[openssl-dev] interaction between --strict-warnings and disabled features

2015-09-11 Thread Benjamin Kaduk
Hi all, When I configure with --strict-warnings and, say, no-seed, my build fails due to an empty compilation unit e_seed.c. Is it just expected that if I'm going to use strict-warnings I will have most/all features enabled, or is this something that we would want to fix? Thanks, Ben

Re: [openssl-dev] interaction between --strict-warnings and disabled features

2015-09-11 Thread Salz, Rich
> When I configure with --strict-warnings and, say, no-seed, my build fails due to an empty compilation unit e_seed.c.

Does just putting an extern declaration in the file work? Or do we need something like "#if PEDANTIC" in apps/dsa.c, for example.

[openssl-dev] [openssl.org #4037] IV-setting bug on AES/CCM decryption

2015-09-11 Thread Andrew Felsher via RT
Hi, While running some tests on a module using OpenSSL, we noticed that when using EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_CCM_SET_IVLEN, length, NULL) to set the IV length, AES/CCM decryption does not seem to detect a bad IV length. With encryption, it is detected and an appropriate error code

[openssl-dev] [openssl.org #4036] Invalid use of memcpy() causing decrypt failure

2015-09-11 Thread John Foley via RT
We're seeing intermittent failures in the AES key wrap test cases in test/evp_test in the 1.0.2d release. We believe the problem is due to using memcpy() with overlapping src/dst memory regions. The following thread provides some insight into this memcpy() issue:

[openssl-dev] Strange problem with cms_cd.o?

2015-09-11 Thread Blumenthal, Uri - 0553 - MITLL
I am trying to build the current Github version of openssl on Ubuntu-14.04 LTS. Must add that this system has openssl-1.0.1f already installed (relict of Ubuntu software update process). Everything seems to compile fine, but linking of “openssl” fails, complaining that it cannot find

Re: [openssl-dev] [openssl.org #4033] Unable to build openssl git master branch on NetBSD for > 24 hours

2015-09-11 Thread yancm via RT
On 2015-09-10 21:40, Salz, Rich via RT wrote:
> Please do "grep rehash Makefile" at the toplevel.

To which I get:

clarity 153 # grep rehash Makefile
rm -f */*/*.o */*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
rehash: rehash.time
rehash.time: certs apps

Re: [openssl-dev] interaction between --strict-warnings and disabled features

2015-09-11 Thread Kurt Roeckx
On Fri, Sep 11, 2015 at 05:46:13PM +, Salz, Rich wrote:
> > When I configure with --strict-warnings and, say, no-seed, my build fails due to an empty compilation unit e_seed.c.
>
> Does just putting an extern declaration in the file work? Or do we need something like "#if

[openssl-dev] [openssl.org #2397] openssl x509 stops outputting just before printing Issuer when using nameopt dn_rev

2015-09-11 Thread Stephen Henson via RT
Fixed to use a default separator if none is specified. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-dev mailing list To unsubscribe:

[openssl-dev] [openssl.org #4038] SSLv2 session reuse is broken on the 1.0.2 branch

2015-09-11 Thread Kaduk, Ben via RT
SSLv2 support has been removed from master, but is still present in 1.0.2. Adding a range check in ssl_get_prev_session() broke the SSLv2 codepath because it supplied NULL as the 'limit' parameter that had not previously been used for SSLv2 (or v3), so the fix is just to supply a non-NULL limit.

Re: [openssl-dev] Strange problem with cms_cd.o?

2015-09-11 Thread Dr. Stephen Henson
On Fri, Sep 11, 2015, Blumenthal, Uri - 0553 - MITLL wrote:
> I am trying to build the current Github version of openssl on Ubuntu-14.04 LTS. Must add that this system has openssl-1.0.1f already installed (relict of Ubuntu software update process).
>
> Everything seems to compile fine, but

Re: [openssl-dev] State machine rewrite

2015-09-11 Thread Daniel Kahn Gillmor
On Fri 2015-09-11 11:07:27 -0400, John Foley wrote:
> It's great to see improvements in the state machine along with consolidated handlers for TLS/DTLS.

Agreed. Thanks for the work on this, Matt!

> Having said that, have you considered using a state transition table instead of long switch

[openssl-dev] [openssl.org #4037] IV-setting bug on AES/CCM decryption

2015-09-11 Thread Stephen Henson via RT
On Fri Sep 11 17:34:27 2015, afels...@cisco.com wrote:
> Hi,
>
> While running some tests on a module using OpenSSL, we noticed that when using EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_CCM_SET_IVLEN, length, NULL) to set the IV length, AES/CCM decryption does not seem to detect a bad IV length.

Re: [openssl-dev] State machine rewrite

2015-09-11 Thread John Foley (foleyj)
Here's another trivial example if that URL still isn't working for you: johnsantic.com/comp/state.html

On Sep 11, 2015, at 5:46 PM, Daniel Kahn Gillmor wrote:
On Fri 2015-09-11 11:07:27 -0400, John Foley

[openssl-dev] [openssl.org #1851] [PATCH] "openssl verify -CAfile mutil_ca.pem site.cert" fails even if mutil_ca.pem contains the chain for site.cert

2015-09-11 Thread Stephen Henson via RT
Ancient ticket, resolved long ago. Closing. Steve.

[openssl-dev] [openssl.org #2464] [PATCH] Experimental TLS-RSA-PSK support for OpenSSL

2015-09-11 Thread Stephen Henson via RT
No problems reported, marking ticket as resolved. Steve.

[openssl-dev] [openssl.org #4036] Invalid use of memcpy() causing decrypt failure

2015-09-11 Thread Stephen Henson via RT
Fixed now in 1.0.2, it was already fixed in master. Steve.

[openssl-dev] [openssl.org #3978] RE: Openssl 1.0.2c include the FIPS 140-2 Object Module

2015-09-11 Thread Stephen Henson via RT
Resolving ticket: not a bug. If you have any more problems use openssl-users. Steve.

[openssl-dev] [openssl.org #3974] The IV used by the 'openssl cms -encrypt -aes-256-gcm' command is not random (all zeroes).

2015-09-11 Thread Stephen Henson via RT
GCM is not supported for CMS enveloped data. Attempting to use it now returns an error. Steve.

[openssl-dev] [openssl.org #3958] [PATCH] pkcs12 application selects bad defaults in FIPS mode

2015-09-11 Thread Stephen Henson via RT
Fixed now, thanks for the report. Steve.

[openssl-dev] [openssl.org #4009] bug: Handling of SUITEB* ciphers does not match documentation

2015-09-11 Thread Stephen Henson via RT
Fixed now so SUITEB* works at the beginning of cipher string. Steve.

[openssl-dev] [openssl.org #3975] The CMS encrypt command uses the wrong ASN.1 encoding for the AES-GCM algorithm parameter.

2015-09-11 Thread Stephen Henson via RT
GCM mode isn't currently supported in CMS, it was a bug that it attempted to use it and produced incorrect results. Resolved now to return an error for GCM. Steve.

[openssl-dev] State machine rewrite

2015-09-11 Thread Matt Caswell
I've just opened a github pull request to show recent work I have been doing on rewriting the OpenSSL state machine (for version 1.1.0). See: https://github.com/openssl/openssl/pull/394 My objectives for the rewrite were: - Remove duplication of state code between client and server - Remove

Re: [openssl-dev] State machine rewrite

2015-09-11 Thread Salz, Rich
> I've just opened a github pull request to show recent work I have been doing on rewriting the OpenSSL state machine (for version 1.1.0). See:
> https://github.com/openssl/openssl/pull/394

Extended discussion should probably happen on openssl-dev, as conversations don't work too well on

Re: [openssl-dev] State machine rewrite

2015-09-11 Thread John Foley
+1 It's great to see improvements in the state machine along with consolidated handlers for TLS/DTLS. Having said that, have you considered using a state transition table instead of long switch statements to enforce the state transition rules? This would improve the maintainability of the code.