[PATCH] ec/ec_pmeth.c: fix unsigned char issue

[y]

From: Marcelo Cerri mhce...@linux.vnet.ibm.com

In some platforms, such as POWER, char is defined as unsigned. This
patch fix a problem when comparing a char to -1.

Signed-off-by: Marcelo Cerri mhce...@linux.vnet.ibm.com
---
 crypto/ec/ec_pmeth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c
index e477418..933bf43 100644
--- a/crypto/ec/ec_pmeth.c
+++ b/crypto/ec/ec_pmeth.c
@@ -319,7 +319,7 @@ static int pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int 
p1, void *p2)
case EVP_PKEY_CTRL_EC_ECDH_COFACTOR:
if (p1 == -2)
{
-   if (dctx-cofactor_mode != -1)
+   if (dctx-cofactor_mode != ((char) -1))
return dctx-cofactor_mode;
else
{
-- 
1.8.4.rc3
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[PATCH 1/4] ppc64: add little-endian platform to Configure

[Marcelo Cerri]

This patch includes a new platform for little-endian ppc64. It uses the
same flags as big-endian ppc64 but it differs in the endianess flag and
uses a specific `flavour` value that is passed to the assembly generator
perl scripts.

Signed-off-by: Marcelo Cerri mhce...@linux.vnet.ibm.com
---
 Configure | 1 +
 config| 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/Configure b/Configure
index 8d8cb51..f4855fd 100755
--- a/Configure
+++ b/Configure
@@ -365,6 +365,7 @@ my %table=(
 
 linux-generic64,gcc:-DTERMIO -O3 
-Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT 
DES_UNROLL 
BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),
 linux-ppc64, gcc:-m64 -DB_ENDIAN -DTERMIO -O3 
-Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 
DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64,
+linux-ppc64le,   gcc:-m64 -DL_ENDIAN -DTERMIO -O3 
-Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 
DES_UNROLL:${ppc64_asm}:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64,
 linux-ia64,  gcc:-DL_ENDIAN -DTERMIO -O3 
-Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL 
DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),
 linux-ia64-icc,icc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl 
-no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 
DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR),
 linux-x86_64,gcc:-m64 -DL_ENDIAN -DTERMIO -O3 
-Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT 
DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64,
diff --git a/config b/config
index b432f62..9b56d9f 100755
--- a/config
+++ b/config
@@ -586,10 +586,11 @@ case $GUESSOS in
esac
fi
;;
-  ppc64-*-linux2)
+  ppc64*-linux2)
if [ -z $KERNEL_BITS ]; then
echo WARNING! If you wish to build 64-bit library, then you have 
to
-   echo  invoke './Configure linux-ppc64' *manually*.
+   echo  invoke './Configure linux-ppc64' or
+   echo  './Configure linux-ppc64le' *manually*.
if [ $TEST = false -a -t 1 ]; then
echo  You have about 5 seconds to press Ctrl-C to 
abort.
(trap stty `stty -g` 2 0; stty -icanon min 0 time 50; read 
waste) 1
-- 
1.7.12
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3154] [PATCH] Document argument-handling of SSL_CTX_add_extra_chain_cert

[Daniel Kahn Gillmor via RT]

See on-list discussion starting with 20131029180341.ga31...@openssl.org
---
 doc/ssl/SSL_CTX_add_extra_chain_cert.pod | 4 
 1 file changed, 4 insertions(+)

diff --git a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod 
b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
index 11b3b4b..7782623 100644
--- a/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
+++ b/doc/ssl/SSL_CTX_add_extra_chain_cert.pod
@@ -24,6 +24,10 @@ the library will try to complete the chain from the 
available CA
 certificates in the trusted CA storage, see
 LSSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3).
 
+Callers should avoid reuse or freeing of the object pointed to by x509
+after passing it to this function.  It will be freed when ctx is
+freed.
+
 =head1 RESTRICTIONS
 
 Only one set of extra chain certificates can be specified per SSL_CTX
-- 
1.8.4.rc3

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

[Corinna Vinschen]

On Oct 29 21:58, Andy Polyakov wrote:
 I feel like saying few words. One should recognize that by the time
 multi-threading support was taking shape there was a whole variety
 of threading implementations and callbacks were the only way to
 convey the specifics. Nowadays we're pretty much talking only about
 pthreads and Windows, and one can indeed argue why wouldn't OpenSSL
 simply default to either of the two when appropriate. While it's
 more than appropriate on Windows as it is, on pthreads-powered
 Unices it's not as obvious.
 [...]
  Ideally libcrypto should *detect* if
 *hosting* application is linked with libpthread and only *then*
 adjust accordingly. Is there way to detect if application is linked
 with libpthread at run-time? There is DSO_global_lookup.

Please, before any change is made in terms of threading, let me point
out that Cygwin is NOT Windows, even if it runs on Windows.  Cygwin
provides its own pthreads implementation which is always available,
even without explicit linking against -lpthread.

So, for Cygwin, please use pthreads, not Windows threading, otherwise
applications linked against libcrypto might be broken in subtil ways.


Thanks for considering,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat


pgpKeAfpitjTD.pgp
Description: PGP signature

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

[Nico Williams]

On Wed, Oct 30, 2013 at 11:15:27AM +0100, Corinna Vinschen wrote:
 Please, before any change is made in terms of threading, let me point
 out that Cygwin is NOT Windows, even if it runs on Windows.  Cygwin
 provides its own pthreads implementation which is always available,
 even without explicit linking against -lpthread.
 
 So, for Cygwin, please use pthreads, not Windows threading, otherwise
 applications linked against libcrypto might be broken in subtil ways.

Of course.  But surely OpenSSL needs to be built separately (and
differently) for native Windows and Cygwin.  I.e., an OpenSSL DLL built
against the Windows CRT can't be used from a Cygwin app.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

[Corinna Vinschen]

On Oct 30 11:39, Nico Williams wrote:
 On Wed, Oct 30, 2013 at 11:15:27AM +0100, Corinna Vinschen wrote:
  Please, before any change is made in terms of threading, let me point
  out that Cygwin is NOT Windows, even if it runs on Windows.  Cygwin
  provides its own pthreads implementation which is always available,
  even without explicit linking against -lpthread.
  
  So, for Cygwin, please use pthreads, not Windows threading, otherwise
  applications linked against libcrypto might be broken in subtil ways.
 
 Of course.  But surely OpenSSL needs to be built separately (and
 differently) for native Windows and Cygwin.  I.e., an OpenSSL DLL built
 against the Windows CRT can't be used from a Cygwin app.

Right.  I'm just trying to raise awareness before Cygwin gets sorted
into the runs on Windows so use Windows functions drawer, accidentally,
as happened too often in the past in various projects.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
Red Hat


pgpV35LME50WJ.pgp
Description: PGP signature

SSL_VERIFY_NONE not working

[Zhengshan Yan]

Hi,

I want the client side don't try to verify the server certificate.

The verify_mode in SSL_ctx_st is set to SSL_VERIFY_NONE. But connection always 
terminated after calling x509_verify_cert().
Do you know what happens? The doc says this mode set in client side will 
disable verification of server certificate. Is there any where else should be 
set too? 

Regards
Jason 

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

[Nico Williams]

On Wed, Oct 30, 2013 at 06:12:08PM +0100, Corinna Vinschen wrote:
 Right.  I'm just trying to raise awareness before Cygwin gets sorted
 into the runs on Windows so use Windows functions drawer, accidentally,
 as happened too often in the past in various projects.

I won't.

I'll basically be adding new targets for every existing target that has
a standard (POSIX or Win32) threading library.  I probably won't change
what target ./config picks -- I think core OpenSSL developers must make
that decision.

Nico
-- 
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

[Nico Williams]

On Tue, Oct 29, 2013 at 09:58:25PM +0100, Andy Polyakov wrote:


Another thing: run-time selection from among multiple pthreads
implementations can only safely be managed by the RTLD, and dependencies
on pthreads must still be declared via the linker-editor.

Libraries should be able to refer to pthread_* symbols and still use the
run-time-selected pthread implementation *even* if the library was
linked with -lpthread (and therefore a specific libpthread.so
compilation symlink).

If an OS delivers two (or more) pthreads implementations then:

 - if the ABIs of those pthreads implementations all match then the RTLD
   should be able to substitute any of them regardless of which
   libpthread any one object in the process was linked with;

   (e.g., via LD_PRELOAD, different library search paths, ..., but all
   the libpthreads would have to have the same SONAMEs and symbol
   version numbers)

 - but if their ABIs are not compatible then no run-time substitution is
   safe, no matter what the mechanism.

   (unless compatibility shims are involved, but then we *really* must
   leave it all to the RTLD and we can't be using dlsym() or weak
   symbols)

I don't think libraries should be failing to declare their dependencies
and then use dlsym(RTLD_DEFAULT) and dlopen()+dlsym() as a way to
run-time link-edit-load their undeclared dependencies.  Doing so is
fundamentally racy and so would have to be done in .init sections, and
results (which pthread gets used) would be unpredictable (since that
would depend on object load and .init firing order).  Plus we'd lose
observability via ldd(1).  I can't see any way to justify this without
having examples of OSes where this is the documented way to handle
dynamic linking against libpthread.  But maybe I'm missing something?

Nico
-- 
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Enhancing eng_cryptodev.c

[Joshua Datko]

The cryptodev engine is working great for me, but eng_cryptodev.c does not
make available many of the ciphers that the cryptodev module
(linux-cryptodev) uses.

Mainly, I'd like to add AES in ECB, CTR, and GCM modes.  I'm attaching a
patch, for review purposes only, just to see if I'm on the right track
and/or missing something.  I'll submit a proper patch once I've added the
rest of the ciphers.

However, initial testing seems like everything is in order.  I've pasted
output of AES-128-ECB with this patch running on BeagleBone Black (TI
AM335x using linux-cryptodev).

Does anybody see any issues with my approach?

Josh

debian@arm:~/debian-packages$ time openssl speed -evp aes-128-ecb -engine
cryptodev
engine cryptodev set.
Doing aes-128-ecb for 3s on 16 size blocks: 10749 aes-128-ecb's in 0.01s
Doing aes-128-ecb for 3s on 64 size blocks: 21660 aes-128-ecb's in 0.02s
Doing aes-128-ecb for 3s on 256 size blocks: 8 aes-128-ecb's in 0.01s
Doing aes-128-ecb for 3s on 1024 size blocks: 8 aes-128-ecb's in 0.00s
Doing aes-128-ecb for 3s on 8192 size blocks: 8 aes-128-ecb's in 0.01s
OpenSSL 1.0.1e 11 Feb 2013
built on: Mon Oct 28 00:28:43 UTC 2013
options:bn(64,32) rc4(ptr,char) des(idx,cisc,16,long) aes(partial)
idea(int) blowfish(ptr)
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DHAVE_CRYPTODEV -DUSE_CRYPTDEV_DIGESTS
-march=armv7-a -Wa,--noexecstack -DTERMIO -O3 -Wall -DOPENSSL_BN_ASM_MONT
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM
-DGHASH_ASM
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes256 bytes   1024 bytes   8192
bytes
aes-128-ecb  17198.40k69312.00k  204.80k infk
6553.60k

real 0m15.698s
user 0m0.057s
sys 0m2.746s


cryptodev.patch
Description: Binary data

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

[Nico Williams]

It's getting closer, see:

https://github.com/nicowilliams/openssl/compare/thread_safety

I spoke to a Linux expert and was told that the correct thing to do in
the shared build of OpenSSL is to always link with -lpthread.  I assert
that this is also the correct thing to do on Solaris.  It's been so for
a long time now.  I.e., OpenSSL should default to using native threads
on all POSIX-like and Win32/64 systems (others will have to contribute
similar support for other environments).

My patches nonetheless will allow apps to provide alternate threading
callbacks, just as today, except that the callbacks now may not be
changed once set, and they are set to native implementations where
possible if they are needed before they are set.

Nico
-- 
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org