[openssl.org #23] Suggestion for smime.c

2002-05-07 Thread


There is a known issue about the input to smime -sign being a pipe.  Can
smime.c be changed so that it gives an error when it tries to rewind the
input?  Something like:
  if (BIO_reset(in) != 0 && (flags & PKCS7_DETACHED)) {
    BIO_printf(bio_err, "Can't rewind input file\n");
    goto end;
  }
(Diff w.r.t 0.9.6d-beta1 is attached)
This would have saved me some time tracking down the problem.

Thanks,
Ken Hirsch


__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]
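
The failure mode behind this request, as an added example that is not OpenSSL's code: POSIX lseek() stands in for BIO_reset(), and the function names and the 12-byte sample input are constructed for the illustration. It shows that ignoring a failed rewind on a pipe yields an empty second pass, while checking it reports ESPIPE.

```c
#define _POSIX_C_SOURCE 200809L   /* POSIX declarations under strict -std modes */
#include <errno.h>
#include <stdlib.h>
#include <unistd.h>

/* One pass over the input, as a digest or copy pass would make. */
static long drain(int fd)
{
    char buf[256];
    long total = 0;
    ssize_t n;

    while ((n = read(fd, buf, sizeof buf)) > 0)
        total += n;
    return n < 0 ? -(long)errno : total;
}

/* Read fd to EOF, rewind, read again. Returns the byte count of the second
 * pass or -errno. With check == 0 a failed rewind is ignored. */
long second_pass(int fd, int check)
{
    long first = drain(fd);

    if (first < 0)
        return first;
    if (lseek(fd, 0, SEEK_SET) == (off_t)-1 && check)
        return -(long)errno;          /* ESPIPE for a pipe, FIFO or socket */
    return drain(fd);
}

/* Constructed input: 12 bytes delivered through a pipe, as in "cmd | tool". */
long demo_pipe(int check)
{
    int p[2];
    long r;

    if (pipe(p) != 0)
        return -(long)errno;
    r = write(p[1], "hello, smime", 12) == 12 ? 0 : -EIO;
    close(p[1]);                      /* writer done, so the reader sees EOF */
    if (r == 0)
        r = second_pass(p[0], check);
    close(p[0]);
    return r;
}
```

demo_pipe(0) returns 0 (the second pass silently sees no data) and demo_pipe(1) returns -ESPIPE; on a regular file second_pass() returns the full length in both modes.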



error in EVP_EncryptInit(3) man page

2002-05-07 Thread Stella Power

hi,

just noticed an error in the EVP_EncryptInit(3) man page.  In the section on Return 
Values:
EVP_CipherInit() and EVP_CipherUpdate() return 1 for
success and 0 for failure.  EVP_CipherFinal() returns 1
for a decryption failure or 1 for success.

Cheers,
Stella



[openssl.org #24] error in EVP_EncryptInit(3) man page

2002-05-07 Thread Stella Power via RT


hi,

just noticed an error in the EVP_EncryptInit(3) man page.  In the section on Return 
Values:
EVP_CipherInit() and EVP_CipherUpdate() return 1 for
success and 0 for failure.  EVP_CipherFinal() returns 1
for a decryption failure or 1 for success.

Cheers,
Stella



[openssl.org #18] missing semicolon in Makefile.org

2002-05-07 Thread Lutz Jaenicke via RT


I have added the missing ; for 0.9.7-dev and -dev.
We had no reports for 0.9.6d-beta1, even though the problem seems
to be in it, too. I however don't want to break that version
just minutes before it is released.

Best regards,
Lutz



Re: cvs commit: openssl Makefile.org

2002-05-07 Thread Lutz Jaenicke

On Tue, May 07, 2002 at 05:10:40PM +0100, Ben Laurie wrote:
 [EMAIL PROTECTED] wrote:
  
  jaenicke07-May-2002 17:35:18
  
Modified:.Tag: OpenSSL_0_9_7-stable Makefile.org
Log:
Add missing ; after fi
Submitted by: [EMAIL PROTECTED]
PR: [openssl.org #18]
  
Revision  ChangesPath
No   revision
No   revision
1.154.2.4 +3 -3  openssl/Makefile.org
  
Index: Makefile.org
===
RCS file: /e/openssl/cvs/openssl/Makefile.org,v
retrieving revision 1.154.2.3
retrieving revision 1.154.2.4
diff -u -r1.154.2.3 -r1.154.2.4
--- Makefile.org  2002/04/13 12:28:49 1.154.2.3
+++ Makefile.org  2002/05/07 15:35:09 1.154.2.4
@@ -697,8 +697,8 @@
  cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
  $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
  chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
- fi \
- done
+ fi; \
+ done;
 
> I can't believe this final ; is required!

The ; after the fi is required, because it is a continuation line due to
the \ (... fi ; done)
The ; after the done should not be required. We do not handle this
consistently ourselves. At several locations there is a trailing ;
that should not be needed, at several other locations it is not...

Best regards,
Lutz
-- 
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus



Re: cvs commit: openssl Makefile.org

2002-05-07 Thread Ben Laurie

[EMAIL PROTECTED] wrote:
 
 jaenicke07-May-2002 17:35:18
 
   Modified:.Tag: OpenSSL_0_9_7-stable Makefile.org
   Log:
   Add missing ; after fi
   Submitted by: [EMAIL PROTECTED]
   PR: [openssl.org #18]
 
   Revision  ChangesPath
   No   revision
   No   revision
   1.154.2.4 +3 -3  openssl/Makefile.org
 
   Index: Makefile.org
   ===
   RCS file: /e/openssl/cvs/openssl/Makefile.org,v
   retrieving revision 1.154.2.3
   retrieving revision 1.154.2.4
   diff -u -r1.154.2.3 -r1.154.2.4
   --- Makefile.org  2002/04/13 12:28:49 1.154.2.3
   +++ Makefile.org  2002/05/07 15:35:09 1.154.2.4
   @@ -697,8 +697,8 @@
 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 $(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
   - fi \
   - done
   + fi; \
   + done;
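
Review bot: The ";" added after "done" on the last changed line is not needed, because that line carries no trailing backslash and so ends the shell command. Only the ";" after "fi" is required: the backslash joins "fi" and "done" into one shell line, and "fi done" does not parse. Suggest keeping "fi; \" and leaving "done" unchanged, or else applying the trailing ";" the same way in every loop of the file.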

I can't believe this final ; is required!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html   http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit. - Robert Woodruff



Legalizing OpenSSL in France

2002-05-07 Thread Loic Dachary


Hi,

In France each cryptographic software must be declared to a
government agency (DCSSI, see http://france.fsfeurope.org/dcssi/dcssi.fr.html
for more information in french). 

In order to complete this declaration, we need to fill a short
technical form. Could someone with intimate OpenSSL knowledge fill it for
us in english ? You'll find a english translation of the form at:

http://france.fsfeurope.org/dcssi/arrete-17-mars-1999.en.html

and the technical form filled for GnuPG, also available in english
will give you an idea of the answers expected.

http://france.fsfeurope.org/dcssi/gnupg.en.html

Thanks in advance,

-- 
Loic   Dachary http://www.dachary.org/  [EMAIL PROTECTED]
12 bd  Magenta http://www.senga.org/  [EMAIL PROTECTED]
75010Paris T: 33 1 42 45 07 97  [EMAIL PROTECTED]
GPG Public Key: http://www.dachary.org/loic/gpg.txt



[patch] SSL.cert_store

2002-05-07 Thread Doug MacEachern

mod_ssl has this comment in ssl_engine_kernel.c:
/*
 *  override SSLCACertificateFile & SSLCACertificatePath
 *  This is tagged experimental because it has to use an ugly kludge: We
 *  have to change the locations inside the SSL_CTX* (per-server global)
 *  instead inside SSL* (per-connection local) and reconfigure it to the
 *  old values later. That's problematic at least for the threaded process
 *  model of Apache under Win32 or when an error occurs. But unless
 *  OpenSSL provides a SSL_load_verify_locations() function we've no other
 *  chance to provide this functionality...
 */

i saw references to a STATUS file in the mail archives that ralf was 
working on this, but doesn't seem to have happened yet.  the simple
patch below implements the required functions to change the cert_store
in the SSL structure, rather than SSL_CTX.  this is required for this
feature of mod_ssl to be threadsafe with apache 2.0.

--- ./ssl/ssl.h~Mon Dec 17 11:24:39 2001
+++ ./ssl/ssl.h Fri Mar 15 09:30:13 2002
@@ -675,6 +675,8 @@
int first_packet;
int client_version; /* what was passed, used for
 * SSLv3/TLS rollback check */
+
+   struct x509_store_st /* X509_STORE */ *cert_store;
};
 
 #ifdef __cplusplus
@@ -928,7 +930,9 @@
 void   SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
 long SSL_CTX_get_timeout(SSL_CTX *ctx);
+X509_STORE *SSL_get_cert_store(SSL *);
 X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+void SSL_set_cert_store(SSL *,X509_STORE *);
 void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
 int SSL_want(SSL *s);
 intSSL_clear(SSL *s);
@@ -1136,7 +1140,10 @@
 void SSL_set_shutdown(SSL *ssl,int mode);
 int SSL_get_shutdown(SSL *ssl);
 int SSL_version(SSL *ssl);
+int SSL_set_default_verify_paths(SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
+int SSL_load_verify_locations(SSL *ssl, const char *CAfile,
+   const char *CApath);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
--- ./ssl/ssl_lib.c~Wed Oct 24 12:05:26 2001
+++ ./ssl/ssl_lib.c Fri Mar 15 11:28:51 2002
@@ -371,6 +371,7 @@
ssl_clear_cipher_ctx(s);
 
if (s-cert != NULL) ssl_cert_free(s-cert);
+   if (s-cert_store != NULL) X509_STORE_free(s-cert_store);
/* Free up if allocated */
 
if (s-ctx) SSL_CTX_free(s-ctx);
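
Review bot: The new X509_STORE_free() call in SSL_free() relies on s->cert_store being NULL when no per-connection store was ever set, but no hunk in this patch initialises the new field. Either set s->cert_store=NULL in SSL_new() or state in the patch description that SSL_new() already zeroes the whole structure.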
@@ -1929,11 +1930,22 @@
}
 
 #ifndef NO_STDIO
+int SSL_set_default_verify_paths(SSL *ssl)
+   {
+   return(X509_STORE_set_default_paths(ssl-cert_store));
+   }
+
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx)
{
return(X509_STORE_set_default_paths(ctx-cert_store));
}
 
+int SSL_load_verify_locations(SSL *ssl, const char *CAfile,
+   const char *CApath)
+   {
+   return(X509_STORE_load_locations(ssl-cert_store,CAfile,CApath));
+   }
+
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
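
Review bot: SSL_set_default_verify_paths() and SSL_load_verify_locations() pass ssl->cert_store straight to the X509_STORE functions, and that pointer stays NULL until SSL_set_cert_store() has been called; unlike SSL_get_cert_store() there is no fallback or NULL check here. Suggest allocating a store with X509_STORE_new() on first use, or returning 0 when ssl->cert_store is NULL, and documenting which behaviour callers get.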
@@ -2007,11 +2019,26 @@
return(1);
}
 
+X509_STORE *SSL_get_cert_store(SSL *ssl)
+   {
+   if (ssl-cert_store != NULL)
+   return ssl-cert_store;
+   else
+   return ssl-ctx-cert_store;
+   }
+
 X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *ctx)
{
return(ctx-cert_store);
}
 
+void SSL_set_cert_store(SSL *ssl,X509_STORE *store)
+   {
+   if (ssl-cert_store != NULL)
+   X509_STORE_free(ssl-cert_store);
+   ssl-cert_store=store;
+   }
+
 void SSL_CTX_set_cert_store(SSL_CTX *ctx,X509_STORE *store)
{
if (ctx-cert_store != NULL)
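
Review bot: SSL_get_cert_store() returns the SSL_CTX's store when no per-connection store is set, so a caller that adds certificates or lookups to the returned store modifies the per-server store shared by every connection, which is the situation this patch is meant to avoid. Consider returning NULL in that case or documenting the result as read-only. SSL_set_cert_store() should also document that the SSL takes ownership of the store passed in and frees it in SSL_free().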
--- ./ssl/ssl_cert.c~   Tue Jul 31 03:20:53 2001
+++ ./ssl/ssl_cert.cFri Mar 15 09:33:16 2002
@@ -442,12 +442,14 @@
X509 *x;
int i;
X509_STORE_CTX ctx;
+   X509_STORE *cert_store = s-cert_store ?
+s-cert_store : s-ctx-cert_store;
 
if ((sk == NULL) || (sk_X509_num(sk) == 0))
return(0);
 
x=sk_X509_value(sk,0);
-   X509_STORE_CTX_init(ctx,s-ctx-cert_store,x,sk);
+   X509_STORE_CTX_init(ctx,cert_store,x,sk);
if (SSL_get_verify_depth(s) = 0)
X509_STORE_CTX_set_depth(ctx, SSL_get_verify_depth(s));
X509_STORE_CTX_set_ex_data(ctx,SSL_get_ex_data_X509_STORE_CTX_idx(),s);
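
Review bot: The cert_store selection added at the top of this function repeats the fallback already implemented in SSL_get_cert_store(). Passing SSL_get_cert_store(s) to X509_STORE_CTX_init() would keep the "per-connection store, else SSL_CTX store" rule in one place.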




Question about b_print.c

2002-05-07 Thread Verdon Walker

I ran into a problem with a stack overflow that has me looking at the
crypto\bio\b_print.c code and wondering a few things. Consider the
following routine (note especially the MS_STATIC variable):

int BIO_vprintf (BIO *bio, const char *format, va_list args)
    {
    int ret;
    size_t retlen;
    MS_STATIC char hugebuf[1024*10];
    char *hugebufp = hugebuf;
    size_t hugebufsize = sizeof(hugebuf);
    char *dynbuf = NULL;
    int ignored;

    dynbuf = NULL;
    CRYPTO_push_info("doapr()");
    _dopr(&hugebufp, &dynbuf, &hugebufsize,
        &retlen, &ignored, format, args);
    if (dynbuf)
        {
        ret=BIO_write(bio, dynbuf, (int)retlen);
        OPENSSL_free(dynbuf);
        }
    else
        {
        ret=BIO_write(bio, hugebuf, (int)retlen);
        }
    CRYPTO_pop_info();
    return(ret);
    }

On a non-windows platform, there is a 10k buffer (hugebuf) being
allocated on the stack. That seems excessive and is causing me a stack
overrun. It seems even more excessive when looking at how it is used. It
is passed to _dopr and then to doapr_outch which is defined as follows:

static void
doapr_outch(
    char **sbuffer,
    char **buffer,
    size_t *currlen,
    size_t *maxlen,
    int c)
{
    /* If we haven't at least one buffer, someone has done a big booboo */
    assert(*sbuffer != NULL || buffer != NULL);

    if (buffer) {
        while (*currlen >= *maxlen) {
            if (*buffer == NULL) {
                assert(*sbuffer != NULL);
                if (*maxlen == 0)
                    *maxlen = 1024;
                *buffer = OPENSSL_malloc(*maxlen);
                if (*currlen > 0)
                    memcpy(*buffer, *sbuffer, *currlen);
                *sbuffer = NULL;
            } else {
                *maxlen += 1024;
                *buffer = OPENSSL_realloc(*buffer, *maxlen);
            }
        }
        /* What to do if *buffer is NULL? */
        assert(*sbuffer != NULL || *buffer != NULL);
    }

    if (*currlen < *maxlen) {
        if (*sbuffer)
            (*sbuffer)[(*currlen)++] = (char)c;
        else
            (*buffer)[(*currlen)++] = (char)c;
    }

    return;
}

doapr_outch doesn't even use the static buffer if a dynamic buffer is
available so the 10k stack variable is completely unused in this code.
OK, the static buffer can be used in the memcpy, but that code isn't
used since *currlen will be 0 the first time we are called. The second
assert in doapr_outch prevents us from passing a pointer to a NULL
static buffer to _dopr but that assert seems to protect for code that is
never used (i.e. memcpy).

Bottom line, allocating an unused 10k stack variable seems like a bad
idea. I would remove the second assert in doapr_outch and pass a pointer
to a NULL static buffer to _dopr from BIO_vprintf if it were me. At the
very least the static buffer can be very minimal in size.

Can this change be made? Do I need to submit a patch to do it? Or am I
missing something?

Verdon Walker
(801) 861-2633
[EMAIL PROTECTED]
Novell, Inc., the leading provider of Net business solutions
http://www.novell.com 
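
A scaled-down model of the fixed-then-heap buffer logic in the doapr_outch() code quoted above, added here as an example and not OpenSSL's code: the struct, the function names, the 16-byte fixed buffer and the 32-byte growth step are assumptions made for the illustration, and unlike the quoted code it checks allocation failures. It shows which buffer an output ends up in depending on its length.

```c
#include <stdlib.h>
#include <string.h>

#define FIXED_SZ 16  /* stack buffer size, scaled down for the demo (assumption) */
#define GROW     32  /* heap growth step, scaled down from the quoted 1024 */

struct out {
    char  *fixed;    /* caller's stack buffer; NULL once output has spilled */
    char  *heap;     /* heap buffer; NULL until the first spill */
    size_t len, cap;
};

/* Append one character. Returns 0, or -1 if an allocation fails. */
static int out_ch(struct out *o, int c)
{
    while (o->len >= o->cap) {
        char *p = o->heap ? realloc(o->heap, o->cap + GROW)
                          : malloc(o->cap + GROW);
        if (p == NULL)
            return -1;               /* caller still owns and frees o->heap */
        if (o->heap == NULL) {       /* first spill: carry the prefix over */
            memcpy(p, o->fixed, o->len);
            o->fixed = NULL;
        }
        o->heap = p;
        o->cap += GROW;
    }
    (o->fixed ? o->fixed : o->heap)[o->len++] = (char)c;
    return 0;
}

/* Copy s through a FIXED_SZ stack buffer into dst; *on_heap reports a spill.
 * Returns the length, or -1 on allocation failure or if dst is too small. */
int emit(const char *s, char *dst, size_t dstsz, int *on_heap)
{
    char fixed[FIXED_SZ];
    struct out o = { fixed, NULL, 0, sizeof fixed };
    int n = -1, rc = 0;

    while (*s && rc == 0)
        rc = out_ch(&o, *s++);
    *on_heap = (o.heap != NULL);
    if (rc == 0 && o.len < dstsz) {
        memcpy(dst, o.heap ? o.heap : fixed, o.len);
        dst[o.len] = '\0';
        n = (int)o.len;
    }
    free(o.heap);
    return n;
}
```

Outputs of up to FIXED_SZ bytes never touch the allocator; the first byte past that limit triggers the copy of the already-written prefix to the heap.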
