The first part of David's suggestion is correct: your best bet is to get
your own legal counsel.
If the charities want to deploy it for their own use, e.g., with Apache
so they can take donations over the net :), then disregard the license
exemption. Here, your primary concern is: does my
On linux, getpid() is different for different threads.
/r$
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager
However, double declaration isn't an error, at least if the
declarations are exactly the same. Until someone comes up with a
better solution to break the circular dependency mentioned above, I
don't see that this really needs to get fixed. I'll add the keyword
nice to have to this
Richard Levitte via RT wrote:
Can I assume that sed exists and works properly? dirname can be
coded like this:
echo $$i | sed -e 's|[^/]*$||' -e 's|/$||'
dirname foo returns . which the above doesn't catch.
I can only think of the following short shell script
#! /bin/sh
rsalz*/* ) echo $I | sed -e 's@\(.*\)/.*@\1@' ;;
Why such a complicated sed? 's@/[^/]*$@@' is perfectly sufficient, and
a little bit more efficient :-).
Because it makes the implementation of basename pretty obvious :)
As for efficiency :) here's an implementation that uses
If makedepend is not found, perhaps a pointer to sources to build one.
Or, since perl is already required, include a quick perl script that does
70% of the job.
Richard Levitte - VMS Whacker wrote:
rsalz Or, since perl is already required, include a quick perl script that does
rsalz 70% of the job.
Hmm, that could possibly be done... Do you have something ready?
Attached. Hope it's useful.
/r$
#! /usr/bin/env perl --
## Rough tool
No, think about it a bit more. What I sent you meets the 80/20 rule.
/r$
OtherName ::= SEQUENCE {
    type-id    OBJECT IDENTIFIER,
    value      [0] EXPLICIT ANY DEFINED BY type-id }
It means that the type-id OID defines the datatype of the value. Think
of it as a union.
An alternative scheme would be to make the value be OCTET STRING, but
then you'd
We want to write our own cert verification routine, but we need to pass
our own data down into the routine. No prob, the context has
app_verify_arg. Hooray :) But it's unused. Boo :(
We don't want to diverge from the source if we don't have to. Should we
add a ex_callback function pointer
But here the SHA_Update is called 1000 times with the same buffer. Is it
right?
It's just a test, so it's like calling SHA_Update with a 1000 buffers
that are all the same. It's just to ensure that the hash input is large.
Normally, you'd call SHA_Update once on your data.
/r$
As I understand it, OpenSSL will call abort() when it detects attack
against any hole in SSL.
Unh, no. The only time it calls abort is with -DREF_CHECK, and if a
reference count is less than zero, which is a can't happen condition.
/r$
the new patches that fix various buffer overflows in SSL code call abort()
anytime attacker wants.
Sorry, I should read all my email first.
You're right, of course.
Yes, the
if (test)
lock()
if (test)
construct is very important (although I thought I saw a bug about
JVM implementations getting this wrong).
Anyone doing threads programming should read Andrew Birrell's 1989 tutorial.
The other option is for CliniComp to sponsor getting OpenSSH/OpenSSL
through the certification process, and that's what I'm exploring.
If you look through the complete list, you'll see there's a vendor who had
an openssl software solution certified, but that it's not commercially
available.
I've changed the behavior so that it will FIRST try to get the file
pointed at with the environment variable. If the environment variable
wasn't set or loading the file failed, then the system default file will
be loaded. If that fails, an error is generated.
I don't think silently using
If the file pointed at with SSL_CERT_FILE is faulty in any way, the
code will fall back to the built-in default. If that fails, an error
is generated. How much does that differ from what you said?
Because you are saying: if there are any errors in the file named by
$SSL_CERT_FILE, then I'll
However, this is not true for data structures that are located on the
heap. In many cases OpenSSL provides functions that allow a buffer to
be reused: XXX_init(), XXX_cleanup(), XXX_free(). This is true for
several data structures. By replacing memset() with OPENSSL_cleanse()
in the
Let me make sure I understand. On SCO Unix, GCC without GNU ASM
*might* require -no-asm. That's the risk. The benefit is much cleaner
make.
I say go for it.
/r$
Yes that's what I thought. Any ANSI C experts care to comment on whether
that is legal or not?
It's as legal as this:
extern int foo(int);
int (*fp)(int) = foo;
:)
$(RANLIB) $(LIB) || echo Never mind.
How about putting a leading minus sign; it's simpler.
2)Perhaps I did not make it clear but our policy is not to include
any cryptographic software directly into our applications.
You might want to reconsider this policy. Do you expect much revenue
from the banned country list? Is it worth the development and support
cost of keeping track with
select() expects the first parameter to contain the number of fd's to be
checked in all flavours of Unix.
No. It is 1+(maxfd). Traditionally they are the same, but for
long-running servers that open and close things and have holes they
won't be.
/r$
But, I want to get independent SSL structure even if one SSL connection is
still working, in optional moment. Example in sockets, will enough that I
exchange descriptors.
You need to put a multiplexing protocol on top of straight TCP.
Check out BEEP.
/r$
--
Rich Salz
ERR_mark()          Puts a mark in the error stack
ERR_pop_to_mark()   Pops off errors from the error stack until a
                    mark is found. The mark itself is popped as
                    well.
Do they nest? Perhaps this is cleaner:
int depth = ERR_get_depth();
void
enabled and then do the right
thing will take more CPU and the library will be bigger, taking more RAM.
Richard's idea is much better.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http
asn1
object header.
The ASN1 structures are local forms that are created from wire
representations (DER). Look at the various i2d_xxx and d2i_xxx functions.
If you're having problems, it's not because something is wrong in the
place where you're looking. :)
/r$
Has anyone looked at using the (new) ASN1 library to decode KRB5
packets?
/r$
or not. That is why many protocols and data formats (e.g.,
PKCS#7), allow you to include a CRL with the data, so you can show your
receiver what data you had at the time.
It would be nice if TLS could include CRLs in the cert exchange.
/r$
It is unfortunate that the process could not
have been more open, but I considered the goal worth that sacrifice,
Not a problem for me. :)
This is great -- one of the most exciting things I've seen in a long time!
/r$
Early, Paul via RT wrote:
I am having trouble finding the README file associated with the patents you
reference.
Did you download the distribution? It's right there, at the top
directory. If not, then go read
http://cvs.openssl.org/getfile?v=1.39.2.22.2.1f=openssl/README
/r$
On Sun, 17 Jan 1999, Ben Laurie wrote:
I'm being driven slowly mad by the number of files that have to be in
the CVS tree but also get modified by code. Most of them I can deal
with
I assume/hope that you'll do the "foo.in -- foo" kind of transform.
In general, Makefile.ssl is
linked to
Jeff has stated on the mailing list that he's a U.S. citizen.
What happens now?
It's not cryptographic software, nor crypto with a hole. I say don't
bother worrying. Based on my experience. Sameer's experience says
otherwise.
/r$
Neither. I exported documentation and user-level
specifications. I didn't export source because we felt it would be
technical assistance.
I exported source, because that's what the Open Software Foundation did.
I worked on DCE, an authenticated/secure RPC system that used
Kerberos. I
On Tue, 13 Apr 1999, Dr Stephen Henson wrote:
I was thinking more along the lines of the PKCS#11 (but cut down a bit)
to handle this kind of thing where you treat each 'object' as a set of
'attributes' and can search for objects that match a given attribute.
Something like:
int
Any consensus from the core folks on this?
On Wed, 31 Mar 1999 [EMAIL PROTECTED] wrote:
X509_NAME_oneline takes an X509 name and returns
it as a set of slash-separated components:
[EMAIL PROTECTED]
X509_NAME_print tries to turn it into a comma-separated
list:
c=us, o=certco,
A couple of weeks ago I asked about scripting languages that could be
used, e.g., to automate Registration Authority services. Here's
the promised summary, with thanks to:
M.-A. Lemburg [[EMAIL PROTECTED]]
Rodney Thayer [[EMAIL PROTECTED]]
Jeroen C. van Gelderen [[EMAIL PROTECTED]]
OpenSSL currently thinks that the DN can be used as a primary key for
certificates
Yeah, that's way too simple-minded.
One first step to make things right is to use the DN
plus any key identifier that may be available
The nice thing about key (and/or cert) identifiers is that there's so
Well, the authorityKeyIdentifier (consisting presumably just of a
KeyIdentifier) would have to match the issuer's subjectKeyIdentifier;
why would we care how that has been computed?
Because the CA might not put the AKI in certs that it signs?
Is there a requirement that a CA whose cert as SKI
Has anyone added a "-verify XXX" flag to the CRL command?
The XXX would be the file containing the CA cert.
Doesn't look too hard, given X509_PUBKEY_get and X509_CRL_verify
/r$
and put something like following into e_os.h:
#if defined(__MWERKS__) && defined(macintosh)
# if macintosh==1
# define MAC_OS
# endif
#endif
That is a very bad way to do things.
Use feature tests in your code -- HAVE_SYS_TIME, HAVE_STRCASECMP,
etc. Then in a single place (like
I would prefer to see a "reasonable" set of related functions put on
a single page. Deciding what's reasonable, of course, is why you
get the big salary. :)
They can be hardlinked to have multiple names. Better
versions of "man" special-case if the first line is ".so xxx" and
will turn "man
a file would be good, since i could create a fifo behind a firewall
directory and do a bunch of cat's to run a bunch of commands :)
sure you can -- set the cipherspec.
and if you have to support "legacy browsers" you need to.
On Thu, 24 Feb 2000, Ulf Möller wrote:
On Wed, Feb 23, 2000 at 08:32:05PM -0800, Will wrote:
I've looked through the documentation, but I can't seem to
find how to build an
Is there a reason why not to just import the guess-system-type stuff
from Gnu autoconf? Surely our creativity is better spent elsewhere?
What you are saying is that OpenSSL is able to interoperate with
40-bit SSL clients and servers. That's true, but it is not what the
question was about.
Oops.
Sorry for the misleading answer.
The following is true for both SSLeay and OpenSSL.
They use RSA. The RSA patent is not valid outside of the United States.
The patent expires toward the end of September; in six months the
question becomes moot.
If you can't wait until then, you have three choices:
Don't sell in the
Has anyone considered implementing the BSAFE API on top of OpenSSL?
(Oh rats, the Baldwin internet-draft expired, and
there doesn't seem to be a new one. Surprise, surprise.
I assume someone has a copy.)
Anyone know of any HSM that supports OpenSSL CA functions for signing
certificates and CRL's?
If not, anyone aware of any work in progress and the HSM vendor(s) involved?
What's it worth to you? Semi :)
We've integrated Chrysalis-ITS Luna2 and CA3 cards into OpenSSL, and are
considering
--- 1055,1061
if (engine == NULL)
return;
if ((fd = get_dev_crypto()) 0)
+ ENGINE_free (engine);
return;
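Review bot: in the `if ((fd = get_dev_crypto()) ...)` branch, the added `ENGINE_free (engine);` is not enclosed in braces together with the `return;` below it, so as shown only the free is conditional and the `return;` executes on every call, leaving the rest of the function unreachable. Wrap the two statements in `{ ... }` so that the engine is freed and the function returns only when the descriptor check fails.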
That can't be right. Missing curly braces?
/r$
Something like OPENSSL_atexit(void (*func)(void*), void* arg)
would be nice to have.
/r$
The mail stripped the attachments. Are they in RT? If not, how do I
get them into RT?
/r$
Thanks, folks, for explaining. If RT2 is still being maintained, they
should add a note to the mail saying attachments not sent and not lost :)
/r$
follows the ANSI/ISO C standard which makes
\n be the line-ending character. Under Windows/DOS, etc., make sure to
open your files in text (not binary) mode.
/r$
And what OpenSSL calls PEM doesn't have that much to do with Privacy
Enhanced Mail...
Doesn't it? What is that, then?
PEM is dead. It died more than a decade ago. OpenSSL used the
boundary format. That's the only thing of PEM that remains. :)
/r$
too many late nights hacking?
/r$
# fits in a C long. (Yes, those folks have non-robust code, but for
their applications you can't really claim it's broken.)
/r$
padding,
then the RSA algorithm cannot be executed.
/r$
Therefore, what is a 1,024-bit input?
In terms of the OpenSSL API, the buffer that is passed in will be 128 bytes.
/r$
What is the benefit of adding parts of OpenSSL to the LSB now?
.
/r$
replacing the
ERR_get/remove_state seems like the cleaner solution.
Attached is a proposed diff. Any comments?
/r$
, where n is the number of CPU's in
the system and use non-blocking I/O to pick up and put down multiple SSL
sessions within a single thread.
/r$
cool!
Does anyone know about patent of MD5?
You can find an open source implementation in the appendices of
ftp://ftp.isi.edu/in-notes/rfc1321.txt
(Of course you have it in OpenSSL, but you might want to look at the
RFC to see the copyright in a document written by "The Man" himself.)
SHA-1 is
why use mutexes at all?
programming model portability?
write an emulation using pthreads; that will help.
Adding your own security mechanism to NT is possible, although quite
difficult. You are probably better off reading about "data privacy" in
the COM documentation.
/r$
One idea is to change your critical section to mark who has the lock.
This might provide some useful post-mortem info.
Add
const char* _file;
int _line;
as data members, and change Enter and Leave to be something like
void Enter(const char* file, int line)
{
Never mind -- of course it already does that.
I am not _absolutely_ sure if the usage of extern "C" will solve your
problem, but I think you should at least try if you don't want to use the
STL or roguewave or similar instead.
Since OpenSSL is written in standard C, then wrapping all OpenSSL
#include
files with "extern "C"" should work
??? Crypto export was once legal, surely? If we go back far enough, that
is.
Sure. And if you could travel back in time, you could export.
If you did something at time t0 that was legal, and the law was changed at t1
to make it illegal, then you're okay. At t1, you cannot make a law that
I think many people actually see it as both SSL/TLS and generic crypto
library.
Yes. I would like to see such a generic crypto lib and for now OpenSSL
is the only thing available. I prefer CDSA, which is why I like Intel's
offer to integrate OpenSSL and CDSA... :)
/r$
Hopefully we can get permission from CertCo to
use their code in openssl, or we can replace the CertCo code, so that
we can bundle it into the next openssl release.
CertCo contributed that code to the OpenSSL community for general use,
as part of the regular OpenSSL licensing terms. It was
Do you have the object identifiers for this? Do you know of any sources
of info I can look at about this extension. I can't find any mention
of it in RFC 2560.
See section 4.4.6 of RFC 2560 and the last few lines of appendix b.
It is required in the root CA certs or will it
work with it
I'm getting confused here. The original query was to convert
ASN1_UTCTIME to time_t, so what's wrong with ASN1_UTCTIME_get()? Well
other than the timezone issue mentioned in the source.
Nothing else, except that it's not in my slightly old snapshot. :)
Your code is buggy -- where is CFile::Read supposed to put the data? See
http://msdn.microsoft.com/library/devprods/vs6/visualc/vcmfc/_mfc_cfile.3a3a.read.htm
Or rewrite your code like this:
char buff[1024];
int i;
while ((i = file.Read(buff, sizeof buff)) > 0)
I'm definitely willing to redesign the contents of objects.txt
Perhaps it should be like /etc/hosts -- first the guaranteed unique part (the
OID),
then a list of names. The first is the official name -- what to use on
output. Any others are aliases -- what can be accepted on input. Unclear
IMHO at least this type definition containing SET OF might lead to
different DER-encodings
Nope. As others have pointed out DER defines a unique encoding for "SET
OF"
You might want to look at i2d_ASN1_SET in crypto/a_set.c
Can somebody with real OCSP experience say anything about this?
I
One can see definitions like this:
{ iso standard 8571 abstract-syntax (2) }
The names aren't flat. To find out the number for "standard", you
ask iso. To find out the number of abstract-syntax, you ask the entity
that maintains "8571" (you might have to ask "standard" who that is).
On systems that don't need it, invoke make with RANLIB=: and the shell will
ignore it. (Combine the ar and ranlib commands on one line, as above, to
avoid an unnecessary additional spawn of sh for the possibly unneeded ranlib
invocation...)
Except that most make's are smart enough to call
Let me make sure I understand:
Changing the version number to 1.x.x will make it easier to
convince your management to use OpenSSL, as opposed to the
current plan of leaving it as 0.9 until a major API change
is done.
In other words you want the version number
'fes up, you were just looking for any excuse so ship that out. :)
egrep existed in version 7; unices without it have forgotten their history. :)
With the Debian policy it is not allowed to include nonfree
software. nonfree software has to go into the nonfree section.
The problem with this policy -- particularly for OpenSSL -- is that
"free" is very much a "localized" term. Do you mean only patents, or do
you care about trademarks,
I appreciate the detailed reply. I read the guidelines, and they render
most of my questions moot. As I read them, however, they also render
the original issue moot.
OpenSSL is completely "free" in the Debian sense.
My questions about locality, however, are still highly pertinent.
Let's look
Lutz is right, there's lots of bad advice lurking on the email lists;
openssl-dev is better than openssl-users.
On the other hand, I think it will be easier to figure out who's right
and who's not. Whenever you get conflicting feedback, or from someone
you don't know, mark it off as "to be
The above line strikes me as a typical fence-post error on the
part of the application author.
No. Some Solaris, for example, use a char (not even unsigned char!) to
store the file descriptor in their FILE structure (E.g., what KT (1st
ed.) shows as "int _fd" on page 165.
Can it be
Oh, absolutely. What I wanted to point out is that there is a BIO
that uses file descriptors, which makes the need for a flag to
bss_file.c completely needless and one complication too many. To
solve said problem, one should use the file descriptor BIO instead of
the stream BIO...
Except
IMHO we should ideally have console and file I/O all handled by BIOs in
such a way that any platform specific changes only need to be made in
one place.
Totally agree.
Wouldn't it be neat if all of openssl (except bio-file) could compile w/o
stdio.h? :)
I've forgotten what method 3 is.
#ifdef DO_IT_THISWAY
#define CCONST const
#else
#define CCONST /* */
#endif
int BN_mul(BIGNUM *r, CCONST BIGNUM *a_, CCONST BIGNUM *b, BN_CTX *ctx)
{
BIGNUM* a = (BIGNUM*)a_;
... proceed as currently used.
folks who are concerned that their compiler
That's not the issue - the issue is that if you declare something const
the compiler can assume it doesn't change over the function call. If it
does, then things can break.
No, because "noalias" was removed from the standard.
You're correct if I declare an object to be const, but the
There are circumstances where you may cast away the const knowing that,
in practice, it will not be modified, but you can never cast it away in
order to be able to modify it. That is just plain wrong and will break
things.
Unclear. My copy of the standard isn't at hand, but I don't recall
So with that in mind, is there a good reason to try and have this
functionality (but working this time!) in the new ASN1 code or should
any existing structure be freed and a new one freshly allocated?
Are refcounts on the ASN1 objects or higher-level? How do you handle
overwrite if the
I don't think we need nonblocking crypto; it would be enough to be able
to shunt the crypto off into another thread. That's what my API proposal
was about.
Insufficient for hardware crypto devices.
The real fix would be to eliminate all
remaining non-ANSI constructs (that have still been left in because of
their implicit type conversion).
Are there any of those? Functions that take unpromoted types, I mean.
There are some that should just be fixed -- the function parameters for
after I pointed it out), that calling realloc() in the code will leave lots of
copies of private keys and other sensitive data lying around in memory. The
bignum code should never call the libc realloc(), but should instead use a safe
realloc which does a malloc(), a memcpy(), a memset() to
autoconf/automake does not work on Windows
I strongly agree with Geoff that the maintainers will probably find it easier
to maintain three "native" build environments -- Win32, VMS, Posix-like --
than the current scheme where things are shoe-horned into a really messy
like-no-other build
My main reservation with autoconf is that I find it difficult to
understand how to fix the configuration files - if we're going to adopt
it (which I won't rule out), then someone who does understand has to be
willing to help us understand it (not do it on our behalf, but explain
how we do it
rsalz I would recommend not using libtool right away.
I think everyone I've talked with so far has recommended not to use it
at all...
I was being polite. :) It's got potential, but in my view it's still
too rough around the edges. On the other hand, I prefer real Makefiles
as opposed to
You forget about threads sharing some objects on the heap. There was
a patch a few days ago about locking a little more around some RSA
operations...
Oh gosh, no, don't do that!
Please don't try to make objects themselves safe across threads.
/r$
1 - 100 of 1674 matches