Re: [openssl.org #1504] Padding bug in 0.9.8d (Solaris 9, Sparc)
Stefan Neis via RT wrote:
> Nils Larsch via RT schrieb:
>> openssl doesn't support the type of padding
> > (0x80, 0x00, 0x00, ...) you are using
> > (openssl only supports the padding described
> > in pkcs7).
>
> In that case, any idea why it does happen to
> work with version 0.9.8? Assuming that wasn't
> intended, it sure seems like a very strange
> coincidence...
actually it was a coincidence :-) If you look at the old code
in crypto/evp/evp_enc.c
...
n=ctx->final[b-1];
if (n > b)
{
EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
return(0);
}
for (i=0; ifinal[--b] != n)
{
EVPerr(EVP_F_EVP_DECRYPTFINAL,EVP_R_BAD_DECRYPT);
return(0);
}
}
n=ctx->cipher->block_size-n;
for (i=0; ifinal[i];
*outl=n;
you can see that this code will always return 8 bytes (the block size)
if n (== ctx->final[b-1]) is 0, regardless of how many padding bytes were
actually added.
>
>> Try decrypting it without padding (using the
> > EVP_CIPH_NO_PADDING flag) and remove the
> > padding yourself.
>
> OK, will do. Thanks,
ok, I will close this ticket.
Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1504] Padding bug in 0.9.8d (Solaris 9, Sparc)
Stefan Neis via RT wrote: > Hi, > > Any feedback about my problem? Can anybody confirm the > padding bug shown by my sample code (see RT) or can > nobody reproduce it (e.g. because I forgot to mention > that I'm using a static build...)? openssl doesn't support the type of padding (0x80, 0x00, 0x00, ...) you are using (openssl only supports the padding described in pkcs7). Try decrypting it without padding (using the EVP_CIPH_NO_PADDING flag) and remove the padding yourself. Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1434] Bug report - link error when openssl-0.9.7l compiled with no-ssl2 flag
[EMAIL PROTECTED] via RT wrote: > I tried building OpenSSL 0.9.8e on windows with the no-ssl2 and it still > creates ms\ssleay32.def with the ssl2 and ssl23 functions. From reading > the logs this was supposed to be fixed in both 0.9.7l and 0.9.8 (bug > report 1434). > > Am I missing a step or a switch? > > Thanks, > > George > > Starting from a fresh download. > > Perl Configure VC-WIN32 no-ssl2 > Ms\do_nasm > > Ms\ssleay32.def now contains the functions for SSL2 and SSL23. did you read the "Troubleshooting" section in INSTALL.W32 ? Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1502] openssl 0.9.8a crashes when we try to use SSL URL - embedded montavista linux
Prasanna via RT wrote: > Hello, >I am using openssl 0.9.8a with SSL support. > When I call SSL_CTX_free() when we close HTTP Session the openssl stack > causes segmentation fault. > in crypto/stack/stck.c in function sk_pop_free() the ht->num has some > junk value. whihc causes the segfault. > > When we used openssl 0.9.7d we never entered the for look present in > sk_pop_free funtion. > Any fix for this. > Kindly elt me know if you need any further information about my setup do you have a backtrace ? Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1490] [BUG] [PATCH] unintialized enc_read_ctx/enc_write_ctx on error
patch applied. Thanks ! Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1468] [PATCH] zlib uses wrong malloc/free
patch applied (slightly modified) to 0.9.8-stable and 0.9.9-dev. Please test a recent snapshot. Thanks ! Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1467] [BUG] [PATCH] kssl wrong malloc/calloc/free
agree with your analysis => patch applied to 0.9.8-stable and the cvs head. Please test a recent snapshot. Thanks ! Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1461] Bug: EXPORT56 ciphers no longer exist
IMHO compile time options should be placed in the "INSTALL" file. However I'not sure if we really want to "encourage" user to enable these ciphers ... Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1460] Possible X509_NAME_print code error
afaik this code should break the printed dn up into several lines if it's length exceeds 80 characters ... As this hasn't worked for quite some time (since revesion 1.8 of this file afaik) and scripts might already depend on this form of the output I've simply removed this code (btw: X509_NAME_print() is deprecated anyway). Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1476] bug report s3_srvr.c OpenSSL-0.9.8d
fixed in 0.9.8-stable and in the cvs head. Please test a new snapshot. Thanks ! Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1462] [PATCH] fix some memory leaks in the pkcs7 crypto
committed (with minor modifications). Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1454] RSA key exponents different from 3 and F4
Annie Yousar via RT wrote: > Dear all, > Bleichenbacher's attack shows that it was possible to forge a PKCS #1 > v1.5 signature signed by a key using exponent 3. > > Unfortunately the implementation of the OpenSSL command > openssl genrsa ... > allows only to create keys with exponent 3 or F4. Nevertheless the new > RSA key generation routine RSA_generate_key_ex available in 0.9.8 works > already with arbitrary exponents. > > The included minor patch of apps/genrsa.c adds a new option for exponent > selection to the genrsa command. > > Because OpenSSL version 0.9.7 doesn't use RSA_generate_key_ex with > exponents BIGNUM but unsigned long, this patch is applicable to version > 0.9.8++ only. principally I'm not against such a change but I wonder how useful this feature is (or, in other words, how likely is it that a user selects a good exponent if [s]he doesn't want to use f4 and not something like 1) ? Another alternative might be to let the user specify a range from which a randomly generated exponent is used ... Btw: your patch removes the description of the '-3' option. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1441] OpenSSL crash
should be fixed in the repository (0.9.8-stable and cvs head). Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1440] [PATCH] Incorrect shared build of ccgost engine
patch applied, please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1354] patch: SSL_SESSION_get_time.pod mentions SSL_SESSION_get_timeout twice
fixed (0.9.8-stable and cvs head) Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1355] patch: bug in CONF_modules_free.pod
fixed (0.9.8-stable and cvs head) Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1398] 0.9.7k: documentation typo
fixed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1408] [patch] typo fixes
fixed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1443] pkcs12 utility usage message and man page are incomplete (patch)
patch applied. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1383] [PATCH] build on 64-bit platforms fails: snapshot of 2006/09/05
the problem in crypto/rsa/rsa_sign.c should be fixed. To fix the warnings with size_t and BIO_printf() a better solution would be to have a '%z' length modifier as using %lu for size_t might cause warnings on other systems. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1442] builtin_pbe array is not sorted (patch)
patch applied Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1438] BUG: extra backslash in openssl macros (version 0.9.8d)
should be fixed in the cvs. Please check a new snapshot. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1434] Bug report - link error when openssl-0.9.7l compiled with no-ssl2 flag
no response ... I therefore assume that the patch fixed your problem. Ticket closed. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1434] Bug report - link error when openssl-0.9.7l compiled with no-ssl2 flag
I've committed a fix for 0.9.7-stable. Could you test a new snapshot ? Concerning 0.9.8: I was unable to reproduce your problem ... which openssl 0.9.8 version did you test ? Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1343] bug in documentation
doc/crypto/RSA_get_ex_new_index.pod: The typedefs in were indeed wrong as they should specify the CRYPTO_EX_foobar() functions. I copied the relevant typedefs from crypto/ossl_typ.h. doc/crypto/BIO_ctrl.pod: the current text looks correct. doc/crypto/BIO_set_callback.pod: As the callback here refers to a function pointer variable of the BIO structure the typedef was IMHO wrong ... fixed. doc/ssl/SSL_CTX_set_tmp_rsa_callback.pod: the last parenthesis was indeed superfluous ... fixed. Please test a recent snapshot. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1407] Bug - add_cert_dir() logic is broken
I agree with your patch => patch applied (0.9.8-stable and head). Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1305] testtsa error
already fixed in the cvs ... ticket closed Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1294] SSL_free memory leak
this has been fixed some time ago ... ticket closed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1435] Patch: EC key processing
patch applied. Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1418] Difference of function definitions in header file and man page
fixed in the cvs (some time ago) => ticket resolved. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1403] rsa_eay.c: Wrong first parameter in RSAerr calls
fix applied to 0.9.7-stable Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1338] [PATCH] speed/benchmark support for whirlpool in -SNAP
patch applied. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1347] Field 'attributes' of X509_REQ_INFO
patch applied to 0.9.8-stable and the cvs head. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1433] X509v3 OIDs from RFC 2459
patch applied. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1431] bug in setting ECDH and ECDSA methods
fixed in cvs __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1433] X509v3 OIDs from RFC 2459
via RT wrote: > Some X509v3 OIDs from RFC 2459 are currently missing from objects.txt: > > * X509v3 Certificate Issuer > * X509v3 Issuing Distribution Point > * X509v3 Subject Directory Attributes > > All the other OIDs from the RFC are already included in OpenSSL. The > attached patch introduces the above OIDs. does it really makes sense to add OIDs when openssl is not able to parse these extensions ? Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1432] error in ecdsa_do_sign and ecdsa_do_verify
Andrzej Chmielowiec via RT wrote: > I have tryed to sign sha256 digest using ECDSA_OpenSSL() method and > secp160r1 domain parameters. Unfortunately during this operation > apears an error which sugests that I am trying to sign too long > digest. But in such standards as IEEE 1363-2000 and SEC-1 (I do not > know what is in ANSI X9.62-2005) there is possibility to sign > arbitrary long digest with any domain parameters. as you already found out openssl 0.9.8 doesn't really support something else than ecdsa with sha1. This will change in 0.9.9 (and perhaps algorithm you mentioned to shorten the hash will be implemented). Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1431] bug in setting ECDH and ECDSA methods
[EMAIL PROTECTED] via RT wrote: > Setting ECDH and ECDSA methods in ENGINE interface does not > work properly. I can not set up ENGINE ECDH and ECDSA methods > as default. ... should be fixed now, please try a new snapshot. Thanks for the bug report. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1418] Difference of function definitions in header file and man page
Joachim Metz via RT wrote: > Hello OpenSSL team, > > First I want to compliment you with the good work your doing. > > I am currently working on a library that uses OpenSSL MD5 hash > calculation function. > > I have found a difference in and the MD5_Init manual > page (both 'man MD5_Init' and several online versions) > > The header specifies > int MD5_Init(MD5_CTX *c); > int MD5_Update(MD5_CTX *c, const void *data, unsigned long len); > int MD5_Final(unsigned char *md, MD5_CTX *c); > > And the manual page > void MD5_Init(MD5_CTX *c); > void MD5_Update(MD5_CTX *c, const void *data, > unsigned long len); > void MD5_Final(unsigned char *md, MD5_CTX *c); I've updated the pod files. Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1360] critical extension id-pe-qcStatements as per RFC 3039 not supported
Ulf Moeller via RT wrote:
> The certificate encoding is in fact ok:
>
> 27168: OBJECT IDENTIFIER qcStatements (1 3 6 1 5 5
> 7 1 3)
> 27261: BOOLEAN TRUE
> 2729 24: OCTET STRING, encapsulates {
> 2731 22: SEQUENCE {
> 2733 10: SEQUENCE {
> 27358: OBJECT IDENTIFIER
> : pkixQCSyntax-v1 (1 3 6 1 5 5 7 11 1)
> : }
> 27458: SEQUENCE {
> 27476: OBJECT IDENTIFIER
> : etsiQcsCompliance (0 4 0 1862 1 1)
> : }
> : }
> : }
> : }
>
> Google doesn't find the defintion of "etsiQcsCompliance", so I don't
> know what would be required to implement the extension.
in the isis-mtt context this extension is called "id-etsi-qcs-QcCompliance"
(see http://www.isis-mtt.t7-isis.org/ in case you have too much time to
waste ;-) .Afaik it simply means that the CA who issued the certificate
must be in compliance with ETSI TS 101 456 v1.1.1 ("Policy Requirements for
Certification Authorities Issuing Qualified Certificates").
As I have no real clue what to do with such an extension when verifying
a certificate I would simply ignore it.
Cheers,
Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1318] [PATCH] AES-CFB1 and DES-CFB1 mode only encrypts 1/8th of the source
Michael McDougall wrote:
> diff -ur openssl-SNAP-20060415/crypto/aes/aes_cfb.c
> openssl-SNAP-20060415.changed/crypto/aes/aes_cfb.c
> --- openssl-SNAP-20060415/crypto/aes/aes_cfb.c2004-12-30
> 06:00:14.0 -0500
> +++ openssl-SNAP-20060415.changed/crypto/aes/aes_cfb.c2006-04-17
> 22:18:11.0 -0400
> @@ -191,18 +191,20 @@
> }
>
> /* N.B. This expects the input to be packed, MS bit first */
> -void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
> +void
> +AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
> const unsigned long length, const AES_KEY *key,
> unsigned char *ivec, int *num, const int enc)
> {
> unsigned int n;
> unsigned char c[1],d[1];
> +unsigned long length_in_bits = length * 8;
>
> assert(in && out && key && ivec && num);
> assert(*num == 0);
>
> memset(out,0,(length+7)/8);
> -for(n=0 ; n < length ; ++n)
> +for(n=0 ; n < length_in_bits ; ++n)
> {
> c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
> AES_cfbr_encrypt_block(c,d,1,key,ivec,enc);
the problem here is that that EVP layer specifies the length of the
input in bytes whereas this functions expects the length in bits
(although is not clearly specified somewhere).
> diff -ur openssl-SNAP-20060415/crypto/evp/e_des.c
> openssl-SNAP-20060415.changed/crypto/evp/e_des.c
> --- openssl-SNAP-20060415/crypto/evp/e_des.c 2004-03-28 13:00:11.0
> -0500
> +++ openssl-SNAP-20060415.changed/crypto/evp/e_des.c 2006-04-17
> 22:17:39.0 -0400
> @@ -109,8 +109,9 @@
> {
> unsigned int n;
> unsigned char c[1],d[1];
> +unsigned int inl_bits = inl * 8;
>
> -for(n=0 ; n < inl ; ++n)
> +for(n=0 ; n < inl_bits ; ++n)
> {
> c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
> DES_cfb_encrypt(c,d,1,1,ctx->cipher_data,(DES_cblock *)ctx->iv,
agree, with this one.
Cheers,
Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1317] thers is a bug in openssl0.9.8a
wrote: > I have founded a bug in openssl 0.9.8.a! > when used EVP_des_ede3_cbc algorithm > > used > EVP_DecryptInit(KCtx->ctx, KCtx->enc, KCtx->keystr, KCtx->iv); > > EVP_DecryptUpdate(KCtx->ctx, pbData, (int *)pdwDataLen, p, len); > EVP_DecryptUpdate(KCtx->ctx, pbData, (int *)pdwDataLen, p, len); > EVP_DecryptUpdate(KCtx->ctx, pbData, (int *)pdwDataLen, p, len); > EVP_DecryptUpdate(KCtx->ctx, pbData, (int *)pdwDataLen, p, len); > > EVP_DecryptFinal(KCtx->ctx, &(pbData[*pdwDataLen]), &lastlen); > *pdwDataLen += lastlen; could you send us a sample programm ? I'm not sure what you're really doing (and what should be the bug in openssl). Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1316] pkcs12 - deref before null check
this is already fixed in the cvs. Please try a recent snapshot. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1191] [PATCH] Pre-Shared Key Ciphersuites for OpenSSL
has been included in the cvs head => ticket closed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1279] OpenSSL 0.9.8a segfaults in SSL_CTX_load_verify_locations()
ticket closed as it seems to be a bug in the libc.so and not in openssl Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1293] T1_lib.c code does not compile with NO_EC
fix applied. Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1279] OpenSSL 0.9.8a segfaults in SSL_CTX_load_verify_locations()
[guest - Tue Feb 7 07:16:34 2006]: > Here's the certificate bundle file for reproducing this issue. using the gcc 3.4.2 on 64 bit Solaris 8 box I could reproduce your problem. Somewhat strange however is that when I replace the call to the standard qsort() function in crypto/stack/stack.c with an own implementation of the qsort() function everything seems to work. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1289] [PATCH] Making openssl-0.9.8a endian-safe on Intel Macs
problem already solved => ticket closed Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1289] [PATCH] Making openssl-0.9.8a endian-safe on Intel Macs
Markus Hardt via RT wrote: >>Markus Hardt via RT wrote: >> >>>Unfortunately, I wasn't able to compile openssl-0.9.8-stable- >>>SNAP-20060311 at all. Attached you'll find the log "make" produced. >> >>... >> >>>/usr/bin/ld: Undefined symbols: >>>_X509_STORE_set1_param >>>_X509_VERIFY_PARAM_free >>>_ASN1_generate_nconf >> >>... >> >>as these are symbols which are new in 0.9.8, could it be >>that your linker tries to use the 0.9.7 lib ? > > > Yes, that could be the case as I have a fink installation up and > running that includes 0.9.7i. But shouldn't the linker be configured > so that it uses the local object files? well did you configure openssl to build a shared or a static library ? In case of the latter have a look at the PROBLEM file. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1289] [PATCH] Making openssl-0.9.8a endian-safe on Intel Macs
Markus Hardt via RT wrote: > Unfortunately, I wasn't able to compile openssl-0.9.8-stable- > SNAP-20060311 at all. Attached you'll find the log "make" produced. ... > /usr/bin/ld: Undefined symbols: > _X509_STORE_set1_param > _X509_VERIFY_PARAM_free > _ASN1_generate_nconf ... as these are symbols which are new in 0.9.8, could it be that your linker tries to use the 0.9.7 lib ? Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1289] [PATCH] Making openssl-0.9.8a endian-safe on Intel Macs
Markus Hardt via RT wrote: > Hi! > > The script "Configure" assumes that darwin-i386 is a big endian > architecture. That's wrong. ;-) > > Here is a patch to solve that. could you please test a recent snapshot from the 0.9.8-stable branch. This bug should already be fixed. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1283] force C locale when using [a-z] in sed expressions
patch applied. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1287] Bug in crypto/rc2/rc2speed.c
fix applied. Please test a new snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1285] Make test error on MacIntel(2)
fixed in the cvs Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1284] Make test error on MacIntel
fixed in the cvs Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1280] typos
fixed, thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1217] OpenSSL 0.9.8 won't compile without SSLv2
should be fixed now, please try a recent snapshot Thanks for the report, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1269] Bug in AES_ctr128_encrypt
hmm, the bug is in your example. AES_ctr128_encrypt() is its own inverse so applying AES_ctr128_encrypt() twice (we the _same_ key) should give you the original input => instead of AES_set_decrypt_key() for the second call use AES_set_encrypt_key() for both function calls. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1270] BN_get_negative != BN_is_negative
fixed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1266] openssl prime 2
should be fixed, please test a recent snapshot Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1266] openssl prime 2
should be fixed, please test a recent snapshot Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1223] make test fails on some systems in 0.9.8a
via RT wrote: ... > On a SuSE 9.0 machine, however, with gcc 3.3.1 and glibc 2.3.2 "make > test" deadlocks after: > > The following command should have some OK's and some failures > There are definitly a few expired certificates > ../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs ../certs/*.pem > ../certs/RegTP-5R.pem: /C=DE/O=Regulierungsbeh\xC8orde f\xC8ur > Telekommunikation und Post/0.2.262.1.10.7.20=1/CN=5R-CA 1:PN > error 10 at 0 depth lookup:certificate has expired > OK > ../certs/RegTP-6R.pem: /C=DE/O=Regulierungsbeh\xC8orde f\xC8ur > Telekommunikation und Post/0.2.262.1.10.7.20=1/CN=6R-Ca 1:PN > error 10 at 0 depth lookup:certificate has expired > OK > ../certs/argena.pem: OK > ../certs/argeng.pem: OK > ../certs/eng1.pem: OK > ../certs/eng2.pem: OK > ../certs/eng3.pem: OK > ../certs/eng4.pem: OK > ../certs/eng5.pem: OK > ../certs/thawteCb.pem: OK > ../certs/thawteCp.pem: OK > ../certs/vsign1.pem: OK > ../certs/vsign3.pem: OK > ../certs/vsignss.pem: OK > ../certs/wellsfgo.pem: OK > > The process does not consume any CPU time, it just blocks. if you build openssl with "-O2" instead of the default "-O3" it should work (at least it works for me) ... looks like a compiler bug. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1206] FTP USER Authentication
[EMAIL PROTECTED] via RT wrote: > We use DES encryption algorithm.When the user try to add an user with > the password 12345678 ,user couldn't login. So itried printing the DES > decrypted password, it returns junk password. Since it is junk user > couldn't login. Basically we maintain a file which will have the list of > users added and their password, this is a junk user couldn't login as I still don't know what you are doing (an example source code showing the bug would be very helpful !) => it's still not really possible to help you. Anyway this sounds more like a bug in your application than a bug in the openssl code. Cheers, Nils PS: you need to reply to [EMAIL PROTECTED] as otherwise the message is not appended to the ticket. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1206] FTP USER Authentication
[EMAIL PROTECTED] via RT wrote: > Hi > > We have ported the openSSL code for our project.We use SSL to > authenticate the users who use FTP to the controller(which is basically > a printer). We have different groups such as developer, user, designer > etc. each will have access permissions > > I am facing a problem with the DES encryption for a particular password. perhaps you should tell us what kind of problem do you have (otherwise it's more less impossible to help you) ... Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1194] bug in OpenSSL-0.9.8 (and previous versions) in crypto/objects/objects.txt (wrong text against sbgp objects
fixed, please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #683] SSL_CTX_new race condition
the tables are now initialized in SSL_library_init() hence making the lock for load_ciphers unnecessary => case resolved. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #1182] mem leak and minor error checking
fixed, please test a new snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1170] [PATCH] Some sanity checks
Yair Elharrar via RT wrote:
...
> diff -ur openssl-0.9.8-stable-SNAP-20050720\crypto\asn1\tasn_new.c
> openssl-0.9.8-mod\crypto\asn1\tasn_new.c
> --- openssl-0.9.8-stable-SNAP-20050720\crypto\asn1\tasn_new.c Wed May 11
> 06:45:24 2005
> +++ openssl-0.9.8-mod\crypto\asn1\tasn_new.c Wed Jul 20 14:57:44 2005
> @@ -326,8 +326,8 @@
> {
> ASN1_TYPE *typ;
> int utype;
> - const ASN1_PRIMITIVE_FUNCS *pf;
> - pf = it->funcs;
> + const ASN1_PRIMITIVE_FUNCS *pf=NULL;
> + if (it) pf = it->funcs;
>
> if (pf && pf->prim_new)
>return pf->prim_new(pval, it);
> @@ -374,8 +374,8 @@
> void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
> {
> int utype;
> - const ASN1_PRIMITIVE_FUNCS *pf;
> - pf = it->funcs;
> + const ASN1_PRIMITIVE_FUNCS *pf=NULL;
> + if (it) pf = it->funcs;
> if (pf)
>{
>if (pf->prim_clear)
Steve committed a different patch
> diff -ur openssl-0.9.8-stable-SNAP-20050720\crypto\ec\ec_lib.c
> openssl-0.9.8-mod\crypto\ec\ec_lib.c
> --- openssl-0.9.8-stable-SNAP-20050720\crypto\ec\ec_lib.c Sat May 21
> 03:00:42 2005
> +++ openssl-0.9.8-mod\crypto\ec\ec_lib.c Wed Jul 20 15:03:06 2005
> @@ -145,7 +145,7 @@
> {
> if (!group) return;
>
> - if (group->meth->group_clear_finish != 0)
> + if (group->meth && group->meth->group_clear_finish != 0)
>group->meth->group_clear_finish(group);
> else if (group->meth != NULL && group->meth->group_finish != 0)
>group->meth->group_finish(group);
> @@ -728,7 +728,7 @@
> {
> if (!point) return;
>
> - if (point->meth->point_finish != 0)
> + if (point->meth && point->meth->point_finish != 0)
>point->meth->point_finish(point);
> OPENSSL_free(point);
> }
> @@ -738,7 +738,7 @@
> {
> if (!point) return;
>
> - if (point->meth->point_clear_finish != 0)
> + if (point->meth && point->meth->point_clear_finish != 0)
>point->meth->point_clear_finish(point);
> else if (point->meth != NULL && point->meth->point_finish != 0)
>point->meth->point_finish(point);
no, unless something very strange has happened meth cannot be NULL
otherwise, see
http://marc.theaimsgroup.com/?l=openssl-cvs&m=112241132500534&w=2
Thanks,
Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
[openssl.org #1170] [PATCH] Some sanity checks
patch applied, ticket resolved __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1174] ectest and libefence
ectest (with pre-computation) doesn't work when libefence is used __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1163] add a "list-client-ciphers" option to s_server
via RT wrote: > Oops, overlooked the -debug option that prints the "Shared ciphers". > > Although, if that < ciphers:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:RC4-MD5:RC4-SHA:AE > S128-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP1 > 024-RC4-SHA:EXP1024-DES-CBC-SHA:EXP-RC4-MD5:EXP-RC2-CBC-MD5>> > really is what firefox offers, why does it fail on EXPORT? > After all, e.g. EXP1024-RC4-SHA appears to be in common with > "openssl ciphers EXPORT"? which openssl version do you use ? I remember having a similar problem some time ago (and I think it has been fixed). Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1159] ./config shared no-deprecated
should be fixed, please test a recent snapshot Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1158] missing options in ca.pod and req.pod
committed. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1156] missing const in manpages
patch applied Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1145] Bug in openssl interactive mode
thanks, I've applied a slightly modified version of your patch; case resolved. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1128] [Fwd: Bug#314465: CA.pl and openssl.cnf default to insecure MD5 digest]
The default digest in 0.9.8 and the cvs head is SHA-1 (we didn't change 0.9.7 as we didn't want to break existing implementations depending on the default digest being MD5). About SHA-256 etc. : they are included in the soon to appear 0.9.8. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #749] bug in engine hw_cswift.c(cswift_rand_bytes) && patch
this should be fixed in current snapshots, please test Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1111] Test passed: OpenSSL 0.9.8 beta 5 on SuSE 9.3
thanks for the report. About the "make test" issue : "make test" should now run without a .rnd file on your platform (the error was caused by problem in rand_unix.c which has been fixed). Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1012] o_str.c searches strings.h even if config with -DNO_STRINGS_H
this should already by fixed in recent snapshots; case resolved Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #816] Bug report: some engines leave dangling DSO* after DSO_free
should be fixed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #825] Patch: cswift engine openssl-0.9.7c
patch applied; please test a recent snapshot Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #972] make:: m486 is depricated
m486 has been replaced with "-march=i486"; case closed. thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1049] Configure: GCC x86: option -m486 deprecated
patch applied Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #817] ENHANCEMENT FAQ
I've updated the FAQ; case resolved. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #878] OpensslSsl2MasterkeyBo: OpenSSL SSL2 master key buffer overflow
see http://www.openssl.org/news/vulnerabilities.html Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #697] bn->top related bug fixes
this should be fixed in 0.9.8 . please test a recent snapshot from the 0.9.8 branch (or a beta release). Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1005] about a result of 'openssl ciphers'
should be fixed; please try a new snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #836] SSL_CTX_set_cipher_list() in OpenSSL 0.9.7c under Linux
should be fixed. please test a new snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1087] Memory leak - OpenSSL 0.9.7g
ok, ticket resolved. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1088] bug: SSL_load_client_CA_file always leaves errors in the error queue
ok, I've committed a fix with which SSL_load_client_CA_file should clear the error queue on success. Please test a recent snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #1087] Memory leak - OpenSSL 0.9.7g
Karim Sharif via RT wrote:
> Hello,
>
> I would like to report a memory leak in SSL_connect(). Following code
> sample was check for memory leaks
> using "Purify" and show a 13K leak in SSL_connect().
did you read the "* I think I've detected a memory leak, is this a bug?"
item in the FAQ ?
Didn't purify give you a somewhat more precise description where
the mem leak is ?
...
> peer = SSL_get_peer_certificate(servercon);
> if (peer != NULL) {
> memset(sname, 0, sizeof(sname));
> X509_NAME_oneline(X509_get_subject_name(peer), sname, 400);
>
> memset(iname, 0, sizeof(iname));
> X509_NAME_oneline(X509_get_issuer_name(peer), iname, 400);
>
> memset(peerCN, 0, sizeof(peerCN));
> X509_NAME_get_text_by_NID(X509_get_subject_name(peer), 13,
> peerCN, 256);
> }
>
> SSL_free(servercon);
> SSL_CTX_free(ssl_ctx);
at least a "X509_free(peer);" is missing here, as SSL_get_peer_certificate
increases the reference counter of the X509 object.
> return 1;
> }
Cheers,
Nils
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
[openssl.org #1072] Assertion failure in bn_div_words (bn_asm.c)
The correct assertion should be assert((i == BN_BITS2) || (h <= (BN_ULONG)1
[openssl.org #1078] OpenSSL 0.9.8-stable-SNAP-20050523 doesn't build with no-aes
I've committed a fix for "no-aes", please test a new snapshot. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1064] [patch] fix pointer truncating in ssl/ssltest.c
patch applied. Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1061] [Fwd: Bug#240072: openssl: "engine dynamic -pre" segfaults]
thanks, should be fixed in a new snapshot. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #1054] [Fwd: Bug#290271: openssl: typo in manpage CA.pl.1]
fixed Thanks, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #921] SSL Library Error: 336131157
the blinding code in openssl 0.9.8 has been updated to include something similar. please test a recent snapshot. Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #555] RSA blinding MT patch
I've committed something similar to 0.9.8, see [1]. Please try a recent snapshot. [1] http://marc.theaimsgroup.com/?l=openssl-cvs&m=111455472305028&w=2 Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #827] bug in RSA_blinding_on method
fixed in 0.9.8 Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
[openssl.org #785] bug in RSA blinding code [WAS: Re: Seg fault in BN_mod_exp]
this should be fixed in 0.9.8 Cheers, Nils __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
