[openssl.org #631] Bug report
The bug is in the file x509v3/v3_lib.c in the function X509V3_get_d2i() in the 0.9.7b source code. This bug affects all operating systems.

The problem: If the idx parameter points to an integer index, then the function always returns NULL.

Here's the fixed code, with my addition marked with a comment:

    void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx)
    {
        int lastpos, i;
        X509_EXTENSION *ex, *found_ex = NULL;
        if(!x) {
            if(idx) *idx = -1;
            if(crit) *crit = -1;
            return NULL;
        }
        if(idx) lastpos = *idx + 1;
        else lastpos = 0;
        if(lastpos < 0) lastpos = 0;
        for(i = lastpos; i < sk_X509_EXTENSION_num(x); i++)
        {
            ex = sk_X509_EXTENSION_value(x, i);
            if(OBJ_obj2nid(ex->object) == nid) {
                if(idx) {
                    *idx = i;
                    found_ex = ex; /*** this fixes the bug */
                    break;
                } else if(found_ex) {
                    /* Found more than one */
                    if(crit) *crit = -2;
                    return NULL;
                }
                found_ex = ex;
            }
        }
        if(found_ex) {
            /* Found it */
            if(crit) *crit = X509_EXTENSION_get_critical(found_ex);
            return X509V3_EXT_d2i(found_ex);
        }

        /* Extension not found */
        if(idx) *idx = -1;
        if(crit) *crit = -1;
        return NULL;
    }

--
Doug Sauder
Hunny Software, Inc
Email: [EMAIL PROTECTED]

__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
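A self-contained model of the lookup described in the report above, added here as an illustration and not part of the original message or of OpenSSL. `struct ext`, `get_ext()`, `count_matches()` and the sample list are hypothetical stand-ins; the model shows what the missing assignment does to a caller that walks repeated extensions through `idx`.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for X509_EXTENSION: an id, a critical flag, a value. */
struct ext { int nid; int critical; const char *value; };

/* Constructed sample list: two entries share nid 7, one has nid 9. */
static const struct ext EXTS[] = { {7, 0, "first"}, {9, 1, "other"}, {7, 0, "second"} };
enum { N_EXTS = 3 };

/* Same control flow as the reported function; fixed=1 enables the added line. */
const char *get_ext(int nid, int *crit, int *idx, int fixed)
{
    const struct ext *found = NULL;
    int lastpos = idx ? *idx + 1 : 0;
    if (lastpos < 0) lastpos = 0;
    for (int i = lastpos; i < N_EXTS; i++) {
        if (EXTS[i].nid != nid) continue;
        if (idx) {
            *idx = i;
            if (fixed) found = &EXTS[i];   /* the line the report adds */
            break;
        } else if (found) {                /* idx == NULL: match must be unique */
            if (crit) *crit = -2;
            return NULL;
        }
        found = &EXTS[i];
    }
    if (found) {
        if (crit) *crit = found->critical;
        return found->value;
    }
    if (idx) *idx = -1;                    /* not found, or found but dropped */
    if (crit) *crit = -1;
    return NULL;
}

/* Caller pattern idx exists for: visit every extension with this nid. */
int count_matches(int nid, int fixed)
{
    int idx = -1, count = 0;
    while (get_ext(nid, NULL, &idx, fixed) != NULL) count++;
    return count;
}

int main(void)
{
    printf("before fix: %d, after fix: %d\n", count_matches(7, 0), count_matches(7, 1));
    return 0;
}
```

Without the added line the enumeration finds nothing, so any check a caller applies to each matching extension is silently skipped.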
Re: Custom error handling
Ok, the code would be something like this:

    if(err->disable)
        return;

On a x86 cpu:

    read err:     1 cycle
    read disable: 1 cycle
    if:           3/5 cycles

We don't count the return since it's conditional and in any event it will be called. I think that modern CPU will be capable of handling the 5/7 extra cycles, in those 4 functions :)

Frédéric Giudicelli
http://www.newpki.org

- Original Message -
From: Rich Salz [EMAIL PROTECTED]
To: Frédéric Giudicelli [EMAIL PROTECTED]
Cc: Richard Levitte - VMS Whacker [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, May 28, 2003 1:33 PM
Subject: Re: Custom error handling

> In any event I think that functions ERR_disable() and ERR_enable() are still necessary, In my case I really don't care what errors the child functions generate since I'm in an post-error cleaning function, I see no point in wasting some CPU and RAM

Modifying all the code to check are errors enabled and then do the right thing will take more CPU and the library will be bigger, taking more RAM. Richard's idea is much better.

/r$

--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
Macros for getting time
I've made my own makefile for a target that isn't supported by OpenSSL (Open Watcom for Win32 to be exact). I'm wondering about the define in e.g. crypto/des/des_opts.c:

    #if !defined(OPENSSL_SYS_MSDOS) && (!defined(OPENSSL_SYS_VMS) || ...
    #define TIMES
    #endif

That assumption is IMHO way too optimistic because neither Watcom nor MingW have struct tms. A macro should be tested against compiler and not the system it's targeting. I suggest defining something like this in opensslconf.h.in:

    #if defined(_unix) || defined(__MINGW32__) || defined(__WATCOMC__) || \
        defined(OPENSSL_SYS_VMS) || defined(__DECC) .. etc.
    #define HAVE_STRUCT_TIMEB
    #elif !defined(OPENSSL_SYS_MACOSX)
    #define HAVE_STRUCT_TMS
    #endif

    #if defined(HAVE_STRUCT_TMS)
    typedef struct tms OPENSSL_time;
    #define GETTIME(t) times(t)
    #define TIME_HEADER <sys/times.h>
    #elif defined(HAVE_STRUCT_TIMEB)
    typedef struct timeb OPENSSL_time;
    #define GETTIME(t) ftime(t)
    #define TIME_HEADER <sys/timeb.h>
    #else
    #error Help, No way to get time !?.
    #endif

Should be no need to include <sys/types.h> before TIME_HEADER. It's already in e_os.h, right?

Maybe 'HAVE_STRUCT_xx' should be added to the configure process, AFAICS it doesn't test for those headers.

Just my 0.02 Euro.

--gv
Re: RE : RE : Old mail currently unaccessible to me...
On Wed, May 28, 2003, p b wrote:

> I had made some test: in fact when I changed the iv, I only changed few bits, so the uncrypted file seems to be the same. (whatever the value of iv, only the first block changes). It's ok.

That's expected behaviour for CBC mode.

> phb> In the man, when you write EVP_CipherInit always use the
> phb> default cipher implementation, is that mean that even using
> phb> EVP_get_cipherbyname(aes-256-cbc), the cipher is not set to
> phb> aes-256-cbc?
>
> With this type of initialisation, EVP_CipherInit use aes-256-cbc. In fact, it seems that there's no default cipher in openssl.

What it means is that it uses the default implementation *of that cipher*. This will normally be the built-in software version.

There can however be multiple implementations of a given cipher for example hardware implementations in ENGINEs. An ENGINE can replace the default implementation so that for example an accelerated hardware version is used by default instead of the software one.

It is also possible for an application to specify non default implementations of ciphers if they wish to.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
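The CBC behaviour confirmed in the reply above, as an added example that is not part of the original thread: decrypting with an IV that differs in one bit damages only the first block, and only in that same bit. The block transform is a toy stand-in (not AES, not secure), and every name and sample byte here is constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BLK 8            /* toy block size; AES uses 16 */
#define N   (4 * BLK)    /* four blocks of sample data */

/* Toy invertible block transform standing in for the real cipher (NOT secure). */
static uint8_t rotl8(uint8_t v, int r) { return (uint8_t)((v << r) | (v >> (8 - r))); }
static void toy_enc(const uint8_t *k, uint8_t *b) {
    for (int i = 0; i < BLK; i++) b[i] = (uint8_t)(rotl8(b[i] ^ k[i], 3) + k[(i + 1) % BLK]);
}
static void toy_dec(const uint8_t *k, uint8_t *b) {
    for (int i = 0; i < BLK; i++) b[i] = rotl8((uint8_t)(b[i] - k[(i + 1) % BLK]), 5) ^ k[i];
}

/* CBC over N bytes; dec=0 encrypts, dec=1 decrypts. in and out must not overlap. */
static void cbc(const uint8_t *k, const uint8_t *iv, const uint8_t *in, uint8_t *out, int dec) {
    const uint8_t *prev = iv;            /* the IV is only ever XORed into block 0 */
    for (size_t off = 0; off < N; off += BLK) {
        memcpy(out + off, in + off, BLK);
        if (dec) toy_dec(k, out + off);
        for (int i = 0; i < BLK; i++) out[off + i] ^= prev[i];
        if (!dec) toy_enc(k, out + off);
        prev = (dec ? in : out) + off;   /* chain on the ciphertext block */
    }
}

/* Constructed sample key, two IVs differing in one bit, and a 32-byte plaintext. */
static const uint8_t KEY[BLK] = {0x13, 0x57, 0x9b, 0xdf, 0x02, 0x46, 0x8a, 0xce};
const uint8_t IV_A[BLK] = {0, 1, 2, 3, 4, 5, 6, 7};
const uint8_t IV_B[BLK] = {0, 1, 2, 3, 4, 5, 6, 6};
const uint8_t PLAIN[N + 1] = "CBC mode: wrong IV, block 0 only";
uint8_t RECOVERED[N];

/* Encrypt with enc_iv, decrypt with dec_iv; bit b set => block b came back wrong. */
unsigned damaged_blocks(const uint8_t *enc_iv, const uint8_t *dec_iv) {
    uint8_t ct[N];
    unsigned mask = 0;
    cbc(KEY, enc_iv, PLAIN, ct, 0);
    cbc(KEY, dec_iv, ct, RECOVERED, 1);
    for (unsigned b = 0; b < N / BLK; b++)
        if (memcmp(RECOVERED + b * BLK, PLAIN + b * BLK, BLK)) mask |= 1u << b;
    return mask;
}

int main(void) {
    printf("same IV: 0x%x  wrong IV: 0x%x\n", damaged_blocks(IV_A, IV_A), damaged_blocks(IV_A, IV_B));
    return 0;
}
```

The IV therefore does not act as a second key: everything after the first block decrypts correctly with the key alone.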
[openssl.org #632] Unable to connect with some servers via SSL (openssl-0.9.7a and 7b)
Hi,

I'm unable to connect via SSL with IBM Apache Web server (MUZO, the card-payment company in the Czech Republic). I'm using Red Hat 9 (openssl-0.9.7a-5) and the connection is closed after sending HTTP request. Red Hat Linux version 8.0 is fine (openssl-0.9.6b-33).

The error is 100% reproducible, try following commands:

    openssl s_client -connect epay.paynet.cz:443
    GET / HTTP/1.0

This generates error message read:errno=0 immediately after second line (Enter). In the correct case there is a reply with a HTML page. I'm able to view pages using Mozilla but not with links or lynx. Also curl is unable to get a page (because using openssl dynamic library).

I'm not able to verify this bug on another system because no one has 0.9.7 version of your product. I tried to compile and use openssl-0.9.7b with no luck.

--
Milan Kerslager
E-mail: [EMAIL PROTECTED]
WWW: http://www.pslib.cz/~kerslage/
[openssl.org #632] Unable to connect with some servers via SSL (openssl-0.9.7a and 7b)
[EMAIL PROTECTED] - Wed May 28 18:56:15 2003]:

> Hi,
>
> I'm unable to connect via SSL with IBM Apache Web server (MUZO, the card-payment company in the Czech Republic). I'm using Red Hat 9 (openssl-0.9.7a-5) and the connection is closed after sending HTTP request. Red Hat Linux version 8.0 is fine (openssl-0.9.6b-33).
>
> The error is 100% reproducible, try following commands:
>
>     openssl s_client -connect epay.paynet.cz:443
>     GET / HTTP/1.0
>
> This generates error message read:errno=0 immediately after second line (Enter). In the correct case there is a reply with a HTML page. I'm able to view pages using Mozilla but not with links or lynx. Also curl is unable to get a page (because using openssl dynamic library).
>
> I'm not able to verify this bug on another system because no one has 0.9.7 version of your product. I tried to compile and use openssl-0.9.7b with no luck.

Try it with the -bugs option. The server probably doesn't like the CBC vulnerability countermeasure (see CHANGES file).

Steve.
[openssl.org #627] Fw: bug report
[EMAIL PROTECTED] - Sun May 25 12:30:38 2003]:

> I have been trying to issue certificate containing AIA and CertificatePolicies (only with UserNotice) extensions. I have found the appropriate config file definitions for AIA and CertificatePolicies extensions and managed to issue certificate containing them. During the course of the experiments I have encountered the following bug:
>
> The AIA and CertificatePolicies extensions are defined in the config file in the following way:
>
>     certificatePolicies=ia5org,1.2.3.4,1.5.6.7.8,@polsect
>
>     [polsect]
>     policyIdentifier = 1.3.5.8
>     CPS.1=http://my.host.name/;
>     CPS.2=http://my.your.name/;
>     [EMAIL PROTECTED]
>
>     [notice]
>     explicitText=Explicit Text Here
>     organization=Organisation Name
>     noticeNumbers=1,2,3,4
>
> The point is that if CPS is missed out or preceded by userNotice, openssl generates segmentation fault. I have repeated the problem on both Windows (using binary) and Linux (compiled by me). As a matter of fact for the certificates I want to produce I don't need the CPS qualifier and this is why I have discovered the bug.

Fix committed, thanks for the report.

Steve.
[openssl.org #631] Bug report
Patch committed, thanks for the report.

Steve.
[openssl.org #628] md2test breaks with NO_MD2 config
[EMAIL PROTECTED] - Sun May 25 18:07:32 2003]:

> Hi,
>
> Sorry to be nagging again about compilation issues. I get the following error when trying to build with MD2 disabled:
>
>     In file included from md2test.c:62:
>     ../include/openssl/md2.h:63:2: #error MD2 is disabled.
>
> Moving line 63:
>
>     #include <openssl/md2.h>
>
> To line 73 (after the #else) solves this.
>
> OpenSSL version is 0.9.7b, OS is Red Hat linux 7.2, (configured using ./Configure linux-elf ... no-md2 ...)

After having called Configure with this option you should have been asked to make depend. If you would have used make depend, the softlink in test/ would have been replaced with a new destination: dummytest.c. I have applied your proposed change anyway, as it reduced possible sources of errors.

> Is there a way I can be more helpful (e.g. send small corrections to small bugs instead of asking you to do it) without me having to install and learn CVS (sorry, working mainly on Windoze machines...)?

Hmm. We gladly accept patches in unified diff (diff -u) format. :-)

Best regards,
Lutz
EVP_SealInit
In the EVP_SealInit() function, the secret key is generated by the random number generator. How can I use my own key?

Thanks.
[openssl.org #625] Bug while building openssl-0.9.7-stable-SNAP-20030522 and openssl-SNAP-20030522
[EMAIL PROTECTED] - Fri May 23 09:50:04 2003]:

> openssl-0.9.7-stable-SNAP-20030522 and openssl-SNAP-20030522 can't build under WindowsXPsp1 with VisualStudio2003 because there's an incompatibility signed/unsigned in crypto/bn/bn_mul.c line 709 for SNAP, and line 379 for stable-SNAP

Fixed by Richard on 28-May-2003 (RT #625 not included in the commit log).

Thanks for your submission,
Lutz
Re: EVP_SealInit
On Wed, May 28, 2003, p b wrote:

> In the EVP_SealInit() function, the secret key is generated by the random number generator. How can I use my own key?

There's no way to use your own key with that function. You could however use EVP_CipherInit() and call RSA_public_encrypt() manually to get the same effect.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
[openssl.org #613] openssl c_client -starttls pop3
[EMAIL PROTECTED] - Sun May 11 10:13:19 2003]:

> Here is tiny whack to allow c_client to communicate with TLS enabled POP3 server. See patch attached.

Thanks for your submission. I have added your patch to both the stable (0.9.7) and the development (0.9.8) tree.

Best regards,
Lutz
[openssl.org #604] openssl timeout problem
[EMAIL PROTECTED] - Fri May 2 15:27:29 2003]:

> Hi
>
> By a mistake trying out openssl s_client -connect ip:5000 against a windows XP system it hangs for a looong time before it timeouts. Is it possible to set a timeout function or this would be a good thing to add?

Openssl s_client is an example implementation of client functionality. It does not provide all options with bells and whistles or to perfection.

Timeout options are not provided by the basic openssl library. Timeouts are either provided by the underlying transport (TCP stack and/or kernel) or by the application using non-blocking behaviour and select(). The openssl s_client example application does not implement the latter and there are no plans to add it.

Best regards,
Lutz
[openssl.org #623] Problem make clean
[EMAIL PROTECTED] - Sun May 25 09:42:02 2003]:

> On Fri, 23 May 2003, Lutz Jaenicke via RT wrote:
>
> > > I think my machine has a decent set of patches but as I don't have root access I cannot really verify that. Do you think you can do getconf ARG_MAX and getconf LINE_MAX on your machine such that I can see if this is indeed the problem?
> >
> >     serv01 24: getconf ARG_MAX
> >     20478
> >     serv01 26: getconf LINE_MAX
> >     2048
> >
> > Best regards,
> > Lutz
>
> Hi Lutz,
>
> I think this must mean there is something wrong with my workstation or my setup. I have exactly the same values as you so this cannot be the limiting factor. Perhaps there is a patch which is missing.

Hmm. I have no more specific ideas. I did dig out the following:

PHKL_10176: The internal buffer within the kernel was created with a length of 20480 bytes, with no provision for increasing its size. This patch provides for up to 100 such buffers, with all but the first allocated only if required (that is, if more than 20480 bytes of argv/env information is found). Thus, exec() now supports up to 2048000 bytes of argv/env information.

However: this patch has long been superseded by PHKL_16750 (and other later versions of this patch)...

Best regards,
Lutz
registering engines
Hello,

I am a newbie to openssl and I have just written a sha engine that I would like to test out with openssl. I heard that the engine interface allows one to replace the openssl provided engines with custom ones but I'm not sure how to use that feature. Would someone please give me a pointer or so as to how I can register my code through the engine interface?

Much thanks,
Alvin