Re: [openssl.org #3145] openssl auto install to /usr/local/lib64
On Sunday 20 October 2013 10:40:10 Kx Mp via RT wrote:
> when install target folder have lib64 folder it will auto install into lib64
> rather than lib folder

what exactly is the suggestion? there is a --libdir configure flag to set the path as needed. trying to add logic to guess what the right path is for the active toolchain tends to be fragile and toolchain specific. that's quite a lot of junk code for no real gain.

if you want to install into lib64, then pass --libdir=lib64.
-mike
[PATCH] fix documentation for SSL_CTX_set_tmp_dh_callback and friends
The synopsis had the wrong parameter types and an extra (unused) function pointer declaration. The demo dhparam filenames should all end in .pem. --- doc/ssl/SSL_CTX_set_tmp_dh_callback.pod | 8 +++- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod index 29d1f8a..650d27a 100644 --- a/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod +++ b/doc/ssl/SSL_CTX_set_tmp_dh_callback.pod @@ -12,11 +12,9 @@ SSL_CTX_set_tmp_dh_callback, SSL_CTX_set_tmp_dh, SSL_set_tmp_dh_callback, SSL_se DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); long SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh); - void SSL_set_tmp_dh_callback(SSL_CTX *ctx, + void SSL_set_tmp_dh_callback(SSL *ssl, DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); - long SSL_set_tmp_dh(SSL *ssl, DH *dh) - - DH *(*tmp_dh_callback)(SSL *ssl, int is_export, int keylength)); + long SSL_set_tmp_dh(SSL *ssl, DH *dh); =head1 DESCRIPTION @@ -81,7 +79,7 @@ instead (see Ldhparam(1)|dhparam(1)), but in this case SSL_OP_SINGLE_DH_USE is mandatory. Application authors may compile in DH parameters. Files dh512.pem, -dh1024.pem, dh2048.pem, and dh4096 in the 'apps' directory of current +dh1024.pem, dh2048.pem, and dh4096.pem in the 'apps' directory of current version of the OpenSSL distribution contain the 'SKIP' DH parameters, which use safe primes and were generated verifiably pseudo-randomly. These files can be converted into C code using the B-C option of the -- 1.8.4.rc3 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
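Review bot: In the second hunk, the paragraph beginning "Application authors may compile in DH parameters" still lists dh512.pem among the files to compile in, with no guidance on size; a 512-bit group is too small to protect real traffic, so since this sentence is being edited anyway, consider dropping that file from the list or adding a caveat next to it. The same sentence reads "of current version of the OpenSSL distribution", which wants "of the current version".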
[openssl.org #3147] [PATCH 2/2] POD: Fix list termination
This fixes problems in POD list formatting: extra or missing =back sequences. doc/ssl/SSL_CTX_set1_curves.pod around line 90: =back without =over doc/ssl/SSL_CTX_set1_verify_cert_store.pod around line 73: =back without =over doc/ssl/SSL_CTX_add1_chain_cert.pod around line 82: =back without =over doc/crypto/evp.pod around line 40: '=item' outside of any '=over' crypto/des/des.pod around line 184: You forgot a '=back' before '=head1' --- crypto/des/des.pod |2 ++ doc/crypto/evp.pod |1 + doc/ssl/SSL_CTX_add1_chain_cert.pod|2 -- doc/ssl/SSL_CTX_set1_curves.pod|2 -- doc/ssl/SSL_CTX_set1_verify_cert_store.pod |2 -- 5 files changed, 3 insertions(+), 6 deletions(-) diff --git a/crypto/des/des.pod b/crypto/des/des.pod index bf479e8..b8daf61 100644 --- a/crypto/des/des.pod +++ b/crypto/des/des.pod @@ -181,6 +181,8 @@ the uuencoded file to embed in the begin line of the uuencoded output. If there is no name specified after the B-u, the name text.des will be embedded in the header. +=back + =head1 SEE ALSO ps(1), diff --git a/doc/crypto/evp.pod b/doc/crypto/evp.pod index 8a9ed96..29fab9f 100644 --- a/doc/crypto/evp.pod +++ b/doc/crypto/evp.pod @@ -35,6 +35,7 @@ EVP_PKEYs can be compared using LEVP_PKEY_cmp(3)|EVP_PKEY_cmp(3), or printed u LEVP_PKEY_print_private(3)|EVP_PKEY_print_private(3). The EVP_PKEY functions support the full range of asymmetric algorithm operations: + =over =item For key agreement see LEVP_PKEY_derive(3)|EVP_PKEY_derive(3) diff --git a/doc/ssl/SSL_CTX_add1_chain_cert.pod b/doc/ssl/SSL_CTX_add1_chain_cert.pod index ef26c9f..04f7526 100644 --- a/doc/ssl/SSL_CTX_add1_chain_cert.pod +++ b/doc/ssl/SSL_CTX_add1_chain_cert.pod @@ -79,8 +79,6 @@ using SSL_CTX_add_extra_chain_cert() will be used. All these functions return 1 for success and 0 for failure. -=back - =head1 SEE ALSO LSSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3) diff --git a/doc/ssl/SSL_CTX_set1_curves.pod b/doc/ssl/SSL_CTX_set1_curves.pod index 711f563..0c9be25 100644 
--- a/doc/ssl/SSL_CTX_set1_curves.pod +++ b/doc/ssl/SSL_CTX_set1_curves.pod @@ -87,8 +87,6 @@ SSL_get1_curves() returns the number of curves, which may be zero. SSL_get1_shared_curve() returns the NID of shared curve Bn of zero if there is no shared curve Bn or the number of shared curves if Bn is -1. -=back - =head1 SEE ALSO LSSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3) diff --git a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod index a30ae93..493cca4 100644 --- a/doc/ssl/SSL_CTX_set1_verify_cert_store.pod +++ b/doc/ssl/SSL_CTX_set1_verify_cert_store.pod @@ -70,8 +70,6 @@ versions of OpenSSL. All these functions return 1 for success and 0 for failure. -=back - =head1 SEE ALSO LSSL_CTX_add_extra_chain_cert(3)|SSL_CTX_add_extra_chain_cert(3) -- 1.7.1 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
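Review bot: The doc/crypto/evp.pod hunk adds only an empty line before =over, and the commit message does not say why that cures the "'=item' outside of any '=over'" warning it lists. Please add a sentence explaining that a POD command has to start its own paragraph, so =over placed directly under the "asymmetric algorithm operations:" text line was being read as part of that paragraph; without it the one-line change looks accidental.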
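Review bot: In the doc/ssl/SSL_CTX_set1_curves.pod hunk, the context line just above the removed =back reads "returns the NID of shared curve Bn of zero if there is no shared curve"; "of zero" looks like a typo for "or zero". It is worth fixing here or in a follow-up while the file is being touched.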
[openssl.org #3148] Can't compile OpenSSL 1.0.1e on OpenIndiana x86_64 GCC 4.4.4
I'm compiling OpenSSL 1.0.1e on OI 151a8 x86_64, using Illumos-GCC 4.4.4 but failed:

# ./config
<snip>
# gmake
making all in crypto...
gmake[1]: Entering directory `/usr/share/src/openssl-1.0.1e/crypto'
( echo #ifndef MK1MF_BUILD; \
echo ' /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
echo ' #define CFLAGS gcc -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -O3 -Wall -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM'; \
echo ' #define PLATFORM solaris64-x86_64-gcc'; \
echo #define DATE \`LC_ALL=C LC_TIME=C date`\; \
echo '#endif' ) buildinf.h
gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -O3 -Wall -DL_ENDIAN -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_AS M -c - o cryptlib.o cryptlib.c
Assembler:, line 1 : Illegal flag (-)
gmake[1]: *** [cryptlib.o] Error 1
gmake[1]: Leaving directory `/usr/share/src/openssl-1.0.1e/crypto'
gmake: *** [build_crypto] Error 1

Appreciate your help.
Re: bsdmake mystery
I finally got around to taking another look at this. The next weird thing is MacOS thinks it _is_ a .S file, even though there's only mention of .s in the makefile. MacOS is, of course, case-insensitive, which probably doesn't help.

On 19 August 2013 15:39, Ben Laurie b...@links.org wrote:
> Thanks for this ... haven't had the chance to test it yet (travel) but will do shortly.
>
> On 12 August 2013 05:49, Andy Polyakov ap...@openssl.org wrote:
>>> I'm trying to figure out why bsdmake on MacOS does this using the standard Makefiles:
>>>
>>> cc -c -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o x86_64cpuid.o x86_64cpuid.s
>>>
>>> but does this when using the single makefile:
>>>
>>> as -o tmp.master/x86_64cpuid.o tmp.master/x86_64cpuid.s
>>>
>>> anyone got any ideas? It's driving me crazy (and stops the single makefile from working on macos).
>>>
>>> AFAICS, both routes should use a .s.o rule which invokes as, so ... wtf?
>>
>> From Makefile. ... ASFLAG=$(CFLAG) BUILD_CMD=... $(MAKE) -e $(BUILDENV) ... build_crypto: ... AS='$(CC) -c' ... $(BUILD_ONE_CMD) ...
>>
>> For reference, idea behind -e $(BUILDENV) is to achieve consistent behaviour among different make flavours, BSD vs. SysV. For unification sake, i.e. to harmonize rules usage on all platforms, it might be appropriate to switch to .S on x86_64. I mean a number of platforms use .S files as output from perlasm scripts, i.e. assembly code that needs C pre-processing, which can arguably serve as common denominator for all platforms.
ssleay PRNG entropy
Hello devs!

I just found that it's impossible to get an error from `RAND_bytes()` if running on the default `RAND_SSLeay()` method. There are a couple of reasons and observations that confirm it (sorry for using github, it's just more convenient for me):

1. `RAND_poll()` is called only once, in the initialization of the method: https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L436-L440 and https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L648-L652
2. The static variable `entropy`, which is used to determine if the PRNG output is secure, is never decreased, and actually stays exactly at the `ENTROPY_NEEDED` value all the time. This happens because `entropy -= ...` happens only in the following condition: https://github.com/openssl/openssl/blob/master/crypto/rand/md_rand.c#L446-L463, which is always true.

I think I can contribute a patch to make it work properly, if this isn't intended behavior. Basically, to my mind, the if condition in pt. 2 should be removed and `RAND_poll()` should be called when there isn't enough entropy. But that'll lead to enormous amounts of `RAND_poll()` calls, which will make performance worse than it really is.

Any thoughts, opinions?

Thank you,
Fedor.
[openssl.org #3146] [PATCH 1/2] POD: Fix item numbering
Newer pod2man considers =item [1-9] part of a numbered list, while =item 0 starts an unnumbered list. Add a zero effect formatting mark to override this. doc/apps/smime.pod around line 315: Expected text after =item, not a number ... --- doc/apps/cms.pod| 12 ++-- doc/apps/smime.pod | 12 ++-- doc/ssl/SSL_COMP_add_compression_method.pod |4 ++-- doc/ssl/SSL_CTX_add_session.pod |4 ++-- doc/ssl/SSL_CTX_load_verify_locations.pod |4 ++-- doc/ssl/SSL_CTX_set_client_CA_list.pod |4 ++-- doc/ssl/SSL_CTX_set_session_id_context.pod |4 ++-- doc/ssl/SSL_CTX_set_ssl_version.pod |4 ++-- doc/ssl/SSL_CTX_use_psk_identity_hint.pod |2 +- doc/ssl/SSL_accept.pod |4 ++-- doc/ssl/SSL_clear.pod |4 ++-- doc/ssl/SSL_connect.pod |4 ++-- doc/ssl/SSL_do_handshake.pod|4 ++-- doc/ssl/SSL_read.pod|2 +- doc/ssl/SSL_session_reused.pod |4 ++-- doc/ssl/SSL_set_fd.pod |4 ++-- doc/ssl/SSL_set_session.pod |4 ++-- doc/ssl/SSL_shutdown.pod|4 ++-- doc/ssl/SSL_write.pod |2 +- 19 files changed, 43 insertions(+), 43 deletions(-) diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod index dc33703..29720a8 100644 --- a/doc/apps/cms.pod +++ b/doc/apps/cms.pod @@ -463,28 +463,28 @@ remains DER. =over 4 -=item 0 +=item Z0 the operation was completely successfully. -=item 1 +=item Z1 an error occurred parsing the command options. -=item 2 +=item Z2 one of the input files could not be read. -=item 3 +=item Z3 an error occurred creating the CMS file or when reading the MIME message. -=item 4 +=item Z4 an error occurred decrypting or verifying the message. -=item 5 +=item Z5 the message was verified correctly but an error occurred writing out the signers certificates. diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod index e4e89af..3aa6e84 100644 --- a/doc/apps/smime.pod +++ b/doc/apps/smime.pod 
@@ -308,28 +308,28 @@ remains DER. =over 4 -=item 0 +=item Z0 the operation was completely successfully. -=item 1 +=item Z1 an error occurred parsing the command options. -=item 2 +=item Z2 one of the input files could not be read. -=item 3 +=item Z3 an error occurred creating the PKCS#7 file or when reading the MIME message. -=item 4 +=item Z4 an error occurred decrypting or verifying the message. -=item 5 +=item Z5 the message was verified correctly but an error occurred writing out the signers certificates. diff --git a/doc/ssl/SSL_COMP_add_compression_method.pod b/doc/ssl/SSL_COMP_add_compression_method.pod index 42fa66b..f4d191c 100644 --- a/doc/ssl/SSL_COMP_add_compression_method.pod +++ b/doc/ssl/SSL_COMP_add_compression_method.pod @@ -53,11 +53,11 @@ SSL_COMP_add_compression_method() may return the following values: =over 4 -=item 0 +=item Z0 The operation succeeded. -=item 1 +=item Z1 The operation failed. Check the error queue to find out the reason. diff --git a/doc/ssl/SSL_CTX_add_session.pod b/doc/ssl/SSL_CTX_add_session.pod index 82676b2..8e0abd3 100644 --- a/doc/ssl/SSL_CTX_add_session.pod +++ b/doc/ssl/SSL_CTX_add_session.pod @@ -52,13 +52,13 @@ The following values are returned by all functions: =over 4 -=item 0 +=item Z0 The operation failed. In case of the add operation, it was tried to add the same (identical) session twice. In case of the remove operation, the session was not found in the cache. -=item 1 +=item Z1 The operation succeeded. diff --git a/doc/ssl/SSL_CTX_load_verify_locations.pod b/doc/ssl/SSL_CTX_load_verify_locations.pod index 84a799f..d1d8977 100644 --- a/doc/ssl/SSL_CTX_load_verify_locations.pod +++ b/doc/ssl/SSL_CTX_load_verify_locations.pod 
@@ -100,13 +100,13 @@ The following return values can occur: =over 4 -=item 0 +=item Z0 The operation failed because BCAfile and BCApath are NULL or the processing at one of the locations specified failed. Check the error stack to find out the reason. -=item 1 +=item Z1 The operation succeeded. diff --git a/doc/ssl/SSL_CTX_set_client_CA_list.pod b/doc/ssl/SSL_CTX_set_client_CA_list.pod index 5e66133..5e97392 100644 --- a/doc/ssl/SSL_CTX_set_client_CA_list.pod +++ b/doc/ssl/SSL_CTX_set_client_CA_list.pod @@ -66,13 +66,13 @@ values: =over 4 -=item 0 +=item Z0 A failure while manipulating the STACK_OF(X509_NAME) object occurred or the X509_NAME could not be extracted from Bcacert. Check the error stack to find out the reason. -=item 1 +=item Z1 The operation succeeded. diff --git a/doc/ssl/SSL_CTX_set_session_id_context.pod b/doc/ssl/SSL_CTX_set_session_id_context.pod index 58fc685..7c9e515 100644 --- a/doc/ssl/SSL_CTX_set_session_id_context.pod +++
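Review bot: In the doc/apps/cms.pod and doc/apps/smime.pod hunks, the description under the first item, "the operation was completely successfully.", is ungrammatical and sits directly beside the lines being changed; "the operation was completed successfully" could go in with this patch. The commit message would also be easier to act on later if it named the pod2man version where the handling of "=item" followed by a number changed, instead of "Newer pod2man".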
RE: Self-initialization of locking/threadid callbacks and auto-detection of features
I like your proposal, but I'd prefer to see an already initialized error code returned. Or a flag to the (new?) init api that says ignore if already set

/r$

--
Principal Security Engineer
Akamai Technology
Cambridge, MA
Re: Self-initialization of locking/threadid callbacks and auto-detection of features
On Monday, October 21, 2013, Salz, Rich wrote:
> I like your proposal, but I'd prefer to see an already initialized error code
> returned. Or a flag to the (new?) init api that says ignore if already set

Thanks for your reply!

I can add an error, but note that the caller can set then get the callbacks and compare to check whether the caller's callbacks were taken. I could also add a new set of callback setters with ignore-if-set flags. As long as the existing ones behave reliably in the already-set case.

In the already-set case I think it may well be best to ignore without failing on the theory that the caller that first set the callbacks must have set sufficiently useful ones anyways... and that where the OS has a good enough default threading library, that's the one that will be used by all DSOs calling OpenSSL in the same process, as otherwise all hell would already be breaking loose anyways! (I can imagine twisted cases where this would not be true, but they seem exceedingly unlikely.)

If you want to see the half-baked bits I have (which build on Linux, but which aren't tested) to see what I'm up to, see https://github.com/nicowilliams/openssl, specifically the thread_safety branch. See the XXX comments in rand_lib.c in particular.

The outline: add a thread-safe one-time initialization function, built on whatever the OS provides, then use that to make callback init thread-safe.

What I need to know:

- should I add new targets to ./Configure? for now I modified the linux-elf target, but this feels wrong to me.
- what about Windows? I either need to have different targets for pre-Vista/2008 or I have to write a once initialization function for older Windows (which I can and know how to do, it's just more work that, and in particular I couldn't test it, so I'm not inclined to do it).
- if so, should ./config automatically pick the new targets where there is appropriate threading support?
- how to allocate error codes for already initialized errors that you suggest?
- should I work to make sure that it's possible to change the default RAND method after it's been set once? The code in rand_lib.c is currently fundamentally thread-unsafe, though it could be accidentally thread-safe if, e.g., ENGINE_finish() doesn't actually tear down state at all. The simplest fix involves setting the default only once, as with the callbacks, but here I feel that's a shaky idea, that I should allow RAND method changes at any time, in a thread-safe manner -- more work for me, but less surprising.

Nico
--
(sent from a mobile device with lousy typing options, and no plain text button)
(my patches need rebasing to squash and split up, need tests, need finishing, but if you have comments I would love them sooner than later! :)
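The three already-set behaviours discussed in this thread (an error code, an ignore-if-set flag, and the set-then-get comparison), side by side. This is an added example, not code from the thread_safety branch or from OpenSSL: every name in it (set_lock_cb, CB_IGNORE_IF_SET and so on) is hypothetical, and a C11 compare-and-swap on a single slot stands in for the OS-provided one-time initialization the outline mentions.

```c
/* Added illustration: every name here is hypothetical, not OpenSSL's API. */
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

typedef void (*lock_cb_t)(int mode, int n, const char *file, int line);

enum { CB_ERR_ALREADY_SET = -1, CB_ERR_NULL = 0, CB_OK = 1 };
#define CB_IGNORE_IF_SET 0x1u

/* One process-wide slot shared by every DSO; NULL means "not set yet". */
static _Atomic(lock_cb_t) g_lock_cb = NULL;

/* First caller wins. Later callers get CB_ERR_ALREADY_SET unless they pass
 * CB_IGNORE_IF_SET or offer the callback that is already installed. */
int set_lock_cb(lock_cb_t cb, unsigned flags)
{
    lock_cb_t seen = NULL;

    if (cb == NULL)
        return CB_ERR_NULL;
    /* Atomic NULL -> cb transition: two racing setters cannot both succeed. */
    if (atomic_compare_exchange_strong(&g_lock_cb, &seen, cb))
        return CB_OK;
    /* The swap failed, so `seen` now holds the winner's callback. */
    if (seen == cb || (flags & CB_IGNORE_IF_SET))
        return CB_OK;
    return CB_ERR_ALREADY_SET;
}

lock_cb_t get_lock_cb(void)
{
    return atomic_load(&g_lock_cb);
}

/* The set-then-get comparison: did my callback end up installed? */
int lock_cb_is_mine(lock_cb_t cb)
{
    return get_lock_cb() == cb;
}

/* Two constructed callers standing in for an application and a plugin DSO. */
static int app_calls, plugin_calls;
static void app_lock(int m, int n, const char *f, int l)    { (void)m; (void)n; (void)f; (void)l; app_calls++; }
static void plugin_lock(int m, int n, const char *f, int l) { (void)m; (void)n; (void)f; (void)l; plugin_calls += 2; }

int main(void)
{
    printf("app strict:    %d\n", set_lock_cb(app_lock, 0));
    printf("plugin strict: %d\n", set_lock_cb(plugin_lock, 0));
    printf("plugin ignore: %d\n", set_lock_cb(plugin_lock, CB_IGNORE_IF_SET));
    printf("plugin owns the slot: %d\n", lock_cb_is_mine(plugin_lock));
    return 0;
}
```

With the ignore flag the second caller sees success even though its callback was not installed, so the set-then-get comparison is the only way for it to learn which callback is actually in use.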