Re: [openssl.org #2626] ENHANCEMENT: please update default_bits to 2048 in default openssl.cnf

2011-10-20 Thread Rob Stradling
Duplicate of ticket #2354.

On Wednesday 19 Oct 2011 16:58:28 Daniel Kahn Gillmor via RT wrote:
> The current default openssl.cnf appears to have default_bits = 1024:
>
> http://cvs.openssl.org/fileview?f=openssl/apps/openssl.cnf&v=1.23.4.6
>
> however, NIST has recommended avoiding reliance on 1024-bit RSA keys
> after 2010.
>
> See pages 63-66 of:
>
> http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
>
> Please change default_bits in the stock openssl.cnf to 2048, or include
> some clear justification for why the tool defaults to creating a
> deprecated keysize.
>
> Thanks,
>
>   --dkg
>
> __
> OpenSSL Project http://www.openssl.org
> Development Mailing List   openssl-dev@openssl.org
> Automated List Manager   majord...@openssl.org

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com

COMODO CA Limited, Registered in England No. 04058690
Registered Office:
  3rd Floor, 26 Office Village, Exchange Quay,
  Trafford Road, Salford, Manchester M5 3EQ



[openssl.org #2628] [PATCH] ServerKeyExchange signature broken if ECC key is used with DTLS

2011-10-20 Thread Robin Seggelmann via RT
The signature in the ServerKeyExchange is created with wrong parameters with 
ECC keys, because the TLS header length is used instead of the DTLS header 
length.

Thanks to Erwin Himawan for providing hints!

Best regards
Robin



--- ssl/d1_srvr.c   5 Sep 2011 10:25:21 -   1.20.2.21
+++ ssl/d1_srvr.c   20 Oct 2011 09:20:35 -
@@ -1271,7 +1271,7 @@
EVP_SignInit_ex(md_ctx,EVP_ecdsa(), NULL);

EVP_SignUpdate(md_ctx,(s-s3-client_random[0]),SSL3_RANDOM_SIZE);

EVP_SignUpdate(md_ctx,(s-s3-server_random[0]),SSL3_RANDOM_SIZE);
-   EVP_SignUpdate(md_ctx,(d[4]),n);
+   
EVP_SignUpdate(md_ctx,(d[DTLS1_HM_HEADER_LENGTH]),n);
if (!EVP_SignFinal(md_ctx,(p[2]),
(unsigned int *)i,pkey))
{
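Review bot: On the replaced EVP_SignUpdate line, the fix covers only this ECDSA signing path; since the offset was hard-coded as 4 here, check whether any other place in ssl/d1_srvr.c that builds or signs the ServerKeyExchange still indexes the buffer with the literal 4 and convert it in the same change. It would also help to check the return values of EVP_SignInit_ex and the EVP_SignUpdate calls, which are ignored in the visible lines while only EVP_SignFinal is tested.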






dtls-ecc-key-bug-1.0.0.patch
Description: Binary data


dtls-ecc-key-bug-1.0.1.patch
Description: Binary data


[openssl.org #2629] finalize MD2 removal

2011-10-20 Thread Vladimir Kotal via RT

After the removal of MD2 from OpenSSL_add_all_digests() it is no longer 
possible to use it from the 'dgst' command:

$ openssl version
OpenSSL 1.0.0e 6 Sep 2011
$ openssl -h 2>&1 | ggrep -A 3 'Message Digest'
Message Digest commands (see the `dgst' command for more details)
md2   md4   md5   rmd160
sha   sha1

Firstly, it produces MD5 (because dgst defaults to MD5 if md == NULL):

$ openssl md2 /etc/passwd
MD5(/etc/passwd)= c36cbe1370e3399fd628410f0a221f5e

and if used explicitly it simply throws an error:

$ openssl dgst -md2 /etc/passwd
unknown option '-md2'
options are
-c  to output the digest with separating colons
...


This is because it was not removed from progs.h:

#ifndef OPENSSL_NO_MD2
	{FUNC_TYPE_MD,"md2",dgst_main},
#endif

and apps_startup() used by MAIN in dgst.c calls 
OpenSSL_add_all_algorithms() which results in a call of 
OpenSSL_add_all_digests().


v.
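
Added example (not part of the original message and not OpenSSL's code): a simplified C model of the behaviour reported above, where a command name that no longer resolves to a registered digest yields NULL and silently falls back to MD5, next to a strict variant that refuses instead. The table contents and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL source: digests still registered after
 * MD2 was dropped from the add-all-digests step. */
static const char *registered[] = { "md4", "md5", "rmd160", "sha", "sha1" };
#define N_REGISTERED (sizeof(registered) / sizeof(registered[0]))

/* Stand-in for the digest lookup: NULL when the name is not registered. */
static const char *lookup_digest(const char *name)
{
    size_t i;
    for (i = 0; i < N_REGISTERED; i++)
        if (strcmp(registered[i], name) == 0)
            return registered[i];
    return NULL;
}

/* Behaviour described in the report: a NULL lookup silently becomes MD5,
 * so the stale "md2" command hashes with a different algorithm. */
const char *select_digest_fallback(const char *cmd)
{
    const char *md = lookup_digest(cmd);
    return md != NULL ? md : "md5";
}

/* Strict variant: only the generic "dgst" command may take the default;
 * a command that names a digest must resolve to it or be refused (NULL). */
const char *select_digest_strict(const char *cmd)
{
    if (strcmp(cmd, "dgst") == 0)
        return "md5";
    return lookup_digest(cmd);
}

int main(void)
{
    const char *cmds[] = { "md2", "sha1", "dgst" };
    size_t i;
    for (i = 0; i < sizeof(cmds) / sizeof(cmds[0]); i++) {
        const char *strict = select_digest_strict(cmds[i]);
        printf("%-5s fallback=%-5s strict=%s\n", cmds[i],
               select_digest_fallback(cmds[i]),
               strict != NULL ? strict : "(refused)");
    }
    return 0;
}
```

The fallback path is the dangerous one for callers that compare digests: the output is a valid hash, only of the wrong algorithm, so the label in the output is the only sign that something changed.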



[openssl.org #1261] [PATCH] - binary S/MIME handling in openssl smime 1.0.0e

2011-10-20 Thread John Hughes via RT
This is an update of the patch made by Antti Tapio for 0.9.8a - ticket 
#1261

Index: apps/smime.c
===
RCS file: /home/john/cvsroot/openssl/apps/smime.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -p -r1.1.1.1 -r1.1.1.1.2.1
--- apps/smime.c	14 Oct 2011 11:17:40 -	1.1.1.1
+++ apps/smime.c	20 Oct 2011 07:16:06 -	1.1.1.1.2.1
@@ -78,7 +78,7 @@ static int smime_cb(int ok, X509_STORE_C
 #define SMIME_ENCRYPT	(1 | SMIME_OP)
 #define SMIME_DECRYPT	(2 | SMIME_IP)
 #define SMIME_SIGN	(3 | SMIME_OP | SMIME_SIGNERS)
-#define SMIME_VERIFY	(4 | SMIME_IP)
+#define SMIME_VERIFY	(4 | SMIME_IP | SMIME_OP)
 #define SMIME_PK7OUT	(5 | SMIME_IP | SMIME_OP)
 #define SMIME_RESIGN	(6 | SMIME_IP | SMIME_OP | SMIME_SIGNERS)
 
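Review bot: The SMIME_VERIFY definition now carries SMIME_OP, which changes how the verify operation is classified for every invocation, not only when -transenc is given, and the patch text gives no reason for it. Please explain why verify needs this bit and confirm that existing -verify usage behaves the same when no transfer encoding is requested.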
@@ -365,6 +365,23 @@ int MAIN(int argc, char **argv)
 goto argerr;
 			contfile = *++args;
 			}
+		else if (!strcmp(*args, -transenc) || !strcmp (*args, -transferencoding))
+			{
+			if (args[1])
+{
+if (!strcmp(args[1], binary))
+	flags |= SMIME_TRANSFER_ENCODING_BINARY;
+else if (!strcmp(args[1], base64))
+	;
+else {
+	BIO_printf(bio_err, Supported transfer encodings are base64 and binary\n);
+	badarg = 1;
+}
+args++;
+}
+			else
+badarg = 1;
+			}
 		else if (args_verify(args, NULL, badarg, bio_err, vpm))
 			continue;
 		else if ((cipher = EVP_get_cipherbyname(*args + 1)) == NULL)
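Review bot: In the new -transenc branch, a missing argument sets badarg = 1, while the context line at the top of this hunk uses goto argerr; follow the surrounding convention so the options fail the same way. The empty statement after the base64 comparison is easy to misread, so add a short comment saying that base64 needs no flag, and bring the indentation of the nested block in line with the rest of the file.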
@@ -488,6 +505,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,  -rand file%cfile%c...\n, LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, load the file (or the files in the directory) into\n);
 		BIO_printf(bio_err, the random number generator\n);
+		BIO_printf(bio_err,  -transenc enc  transfer encoding to use (base64 or binary)\n);
 		BIO_printf (bio_err, cert.pem   recipient certificate(s) for encryption\n);
 		goto end;
 		}
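Review bot: The added usage line documents only -transenc, but the option parser in the previous hunk also accepts -transferencoding; either list the long form here or drop the alias. The line should also say which encoding applies when the option is omitted.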
Index: crypto/asn1/asn1.h
===
RCS file: /home/john/cvsroot/openssl/crypto/asn1/asn1.h,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -p -r1.1.1.1 -r1.1.1.1.2.1
--- crypto/asn1/asn1.h	14 Oct 2011 11:17:40 -	1.1.1.1
+++ crypto/asn1/asn1.h	15 Oct 2011 09:36:51 -	1.1.1.1.2.1
@@ -161,6 +161,7 @@ extern C {
 #define SMIME_OLDMIME		0x400
 #define SMIME_CRLFEOL		0x800
 #define SMIME_STREAM		0x1000
+#define SMIME_TRANSFER_ENCODING_BINARY	0x2000
 
 struct X509_algor_st;
 DECLARE_STACK_OF(X509_ALGOR)
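Review bot: SMIME_TRANSFER_ENCODING_BINARY is added to a public header without a comment; since apps/smime.c sets it only for -transenc binary, state here which operations honour it and what callers get when it is unset. Also confirm that 0x2000 does not collide with another flag passed in the same flags word, as only the three preceding values are visible in this hunk.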
@@ -1222,6 +1223,8 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_VERIFY 137
 #define ASN1_F_B64_READ_ASN1 209
 #define ASN1_F_B64_WRITE_ASN1 210
+#define ASN1_F_BINARY_READ_ASN1 219
+#define ASN1_F_BINARY_WRITE_ASN1			 220
 #define ASN1_F_BIO_NEW_NDEF 208
 #define ASN1_F_BITSTR_CB 180
 #define ASN1_F_BN_TO_ASN1_ENUMERATED			 138
@@ -1335,6 +1338,7 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_R_INVALID_OBJECT_ENCODING			 216
 #define ASN1_R_INVALID_SEPARATOR			 131
 #define ASN1_R_INVALID_TIME_FORMAT			 132
+#define ASN1_R_INVALID_TRANSFER_ENCODING		 217
 #define ASN1_R_INVALID_UNIVERSALSTRING_LENGTH		 133
 #define ASN1_R_INVALID_UTF8STRING			 134
 #define ASN1_R_IV_TOO_LARGE 135
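Review bot: ASN1_R_INVALID_TRANSFER_ENCODING is defined here, but the part of crypto/asn1/asn1_err.c visible in this patch adds only the two function-name strings; make sure the matching reason string is added as well, otherwise the error is reported without readable text.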
Index: crypto/asn1/asn1_err.c
===
RCS file: /home/john/cvsroot/openssl/crypto/asn1/asn1_err.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.1
diff -u -p -r1.1.1.1 -r1.1.1.1.2.1
--- crypto/asn1/asn1_err.c	14 Oct 2011 11:17:40 -	1.1.1.1
+++ crypto/asn1/asn1_err.c	15 Oct 2011 09:36:51 -	1.1.1.1.2.1
@@ -135,6 +135,8 @@ static ERR_STRING_DATA ASN1_str_functs[]
 {ERR_FUNC(ASN1_F_ASN1_VERIFY),	ASN1_verify},
 {ERR_FUNC(ASN1_F_B64_READ_ASN1),	B64_READ_ASN1},
 {ERR_FUNC(ASN1_F_B64_WRITE_ASN1),	B64_WRITE_ASN1},
+{ERR_FUNC(ASN1_F_BINARY_READ_ASN1),	BINARY_READ_ASN1},
+{ERR_FUNC(ASN1_F_BINARY_WRITE_ASN1),	BINARY_WRITE_ASN1},
 {ERR_FUNC(ASN1_F_BIO_NEW_NDEF),	BIO_new_NDEF},
 {ERR_FUNC(ASN1_F_BITSTR_CB),	BITSTR_CB},
 {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),	BN_to_ASN1_ENUMERATED},
Index: crypto/asn1/asn_mime.c
===
RCS file: /home/john/cvsroot/openssl/crypto/asn1/asn_mime.c,v
retrieving revision 1.1.1.1
retrieving revision 1.1.1.1.2.2
diff -u -p -r1.1.1.1 -r1.1.1.1.2.2
--- crypto/asn1/asn_mime.c	14 Oct 2011 11:17:40 -	1.1.1.1
+++ crypto/asn1/asn_mime.c	20 Oct 2011 07:16:07 -	1.1.1.1.2.2
@@ -100,7 +100,6 @@ static int mime_hdr_cmp(const MIME_HEADE
 static int mime_param_cmp(const MIME_PARAM * const *a,
 			const MIME_PARAM * const *b);
 static void mime_param_free(MIME_PARAM *param);
-static int mime_bound_check(char *line, int linelen, char *bound, int blen);
 static int multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret);
 static int strip_eol(char *linebuf, int *plen);
 static MIME_HEADER *mime_hdr_find(STACK_OF(MIME_HEADER) *hdrs, char *name);
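Review bot: The forward declaration of mime_bound_check is removed, but the rest of this file's changes are cut off here, so it is not visible whether the function is deleted, moved above its first use, or made non-static. If it is now shared with the binary reader, declare it in a header rather than relying on an implicit declaration.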
@@