[openssl.org #2171] ssl2 is unnecessarily rejected as not supporting the safe renegotiation
As SSLv2 does not specify any renegotiation at all does it really make sense to reject it in the ssl23_get_client_hello() if legacy renegotiation is not enabled in the ssl options? openssl s_server when contacted with openssl s_client -sslv2 returns: 140392456742728:error:14076152:SSL routines:SSL23_GET_CLIENT_HELLO:unsafe legacy renegotiation disabled:s23_srvr.c:509: -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #2172] [BUG] Incorrect input checking in openssl enc
Hello, They have a bad verification of argument pass between in openssl command. I discovered this because i use a passphrase of more than 4000 chars (interest can be discussed). All following information about souce code is based on OpenSSL 0.9.8k. When the pass argument is givent by command line $ /usr/bin/openssl enc -p -d -a -bf -pass pass:big pass of 4000 chars -in mlvs or by environment size of passphrase is unlimited $ /usr/bin/openssl enc -p -d -a -bf -pass env:pass -in mlvs decoding occur correctly. But if i use: $ /usr/bin/openssl enc -p -d -a -bf -kfile /path/to/my/pass -in mlvs $ /usr/bin/openssl enc -p -d -a -bf -pass file:/path/to/my/pass -in mlvs i have something like this: bad decrypt 16246:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330: After reading source code, i think this append because with openssl enc command with option kfile read only 128 first chars of the file (enc.c line 228). So it's unable to read correctly the complete passphrase. With the -pass option, same issu, reding is done in apps.c of a contant size APP_PASS_LEN define in apps.h with value of 1024. Same issue, unable to read complete pass file, so failure in decyphring. The issue is $ /usr/bin/openssl enc -p -d -a -bf -pass pass:big pass of 4000 chars -in $ /usr/bin/openssl enc -p -d -a -bf -pass env:pass -in mlvs $ /usr/bin/openssl enc -p -d -a -bf -kfile /path/to/my/pass -in mlvs $ /usr/bin/openssl enc -p -d -a -bf -pass file:/path/to/my/pass -in mlvs have not the same bahaviour with more than 128 chars in passphrase. And this is blocking when we want a passphrase with chars than cannot be passed by env or command line (with non ascii chars) and with size more than 1024 chars. Best regards, -- Sebastien Seblu Luttringer - IT Engineer Smartjog - TDF Pole Multimedia 27 bd Hippolyte Marques, 94200 Ivry sur Seine, France Phone: +33.1.58.68.62.32 Fax: +33.1.58.68.62.05 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Patch: fix a crash in the GOST engine
Hi there! I'm using the GOST engine to sign files on an ARM platform and I got a crash with bt pointing to the GOST engine. When gost2001_do_sign() fails for some reason (missing /dev/urandom in my case) it doesn't set 'newsig' to NULL and hence returns a dangling pointer. pkey_gost01_cp_sign() gets misled by it and everything goes downhill from there. The bt I got: #0 0x400ccbc0 in BN_num_bits (a=0x0) at bn_lib.c:250 #1 0x403a73f0 in store_bignum (bn=0x0, buf=0x1f120 , len=32) at gost_sign.c:316 #2 0x403a6a94 in pack_sign_cp (s=0x1f4d0, order=32, sig=0x1f120 , siglen=0xbe97fc18) at gost_sign.c:123 #3 0x403a5644 in pkey_gost01_cp_sign (ctx=0x1f470, sig=0x1f120 , siglen=0xbe97fc18, tbs=0xbe97fc38 ��?��!Шe��Jm�uzݾ�\211�U�\203Hk3\207�\211\017�, tbs_len=32) at gost_pmeth.c:366 #4 0x40157de4 in EVP_PKEY_sign (ctx=0x1f470, sig=0x1f120 , siglen=0xbe97fc18, tbs=0xbe97fc38 ��?��!Шe��Jm�uzݾ�\211�U�\203Hk3\207�\211\017�, -+ tbslen=32) at pmeth_fn.c:116 #5 0x4014dd90 in EVP_SignFinal (ctx=0xbe980cbc, sigret=0x1f120 , siglen=0xbe980cb8, pkey=0x1f448) at p_sign.c:104 #6 0x90e4 in sign_file (name=0xbe980f52 ipsum, e=0x1db00, md=0x403b2d50, pkey=0x1f448) at sign.c:122 #7 0x9548 in main (argc=2, argv=0xbe980e74) at sign.c:223 With the attached patch pkey_gost01_cp_sign() fails properly and I get a pretty clear error message. -- Dmitry Ivanov KDE PIM developer (pim.kde.org) partimage-ng developer (partimage-ng.net) --- openssl-1.0.0-stable-SNAP-20100215/engines/ccgost/gost2001.c 2008-02-28 16:45:05.0 +0300 +++ lpc/openssl/openssl-1.0.0-stable-SNAP-20100215/engines/ccgost/gost2001.c 2010-02-16 14:45:03.0 +0300 @@ -136,12 +136,14 @@ DSA_SIG *gost2001_do_sign(const unsigned { GOSTerr(GOST_F_GOST2001_DO_SIGN,GOST_R_RANDOM_NUMBER_GENERATOR_FAILED); DSA_SIG_free(newsig); +newsig = NULL; goto err; } if (!EC_POINT_mul(group,C,k,NULL,NULL,ctx)) { GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB); DSA_SIG_free(newsig); +newsig = NULL; goto err; } if (!X) X=BN_CTX_get(ctx); @@ -149,6 +151,7 @@ DSA_SIG *gost2001_do_sign(const unsigned { GOSTerr(GOST_F_GOST2001_DO_SIGN,ERR_R_EC_LIB); DSA_SIG_free(newsig); +newsig = NULL; goto err; } if (!r) r=BN_CTX_get(ctx);
[openssl.org #2171] ssl2 is unnecessarily rejected as not supporting the safe renegotiation
Fixed, ticket resolved. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: Patch: fix a crash in the GOST engine
On Tue, Feb 16, 2010, Dmitry Ivanov wrote: Hi there! I'm using the GOST engine to sign files on an ARM platform and I got a crash with bt pointing to the GOST engine. When gost2001_do_sign() fails for some reason (missing /dev/urandom in my case) it doesn't set 'newsig' to NULL and hence returns a dangling pointer. pkey_gost01_cp_sign() gets misled by it and everything goes downhill from there. Patch applied thanks for reporting this. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 beta5 release v. VMS
From: Arpadffy Zoltan zoltan.arpad...@scientificgames.se meanwhile I have tested the latest snapshot openssl-1.0.0-stable-SNAP-20100210.tar.gz and the build failed again, [...] Compiling The cversion.c File. (LIBRARY,LIB) #include buildinf.h .^ %CC-F-NOINCLFILEF, Cannot find file buildinf.h specified in #include directive. at line number 62 in file USRDSK:[ZAY.WORK.OPENSSL-100-STABLE-SNAP-20100210.CRYPTO]CVERSION.C;1 [...] The builder seems to be looking in the wrong place. SYS$DISK:[.''ARCH'] - SYS$DISK:[-.''ARCH'.CRYPTO] ALP $ gdiff -u openssl-1.0.0-stable-SNAP-20100211/crypto/crypto-lib.com_orig openssl-1.0.0-stable-SNAP-20100211/crypto/crypto-lib.com --- openssl-1.0.0-stable-SNAP-20100211/crypto/crypto-lib.com_orig 2009-11-12 09:02:05 -0600 +++ openssl-1.0.0-stable-SNAP-20100211/crypto/crypto-lib.com2010-02-16 14:00:48 -0600 @@ -1034,7 +1034,9 @@ THEN CC = CC/DECC $ CC = CC + /''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89 + - /NOLIST/PREFIX=ALL + - - /INCLUDE=(SYS$DISK:[],SYS$DISK:[.''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1]) + - + /INCLUDE = (SYS$DISK:[], SYS$DISK:[-.''ARCH'.CRYPTO], + - + SYS$DISK:[-], SYS$DISK:[.ENGINE.VENDOR_DEFNS], + - + SYS$DISK:[.EVP], SYS$DISK:[.ASN1]) + - CCEXTRAFLAGS $! $!Define The Linker Options File Name. @@ -1068,7 +1070,9 @@ $ ENDIF $ IF F$TRNLNM(DECC$CC_DEFAULT).EQS./DECC THEN CC = CC/VAXC $ CC = CC + /''CC_OPTIMIZE'/''DEBUGGER'/NOLIST + - - /INCLUDE=(SYS$DISK:[],SYS$DISK:[.''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1]) + - + /INCLUDE = (SYS$DISK:[], SYS$DISK:[-.''ARCH'.CRYPTO],+ - + SYS$DISK:[-], SYS$DISK:[.ENGINE.VENDOR_DEFNS],+ - + SYS$DISK:[.EVP], SYS$DISK:[.ASN1]) + - CCEXTRAFLAGS $ CCDEFS = VAXC, + CCDEFS $! @@ -1100,7 +1104,9 @@ $!Use GNU C... $! $ CC = GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST + - - /INCLUDE=(SYS$DISK:[],SYS$DISK:[.''ARCH'],SYS$DISK:[-],SYS$DISK:[.ENGINE.VENDOR_DEFNS],SYS$DISK:[.EVP],SYS$DISK:[.ASN1]) + - + /INCLUDE = (SYS$DISK:[], SYS$DISK:[-.''ARCH'.CRYPTO],+ - + SYS$DISK:[-], SYS$DISK:[.ENGINE.VENDOR_DEFNS],+ - + SYS$DISK:[.EVP], SYS$DISK:[.ASN1]) + - CCEXTRAFLAGS $! $!Define The Linker Options File Name. Still many test problems like these: [...] Testing key generation with NIST Binary-Curve B-571 . . . . ok cat WARNING: can't open config file: SSLROOT:[00]openssl.cnf WARNING: can't open config file: SSLROOT:[00]openssl.cnf base64 WARNING: can't open config file: SSLROOT:[00]openssl.cnf WARNING: can't open config file: SSLROOT:[00]openssl.cnf WARNING: can't open config file: SSLROOT:[00]openssl.cnf [...] I just wonder is there any chance to keep the VMS build clean and stable? Apparently not much of a chance. (Chance is the fool's name for Fate, I always say.) Steven M. Schweda s...@antinode-info 382 South Warwick Street(+1) 651-699-9818 Saint Paul MN 55105-2547 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 beta5 release v. VMS
[...] Still many test problems like these: [...] Testing key generation with NIST Binary-Curve B-571 . . . . ok cat WARNING: can't open config file: SSLROOT:[00]openssl.cnf WARNING: can't open config file: SSLROOT:[00]openssl.cnf [...] --- openssl-1.0.0-stable-SNAP-20100211/test/tests.com_orig 2010-01-24 19:04:13 -0600 +++ openssl-1.0.0-stable-SNAP-20100211/test/tests.com 2010-02-16 15:22:02 -0600 @@ -12,14 +12,16 @@ $ texe_dir := sys$disk:[-.'__arch'.exe.test] $ exe_dir := sys$disk:[-.'__arch'.exe.apps] $ -$ sslroot = f$parse(sys$disk:[-.apps];syntax_only) - ].;+ .] -$ define /translation_attributes = concealed sslroot 'sslroot' -$ -$ set default '__here' -$ $ on control_y then goto exit $ on error then goto exit $ +$ set default '__here' +$ sslroot = f$parse(sys$disk:[-.apps];syntax_only) - ].;+ .] +$ define /translation_attributes = concealed sslroot 'sslroot' +$ write sys$output ''__proc +$ show logical sslroot +$ directory /date /protection /size sslroot:[00]openssl.cnf +$ $ if p1 .nes. $ then $ tests = p1 It might be nice if tests.com announced itself, instead of starting silently. The show logical sslroot command helps the user find the files being used. The directory command provides a quick failure if openssl.cnf is not where it should be. These are not required for proper operation. Setting the default directory properly before assigning that value to the symbol sslroot is required. More white space is ok with me. Steven M. Schweda s...@antinode-info 382 South Warwick Street(+1) 651-699-9818 Saint Paul MN 55105-2547 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: OpenSSL 1.0.0 beta5 release v. VMS
--- openssl-1.0.0-stable-SNAP-20100211/test/tests.com_orig2010-01-24 19:04:13 -0600 +++ openssl-1.0.0-stable-SNAP-20100211/test/tests.com 2010-02-16 15:22:02 -0600 [...] +$set default '__here' +$sslroot = f$parse(sys$disk:[-.apps];syntax_only) - ].;+ .] +$define /translation_attributes = concealed sslroot 'sslroot' [...] Isn't this the stuff we also decided to change to something more like the following? $ set default '__here' $ set default [-.apps] $ sslroot = f$parse( f$environment( default), , , , no_conceal) $ sslroot = sslroot - ][ - .00 - ].; + .] $ define /translation_attributes = concealed sslroot 'sslroot' $ set default '__here' Either way, set default '__here' needs to be done before the other work. (And, with set default [-.apps], it needs to be done again, afterward.) I'm losing track of which fixes are not getting incorporated into the official source. Speaking of which, it's still not too late to add those SSL_ prefixes to the shared image names. Just a thought. Steven M. Schweda s...@antinode-info 382 South Warwick Street(+1) 651-699-9818 Saint Paul MN 55105-2547 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org