[openssl-dev] [openssl.org #4056] 1.0.2d and Configure issue under X32 (ARFLAGS is architecture name?)

2015-09-21 Thread noloa...@gmail.com via RT
I experienced this issue under X32. X32 provides 32-bit integers,
longs and pointers combined with the richness of the x86_64 register set.
Debian has a chroot environment for X32 at
https://wiki.debian.org/X32Port.

It appears ARFLAGS is set to the architecture when using RPATH options
in Configure's $cflags and $ldflags. RPATHS are important (IMHO)
because OpenSSL can get into a situation where /usr/local/bin/openssl
uses /usr/local/lib/libssl.so, but libssl.so uses the system's
/usr/lib/libcrypto.so.

I added a Configure target that provides RPATH options to $cflags
(field 2) and $ldflags (field 6):

# ./Configure LIST | grep x32
linux-x32
linux-x32-rpath
linux32-s390x

Here's what it looks like (copy and paste from under emacs; ignore the
backslashes):

"linux-x32-rpath","gcc:-mx32 -DL_ENDIAN -O3 -Wall
-Wl,-rpath=/usr/local/ssl\
/lib::-D_REENTRANT::-Wl,-rpath=/usr/local/ssl/lib
-ldl:SIXTY_FOUR_BIT RC4_CHUNK\
_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC
-mx32:.so.\$(\
SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",

And below is what it results in, which fails under `make` because `ARFLAGS=m32`.

Jeff

**

# unset ARFLAGS
# ./Configure linux-x32-rpath shared enable-ec_nistp_64_gcc_128
Configuring for linux-x32-rpath
no-gmp  [default]  OPENSSL_NO_GMP (skip dir)
no-jpake[experimental] OPENSSL_NO_JPAKE (skip dir)
no-krb5 [krb5-flavor not specified] OPENSSL_NO_KRB5
no-libunbound   [experimental] OPENSSL_NO_LIBUNBOUND (skip dir)
no-md2  [default]  OPENSSL_NO_MD2 (skip dir)
no-rc5  [default]  OPENSSL_NO_RC5 (skip dir)
no-rfc3779  [default]  OPENSSL_NO_RFC3779 (skip dir)
no-sctp [default]  OPENSSL_NO_SCTP (skip dir)
no-ssl-trace[default]  OPENSSL_NO_SSL_TRACE (skip dir)
no-store[experimental] OPENSSL_NO_STORE (skip dir)
no-unit-test[default]  OPENSSL_NO_UNIT_TEST (skip dir)
no-zlib [default]
no-zlib-dynamic [default]
IsMK1MF=0
CC=gcc
CFLAG =-fPIC -mx32 -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -mx32 -DL_ENDIAN -O3 -Wall
-Wl,-rpath=/usr/local/ssl/lib -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
EX_LIBS   =-Wl,-rpath=/usr/local/ssl/lib -ldl
CPUID_OBJ =x86_64cpuid.o
BN_ASM=x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o
rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
EC_ASM=ecp_nistz256.o ecp_nistz256-x86_64.o
DES_ENC   =des_enc.o fcrypt_b.o
AES_ENC   =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o
aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o
aesni-mb-x86_64.o
BF_ENC=bf_enc.o
CAST_ENC  =c_enc.o
RC4_ENC   =rc4-x86_64.o rc4-md5-x86_64.o
RC5_ENC   =rc5_enc.o
MD5_OBJ_ASM   =md5-x86_64.o
SHA1_OBJ_ASM  =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o
sha1-mb-x86_64.o sha256-mb-x86_64.o
RMD160_OBJ_ASM=
CMLL_ENC  =cmll-x86_64.o cmll_misc.o
MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o
ENGINES_OBJ   =
PROCESSOR =
RANLIB=/usr/bin/ranlib
ARFLAGS   =x32
PERL  =/usr/bin/perl
SIXTY_FOUR_BIT mode
DES_UNROLL used
DES_INT used
RC4_CHUNK is unsigned long long
created directory `include/openssl'
...

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] [openssl.org #4055] FIPS Object Module User Guide corrections needed for (*get_entropy)()

2015-09-21 Thread Gibbons, Lee D via RT
This is to highlight a bug in the FIPS Object Module 2.10 and corrective 
documentation in its User Guide.

The User Guide for the FIPS Object Module 2.10 describes the (*get_entropy)() 
callback:

size_t (*get_entropy)(DRBG_CTX *ctx, unsigned char **pout,
   int entropy, size_t min_len, size_t max_len)

"A call to this function requests entropy bits of entropy in a buffer of
between min_len and max_len size bytes inclusive. The values of these are
mechanism specific and taken from SP800-90 tables. This callback should then
return the amount of data in the buffer *pout and the length in the return
value, or zero in case of being unable to retrieve sufficient entropy."

The caller of (*get_entropy)() is the static function fips_get_entropy(). 
Notice how it constructs the  value, which should be in bits:

 rv = dctx->get_entropy(dctx, , entropy + bl,
min_len + bl, max_len + bl);
 *pout = tout + bl;
 if (rv < (min_len + bl) || (rv % bl))
   return 0;

The "entropy + bl" expression is mixing types, adding bits and bytes together. 
Anyone defining a (*get_entropy)() callback had better ignore the  
parameter. What's more, the callback had better return  rounded up to 
a dctx->entropy_blocklen boundary or face failure. The User Guide mentions none 
of this.

I realize the FIPS Object Module is frozen. The documentation should be 
corrected to expose the real restrictions on the callback.

Doug Gibbons | Consulting Engineer | Avaya Inc. | 12121 Grant St | 2S-237 | 
Thornton, CO 80241 | 303-538-3538 | 
ldgibb...@avaya.com
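
The caller-side check quoted in the message above, modelled as an added example (not code from the post, the User Guide, or OpenSSL) with one callback written from the User Guide text and one written to the restrictions the post describes. MODEL_CTX, entropy_cb, pool, cb_per_guide, cb_block_aligned and caller_accepts are hypothetical names, and passing the address of tout as the second argument is an assumption, since that argument is missing from the snippet as archived.

```c
#include <stddef.h>

/* Hypothetical stand-in for DRBG_CTX with only the members the post names. */
typedef struct model_ctx MODEL_CTX;
typedef size_t (*entropy_cb)(MODEL_CTX *ctx, unsigned char **pout,
                             int entropy, size_t min_len, size_t max_len);
struct model_ctx { size_t entropy_blocklen; entropy_cb get_entropy; };

static unsigned char pool[256]; /* constructed placeholder bytes, not entropy */

/* Written from the User Guide text alone: returns exactly min_len bytes. */
static size_t cb_per_guide(MODEL_CTX *ctx, unsigned char **pout,
                           int entropy, size_t min_len, size_t max_len)
{
    (void)ctx; (void)entropy; (void)max_len;
    if (min_len > sizeof(pool)) return 0;
    *pout = pool;
    return min_len;
}

/* Written to the restrictions in the post: ignores `entropy` and rounds the
 * returned length up to a multiple of entropy_blocklen. */
static size_t cb_block_aligned(MODEL_CTX *ctx, unsigned char **pout,
                               int entropy, size_t min_len, size_t max_len)
{
    size_t bl = ctx->entropy_blocklen;
    size_t len = bl ? ((min_len + bl - 1) / bl) * bl : min_len;
    (void)entropy;
    if (len > max_len || len > sizeof(pool)) return 0;
    *pout = pool;
    return len;
}

/* Model of the caller-side check quoted in the post (bl must be non-zero).
 * Returns 1 when the callback's result would be accepted, 0 otherwise. */
static int caller_accepts(entropy_cb cb, size_t bl, int entropy,
                          size_t min_len, size_t max_len)
{
    MODEL_CTX ctx = { bl, cb };
    unsigned char *tout = NULL;
    size_t rv;
    if (bl == 0) return 0;
    rv = ctx.get_entropy(&ctx, &tout, entropy + (int)bl,
                         min_len + bl, max_len + bl);
    if (rv < (min_len + bl) || (rv % bl))
        return 0;
    return tout != NULL;
}
```

With a block length of 16, the guide-only callback is rejected when min_len is 24 (it returns 40 bytes, not a multiple of 16) and accepted when min_len is 32 only because 48 happens to be aligned.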





Re: [openssl-dev] Some tests fail on the current/latest SNAP

2015-09-21 Thread Blumenthal, Uri - 0553 - MITLL
Richard and Matt,

Thank you very much for your help. I confirm that the problems
disappeared, and all the tests now succeed:

$ make test
testing...
make[1]: Entering directory `/media/uri/Src/openssl/test'
make[2]: Entering directory `/media/uri/Src/openssl'
making all in apps...
make[3]: Entering directory `/media/uri/Src/openssl/apps'
make[3]: Nothing to be done for `all'.
make[3]: Leaving directory `/media/uri/Src/openssl/apps'
make[2]: Leaving directory `/media/uri/Src/openssl'
TOP=.. PERL=/usr/bin/perl /usr/bin/perl run_tests.pl alltests
../test/recipes/00-check_testexes.t ... ok
../test/recipes/05-test_bf.t .. ok
../test/recipes/05-test_cast.t  ok
../test/recipes/05-test_des.t . ok
../test/recipes/05-test_hmac.t  ok
../test/recipes/05-test_idea.t  ok
../test/recipes/05-test_md2.t . ok
../test/recipes/05-test_md4.t . ok
../test/recipes/05-test_md5.t . ok
../test/recipes/05-test_mdc2.t  ok
../test/recipes/05-test_rand.t  ok
../test/recipes/05-test_rc2.t . ok
../test/recipes/05-test_rc4.t . ok
../test/recipes/05-test_rc5.t . ok
../test/recipes/05-test_rmd.t . ok
../test/recipes/05-test_sha1.t  ok
../test/recipes/05-test_sha256.t .. ok
../test/recipes/05-test_sha512.t .. ok
../test/recipes/05-test_wp.t .. ok
../test/recipes/10-test_bn.t .. ok
../test/recipes/10-test_exp.t . ok
../test/recipes/15-test_dh.t .. ok
../test/recipes/15-test_dsa.t . ok
../test/recipes/15-test_ec.t .. ok
../test/recipes/15-test_ecdh.t  ok
../test/recipes/15-test_ecdsa.t ... ok
../test/recipes/15-test_rsa.t . ok
../test/recipes/20-test_enc.t . ok
../test/recipes/25-test_crl.t . ok
../test/recipes/25-test_gen.t . ok
../test/recipes/25-test_pkcs7.t ... ok
../test/recipes/25-test_req.t . ok
../test/recipes/25-test_sid.t . ok
../test/recipes/25-test_verify.t .. ok
../test/recipes/25-test_x509.t  ok
../test/recipes/30-test_engine.t .. ok
../test/recipes/30-test_evp.t . ok
../test/recipes/30-test_evp_extra.t ... ok
../test/recipes/30-test_pbelu.t ... ok
../test/recipes/40-test_rehash.t .. ok
../test/recipes/70-test_clienthello.t . ok
../test/recipes/70-test_packet.t .. ok
../test/recipes/70-test_sslextension.t  ok
../test/recipes/70-test_sslsessiontick.t .. ok
../test/recipes/70-test_sslskewith0p.t  ok
../test/recipes/70-test_sslvertol.t ... ok
../test/recipes/70-test_verify_extra.t  ok
../test/recipes/80-test_ca.t .. ok
../test/recipes/80-test_cms.t . ok
../test/recipes/80-test_ocsp.t  ok
../test/recipes/80-test_ssl.t . ok
../test/recipes/80-test_tsa.t . ok
../test/recipes/90-test_constant_time.t ... ok
../test/recipes/90-test_gmdiff.t .. ok
../test/recipes/90-test_gost2814789.t . ok
../test/recipes/90-test_heartbeat.t ... ok
../test/recipes/90-test_ige.t . ok
../test/recipes/90-test_jpake.t ... ok
../test/recipes/90-test_np.t .. ok
../test/recipes/90-test_p5_crpt2.t  ok
../test/recipes/90-test_secmem.t .. ok
../test/recipes/90-test_srp.t . ok
../test/recipes/90-test_v3name.t .. ok
All tests successful.
Files=63, Tests=343, 29 wallclock secs ( 0.36 usr  0.05 sys + 19.63 cusr
8.62 csys = 28.66 CPU)
Result: PASS
make[1]: Leaving directory `/media/uri/Src/openssl/test'
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.1.0-dev xx XXX 
built on: reproducible build, date unspecified
platform: linux-x86_64
compiler: gcc -I. -I.. -I../include -Iinclude  -fPIC -DOPENSSL_PIC -DZLIB
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-Wa,--noexecstack -m64 -DL_ENDIAN -Wall -O3 -DOPENSSL_EXPERIMENTAL_JPAKE
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"


-- 
Regards,
Uri Blumenthal





On 9/20/15, 14:09 , "Richard Levitte"  wrote:

>In message <55fdb8f1.1000...@openssl.org> on Sat, 19 Sep 2015 20:35:13
>+0100, Matt Caswell  said:
>
>matt> On 18/09/15 21:24, Blumenthal, Uri - 0553 - MITLL wrote
>matt> > # Looks like you planned 11 tests but ran 20.
>matt> > 
>matt> > 
>matt> > #   Failed test 'CMS <=> CMS consistency tests, modified key
>parameters
>matt> > # '
>matt> > #   at ../test/recipes/80-test_cms.t line 460.
>matt> > # Looks like you failed 1 test of 4.
>matt> > ../test/recipes/80-test_cms.t .
>matt> > Dubious, test returned 1 (wstat 256, 0x100)
>matt> > Failed 1/4 

Re: [openssl-dev] CBC mode does not seems to work in OpenSSL 1.0.2d

2015-09-21 Thread Salz, Rich
> I have ported OpenSSL 1.0.2d on our product. After that CBC mode is not 
> working. Handshakes are failing with bad mac alert failure. When I checked 
> the code mac retrieved from ssl3_cbc_copy_mac does not match with the 
> calculated mac.

Try using the openssl ciphers command to narrow down the differences.


Re: [openssl-dev] [openssl.org #4042] Build Bug w/ OpenSSL on Windows? No Applink

2015-09-21 Thread Jan Ehrhardt
Stephen Henson via RT in gmane.comp.encryption.openssl.devel (Sun, 20 Sep
2015 22:51:21 +):
>In more detail I just tried a build from sources. I did this:
>
>set FIPSDIR=X:\some\for\fips\module\installation
>cd 
>ms\do_fips
>cd 
>perl Configure VC-WIN32 fips
>nmake -f ms\ntdll.mak
>
>With no problems. I'd suggest you try that as a starting point and let me know
>of any errors you get. You will need to install nasm for that to work.

Did you do that with VS2015 aka VC14? The Apache and PHP world is moving
to VC14. PHP7 will only be built with VC14.
-- 
Jan



[openssl-dev] [openssl.org #3823] [PATCH] Improve the robustness of event logging

2015-09-21 Thread Rich Salz via RT
fixed on master, thanks.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3823] [PATCH] Improve the robustness of event logging

2015-09-21 Thread Rich Salz via RT
also in 1.0.2 and 1.0.1, in addition to master.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org



[openssl-dev] [openssl.org #3479] BIO_read_filename() does not handle UTF-8 on Windows, as BIO_new_file() does.

2015-09-21 Thread Rich Salz via RT
OpenSSL_1_0_1-stable 21d8f24 RT3479: Add UTF8 support to BIO_read_filename()
OpenSSL_1_0_2-stable 0ea050e RT3479: Add UTF8 support to BIO_read_filename()
master ff03599 RT3479: Add UTF8 support to BIO_read_filename()

Author: David Woodhouse 
Date: Wed Sep 9 15:49:01 2015 -0400


--
Rich Salz, OpenSSL dev team; rs...@openssl.org



Re: [openssl-dev] [openssl.org #4042] Build Bug w/ OpenSSL on Windows? No Applink

2015-09-21 Thread Jan Ehrhardt
Jan Ehrhardt in gmane.comp.encryption.openssl.devel (Mon, 21 Sep 2015
22:42:17 +0200):
>Stephen Henson via RT in gmane.comp.encryption.openssl.devel (Sun, 20 Sep
>2015 22:51:21 +):
>>In more detail I just tried a build from sources. I did this:
>>
>>set FIPSDIR=X:\some\for\fips\module\installation
>>cd 
>>ms\do_fips
>>cd 
>>perl Configure VC-WIN32 fips
>>nmake -f ms\ntdll.mak
>>
>>With no problems. I'd suggest you try that as a starting point and let me know
>>of any errors you get. You will need to install nasm for that to work.
>
>Did you do that with VS2015 aka VC14? The Apache and PHP world is moving
>to VC14. PHP7 will only be built with VC14.

The error message with VC14 is still the same as it was with FIPS 2.0.9:

N:\openssl>nmake -f ms\ntdll.mak test

Microsoft (R) Program Maintenance Utility Version 14.00.23026.0
Copyright (C) Microsoft Corporation.  All rights reserved.

SET FIPS_LINK=link
SET FIPS_CC=cl
SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll
/MD /Ox /O2 /Ob2 -DOPENSSL_THREADS  -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo
-DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN
-D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
-I\usr\local\ssl\fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
-DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2
-DOPENSSL_NO_KRB5 -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE
-DOPENSSL_NO_STATIC_ENGINE /Fdtmp32dll/lib -D_WINDLL  -c
SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe
SET
FIPS_SHA1_EXE=\usr\local\ssl\fips-2.0\bin\fips_standalone_sha1.exe
SET FIPS_TARGET=out32dll\libeay32.dll
SET FIPSLIB_D=\usr\local\ssl\fips-2.0\lib
perl \usr\local\ssl\fips-2.0\bin\fipslink.pl /nologo
/subsystem:console /opt:ref /debug /dll /fixed /map  /base:0xFB0
/out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @d:\temp\nm50A8.tmp
Invalid hash syntax in file at \usr\local\ssl\fips-2.0\bin\fipslink.pl
line 90.
NMAKE : fatal error U1077: 'C:\Perl64\bin\perl.EXE' : return code '0xff'
Stop.

N:\openssl>out32dll\fips_premain_dso.exe out32dll\libeay32.dll
OPENSSL_Uplink(00DB5000,08): no OPENSSL_Applink

Jan
