Re: [openssl-dev] X509_V_FLAG_OCSP_CHECK

2016-01-29 Thread Wall, Stephen
> -Original Message-
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of 
> Anthony T CHOW
>
> On the openssl-user mailing list archive, I found this:
> 
> http://www.mail-archive.com/openssl-users@openssl.org/msg67721.html
> 
> On GitHub, I don't find this flag X509_V_FLAG_OCSP_CHECK

I've previously asked about this, the OpenSSL team had no plans to act on the 
patch at that time (a few months ago).
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev




[openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 09:59:23 2016, alek...@aleksey.com wrote:
> Hello,
>
> At the moment, there is no way to set r/s in the ECDSA_SIG structure
> manually to verify the signature encoded into a different format.
> Would be great to add a simple function:
>
> void ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *)
>
> to set these values similar to other XXX_set0() functions.
>

The way ECDSA_SIG_new() works, r and s should always be non-NULL so you
should be able to use the ECDSA_SIG_get0 function to retrieve pointers to r
and s which can then be modified.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu via RT
Howard Chu via RT wrote:
> In OpenLDAP we reference X509_NAME->bytes->data directly, we want the DER
> bytes which we then pass thru our own DN validator/formatter. This no longer
> works with OpenSSL 1.1 and I don't see any provided method to return the DER
> bytes. I don't want a malloc'd copy, I just want read-only access to the bytes
> already cached inside the X509_NAME structure.
>
> The attached patch would be sufficient to meet this requirement.

We are tracking this here as well:

http://www.openldap.org/its/index.cgi/Development?id=8353

-- 
   -- Howard Chu
   CTO, Symas Corp.   http://www.symas.com
   Director, Highland Sun http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




Re: [openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Douglas E Engert

I agree.

Until OpenSSL adds a ECDSA_SIG_set0 there is a way, for example:

    rv = PKCS11_ecdsa_sign(dgst, dlen, sigret, &siglen, key);
    nLen = siglen / 2;
    if (rv > 0) {
        sig = ECDSA_SIG_new();
        if (sig) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
            /*
             * OpenSSL 1.1 does not have a way to allocate r and s
             * in ECDSA_SIG as it is now hidden.
             * Will use dummy ASN1 so r and s are allocated then
             * use ECDSA_SIG_get0 to get access to r and s
             * can then update r and s
             */
            const unsigned char *a;
            /* SEQUENCE { INTEGER 0, INTEGER 0 } */
            unsigned char dasn1[8] =
                {0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00};
            BIGNUM *r;
            BIGNUM *s;
            a = dasn1;
            d2i_ECDSA_SIG(&sig, &a, 8);
            ECDSA_SIG_get0(&r, &s, sig);
            /* overwrite the placeholder values with the raw r and s halves */
            BN_bin2bn(&sigret[0], nLen, r);
            BN_bin2bn(&sigret[nLen], nLen, s);
#else
            BN_bin2bn(&sigret[0], nLen, sig->r);
            BN_bin2bn(&sigret[nLen], nLen, sig->s);
#endif
        }
    }
    return sig;

On 1/29/2016 3:59 AM, Aleksey Sanin via RT wrote:

> Hello,
>
> At the moment, there is no way to set r/s in the ECDSA_SIG structure
> manually to verify the signature encoded into a different format.
> Would be great to add a simple function:
>
> void ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *)
>
> to set these values similar to other XXX_set0() functions.
>
> Thanks,



--

 Douglas E. Engert  
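
A different route to the goal discussed in this thread, as an added example that is not code from any poster or from OpenSSL: build the DER ECDSA-Sig-Value directly from a raw r||s signature, so the result can be handed to d2i_ECDSA_SIG() or ECDSA_verify() without touching the opaque structure. The helper names (raw_ecdsa_sig_to_der and friends) are hypothetical, and the input is assumed to be two equal-length big-endian halves.

```c
#include <stdio.h>
#include <string.h>

/* Number of bytes a DER length field needs for n (n < 65536). */
static size_t len_size(size_t n) { return n < 0x80 ? 1 : (n < 0x100 ? 2 : 3); }

static unsigned char *put_len(unsigned char *p, size_t n)
{
    if (n >= 0x100) { *p++ = 0x82; *p++ = (unsigned char)(n >> 8); }
    else if (n >= 0x80) { *p++ = 0x81; }
    *p++ = (unsigned char)(n & 0xff);
    return p;
}

/* Content length of a DER INTEGER holding the unsigned big-endian value
 * v[0..n-1] (n >= 1): leading zero bytes are dropped (one byte is kept for
 * the value 0) and a 0x00 pad is added when the top bit is set, so the
 * value is not decoded as negative. *skip receives the bytes dropped. */
static size_t int_len(const unsigned char *v, size_t n, size_t *skip)
{
    size_t i = 0;
    while (i + 1 < n && v[i] == 0)
        i++;
    *skip = i;
    return (n - i) + ((v[i] & 0x80) ? 1 : 0);
}

static unsigned char *put_int(unsigned char *p, const unsigned char *v, size_t n)
{
    size_t skip, clen = int_len(v, n, &skip);
    *p++ = 0x02;                      /* INTEGER */
    p = put_len(p, clen);
    if (v[skip] & 0x80)
        *p++ = 0x00;                  /* keep the value positive */
    memcpy(p, v + skip, n - skip);
    return p + (n - skip);
}

/* Hypothetical helper (not an OpenSSL function): encode raw r||s, two
 * equal-length big-endian halves, as DER SEQUENCE { INTEGER r, INTEGER s }.
 * Returns the DER length, or 0 on bad input or if out is too small. */
size_t raw_ecdsa_sig_to_der(const unsigned char *raw, size_t rawlen,
                            unsigned char *out, size_t outlen)
{
    size_t half, skip, rlen, slen, body, total;
    unsigned char *p = out;

    if (raw == NULL || out == NULL || rawlen == 0 || (rawlen & 1) || rawlen > 1024)
        return 0;
    half = rawlen / 2;
    rlen = int_len(raw, half, &skip);
    slen = int_len(raw + half, half, &skip);
    body = 1 + len_size(rlen) + rlen + 1 + len_size(slen) + slen;
    total = 1 + len_size(body) + body;
    if (total > outlen)
        return 0;
    *p++ = 0x30;                      /* SEQUENCE */
    p = put_len(p, body);
    p = put_int(p, raw, half);
    p = put_int(p, raw + half, half);
    return (size_t)(p - out);
}

int main(void)
{
    /* Constructed sample: r = 0x80 (top bit set), s = 0x01. */
    const unsigned char raw[2] = {0x80, 0x01};
    unsigned char der[16];
    size_t i, n = raw_ecdsa_sig_to_der(raw, sizeof(raw), der, sizeof(der));

    for (i = 0; i < n; i++)
        printf("%02x", der[i]);
    printf("\n");
    return n == 0;
}
```

Encoding r = 0 and s = 0 with this helper yields the same eight bytes as the dummy ASN.1 array in the message above.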
 




Re: [openssl-dev] OpenSSL Security Advisory

2016-01-29 Thread Blumenthal, Uri - 0553 - MITLL
+1

Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.
  Original Message  
From: Hanno Böck
Sent: Friday, January 29, 2016 06:18
To: openssl-dev@openssl.org
Reply To: openssl-dev@openssl.org
Cc: open...@openssl.org
Subject: Re: [openssl-dev] OpenSSL Security Advisory

On Thu, 28 Jan 2016 15:05:47 +
OpenSSL  wrote:

> Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
> default and cannot be disabled. This could have some performance
> impact.

I think it's good that this has been changed now.
I found this ephemeral key reuse always problematic.

However as far as I'm aware there's still the same situation with
elliptic curve diffie hellman. It reuses the ephemeral key for several
connections unless one sets SSL_OP_SINGLE_ECDH_USE.
As with the DH one most server apps already set this.

This is unrelated to the current vuln, but I find this risky. It
creates an additional server secret that can leak and bugs in the
elliptic curve key exchange that would be harmless without this feature
could become very severe.

I would therefore propose to do the same change also for ECDH and make
SSL_OP_SINGLE_ECDH_USE the default.

-- 
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42





[openssl-dev] [openssl.org #3600] When compiling with enable-ec_nistp_64_gcc_128, then EC_GROUP_have_precompute_mult always returns 0

2016-01-29 Thread Matt Caswell via RT
Fixed in master and 1.0.2. Thanks for the report.

Matt



[openssl-dev] [openssl.org #4278] DH_CHECK_PUBKEY_INVALID should be 0x4, not 0x3

2016-01-29 Thread Matt Caswell via RT
Thanks David - fixed.

Matt



[openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Aleksey Sanin via RT
Hello,

At the moment, there is no way to set r/s in the ECDSA_SIG structure
manually to verify the signature encoded into a different format.
Would be great to add a simple function:

void ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *)

to set these values similar to other XXX_set0() functions.

Thanks,

-- 
Aleksey




[openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Kiyoshi KANAZAWA via RT
Hello,


I tried openssl-1.1.0-pre2 on Solaris10 x86/x64.

For x86, no error found.
But for X64, make fails in crypto/modes.
Got the same result with solarisstudio12.4 & gcc-4.8.5.


1. with solarisstudio12.4
% ./Configure solaris64-x86_64-cc
% make
  :
cc -I.. -I../.. -I../modes -I../include -I../../include  -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xarch=generic64 -xstrconst -Xa 
-DL_ENDIAN -DFILIO_H -xO5 -xdepend -xbuiltin -DOPENSSL_IA32_SSE2 
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
-DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
-DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o ghash-x86_64.o 
ghash-x86_64.s
cc: Warning: -xarch=generic64 is deprecated, use -m64 to create 64-bit programs
Assembler: 
    "ghash-x86_64.s", line 890 : Syntax error
    Near line: "    movq    $1.15473355479995e+19,%rax"
cc: fbe failed for ghash-x86_64.s
: recipe for target 'ghash-x86_64.o' failed
make[2]: *** [ghash-x86_64.o] Error 2
make[2]: Leaving directory '/tmp/openssl-1.1.0-pre2/crypto/modes'



2. with gcc-4.8.5
% ./Configure solaris64-x86_64-gcc
% make
  :
make[2]: Entering directory '/tmp/openssl-1.1.0-pre2/crypto/modes'
gcc -I.. -I../.. -I../modes -I../include -I../../include  -DOPENSSL_THREADS 
-pthread -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -Wall -DL_ENDIAN -DFILIO_H -O3 
-DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM 
-DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o 
ghash-x86_64.o ghash-x86_64.s
ghash-x86_64.s: Assembler messages:
ghash-x86_64.s:890: Error: junk `.15473355479995e+19' after expression
: recipe for target 'ghash-x86_64.o' failed
make[2]: *** [ghash-x86_64.o] Error 1
make[2]: Leaving directory '/tmp/openssl-1.1.0-pre2/crypto/modes'
Makefile:90: recipe for target 'subdirs' failed
make[1]: *** [subdirs] Error 1
make[1]: Leaving directory '/tmp/openssl-1.1.0-pre2/crypto'
Makefile:287: recipe for target 'build_crypto' failed
make: *** [build_crypto] Error 1


Regards,

--- Kiyoshi 




Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Viktor Dukhovni

> On Jan 29, 2016, at 4:59 AM, Kiyoshi KANAZAWA via RT  wrote:
> 
> cc -I.. -I../.. -I../modes -I../include -I../../include  -DOPENSSL_THREADS 
> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xarch=generic64 -xstrconst -Xa 
> -DL_ENDIAN -DFILIO_H -xO5 -xdepend -xbuiltin -DOPENSSL_IA32_SSE2 
> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
> -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
> -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o ghash-x86_64.o 
> ghash-x86_64.s
> cc: Warning: -xarch=generic64 is deprecated, use -m64 to create 64-bit 
> programs
> Assembler: 
> "ghash-x86_64.s", line 890 : Syntax error
> Near line: "    movq    $1.15473355479995e+19,%rax"

You'll need a 64-bit Perl.  When I try "perl ghash-x86_64.pl" I get:

...
subq    $48,%rcx
movq    $11547335547999543296,%rax
movdqu  48(%rsi),%xmm14
movdqu  64(%rsi),%xmm15
...

-- 
Viktor.







[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit->64-bit

2016-01-29 Thread Short, Todd via RT
I have an available fix:

https://github.com/openssl/openssl/pull/597

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."




[openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote:
> Howard Chu via RT wrote:
> > In OpenLDAP we reference X509_NAME->bytes->data directly, we want the
> > DER
> > bytes which we then pass thru our own DN validator/formatter. This no
> > longer
> > works with OpenSSL 1.1 and I don't see any provided method to return
> > the DER
> > bytes. I don't want a malloc'd copy, I just want read-only access to
> > the bytes
> > already cached inside the X509_NAME structure.
> >
> > The attached patch would be sufficient to meet this requirement.
>
> We are tracking this here as well:
>
> http://www.openldap.org/its/index.cgi/Development?id=8353


I'd rather we didn't return a pointer to the internal BUF_MEM as we might want
to change that at some point.

Would a function like:

int X509_NAME_der(const X509_NAME *nm, const char **pder);

be suitable for your needs?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



[openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 17:35:05 2016, steve wrote:
> On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote:
> > Howard Chu via RT wrote:
> > > In OpenLDAP we reference X509_NAME->bytes->data directly, we want
> > > the
> > > DER
> > > bytes which we then pass thru our own DN validator/formatter. This
> > > no
> > > longer
> > > works with OpenSSL 1.1 and I don't see any provided method to
> > > return
> > > the DER
> > > bytes. I don't want a malloc'd copy, I just want read-only access
> > > to
> > > the bytes
> > > already cached inside the X509_NAME structure.
> > >
> > > The attached patch would be sufficient to meet this requirement.
> >
> > We are tracking this here as well:
> >
> > http://www.openldap.org/its/index.cgi/Development?id=8353
>
>
> I'd rather we didn't return a pointer to the internal BUF_MEM as we
> might want
> to change that at some point.
>
> Would a function like:
>
> int X509_NAME_der(const X509_NAME *nm, const char **pder);
>
> be suitable for your needs?
>

Thinking about it, a better name to comply with our naming convention would be
X509_NAME_get0_der.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



Re: [openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Aleksey Sanin via RT
Thanks! It works great.

Do you have a plan to change the behavior of DSA_SIG_new() as well
to pre-create r and s? Currently both are NULL.

Thanks in advance,

Aleksey

On 1/29/16 5:44 AM, Stephen Henson via RT wrote:
> On Fri Jan 29 09:59:23 2016, alek...@aleksey.com wrote:
>> Hello,
>>
>> At the moment, there is no way to set r/s in the ECDSA_SIG structure
>> manually to verify the signature encoded into a different format.
>> Would be great to add a simple function:
>>
>> void ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *)
>>
>> to set these values similar to other XXX_set0() functions.
>>
> 
> The way ECDSA_SIG_new() works, r and s should always be non-NULL so you
> should be able to use the ECDSA_SIG_get0 function to retrieve pointers to r
> and s which can then be modified.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> 




Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Short, Todd
This sounds like RT3885.

I have an available fix:

https://github.com/openssl/openssl/pull/597

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

> On Jan 29, 2016, at 12:04 PM, Viktor Dukhovni via RT wrote:
>
>> On Jan 29, 2016, at 4:59 AM, Kiyoshi KANAZAWA via RT wrote:
>>
>> cc -I.. -I../.. -I../modes -I../include -I../../include  -DOPENSSL_THREADS 
>> -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xarch=generic64 -xstrconst -Xa 
>> -DL_ENDIAN -DFILIO_H -xO5 -xdepend -xbuiltin -DOPENSSL_IA32_SSE2 
>> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM 
>> -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM 
>> -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c  -o ghash-x86_64.o 
>> ghash-x86_64.s
>> cc: Warning: -xarch=generic64 is deprecated, use -m64 to create 64-bit programs
>> Assembler:
>>    "ghash-x86_64.s", line 890 : Syntax error
>>    Near line: "    movq    $1.15473355479995e+19,%rax"
>
> You'll need a 64-bit Perl.  When I try "perl ghash-x86_64.pl" I get:
>
> ...
>    subq    $48,%rcx
>    movq    $11547335547999543296,%rax
>    movdqu  48(%rsi),%xmm14
>    movdqu  64(%rsi),%xmm15
> ...
>
> --
> Viktor.








[openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 17:59:59 2016, alek...@aleksey.com wrote:
>
> Do you have a plan to change the behavior of DSA_SIG_new() as well
> to pre-create r and s? Currently both are NULL.
>

That seems like a reasonable change. In 1.0.x we can't do that because it would
result in compatibility issues. For 1.1.0 DSA_SIG will be made opaque at some
point and a DSA_SIG_get0() function will be added and pre-allocating r and s
simplifies the code.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org



Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu via RT
Stephen Henson via RT wrote:
> On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote:
>> Howard Chu via RT wrote:
>>> In OpenLDAP we reference X509_NAME->bytes->data directly, we want the
>>> DER
>>> bytes which we then pass thru our own DN validator/formatter. This no
>>> longer
>>> works with OpenSSL 1.1 and I don't see any provided method to return
>>> the DER
>>> bytes. I don't want a malloc'd copy, I just want read-only access to
>>> the bytes
>>> already cached inside the X509_NAME structure.
>>>
>>> The attached patch would be sufficient to meet this requirement.
>>
>> We are tracking this here as well:
>>
>> http://www.openldap.org/its/index.cgi/Development?id=8353
>
>
> I'd rather we didn't return a pointer to the internal BUF_MEM as we might want
> to change that at some point.
>
> Would a function like:
>
> int X509_NAME_der(const X509_NAME *nm, const char **pder);
>
> be suitable for your needs?

Yes, that would be fine.

-- 
   -- Howard Chu
   CTO, Symas Corp.   http://www.symas.com
   Director, Highland Sun http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu via RT
Stephen Henson via RT wrote:
> On Fri Jan 29 17:35:05 2016, steve wrote:
>> On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote:
>>> Howard Chu via RT wrote:
>>>> In OpenLDAP we reference X509_NAME->bytes->data directly, we want
>>>> the
>>>> DER
>>>> bytes which we then pass thru our own DN validator/formatter. This
>>>> no
>>>> longer
>>>> works with OpenSSL 1.1 and I don't see any provided method to
>>>> return
>>>> the DER
>>>> bytes. I don't want a malloc'd copy, I just want read-only access
>>>> to
>>>> the bytes
>>>> already cached inside the X509_NAME structure.
>>>>
>>>> The attached patch would be sufficient to meet this requirement.
>>>
>>> We are tracking this here as well:
>>>
>>> http://www.openldap.org/its/index.cgi/Development?id=8353
>>
>>
>> I'd rather we didn't return a pointer to the internal BUF_MEM as we
>> might want
>> to change that at some point.
>>
>> Would a function like:
>>
>> int X509_NAME_der(const X509_NAME *nm, const char **pder);
>>
>> be suitable for your needs?
>>
>
> Thinking about it, a better name to comply with our naming convention would be
> X509_NAME_get0_der.

Just to be clear - in our use case we already know the length. But if the 
function you're proposing is returning only a success/error code, then the 
function should probably also provide the length as a return parameter, for 
more general users.

-- 
   -- Howard Chu
   CTO, Symas Corp.   http://www.symas.com
   Director, Highland Sun http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/




Re: [openssl-dev] X509_V_FLAG_OCSP_CHECK

2016-01-29 Thread Anthony T CHOW
Stephen,

Thanks for the info and have a nice weekend,

Anthony.

-Original Message-
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Wall, 
Stephen
Sent: Friday, January 29, 2016 5:56 AM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] X509_V_FLAG_OCSP_CHECK

> -Original Message-
> From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of 
> Anthony T CHOW
>
> On the openssl-user mailing list archive, I found this:
> 
> http://www.mail-archive.com/openssl-users@openssl.org/msg67721.html
> 
> On GitHub, I don't find this flag X509_V_FLAG_OCSP_CHECK

I've previously asked about this, the OpenSSL team had no plans to act on the 
patch at that time (a few months ago).