Re: [openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

[Short, Todd via RT]

Not strictly necessary; mostly convenience. Decrementing the pointer usually 
requires doing the corresponding  free, which really shouldn’t do anything but 
decrement the refcount if you just got it.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Jun 20, 2016, at 12:18 PM, Rich Salz via RT 
> wrote:

Is this needed? Can your get0 function just call get and decrement the
refcount?

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3868
Please log in as guest with password guest if prompted



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3868
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3882]

[Short, Todd via RT]

Based on discussion, it does not appear as this will be fixed, and requires an 
unusual set of circumstances for it to happen.
It can probably be closed.

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3882
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3780]

[Short, Todd via RT]

The async changes on master/1.1.0 obsolete this patch.

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3780
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3722]

[Short, Todd via RT]

This could be closed, as it’s now on GitHub: 
https://github.com/openssl/openssl/pull/946
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3722
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3867]

[Short, Todd via RT]

This could be closed, as it’s now on GitHub: 
https://github.com/openssl/openssl/pull/941
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3867
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3877]

[Short, Todd via RT]

This could be closed, as it’s now on GitHub: 
https://github.com/openssl/openssl/pull/941
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3877
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3729]

[Short, Todd via RT]

The changes to master/1.1.0 for pipelining completely break this patch. So, 
there’s little point in trying to add this.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3729
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3724]

[Short, Todd via RT]

The new async feature in master/1.1.0 makes complete breaks this patch. This 
can probably be closed.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3724
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4074] [PATCH] Fixes for when PSK, SRP, SRTP and DTLS1 are disabled

[Short, Todd via RT]

This has been resolved master, and can be closed.

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4074
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4149] Resolved: [PATCH] ssl_set_pkey() unnecessarily updates certificates

[Short, Todd via RT]

I also closed out GH478 (which was a fix for RT4149).
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On May 31, 2016, at 9:29 AM, Matt Caswell via RT 
> wrote:

According to our records, your request has been resolved. If you have any
further questions or concerns, please respond to this message.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4149
Please log in as guest with password guest if prompted



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4149
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4509] ECC key generation under valgrind reports: impossible has happened

[Short, Todd via RT]

Valgrind does not necessarily support all instructions, if there’s any 
optimized assembly, you might run into problems.
Are you able to compile a non-assembly version of the OpenSSL library?
Are you able to update to a newer Valgrind?

You also seem to have a version discrepancy in OpenSSL: 1.0.2d-fips and 1.0.2g?
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Apr 12, 2016, at 9:41 AM, Nikos Mavrogiannopoulos via RT 
> wrote:

A part of the gnutls test suite runs under valgrind, and in fedora 23
it occasionally fails, something that I have traced it to softhsm
library and particular hardware.

The failures are due to the softhsm library which uses openssl
underneath and in particular EC key generation. This can be reproduced
using only the openssl tools:

$ openssl version
OpenSSL 1.0.2d-fips 9 Jul 2015

$ valgrind openssl genpkey -algorithm ec  -pkeyopt ec_paramgen_curve:P-256

vex: the `impossible' happened:
   isZeroU
vex storage: T total 270175784 bytes allocated
vex storage: P total 640 bytes allocated

valgrind: the 'impossible' happened:
   LibVEX called failure_exit().

[...]

sched status:
  running_tid=1

Thread 1: status = VgTs_Runnable (lwpid 28037)
==28037==at 0x5B14C80: ecp_nistz256_avx2_select_w7 (in 
/usr/lib64/libcrypto.so.1.0.2g)
==28037==by 0x5AFA92F: EC_POINT_mul (in /usr/lib64/libcrypto.so.1.0.2g)
==28037==by 0x5AF9876: EC_POINT_new (in /usr/lib64/libcrypto.so.1.0.2g)
==28037==by 0x5B02835: EC_KEY_generate_key (in 
/usr/lib64/libcrypto.so.1.0.2g)
==28037==by 0x5B51B82: EVP_PKEY_keygen (in /usr/lib64/libcrypto.so.1.0.2g)
==28037==by 0x436A29: ??? (in /usr/bin/openssl)
==28037==by 0x41A457: ??? (in /usr/bin/openssl)
==28037==by 0x41A0D6: ??? (in /usr/bin/openssl)
==28037==by 0x62B357F: (below main) (libc-start.c:289)


This may be a bug in valgrind, or according to some valgrind posts,
caused by an illegal instruction. Thus reported here.


The failed system is:
model name : Intel(R) Core(TM) i7-5600U CPU @ 2.60GHz
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 
clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm 
constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc 
aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 
sdbg fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt 
tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch ida arat 
epb pln pts dtherm intel_pt tpr_shadow vnmi flexpriority ept vpid fsgsbase 
tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap xsaveopt


originally at: https://bugzilla.redhat.com/show_bug.cgi?id=1326024


--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4509
Please log in as guest with password guest if prompted

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4509
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3716] Patch for setting preferred cipher list

[Short, Todd via RT]

Yes, not absolutely necessary.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3716
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

[Short, Todd via RT]

OpenSSL is generally able to compile with the musl C library (same idea as 
uClibc):

OpenSSL 1.0.2f:
./config
make depend
CC=/usr/local/bin/musl-gcc ./config
make

./config is run twice, because "make depend" fails since domd can’t find the 
makedepend command after CC is set to musl-gcc. However, after running ./config 
a second time (to update the CC), the make succeeds. openssl loads and run. If 
musl is configured with --disable-shared, then it does not require any dynamic 
executables.

master:
CC=/usr/local/bin/musl-gcc ./config
make depend
make
"make depend" succeeds in master, even after CC is set to musl-gcc. But linking 
fails due to setcontext, getcontext and makecontext being undefined. They 
appear to be used by the async code; there doesn’t seem to be a way to turn off 
async (or force NULL async). I looked in the musl library, and there are 
declarations of these functions()s, but no definitions.

A maintainer of the musl library has indicated that these are deprecated Posix 
APIs. Might there be a way to disable the use of these APIs, and permit only 
async_none so that these other libraries (uClibc and musl) could be used 
instead?

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Feb 3, 2016, at 9:00 PM, Salz, Rich via RT 
> wrote:

This might be interesting to support, but unfortunately nobody looked at the
bug in years and the build process has changed a great deal. If you could
re-integrate this against what's in master, we'd look at it. If that's too much
work, I understand. We don't have/use this particular run-time environment.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



-
http://rt.openssl.org/Ticket/Display.html?id=1979

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #1979] Add uClibc support

[Short, Todd via RT]

FYI: The rational for why these APIs are deprecated.
http://pubs.opengroup.org/onlinepubs/009695399/functions/makecontext.html#tag_03_356_08

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



-
http://rt.openssl.org/Ticket/Display.html?id=1979

Please log in as guest with password guest if prompted

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit->64-bit

[Short, Todd via RT]

I have an available fix:

https://github.com/openssl/openssl/pull/597

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

[Short, Todd via RT]

This sounds like RT3885.

I have an available fix:

https://github.com/openssl/openssl/pull/597

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Jan 29, 2016, at 12:04 PM, Viktor Dukhovni via RT 
> wrote:


On Jan 29, 2016, at 4:59 AM, Kiyoshi KANAZAWA via RT 
> wrote:

cc -I.. -I../.. -I../modes -I../include -I../../include  -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xarch=generic64 -xstrconst -Xa 
-DL_ENDIAN -DFILIO_H -xO5 -xdepend -xbuiltin -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o ghash-x86_64.o 
ghash-x86_64.s
cc: Warning: -xarch=generic64 is deprecated, use -m64 to create 64-bit programs
Assembler:
   "ghash-x86_64.s", line 890 : Syntax error
   Near line: "movq$1.15473355479995e+19,%rax"

You'll need a 64-bit Perl.  When I try "perl ghash-x86_64.pl" I get:

...
   subq$48,%rcx
   movq$11547335547999543296,%rax
   movdqu  48(%rsi),%xmm14
   movdqu  64(%rsi),%xmm15
...

--
Viktor.




___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4272] [BUG/PATCH] Unit tests fail when DTLS is disabled

[Short, Todd via RT]

Hello:

When DTLS is disabled in master (./config no-dtls) the corresponding unit tests 
fail. The same thing would happen if TLS were disabled. The issue is in the 
’TLS Version min/max tests’ and DTLS Version min/max tests’. The skip function 
is not called within a SKIP: { } block, causing the tests to fail unexpectedly 
by “skipping” the planned test, and then doing another test (i.e. ok()) later.

I have a patch, but I am waiting for the RT number.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4272] [BUG/PATCH] Unit tests fail when DTLS is disabled

[Short, Todd via RT]

Pull request for RT4272:

https://github.com/openssl/openssl/pull/589
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4265] [BUG/PATCH] OpenSSL does not compile when SRTP is disabled

[Short, Todd via RT]

Apologies, apparently I already reported this problem ~5 weeks ago as RT4188. 
So, RT4188 and RT4265 are duplicates.

However, the latest pull request is : 
https://github.com/openssl/openssl/pull/582

--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

On Jan 22, 2016, at 10:00 AM, Short, Todd via RT 
<r...@openssl.org<mailto:r...@openssl.org>> wrote:

Hello,

When SRTP is disabled, OpenSSL does not successfully compile due to an error in 
s_server.c

I have a patch for this, I am just waiting for the RT to be created first.
--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com><mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4265] [BUG/PATCH] OpenSSL does not compile when SRTP is disabled

[Short, Todd via RT]

Hello,

When SRTP is disabled, OpenSSL does not successfully compile due to an error in 
s_server.c

I have a patch for this, I am just waiting for the RT to be created first.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4262] Fwd: Configure script warns when no configurations changes occur

[Short, Todd via RT]

Hello,

When ./config is run, the Configure script always complains about 'make depend’ 
needing to be run because the $default_depflags and $depflags do not match.
Recent changes to Configure automatically create $default_depflags, but takes 
special exceptions for shared, zip, hw and asm, which are not normally put into 
$default_depflags but are put into |$depflags| causing a mismatch leading to 
the warning.

I have a patch, but am waiting for the RT to be created first.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4262] Fwd: Configure script warns when no configurations changes occur

[Short, Todd via RT]

Added pull request:

https://github.com/openssl/openssl/pull/578

--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

On Jan 21, 2016, at 4:11 PM, Short, Todd via RT 
<r...@openssl.org<mailto:r...@openssl.org>> wrote:

Hello,

When ./config is run, the Configure script always complains about 'make depend’ 
needing to be run because the $default_depflags and $depflags do not match.
Recent changes to Configure automatically create $default_depflags, but takes 
special exceptions for shared, zip, hw and asm, which are not normally put into 
$default_depflags but are put into |$depflags| causing a mismatch leading to 
the warning.

I have a patch, but am waiting for the RT to be created first.
--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com><mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."



___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4263] store does not compile with opaque data structures

[Short, Todd via RT]

Hello,

When experimental-store is enabled in the master branch, the compile fails, due 
to structures that are now opaque.

I have a patch, but am waiting for the RT to be created first.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4263] store does not compile with opaque data structures

[Short, Todd via RT]

I added a pull request:

https://github.com/openssl/openssl/pull/579

--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

On Jan 21, 2016, at 4:23 PM, Short, Todd via RT 
<r...@openssl.org<mailto:r...@openssl.org>> wrote:

Hello,

When experimental-store is enabled in the master branch, the compile fails, due 
to structures that are now opaque.

I have a patch, but am waiting for the RT to be created first.
--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com><mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

[Short, Todd via RT]

Updated patch for RT4206, with updated names from draft -04.




0001-Add-CHACHA20-alias-for-ciphers.patch
Description: Binary data

---Todd Short// tsh...@akamai.com// "One if by land, two if by sea, three if by the Internet."

On Jan 6, 2016, at 7:46 AM, Hubert Kario via RT <r...@openssl.org> wrote:On Monday 28 December 2015 15:28:26 Kurt Roeckx via RT wrote:On Mon, Dec 28, 2015 at 03:01:28PM +0000, Short, Todd via RT wrote:Hello OpenSSL.org<http://OpenSSL.org>:This is a patch for the master branch. The changes in master to addChaCha20 to OpenSSL do not include an alias for the cipher in the"openssl cipher" command, nor in the cipher functions., even thoughthe necessary constants have been defined. The attached patch addsthat alias.The following openssl commands now behave as expected:openssl ciphers CHACHA20openssl ciphers CHACHA20:AESPlease at least also update the documentation, like ciphers.pod.I'm also not sure if CHACHA20 should only select those incombination with Poly1305, even if those are currently the onlysupported.AES selects both AES-CBC and AES-GCM while AESGCM selects just AES-GCM.Selecting ChaCha20-Poly1305 by just CHACHA20 is consistent with existing flags.-- Regards,Hubert KarioSenior Quality Engineer, QE BaseOS Security teamWeb: www.cz.redhat.comRed Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

[Short, Todd via RT]

Hello OpenSSL.org:

This is a patch for the master branch. The changes in master to add ChaCha20 to 
OpenSSL do not include an alias for the cipher in the “openssl cipher” command, 
nor in the cipher functions., even though the necessary constants have been 
defined. The attached patch adds that alias.

The following openssl commands now behave as expected:

openssl ciphers CHACHA20
openssl ciphers CHACHA20:AES

Thanks,

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



0002-Add-CHACHA20-alias-for-ciphers.patch
Description: Binary data
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

[Short, Todd via RT]

Updated patch. Updates documentation (ciphers.pod), and lays some groundwork in 
case ChaCha20 is used with something other than Poly1305.

(Also updates the Camellia cipher alias to use an existing #define.)

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."




0002-Add-CHACHA20-alias-for-ciphers.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4206] [PATCH] Add cipher alias for ChaCha20

[Short, Todd via RT]

True, but there’s currently no flag defined for just “ChaCha20” ciphers, just 
SSL_CHACHA20POLY1305. My understanding is that CHACHA20POLY1305 is considered 
AEAD, so the two will always be linked. That being said, nothing prevents 
CHACHA20 from referencing additional CHACHA20 ciphers, nor precludes adding 
CHACHA20POLY1305 as a cipher string.

--
-Todd Short
// tsh...@akamai.com<mailto:tsh...@akamai.com>
// "One if by land, two if by sea, three if by the Internet."

On Dec 28, 2015, at 10:28 AM, Kurt Roeckx via RT 
<r...@openssl.org<mailto:r...@openssl.org>> wrote:

On Mon, Dec 28, 2015 at 03:01:28PM +, Short, Todd via RT wrote:
Hello OpenSSL.org<http://OpenSSL.org><http://OpenSSL.org>:

This is a patch for the master branch. The changes in master to add ChaCha20 to 
OpenSSL do not include an alias for the cipher in the "openssl cipher" command, 
nor in the cipher functions., even though the necessary constants have been 
defined. The attached patch adds that alias.

The following openssl commands now behave as expected:

openssl ciphers CHACHA20
openssl ciphers CHACHA20:AES

Please at least also update the documentation, like ciphers.pod.

I'm also not sure if CHACHA20 should only select those in
combination with Poly1305, even if those are currently the only
supported.


Kurt




___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4197] [PATCH] Memory leak in state machine in error path

[Short, Todd via RT]

Hello OpenSSL org:

I found the following issue via code inspection. In 
tls_process_client_key_exchange(), when EC is disabled, and an error occurs in 
ssl_generate_master_secret() or RAND_bytes(), the error path does not free 
rsa_decrypt.

Note that rsa_decrypt is not conditionally defined by OPENSSL_NO_RSA, so I did 
not wrap the free with that conditional.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



0001-Memory-leak-in-state-machine-in-error-path.patch
Description: Binary data
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4187] [Patch] Secure memory subsystem does not report actual size

[Short, Todd via RT]

Hello OpenSSL Organization:

This patch updates the secure memory allocator to allow callers to determine 
the actual size of the secure memory allocation. This can be used by 
applications to report accurate memory usage.

Github link:
https://github.com/akamai/openssl/commit/6d0b49bd810e0ae36d934c34cab8ad37089ca6ef

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4188] [Patch/Fix] s_server.c does not compile when no-srtp is configured

[Short, Todd via RT]

Hello OpenSSL Organization:

When ‘no-srtp’ is configured, the s_server.c application does not successfully 
compile. The undefined variable srtp_profiles is referenced. This patch fixes 
the issue.

Github link:
https://github.com/akamai/openssl/commit/f78119f39621d02bee31c9427b2be3a9d2cff26f

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."


___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4149] [PATCH] ssl_set_pkey() unnecessarily updates certificates

[Short, Todd via RT]

Hello OpenSSL.org

We have found the following issue in 1.0.2 and master branches of OpenSSL:

ssl_set_pkey() unnecessarily updates certificates

Some key types types (EC, DSA, DH, but not RSA) have separate parameters that 
are needed for correct operation. When ssl_set_pkey() is called (via 
SSL_use_PrivateKey), it copies these parameters from the newly set private key 
into the public key of the CERT structure. This could lead to a modification of 
the X509 structure while it is being used in another thread.

This parameter copy is unconditional, and always occurs during ssl_set_pkey(). 
The proposed solution is to modify the copy routine EVP_PKEY_copy_parameters() 
to check for parameter equality via the EVP_PKEY_cmp_parameters() function 
before doing the actual copy. If the parameters match, then success is returned 
and no copy is performed. (But also check to see if the parameters are there 
before the compare.)
   
This avoids unnecessary modification of the certificate structure and avoids 
the crash. The parameters may be copied on the first setting of the private 
key, but after that, the parameters will be equal and not copied any more.

There is minimal locking around the SSL_use_PrivateKey() and other 
corresponding code, so adding additional locking would not suffice.

A patch will be sent via github pull request, once a RT number is assigned.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4109] Re: Error installing openssl version 1.0.2

[Short, Todd via RT]

This is likely the same as RT3885. Check out this fix:

https://github.com/akamai/openssl/commit/15ecb1a4dc4f75d6c33e8cd9089ca5cfc78d28dc

You may be running a 32-bit version of Perl on a 64-bit platform.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Oct 27, 2015, at 3:02 PM, Dhruv Bhatt via RT  wrote:

Hi,

I am trying to install openssl version 1.0.2.

What I do:
1. tar the version openssl-1.0.2
2. cd to that directory .
3. ./config —prefix=<> —openssldir=<>
4. make


Issue is something with crypto/modes/ghash-x86_64.s file at line 890.

junk ‘’ after expression.

Has this issue been fixed? Also it comes with 1.0.2d version as well. But if we 
try 1.0.1j version it works completely fine and I am able to install that 
version.

Thanks,
Dhruv.

P.S. I am trying to help someone install openssl and I have seen this issue 
twice till now, I do not have any logs with me will try to get one.
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4074] [PATCH] Fixes for when PSK, SRP, SRTP and DTLS1 are disabled

[Short, Todd via RT]

Hello OpenSSL Org:

While evaluating the master branch, I discovered that the code does not 
compile, nor do the unit tests pass, when disabling certain features. 
Specifically, PSK, SRP, SRTP and DTLS1.

The following patch for master branch will fix the issues.

Thanks,

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



0001-Fix-when-SRP-SRTP-DTLS1-PSK-are-disabled.patch
Description: Binary data
___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3724] Patch/Feature to add asynchronous processing for some operations

[Short, Todd via RT]

Hello,

Again, we have an updated patch for asynchronous processing: unit-tests and 
copyright.

Github link:
https://github.com/akamai/openssl/commit/92914accbb54ee085918451468575a5e76baba20

And attached file.

Thanks,

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."



0003-RT3724-Add-asynchronous-event-processing.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

[Short, Todd via RT]

Updates to the IPv4/IPv6: port-based client cache patch:

Updated documentation, unit-tests and copyright.

Github link:
https://github.com/akamai/openssl/commit/0a9ec5fc896c0fdc417e60366d03c1d95cc53033

And attached patch.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."




0023-RT3883-Add-IPv4-IPv6-port-based-client-cache.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3869] [PATCH] Add shared session lists in SSL_CTX

[Short, Todd via RT]

Hello OpenSSL Org:

We have an updated patch for RT 3869, which includes a deadlock fix when 
flushing sessions.

Github link:
https://github.com/akamai/openssl/commit/6b8c80239d174e7ca55f052b86f942d70ffca29ehttps://github.com/akamai/openssl/commits/akamai-master-july2015

And attachment.



0017-RT3869-Add-shared-session-lists-in-SSL_CTX.patch
Description: Binary data
Thanks.
---Todd Short// tsh...@akamai.com// "One if by land, two if by sea, three if by the Internet."

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit-64-bit

[Short, Todd via RT]

Hello OpenSSL Org:

We have an updated patch; there were issues with AES-GCM on some platforms, due 
to multiply operations on immediate constant values.

Updated github patch:
https://github.com/openssl/openssl/commit/15ecb1a4dc4f75d6c33e8cd9089ca5cfc78d28dc

And attached.



0001-RT3885-OpenSSL-fails-to-cross-compile-on-32-bit-64-b.patch
Description: Binary data
Thank you.
---Todd Short// tsh...@akamai.com// "One if by land, two if by sea, three if by the Internet."

On May 30, 2015, at 3:48 AM, Joy Tu via RT r...@openssl.org wrote:Hello OpenSSL Org:This is a change that Akamai has made to its implementation of OpenSSL.Version: master branchDescription: OpenSSL fails to cross-compile on 32-bit-64-bitOlder/32-bit versions of perl cannot handle 64-bit numbers, so whenthe x86_64-xlate.pl script encounters a 64-bit number, the oct()function munges it into a double-precision rather than a 64-bitinteger. In this case, we know it's either a hex number or an octalnumber. So, if hex, just pass through as hex string, otherwise allowoct() to handle it.This is a problem in ghash-x86_64.pl (ghash-x86_64.s), and the solutionhas an impact all 64-bit platforms. Ran the unit tests to make sure it'sOKGithub link:https://github.com/akamai/openssl/commit/89808ba6a3e3ab69b12518dc5ba651eb29c18ee7And attachment.Thank you.---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet.”0004-OpenSSL-fails-to-cross-compile-on-32-bit-64-bit.patch___openssl-dev mailing listTo unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3875] [PATCH] Add external X509_STORE to SSL_CTX

[Short, Todd via RT]

Updated this patch with new documentation.

Github link:
https://github.com/akamai/openssl/commit/34cd12929b479f0c229bb9d564e2d2eec3d8df5d

And attachment.
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 27, 2015, at 4:32 PM, Short, Todd via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add external X509_STORE to SSL_CTX

Add SSL_CTX_set_cert_store_ref() API to add an external X509_STORE to
an SSL_CTX. (There is no get API).
Github link:
https://github.com/akamai/openssl/commit/517559c8637cda3750b39017685742590f1b692e

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”

0018-Add-external-X509_STORE-to-SSL_CTX.patch___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev




0018-RT3875-Add-external-X509_STORE-to-SSL_CTX.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3881] [PATCH] Instrument OpenSSL buffer heap memory usage

[Short, Todd via RT]

Updates to the buffer heap memory usage patch:
Updated documentation.

Github link:
https://github.com/akamai/openssl/commit/222f0d2d94be8b92c306c062320fd15b59a9000a

And attached file.

Thank you,

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 30, 2015, at 3:48 AM, Joy Tu via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  Instrument OpenSSL buffer heap memory usage

Added function to register callbacks to allocate and free data buffers.

These callbacks can then allocate and free the memory as needed, while
also recording buffer allocations.

This permits a user-definable implementation of FREE_BUFLIST, which has been 
removed.

(Yes, documentation is lacking at this point).

Github link:

https://github.com/akamai/openssl/commit/4a6d71bbd2f4fe38ebcbe2f9917a1c7fedd117f8

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”

0022-Instrument-OpenSSL-buffer-heap-memory-usage.patch___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



0021-RT3881-Instrument-OpenSSL-buffer-heap-memory-usage.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3865] [Patch] Add DISALLOW_RENEGOTIATION option

[Short, Todd via RT]

Hello,

Please find an updated patch that includes updated documentation.

Github link:

https://github.com/akamai/openssl/commit/9f3a6ecb83e80cbfebc038a860d5ce63817e0098

Thanks.
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 26, 2015, at 2:56 PM, Short, Todd via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add DISALLOW_RENEGOTIATION option

Add support to disallow renegotiation in openssl
The bit definition may need to change when pulled.

Github link:
https://github.com/akamai/openssl/commit/fcab621995d55d8873a02a96d5a8157f38469ebb

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

0010-Add-DISALLOW_RENEGOTIATION-option.patch
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev




0010-RT3865-Add-DISALLOW_RENEGOTIATION-option.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

[Short, Todd via RT]

Hello,

We have an updated version of the patch that includes updated documentation.

GitHub link:
https://github.com/akamai/openssl/commit/980d0b6e67dce0088dcb49e6fa66bbb868f43000

And attachment

Thanks,

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.



0013-RT3868-Add-SSL_get0_peer_certificate.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3869] [PATCH] Add shared session lists in SSL_CTX

[Short, Todd via RT]

Hello,

We have an updated patch for this: updated documentation

Github link:
https://github.com/akamai/openssl/commit/246b86ee329c70cbf8c822e852cc31e1076d53fd

And attachment.

Thanks,
--
-Todd Short
// tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 26, 2015, at 4:29 PM, Short, Todd via RT r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add shared session lists in SSL_CTX

Support for shared session lists via SSL_CTX_share_session_cache().
Added locking during the sharing and cleanup.

Github link:
https://github.com/akamai/openssl/commit/fe1e4ac33a89e9176af0b645eafc2aaec5fc2266

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”

0014-Add-shared-session-lists-in-SSL_CTX.patch___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev




0014-RT3869-Add-shared-session-lists-in-SSL_CTX.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3870] [PATCH] Async TLSEXT servername support.

[Short, Todd via RT]

Hello,

We have an updated patch for this, which includes updated documentation, 
unit-tests and copyright.

Github link:
https://github.com/akamai/openssl/commit/1f26946f7e5cf85b20c3b97a8c0e6a869f9a04fa

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 26, 2015, at 4:29 PM, Short, Todd via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Async TLSEXT servername support.

Adds support for processing the servername TLSEXT asynchronously,
using the SSL_WANT_EVENT mechanism (RT 3724).

Github link:
https://github.com/akamai/openssl/commit/0205cc4eee7084e65a69995293ad584f7da21fa9

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

0015-Async-TLSEXT-servername-support.patch___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev



0015-RT3870-Async-TLSEXT-servername-support.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3874] [PATCH] Add certificate verify data to SSL struct

[Short, Todd via RT]

Hello:

We have an updated patch with documentation for this.

Github link:
https://github.com/akamai/openssl/commit/e431afa72e77da4463c8cdcac8893336b9b32b04

And attachment.

Thanks,

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 27, 2015, at 4:32 PM, Short, Todd via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add certificate verify data to SSL struct

Add app_verify_callback and app_verify_arg to the SSL structure and add
SSL_SESSION_set_verify_result() API. The values are copied from the
SSL_CTX into the SSL. There is also an SSL_set_cert_verify_callback() API.

Github link:
https://github.com/akamai/openssl/commit/a7d729491c2dacd4dae01eb49e1ca3ff797133ff

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”

0017-Add-certificate-verify-data-to-SSL-struct.patch___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3873] [PATCH] Add traffic counters

[Short, Todd via RT]

Hello,

We have an updated patch for this: includes documentation.

Github link:
https://github.com/akamai/openssl/commit/956053b4b4a6f374df939c3d830cb1a095428ac9

And attachment.

Thanks,
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.

On May 27, 2015, at 4:32 PM, Short, Todd via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add traffic counters

Add data counters to SSL structure bytes_written and bytes_read
Includes SSL_get_byte_counters() API.

Github link:
https://github.com/akamai/openssl/commit/517559c8637cda3750b39017685742590f1b692e

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”

0016-Add-traffic-counters.patch___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev





0016-RT3873-Add-traffic-counters.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

[Short, Todd via RT]

Yup, we noticed that too. 

--
-Todd Short
// tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


 On Jun 5, 2015, at 5:27 PM, Jonathan Larmour via RT r...@openssl.org wrote:
 
 On 01/06/15 15:22, Short, Todd via RT wrote:
 Re: copyrights:
 
 Planning to copy the (109-line) main copyright from another source file and 
 append to it:
 
 /* 
 * Copyright (C) 2015 Akamai Technologies. ALL RIGHTS RESERVED.
 * This code was originally developed by Akamai Technologies and
 * and contributed to the OpenSSL project.
 */
 
 Acceptable?
 
 Just a little thing I noticed, but your text has and and (separated by a
 newline).
 
 Jifl
 
 


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

[Short, Todd via RT]

Re: copyrights:

Planning to copy the (109-line) main copyright from another source file and 
append to it:

/* 
 * Copyright (C) 2015 Akamai Technologies. ALL RIGHTS RESERVED.
 * This code was originally developed by Akamai Technologies and
 * and contributed to the OpenSSL project.
 */

Acceptable?
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On May 31, 2015, at 9:27 AM, Salz, Rich via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:


(Documentation is in the source files, not a .pod)

Do you have code to produce usable manpages from the embedded
documentation?  We can't ask users to read the source.

I believe Todd meant for the test program.


   * The copyright notice does not refer to any license that would allow
 inclusion in OpenSSL.

Sigh.  We'll fix that to just submit with the akamai copyright and openssl 
license.





___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked

[Short, Todd via RT]

Depending on how the comparison function was implemented, the insert could 
still succeed at the point mentioned.

In the case of the patch sent for RT 3883, the original implementation of the 
comparison function always failed if the client IP address was not set (given 
that RT 3883 does not require the IP address to be set before adding to the 
session database, this made sense - a NULL address should never match any other 
address, even a NULL address). Thus we would end up in a situation where no 
match was found in the lhash, but still deleting the structure from the list, 
causing an inconsistency. The compare function was repaired to always match 
itself, preventing this occurrence.

The patch makes the code in timeout_doall_arg() match the remove_session_lock() 
function, which does an lh_SESSION_retrieve() followed by 
lh_SSL_SESSION_delete() and SSL_SESSION_list_remove() if the retrieve() is 
successful.

Fundamentally, this patch is to keep the SSL_SESSION database in a consistent 
state, regardless of the behavior of the compare and hash functions. I consider 
that a “good” thing.

One could replace most of timeout_doall_arg() with remove_session_lock(lck=0) 
and have the same effect - but that won’t necessarily work with RT 3883’s patch 
since it does not set the session_id_length for client-side SSL_SESSIONs.

static void timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p)
{
if ((p-time == 0) || (p-time  (s-time + s-timeout))) { /* timeout */
/*
 * The reason we don't call SSL_CTX_remove_session() is to save on
 * locking overhead
 */
(void)remove_session_lock(p-ctx, s, 0);
}
}

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On May 31, 2015, at 4:46 PM, Salz, Rich via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hmm, but does it? If you look for the comment '/* We *are* in trouble ... */'
in ssl_sess.c, you'll see that there is a similar kind of protection in place
already at the time of insert. So quite frankly and with all respect, I'm not
sure if this particular fix does anything of value any longer.

On Sun May 31 22:28:18 2015, tsh...@akamai.commailto:tsh...@akamai.com wrote:
We (Akamai) had a bad session compare function at one point; the
compare was fixed, but also added this change to protect the LHASH.

So, yes, this can only really happen if one has a bad comparison
function.

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


On May 31, 2015, at 4:22 PM, Richard Levitte via RT 
r...@openssl.orgmailto:r...@openssl.org
wrote:

I'm not sure how that can happen, as each SSL_SESSION in that lhash
will have
unique content. This is assured by the way lh_insert functions and
by
ssl_session_cmp (which gets called by getrn in lhash.c, via the
function
pointer cf).

So while your suggestion will most probably work as a band aid, I'm
thinking
you've really found a bug in ssl_session_cmp or in the lhash code
itself. Could
you verify?

On Sun May 31 21:24:04 2015, tsh...@akamai.commailto:tsh...@akamai.com wrote:
No,

The second code sample removes a matching instance, but not
necessarily the same instance. If they are not the same instance,
then
it would need to be re-inserted in and else clause.

This is a fine distinction.

This would leave to having the list and hash not contain the same
contents: Either the number of items is different, or the two sets
of
items are different.

There's a similar example in the code, I believe, but I'd have to
search for it.

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


On May 31, 2015, at 12:43 PM, Richard Levitte via RT
r...@openssl.orgmailto:r...@openssl.org wrote:

You solution does the following:

if (lh_SSL_SESSION_retrieve(p-cache, s) == s) {
(void)lh_SSL_SESSION_delete(p-cache, s);
...

Would you agree that the following does the same?

if (lh_SSL_SESSION_delete(p-cache, s) == s) {
...


On Sat May 30 09:48:06 2015, tsh...@akamai.commailto:tsh...@akamai.com wrote:
Hello OpenSSL Org:

This is a change that Akamai has made to its
implementation of OpenSSL.

Version: master branch
Description:
lh_SSL_SESSION_delete() not checked

Fix an OpenSSL issue where the
return code of lh_SSL_SESSION_delete()
is not checked, causing a
stale reference in the lhash.

Github link:


https://github.com/akamai/openssl/commit/3a114c2f0e3bf241732fef7a2d339a230ca68abc
And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”


--
Richard Levitte
levi...@openssl.org


--
Richard Levitte
levi...@openssl.org




--
Richard Levitte
levi...@openssl.org



___
openssl-dev mailing list
To unsubscribe: 

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

[Short, Todd via RT]

Note that this (almost) is identical to the Sun Microsystems contribution 
copyright in s3_both.c, s3_clnt.c s3_lib.c s3_srvr.c, ssl_cert.c ssl_ciph.c, 
ssl_lib.c and ssl_locl.h…

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On Jun 1, 2015, at 10:22 AM, Short, Todd via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Re: copyrights:

Planning to copy the (109-line) main copyright from another source file and 
append to it:

/* 
* Copyright (C) 2015 Akamai Technologies. ALL RIGHTS RESERVED.
* This code was originally developed by Akamai Technologies and
* and contributed to the OpenSSL project.
*/

Acceptable?
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On May 31, 2015, at 9:27 AM, Salz, Rich via RT 
r...@openssl.orgmailto:r...@openssl.orgmailto:r...@openssl.org wrote:


(Documentation is in the source files, not a .pod)

Do you have code to produce usable manpages from the embedded
documentation?  We can't ask users to read the source.

I believe Todd meant for the test program.


  * The copyright notice does not refer to any license that would allow
inclusion in OpenSSL.

Sigh.  We'll fix that to just submit with the akamai copyright and openssl 
license.





___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked

[Short, Todd via RT]

No,

The second code sample removes a matching instance, but not necessarily the 
same instance. If they are not the same instance, then it would need to be 
re-inserted in and else clause. 

This is a fine distinction. 

This would leave to having the list and hash not contain the same contents: 
Either the number of items is different, or the two sets of items are 
different. 

There's a similar example in the code, I believe, but I'd have to search for 
it. 

--
-Todd Short
// tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


 On May 31, 2015, at 12:43 PM, Richard Levitte via RT r...@openssl.org wrote:
 
 You solution does the following:
 
 if (lh_SSL_SESSION_retrieve(p-cache, s) == s) {
 (void)lh_SSL_SESSION_delete(p-cache, s);
 ...
 
 Would you agree that the following does the same?
 
 if (lh_SSL_SESSION_delete(p-cache, s) == s) {
 ...
 
 
 On Sat May 30 09:48:06 2015, tsh...@akamai.com wrote:
 Hello OpenSSL Org:
 
 This is a change that Akamai has made to its
 implementation of OpenSSL.
 
 Version: master branch
 Description:
 lh_SSL_SESSION_delete() not checked
 
 Fix an OpenSSL issue where the
 return code of lh_SSL_SESSION_delete()
 is not checked, causing a
 stale reference in the lhash.
 
 Github link:
 https://github.com/akamai/openssl/commit/3a114c2f0e3bf241732fef7a2d339a230ca68abc
 And attachment.
 
 Thank you.
 --
 -Todd Short
 // tsh...@akamai.com
 // “One if by land, two if by sea, three if by the Internet.”
 
 
 --
 Richard Levitte
 levi...@openssl.org
 


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked

[Short, Todd via RT]

We (Akamai) had a bad session compare function at one point; the compare was 
fixed, but also added this change to protect the LHASH.

So, yes, this can only really happen if one has a bad comparison function. 

--
-Todd Short
// tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


 On May 31, 2015, at 4:22 PM, Richard Levitte via RT r...@openssl.org wrote:
 
 I'm not sure how that can happen, as each SSL_SESSION in that lhash will have
 unique content. This is assured by the way lh_insert functions and by
 ssl_session_cmp (which gets called by getrn in lhash.c, via the function
 pointer cf).
 
 So while your suggestion will most probably work as a band aid, I'm thinking
 you've really found a bug in ssl_session_cmp or in the lhash code itself. 
 Could
 you verify?
 
 On Sun May 31 21:24:04 2015, tsh...@akamai.com wrote:
 No,
 
 The second code sample removes a matching instance, but not
 necessarily the same instance. If they are not the same instance, then
 it would need to be re-inserted in and else clause.
 
 This is a fine distinction.
 
 This would leave to having the list and hash not contain the same
 contents: Either the number of items is different, or the two sets of
 items are different.
 
 There's a similar example in the code, I believe, but I'd have to
 search for it.
 
 --
 -Todd Short
 // tsh...@akamai.com
 // Sent from my iPhone
 // One if by land, two if by sea, three if by the Internet.
 
 
 On May 31, 2015, at 12:43 PM, Richard Levitte via RT
 r...@openssl.org wrote:
 
 You solution does the following:
 
 if (lh_SSL_SESSION_retrieve(p-cache, s) == s) {
 (void)lh_SSL_SESSION_delete(p-cache, s);
 ...
 
 Would you agree that the following does the same?
 
 if (lh_SSL_SESSION_delete(p-cache, s) == s) {
 ...
 
 
 On Sat May 30 09:48:06 2015, tsh...@akamai.com wrote:
 Hello OpenSSL Org:
 
 This is a change that Akamai has made to its
 implementation of OpenSSL.
 
 Version: master branch
 Description:
 lh_SSL_SESSION_delete() not checked
 
 Fix an OpenSSL issue where the
 return code of lh_SSL_SESSION_delete()
 is not checked, causing a
 stale reference in the lhash.
 
 Github link:
 https://github.com/akamai/openssl/commit/3a114c2f0e3bf241732fef7a2d339a230ca68abc
 And attachment.
 
 Thank you.
 --
 -Todd Short
 // tsh...@akamai.com
 // “One if by land, two if by sea, three if by the Internet.”
 
 
 --
 Richard Levitte
 levi...@openssl.org
 
 
 --
 Richard Levitte
 levi...@openssl.org
 


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

[Short, Todd via RT]

Many of the changes Akamai has did not include proper documentation. I have 
noted these and will send updated patches when done. I will also update the 
copyrights.

--
-Todd Short
// tsh...@akamai.com
// One if by land, two if by sea, three if by the Internet.


 On May 31, 2015, at 9:27 AM, Salz, Rich via RT r...@openssl.org wrote:
 
 
 (Documentation is in the source files, not a .pod)
 
 Do you have code to produce usable manpages from the embedded
 documentation?  We can't ask users to read the source.
 
 I believe Todd meant for the test program.
 
 
* The copyright notice does not refer to any license that would allow
  inclusion in OpenSSL.
 
 Sigh.  We'll fix that to just submit with the akamai copyright and openssl 
 license.
 
 
 


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3882] [BUGFIX] lh_SSL_SESSION_delete() not checked

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  lh_SSL_SESSION_delete() not checked

Fix an OpenSSL issue where the return code of lh_SSL_SESSION_delete()
is not checked, causing a stale reference in the lhash.

Github link:

https://github.com/akamai/openssl/commit/3a114c2f0e3bf241732fef7a2d339a230ca68abc

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0001-lh_SSL_SESSION_delete-not-checked.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3881] [PATCH] Instrument OpenSSL buffer heap memory usage

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  Instrument OpenSSL buffer heap memory usage

Added function to register callbacks to allocate and free data buffers.

These callbacks can then allocate and free the memory as needed, while
also recording buffer allocations.

This permits a user-definable implementation of FREE_BUFLIST, which has been 
removed.

(Yes, documentation is lacking at this point).

Github link:

https://github.com/akamai/openssl/commit/4a6d71bbd2f4fe38ebcbe2f9917a1c7fedd117f8

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0022-Instrument-OpenSSL-buffer-heap-memory-usage.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3880] [PATCH] Windows: Add definitions for AI_ constants

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  Windows: Add definitions for AI_ constants

Add definitions for AI_ADDRCONFIG and AI_NUMERICSERV

Github link:

https://github.com/akamai/openssl/commit/4ca23c77fabd23cd610ada221fac494c0ae9b030

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”




0021-Windows-Add-defintions-for-AI_-constants.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit-64-bit

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  OpenSSL fails to cross-compile on 32-bit-64-bit

Older/32-bit versions of perl cannot handle 64-bit numbers, so when
the x86_64-xlate.pl script encounters a 64-bit number, the oct()
function munges it into a double-precision rather than a 64-bit
integer. In this case, we know it's either a hex number or an octal
number. So, if hex, just pass through as hex string, otherwise allow
oct() to handle it.

This is a problem in ghash-x86_64.pl (ghash-x86_64.s), and the solution
has an impact all 64-bit platforms. Ran the unit tests to make sure it's
OK

Github link:

https://github.com/akamai/openssl/commit/89808ba6a3e3ab69b12518dc5ba651eb29c18ee7

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”




0004-OpenSSL-fails-to-cross-compile-on-32-bit-64-bit.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3884] [PATCH] Add support for Win64 in o_str.c

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  Add support for Win64 in o_str.c

OPENSSL_SYS_WIN64 is missing in a check for windows.

Github link:

https://github.com/akamai/openssl/commit/a4204b839be4b33cd0f4e7e2639aae6384e1c2d7

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0003-Add-support-for-Win64-in-o_str.c.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3883] [PATCH] Add IPv4/IPv6:port-based client cache

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description:  Add IPv4/IPv6:port-based client cache

Update client cache to use IPv4/v6 addresses via sockaddr_storage.
Add unit tests for client cache

(Documentation is in the source files, not a .pod)

Github link:

https://github.com/akamai/openssl/commit/6bac97c07d7f6eb3015a2b5fe2869b0560a9594a

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0002-Add-IPv4-IPv6-port-based-client-cache.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3876] [PATCH] Do not complain if config file not found

[Short, Todd via RT]

The parameters in the configuration file, in general, apply only to certificate 
operations. The openssl application does way more than certificate operations, 
and seeing a warning for a configuration file that has no impact on the 
operation being performed is annoying. Rather than completely remove the 
warning, I would instead suggest that the warning only be issued for certain 
commands that may use parameters from the configuration file.

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On May 28, 2015, at 8:19 AM, Blumenthal, Uri - 0553 - MITLL 
u...@ll.mit.edumailto:u...@ll.mit.edu wrote:

If I want and expect openssl to use a config file, and it did not find it - 
it's darn useful for me to be informed of that fact by openssl.


- Original Message -
From: Rich Salz via RT [mailto:r...@openssl.org]
Sent: Wednesday, May 27, 2015 08:44 PM
To: tsh...@akamai.commailto:tsh...@akamai.com 
tsh...@akamai.commailto:tsh...@akamai.com
Cc: openssl-dev@openssl.orgmailto:openssl-dev@openssl.org 
openssl-dev@openssl.orgmailto:openssl-dev@openssl.org
Subject: [openssl-dev] [openssl.orghttp://openssl.org #3876] [PATCH] Do not 
complain if config file not found

Because it goes ahead and proceeds. Not it is explicit testing ENOTFOUND.
It should either error+exit or not complain.

I can be convinced the current behavior is useful.
--
Rich Salz, OpenSSL dev team; rs...@openssl.orgmailto:rs...@openssl.org

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3873] [PATCH] Add traffic counters

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add traffic counters

Add data counters to SSL structure bytes_written and bytes_read
Includes SSL_get_byte_counters() API.

Github link:
https://github.com/akamai/openssl/commit/517559c8637cda3750b39017685742590f1b692e

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0016-Add-traffic-counters.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3874] [PATCH] Add certificate verify data to SSL struct

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add certificate verify data to SSL struct

Add app_verify_callback and app_verify_arg to the SSL structure and add
SSL_SESSION_set_verify_result() API. The values are copied from the
SSL_CTX into the SSL. There is also an SSL_set_cert_verify_callback() API.

Github link:
https://github.com/akamai/openssl/commit/a7d729491c2dacd4dae01eb49e1ca3ff797133ff

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0017-Add-certificate-verify-data-to-SSL-struct.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3876] [PATCH] Do not complain if config file not found

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Do not complain if config file not found

Remove warning when OpenSSL config file can't be found

Github link:
https://github.com/akamai/openssl/commit/48ad3880d3247063098d1d2b0aa4e362c4b9d996

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0019-Do-not-complain-if-config-file-not-found.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3877] [PATCH] Add X509 OCSP error codes and messages

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add X509 OCSP error codes and messages

Github link:
https://github.com/akamai/openssl/commit/6a4a5ae2cca42c5143d82b2fd5520c1c64724d4f

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0020-Add-X509-OCSP-error-codes-and-messages.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3875] [PATCH] Add external X509_STORE to SSL_CTX

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add external X509_STORE to SSL_CTX

Add SSL_CTX_set_cert_store_ref() API to add an external X509_STORE to
an SSL_CTX. (There is no get API).
Github link:
https://github.com/akamai/openssl/commit/517559c8637cda3750b39017685742590f1b692e

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0018-Add-external-X509_STORE-to-SSL_CTX.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3876] [PATCH] Do not complain if config file not found

[Short, Todd via RT]

I'll let the original author (Rich Salz, cc'd), explain. 

--
-Todd Short
// tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


 On May 27, 2015, at 6:40 PM, Daniel Kahn Gillmor via RT r...@openssl.org 
 wrote:
 
 On Wed 2015-05-27 16:32:45 -0400, Short, Todd via RT wrote:
 
 This is a change that Akamai has made to its implementation of OpenSSL.
 
 Version: master branch
 Description: Do not complain if config file not found
 
 Remove warning when OpenSSL config file can't be found
 
 Github link:
 https://github.com/akamai/openssl/commit/48ad3880d3247063098d1d2b0aa4e362c4b9d996
 
 Why?  Is this warning no longer relevant?
 
  --dkg
 
 


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3865] [Patch] Add DISALLOW_RENEGOTIATION option

[Short, Todd via RT]

Hi Daniel:

I don't disagree. These patches were made by Akamai employees over the years, 
and we are finally able to contribute to them. They are of varying quality when 
it comes to documentation (usually based on the original author of the patch).

--
-Todd Short
// tsh...@akamai.com
// Sent from my iPhone
// One if by land, two if by sea, three if by the Internet.


 On May 27, 2015, at 5:43 PM, Daniel Kahn Gillmor d...@fifthhorseman.net 
 wrote:
 
 On Tue 2015-05-26 14:56:10 -0400, Short, Todd via RT wrote:
 This is a change that Akamai has made to its implementation of OpenSSL.
 
 Version: master branch
 Description: Add DISALLOW_RENEGOTIATION option
 
 Add support to disallow renegotiation in openssl
 The bit definition may need to change when pulled.
 
 Thanks for these patches, Todd!
 
 It would be great if patches which add new configuration options also
 were to update the documentation.  It looks like this changeset would
 want to also provide patches for:
 
 doc/ssl/SSL_CTX_set_options.pod
 doc/apps/s_server.pod
 
  --dkg


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3724] Patch/Feature to add asynchronous processing for some operations

[Short, Todd via RT]

Hello All:

We have an updated patch for this. Github link:

https://github.com/akamai/openssl/commit/33081aea3b86852c676e3715745aa7c295a34150




0003-Add-asynchronous-event-processing.patch
Description: Binary data

---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."

On Feb 27, 2015, at 3:14 PM, Short, Todd via RT r...@openssl.org wrote:Hello OpenSSL Org:This is a change that Akamai has made to its implementation of OpenSSL.Version: master branchDescription: Patch/Feature to add asynchronous processing for some operationsThis change rebrands SSL_ERROR_WANT_X509_LOOKUP to be SSL_ERROR_WANT_EVENT, making an event type to wait for visible in SSL-rwstate and letting TLS_SRP have its own event type instead of piggybacking on SSL_X509_LOOKUP. This also adds events for for decryption of client key exchange response, generating client certificate verify message and signing of server key exchange message. these typically long-duration RSA operations. The events are:# define SSL_MIN_EVENT 1000/* client is deciding which cert to present - doesn't follow MIN */# define SSL_EVENT_X509_LOOKUP SSL_X509_LOOKUP/* server is processing TLS SRP client hello */# define SSL_EVENT_SRP_CLIENTHELLO 1000/* server is waiting for decryption of key */# define SSL_EVENT_KEY_EXCH_DECRYPT_DONE 1001/* client is waiting for cert verify setup */# define SSL_EVENT_SETUP_CERT_VRFY_DONE 1002/* server is siging the message for key exchange */New APIs:void SSL_CTX_set_schedule_task_cb(SSL_CTX *ctx, SSL_schedule_task_cb cb);int SSL_signal_event(const SSL *ssl, int event, int retcode);int SSL_signal_event_err(const SSL *ssl, int event, int func, int reason, const char *file, int line);int SSL_want_event(const SSL *ssl);Github link:https://github.com/akamai/openssl/commit/e4fa5107524bb5e6e4c79953d436b7e59ee6c5e2And attachment.Thank you.---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."0004-Rebranding-of-SSL_ERROR_WANT_X509_LOOKUP-as-SSL_ERRO.patch___openssl-dev mailing listTo unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3729] Patch to add support for iovec-based IO in OpenSSL

[Short, Todd via RT]

Hello again:

We have an updated patch for this. Github link:

https://github.com/akamai/openssl/commit/17431369cce8e4cd01f6f236fb2d6a75c8c79aef




0009-Add-iovec-based-I-O-routines.patch
Description: Binary data

---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."

On Mar 6, 2015, at 10:02 AM, Short, Todd via RT r...@openssl.org wrote:Hello OpenSSL Org:This is a change that Akamai has made to its implementation of OpenSSL.Version: master branchDescription: Add “struct iovec” variants to ssl IO (configurable, disabled by default)This adds support of iovec-based IO into openSSL. iovec can be faster than normal IO mechanism as there are fewer calls into the kernel.Regular APIs are modified to use “ssl_bucket” (similar to iovec structures) at the lower level, so the IO path is still the same regardless of whether iovec-based APIs are used or not.Github link:https://github.com/akamai/openssl/commit/91f65728bbd7d52ae6b75050d31e197591769d78And attachment.Thank you.---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."0001-Add-struct-iovec-variants-to-ssl-IO-configurable-dis.patch___openssl-dev mailing listTo unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3870] [PATCH] Async TLSEXT servername support.

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Async TLSEXT servername support.

Adds support for processing the servername TLSEXT asynchronously,
using the SSL_WANT_EVENT mechanism (RT 3724).

Github link:
https://github.com/akamai/openssl/commit/0205cc4eee7084e65a69995293ad584f7da21fa9

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0015-Async-TLSEXT-servername-support.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3869] [PATCH] Add shared session lists in SSL_CTX

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add shared session lists in SSL_CTX

Support for shared session lists via SSL_CTX_share_session_cache().
Added locking during the sharing and cleanup.

Github link:
https://github.com/akamai/openssl/commit/fe1e4ac33a89e9176af0b645eafc2aaec5fc2266

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.”



0014-Add-shared-session-lists-in-SSL_CTX.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add SSL_get0_peer_certificate()
Add SSL_get0_peer_certificate() function which just returns the
pointer to the certificate; SSL_get_peer_certificate() increments
the references

Github link:
https://github.com/akamai/openssl/commit/83ec5c0d576f6d38ed84b914038e052b525d6828

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0013-Add-SSL_get0_peer_certificate.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3867] [PATCH] Support Multiple CA certs in ocsp app

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Support Multiple CA certs in ocsp app

Add the ability to read multiple CA certs from a single file in the
ocsp app.

Github link:
https://github.com/akamai/openssl/commit/7f5ed141fef8509b589b5a5601f0ec2bf5e08faf

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0012-Support-Multiple-CA-certs-in-ocsp-app.patch
Description: Binary data


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3865] [Patch] Add DISALLOW_RENEGOTIATION option

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add DISALLOW_RENEGOTIATION option

Add support to disallow renegotiation in openssl
The bit definition may need to change when pulled.

Github link:
https://github.com/akamai/openssl/commit/fcab621995d55d8873a02a96d5a8157f38469ebb

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0010-Add-DISALLOW_RENEGOTIATION-option.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3866] [PATCH] Support for vc10 build

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Support for vc10 build

Includes some changes for VC9 and VC7 compiles as well

Github link:
https://github.com/akamai/openssl/commit/dcd470b6ab92b8e2661872de298de78de1b5057b

And attachment.

Thank you.

--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0011-Support-for-vc10-build.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3722] Patch to add -preserve_dates option to x509 app

[Short, Todd via RT]

Hello All,

We have an updated patch for this. Github link:

https://github.com/akamai/openssl/commit/e3909f5dc3ce841515cbe925a0d5138664a0c41c




0006-Add-preserve-dates-to-x509-app.patch
Description: Binary data

---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."

On Feb 27, 2015, at 3:14 PM, Short, Todd via RT r...@openssl.org wrote:Hello OpenSSL Org:This is a change that Akamai has made to its implementation of OpenSSL.Version: master branchDescription: Add -preserve_dates option to x509 appIf -preserve_dates is passed to the x509 app, any changes to the certificate will not change the validity dates.Github link:https://github.com/akamai/openssl/commit/b11e6b59e802f9fab0675126018529db7f2259e0And attachment.Thank you.---Todd Short// tsh...@akamai.commailto:tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."0007-Add-preserve-dates-to-x509-app.patch___openssl-dev mailing listTo unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3717] Patch for IPv6 support in s_client/s_server

[Short, Todd via RT]

I was unaware of 2501. But that’s fine by me… however, why hasn’t 2051 been 
applied to the code?
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On Mar 24, 2015, at 4:14 PM, Quanah Gibson-Mount 
qua...@zimbra.commailto:qua...@zimbra.com wrote:

--On Tuesday, March 03, 2015 3:15 PM -0600 Short, Todd 
tsh...@akamai.commailto:tsh...@akamai.com wrote:

The previous patch file had two bugs due to a swapped argument and the
formatting changes (missing braces).


The attached is an updated patch.

Why did you open a new RT when 
http://rt.openssl.org/Ticket/Display.html?id=2051 already exists and has for 
ages?  I would suggest RT3717 be marked as a duplicate of 2051.

--Quanah

--

Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.

Zimbra ::  the leader in open source messaging and collaboration
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3744] Enhancement Request

[Short, Todd via RT]

This is more of a request to change the TLS protocol, than an enhancement to 
OpenSSL.

DHE and ECDHE ciphers provide PFS to protect against compromised public 
key-pairs.

However, if a MITM has the same certificate, signed by a trusted certificate 
authority, then most bets are off.

Client-authentication can provide additional protection against MITM attacks, 
and allow servers to identify if a MITM is interfering with a valid user.
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On Mar 11, 2015, at 8:28 AM, Shawn Fernandes via RT 
r...@openssl.orgmailto:r...@openssl.org wrote:

Hi,
At the moment, we have SSL handshake making use of a single certificate, using 
a single key-pair present in the certificate.
In the event the MITM has the same certificate(SSL - offloader) then the data 
can be encrypted/decrypted.
Would like to know if we can have the enhancement of using random key pair, 
generated form each certificate, so that each SSL handshake would make use of a 
random key-pair, and thereby give a different key value to each encryption 
-decryption, and therby be able to determine if the MITM with a same 
certificate has decrypted  encrypted data.
With Regards,
Shawn

___
openssl-dev mailing list
To unsubscribe: 
https://urldefense.proofpoint.com/v2/url?u=https-3A__mta.openssl.org_mailman_listinfo_openssl-2Ddevd=AwICAgc=96ZbZZcaMF4w0F4jpN6LZgr=QBEcQsqoUDdk1Q26CzlzNPPUkKYWIh1LYsiHAwmtRikm=ds4i2k1LUtsCfZgPMHS2VdrUvh5w6_xSLfNdm1vpRPos=kEns4AYdLMO2_ASqWmVdf9jEzb8yMzvELxKIbzr6Mqce=


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3729] Patch to add support for iovec-based IO in OpenSSL

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add “struct iovec” variants to ssl IO (configurable, disabled by 
default)

This adds support of iovec-based IO into openSSL. iovec can be faster than 
normal IO mechanism as there are fewer calls into the kernel.
Regular APIs are modified to use “ssl_bucket” (similar to iovec structures) at 
the lower level, so the IO path is still the same regardless of whether 
iovec-based APIs are used or not.

Github link:
https://github.com/akamai/openssl/commit/91f65728bbd7d52ae6b75050d31e197591769d78

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.




0001-Add-struct-iovec-variants-to-ssl-IO-configurable-dis.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates

[Short, Todd via RT]

This code is currently being used by Akamai to check for the validity of 
certificates.

I find it highly unusual for multiple certificates to have the same SubjectDN 
to be valid simultaneously.
All those certificates would need to have a unique serial number; but the 
Issuer’s serial number is is not included in the certificate, so there’s no 
easy way to determine the issuing certificate.

To validate those chains, the signature would have to be validated using the 
public key of each certificate that matches the Issuer. That can be an 
expensive proposition, and there are clients that will give up after the first 
failure.

Have you seen any chains like this IRL?

Do you know of any CA that have their chains set up like this?

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.

On Feb 27, 2015, at 5:31 PM, Brian Smith 
br...@briansmith.orgmailto:br...@briansmith.org wrote:

Short, Todd via RT r...@openssl.orgmailto:r...@openssl.org wrote:
Check that in matching issuer/subject certs, that a self-signed subject also 
has a self-signed issuer.
Given that the subject certificate is self-signed, it means that the issuer and 
the subject are the same certificate. This change verifies that.

Github link:
https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

Could you explain this more?

In your patch, there is a comment that says Input certificate
(subject) is self signed. But, the test is that the issuer name
equals the subject name. That means the certificate is self-*issued*,
not self-*signed*.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key2 }
{ Subject=Foo, Issuer=Foo, Key=Key2, Signed by Key3 }
{ Subject=Foo, Issuer=Foo, Key=Key3, Signed by Key3, Trust Anchor }

All three certificates are self-issued. The issuer of the first
certificate is not self-signed but it is self-issued. But, it being
self-issued doesn't matter because it isn't a trust anchor.

Consider this chain:

{ Subject=Foo, Issuer=Foo, Key=Key1, Signed by Key1 }
{ Subject=Foo, Issuer=Bar, Key=Key1, Signed by Key2 }
{ Subject=Bar, Issuer=Bar, Key=Key2, Signed by Key2, Trust Anchor }

The first certificate is self-signed and self-issued. It's issuer is
not self-signed or self-issued, so your patch would reject this chain.
But, this is a valid chain.

Cheers,
Brian
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3720] Patch for Increment SSL session miss counter appropriately

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Increment SSL session miss counter appropriately

There is a missing increment of ctx-stats.sess_miss.

Github link:
https://github.com/akamai/openssl/commit/794af05da2ff8dc40083ad0c5f7ba9ee6e6fa723

And attachment.

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0005-Increment-ssl-session-miss-counter-properly.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3721] Patch for additional checking of self-signed certificates

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Additional checking of self-signed certificates.

Check that in matching issuer/subject certs, that a self-signed subject also 
has a self-signed issuer.
Given that the subject certificate is self-signed, it means that the issuer and 
the subject are the same certificate. This change verifies that.

Github link:
https://github.com/akamai/openssl/commit/faff94b732472616828fe724e09053f134ebb88b

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0006-Check-that-in-matching-issuer-subject-certs-that-a-s.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3723] Patch to add short name Email to emailAddress object

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add short name Email to emailAddress object (crypto/object*)

Provides “Email” as a short name for “emailAddress”.

Github link:
https://github.com/akamai/openssl/commit/f4fad8d9eadac5e997395eeac5a101796663a8a7

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0008-Add-short-name-Email-to-emailAddress-object-crypto-o.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3722] Patch to add -preserve_dates option to x509 app

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Add -preserve_dates option to x509 app

If -preserve_dates is passed to the x509 app, any changes to the certificate 
will not change the validity dates.

Github link:
https://github.com/akamai/openssl/commit/b11e6b59e802f9fab0675126018529db7f2259e0

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0007-Add-preserve-dates-to-x509-app.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3724] Patch/Feature to add asynchronous processing for some operations

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to its implementation of OpenSSL.

Version: master branch
Description: Patch/Feature to add asynchronous processing for some operations

This change rebrands SSL_ERROR_WANT_X509_LOOKUP to be SSL_ERROR_WANT_EVENT, 
making an event type to wait for visible in SSL-rwstate and letting TLS_SRP 
have its own event type instead of piggybacking on SSL_X509_LOOKUP. This also 
adds events for for decryption of client key exchange response, generating 
client certificate verify message and signing of server key exchange message. 
these typically long-duration RSA operations. The events are:

# define SSL_MIN_EVENT1000
/* client is deciding which cert to present - doesn't follow MIN */
# define SSL_EVENT_X509_LOOKUPSSL_X509_LOOKUP
/* server is processing TLS SRP client hello */
# define SSL_EVENT_SRP_CLIENTHELLO1000
/* server is waiting for decryption of key */
# define SSL_EVENT_KEY_EXCH_DECRYPT_DONE  1001
/* client is waiting for cert verify setup */
# define SSL_EVENT_SETUP_CERT_VRFY_DONE   1002
/* server is siging the message for key exchange */

New APIs:
void SSL_CTX_set_schedule_task_cb(SSL_CTX *ctx, SSL_schedule_task_cb cb);
int SSL_signal_event(const SSL *ssl, int event, int retcode);
int SSL_signal_event_err(const SSL *ssl, int event, int func, int reason, const 
char *file, int line);
int SSL_want_event(const SSL *ssl);

Github link:
https://github.com/akamai/openssl/commit/e4fa5107524bb5e6e4c79953d436b7e59ee6c5e2

And attachment.

Thank you.
--
-Todd Short
// tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0004-Rebranding-of-SSL_ERROR_WANT_X509_LOOKUP-as-SSL_ERRO.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3716] Patch for setting preferred cipher list

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to it’s implementation of OpenSSL.

Description: Adds connivence methods to set preferred cipher list

This adds two wrappers:
* SSL_CTX_set_ciphers_ex() sets the cipher list and sets the SSL_OP_CIPHER 
flags.
* SSL_CTX_set_preferred_ciphers() sets the cipher list via 
SSL_CTX_set_ciphers_ex() and turns on SSL_OP_CIPHER_SERVER_PREFERENCE

GitHub Link:
https://github.com/akamai/openssl/commit/86a216938e4c9381973f537352e01ba392e5688e
And attachment.



0001-Adds-convenience-method-to-set-preferred-cipher-list.patch
Description: Binary data
Thank you.
---Todd Short// tsh...@akamai.com// “One if by land, two if by sea, three if by the Internet."

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3717] Patch for IPv6 support in s_client/s_server

[Short, Todd via RT]

Hello OpenSSL Org:

This is a change that Akamai has made to it’s implementation of OpenSSL.

Version: master branch
Description: Adds IPv6 support in s_client/s_server

This adds two options, -4 and -6, to specify the address family to connect 
with. In addition, the address field on the command line is parsed via 
getaddrinfo().

GitHub Link:
https://github.com/akamai/openssl/commit/6878f747167f2cba82316d5f664c2bac88554cb3

And attachment.

Thank you:
--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.



0003-Provides-IPv6-support-in-s_client-s_server-Patch-ipv.patch
Description: Binary data
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3710] New EX_DATA indices should start at 1

[Short, Todd via RT]

As written now, CRYPTO_get_ex_new_index() will return 0 as an index the first 
time it is called. When called, CRYPTO_get_ex_new_index() adds a new, dup and 
free function for the index.

This conflicts with the common use of “app_data” (e.g. SSL_set_app_data(), 
BIO_set_app_data()) which uses index 0, and does not explicitly reserve it. 
This can lead to invalid memory frees and/or leaked memory.

Having the indices returned by CRYPTO_get_ex_new_index() start at 1 avoids this.

--
-Todd Short
// tsh...@akamai.commailto:tsh...@akamai.com
// “One if by land, two if by sea, three if by the Internet.


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev