[PATCH] Fix to x509v3_config docs

2013-12-10 Thread Ryan Castellucci
I've discovered that having a trailing slash in an OCSP URL can cause
problems with MS-CAPI. This is a minimal patch to make the example
non-broken. I haven't added any additional text to the documentation
to explain this because all that was there in the first place was the
example. Please let me know if this needs to be more extensively
documented.

I've CC'd cr...@bis.doc.gov as requested in the readme, however this
is a trivial documentation change which doesn't touch any encryption
code.

diff --git a/doc/apps/x509v3_config.pod b/doc/apps/x509v3_config.pod
index 06d8467..8e3d48a 100644
--- a/doc/apps/x509v3_config.pod
+++ b/doc/apps/x509v3_config.pod
@@ -220,7 +220,7 @@ certain values are meaningful, for example OCSP
and caIssuers.

 Example:

- authorityInfoAccess = OCSP;URI:http://ocsp.my.host/
+ authorityInfoAccess = OCSP;URI:http://ocsp.my.host
  authorityInfoAccess = caIssuers;URI:http://my.ca/ca.html
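Review bot: The OCSP line of the example loses its trailing slash with no explanation next to it, so a later editor has no reason not to put the slash back. A one-sentence remark beside the example, saying that a trailing slash in the OCSP URI can cause problems with MS-CAPI (as the submission states), would record why the example looks the way it does.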
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: Questions on SSL_OP_SAFARI_ECDHE_ECDSA_BUG

2013-12-10 Thread Rob Stradling

On 09/12/13 23:34, Jeffrey Walton wrote:

> Reference:
> http://openssl.6102.n7.nabble.com/openssl-org-3068-PATCH-Safari-broken-ECDHE-ECDSA-workaround-td45432.html
> and http://openssl.6102.n7.nabble.com/Apple-are-apparently-dicks-td45512.html.
>
> BL  ...and don't intend to fix their broken ECDSA support in Safari.
> Apple really needs to fix their engineering process and broken
> implementation. (And hire some QA personnel while they are at it...
> This is something their lawyers can't fix with a change to their
> license agreements).
>
> Will the patch be applied to 0.9.8 and 1.0.1 branches?


It has been applied on those branches already.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_0_9_8-stable
Committed on 2013-10-04.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_1_0_0-stable
Committed on 2013-09-10.

http://git.openssl.org/gitweb/?p=openssl.git;a=shortlog;h=refs/heads/OpenSSL_1_0_1-stable
Committed on 2013-09-16.


> If I can't wait for the patch in future stable releases (or don't want
> to use SSL_OP_SAFARI_ECDHE_ECDSA_BUG), what are the other options? Can
> I use a cipher_list to work around this? For example, can I prefer RSA
> and DSS ciphers over ECDSA:
>
>    const char* const PREFERRED_CIPHERS =
>
>        /* TLS 1.2 only */
>        "ECDHE-RSA-AES256-GCM-SHA384:"
>        "ECDHE-RSA-AES128-GCM-SHA256:"
>
>        /* TLS 1.2 only */
>        "DHE-DSS-AES256-GCM-SHA384:"
>        "DHE-RSA-AES256-GCM-SHA384:"
>        "DHE-DSS-AES128-GCM-SHA256:"
>        "DHE-RSA-AES128-GCM-SHA256:"
>
>        /* TLS 1.2, see SSL_OP_SAFARI_ECDHE_ECDSA_BUG */
>        "ECDHE-ECDSA-AES256-GCM-SHA384:"
>        "ECDHE-ECDSA-AES128-GCM-SHA256:"


The broken versions of Safari/OSX don't support GCM (or DSS, I think), 
so enabling and even preferring ECDHE-ECDSA-AES256-GCM-SHA384 and 
ECDHE-ECDSA-AES128-GCM-SHA256 on your server shouldn't cause any problems.


If you can't wait for the patch, or don't want to use it, here are two 
workarounds that I think should work...


1. Ensure that these 4 ciphers are all disabled on your server (since 
these are the only ciphers that are affected by the Safari/OSX bug):

ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-RC4-SHA
ECDHE-ECDSA-DES-CBC3-SHA

or

2. If you want to enable 1 or more of those 4 ECDHE-ECDSA ciphers, 
ensure that your server prefers at least 1 of the following ciphers 
(that Safari/OSX also offers) ahead of them:

ECDH-RSA-AES128-SHA
ECDH-RSA-AES256-SHA
ECDH-RSA-RC4-SHA
ECDH-RSA-DES-CBC3-SHA
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-RC4-SHA
ECDHE-RSA-DES-CBC3-SHA
AES128-SHA
RC4-SHA
RC4-MD5
AES256-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA

(Obviously you'll need 2 server certificates, one with an RSA key and 
one with an ECC key).


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
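
The two workarounds in the message above, written as an audit of a server's cipher preference order (an added example, not part of the original message and not OpenSSL code). It assumes the input is the expanded colon-separated list that `openssl ciphers '<string>'` prints, most preferred first, and that the server enforces its own order; `audit_cipher_order` and the sample lists are constructed for illustration.

```python
# Added example: checks a cipher preference order against the two
# workarounds above. Assumes the input is the expanded, colon-separated
# list printed by `openssl ciphers '<string>'`, most preferred first.

# The four ciphers the message names as affected by the Safari/OSX bug.
AFFECTED = {
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-ECDSA-RC4-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
}

# Ciphers the message lists as also offered by Safari/OSX.
ALTERNATIVES = {
    "ECDH-RSA-AES128-SHA", "ECDH-RSA-AES256-SHA", "ECDH-RSA-RC4-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA", "RC4-SHA",
    "RC4-MD5", "AES256-SHA", "DES-CBC3-SHA", "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA", "EDH-RSA-DES-CBC3-SHA",
}


def audit_cipher_order(expanded):
    """Return (ok, reason) for a preference-ordered cipher list."""
    order = [name.strip() for name in expanded.split(":") if name.strip()]
    enabled_affected = [name for name in order if name in AFFECTED]
    if not enabled_affected:
        return True, "workaround 1: no affected ECDHE-ECDSA cipher is enabled"
    first = order.index(enabled_affected[0])
    ahead = [name for name in order[:first] if name in ALTERNATIVES]
    if ahead:
        return True, "workaround 2: %s is preferred ahead of %s" % (
            ahead[0], order[first])
    return False, "%s is reached before any cipher Safari/OSX also offers" % (
        order[first])


if __name__ == "__main__":
    # Constructed sample preference orders, not taken from a real server.
    samples = [
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA",
        "ECDHE-ECDSA-AES128-SHA:AES128-SHA",
        "DHE-DSS-AES256-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA",
    ]
    for sample in samples:
        ok, reason = audit_cipher_order(sample)
        print("%-4s %s\n     %s" % ("OK" if ok else "FAIL", sample, reason))
```

The last sample fails because DHE-DSS-AES256-SHA is not among the ciphers the message lists as offered by Safari/OSX, so it does not shield the affected cipher behind it.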


[openssl.org #3194] [PATCH] Provide asn1parse with capability to show raw OIDs

2013-12-10 Thread Johannes Bauer via RT
Resubmitted (the first try I had the wrong mailing list, sorry):

Hello list,

the asn1parse application does provide a mechanism to enhance the output
by providing additional OID/string mappings. As of now it is not
possible to display the raw OIDs (without any name resolution done).
This is something I have found very useful in the past when digging into
ASN1.

I have written a patch against openssl-1.0.1e that does provide this
functionality. The changes for the user in summary are:

* Add -rawoids command line switch to asn1parse application

Under the hood I made these changes:

* Introduced i2t_ASN1_OBJECT_resolve and i2a_ASN1_OBJECT_resolve which
work just like i2t_ASN1_OBJECT and i2a_ASN1_OBJECT, but take an
additional resolveoids parameter
* Changed i2t_ASN1_OBJECT and i2a_ASN1_OBJECT to call their _resolve
respective counterparts (with resolve_oids = 1 in order to keep current
behavior)
* Changed API of ASN1_parse_dump in order to accept a resolve_oids parameter
* Changed calls of ASN1_parse_dump to pass 1 for the resolve_oids parameter

The rationale is as follows:

* i2t_ASN1_OBJECT and i2a_ASN1_OBJECT are probably used internally in
external applications, so I found it useful to keep their APIs stable
* ASN1_parse_dump is currently only used in debug/error output
conditions, which is why I thought API stability would not be that
important at this point. Any conversion from old to new is trivial (just
append ,1 to the call)

Attached to this mail is the patch I produced. I took care to preserve
coding style and nomenclature where applicable.

I would greatly appreciate feedback on this patch.
Best regards,
Johannes

From ae9c5bb1123db6b756af3d5114c7e0661c8b2e07 Mon Sep 17 00:00:00 2001
From: Johannes Bauer dfnsonfsdu...@gmx.de
Date: Fri, 29 Nov 2013 11:46:39 +0100
Subject: [PATCH] Implement raw OID display

---
 openssl-1.0.1e/apps/asn1pars.c|  8 +++-
 openssl-1.0.1e/apps/pkeyutl.c |  2 +-
 openssl-1.0.1e/apps/rsautl.c  |  2 +-
 openssl-1.0.1e/crypto/asn1/a_object.c | 20 +++-
 openssl-1.0.1e/crypto/asn1/asn1.h |  4 +++-
 openssl-1.0.1e/crypto/asn1/asn1_par.c | 16 
 openssl-1.0.1e/crypto/asn1/tasn_prn.c |  2 +-
 openssl-1.0.1e/crypto/x509v3/v3_prn.c |  2 +-
 8 files changed, 37 insertions(+), 19 deletions(-)

diff --git a/openssl-1.0.1e/apps/asn1pars.c b/openssl-1.0.1e/apps/asn1pars.c
index 0d66070..dd398f0 100644
--- a/openssl-1.0.1e/apps/asn1pars.c
+++ b/openssl-1.0.1e/apps/asn1pars.c
@@ -95,6 +95,7 @@ int MAIN(int argc, char **argv)
 	char *genstr=NULL, *genconf=NULL;
 	unsigned char *tmpbuf;
 	const unsigned char *ctmpbuf;
+	int rawoids = 0;
 	BUF_MEM *buf=NULL;
 	STACK_OF(OPENSSL_STRING) *osk=NULL;
 	ASN1_TYPE *at=NULL;
@@ -181,6 +182,10 @@ int MAIN(int argc, char **argv)
 			if (--argc  1) goto bad;
 			genconf= *(++argv);
 			}
+		else if (strcmp(*argv,-rawoids) == 0)
+			{
+			rawoids=1;
+			}
 		else
 			{
 			BIO_printf(bio_err,unknown option %s\n,*argv);
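Review bot: The new -rawoids branch introduces a user-visible option, but the diffstat lists only files under apps/ and crypto/, so the only documentation is the one usage line printed on a bad invocation. Please add the option to the asn1parse manual page in the same patch, with a short description of what "raw" output looks like compared with the default.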
@@ -211,6 +216,7 @@ bad:
 		BIO_printf(bio_err,   ASN1 blob wrappings\n);
 		BIO_printf(bio_err, -genstr str   string to generate ASN1 structure from\n);
 		BIO_printf(bio_err, -genconf file file to generate ASN1 structure from\n);
+		BIO_printf(bio_err, -rawoids  never resolve OIDs to string representation\n);
 		goto end;
 		}
 
@@ -363,7 +369,7 @@ bad:
 	}
 	if (!noout 
 	!ASN1_parse_dump(out,(unsigned char *)(str[offset]),length,
-		indent,dump))
+		indent,dump,!rawoids))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
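Review bot: In the ASN1_parse_dump call the flag changes sense on the way down: the command-line variable is rawoids, it is passed as !rawoids into a parameter the cover letter calls resolve_oids, and a_object.c negates it once more with !resolve_oids before handing it to OBJ_obj2txt. Carrying one sense end to end would remove both negations and make the bare 1 at the pkeyutl.c and rsautl.c call sites easier to read.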
diff --git a/openssl-1.0.1e/apps/pkeyutl.c b/openssl-1.0.1e/apps/pkeyutl.c
index 7eb3f5c..5c56cd1 100644
--- a/openssl-1.0.1e/apps/pkeyutl.c
+++ b/openssl-1.0.1e/apps/pkeyutl.c
@@ -363,7 +363,7 @@ int MAIN(int argc, char **argv)
 	ret = 0;
 	if(asn1parse)
 		{
-		if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
+		if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1, 1))
 			ERR_print_errors(bio_err);
 		}
 	else if(hexdump)
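Review bot: The extra argument on ASN1_parse_dump in this call shows that the patch changes the signature of an exported function, which breaks every external caller at compile time. The patch already keeps i2t_ASN1_OBJECT stable by introducing a _resolve variant beside it; doing the same for ASN1_parse_dump would leave this call and the one in rsautl.c unchanged and avoid the unexplained literal 1.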
diff --git a/openssl-1.0.1e/apps/rsautl.c b/openssl-1.0.1e/apps/rsautl.c
index b01f004..32cab61 100644
--- a/openssl-1.0.1e/apps/rsautl.c
+++ b/openssl-1.0.1e/apps/rsautl.c
@@ -302,7 +302,7 @@ int MAIN(int argc, char **argv)
 	}
 	ret = 0;
 	if(asn1parse) {
-		if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
+		if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1, 1)) {
 			ERR_print_errors(bio_err);
 		}
 	} else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen);
diff --git a/openssl-1.0.1e/crypto/asn1/a_object.c b/openssl-1.0.1e/crypto/asn1/a_object.c
index 3978c91..c786da9 100644
--- a/openssl-1.0.1e/crypto/asn1/a_object.c
+++ b/openssl-1.0.1e/crypto/asn1/a_object.c
@@ -227,25 +227,25 @@ err:
 	return(0);
 	}
 
-int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a)
+int i2t_ASN1_OBJECT_resolve(char *buf, int buf_len, ASN1_OBJECT *a, int resolve_oids)
 {
-	return OBJ_obj2txt(buf, buf_len, a, 0);
+	return OBJ_obj2txt(buf, buf_len, a, !resolve_oids);
 }
 
-int i2a_ASN1_OBJECT(BIO