Re: Add cipher to openssl

2012-09-24 Thread Arsen Babakhanyan
Hello all
I am trying to add my crypto algorithm to OpenSSL, but it is very hard
to change all the files in the project to integrate it.
Please help me with this: how do I do it?
Is there an easy way to do it?
Are there any manuals for it?
Thank you in advance.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-24 Thread Rob Stradling

Hi Steve.

I saw your update (to 1.0.2 and HEAD), and I did start looking at 
backporting it into my 1.0.1/1.0.0/0.9.8 patches.


ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the 
t1_lib.c patch would have to be something like...


+   X509 *x;
+   x = ssl_get_server_send_cert)s);
+   /* If no certificate can't return certificate status */
+   if (x == NULL)
+   {
+   s-tlsext_status_expected = 0;
+   return 1;
+   }
+   /* Set current certificate to one we will use so
+* SSL_get_certificate et al can pick it up.
+*/
+   s-cert-key-x509 = x;
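
Review bot: the last added line, `s->cert->key->x509 = x;`, overwrites the certificate pointer in the current key slot without releasing what it held before and without touching the private key stored beside it, so the slot can end up with a key and certificate that do not belong together and the old X509 reference is dropped without a free. Keep x in a local for the status callback instead of writing into s->cert, or select the whole key slot through an accessor so certificate and key move together. Separately, the call is written `ssl_get_server_send_cert)s);` and needs its opening parenthesis restored before it will compile.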

Is it OK to update s->cert->key->x509 like this?


On 21/09/12 14:34, Stephen Henson via RT wrote:

[rob.stradl...@comodo.com - Fri Sep 21 15:02:54 2012]:

Attached are patches for 1.0.0 and 0.9.8.




Note, I updated the original change to retain compatibility with
existing behaviour as far as possible. See:

http://cvs.openssl.org/chngview?cn=22808

Steve.



--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-24 Thread Rob Stradling

On 21/09/12 15:04, Stephen Henson via RT wrote:

[rob.stradl...@comodo.com - Fri Sep 21 15:55:39 2012]:

Hi Steve.

I saw your update (to 1.0.2 and HEAD), and I did start looking at
backporting it into my 1.0.1/1.0.0/0.9.8 patches.

ssl_get_server_send_pkey() is not available in 1.0.1 and earlier, so the
t1_lib.c patch would have to be something like...

+   X509 *x;
+   x = ssl_get_server_send_cert)s);
+   /* If no certificate can't return certificate status */
+   if (x == NULL)
+   {
+   s-tlsext_status_expected = 0;
+   return 1;
+   }
+   /* Set current certificate to one we will use so
+* SSL_get_certificate et al can pick it up.
+*/
+   s-cert-key-x509 = x;
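
Review bot: the `x == NULL` branch clears tlsext_status_expected and returns 1 with nothing recorded, and its comment, "If no certificate can't return certificate status", is hard to parse. Reword it along the lines of "No server certificate selected, so no status response can be sent", and say in the comment that returning 1 here is deliberate so a later reader does not take it for a missed error path.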

Is it OK to update s->cert->key->x509 like this?



No because you could end up with all sorts of bad things happening (keys
and certificates not matching, certificate types not matching and memory
leaks).


That's what I thought.


Easiest solution is to also backport ssl_get_server_send_pkey see:

http://cvs.openssl.org/chngview?cn=22840


I didn't think of that.  Thanks!

I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or 
Ben get there first).


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


Re: [openssl.org #2836] [PATCH] Staple the correct OCSP Response when multiple certs are configured

2012-09-24 Thread Rob Stradling

On 21/09/12 15:12, Rob Stradling via RT wrote:

On 21/09/12 15:04, Stephen Henson via RT wrote:

snip

Easiest solution is to also backport ssl_get_server_send_pkey see:

http://cvs.openssl.org/chngview?cn=22840


I didn't think of that.  Thanks!

I'll prepare patches to backport 22840 to 1.0.0 and 0.9.8 (unless you or
Ben get there first).


http://cvs.openssl.org/patchset?cn=22840 applies cleanly (i.e. no failed 
hunks) on top of my patches for 1.0.0 and 0.9.8.


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


[openssl.org #2881] [BUG][PATCH] TLS 1 1.1 client ciphersuites incorrectly truncated

2012-09-24 Thread Tyler Hicks via RT
In Ubuntu, we build OpenSSL 1.0.1 with -DOPENSSL_NO_TLS1_2_CLIENT and
-DOPENSSL_MAX_TLS1_2_CIPHER_LENGTH=50. At first glance, this seems like
a strange combination of build options to me. Ignoring that for the
moment, I've run into a bug where the TLS 1 and TLS 1.1 ClientHello
suggested ciphersuites are being incorrectly truncated.

The negotiated protocol version, s->version, is being used in
ssl23_client_hello() rather than the highest protocol version supported
by the client, which is s->client_version. Since a ServerHello hasn't
been received yet, the negotiated protocol version has not yet been
decided and I think that using s->version at this point is incorrect.

Additionally, 'make test' fails with this error:

---
test sslv2/sslv3 w/o (EC)DHE via BIO pair
Available compression methods:
  NONE
  ERROR in SERVER
  47452334661472:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
  shared cipher:s3_srvr.c:1375:
  TLSv1.2, cipher (NONE) (NONE)
  1 handshakes of 256 bytes done
  make[1]: *** [test_ssl] Error 1
  make[1]: Leaving directory `/tmp/openssl.orig/test'
  make: *** [tests] Error 2
---

With the patch below, 'make test' completes successfully. Another
reproducer for this bug is the following command:

$ openssl s_client -connect d2chzxaqi4y7f8.cloudfront.net:443 \
-CAfile /etc/ssl/certs/ca-certificates.crt

It fails with a handshake error which I assume is because the server
preferred cipher (RC4-MD5) is getting incorrectly chopped off in the
outgoing ClientHello. Specifying -tls1 allows for the handshake to
successfully complete, but this shouldn't be required.

Here's the proposed fix. Thanks!

diff -Nurp openssl.orig/ssl/s23_clnt.c openssl/ssl/s23_clnt.c
--- openssl.orig/ssl/s23_clnt.c 2012-09-17 11:11:57.526282229 -0700
+++ openssl/ssl/s23_clnt.c  2012-09-17 11:52:24.854232417 -0700
@@ -499,7 +499,7 @@ static int ssl23_client_hello(SSL *s)
 * as hack workaround chop number of supported ciphers
 * to keep it well below this if we use TLS v1.2
 */
-   if (TLS1_get_version(s) = TLS1_2_VERSION
+   if (TLS1_get_client_version(s) = TLS1_2_VERSION
 i  OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH  ~1;
 #endif
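
Review bot: the comment kept as context above the changed condition still says the list is chopped "if we use TLS v1.2", but after this change the test is on the version the client offers, not the one in use. Update the comment to match, for example "if we offer TLS v1.2", so the next reader does not put TLS1_get_version(s) back.
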
diff -Nurp openssl.orig/ssl/s3_clnt.c openssl/ssl/s3_clnt.c
--- openssl.orig/ssl/s3_clnt.c  2012-09-17 11:11:57.526282229 -0700
+++ openssl/ssl/s3_clnt.c   2012-09-17 11:52:02.698232870 -0700
@@ -776,7 +776,7 @@ int ssl3_client_hello(SSL *s)
 * as hack workaround chop number of supported ciphers
 * to keep it well below this if we use TLS v1.2
 */
-   if (TLS1_get_version(s) = TLS1_2_VERSION
+   if (TLS1_get_client_version(s) = TLS1_2_VERSION
 i  OPENSSL_MAX_TLS1_2_CIPHER_LENGTH)
i = OPENSSL_MAX_TLS1_2_CIPHER_LENGTH  ~1;
 #endif
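
Review bot: the description justifies the switch to the client version only for ssl23_client_hello(); this hunk makes the identical change in ssl3_client_hello() without saying why it applies there. Add a sentence to the description covering the s3_clnt.c call site, and consider moving the length check into one shared helper or macro so the two copies of the condition cannot drift apart.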



[openssl.org #2882] [Urgent] OpenSSLASN1 Bio vulnerability - Information Request

2012-09-24 Thread Stéphane Boua via RT
Hi,

Is the OpenSSL ASN1 Bio vulnerability fixed in version 1.0.0j of OpenSSL? The
recommended version to address that flaw was 1.0.0i, which is prior to 1.0.0j.

Thanks in advance for your quick feedback.

Stéphane Boua
www.gdfsuez.com



GDF SUEZ Mail Disclaimer: http://www.gdfsuez.com/disclaimer/disclaimer-fr.html









