[openssl-dev] [openssl.org #3638] [PATCH] Fix build with -DOPENSSL_NO_SRTP

2014-12-19 Thread Piotr Sikora via RT
Hey guys,
1.0.2-stable and master are currently broken when building with
-DOPENSSL_NO_SRTP.

Attached patches fix that.

Best regards,
Piotr Sikora



OpenSSL_1_0_2__Fix-build-with-DOPENSSL_NO_SRTP.patch
Description: Binary data


OpenSSL_master__Fix-build-with-DOPENSSL_NO_SRTP.patch
Description: Binary data
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Sean Leonard

On 12/18/2014 4:41 AM, Salz, Rich wrote:

Are you trying to be proscriptive (say what people should use) or descriptive 
(document what is in use)?

Yes, PKCS8-based PRIVATE KEY is better.  But RSA PRIVATE KEY is in (wide) use 
and should be described.


I am trying to be proscriptively descriptive about what is in use and 
will lead to (continued) interoperability.


In the case of the * PRIVATE KEY labels, not a lot of crypto software 
supports it. The two biggest ones that I know of are OpenSSL and 
PolarSSL. (To my knowledge PolarSSL only supports RSA PRIVATE KEY and 
EC PRIVATE KEY--all others need to be in PRIVATE KEY PKCS #8 
format.) These two OSS implementations may in fact dominate the market 
but only a certain market segment (namely web servers, and by extension, 
the web interfaces to web servers by web hosting companies). If you want 
to import a private key into Mac OS X, Mozilla NSS, Microsoft CryptoAPI, 
or the Java VM, you need to package it up (typically with a certificate) 
in a PKCS #12 file.


PKCS #1 is an IETF (adopted) standard but PKCS #1 doesn't prescribe the 
RSA PRIVATE KEY label; it only defines the ASN.1 (BER/DER) 
representation. And PKCS #1 is no more or less a standard than the other 
IETF documents for the other key types, like Diffie-Hellman, ECC, etc.


Anyway, the document was approved so it should be published with *minor* 
changes as an RFC soon. I am loathe to add new labels/formats; I am not 
convinced the threshold is met here.


Cheers,

Sean

___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Dave Thompson
 From: openssl-dev On Behalf Of Salz, Rich
 Sent: Thursday, December 18, 2014 07:42

 Are you trying to be proscriptive (say what people should use) or
descriptive
 (document what is in use)?
 
 Yes, PKCS8-based PRIVATE KEY is better.  But RSA PRIVATE KEY is in (wide)
 use and should be described.
 
E.g. Wireshark uses -- or did when I looked a few versions ago -- only the 
legacy RSA PRIVATE KEY form or PKCS12 not the PKCS8 PRIVATE KEY form.

(PEM_read_*PrivateKey silently handles either legacy or PKCS8, but 
Wireshark doesn't use OpenSSL it uses GnuTLS.)

There are also legacy DSA PRIVATE KEY and EC PRIVATE KEY.
On the whole these algorithms and keys were not used as much as RSA 
in the past (EC is now rising) but they were used and may still exist.

Technically there are legacy formats and IMPLEMENT_PEM routines for 
specific RSA,DSA,EC PUBLIC KEY. But PUBKEY (SPKI) has been default 
for at least 10 years, so these are probably very very little used.


___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Viktor Dukhovni
On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:

 Does OpenSSL have documented someplace exactly what it means to have a
 TRUSTED CERTIFICATE?

It is a certificate + auxiliary data which specifies a friendly name
plus a set of EKUs.

 For example, say we're talking about a certificate that i am willing to
 accept for the peer foo.example.  If i mark it TRUSTED and it has
 another SubjectAltName of bar.example, will OpenSSL subsequently accept
 it for bar.example as well?

http://marc.info/?l=openssl-devm=115218769327835w=2

There is no explicit association with a particular peer, it is up
to the application to add corresponding trusted certificates to
the store when validating particular peers for which such certificates
have been configured.  If such a certificate is added to the default
store, then it will apply to all cases with a matching EKU.

-- 
Viktor.
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Viktor Dukhovni
On Fri, Dec 19, 2014 at 07:02:29AM -0800, Sean Leonard wrote:

 There is also a TRUSTED CERTIFICATE label that OpenSSL uses...I believe
 this is a vendor-specific extension but now that I am spelunking through the
 source code I see that it could be abused. Relevant source code/comments
 say:
 https://www.openssl.org/docs/apps/x509.html

What is this abuse you speak of.  No remote actor injects trusted
certificates into the verifier's list of trust anchors.  Trusted
certificates are actually less trusted certificates, in that
their set of EKUs is potentially constrained.

-- 
Viktor.
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] [openssl.org #3631] Bug in the binary search in OBJ_bsearch_ex_ in obj_dat.c (1.0.1j)

2014-12-19 Thread Matthias Mucha via RT
No, i commented out the RSA encrypt routines and several other things 
that i can't/don't use. This resulted in a smaller array to search, 
which led me to this problem.

I know it's no problem if you use OpenSSL the normal way. I don't call 
it from my code. My code only calls methods available in the OpenSSL API.

Am 17.12.2014 14:51, schrieb Richard Levitte via RT:
 Are you using OBJ_bsearch_ex_ directly from your code? It seems to me that you
 have misunderstood how it works. size is the size of one element of your 
 array,
 num is the number of elements. The actual size of the array (in bytes) should
 then be size*num, and you need to make sure that it is.

 I would, however, recommend that you don't call this function directly, and
 instead use the macro OBJ_bsearch_ex, which will calculate the element size
 properly for you, given a type that you give it.

 On Fri Dec 12 17:52:07 2014, matthias.mu...@jojema.de wrote:
 Hello,

 I strapped down OpenSSL 1.0.1j to only the PEM to RSA, BIO and RSA
 public
 decrypt functions. So a bug in the binary search in appeared:

 Current code:

 const void *OBJ_bsearch_ex_(const void *key, const void *base_, int
 num,
 int size,
 int (*cmp)(const void *, const void *),
 int flags)
 {
 const char *base=base_;
 int l,h,i=0,c=0;
 const char *p = NULL;

 if (num == 0) return(NULL);
 l=0;
 h=num;
 while (l  h)
 {
 i=(l+h)/2;
 p= (base[i*size]);
 c=(*cmp)(key,p);
 if (c  0)
 h=i;
 else if (c  0)
 l=i+1;
 else
 break;
 }


 [...]

 My case: size = 4
 num = 4

 In the first round i evaluates to 2 which can not be divided by size
 and lets p
 escape the frame for the pointers, which results in a segfault.

 General case:

 This will fail for every case where num  (size * 2)


 My fix:

 const void *OBJ_bsearch_ex_(const void *key, const void *base_, int
 num,
 int size,
 int (*cmp)(const void *, const void *),
 int flags)
 {
 const char *base=base_;
 int l,h,i=0,c=0;
 const char *p = NULL;

 if (num == 0) return(NULL);
 if (num  size*2) {
 while(inum)
 {
 p=(base[i*size]);
 c=(*cmp)(key,p);
 if (!c) break;
 else ++i;
 }
 }
 else {
 l=0;
 h=num;
 while (l  h)
 {
 i=(l+h)/2;
 p= (base[i*size]);
 c=(*cmp)(key,p);
 if (c  0)
 h=i;
 else if (c  0)
 l=i+1;
 else
 break;
 }
 }

 [...]

 Regards

 Matthias Mucha


 --
 Richard Levitte
 levi...@openssl.org



___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Kurt Roeckx
On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote:
 On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
 
  Does OpenSSL have documented someplace exactly what it means to have a
  TRUSTED CERTIFICATE?
 
 It is a certificate + auxiliary data which specifies a friendly name
 plus a set of EKUs.

Mozilla provides a list of root certificates and that includes at
least the trust settings for that certificate.  In Debian we then
extract the certificates from that so that it can be used by
applications that need to have a list of trusted CAs.  However
those trust settings are removed because not everything that wants
to use those certificates understands the trusted certificate.  It
would be useful to have a standardised format.


Kurt

___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


Re: [openssl-dev] OpenSSL and certain PEM formats

2014-12-19 Thread Sean Leonard

On Dec 19, 2014, at 11:35 AM, Kurt Roeckx k...@roeckx.be wrote:

 On Fri, Dec 19, 2014 at 03:05:32PM +, Viktor Dukhovni wrote:
 On Fri, Dec 19, 2014 at 08:47:55AM -0500, Daniel Kahn Gillmor wrote:
 
 Does OpenSSL have documented someplace exactly what it means to have a
 TRUSTED CERTIFICATE?
 
 It is a certificate + auxiliary data which specifies a friendly name
 plus a set of EKUs.
 
 Mozilla provides a list of root certificates and that includes at
 least the trust settings for that certificate.  

What exactly is the Mozilla (NSS) format? How does it differ from the OpenSSL 
format?

Sean
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev


[openssl-dev] TMN - Receber aqui os MMS que lhe enviarem

2014-12-19 Thread openssl-dev
Spam detection software, running on the system mta,
has identified this incoming email as possible spam.  The original
message has been attached to this so you can view it or label
similar future email.  If you have any questions, see
@@CONTACT_ADDRESS@@ for details.

Content preview:  [...] 

Content analysis details:   (5.2 points, 5.0 required)

 pts rule name  description
 -- --
 0.0 URIBL_BLOCKED  ADMINISTRATOR NOTICE: The query to URIBL was 
blocked.
See

http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information.
[URIs: imgbox.com]
 0.0 NORMAL_HTTP_TO_IP  URI: Uses a dotted-decimal IP address in URL
 0.3 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 0.0 HTML_MESSAGE   BODY: HTML included in message
-0.0 RCVD_IN_MSPIKE_H3  RBL: Good reputation (+3)
[194.97.152.144 listed in wl.mailspike.net]
-0.0 RCVD_IN_MSPIKE_WL  Mailspike good senders
 0.1 HTML_SHORT_LINK_IMG_1  HTML is very short with a linked image
 0.6 HTML_MIME_NO_HTML_TAG  HTML-only message, but there is no HTML tag
 0.0 T_REMOTE_IMAGE Message contains an external image
 3.0 TO_EQ_FM_HTML_ONLY To == From and HTML only

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.

---BeginMessage---

---End Message---
___
openssl-dev mailing list
openssl-dev@openssl.org
https://mta.opensslfoundation.net/mailman/listinfo/openssl-dev