Re: The new subject hash algorithm

2013-10-06 Thread jsrivaya 
Hi Steve and Krzysztof,
I have not been able to reproduce the same output as openssl. Can you be
more specific how you achieved it?

So x509_name_canon generates the CANONICAL representation of the subject
name, right?

If I understand correctly, after generating the canon encoding I would only
have to pass it to EVP_Digest, correct?

Exposing x509_name_canon() to x509_cmp.c first.

unsigned long X509_NAME_hash(X509_NAME *x):
x509_name_canon()
EVP_Digest(x-canon_enc, x-canon_enclen, md, NULL, EVP_sha1(), NULL)





--
View this message in context: 
http://openssl.6102.n7.nabble.com/The-new-subject-hash-algorithm-tp44844p46720.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3135] Not all items displayed by list-cipher-commands are in OBJ_sn2nid()

2013-10-06 Thread Harlan Stenn via RT 
There are ciphers listed in the output of 'openssl list-cipher-commands'
that are not listed in OBJ_sn2nid(), eg 'rmd160'.  It would be Really
Nice if the list of ciphers in OBJ_sn2nid() included these aliases as
well.

http://bugs.ntp.org/show_bug.cgi?id=2463

If there is a better way to handle this please let me know, and we're
telling people that if you link with openssl, you can use any cipher
listed by 'openssl list-cipher-commands' and for some of these aliases
that's just not true and we're not finding another way to validate these
aliases.

-- 
Harlan Stenn st...@ntp.org
http://networktimefoundation.org  - be a member!

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #3136] [PATCH] get rid of extra space when printing -subject and -issuer in x509

2013-10-06 Thread Jiri Horky via RT 
Openssl behaves differently when printing subject or issuer from request
or from existing certificate in x509. If using x509 there is an extra
space after '=' character.
It can affect scripts that checks whether these fields in request and
certificate match. Moreover when printing serial, the in x509 there was
no extra space, so the behavior was kind of unpredictable. The attached
patch deletes the extra space in x509 output.

Jiri Horky

--- apps/x509.c	2013-10-03 13:42:39.504547535 +0200
+++ apps/x509.c.orig	2013-10-03 13:42:25.784301201 +0200
@@ -728,12 +728,12 @@ bad:
 			{
 			if (issuer == i)
 {
-print_name(STDout, issuer=,
+print_name(STDout, issuer= ,
 	X509_get_issuer_name(x), nmflag);
 }
 			else if (subject == i) 
 {
-print_name(STDout, subject=,
+print_name(STDout, subject= ,
 	X509_get_subject_name(x), nmflag);
 }
 			else if (serial == i)

[openssl.org #2958] [PATCH] Fix for #2958: DTLS connect limbo

2013-10-06 Thread Daniel Caiafa via RT 
In DTLS with peer authentication, cipher-spec can be changed before the
CertificateVerify message is processed leaving the connection in an
unrecoverable state. This situation happens if the CertificateVerify
message is lost or reordered

-Dan



dtls_2958.patch
Description: Binary data

[openssl.org #3137] The behavior of CRYPTO_set_mem_functions() in FIPS mode

2013-10-06 Thread Wang, Qun via RT 
Hi,

It looks like CRYPTO_set_mem_functions() of OpenSSL 1.0.1e does not work in 
FIPS 2.0.5: CRYPTO_set_mem_functions() calls indirectly CRYPTO_malloc() which 
sets allow_customize = 0; and so CRYPTO_set_mem_functions() does nothing 
(just return 0, instead of 1).

Gdb trace with a modified _ssl module:

#0  0x003803463100 in CRYPTO_malloc () from /lib64/libcrypto.so.10
#1  0x003803542fae in FIPS_drbg_new () from /lib64/libcrypto.so.10
#2  0x0038035448e1 in FIPS_drbg_health_check () from /lib64/libcrypto.so.10
#3  0x003803542e88 in FIPS_drbg_init () from /lib64/libcrypto.so.10
#4  0x0038034cf9d1 in RAND_init_fips () from /lib64/libcrypto.so.10
#5  0x003803465764 in OPENSSL_init_library () from /lib64/libcrypto.so.10
#6  0x003803462c61 in CRYPTO_set_mem_functions () from 
/lib64/libcrypto.so.10
#7  0x7135bc6c in PyInit__ssl () at 
/home/haypo/prog/python/default/Modules/_ssl.c:3180

My question - is this behavior expected or not?

Thanks a lot,
Qun


From: qun.w...@sap.com
Sent: Saturday, October 05, 2013 10:30 PM
To: 'openssl-n...@openssl.org'
Subject: The behavior of CRYPTO_set_mem_functions() in FIPS mode

Hi,

It looks like CRYPTO_set_mem_functions() of OpenSSL 1.0.1e-4.fc18 does not 
work: CRYPTO_set_mem_functions() calls indirectly CRYPTO_malloc() which sets 
allow_customize = 0; and so CRYPTO_set_mem_functions() does nothing (just 
return 0, instead of 1).

Gdb trace with a modified _ssl module:

#0  0x003803463100 in CRYPTO_malloc () from /lib64/libcrypto.so.10
#1  0x003803542fae in FIPS_drbg_new () from /lib64/libcrypto.so.10
#2  0x0038035448e1 in FIPS_drbg_health_check () from /lib64/libcrypto.so.10
#3  0x003803542e88 in FIPS_drbg_init () from /lib64/libcrypto.so.10
#4  0x0038034cf9d1 in RAND_init_fips () from /lib64/libcrypto.so.10
#5  0x003803465764 in OPENSSL_init_library () from /lib64/libcrypto.so.10
#6  0x003803462c61 in CRYPTO_set_mem_functions () from 
/lib64/libcrypto.so.10
#7  0x7135bc6c in PyInit__ssl () at 
/home/haypo/prog/python/default/Modules/_ssl.c:3180

My question - is this behavior expected or not?

Thanks a lot,
Qun





__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org