[openssl-dev] [openssl.org #3638] [PATCH] Fix build with -DOPENSSL_NO_SRTP
Hey guys, 1.0.2-stable and master are currently broken when building with -DOPENSSL_NO_SRTP. Attached patches fix that. Best regards, Piotr Sikora OpenSSL_1_0_2__Fix-build-with-DOPENSSL_NO_SRTP.patch Description: Binary data OpenSSL_master__Fix-build-with-DOPENSSL_NO_SRTP.patch Description: Binary data ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL and certain PEM formats
On 12/18/2014 4:41 AM, Salz, Rich wrote: Are you trying to be proscriptive (say what people should use) or descriptive (document what is in use)? Yes, PKCS8-based PRIVATE KEY is better. But RSA PRIVATE KEY is in (wide) use and should be described. I am trying to be proscriptively descriptive about what is in use and will lead to (continued) interoperability. In the case of the * PRIVATE KEY labels, not a lot of crypto software supports it. The two biggest ones that I know of are OpenSSL and PolarSSL. (To my knowledge PolarSSL only supports RSA PRIVATE KEY and EC PRIVATE KEY--all others need to be in PRIVATE KEY PKCS #8 format.) These two OSS implementations may in fact dominate the market but only a certain market segment (namely web servers, and by extension, the web interfaces to web servers by web hosting companies). If you want to import a private key into Mac OS X, Mozilla NSS, Microsoft CryptoAPI, or the Java VM, you need to package it up (typically with a certificate) in a PKCS #12 file. PKCS #1 is an IETF (adopted) standard but PKCS #1 doesn't prescribe the RSA PRIVATE KEY label; it only defines the ASN.1 (BER/DER) representation. And PKCS #1 is no more or less a standard than the other IETF documents for the other key types, like Diffie-Hellman, ECC, etc. Anyway, the document was approved so it should be published with *minor* changes as an RFC soon. I am loathe to add new labels/formats; I am not convinced the threshold is met here. Cheers, Sean ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL and certain PEM formats
From: openssl-dev On Behalf Of Salz, Rich Sent: Thursday, December 18, 2014 07:42 Are you trying to be proscriptive (say what people should use) or descriptive (document what is in use)? Yes, PKCS8-based PRIVATE KEY is better. But RSA PRIVATE KEY is in (wide) use and should be described. E.g. Wireshark uses -- or did when I looked a few versions ago -- only the legacy RSA PRIVATE KEY form or PKCS12 not the PKCS8 PRIVATE KEY form. (PEM_read_*PrivateKey silently handles either legacy or PKCS8, but Wireshark doesn't use OpenSSL it uses GnuTLS.) There are also legacy DSA PRIVATE KEY and EC PRIVATE KEY. On the whole these algorithms and keys were not used as much as RSA in the past (EC is now rising) but they were used and may still exist. Technically there are legacy formats and IMPLEMENT_PEM routines for specific RSA,DSA,EC PUBLIC KEY. But PUBKEY (SPKI) has been default for at least 10 years, so these are probably very very little used. ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL and certain PEM formats
On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: Does OpenSSL have documented someplace exactly what it means to have a TRUSTED CERTIFICATE? It is a certificate + auxiliary data which specifies a friendly name plus a set of EKUs. For example, say we're talking about a certificate that i am willing to accept for the peer foo.example. If i mark it TRUSTED and it has another SubjectAltName of bar.example, will OpenSSL subsequently accept it for bar.example as well? http://marc.info/?l=openssl-devm=115218769327835w=2 There is no explicit association with a particular peer, it is up to the application to add corresponding trusted certificates to the store when validating particular peers for which such certificates have been configured. If such a certificate is added to the default store, then it will apply to all cases with a matching EKU. -- Viktor. ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL and certain PEM formats
On Fri, Dec 19, 2014 at 07:02:29AM -0800, Sean Leonard wrote: There is also a TRUSTED CERTIFICATE label that OpenSSL uses...I believe this is a vendor-specific extension but now that I am spelunking through the source code I see that it could be abused. Relevant source code/comments say: https://www.openssl.org/docs/apps/x509.html What is this abuse you speak of. No remote actor injects trusted certificates into the verifier's list of trust anchors. Trusted certificates are actually less trusted certificates, in that their set of EKUs is potentially constrained. -- Viktor. ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #3631] Bug in the binary search in OBJ_bsearch_ex_ in obj_dat.c (1.0.1j)
No, i commented out the RSA encrypt routines and several other things that i can't/don't use. This resulted in a smaller array to search, which led me to this problem. I know it's no problem if you use OpenSSL the normal way. I don't call it from my code. My code only calls methods available in the OpenSSL API. Am 17.12.2014 14:51, schrieb Richard Levitte via RT: Are you using OBJ_bsearch_ex_ directly from your code? It seems to me that you have misunderstood how it works. size is the size of one element of your array, num is the number of elements. The actual size of the array (in bytes) should then be size*num, and you need to make sure that it is. I would, however, recommend that you don't call this function directly, and instead use the macro OBJ_bsearch_ex, which will calculate the element size properly for you, given a type that you give it. On Fri Dec 12 17:52:07 2014, matthias.mu...@jojema.de wrote: Hello, I strapped down OpenSSL 1.0.1j to only the PEM to RSA, BIO and RSA public decrypt functions. So a bug in the binary search in appeared: Current code: const void *OBJ_bsearch_ex_(const void *key, const void *base_, int num, int size, int (*cmp)(const void *, const void *), int flags) { const char *base=base_; int l,h,i=0,c=0; const char *p = NULL; if (num == 0) return(NULL); l=0; h=num; while (l h) { i=(l+h)/2; p= (base[i*size]); c=(*cmp)(key,p); if (c 0) h=i; else if (c 0) l=i+1; else break; } [...] My case: size = 4 num = 4 In the first round i evaluates to 2 which can not be divided by size and lets p escape the frame for the pointers, which results in a segfault. General case: This will fail for every case where num (size * 2) My fix: const void *OBJ_bsearch_ex_(const void *key, const void *base_, int num, int size, int (*cmp)(const void *, const void *), int flags) { const char *base=base_; int l,h,i=0,c=0; const char *p = NULL; if (num == 0) return(NULL); if (num size*2) { while(inum) { p=(base[i*size]); c=(*cmp)(key,p); if (!c) break; else ++i; } } else { l=0; h=num; while (l h) { i=(l+h)/2; p= (base[i*size]); c=(*cmp)(key,p); if (c 0) h=i; else if (c 0) l=i+1; else break; } } [...] Regards Matthias Mucha -- Richard Levitte levi...@openssl.org ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL and certain PEM formats
On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: Does OpenSSL have documented someplace exactly what it means to have a TRUSTED CERTIFICATE? It is a certificate + auxiliary data which specifies a friendly name plus a set of EKUs. Mozilla provides a list of root certificates and that includes at least the trust settings for that certificate. In Debian we then extract the certificates from that so that it can be used by applications that need to have a list of trusted CAs. However those trust settings are removed because not everything that wants to use those certificates understands the trusted certificate. It would be useful to have a standardised format. Kurt ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
Re: [openssl-dev] OpenSSL and certain PEM formats
On Dec 19, 2014, at 11:35 AM, Kurt Roeckx k...@roeckx.be wrote: On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote: On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote: Does OpenSSL have documented someplace exactly what it means to have a TRUSTED CERTIFICATE? It is a certificate + auxiliary data which specifies a friendly name plus a set of EKUs. Mozilla provides a list of root certificates and that includes at least the trust settings for that certificate. What exactly is the Mozilla (NSS) format? How does it differ from the OpenSSL format? Sean ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev
[openssl-dev] TMN - Receber aqui os MMS que lhe enviarem
Spam detection software, running on the system mta, has identified this incoming email as possible spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content preview: [...] Content analysis details: (5.2 points, 5.0 required) pts rule name description -- -- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: imgbox.com] 0.0 NORMAL_HTTP_TO_IP URI: Uses a dotted-decimal IP address in URL 0.3 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts 0.0 HTML_MESSAGE BODY: HTML included in message -0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [194.97.152.144 listed in wl.mailspike.net] -0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 0.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag 0.0 T_REMOTE_IMAGE Message contains an external image 3.0 TO_EQ_FM_HTML_ONLY To == From and HTML only The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. ---BeginMessage--- ---End Message--- ___ openssl-dev mailing list openssl-dev@openssl.org https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev