[openssl-dev] prefer headers from source tree
Hello, Build of master branch fail of on command line is specified include path (-I ...) with headers from another openssl version. Please see attached "0002-make-templates-prepend-path-to-source-headers.patch" file with proposed modification of make template. Tested wilt unix build. Windows modification is similar. Roumen >From a7e0111eea1ef51d62a673e8511e9017945c2780 Mon Sep 17 00:00:00 2001 From: Roumen Petrov Date: Sat, 21 May 2016 10:29:51 +0300 Subject: [PATCH 2/2] make templates: prepend path to source headers --- Configurations/unix-Makefile.tmpl| 10 +- Configurations/windows-makefile.tmpl | 8 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 34971a9..cb36178 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl @@ -871,7 +871,7 @@ EOF $target: $args{generator}->[0] $deps ( trap "rm -f \$@.*" INT 0; \\ $generator \$@.S; \\ - \$(CC) \$(CFLAGS) $incs -E \$@.S | \\ + \$(CC) $incs \$(CFLAGS) -E \$@.S | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@.i && \\ mv -f \$@.i \$@ ) EOF @@ -884,7 +884,7 @@ EOF } return <<"EOF"; $args{src}: $args{generator}->[0] $deps - \$(CC) \$(CFLAGS) $incs -E \$< | \\ + \$(CC) $incs \$(CFLAGS) -E \$< | \\ \$(PERL) -ne '/^#(line)?\\s*[0-9]+/ or print' > \$@ EOF } @@ -918,7 +918,7 @@ EOF if (!$disabled{makedepend} && $makedepprog =~ /\/makedepend/) { $recipe .= <<"EOF"; $obj$depext: $deps - -\$(MAKEDEPEND) -f- -o"|$obj$objext" -- \$(CFLAGS) $ecflags$incs -- $srcs \\ + -\$(MAKEDEPEND) -f- -o"|$obj$objext" -- $incs \$(CFLAGS) $ecflags -- $srcs \\ >\$\@.tmp 2>/dev/null -\$(PERL) -i -pe 's/^.*\\|//; s/ \\/(.|[^ ])*//; \$\$_ = undef if (/: *\$\$/ || /^(#.*| *)\$\$/); \$\$_.="\\n" unless !defined(\$\$_) or /\\R\$\$/g;' \$\@.tmp \@if cmp \$\@.tmp \$\@ > /dev/null 2> /dev/null; then \\ @@ -932,13 +932,13 @@ EOF if ($disabled{makedepend} || $makedepprog =~ /\/makedepend/) { $recipe .= <<"EOF"; $obj$objext: $deps - \$(CC) \$(CFLAGS) $ecflags$incs -c -o \$\@ $srcs + \$(CC) $incs \$(CFLAGS) $ecflags -c -o \$\@ $srcs EOF } if (!$disabled{makedepend} && $makedepprog !~ /\/makedepend/) { $recipe .= <<"EOF"; $obj$objext: $deps - \$(CC) \$(CFLAGS) $ecflags$incs -MMD -MF $obj$depext.tmp -MT \$\@ -c -o \$\@ $srcs + \$(CC) $incs \$(CFLAGS) $ecflags -MMD -MF $obj$depext.tmp -MT \$\@ -c -o \$\@ $srcs \@touch $obj$depext.tmp \@if cmp $obj$depext.tmp $obj$depext > /dev/null 2> /dev/null; then \\ rm -f $obj$depext.tmp; \\ diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 0d21c50..bba7e51 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -349,7 +349,7 @@ EOF $target: "$args{generator}->[0]" $deps set ASM=\$(AS) $generator \$@.S - \$(CC) \$(CFLAGS) $incs /EP /C \$@.S > \$@.i && move /Y \$@.i \$@ + \$(CC) $incs \$(CFLAGS) /EP /C \$@.S > \$@.i && move /Y \$@.i \$@ del /Q \$@.S EOF } @@ -362,7 +362,7 @@ EOF } return <<"EOF"; $target: "$args{generator}->[0]" $deps - \$(CC) \$(CFLAGS) $incs /EP /C "$args{generator}->[0]" > \$@.i && move /Y \$@.i \$@ + \$(CC) $incs \$(CFLAGS) /EP /C "$args{generator}->[0]" > \$@.i && move /Y \$@.i \$@ EOF } } @@ -400,13 +400,13 @@ s/^Note: including file: *//; END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" } << $obj$objext: $obj$depext - \$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ @<< + \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ @<< $srcs << EOF return <<"EOF" if ($disabled{makedepend}); $obj$objext: $deps - \$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ $srcs + \$(CC) $incs \$(CFLAGS) $ecflags -c \$(COUTFLAG)\$\@ $srcs EOF } -- 1.8.4 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4590] accessors without const return arguments
Hello, Recently declaration of a number of get0 methods was changed to return constant values (BIGNUM). Lets me quote description of an allocator "/ECDSA_SIG_new()/ allocates a new *ECDSA_SIG* structure (note: this function also allocates the BIGNUMs) and initialize it." Now lets try to write deserialization of a ECDSA signature. With set method allocated and never user ECDSA members r and s has to be freed and replaced by new one. As result extra allocation of big numbers impact performance and increase memory usage. Above is reason the request to remove const from return argument of get0 methods. The issue is not only for ECDSA but also for DSA_SIG and RSA, DSA, DH keys where situation is similar. Regards, Roumen Petrov -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4590 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] Making assembly language optimizations working onCortex-M3
> The BoringSSL works as follows: > > 1. The person building the code passes -DOPENSSL_STATIC_ARMCAP and some > other flags like -DOPENSSL_STATIC_ARMCAP_NEON, to indicate which > features are available on the target. > > 2. When OPENSSL_STATIC_ARMCAP is defined, the runtime detection of > features is disabled. > > 3. When OPENSSL_STATIC_ARMCAP is defined, OPENSSL_armcap_P is fixed to a > value based on which of DOPENSSL_STATIC_ARMCAP_NEON, etc. are defined. > > 4. When OPENSSL_STATIC_ARMCAP isn't defined, then everything works like > it currently does; i.e. features are detected at runtime. > > The idea is that, instead having to go in and manually edit the code for > each different target system, one can just define these flags and the > code will auto-configure itself at build-time. I again seem to be failing to grasp the point. For far I was under impression that goal [denoted by subject] is to minimize resource consumption including code size. OPENSSL_STATIC_ARMCAP doesn't reduce code size, it simply sets OPENSSL_armcap_P to predefined value. And as we already established that we are talking about some overly specific usage case effectively outside OpenSSL, then why don't you simply replace armcap.c with one-liner that assigns OPENSSL_armcap_P to 0 or 1? > The problem here is you can't have both and having the capability > switch at runtime depending on hardware quirks is the better option > for the majority of users. > > That's usually true, but the topic of this thread is about how to get > OpenSSL working well on Cortex-M microcontrollers. In those situations, > we cannot really afford the dynamic detection or the many different > implementations of the same algorithm to exist in the final image. I doubt that current OPENSSL_STATIC_ARMCAP implementation result in any code savings. In order for compiler to omit code OPENSSL_armcap_P has to be at least declared constant (and it's not) and code omission can be performed only during link-time optimizations. Latter should not be recommended in security programming context and we don't... -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] [openssl.org #2911] enhancement request: Windows RT support
In your previous mail you wrote: > Nobody got around to looking at this, sorry. I could not decode the patch > although 103K is big. Windows RT is no longer supported. Closing ticket. => no problem... Thanks francis.dup...@fdupont.fr -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2911 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4298] [Bug] Random number generation failing with FIPS and Android < 5.0
There is not enough information to repeat. Please open a new ticket, post a backtrace, or whatever. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4298 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3886] [BUG] [PATCH] verify fails for 3-level cert chain when using X509v3 Authority Key Identifier
It's not clear there is a bug (in fact, the bug commentary says that). If so, please open a new ticket with a PEM file of all the certs in the chain. Or perhaps post to openssl-users mailing list. Closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3886 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3811] [BUG REPORT] - Missing register name in aes-x86_64.s
Cannot reproduce. Attempt to provide a work-around/fix hasn't had any response. Closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3811 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h
The warnings are annoying but harmless. running 'make depend' is required. Closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3016] openssl ts fix
No plans to do this. Please re-open the ticket if it's *really* needed for interop. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3016 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #2964] OBJ_nid2obj() result value should be const
Updated the docs in master and 1.0.2 to explain that these really are const-like objects. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2964 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #4589] simplifying writing code that is 1.0.x and 1.1.x compatible
Hi, at borgbackup project, we are currently trying to make it compatible with OpenSSL 1.0.x and 1.1.x. For the opaque cipher ctx this worked quite easily like this: https://github.com/borgbackup/borg/pull/1193/files#diff-85ee6ebe1cdcfd4a4699c3913d519b27R23 I could not have a cipher ctx structure as a instance variable, but a pointer to one worked. I am just computing the current IV myself, so I do not need to reach into the ctx (I need to do that anyway to support gcm mode). I used EVP_CIPHER_CTX_new/free() - although not in the man page, they are there since 0.98 (and the wiki examples use them, too). Solved. In borgbackup 1.2, we will also need the flexible (not single-call) interface to HMAC and I could get it working using the same method as above (using a pointer and the new/free functions - we do not access into hmac ctx here, so it is even simpler). But: HMAC_CTX_{new/free} are not available on 1.0.x. :-( So my question / request: could these functions be added to a future update, like 1.0.2i, to simplify migration / portability of code? I suspect that these 2 functions are very simple to backport from 1.1 to 1.0.x. Cheers, Thomas -- GPG ID: FAF7B393 GPG FP: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4589 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #2911] enhancement request: Windows RT support
Nobody got around to looking at this, sorry. I could not decode the patch although 103K is big. Windows RT is no longer supported. Closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2911 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Re: [openssl-dev] 1.1 release being delayed
> > And as far as regressions after beta 2 release are concerned, it looks > > like there was a change in the API that is not backwards compatible. I > > was hoping this would not happen after the "Beta 2 - Opaque work > > complete". Did I misunderstand what that note means? > > > > The non-compatible change (this actually broke wpa_supplicant build..) > > is this one: > > > > commit fd809cfdbd6e32b6b67b68c59f6d55fbed7a9327 > > Constify the parameter getters for RSA, DSA and DH > > > > -void DH_get0_key(const DH *dh, BIGNUM **pub_key, BIGNUM **priv_key) > > +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM > > **priv_key) > > > > > > Is there a clear point in time after which the OpenSSL 1.1.0 API is > > expected to be fully frozen for the release (well, other than the final > > public release showing up)? > > > > We are not planning any more opaque work before release, and are trying > to avoid API breaks at this late stage - but we can't fully rule it out > either. > > Matt +1 for the change. IMHO, the constification is a bug fix of the api, not a deliberate change. Having a const-incorrect api is always a nuisance and it is better to have it fixed now than after the final elease. Matthias smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev