be
 built on a VMS system with ODS-2 File System.  The file name is too long.
It exceeds the
 39 character filename limit.  I am building
openssl-0.9.6-stable-SNAP-20010314.tar.gz now
 and will let you know the results as soon as I have them.

 Thanks,
 Kevin.



-Original Message-
From: Richard Levitte - VMS Whacker [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 14, 2001 10:28 AM
To: [EMAIL PROTECTED]
Subject: Please try today's snapshot


I'd like those who have reported problems with OpenSSL 0.9.6abeta1 to
try tonights snapshots:

openssl-0.9.6-stable-SNAP-20010314.tar.gz
openssl-engine-0.9.6-stable-SNAP-20010314.tar.gz

Of those reports, only the AIX problem with the engine variant and the
Irix problem have not been dealt with.

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \  SWEDEN   \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See  for more info.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]