Resource leak in bss_file.c
We have a scan tool that has detected a resource leak if the call to
BIO_new fails to allocate memory. The 'file' pointer is not cleaned up.
97 BIO *BIO_new_file(const char *filename, const char *mode)
98 {
99 BIO *ret;
100 FILE *file;
101
Event alloc_fn: Called allocation function "fopen"
Event var_assign: Assigned variable "file" to storage returned from
"fopen"
At conditional (1): "file = fopen == 0" taking false path
102 if ((file=fopen(filename,mode)) == NULL)
103 {
104 SYSerr(SYS_F_FOPEN,get_last_sys_error());
105
ERR_add_error_data(5,"fopen('",filename,"','",mode,"')");
106 if (errno == ENOENT)
107
BIOerr(BIO_F_BIO_NEW_FILE,BIO_R_NO_SUCH_FILE);
108 else
109
BIOerr(BIO_F_BIO_NEW_FILE,ERR_R_SYS_LIB);
110 return(NULL);
111 }
At conditional (2): "ret = BIO_new == 0" taking true path
112 if ((ret=BIO_new(BIO_s_file_internal())) == NULL)
Event leaked_storage: Returned without freeing storage "file"
113 return(NULL);
114
115 BIO_set_fp(ret,file,BIO_CLOSE);
116 return(ret);
117 }
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: 64 bits computer always returns the same salt
It happens here on my 64 bit Linux system as well if I run the openssl that comes with the OS. However, if I run the openssl executable that I build for our own use (which has been modified to use our own RNG code) the salt varies as expected. Peter From: David Erosa García <[EMAIL PROTECTED]> To: openssl-dev@openssl.org Date: 04/04/2008 01:26 Subject:64 bits computer always returns the same salt Hello all. I tried the openssl-users list but I think this may be a question for the devel list: I'm doing my "homework" about openssl, but *this question has nothing to do with it*. It's just a doubt that arised while doing it. There is one exercise with the following text: Con el comando “openssl enc” y la siguiente clave AES: 188458A6D15034DFE386F23B61D43774 se puede descifrar cierta información. Podrías decir cual? Using the command " openssl enc" and the following AES key: 188458A6D15034DFE386F23B61D43774 you can decode some information, could you say what? I started playing with "openssl enc" and I thought the only thing I could "guess" was the salt (Surely I'm wrong). So I ran the command with a random IV: openssl enc -aes128 -K 188458A6D15034DFE386F23B61D43774 -iv 1 -P I found that the salt varies as it should on two machines with 32 bit CPU (not my main one): Office's computer (openssl 0.9.8g-4ubuntu2): salt=4075DFB76496F2B7 salt=4045D8B76466EBB7 salt=40C5DAB764E6EDB7 salt=4015DEB76436F1B7 salt=4025DFB76446F2B7 A server I have somewhere else (openssl 0.9.8c-4etch1): salt=50D882BF0C00 salt=B05DD9BF0C00 salt=A0CCC7BF0C00 salt=E0C88BBF0C00 salt=204190BF0C00 But when I run it on my main computer, it always outputs the same salt! This machine is a 64bit CPU, running a 64bits linux distribution (openssl 0.9.8g-4ubuntu2): salt=0004 salt=0004 salt=0004 salt=0004 I've been searching through the openssl lists and found nothing about this behavior. What can be happening? Is it about the 64 bit version of openssl? Thanks a lot for your attention. Regards. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: Using FIPS as a static lib in VC++
On Thu, Apr 03, 2008, Liechty wrote: > > I have built a static library for VC++ but when I try to enable fips mode I > get a mismatched fingerprint error. Is the hash inserted into the library, > or does it need to be inserted into the executable when linking the .lib? > Or am I missing something else completely? It needs to be linked into the executable. Check out how the openssl utilities are linked in the makefile nt.mak for examples. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Using FIPS as a static lib in VC++
I have built a static library for VC++ but when I try to enable fips mode I get a mismatched fingerprint error. Is the hash inserted into the library, or does it need to be inserted into the executable when linking the .lib? Or am I missing something else completely? -- View this message in context: http://www.nabble.com/Using-FIPS-as-a-static-lib-in-VC%2B%2B-tp16471933p16471933.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CRMF and SEQUENCE OF CertReq
Hi Martin,
thanks for your suggestion :) After writing the email, I think that I found
the correct way to do it. By using the following:
ASN1_ITEM_TEMPLATE(CRMF_REQ) =
ASN1_EX_TEMPLATE_TYPE(ASN1_TFLG_SEQUENCE_OF, 0, requests,
CRMF_CERT_REQ_MESSAGE)
ASN1_ITEM_TEMPLATE_END(CRMF_REQ)
I still can not load the request issued by NSS browser. Can you load it ? Do you
know what the format is ? I attach it to this email. I definitely do not
understand
what happens. In detail:
0-The ASN1 dump is as follows:
0:d=0 hl=4 l= 477 cons: SEQUENCE
4:d=1 hl=4 l= 473 cons: SEQUENCE
8:d=2 hl=4 l= 407 cons: SEQUENCE
12:d=3 hl=2 l= 4 prim: INTEGER :4D7A150A
18:d=3 hl=4 l= 355 cons: SEQUENCE
22:d=4 hl=2 l= 1 prim: cont [ 0 ]
25:d=4 hl=2 l= 89 cons: cont [ 5 ]
27:d=5 hl=2 l= 87 cons: SEQUENCE
[...]
116:d=4 hl=3 l= 240 cons: cont [ 6 ]
119:d=5 hl=3 l= 168 cons: SEQUENCE
122:d=6 hl=2 l= 7 prim: OBJECT:dsaEncryption
131:d=6 hl=3 l= 156 cons: SEQUENCE
[...]
359:d=4 hl=2 l= 16 cons: cont [ 9 ]
361:d=5 hl=2 l= 14 cons: SEQUENCE
363:d=6 hl=2 l= 3 prim: OBJECT:X509v3 Key Usage
368:d=6 hl=2 l= 1 prim: BOOLEAN :255
371:d=6 hl=2 l= 4 prim: OCTET STRING
[...]
419:d=2 hl=2 l= 60 cons: cont [ 1 ]
421:d=3 hl=2 l= 9 cons: SEQUENCE
423:d=4 hl=2 l= 7 prim: OBJECT:dsaWithSHA1
432:d=3 hl=2 l= 47 prim: BIT STRING
2-There should be an INTEGER (certReqId) and a CertTemplate, but then if
this is the case what heck is the prim [0] (which I suppose should be
the serial number) empty (at 22) ?
3-Than the later [5] (at 25) is, correctly, a Name, I suppose. Is this
a valid coding ? Am I totally wrong ?
Instead of parsing the Name as the subject, my program interprets it as
issuer (should be tagged as [3]), and I get the following error:
2896:error:0D0780AA:asn1 encoding routines:ASN1_ITEM_EX_D2I:illegal options on item
template:tasn_dec.c:192:Type=X509_NAME_INTERNAL
2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:737:Field=issuer, Type=CERT_TEMPLATE
2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:751:Field=certTemplate, Type=CRMF_CERT_REQUEST
2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:751:Field=certReq, Type=CRMF_CERT_REQ_MESSAGE
2896:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1
error:tasn_dec.c:712:
2896:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:
Any idea here ?
Later,
Max
Martin Peylo wrote:
Hi Massimiliano,
I don't know if that's the best solution, but it worked for me that way:
in crmf.h:
typedef struct crmf_certreqmsg_st
{
»···CRMF_CERTREQUEST *certReq;
»···CRMF_PROOFOFPOSSESION *popo;/* 0 */
»···CRMF_ATTRIBUTETYPEANDVALUE *regInfo; /* 1 */
} CRMF_CERTREQMSG;
DECLARE_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
DECLARE_STACK_OF(CRMF_CERTREQMSG) /* CertReqMessages */
DECLARE_ASN1_SET_OF(CRMF_CERTREQMSG) /* CertReqMessages */
in crmf_asn.c:
ASN1_SEQUENCE(CRMF_CERTREQMSG) = {
»···ASN1_SIMPLE(CRMF_CERTREQMSG, certReq, CRMF_CERTREQUEST),
»···ASN1_IMP_OPT(CRMF_CERTREQMSG, popo, CRMF_PROOFOFPOSSESION, 0),
»···ASN1_IMP_SEQUENCE_OF_OPT(CRMF_CERTREQMSG, regInfo,
CRMF_ATTRIBUTETYPEANDVALUE, 1)
} ASN1_SEQUENCE_END(CRMF_CERTREQMSG)
IMPLEMENT_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
I needed it for CMP. In order to use the "CertReqMessages", I am doing:
In cmp.h:
typedef struct cmp_pkibody_st
{
»···int type;
»···union{
»···»···STACK_OF(CRMF_CERTREQMSG) *ir; /* 0 */
...
In cmp_asn.c:
ASN1_CHOICE(CMP_PKIBODY) = {
»···ASN1_EXP_SEQUENCE_OF(CMP_PKIBODY, value.ir, CRMF_CERTREQMSG, 0),
...
There might be other ways to do it - the OpenSSL ASN.1 documentation
seems to be not complete - but it works fine that way.
As there are not many things to use CRMF for: what are you
implementing? Do you know my code to use CMP with OpenSSL? You can
obtain the full code including the snippets I pasted above from
.
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063Work Phone: +1 (603) 646-9179
--o
smime.p7s
Description: S/MIME Cryptographic Signature
64 bits computer always returns the same salt
Hello all. I tried the openssl-users list but I think this may be a question for the devel list: I'm doing my "homework" about openssl, but *this question has nothing to do with it*. It's just a doubt that arised while doing it. There is one exercise with the following text: Con el comando “openssl enc” y la siguiente clave AES: 188458A6D15034DFE386F23B61D43774 se puede descifrar cierta información. Podrías decir cual? Using the command " openssl enc" and the following AES key: 188458A6D15034DFE386F23B61D43774 you can decode some information, could you say what? I started playing with "openssl enc" and I thought the only thing I could "guess" was the salt (Surely I'm wrong). So I ran the command with a random IV: openssl enc -aes128 -K 188458A6D15034DFE386F23B61D43774 -iv 1 -P I found that the salt varies as it should on two machines with 32 bit CPU (not my main one): Office's computer (openssl 0.9.8g-4ubuntu2): salt=4075DFB76496F2B7 salt=4045D8B76466EBB7 salt=40C5DAB764E6EDB7 salt=4015DEB76436F1B7 salt=4025DFB76446F2B7 A server I have somewhere else (openssl 0.9.8c-4etch1): salt=50D882BF0C00 salt=B05DD9BF0C00 salt=A0CCC7BF0C00 salt=E0C88BBF0C00 salt=204190BF0C00 But when I run it on my main computer, it always outputs the same salt! This machine is a 64bit CPU, running a 64bits linux distribution (openssl 0.9.8g-4ubuntu2): salt=0004 salt=0004 salt=0004 salt=0004 I've been searching through the openssl lists and found nothing about this behavior. What can be happening? Is it about the 64 bit version of openssl? Thanks a lot for your attention. Regards. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: CRMF and SEQUENCE OF CertReq
Hi Massimiliano,
I don't know if that's the best solution, but it worked for me that way:
in crmf.h:
typedef struct crmf_certreqmsg_st
{
»···CRMF_CERTREQUEST *certReq;
»···CRMF_PROOFOFPOSSESION *popo;/* 0 */
»···CRMF_ATTRIBUTETYPEANDVALUE *regInfo; /* 1 */
} CRMF_CERTREQMSG;
DECLARE_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
DECLARE_STACK_OF(CRMF_CERTREQMSG) /* CertReqMessages */
DECLARE_ASN1_SET_OF(CRMF_CERTREQMSG) /* CertReqMessages */
in crmf_asn.c:
ASN1_SEQUENCE(CRMF_CERTREQMSG) = {
»···ASN1_SIMPLE(CRMF_CERTREQMSG, certReq, CRMF_CERTREQUEST),
»···ASN1_IMP_OPT(CRMF_CERTREQMSG, popo, CRMF_PROOFOFPOSSESION, 0),
»···ASN1_IMP_SEQUENCE_OF_OPT(CRMF_CERTREQMSG, regInfo,
CRMF_ATTRIBUTETYPEANDVALUE, 1)
} ASN1_SEQUENCE_END(CRMF_CERTREQMSG)
IMPLEMENT_ASN1_FUNCTIONS(CRMF_CERTREQMSG)
I needed it for CMP. In order to use the "CertReqMessages", I am doing:
In cmp.h:
typedef struct cmp_pkibody_st
{
»···int type;
»···union{
»···»···STACK_OF(CRMF_CERTREQMSG) *ir; /* 0 */
...
In cmp_asn.c:
ASN1_CHOICE(CMP_PKIBODY) = {
»···ASN1_EXP_SEQUENCE_OF(CMP_PKIBODY, value.ir, CRMF_CERTREQMSG, 0),
...
There might be other ways to do it - the OpenSSL ASN.1 documentation
seems to be not complete - but it works fine that way.
As there are not many things to use CRMF for: what are you
implementing? Do you know my code to use CMP with OpenSSL? You can
obtain the full code including the snippets I pasted above from
.
Best regards,
Martin
On 4/3/08, Massimiliano Pala <[EMAIL PROTECTED]> wrote:
> Hi guys,
>
> I am stuck with a simple (hopefully) problem that I do not know how to
> solve.
> In particular I am trying to implement a CRMF simple interface. But I am
> not
> sure how to code the CertReqMessages. From the ASN.1 specification
> (rfc4211)
> it should be:
>
>CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
>
> Initially I implemented it as:
>
>ASN1_SEQUENCE (CRMF_REQ) = {
> ASN1_SEQUENCE_OF( CRMF_REQ, requests, CRMF_CERT_REQ_MESSAGE )
>} ASN1_SEQUENCE_END(CRMF_REQ)
>
>IMPLEMENT_ASN1_FUNCTIONS(CRMF_REQ)
>
> and the related:
>
> typedef struct crmfReq_st {
> STACK_OF(CRMF_CERT_REQ_MESSAGE) *requests;
> } CRMF_REQ;
>
> DECLARE_ASN1_FUNCTIONS(CRMF_REQ)
>
>
> Would this work ? Or because it would be something like:
>
> SEQUENCE
> SEQUENCE OF CRMF_CERT_REQ_MESSAGE
>
> it will not ? (Instead of being just one SEQUENCE is a SEQUENCE of a
> SEQUENCE). How do I solve my problem ?
>
>
> --
>
> Best Regards,
>
> Massimiliano Pala
>
> --o
> Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
> Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
> PKI/Trust - Office 063Work Phone: +1 (603) 646-9179
> --o
>
>
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
CRMF and SEQUENCE OF CertReq
Hi guys,
I am stuck with a simple (hopefully) problem that I do not know how to solve.
In particular I am trying to implement a CRMF simple interface. But I am not
sure how to code the CertReqMessages. From the ASN.1 specification (rfc4211)
it should be:
CertReqMessages ::= SEQUENCE SIZE (1..MAX) OF CertReqMsg
Initially I implemented it as:
ASN1_SEQUENCE (CRMF_REQ) = {
ASN1_SEQUENCE_OF( CRMF_REQ, requests, CRMF_CERT_REQ_MESSAGE )
} ASN1_SEQUENCE_END(CRMF_REQ)
IMPLEMENT_ASN1_FUNCTIONS(CRMF_REQ)
and the related:
typedef struct crmfReq_st {
STACK_OF(CRMF_CERT_REQ_MESSAGE) *requests;
} CRMF_REQ;
DECLARE_ASN1_FUNCTIONS(CRMF_REQ)
Would this work ? Or because it would be something like:
SEQUENCE
SEQUENCE OF CRMF_CERT_REQ_MESSAGE
it will not ? (Instead of being just one SEQUENCE is a SEQUENCE of a
SEQUENCE). How do I solve my problem ?
--
Best Regards,
Massimiliano Pala
--o
Massimiliano Pala [OpenCA Project Manager][EMAIL PROTECTED]
[EMAIL PROTECTED]
Dartmouth Computer Science Dept Home Phone: +1 (603) 397-3883
PKI/Trust - Office 063Work Phone: +1 (603) 646-9179
--o
smime.p7s
Description: S/MIME Cryptographic Signature
