Re: [openssl.org #3502] nameConstraints bypass bug: a fix, or some approximation thereto
On 08/22/2014 12:26 PM, Salz, Rich wrote:

> It'd be good to fix this.

Behold a patch that seems to fix it:
  https://www.av8n.com/openssl/bypass-bugfix.diff

The code seems pretty straightforward to me, but on the other hand, I have very little experience coding in the openssl environment, so I might be overlooking something. Somebody should check this pretty closely.

A simple way to exhibit the bug (and the fix) is as follows:

Desired behavior:

  openssl verify -CAfile av8n-root-ca-cert.pem bypass.jdenker.com-cert.pem
  bypass.jdenker.com-cert.pem: C = US, CN = bypass.jdenker.com
  error 47 at 0 depth lookup:permitted subtree violation

Observed (unfixed) behavior:

  openssl verify -CAfile av8n-root-ca-cert.pem bypass.jdenker.com-cert.pem
  bypass.jdenker.com-cert.pem: OK

which is a security lapse.

The demonstration certs can be found at:
  https://www.av8n.com/openssl/av8n-root-ca-cert.pem
  https://www.av8n.com/openssl/bypass.jdenker.com-cert.pem

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos
On Tue, 9 Sep 2014, Rich Salz via RT wrote:

> Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for
> integration after 1.0.2
>
> commit f4f79df1a2e1d295e93afe68691499ec034b76ad
> Author: Richard Silverman
> Date: Tue Sep 9 12:37:27 2014 -0400
>
> RT2962: add -keytab and -krb5svc flags.
>
> Add -keytab and -krb5svcd flags to s_client and s_server.
>
> I (rsalz) also updated the documentation.

Thanks!

> (And I like your GIT pocket guide :)

Glad to hear it. :)

-- Richard
[openssl.org #2196] openssl1.0.0beta5 problems on FreeBSD
The perl issues aren't reproducible; maybe fixed now if there was a problem. Make issues are being tracked in (several) other tickets. The README/rt issue is fixed:

OpenSSL_1_0_2-stable 3aa2d2d RT2196: Clear up some README wording
HEAD 468ab1c RT2196: Clear up some README wording

Author: Rich Salz
Date: Tue Sep 9 17:41:46 2014 -0400

    RT2196: Clear up some README wording

    Say where to email bug reports.
    Mention general RT tracker info in a separate paragraph.

    Reviewed-by: Tim Hudson

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3192] [PATCH] Fix spurious error in DSA verification failure
OpenSSL_1_0_2-stable f33ce36 RT3192: spurious error in DSA verify
HEAD eb63bce RT3192: spurious error in DSA verify

Author: Matt Caswell
Date: Tue Sep 9 16:50:06 2014 -0400

    RT3192: spurious error in DSA verify

    This is funny; Ben commented in the source, Matt opened a ticket,
    and Rich is doing the submit. Need more code-review? :)

    Reviewed-by: Dr. Stephen Henson

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3271] OpenSSL 1.0.2 Beta 1 Solaris 10 Sparc Shell error during make install
OpenSSL_1_0_2-stable e61c648 RT3271: Don't use "if !" in shell lines
HEAD b999f66 RT3271: Don't use "if !" in shell lines

Merge: 843921f b999f66
Author: Rich Salz
Date: Tue Sep 9 17:06:40 2014 -0400

    Merge branch 'master' of git.openssl.org:openssl

    Previous commit was reviewed by Geoff, not Stephen:
    Reviewed-by: Geoff Thorpe

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3512] SSL_MODE_ENABLE_PARTIAL_WRITE does not work in DTLS
Partial writes don't work for UDP. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2629] finalize MD2 removal
fixed earlier on https://github.com/akamai/openssl/tree/rsalz-monolith -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2503] openssl-1.0.0d build bug ? i686 build does not define AES_unwrap_key and other symbols on x86_64
Local error. Other tickets are tracking makefile changes, so closing this one. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2570] Timing related bug in openssl pkcs
sorry, you can't use stdin twice. we have no control over system buffering, among other things. closing file. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2537] potential use of uninitialized variable in x509_lu.c
The analysis seems wrong, getting confused by the union. closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2519] crash when using newly-defined ASN1_SEQUENCE macros in Windows with elements that are also newly-defined SEQUENCEs...
Local config error. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2560] missing NULL pointer check in ocsp_req_find_signer
This can't happen. It's an internal function and never gets NULL -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1165] Bug Report
Not enough information to reproduce the defect, closing the ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)
Closing this in favor of 2937 -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1909] bug report: OpenSSL can generate invalid version 1 certificates
OpenSSL_1_0_2-stable 8c0d19d RT1909: Omit version for v1 certificates
HEAD 1f18f50 RT1909: Omit version for v1 certificates

Author: Geoff Keating
Date: Tue Sep 9 14:28:54 2014 -0400

    RT1909: Omit version for v1 certificates

    When calling X509_set_version to set v1 certificate, that
    should mean that the version number field is omitted.

    Reviewed-by: Dr. Stephen Henson

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: [openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)
Indeed, Improved version of the patch are in: [openssl.org #2937] Handshake performance degradation in 1.0.1 and up.

On 9 September 2014 21:16, Rich Salz via RT wrote:

> From an internal review of the patch:
> Contexts are meant to be reused and (for example) reusing the same context
> and digest avoids having to reallocate a buffer for the internal context
> structure.
>
> I think this might actually be a problem in the ENGINE not handling reuse
> properly, or the EVP API not having a way to signal reuse properly.
>
> Either way I don't think this is the correct fix.
> --
> Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2176] OPENSSL_ia32cap_loc() inconsistent
This incompatible change was made five years ago; nothing to do now. Closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2100] RAND_poll can be incredibly slow on Windows7 due to Heap32Next
timer-limiting for windows heap-walking, etc., seems to have been implemented some time ago. Closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #1766] [PATCH] s_client -reconnect and -starttls don't work together
Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps to be integrated after 1.0.2

commit 07cae301ea569173e18ae585caa1457660baf024
Author: John Gardiner Myers
Date: Tue Sep 9 14:12:42 2014 -0400

    RT1766: s_client -reconnect and -starttls broke

    Using both -starttls and -reconnect doesn't work because the flag to
    specify starttls is cleared before the reconnect happens. Only do that
    if we're not reconnecting.

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3506] [PATCH] Fix typos in ssltest.c.
Fixed in master and 1.0.2

OpenSSL_1_0_2-stable 283a8fd RT3506: typo's in ssltest
HEAD 4eadd11 RT3506: typo's in ssltest

Author: Kurt Cancemi
Date: Tue Sep 9 13:48:00 2014 -0400

    RT3506: typo's in ssltest

    Reviewed-by: Dr. Stephen Henson

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3263] BUG: loading a config file from a drive with no media results in exit(1)
OPENSSL_config is a very simple-minded API. If the config file is on a drive that isn't available, and since the API exits on error, it's working as designed. Closing ticket. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2938] [PATCH] Severe resource leak in tls_P_hash() (v1.0.1 and up)
From an internal review of the patch:
Contexts are meant to be reused and (for example) reusing the same context and digest avoids having to reallocate a buffer for the internal context structure.

I think this might actually be a problem in the ENGINE not handling reuse properly, or the EVP API not having a way to signal reuse properly.

Either way I don't think this is the correct fix.

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2982] Security Advisory as of 2013-02-05
Right, 1.0.1d had an error in the fix. Update the advisory to point to 1.0.1e or later. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2966] OpenSsl Library crashed,
Not enough information to reproduce the problem. Most likely application bug that is romping on memory. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2991] Certifacte verification with a RSA-SHA512 hash algorithm fails
SSL_library_init only loads the algorithms needed by SSL/TLS ciphersuites. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2962] [patch] openssl s_{client,server} improvements for Kerberos
Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for integration after 1.0.2

commit f4f79df1a2e1d295e93afe68691499ec034b76ad
Author: Richard Silverman
Date: Tue Sep 9 12:37:27 2014 -0400

    RT2962: add -keytab and -krb5svc flags.

    Add -keytab and -krb5svcd flags to s_client and s_server.

    I (rsalz) also updated the documentation.

(And I like your GIT pocket guide :)

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2956] incomplete archive
the link's good now. -- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2932] smime cmdline utility ignores errors
Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps for inclusion after 1.0.2 (The RAND_xxx issue was already fixed)

commit 16365c8dc390e1cb29a4f64c9b3450d89532a960
Author: Dmitry Belyavsky
Date: Tue Sep 9 12:09:32 2014 -0400

    RT2932: Catch write errors

    Don't ignore the return value when writing PKCS7.

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #3519] BUG: incorrect handling of 'CAfile' and 'CApath' defaults
This is a duplicate of RT2936, fixed in https://github.com/akamai/openssl/tree/rsalz-monolith which will be part of post-1.0.2

commit 3938694b2a770efad980c947b68981b110e784d6
Author: Rich Salz
Date: Fri Aug 15 14:27:04 2014 -0400

    PR 2936, etc: Consistently use default cert dir

    All apps that have -CApath and -CAfile now are consistent and call
    common code to use the specified parameters, or use the default
    file/dir if none are specified.

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl.org #2642] Bug Report: s_client uses forged/blacklisted EHLO hostname in smtp
Fixed in https://github.com/akamai/openssl/tree/rsalz-monolith/apps to be part of post-1.0.2

commit 90899ae82e14ecbfbeac6fc47757470f9a0a9b80
Author: Rich Salz
Date: Tue Sep 9 10:22:01 2014 -0400

    RT2642: Allow EHLO hostname to be specified.

    Add -smtphost flag, to specify the host used in the SMTP EHLO message.

-- Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: OPenssl 20140909 issues
On Mon, Sep 08, 2014 at 11:41:42PM -0600, The Doctor wrote:

> ls: error initializing month strings

The literal string "month" does not appear in OpenSSL 1.0.2 source code. You're probably compiling in a locale not supported by your system. "ls -l" is unable to format the date.

-- Viktor.
Re: OPenssl 20140909 issues
Is the top-level "rehash" target not getting executed? It should be a dependency of "test" (via the "tests" target).

Mike

On Tue, Sep 9, 2014 at 1:41 AM, The Doctor wrote:

> Just found this in the latest openssl 1.0.2 snapshot
RE: [openssl.org #3520] [PATCH] 1.0.1e: Configure: Correctly Handle GCC/clang/LLVM -arch and -isysroot Options
Can we handle this like ticket 3521 and do -arch= ? And split that up into "-arch " ?
[openssl.org #3522] [PATCH] 1.0.1e: Configure: Allow the apps, test and tools directories to be configured out of DIRS.
In exceedingly minimal libcrypto-only configurations of OpenSSL such as: no-lock no-threads no-shared no-zlib no-idea no-camellia no-seed no-bf no-cast no-des no-rc2 no-rc4 no-rc5 no-md2 no-md4 no-ripemd no-mdc2 no-rsa no-dsa no-dh no-whirlpool no-cms no-dgram no-sock no-ssl2 no-ssl3 no-err no-krb5 no-apps no-engine no-test no-tools no-hw no-dso no-devrandom no-sha512 no-dir no-egd no-tty no-srtp no-speed no-tlsext none of the 'apps', 'test', nor 'tools' subdirectories can be successfully built. Where the package configurator so chooses, allow these directories to be configured out of DIRS as 'engine' may be. --- openssl/Configure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/openssl/Configure b/openssl/Configure index 29c8ec6..8cfc697 100755 --- a/openssl/Configure +++ b/openssl/Configure @@ -1607,7 +1607,10 @@ while () } } $sdirs = 0 unless /\\$/; +s/apps // if (/^DIRS=/ && $disabled{"apps"}); s/engines // if (/^DIRS=/ && $disabled{"engine"}); +s/test // if (/^DIRS=/ && $disabled{"test"}); +s/tools// if (/^DIRS=/ && $disabled{"tools"}); s/ccgost// if (/^ENGDIRS=/ && $disabled{"gost"}); s/^VERSION=.*/VERSION=$version/; s/^MAJOR=.*/MAJOR=$major/; -- 2.1.0 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
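Review bot: the three added substitutions match bare substrings of the DIRS line rather than whole entries, so 's/test //' would also strip the tail of any longer directory name that ends in "test", and 's/tools//' (no trailing space, unlike 's/apps //' and 's/test //') only leaves a clean line if tools is the last entry. Anchoring each pattern on word boundaries, for example s/\btest\b ?//, would make the edit independent of entry order and of other directory names. The diffstat shows only these three insertions in Configure, so nothing in this change documents the new no-apps, no-test and no-tools options.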
[openssl.org #3521] [PATCH] 1.0.1e: Configure: Correctly Handle GCC --sysroot Option
Correctly handle '--sysroot' GCC toolchain option when compiling for the Android NDK using targets such as linux-generic32 in which the external environment passes in the toolchain root. --- openssl/Configure | 4 1 file changed, 4 insertions(+) diff --git a/openssl/Configure b/openssl/Configure index 524201d..29c8ec6 100755 --- a/openssl/Configure +++ b/openssl/Configure @@ -930,6 +930,10 @@ PROCESS_ARGS: { $cross_compile_prefix=$1; } + elsif (/^--sysroot=(.*)$/) + { + $flags.=$_." "; + } else { print STDERR $usage; -- 2.1.0 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
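Review bot: in the new '--sysroot=' branch the capture group in /^--sysroot=(.*)$/ is never used, and '.*' accepts an empty value, so a bare '--sysroot=' is appended to $flags silently. Using (.+), or dropping the parentheses and requiring at least one character, would let an empty sysroot fall through to the else branch that prints $usage. The four insertions are all in this branch, so the usage text is not updated to mention the option.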
[openssl.org #3520] [PATCH] 1.0.1e: Configure: Correctly Handle GCC/clang/LLVM -arch and -isysroot Options
Correctly handle '-arch' and '-isysroot' GCC/clang/LLVM options when compiling for Mac OS X or iOS using targets such as BSD-generic32 in which the external environment passes in the processor architecture and toolchain root. --- openssl/Configure | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/openssl/Configure b/openssl/Configure index 9c803dc..524201d 100755 --- a/openssl/Configure +++ b/openssl/Configure @@ -742,6 +742,7 @@ my $no_sse2=0; &usage if ($#ARGV < 0); +my $expect_option=0; my $flags; my $depflags; my $openssl_experimental_defines; @@ -790,7 +791,12 @@ PROCESS_ARGS: s /^zlib$/enable-zlib/; s /^zlib-dynamic$/enable-zlib-dynamic/; - if (/^no-(.+)$/ || /^disable-(.+)$/) + if ($expect_option == 1) + { + $flags .= $_ . " "; + $expect_option = 0; + } + elsif (/^no-(.+)$/ || /^disable-(.+)$/) { if (!($disabled{$1} eq "experimental")) { @@ -873,6 +879,10 @@ PROCESS_ARGS: } elsif (/^-[^-]/ or /^\+/) { + if (/^-arch$/ or /^-isysroot$/) +{ +$expect_option=1; +} $_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei; $flags.=$_." "; } -- 2.1.0 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
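Review bot: in the second hunk the new 'if ($expect_option == 1)' test comes first in the chain, so whatever argument follows -arch or -isysroot is appended to $flags unchecked: an option such as no-ssl2 placed right after -arch would be swallowed as the architecture instead of being processed, and a trailing -arch with nothing after it leaves $expect_option set with no error reported. The consumed value also skips the %xx decoding that the '-[^-]' branch in the third hunk applies to the flag itself. Consider rejecting a value that starts with '-' or matches a known option, reporting a missing value once argument processing ends, and indenting the braces added in the third hunk to match the surrounding block.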
[openssl.org #3519] BUG: incorrect handling of 'CAfile' and 'CApath' defaults
Please, see my pull request on GitHub: https://github.com/openssl/openssl/pull/170

Description from the pull request:

This commit has security implications for simple clients that use openssl s_client. To demonstrate the issue described in the commit message do:

  openssl s_client -connect github.com:443 -verify_return_error -quiet -verify 100 -CAfile my_ca.pem

Where my_ca.pem is any certificate file other than the one that actually signed github's cert. This should fail, but it currently succeeds. This pull request fixes that. Together with the annoyance that if you don't specify a CAfile in the above command it fails, though it should have succeeded. :)

Discovered and debugged together with @errge.

The intention was obviously to use the user-specified CAfile and CApath and if that fails (eg. user didn't specify anything) to use the defaults. Having || instead of && has two implications:

1. If the user doesn't specify anything, we don't use the defaults, so verification will always fail. This is mostly a nuisance.
2. If the user does specify something for CAfile or CApath, we will load the defaults too. Which has security implications: A simple client implementation with openssl s_client that wants to check that it's talking to the right server by specifying a private CAfile fails to achieve the promised security (as the server's certificate will also be checked against the default CA list).

Best,
Mihaly Barasz
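The short-circuit behaviour described in the pull request, as an added C model that is not part of the original post and is not OpenSSL code. load_user_locations and load_default_locations are hypothetical stand-ins for the library calls, and the trust store is reduced to two flags.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: which CA sets ended up in the client's trust store. */
struct trust_store {
    bool user_ca;      /* CA(s) named with -CAfile / -CApath */
    bool default_cas;  /* the platform's default CA list */
};

/* Who issued the server certificate in a scenario (constructed). */
enum issuer { ISSUER_PRIVATE_CA, ISSUER_PUBLIC_CA };

/* Hypothetical stand-in for "load what the user specified".
 * Returns 0 (failure) when neither a file nor a directory was given. */
static int load_user_locations(struct trust_store *ts,
                               const char *cafile, const char *capath)
{
    if (cafile == NULL && capath == NULL)
        return 0;
    ts->user_ca = true;
    return 1;
}

/* Hypothetical stand-in for "load the defaults"; always succeeds here. */
static int load_default_locations(struct trust_store *ts)
{
    ts->default_cas = true;
    return 1;
}

/* Logic as the report describes it: the two failure tests joined by ||.
 * A failed user load short-circuits, so the defaults are never tried;
 * a successful user load forces the second call, adding the defaults. */
int setup_with_or(struct trust_store *ts, const char *cafile, const char *capath)
{
    memset(ts, 0, sizeof *ts);
    if (!load_user_locations(ts, cafile, capath) ||
        !load_default_locations(ts))
        return 0;
    return 1;
}

/* Intended logic: the defaults are only a fallback, so the tests use &&. */
int setup_with_and(struct trust_store *ts, const char *cafile, const char *capath)
{
    memset(ts, 0, sizeof *ts);
    if (!load_user_locations(ts, cafile, capath) &&
        !load_default_locations(ts))
        return 0;
    return 1;
}

/* A chain verifies only if the issuing CA set is in the store. */
bool chain_verifies(const struct trust_store *ts, enum issuer who)
{
    return who == ISSUER_PRIVATE_CA ? ts->user_ca : ts->default_cas;
}

/* Does a client set up this way accept a server issued by `who`?
 * Only the resulting store matters, so the setup return value is ignored. */
bool client_accepts(bool fixed, const char *cafile, enum issuer who)
{
    struct trust_store ts;
    if (fixed)
        setup_with_and(&ts, cafile, NULL);
    else
        setup_with_or(&ts, cafile, NULL);
    return chain_verifies(&ts, who);
}

int main(void)
{
    const char *cafiles[] = { NULL, "my_ca.pem" };
    for (int fixed = 0; fixed <= 1; fixed++)
        for (int i = 0; i < 2; i++)
            printf("%s  -CAfile %-10s  public-CA server accepted: %s\n",
                   fixed ? "&&" : "||",
                   cafiles[i] ? cafiles[i] : "(none)",
                   client_accepts(fixed, cafiles[i], ISSUER_PUBLIC_CA)
                       ? "yes" : "no");
    return 0;
}
```

The `||` row with `my_ca.pem` is the security-relevant case: a client that meant to pin a private CA still accepts any server that chains to the default list.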
Re: [openssl.org #2354] [PATCH] Increase Default RSA Key Size to 2048-bits
This can presumably be resolved as fixed, given the commit on #2626 just now.

On 29/09/10 20:54, Rob Stradling via RT wrote:

> NIST (SP800-57 Part 1) recommends a minimum RSA key size of 2048-bits beyond 2010.
>
> From January 1st 2011, in order to comply with the current Microsoft[1] and Mozilla[2] CA Policies, Commercial CAs will no longer be permitted to issue certificates with RSA key sizes of <2048-bit.
>
> Please accept the attached patch, which increases the default RSA key size to 2048-bits for the "req", "genrsa" and "genpkey" apps.
>
> Thanks.
>
> [1] http://technet.microsoft.com/en-us/library/cc751157.aspx says: "we have advised Certificate Authorities...to transition their subordinate and end-certificates to 2048-bit RSA certificates, and to complete this transition for any root certificate distributed by the Program no later than December 31, 2010".
>
> [2] https://wiki.mozilla.org/CA:MD5and1024 says: "December 31, 2010 – CAs should stop issuing intermediate and end-entity certificates from roots with RSA key sizes smaller than 2048 bits. All CAs should stop issuing intermediate and end-entity certificates with RSA key size smaller than 2048 bits under any root".
>
> Rob Stradling
> Senior Research & Development Scientist
> COMODO - Creating Trust Online
> Office Tel: +44.(0)1274.730505
> Office Fax: +44.(0)1274.730909
> www.comodo.com
>
> COMODO CA Limited, Registered in England No. 04058690
> Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ
>
> This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software.

-- Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Re: [openssl.org #3516] OCSP Certificate Chain Response Handling
Duplicate of #2206 ?

On 05/09/14 08:35, Mehner, Carl via RT wrote:

> OCSP response handling in /apps/ocsp.c -- 2014-06-25
>
> The OCSP Documentation States
> https://www.openssl.org/docs/apps/ocsp.html
> "Otherwise the OCSP responder certificate's CA is checked against the issuing CA certificate in the request. If there is a match and the OCSPSigning extended key usage is present in the OCSP responder certificate then the OCSP verify succeeds."
>
> --Assumptions--
> The flag '-issuer' in openSSL's ocsp application is what the responder's certificate's CA is checking against.
> The 'responder's certificate's CA' means the certificate authority that is issuer of the ocsp signing certificate.
>
> --What Happens--
> When running the command:
> openssl ocsp -no_nonce -issuer -cert -CA -url http://
> Validation of the OCSP responder certificate fails unless the issuer's cert is also in the file containing the root CA cert. The error messages are:
> Response Verify Failure
> 8604:error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error:.\crypto\ocsp\ocsp_vfy.c:126:Verify error:unable to get local issuer certificate
> However, if you specify a -CAfile that includes the same cert from the '-issuer' flag and the root CA cert that is the root of trust for the ocsp responder cert, you will get back a 'Response verify OK'
>
> --What Should Happen--
> If the certificate provided in the '-issuer' flag matches the CA certificate referenced in the OCSP responder's issuer field, the OCSP verify should succeed. There should be no need to chain up to the root in this case as it would be a waste of time since that evaluation is already done on the issuer certificate provided with the '-issuer' flag when evaluating the chain of the certificate provided by the '-cert' flag outside of the OCSP validation process. If the leaf validation fails, there is no need to validate the OCSP chain, the connection will fail regardless.
> However, if anyone feels that the full chain needs to be validated, the validation procedure should be able to bridge the cert included on the '-issuer' flag with a single root specified on the '-CA' flag. (It currently does not.)
>
> -cem

-- Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online