Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
In message <20160116183724.gi12...@calimero.vinschen.de> on Sat, 16 Jan 2016 19:37:24 +0100, Corinna Vinschen said:

vinschen> Who had this funny idea to use the Windows definitions when building for
vinschen> Cygwin?

I'm afraid that is lost in the thin web of history ;-)

vinschen> Please, please, please, Cygwin is a *POSIX* layer. Please don't use
vinschen> Windows functions on Cygwin, use POSIX functions and POSIX methods,
vinschen> *unless* it's really necessary.

I hear ya.

vinschen> Last but not least, we have a small build problem when building for the
vinschen> distro: To build the packages with additional debuginfo packages, the
vinschen> packages must not be built with the -s option, plus we have to induce a
vinschen> few options for the sake of creating the debuginfo information. Up to
vinschen> 1.0.2 we do this by tweaking openssl's build system. We add an expression
vinschen> $(OPT_CFLAGS) to the CFLAGS definition for that. If there's a better,
vinschen> easier way to do this, I'd be grateful for a hint.

OPT_FLAGS would be for optimizing, do I get that right?

I suggest you have a look at Configurations/10-main.conf, you might notice configuration items like debug_cflags, release_cflags, debug_lflags and release_lflags.

If you have a look at my refactor-build branch, you will see a fairly thorough Configurations/README. If you look at the commit titled "Refactor config - move templates docs asm templates to Configurations", you'll find the documentation that's applicable to what Configure in the master branch supports... later editions are currently only supported in my branch.

vinschen> The attached patchset fixes all of the above. With this,
vinschen> openssl-1.1.0-pre2 builds fine for Cygwin.

I'll have a closer look at all that tomorrow.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Upcoming build system change
In message <20160116164653.gh12...@calimero.vinschen.de> on Sat, 16 Jan 2016 17:46:53 +0100, Corinna Vinschen said:

vinschen> > ./config --unified
vinschen>
vinschen> I tried that and it doesn't work correctly for Cygwin on x86_64.
vinschen> Rather than choosing the "Cygwin-x86_64" configuration, it chooses
vinschen> the "Cygwin" configuration which is for the i686 based 32 bit
vinschen> version of Cygwin.
vinschen>
vinschen> Can this be rectified easily?
vinschen>
vinschen> Btw., for the new unified configuration it might make sense to
vinschen> rename "Cygwin" to "Cygwin-i686". -march could then be set for
vinschen> i686 as well since 32 bit Cygwin won't run on older CPUs anyway.

Hey Corinna,

This particular issue has nothing at all to do with my build system changes, and everything to do with the "config" script. Its responsibility is to figure out what the platform target should be and then call Configure with it. If you have a look in "config", it doesn't generate "Cygwin-x86_64" at all.

Would you be willing to have a look at that script and modernise it regarding Cygwin?

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: [openssl-dev] SSL_set_tlsext_host_name(ssl, "")
On Sat, Jan 16, 2016, Viktor Dukhovni wrote:
> > Please try the two attached patches.
> Better version of the first patch.

Those solve the problem for me. Thanks!
Re: [openssl-dev] Keyed hashing APIs for EVP?
On Sat, Jan 16, 2016, Bill Cox wrote:
>
> I feel keyed hashing is here to stay. Keccak also has this feature.
> Assuming I'm reading the EVP API correctly, should add support for keyed
> digests to EVP. What do you folks think?
>

Support for MAC already exists in EVP. It's possible to access HMAC, CMAC and GOST MAC algorithms using EVP. The interface isn't very friendly however and could be tidied up a bit.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: [openssl-dev] [openssl.org #4250] [typos] doc/ssl/SSL_CTX_dane_enable.pod
> On Jan 16, 2016, at 3:56 PM, Claus Assmann via RT wrote: > > -int depth = SSL_get0_dane_authority(s, NULL, &mspki); > +int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); > -(void) SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL); > +(void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, > NULL); Merged. Thanks. -- Viktor. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4251] PR request: Add OCSP_SINGLERESP_get0_id() accessor
Since the 1.1.0 API will be frozen soon, can you review the following pull request Remi Gacogne posted:

Add an OCSP_SINGLERESP_get0_id() accessor to the OCSP_CERTID of an OCSP_SINGLERESP
https://github.com/openssl/openssl/pull/334

Thank you!
[openssl-dev] [openssl.org #4250] [typos] doc/ssl/SSL_CTX_dane_enable.pod
The example uses "s" in some places instead of "ssl": diff --git a/doc/ssl/SSL_CTX_dane_enable.pod b/doc/ssl/SSL_CTX_dane_enable.pod index c3c203e..21788ad 100644 --- a/doc/ssl/SSL_CTX_dane_enable.pod +++ b/doc/ssl/SSL_CTX_dane_enable.pod @@ -210,9 +210,9 @@ the lifetime of the SSL connection. const char *peername = SSL_get0_peername(ssl); EVP_PKEY *mspki = NULL; -int depth = SSL_get0_dane_authority(s, NULL, &mspki); +int depth = SSL_get0_dane_authority(ssl, NULL, &mspki); if (depth >= 0) { -(void) SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL); +(void) SSL_get0_dane_tlsa(ssl, &usage, &selector, &mtype, NULL, NULL); printf("DANE TLSA %d %d %d %s at depth %d\n", usage, selector, mtype, (mspki != NULL) ? "TA public key verified certificate" : depth ? "matched TA certificate" : "matched EE certificate", ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4219] [typos] DANE related docs
yes fixed; closing.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4183] No SSL_CIPHER_description() for ChaCha20/Poly1305
yes, fixed. closing.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
we did everything we want to do, closing this.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4222] Wrong definition of the macro SSL_set1_sigalgs in ssl.h (PR #519)
merged, closing.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4174] Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633)
Yes merged and closing this.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4140] GITHUB PULL REQUEST: do not load engines twice
Merged, closing.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: [openssl-dev] "SSL_dane_enable() may be called"
> On Jan 16, 2016, at 2:32 PM, Claus Assmann wrote:
>
> - or very explicit:
> SSL_dane_enable() must be called before the SSL handshake is initiated
> with L if (and only if) you want to enable DANE for
> that connection.

I'm going with this one. Thanks.

--
Viktor.
[openssl-dev] [openssl.org #4112] GH458: Fix "primarility" typo
right, this was merged; closing.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4026] patches to eliminate some warnings from clang
Compiler warnings in non-master aren't going to be addressed unless we see they are bugs. Closing this.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
[openssl-dev] [openssl.org #4239] [PATCH] fixing wildcard matching on punycode domains
Viktor merged this in.
--
Rich Salz, OpenSSL dev team; rs...@openssl.org
Re: [openssl-dev] MSVC 2015 internal compiler error
Hi,

FWIW I encountered the same problem last week with the statem_srvr.c. I understood that it was a compiler bug, but suspected there was an underlying problem with the source code, as usually it is an error in MY code that makes the compiler crash... :-(

So I gave a try to Visual Studio Community 2013 SP 5, and it compiles even without a warning.

Contrary to what I read, the update 1 of VS 2015 didn't fix this.

-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On behalf of Gisle Vanem
Sent: Saturday, 16 January 2016 11:43
To: OpenSSL-dev
Subject: [openssl-dev] MSVC 2015 internal compiler error

While building OpenSSL from today's git-repo:

ssl\d1_srtp.c : fatal error C1001: An internalerror has occurred in the compiler.
(compiler file 'f:\dd\vctools\compiler\utc\src\p2\main.c', line 246)
To work around this problem, try simplifying or changing the program near the locations listed above.
Please choose the Technical Support command on the Visual C++ Help menu, or open the Technical Support help file for more information
INTERNAL COMPILER ERROR in 'f:\gv\VC_2015\bin\cl.exe'
Please choose the Technical Support command on the Visual C++ Help menu, or open the Technical Support help file for more information
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Jan 16 20:01, Corinna Vinschen wrote: > On Jan 16 19:59, Kurt Roeckx wrote: > > On Sat, Jan 16, 2016 at 07:42:50PM +0100, Corinna Vinschen wrote: > > > On Jan 16 19:37, Corinna Vinschen wrote: > > > > On Jan 14 15:44, Richard Levitte wrote: > > > > > -BEGIN PGP SIGNED MESSAGE- > > > > > Hash: SHA1 > > > > > > > > > > > > > > >OpenSSL version 1.1.0 pre release 2 (alpha) > > > > >=== > > > > > > > > I tried to build this for Cygwin and got some problems. > > > > [...] > > > > The attached patchset fixes all of the above. With this, > > > > openssl-1.1.0-pre2 builds fine for Cygwin. > > > > > > I added another patch to this mail which sets the default CPU for 32 bit > > > Cygwin builds to i686, as outlined in another mail. Cygwin won't run on > > > older CPUs anyway. The path depends on the 2nd patch from my previous > > > mail. > > > > Is gcc configure to only produce i686 code on cygwin, and so can > > we maybe drop the -march instead? > > Oh yes, indeed. Sorry I missed that :} Here's the changed patch. Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From 544d74273588d8d3e887a2b0b32d2e5afb76d7d9 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Sat, 16 Jan 2016 19:39:37 +0100 Subject: [PATCH] On 32 bit Cygwin, build for 686 CPUs only Cygwin only supports at least i686 on 32 bit. Just build for the default CPU type. Signed-off-by: Corinna Vinschen --- Configurations/10-main.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index d732a82..14ed3a7 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf 
@@ -1224,7 +1224,7 @@ "Cygwin" => { inherit_from => [ asm("x86_asm") ], cc => "gcc", -cflags => "\$(OPT_CFLAGS) -DTERMIOS -DL_ENDIAN -march=i486 -Wall", +cflags => "\$(OPT_CFLAGS) -DTERMIOS -DL_ENDIAN -Wall", debug_cflags => "-g -O0", release_cflags => "-O3 -fomit-frame-pointer", sys_id => "CYGWIN", -- 2.5.0 signature.asc Description: PGP signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
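Review bot: on the changed `cflags` line of the "Cygwin" target, removing `-march=i486` with no replacement leaves the baseline CPU to the compiler's default, and nothing in the entry records that this is deliberate. Add a short comment next to `cflags` saying that the default architecture of the Cygwin gcc is relied on, so that a later cleanup does not put an explicit `-march` back.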
Re: [openssl-dev] "SSL_dane_enable() may be called"
On Sat, Jan 16, 2016, Viktor Dukhovni wrote:
> On Sat, Jan 16, 2016 at 04:30:26AM -0800, Claus Assmann wrote:
> > SSL_dane_enable() may be called before the SSL handshake is
> > initiated with L to enable DANE for that connection.
> > "may" seems to be a bit confusing here: if you want "to enable DANE
> > for that connection" then you "must" call the function, right?
> Correct. And conversely must not be called, if the intention is
> to not enable DANE. Any suggested improvements of the text.

- simply replace "may" with "must"?
  SSL_dane_enable() must be called before the SSL handshake is
  initiated with L to enable DANE for that connection.

- this might be better:
  To enable DANE for a connection SSL_dane_enable() must be called
  before the SSL handshake is initiated with L.

- or very explicit:
  SSL_dane_enable() must be called before the SSL handshake is initiated
  with L if (and only if) you want to enable DANE for
  that connection.
Re: [openssl-dev] "SSL_dane_enable() may be called"
On Sat, Jan 16, 2016 at 04:30:26AM -0800, Claus Assmann wrote:
> SSL_CTX_dane_enable.pod states:
>
> SSL_dane_enable() may be called before the SSL handshake is
> initiated with L to enable DANE for that connection.
>
> "may" seems to be a bit confusing here: if you want "to enable DANE
> for that connection" then you "must" call the function, right?

Correct. And conversely must not be called, if the intention is to not enable DANE. Any suggested improvements of the text.

--
Viktor.
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Jan 16 19:59, Kurt Roeckx wrote:
> On Sat, Jan 16, 2016 at 07:42:50PM +0100, Corinna Vinschen wrote:
> > On Jan 16 19:37, Corinna Vinschen wrote:
> > > On Jan 14 15:44, Richard Levitte wrote:
> > > > -BEGIN PGP SIGNED MESSAGE-
> > > > Hash: SHA1
> > > >
> > > >    OpenSSL version 1.1.0 pre release 2 (alpha)
> > > >    ===
> > >
> > > I tried to build this for Cygwin and got some problems.
> > > [...]
> > > The attached patchset fixes all of the above. With this,
> > > openssl-1.1.0-pre2 builds fine for Cygwin.
> >
> > I added another patch to this mail which sets the default CPU for 32 bit
> > Cygwin builds to i686, as outlined in another mail. Cygwin won't run on
> > older CPUs anyway. The path depends on the 2nd patch from my previous
> > mail.
>
> Is gcc configured to only produce i686 code on cygwin, and so can
> we maybe drop the -march instead?

Oh yes, indeed. Sorry I missed that :}

Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Sat, Jan 16, 2016 at 07:42:50PM +0100, Corinna Vinschen wrote:
> On Jan 16 19:37, Corinna Vinschen wrote:
> > On Jan 14 15:44, Richard Levitte wrote:
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA1
> > >
> > >    OpenSSL version 1.1.0 pre release 2 (alpha)
> > >    ===
> >
> > I tried to build this for Cygwin and got some problems.
> > [...]
> > The attached patchset fixes all of the above. With this,
> > openssl-1.1.0-pre2 builds fine for Cygwin.
>
> I added another patch to this mail which sets the default CPU for 32 bit
> Cygwin builds to i686, as outlined in another mail. Cygwin won't run on
> older CPUs anyway. The path depends on the 2nd patch from my previous
> mail.

Is gcc configured to only produce i686 code on cygwin, and so can we maybe drop the -march instead?

Kurt
Re: [openssl-dev] SSL_set_tlsext_host_name(ssl, "")
On Sat, Jan 16, 2016 at 06:41:43PM +, Viktor Dukhovni wrote: > > This can also be reproduced using > > openssl s_client -servername "" ... > > Please try the two attached patches. Better version of the first patch. -- Viktor. >From 792fd81abdffd068162077bdb972baccfe09f280 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 12:57:24 -0500 Subject: [PATCH 1/2] Empty SNI names are not valid While empty inputs to SSL_set1_host() clear the reference identifier list. --- crypto/x509/x509_vpm.c | 4 ++-- ssl/s3_lib.c | 5 - 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 827360d..8826fec 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -92,11 +92,11 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, * Refuse names with embedded NUL bytes, except perhaps as final byte. * XXX: Do we need to push an error onto the error stack? */ -if (namelen == 0) +if (namelen == 0 || name == NULL) namelen = name ? strlen(name) : 0; else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen)) return 0; -if (name && name[namelen - 1] == '\0') +if (namelen > 0 && name[namelen - 1] == '\0') --namelen; if (mode == SET_HOST) { diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index de8dae2..54b8eba 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -3534,13 +3534,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { +size_t len; + OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; ret = 1; if (parg == NULL) break; -if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { +len = strlen((char *)parg); +if (len == 0 || len > TLSEXT_MAXLEN_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } -- 2.5.4 (Apple Git-61) ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
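Review bot: in the crypto/x509/x509_vpm.c hunk, now that the first condition catches `name == NULL`, the `name &&` test in the unchanged `else if (name && memchr(...))` line can never be false and should be dropped. The new `namelen > 0 && name[namelen - 1] == '\0'` test is safe for a NULL `name` only because that first branch forces `namelen` to 0; a one-line comment saying so would keep a later edit from reintroducing the out-of-range read.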
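Review bot: in the ssl/s3_lib.c hunk, the new `len == 0` rejection runs after `OPENSSL_free(s->tlsext_hostname)` and `s->tlsext_hostname = NULL`, so a call that fails with SSL_R_SSL3_EXT_INVALID_SERVERNAME has already discarded the previously configured SNI name. Move the length check ahead of the free so that a rejected name leaves the existing value in place, or document that a failed call clears it.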
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Jan 16 19:37, Corinna Vinschen wrote: > On Jan 14 15:44, Richard Levitte wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > > >OpenSSL version 1.1.0 pre release 2 (alpha) > >=== > > I tried to build this for Cygwin and got some problems. > [...] > The attached patchset fixes all of the above. With this, > openssl-1.1.0-pre2 builds fine for Cygwin. I added another patch to this mail which sets the default CPU for 32 bit Cygwin builds to i686, as outlined in another mail̇. Cygwin won't run on older CPUs anyway. The path depends on the 2nd patch from my previous mail. Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From 3dca00f13e7ba3e798ef3f0cc059881056d1f43d Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Sat, 16 Jan 2016 19:39:37 +0100 Subject: [PATCH] On 32 bit Cygwin, build for 686 CPUs only Cygwin only supports at least i686 on 32 bit. Just build for this CPU type. Signed-off-by: Corinna Vinschen --- Configurations/10-main.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf index d732a82..02f9878 100644 --- a/Configurations/10-main.conf +++ b/Configurations/10-main.conf @@ -1224,7 +1224,7 @@ "Cygwin" => { inherit_from => [ asm("x86_asm") ], cc => "gcc", -cflags => "\$(OPT_CFLAGS) -DTERMIOS -DL_ENDIAN -march=i486 -Wall", +cflags => "\$(OPT_CFLAGS) -DTERMIOS -DL_ENDIAN -march=i686 -Wall", debug_cflags => "-g -O0", release_cflags => "-O3 -fomit-frame-pointer", sys_id => "CYGWIN", -- 2.5.0 signature.asc Description: PGP signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
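Review bot: the removed `cflags` line in this hunk already contains `\$(OPT_CFLAGS)`, so the patch only applies on top of the earlier patch that introduces it, yet the commit message does not mention that dependency. State it in the commit message (the covering mail does), or rebase the hunk onto a tree without that patch so it can be merged on its own.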
Re: [openssl-dev] SSL_set_tlsext_host_name(ssl, "")
On Sat, Jan 16, 2016 at 09:42:18AM -0800, Claus Assmann wrote: > While playing around with the DANE suppport in OpenSSL 1.1 Thanks for the test drive. > I noticed that the TLS handshake will fail if I specify an empty name: > SSL_dane_enable(ssl, "") Good catch. > (AFAICT no name is needed for DANE-TA(2) RRs). DANE requires the client to send SNI in all cases. The server will often ignore the SNI name if it has just one certificate. > This can also be reproduced using > openssl s_client -servername "" ... Please try the two attached patches. -- Viktor. >From c9f8d6dc5c37988ec5c721356b3e287a6d491c55 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 12:57:24 -0500 Subject: [PATCH 1/2] Empty SNI names are not valid While empty inputs to SSL_set1_host() clear the reference identifier list. --- crypto/x509/x509_vpm.c | 4 ++-- ssl/s3_lib.c | 5 - 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 827360d..b596d84 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -92,11 +92,11 @@ static int int_x509_param_set_hosts(X509_VERIFY_PARAM *vpm, int mode, * Refuse names with embedded NUL bytes, except perhaps as final byte. * XXX: Do we need to push an error onto the error stack? */ -if (namelen == 0) +if (namelen == 0 || name == NULL) namelen = name ? strlen(name) : 0; else if (name && memchr(name, '\0', namelen > 1 ? namelen - 1 : namelen)) return 0; -if (name && name[namelen - 1] == '\0') +if (name != NULL && name[namelen - 1] == '\0') --namelen; if (mode == SET_HOST) { diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index de8dae2..54b8eba 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c 
@@ -3534,13 +3534,16 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) #endif /* !OPENSSL_NO_EC */ case SSL_CTRL_SET_TLSEXT_HOSTNAME: if (larg == TLSEXT_NAMETYPE_host_name) { +size_t len; + OPENSSL_free(s->tlsext_hostname); s->tlsext_hostname = NULL; ret = 1; if (parg == NULL) break; -if (strlen((char *)parg) > TLSEXT_MAXLEN_host_name) { +len = strlen((char *)parg); +if (len == 0 || len > TLSEXT_MAXLEN_host_name) { SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME); return 0; } -- 2.5.4 (Apple Git-61) >From 8fc1c14db18d000437664d81e4e250d44179bdc0 Mon Sep 17 00:00:00 2001 From: Viktor Dukhovni Date: Sat, 16 Jan 2016 13:25:17 -0500 Subject: [PATCH 2/2] Better invalid SNI name error handling Also report an SSL_dane_enable error when the basedomain is an invalid SNI name. Avoid side-effects when such a name is valid with X509_VERIFY_PARAM_set1_host(), as e.g. with an empty name, by setting the SNI name first. --- ssl/ssl_lib.c | 18 -- 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 90de747..e922e3f 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c 
@@ -872,18 +872,24 @@ int SSL_dane_enable(SSL *s, const char *basedomain) return 0; } +/* + * Default SNI name. This rejects empty names, while set1_host below + * accepts them and disables host name checks. To avoid side-effects with + * invalid input, set the SNI name first. + */ +if (s->tlsext_hostname == NULL) { + if (!SSL_set_tlsext_host_name(s, basedomain)) { +SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); + return -1; +} +} + /* Primary RFC6125 reference identifier */ if (!X509_VERIFY_PARAM_set1_host(s->param, basedomain, 0)) { SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN); return -1; } -/* Default SNI name */ -if (s->tlsext_hostname == NULL) { - if (!SSL_set_tlsext_host_name(s, basedomain)) - return -1; -} - dane->mdpth = -1; dane->pdpth = -1; dane->dctx = &s->ctx->dane; -- 2.5.4 (Apple Git-61) ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
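Review bot: in the crypto/x509/x509_vpm.c hunk of patch 1/2, the changed test `name != NULL && name[namelen - 1] == '\0'` still evaluates `name[namelen - 1]` when `name` is the empty string, because the branch above it sets `namelen` to `strlen(name)`, which is 0. Guard on the length instead, for example `namelen > 0 && name[namelen - 1] == '\0'`.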
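Review bot: in the ssl/ssl_lib.c hunk of patch 2/2, the SNI validation that the new comment relies on is skipped whenever `s->tlsext_hostname` is already set, so an empty `basedomain` then reaches `X509_VERIFY_PARAM_set1_host()`, which the same comment says accepts it and disables host name checks. Reject an empty or otherwise invalid `basedomain` unconditionally before either setter runs. Note also that if `X509_VERIFY_PARAM_set1_host()` fails after the SNI name was set, the function returns -1 with the SNI name left modified.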
Re: [openssl-dev] OpenSSL version 1.1.0 pre release 2 published
On Jan 14 15:44, Richard Levitte wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
>    OpenSSL version 1.1.0 pre release 2 (alpha)
>    ===

I tried to build this for Cygwin and got some problems.

First, with 1.0.2, we built the Cygwin package with the options enable-tlsext and no-krb5. The 1.1.0 notes mention that Kerberos ciphersuite support has been removed, so am I right that "no-krb5" just isn't required anymore? And what about "enable-tlsext"? Is that unchangeable default now?

Second, it doesn't build. I configured as usual for the Cygwin distro with the following set of options:

  shared zlib enable-camellia enable-seed enable-rfc3779 enable-cms \
  enable-md2 no-idea no-rc5

[omitting enable-tlsext and no-krb5]

The build bailed out with the following error:

  gcc [...] -c -o ct_lib.o ct_lib.c
  In file included from /usr/include/w32api/windows.h:95:0,
                   from ../../include/openssl/async.h:60,
                   from ../../ssl/ssl_locl.h:166,
                   from ct_lib.c:63:
  ../../ssl/ssl_locl.h:1110:5: error: expected specifier-qualifier-list before '(' token
       X509_EXTENSIONS *tlsext_ocsp_exts;
       ^
  : recipe for target 'ct_lib.o' failed

Who had this funny idea to use the Windows definitions when building for Cygwin?

Please, please, please, Cygwin is a *POSIX* layer. Please don't use Windows functions on Cygwin, use POSIX functions and POSIX methods, *unless* it's really necessary.

And please, if you really think that Cygwin is lacking and you have to fall back to using Windows stuff, please *ask* first. It's really not helpful to use too much native Windows stuff because you're circumventing Cygwin's POSIX layer and you might (i.e will) inadvertently break something in POSIX applications built for Cygwin.

In this case, since Cygwin supports pthreads, why don't you use async_posix.h, which is the right thing to do on a POSIX system.
While I was looking into this, I also found the snippet in apps/speed.c which completely breaks Cygwin POSIX-like signal handling by using native Win32 functions rather than POSIX signal functions. Please, please, don't. Additionally it turned out that the configury used two different macros to control a Cygwin build for no good reason, OPENSSL_SYS_CYGWIN and OPENSSL_SYS_WIN32_CYGWIN. Last but not least, we have a small build problem when building for the distro: To build the packages with additional debuginfo packages, the packages must not be built with the -s option, plus we have to induce a few options for the sake of creating the debuginfo information. Up to 1.0.2 we do this by tweaking openssl's build system. We add an expression $(OPT_CFLAGS) to the CFLAGS definition for that. If there's a better, easier way to do this, I'd be grateful for a hint. The attached patchset fixes all of the above. With this, openssl-1.1.0-pre2 builds fine for Cygwin. Thanks, Corinna -- Corinna Vinschen Cygwin Maintainer Red Hat From ab1dba32d73a6c3df6bfebe68c9bd4440260b0d6 Mon Sep 17 00:00:00 2001 From: Corinna Vinschen Date: Sat, 16 Jan 2016 19:30:48 +0100 Subject: [PATCH 1/2] Use POSIX functions on Cygwin, not Win32 function Signed-off-by: Corinna Vinschen --- apps/speed.c| 10 +- crypto/async/arch/async_posix.h | 2 +- crypto/async/arch/async_win.h | 2 +- include/openssl/async.h | 2 +- test/asynctest.c| 4 ++-- 5 files changed, 6 insertions(+), 14 deletions(-) diff --git a/apps/speed.c b/apps/speed.c index d45a6f9..5bf1685 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -94,16 +94,8 @@ # include #endif -#if defined(_WIN32) || defined(__CYGWIN__) +#if defined(_WIN32) # include -# if defined(__CYGWIN__) && !defined(_WIN32) - /* - * should define _WIN32, which normally is mutually exclusive - * with __CYGWIN__, but if it didn't... - */ -# define _WIN32 - /* this is done because Cygwin alarm() fails sometimes. */ -# endif #endif #include 
diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index c247888..475b56f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -54,7 +54,7 @@ #define OPENSSL_ASYNC_ARCH_ASYNC_POSIX_H #include -#if defined(OPENSSL_SYS_UNIX) && defined(OPENSSL_THREADS) +#if (defined(OPENSSL_SYS_UNIX) || defined(OPENSSL_SYS_CYGWIN)) && defined(OPENSSL_THREADS) # include diff --git a/crypto/async/arch/async_win.h b/crypto/async/arch/async_win.h index b247f59..31f2482 100644 --- a/crypto/async/arch/async_win.h +++ b/crypto/async/arch/async_win.h @@ -55,7 +55,7 @@ * This is the same detection used in cryptlib to set up the thread local * storage that we depend on, so just copy that */ -#if defined(_WIN32) || defined(__CYGWIN__) +#if defined(_WIN32) #include # define ASYNC_WIN # define ASYNC_ARCH diff --git a/include/openssl/async.h b/include/openssl/async.h index de5ef89..d130a36 100644 --- a/include/openssl
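Review bot: in the apps/speed.c hunk, the deleted comment gives the reason for the old workaround, "this is done because Cygwin alarm() fails sometimes", and neither the commit message nor the hunk says whether that still applies. Since Cygwin builds stop defining `_WIN32` here, say in the commit message that the alarm() problem is gone on supported Cygwin versions and how that was checked.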
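Review bot: in the crypto/async/arch/async_win.h hunk, the unchanged comment above the changed line still says the test is "the same detection used in cryptlib ... so just copy that", which stops being true once `|| defined(__CYGWIN__)` is removed here only. Update that comment, or change the cryptlib detection in the same patch so the two stay in step.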
[openssl-dev] SSL_set_tlsext_host_name(ssl, "")
While playing around with the DANE support in OpenSSL 1.1 I noticed that the TLS handshake will fail if I specify an empty name:

  SSL_dane_enable(ssl, "")

(AFAICT no name is needed for DANE-TA(2) RRs).

This can also be reproduced using

  openssl s_client -servername "" ...

The error I'm getting is:

  SSL3 alert read:fatal:decode error
  SSL_connect:error in SSLv3/TLS write client hello
  694985564:error:1409441A:SSL routines:ssl3_read_bytes:reason(1050):record/rec_layer_s3.c:1346:SSL alert number 50

It seems an empty name should not be allowed:

RFC 3546 3.1:

  opaque HostName<1..2^16-1>;

Maybe SSL_set_tlsext_host_name() should return an error if an empty name is passed?

PS: SSL_CTX_dane_enable.pod:

  =head1 SEE ALSO
  ...
  L,

but AFAICT that man page does not exist.
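The `opaque HostName<1..2^16-1>` rule cited in the post above, shown as an added example (not code from the thread or from OpenSSL): a stand-alone encoder for the server_name extension that refuses an empty name before any bytes are produced. The function names and the 255-byte cap (chosen to mirror TLSEXT_MAXLEN_host_name) are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: local cap chosen to mirror OpenSSL's TLSEXT_MAXLEN_host_name. */
#define SNI_MAX_HOST_LEN  255
#define SNI_EXT_TYPE      0x0000   /* server_name extension type */
#define SNI_NAMETYPE_HOST 0        /* NameType host_name */

/* Hypothetical helper: store a 16-bit value in network byte order. */
static void put_u16(unsigned char *p, size_t v)
{
    p[0] = (unsigned char)((v >> 8) & 0xff);
    p[1] = (unsigned char)(v & 0xff);
}

/*
 * Hypothetical helper: a name is usable as SNI only if it is non-empty
 * (HostName<1..2^16-1>), within the local cap, and free of NUL bytes.
 */
static int sni_name_is_valid(const char *host, size_t len)
{
    if (host == NULL || len == 0 || len > SNI_MAX_HOST_LEN)
        return 0;
    if (memchr(host, '\0', len) != NULL)
        return 0;
    return 1;
}

/*
 * Encode a complete server_name extension:
 *   extension_type(2) | extension_data length(2) |
 *   server_name_list length(2) | name_type(1) | HostName length(2) | name
 * Returns the number of bytes written, or 0 if the name is invalid or the
 * output buffer is too small. Nothing is written on failure.
 */
size_t sni_encode(const char *host, size_t len,
                  unsigned char *out, size_t outlen)
{
    size_t total;

    if (!sni_name_is_valid(host, len))
        return 0;
    total = 2 + 2 + 2 + 1 + 2 + len;
    if (out == NULL || outlen < total)
        return 0;

    put_u16(out, SNI_EXT_TYPE);
    put_u16(out + 2, 2 + 1 + 2 + len);   /* extension_data length */
    put_u16(out + 4, 1 + 2 + len);       /* server_name_list length */
    out[6] = SNI_NAMETYPE_HOST;
    put_u16(out + 7, len);               /* HostName length, never 0 */
    memcpy(out + 9, host, len);
    return total;
}

int main(void)
{
    /* Constructed sample inputs: one valid name and the empty name. */
    const char *names[] = { "example.com", "" };
    unsigned char buf[512];
    size_t i, j, n;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        n = sni_encode(names[i], strlen(names[i]), buf, sizeof(buf));
        if (n == 0) {
            printf("\"%s\": rejected, no extension emitted\n", names[i]);
            continue;
        }
        printf("\"%s\": %zu bytes:", names[i], n);
        for (j = 0; j < n; j++)
            printf(" %02x", buf[j]);
        printf("\n");
    }
    return 0;
}
```

Rejecting the empty name on the client side turns the remote decode_error alert from the report into a local error at the point where the name is set.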
Re: [openssl-dev] Upcoming build system change
Hi Richard,

On Jan 14 21:59, Richard Levitte wrote:
> Hi,
>
> there's an effort going on to revamp the build system for future
> OpenSSL, coining it as "unified". The intention is to have one and
> the same base of information for all platforms, instead of having to
> maintain one set of files for Unixly platforms, one makefile generator
> for Windowsy platforms, and one pile of scripts with a serious case of
> bit rot for VMS.
> [...]
> Config and build
>
> For Unix users, who are used to the usual generation of a top Makefile
> from Makefile.org... that is, Makefile.in since recently, this is
> still the default, but you can always use the unified build as an
> alternative by adding the flag --unified, like so:
>
> ./config --unified

I tried that and it doesn't work correctly for Cygwin on x86_64. Rather than choosing the "Cygwin-x86_64" configuration, it chooses the "Cygwin" configuration which is for the i686 based 32 bit version of Cygwin.

Can this be rectified easily?

Btw., for the new unified configuration it might make sense to rename "Cygwin" to "Cygwin-i686". -march could then be set for i686 as well since 32 bit Cygwin won't run on older CPUs anyway.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer
Red Hat
Re: [openssl-dev] '-CIPHER_DEBUG' error on 'dh_dsa'
On Sat, Jan 16, 2016 at 03:03:41PM +, Alessandro Ghedini wrote: > On Sat, Jan 16, 2016 at 01:51:28pm +0100, Gisle Vanem wrote: > > Having '-DCIPHER_DEBUG' in the CFLAGS causes this error in > > MingW (gcc 5.1): > > ssl/ssl_lib.c:2499:58: error: 'dh_dsa' undeclared (first use in this > > function) > > dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); > > > > (+ a lot wore warnings). Time to retire/rewrite this 'CIPHER_DEBUG' > > part? Or patch ssl/ssl_lib.c: > > > > --- a/ssl/ssl_lib.c 2016-01-16 06:28:59 > > +++ b/ssl/ssl_lib.c 2016-01-16 13:40:51 > > @@ -2495,8 +2495,8 @@ > > > > #ifdef CIPHER_DEBUG > > fprintf(stderr, > > -"dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", > > -dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); > > +"dht=%d re=%d rs=%d ds=%d\n", > > +dh_tmp, rsa_enc, rsa_sign, dsa_sign); > > #endif > > IMO it's better to just remove it. It's unlikely anyone is using it since the > build breaks. I opened a pull request (that includes another #if-related fix): I've actually used this like last week, but it was in the 1.0.2 branch. Kurt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
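Review bot: the quoted ssl/ssl_lib.c hunk removes both `dh_rsa` and `dh_dsa`, along with the `dhr=%d dhd=%d` format fields, from the CIPHER_DEBUG `fprintf`, but the compiler error reported above it only names `dh_dsa` as undeclared. If `dh_rsa` is still declared in this function, keep `dhr=%d` in the output; if it is gone as well, say so in the patch description.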
[openssl-dev] [openssl.org #4249] ECDSA method flags
In the 1.0.2 branch, commit 94c2f77a62be7079ab1893ab14b18a30157c4532 adds functions to set the ECDSA_METHOD structure. One of the functions is to set flags. Until now ECDSA flags are defined only in a non-installed header.

1) "0003-move-some-ECDSA_METHOD-declarations-after-descriptio.patch"
First patch is a cosmetic correction of the above-mentioned commit - move some declarations after description.

2) "0004-public-flag-ECDSA_FLAG_FIPS_METHOD.patch"
Actual patch that moves ECDSA flags to the public header.

3) "0005-remove-unused-flag-EC_FLAG_FIPS_CHECKED.patch"
OpenSSL describes flag EC_FLAG_FIPS_CHECKED but this flag is not used in a FIPS-enabled openssl build. It seems to me it is enough to set flag ECDSA_FLAG_FIPS_METHOD to allow an ECDSA method to work in FIPS mode.

Regards,
Roumen Petrov

>From 4e2150fb50fc07e1edd38938f3d3c32e8438 Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Thu, 14 Jan 2016 20:52:34 +0200 Subject: [PATCH 3/5] move some ECDSA_METHOD declarations after description --- crypto/ecdsa/ecdsa.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index a6f0930..759a9b4 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -288,20 +288,20 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method, const ECDSA_SIG *sig, EC_KEY *eckey)); -void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags); - /** Set the flags field in the ECDSA_METHOD * \param ecdsa_method pointer to existing ECDSA_METHOD * \param flags flags value to set */ -void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name); +void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags); /** Set the name field in the ECDSA_METHOD * \param ecdsa_method pointer to existing ECDSA_METHOD * \param name name to set */ +void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name); + /* BEGIN ERROR CODES */ /* * The following lines are auto generated by the script mkerr.pl. Any changes -- 1.8.4 
>From c80719cbed504c390c069038e9e3ea7fcd7901ad Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Thu, 14 Jan 2016 20:53:15 +0200 Subject: [PATCH 4/5] public flag ECDSA_FLAG_FIPS_METHOD --- crypto/ecdsa/ecdsa.h| 9 + crypto/ecdsa/ecs_locl.h | 9 - 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h index 759a9b4..7b432b9 100644 --- a/crypto/ecdsa/ecdsa.h +++ b/crypto/ecdsa/ecdsa.h @@ -295,6 +295,15 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method, void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags); +/* + * If this flag is set the ECDSA method is FIPS compliant and can be used in + * FIPS mode. This is set in the validated module method. If an application + * sets this flag in its own methods it is its responsibility to ensure the + * result is compliant. + */ + +# define ECDSA_FLAG_FIPS_METHOD 0x1 + /** Set the name field in the ECDSA_METHOD * \param ecdsa_method pointer to existing ECDSA_METHOD * \param name name to set diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h index d3a5efc..4cd5a21 100644 --- a/crypto/ecdsa/ecs_locl.h +++ b/crypto/ecdsa/ecs_locl.h @@ -86,15 +86,6 @@ struct ecdsa_method { # define ECDSA_METHOD_FLAG_ALLOCATED 0x2 -/* - * If this flag is set the ECDSA method is FIPS compliant and can be used in - * FIPS mode. This is set in the validated module method. If an application - * sets this flag in its own methods it is its responsibility to ensure the - * result is compliant. - */ - -# define ECDSA_FLAG_FIPS_METHOD 0x1 - typedef struct ecdsa_data_st { /* EC_KEY_METH_DATA part */ int (*init) (EC_KEY *); -- 1.8.4 >From f7339510f472eacdafb0343bb14907de15102c18 Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Thu, 14 Jan 2016 21:07:47 +0200 Subject: [PATCH 5/5] remove unused flag EC_FLAG_FIPS_CHECKED --- crypto/ec/ec.h| 1 - doc/crypto/EC_KEY_new.pod | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) 
diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h index 81e6faf..9146bc3 100644 --- a/crypto/ec/ec.h +++ b/crypto/ec/ec.h @@ -746,7 +746,6 @@ typedef struct ec_key_st EC_KEY; /* some values for the flags field */ # define EC_FLAG_NON_FIPS_ALLOW 0x1 -# define EC_FLAG_FIPS_CHECKED0x2 /** Creates a new EC_KEY object. * \return EC_KEY object or NULL if an error occurred. diff --git a/doc/crypto/EC_KEY_new.pod b/doc/crypto/EC_KEY_new.pod index 0fa2de1..00dba25 100644 --- a/doc/crypto/EC_KEY_new.pod +++ b/doc/crypto/EC_KEY_new.pod @@ -73,7 +73,7 @@ of point_conversion_forms please refer to L. EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary additional data specific to the elliptic curve scheme being used with the EC_KEY object. This data is treated as a "b
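Review bot: In the crypto/ecdsa/ecdsa.h hunk of patch 4/5, ECDSA_FLAG_FIPS_METHOD (0x1) becomes public while ECDSA_METHOD_FLAG_ALLOCATED (0x2) stays behind in ecs_locl.h, so the int passed to ECDSA_METHOD_set_flags() now shares its bit space with a value applications cannot see. The hunks do not show whether the setter preserves 0x2. Please either note next to the new define that 0x2 is reserved for internal use, or confirm in the commit message that ECDSA_METHOD_set_flags() keeps the internal bit when an application passes only ECDSA_FLAG_FIPS_METHOD.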
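Review bot: The crypto/ec/ec.h hunk of patch 5/5 deletes EC_FLAG_FIPS_CHECKED outright, and since the cover mail refers to the 1.0.2 branch this removes a macro from a header that existing applications may already compile against, even if the library never tests the flag. On a stable branch I would keep the define next to EC_FLAG_NON_FIPS_ALLOW with a comment that it is unused, and restrict the removal to the EC_KEY_new.pod text.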
Re: [openssl-dev] '-CIPHER_DEBUG' error on 'dh_dsa'
On Sat, Jan 16, 2016 at 01:51:28pm +0100, Gisle Vanem wrote: > Having '-DCIPHER_DEBUG' in the CFLAGS causes this error in > MingW (gcc 5.1): > ssl/ssl_lib.c:2499:58: error: 'dh_dsa' undeclared (first use in this > function) > dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); > > (+ a lot wore warnings). Time to retire/rewrite this 'CIPHER_DEBUG' > part? Or patch ssl/ssl_lib.c: > > --- a/ssl/ssl_lib.c 2016-01-16 06:28:59 > +++ b/ssl/ssl_lib.c 2016-01-16 13:40:51 > @@ -2495,8 +2495,8 @@ > > #ifdef CIPHER_DEBUG > fprintf(stderr, > -"dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", > -dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); > +"dht=%d re=%d rs=%d ds=%d\n", > +dh_tmp, rsa_enc, rsa_sign, dsa_sign); > #endif IMO it's better to just remove it. It's unlikely anyone is using it since the build breaks. I opened a pull request (that includes another #if-related fix): https://github.com/openssl/openssl/pull/559 Cheers signature.asc Description: PGP signature ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #4246] OpenSSL-1.1-pre2 openssl req fails to use engine
Yes, #458 is similar but for the pkeyutl.c I would have changed:

    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},

to

    {"keyform", OPT_KEYFORM, 'f', "Private key format - default PEM"},

The patch also adds an additional parameter,

    {"engine_impl", OPT_ENGINE_IMPL, '-', "Also use engine given by -engine for crypto operations"},

I would ask the author about the engine_impl. It looks to me that to keep the previous behavior of the command one would need to add this option if an engine is used. It could also be an issue with the ordering of the parameters, or to try and not use the engine when the public key is used. (I could be wrong on this.)

The author is also active on the OpenSC list trying to use EC with the OpenSC engine.

On 1/15/2016 5:24 PM, Blumenthal, Uri - 0553 - MITLL via RT wrote:
> Doug, could you please take a look at PR #548 (or is it #549)? It also
> addresses this KEY_FORM issue.
>
> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
> Original Message
> From: deeng...@gmail.com via RT
> Sent: Friday, January 15, 2016 17:10
> Reply To: r...@openssl.org
> Cc: openssl-dev@openssl.org
> Subject: [openssl-dev] [openssl.org #4246] OpenSSL-1.1-pre2 openssl req fails to use engine
>
> req.c (and many of the other apps) appear to have lost the ability to use an engine.
> The attached diff is against the github.com version using Tag OpenSSL_1_1-pre2
> In the req_options[] table:
> OPT_KEY is set to "S" so pre-checking of the parameters does not drop the string passed to the engine.
> OPT_KEY_FORM is set to "f" so pre-checking will allow engine
>
> The engine is saved:
>     e = setup_engine(opt_arg(), 1);
>
> (I turned on debug, may want that off.)
>
> to allow the OPT_KEY_FORM to be an engine:
>     if (!opt_format(opt_arg(), OPT_FMT_PEMDER|OPT_FMT_ENGINE, &keyform))
>
> This was tested with a modified version of OpenSC using ECDSA key on card to generate a self signed certificate.
>
>     openssl req -config /tmp/genreq.6156.openssl.conf -engine pkcs11 -keyform e -sha256 -new -key slot_1-id_2 -out /tmp/selfsigned.pem -x509 -text
>
> P.S. The EC_KEY_* functions appear to be working too (#4225) Have not tried the ECDH yet.
>
> --
> Douglas E. Engert

--
Douglas E. Engert
Re: [openssl-dev] [openssl.org #4207] engine key format in 1.1
Also patches for commands: - pkey : "0017-pkey-cmd-restore-keys-from-engine.patch" - req : "0018-req-cmd-restore-keys-from-engine.patch" >From 0ea1c0b9b600977e93efed4545166ec4ae245bc9 Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Sat, 9 Jan 2016 14:52:14 +0200 Subject: [PATCH 17/19] pkey cmd: restore keys from engine --- apps/pkey.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/pkey.c b/apps/pkey.c index 40db6f5..9a72df4 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -71,11 +71,11 @@ typedef enum OPTION_choice { OPTIONS pkey_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, -{"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"}, +{"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"}, {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"}, -{"in", OPT_IN, '<', "Input file"}, +{"in", OPT_IN, 's', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, {"pubin", OPT_PUBIN, '-', "Read public key from input (default is private key)"}, @@ -116,7 +116,7 @@ int pkey_main(int argc, char **argv) ret = 0; goto end; case OPT_INFORM: -if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat)) +if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat)) goto opthelp; break; case OPT_OUTFORM: -- 1.8.4 >From 5c976b9fc19533514faae5c3c5ac1664eb33080b Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Sun, 10 Jan 2016 21:20:01 +0200 Subject: [PATCH 18/19] req cmd: restore keys from engine --- apps/req.c | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apps/req.c b/apps/req.c index a0da788..335d777 100644 --- a/apps/req.c +++ b/apps/req.c 
@@ -136,8 +136,8 @@ OPTIONS req_options[] = { {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"}, {"in", OPT_IN, '<', "Input file"}, {"out", OPT_OUT, '>', "Output file"}, -{"key", OPT_KEY, '<', "Use the private key contained in file"}, -{"keyform", OPT_KEYFORM, 'F', "Key file format"}, +{"key", OPT_KEY, 's', "Use the private key contained in file"}, +{"keyform", OPT_KEYFORM, 'f', "Key file format"}, {"pubkey", OPT_PUBKEY, '-', "Output public key"}, {"new", OPT_NEW, '-', "New request"}, {"config", OPT_CONFIG, '<', "Request template file"}, @@ -235,7 +235,7 @@ int req_main(int argc, char **argv) goto opthelp; break; case OPT_ENGINE: -(void)setup_engine(opt_arg(), 0); +e = setup_engine(opt_arg(), 0); break; case OPT_KEYGEN_ENGINE: #ifndef OPENSSL_NO_ENGINE @@ -259,7 +259,7 @@ int req_main(int argc, char **argv) template = opt_arg(); break; case OPT_KEYFORM: -if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform)) +if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform)) goto opthelp; break; case OPT_IN: -- 1.8.4 ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
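Review bot: In the pkey_options[] hunk of apps/pkey.c, changing "in" from '<' to 's' and -inform to OPT_FMT_ANY relaxes the option pre-checks for every invocation, not only when an engine is in use, and the help strings still read "Input format (DER or PEM)" and "Input file". The #4246 report in this thread uses OPT_FMT_PEMDER|OPT_FMT_ENGINE for the same purpose; that narrower mask admits engine key ids without accepting every other format, and the help text should mention the engine case.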
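Review bot: The OPT_ENGINE hunk in apps/req.c starts keeping the return value (e = setup_engine(opt_arg(), 0);), but none of the three hunks shows where e is declared, handed to the key loader, or released. Please include those lines or state in the commit message that e already exists in req_main(). As in pkey.c, OPT_FMT_PEMDER|OPT_FMT_ENGINE would be a tighter mask than OPT_FMT_ANY for -keyform, and the "key" help string still says the key is "contained in file".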
Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code
This has been (partially) fixed, so it can probably be closed.
Re: [openssl-dev] [openssl.org #4219] [typos] DANE related docs
Seems fixed in master, so this can be closed.

Cheers
Re: [openssl-dev] [openssl.org #4183] No SSL_CIPHER_description() for ChaCha20/Poly1305
Looks fixed in master, can probably be closed.

Cheers
Re: [openssl-dev] [openssl.org #4222] Wrong definition of the macro SSL_set1_sigalgs in ssl.h (PR #519)
PR merged, can be closed now.

Cheers
Re: [openssl-dev] [openssl.org #4174] Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633)
PR merged, can be closed.

Cheers
Re: [openssl-dev] [openssl.org #4112] GH458: Fix "primarility" typo
PR merged, can be closed.

Cheers
Re: [openssl-dev] [openssl.org #4140] GITHUB PULL REQUEST: do not load engines twice
PR merged, can be closed.

Cheers
Re: [openssl-dev] [openssl.org #4159] BUG ::: Null dereference in ssl3_free
Kurt said this is fixed in git, can be closed I guess.

Cheers
Re: [openssl-dev] [openssl.org #4157] Download Documentation
Seems to me this can be closed now.

Cheers
Re: [openssl-dev] [openssl.org #4026] patches to eliminate some warnings from clang
Looks like some things are already fixed in master, does this need any more actions?

Cheers
Re: [openssl-dev] [openssl.org #4239] [PATCH] fixing wildcard matching on punycode domains
On Fri, Jan 15, 2016 at 06:08:38pm +, Viktor Dukhovni via RT wrote:
>
> > On Jan 15, 2016, at 10:32 AM, Zi Lin via RT wrote:
> >
> >
>
> Yes, this will get fixed. Thanks.

Patches merged, can be closed now.

Cheers
Re: [openssl-dev] [openssl.org #4034] mkstack.pl does generate new safestack.h until release 1.0.1m
The mkstack.pl script was removed in master so this can probably be closed (unless it needs fixing in older releases as well).

Cheers
Re: [openssl-dev] [openssl.org #4054] [BUG] engine-provided ciphers are unavailable for command-line utility
Seems that this works in master, so it can probably be closed.

Cheers
Re: [openssl-dev] [openssl-commits] [openssl] master update
Oops, my mistake. -- Senior Architect, Akamai Technologies IM: richs...@jabber.at Twitter: RichSalz > -Original Message- > From: Rainer Jung [mailto:rainer.j...@kippdata.de] > Sent: Saturday, January 16, 2016 5:12 AM > To: openssl-dev@openssl.org > Subject: Re: [openssl-dev] [openssl-commits] [openssl] master update > > Please note that the patch in RT4247 also contains a hunk for > crypto/evp/e_camellia.c. This was not committed here, but without it one > gets the same type of compilation error on SPARC. Since the RT is already > closed I thought I better ask. > > The missing part is: > > Index: crypto/evp/e_camellia.c > --- crypto/evp/e_camellia.c 2016-01-14 10:51:32.0 +0100 > +++ crypto/evp/e_camellia.c 2016-01-16 04:01:44.443269000 +0100 > @@ -119,10 +119,10 @@ >const unsigned char *iv, int enc) >{ >int ret, mode, bits; > -EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data; > +EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) > EVP_CIPHER_CTX_cipher_data(ctx); > > -mode = ctx->cipher->flags & EVP_CIPH_MODE; > -bits = ctx->key_len * 8; > +mode = EVP_CIPHER_CTX_mode(ctx); > +bits = EVP_CIPHER_CTX_key_length(ctx) * 8; > >cmll_t4_set_key(key, bits, &dat->ks); > > Thank a bunch, > > Rainer > > Am 16.01.2016 um 04:47 schrieb Rich Salz: > > The branch master has been updated > > via ecdd0ff733985fb573d687fe85fa533f62f6cfd8 (commit) > >from 25be7a0feacdbd3326774f0da8aaeb966c1f57f8 (commit) > > > > > > - Log > > - > > commit ecdd0ff733985fb573d687fe85fa533f62f6cfd8 > > Author: Rich Salz > > Date: Fri Jan 15 22:37:11 2016 -0500 > > > > RT4247: Fix EVP_CIPHER_CTX opaque on sparc > > > > Via Rainer Jung > > > > Reviewed-by: Dr. Stephen Henson > > > > -- > > - > > > > Summary of changes: > > crypto/evp/e_des.c | 2 +- > > crypto/evp/e_des3.c | 4 ++-- > > 2 files changed, 3 insertions(+), 3 deletions(-) > > > > diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index > > 5536f62..929151c 100644 > > --- a/crypto/evp/e_des.c > > +++ b/crypto/evp/e_des.c 
> > @@ -247,7 +247,7 @@ static int des_init_key(EVP_CIPHER_CTX *ctx, const > unsigned char *key, > > dat->stream.cbc = NULL; > > # if defined(SPARC_DES_CAPABLE) > > if (SPARC_DES_CAPABLE) { > > -int mode = ctx->cipher->flags & EVP_CIPH_MODE; > > +int mode = EVP_CIPHER_CTX_mode(ctx); > > > > if (mode == EVP_CIPH_CBC_MODE) { > > des_t4_key_expand(key, &dat->ks.ks); diff --git > > a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 16407e8..8b6c2b5 > > 100644 > > --- a/crypto/evp/e_des3.c > > +++ b/crypto/evp/e_des3.c > > @@ -270,7 +270,7 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, > const unsigned char *key, > > dat->stream.cbc = NULL; > > # if defined(SPARC_DES_CAPABLE) > > if (SPARC_DES_CAPABLE) { > > -int mode = ctx->cipher->flags & EVP_CIPH_MODE; > > +int mode = EVP_CIPHER_CTX_mode(ctx); > > > > if (mode == EVP_CIPH_CBC_MODE) { > > des_t4_key_expand(&deskey[0], &dat->ks1); @@ -297,7 > > +297,7 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const > unsigned char *key, > > dat->stream.cbc = NULL; > > # if defined(SPARC_DES_CAPABLE) > > if (SPARC_DES_CAPABLE) { > > -int mode = ctx->cipher->flags & EVP_CIPH_MODE; > > +int mode = EVP_CIPHER_CTX_mode(ctx); > > > > if (mode == EVP_CIPH_CBC_MODE) { > > des_t4_key_expand(&deskey[0], &dat->ks1); > ___ > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] '-CIPHER_DEBUG' error on 'dh_dsa'
Having '-DCIPHER_DEBUG' in the CFLAGS causes this error in MingW (gcc 5.1): ssl/ssl_lib.c:2499:58: error: 'dh_dsa' undeclared (first use in this function) dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); (+ a lot wore warnings). Time to retire/rewrite this 'CIPHER_DEBUG' part? Or patch ssl/ssl_lib.c: --- a/ssl/ssl_lib.c 2016-01-16 06:28:59 +++ b/ssl/ssl_lib.c 2016-01-16 13:40:51 @@ -2495,8 +2495,8 @@ #ifdef CIPHER_DEBUG fprintf(stderr, -"dht=%d re=%d rs=%d ds=%d dhr=%d dhd=%d\n", -dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); +"dht=%d re=%d rs=%d ds=%d\n", +dh_tmp, rsa_enc, rsa_sign, dsa_sign); #endif -- --gv ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
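Review bot: The compiler error quoted with this patch names only dh_dsa as undeclared, yet the replacement fprintf also drops dhr=%d and dh_rsa. If dh_rsa is still computed in this function, keep it in the trace and remove only dhd=%d and dh_dsa; if it is gone as well, say so in the description. The format string and argument list do stay matched at four entries each.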
[openssl-dev] "SSL_dane_enable() may be called"
SSL_CTX_dane_enable.pod states:

    SSL_dane_enable() may be called before the SSL handshake is initiated with L to enable DANE for that connection.

"may" seems to be a bit confusing here: if you want "to enable DANE for that connection" then you "must" call the function, right?
[openssl-dev] [openssl.org #4248] Link error under Windows
For the TS_CONF issue, it was a simple matter of lacking marks in include/openssl/ts.h

Fix coming up

On Sat, 16 Jan 2016 at 10.39.39, levitte wrote:
> My new build system won't change much in this respect, it still relies on
> util/libeay.num. So the issue lies in util/mkdef.pl (at least for the TS_CONF
> symbols). I haven't checked the others you mentioned, but it may come down to
> them not being marked properly as deprecated in their respective headers.
>
> I'll try to have a look at this tomorrow.
>
> On Sat, 16 Jan 2016 at 06.17.13, dra...@dancingdragon.be wrote:
> > This appears to be the same issue as when building with no-engine:
> >
> > https://github.com/openssl/openssl/issues/536
> >
> > Hopefully Richard Levitte's new build system will be able to handle
> > this. Presumably in the old system this would be handled by the last
> > lines of ms\do_win64a.bat:
> >
> > perl util\mkdef.pl 32 libeay > ms\libeay32.def
> > perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
> >
> > On 1/15/2016 7:14 PM, marc.st...@approach.be via RT wrote:
> > > On any version of Windows (32 or 64 bits), if using the "no-deprecated"
> > > configure flag, some functions (see list below) are not compiled but
> > > they are still referenced in LIBEAY32.DEF. This gives the following
> > > error: LIBEAY32.def : error LNK2001: unresolved external symbol ...
> > >
> > > List of functions:
> > > - BN_BLINDING_get_thread_id
> > > - BN_BLINDING_set_thread_id
> > > - BN_CTX_init
> > > - BN_generate_prime
> > > - BN_get_params
> > > - BN_is_prime
> > > - BN_is_prime_fasttest
> > > - BN_set_params
> > > - CRYPTO_get_id_callback
> > > - CRYPTO_set_id_callback
> > > - CRYPTO_thread_id
> > > - DH_generate_parameters
> > > - DSA_generate_parameters
> > > - ERR_remove_state
> > > - RSA_generate_key
> > > - bn_dup_expand
>
> --
> Richard Levitte
> levi...@openssl.org

--
Richard Levitte
levi...@openssl.org
[openssl-dev] [openssl.org #4243] 1.1.0-pre2: bug: EVP_CIPHER_CTX isn't completely opaque
No problem, misunderstandings happen. Closing this ticket now.

Cheers,
Richard

On Sat, 16 Jan 2016 at 08.16.57, baldu...@units.it wrote:
> > This is according to our interpretation of "type opacity", meaning that the
> > type name is available but not its content. "Data hiding" is another way to put
> > it. This means that there will be a need to adapt, stack allocated
> > EVP_CIPHER_CTX is no longer allowed, but there are functions to allocate and
> > free them on/from the heap (EVP_CIPHER_CTX_new and EVP_CIPHER_CTX_free).
> >
> > What's your interpretation of type opacity? I'm not going to say that you're
> > wrong and we're perfect, we're interested in feedback and constructive
> > arguments. I just wanted to let you know our thinking so far.
> >
> > > apologies if I am missing something here.
>
> ...it is evident that I was missing something!
>
> A simple search for "opaque type" brings me to, eg, wikipedia (yes, that
> popular!) where I find:
>
>     "In computer science, an opaque data type is a data type
>     whose concrete data structure is not defined in an
>     interface."
>
> ie exactly what I naively called "inconsistency" (!)
>
> I'm sorry for the noise: I promise next time I'll double check before
> disturbing
>
> thanks for your patience and politeness
>
> ciao
> gabriele

--
Richard Levitte
levi...@openssl.org
Re: [openssl-dev] Upcoming build system change
In message <5699df80.6030...@dancingdragon.be> on Fri, 15 Jan 2016 22:13:20 -0800, Joey Yandle said:

dragon> I tried building your branch on windows, but the windows Configure
dragon> targets appear to be missing:

I haven't done anything specific with Windows yet... or, quite frankly, checked it very much... My focus has been mainly on Unix and VMS. I do have some start of a makefile for Windows as well, but it's just that, a start.

dragon> c:\src\openssl>perl Configure VC-WIN64A
dragon> Configuring OpenSSL version 1.1.0-pre3-dev (0x0x1013L)
dragon> ...
dragon> Configuring for VC-WIN64A
dragon> Warning! target VC-WIN64A doesn't exist!
dragon> Can't use an undefined value as an ARRAY reference at Configure line
dragon> 825.

This surprises me a bit, but we've had some issues surrounding this very target in master as well... it came down to Configure being a bit petty and has been changed accordingly, but my branch hasn't been rebased on the freshest master yet, so the fix hasn't propagated to my branch yet. I'm going to deal with that tomorrow and will make sure to verify the usual Windows configs then.

Cheers,
Richard

--
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
[openssl-dev] MSVC 2015 internal compiler error
While building OpenSSL from today's git-repo:

  ssl\d1_srtp.c : fatal error C1001: An internalerror has occurred in the compiler.
  (compiler file 'f:\dd\vctools\compiler\utc\src\p2\main.c', line 246)
  To work around this problem, try simplifying or changing the program near the locations listed above.
  Please choose the Technical Support command on the Visual C++
  Help menu, or open the Technical Support help file for more information
  INTERNAL COMPILER ERROR in 'f:\gv\VC_2015\bin\cl.exe'
  Please choose the Technical Support command on the Visual C++
  Help menu, or open the Technical Support help file for more information

Seems to be related to:
  typedef const char *OPENSSL_CSTRING;
in safestack.h

Changing this into:
  #ifdef _MSC_VER
  typedef char *OPENSSL_CSTRING;
  #else
  typedef const char *OPENSSL_CSTRING;
  #endif

helps, but triggers the same internal compiler error later on. I suspect the compiler sees 'const const *x' in some places. So I assume that's the trigger for this fault.

Details: Microsoft (R) C/C++ Optimizing Compiler Version 19.00.23026 for x86 on Win-10 build 10240.

--
--gv
[openssl-dev] [openssl.org #4248] Link error under Windows
My new build system won't change much in this respect, it still relies on util/libeay.num. So the issue lies in util/mkdef.pl (at least for the TS_CONF symbols). I haven't checked the others you mentioned, but it may come down to them not being marked properly as deprecated in their respective headers.

I'll try to have a look at this tomorrow.

On Sat, 16 Jan 2016 at 06.17.13, dra...@dancingdragon.be wrote:
> This appears to be the same issue as when building with no-engine:
>
> https://github.com/openssl/openssl/issues/536
>
> Hopefully Richard Levitte's new build system will be able to handle
> this. Presumably in the old system this would be handled by the last
> lines of ms\do_win64a.bat:
>
> perl util\mkdef.pl 32 libeay > ms\libeay32.def
> perl util\mkdef.pl 32 ssleay > ms\ssleay32.def
>
> On 1/15/2016 7:14 PM, marc.st...@approach.be via RT wrote:
> > On any version of Windows (32 or 64 bits), if using the "no-deprecated"
> > configure flag, some functions (see list below) are not compiled but
> > they are still referenced in LIBEAY32.DEF. This gives the following
> > error: LIBEAY32.def : error LNK2001: unresolved external symbol ...
> >
> > List of functions:
> > - BN_BLINDING_get_thread_id
> > - BN_BLINDING_set_thread_id
> > - BN_CTX_init
> > - BN_generate_prime
> > - BN_get_params
> > - BN_is_prime
> > - BN_is_prime_fasttest
> > - BN_set_params
> > - CRYPTO_get_id_callback
> > - CRYPTO_set_id_callback
> > - CRYPTO_thread_id
> > - DH_generate_parameters
> > - DSA_generate_parameters
> > - ERR_remove_state
> > - RSA_generate_key
> > - bn_dup_expand

--
Richard Levitte
levi...@openssl.org
Re: [openssl-dev] [openssl-commits] [openssl] master update
Please note that the patch in RT4247 also contains a hunk for crypto/evp/e_camellia.c. This was not committed here, but without it one gets the same type of compilation error on SPARC. Since the RT is already closed I thought I better ask. The missing part is: Index: crypto/evp/e_camellia.c --- crypto/evp/e_camellia.c 2016-01-14 10:51:32.0 +0100 +++ crypto/evp/e_camellia.c 2016-01-16 04:01:44.443269000 +0100 @@ -119,10 +119,10 @@ const unsigned char *iv, int enc) { int ret, mode, bits; -EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) ctx->cipher_data; +EVP_CAMELLIA_KEY *dat = (EVP_CAMELLIA_KEY *) EVP_CIPHER_CTX_cipher_data(ctx); -mode = ctx->cipher->flags & EVP_CIPH_MODE; -bits = ctx->key_len * 8; +mode = EVP_CIPHER_CTX_mode(ctx); +bits = EVP_CIPHER_CTX_key_length(ctx) * 8; cmll_t4_set_key(key, bits, &dat->ks); Thank a bunch, Rainer Am 16.01.2016 um 04:47 schrieb Rich Salz: The branch master has been updated via ecdd0ff733985fb573d687fe85fa533f62f6cfd8 (commit) from 25be7a0feacdbd3326774f0da8aaeb966c1f57f8 (commit) - Log - commit ecdd0ff733985fb573d687fe85fa533f62f6cfd8 Author: Rich Salz Date: Fri Jan 15 22:37:11 2016 -0500 RT4247: Fix EVP_CIPHER_CTX opaque on sparc Via Rainer Jung Reviewed-by: Dr. Stephen Henson --- Summary of changes: crypto/evp/e_des.c | 2 +- crypto/evp/e_des3.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index 5536f62..929151c 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -247,7 +247,7 @@ static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, dat->stream.cbc = NULL; # if defined(SPARC_DES_CAPABLE) if (SPARC_DES_CAPABLE) { -int mode = ctx->cipher->flags & EVP_CIPH_MODE; +int mode = EVP_CIPHER_CTX_mode(ctx); if (mode == EVP_CIPH_CBC_MODE) { des_t4_key_expand(key, &dat->ks.ks); diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 16407e8..8b6c2b5 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c 
@@ -270,7 +270,7 @@ static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, dat->stream.cbc = NULL; # if defined(SPARC_DES_CAPABLE) if (SPARC_DES_CAPABLE) { -int mode = ctx->cipher->flags & EVP_CIPH_MODE; +int mode = EVP_CIPHER_CTX_mode(ctx); if (mode == EVP_CIPH_CBC_MODE) { des_t4_key_expand(&deskey[0], &dat->ks1); @@ -297,7 +297,7 @@ static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, dat->stream.cbc = NULL; # if defined(SPARC_DES_CAPABLE) if (SPARC_DES_CAPABLE) { -int mode = ctx->cipher->flags & EVP_CIPH_MODE; +int mode = EVP_CIPHER_CTX_mode(ctx); if (mode == EVP_CIPH_CBC_MODE) { des_t4_key_expand(&deskey[0], &dat->ks1);
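Review bot: the e_camellia.c hunk at @@ -119,10 is absent from the commit, whose summary of changes lists only crypto/evp/e_des.c and crypto/evp/e_des3.c, so the three direct member accesses it replaces (ctx->cipher_data, ctx->cipher->flags and ctx->key_len) are still in the tree after it. It should go in as a follow-up with the same RT4247 reference in the commit message, so that the change to this file can be traced to the ticket the other two came from.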
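Review bot: in all three committed hunks (des_init_key, des_ede_init_key and des_ede3_init_key) the replaced line sits under "# if defined(SPARC_DES_CAPABLE)", so only builds that define that macro compile it, and a build elsewhere can neither confirm this fix nor catch the next leftover of the same kind. The same expression, ctx->cipher->flags & EVP_CIPH_MODE, had to be replaced three times, which suggests searching the remaining platform-conditional blocks in crypto/evp for direct ctx-> member access and build-testing the result on that platform.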
Re: [openssl-dev] [openssl.org #4243] 1.1.0-pre2: bug: EVP_CIPHER_CTX isn't completely opaque
> This is according to our interpretation of "type opacity", meaning that the
> type name is available but not its content. "Data hiding" is another way to put
> it. This means that there will be a need to adapt, stack allocated
> EVP_CIPHER_CTX is no longer allowed, but there are functions to allocate and
> free them on/from the heap (EVP_CIPHER_CTX_new and EVP_CIPHER_CTX_free).
>
> What's your interpretation of type opacity? I'm not going to say that you're
> wrong and we're perfect, we're interested in feedback and constructive
> arguments. I just wanted to let you know our thinking so far.
>
> >
> > apologies if I am missing something here.

...it is evident that I was missing something!

A simple search for "opaque type" brings me to, e.g., Wikipedia (yes, that popular!) where I find:

"In computer science, an opaque data type is a data type whose concrete data structure is not defined in an interface."

i.e. exactly what I naively called "inconsistency" (!)

I'm sorry for the noise: I promise next time I'll double check before disturbing

thanks for your patience and politeness

ciao
gabriele
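The usage the quoted reply describes (heap allocation through new/free functions, no access to the struct's members) together with the accessor substitutions made by the patches earlier on this page, as an added single-file illustration that is not part of the original messages and is not OpenSSL code. Every TOY_* name and constant is hypothetical.

```c
/* Added illustration: TOY_* names are hypothetical, not OpenSSL API. */
#include <stdio.h>
#include <stdlib.h>

/* Public "header": the type name is visible, its layout is not. */
typedef struct toy_cipher_ctx_st TOY_CIPHER_CTX;
#define TOY_MODE_MASK 0x7UL
#define TOY_CBC_MODE  0x2UL
TOY_CIPHER_CTX *TOY_CIPHER_CTX_new(void);
void TOY_CIPHER_CTX_free(TOY_CIPHER_CTX *ctx);
int TOY_CIPHER_CTX_init(TOY_CIPHER_CTX *ctx, unsigned long flags, int key_len);
unsigned long TOY_CIPHER_CTX_mode(const TOY_CIPHER_CTX *ctx);
int TOY_CIPHER_CTX_key_length(const TOY_CIPHER_CTX *ctx);

/* Caller code, compiled while the type is still incomplete: writing
 * `TOY_CIPHER_CTX c;` or `ctx->key_len` here does not compile. */
int caller_cbc_key_bits(unsigned long flags, int key_len)
{
    int bits = -1;
    TOY_CIPHER_CTX *ctx = TOY_CIPHER_CTX_new();      /* heap, not stack */
    if (ctx == NULL)
        return -1;
    if (TOY_CIPHER_CTX_init(ctx, flags, key_len)
        && TOY_CIPHER_CTX_mode(ctx) == TOY_CBC_MODE) /* accessor, not ctx->flags */
        bits = TOY_CIPHER_CTX_key_length(ctx) * 8;
    TOY_CIPHER_CTX_free(ctx);
    return bits;
}

/* Library internals: the only place where the layout is known. */
struct toy_cipher_ctx_st { unsigned long flags; int key_len; };

TOY_CIPHER_CTX *TOY_CIPHER_CTX_new(void) { return calloc(1, sizeof(TOY_CIPHER_CTX)); }
void TOY_CIPHER_CTX_free(TOY_CIPHER_CTX *ctx) { free(ctx); }
int TOY_CIPHER_CTX_init(TOY_CIPHER_CTX *ctx, unsigned long flags, int key_len)
{
    if (ctx == NULL || key_len <= 0 || key_len > 64)
        return 0;                                    /* 1 = success, 0 = failure */
    ctx->flags = flags;
    ctx->key_len = key_len;
    return 1;
}
unsigned long TOY_CIPHER_CTX_mode(const TOY_CIPHER_CTX *ctx) { return ctx->flags & TOY_MODE_MASK; }
int TOY_CIPHER_CTX_key_length(const TOY_CIPHER_CTX *ctx) { return ctx->key_len; }

int main(void)
{
    printf("cbc/16 -> %d bits\n", caller_cbc_key_bits(TOY_CBC_MODE, 16));
    printf("other mode -> %d\n", caller_cbc_key_bits(0x1UL, 16));
    return 0;
}
```

Because the caller sits above the struct definition, any leftover member access in it fails at compile time rather than silently depending on the layout.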