Any more showstoppers?
OK, I want to know if there's anything more for me to worry about, or can I release 0.9.8 tonight? You have 12 hours (until 19:30, GMT+0200) to try to stop me :-). If I receive no message saying I should release 0.9.8, I will at that time.

That means the developers also have that time to fix small remaining bugs. Be careful though, so we don't break OpenSSL on some platforms in the last minute.

Cheers,
Richard

Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

"When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up."
-- C.S. Lewis
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
[openssl.org #1137] pem.h-definitions in 0.9.8-stable-SNAP-20050624
I'm resolving this ticket.

[levitte - Sat Jun 25 00:05:02 2005]:

> [EMAIL PROTECTED] - Fri Jun 24 18:23:09 2005]:
>
> > If I compile Apache 2.0.54 with beta6 or the latest snapshot, I have to
> > correct the usage of PEM_F_DEF_CALLBACK to PEM_F_PEM_DEF_CALLBACK
> > (defined in pem.h).
> >
> > The naming of the constants has changed with 0.9.8 and breaks
> > compatibility with "top" applications like Apache httpd.
>
> The naming in 0.9.7 was a mistake from a naming scheme point of view.
>
> > Is this a bug or a feature? It might confuse quite some users when
> > starting to compile with 0.9.8...
>
> It is a bug correction, although cosmetic.

--
Richard Levitte
[openssl.org #1136] 0.9.8-beta6 on DJGPP
This got fixed. Ticket resolved.

[levitte - Sat Jun 25 00:09:24 2005]:

> With gcc on Linux (and I assume since it's gcc, that'll go for more or
> less all 32-bit architectures it runs on), I get a warning when changing
> %u to %lu, so it seems to me that whatever is done, someone loses.
>
> Of course, I could make that a DJGPP special...
>
> [EMAIL PROTECTED] - Fri Jun 24 18:21:58 2005]:
>
> > I sent the following on 21 June, but I don't see where it actually made
> > it to the list or to the archives. Sorry if it turns out to be a
> > duplicate.
> >
> > The beta6 of openssl 0.9.8 compiles, tests, and installs on DJGPP
> > without any problems that I see. There is just one warning during the
> > compilation, at apps/passwd.c:
> >
> > gcc -DMONOLITH -I.. -I../include -I/dev/env/WATT_ROOT/inc -DTERMIOS
> > -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
> > -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
> > -DAES_ASM -c -o passwd.o passwd.c
> > passwd.c: In function `do_passwd':
> > passwd.c:477: warning: unsigned int format, long unsigned int arg (arg 3)
> >
> > Doug

--
Richard Levitte
[openssl.org #1143] pkg-config files for each lib
[levitte - Tue Jul 5 06:48:27 2005]:

> [guest - Thu Jun 30 00:15:54 2005]:
>
> > with the single "openssl.pc" pkg-config file we can only
> > link with -lcrypto -lssl -ldl. it would be better to provide
> > a libcrypto.pc and a libssl.pc so we can create apps and libs,
> > that link with libcrypto only.
> [...]
> Either way, I like the idea. I'm just now checking that my change
> works, then I'll commit.

Added. Ticket resolved.

--
Richard Levitte
[openssl.org #1143] pkg-config files for each lib
[guest - Thu Jun 30 00:15:54 2005]:

> with the single "openssl.pc" pkg-config file we can only
> link with -lcrypto -lssl -ldl. it would be better to provide
> a libcrypto.pc and a libssl.pc so we can create apps and libs,
> that link with libcrypto only.

You do realise that libssl.pc will have exactly the same information as openssl.pc, right?

Either way, I like the idea. I'm just now checking that my change works, then I'll commit.

--
Richard Levitte
Re: Why the *hell*???
In message <[EMAIL PROTECTED]> on Mon, 4 Jul 2005 22:29:54 +0200, "Dr. Stephen Henson" <[EMAIL PROTECTED]> said:

steve> On Mon, Jul 04, 2005, Richard Levitte - VMS Whacker wrote:
steve>
steve> > Can anyone tell me why the hell CA.pl puts both the private
steve> > key and the CSR in newreq.pem? Shouldn't they be *separate*?
steve>
steve> None except that the CA.sh script it was a translation of did
steve> the same.

I take it you don't mind if I make a slight change to how things are done, then :-). Say welcome to our new born file, newkey.pem.

Cheers,
Richard

--
Richard Levitte
Why the *hell*???
Can anyone tell me why the hell CA.pl puts both the private key and the CSR in newreq.pem? Shouldn't they be *separate*?

I'm baffled.

Cheers,
Richard

--
Richard Levitte
Re: Considering SSL and Cryto libraries for LSB
In message <[EMAIL PROTECTED]> on Wed, 29 Jun 2005 22:05:07 -0700, Dan Kegel <[EMAIL PROTECTED]> said:

dank> http://www.gnu.org/software/gnutls/
dank> exposes two APIs: the OpenSSL api (I gather?), and its own.

About the OpenSSL API, this page answers part of the question.

http://www.gnu.org/software/gnutls/reference/gnutls-openssl.html

The rest of the answer is in gnutls/openssl.h. They expose some structures to remain compatible with the way OpenSSL currently works, so it's basically a compatibility that's as stripped down as possible.

For the rest of GnuTLS, they seem to expose very little, from what I can gather by looking at the public header files.

dank> If so, perhaps that might provide a way forward: apps that need
dank> a stable interface can use the gnutls api (which openssl could
dank> provide as a wrapper); everyone else could use the openssl api
dank> (which gnutls seems to provide as a wrapper, unless I misread
dank> the docs).

It's a path. Just a small warning about license politics:

According to http://www.gnu.org/software/gnutls/gnutls.html, the GnuTLS core library is licensed under the LGPL. Looking at the header files, it looks like there's a mix of GPL and LGPL, and among others, their openssl.h is under the GPL (something I find very interesting). This may have changed with later versions...

Cheers,
Richard

--
Richard Levitte
Re: make test still failing
In message <[EMAIL PROTECTED]> on Wed, 29 Jun 2005 22:07:04 -0700, Rodney Thayer <[EMAIL PROTECTED]> said:

rodney> with openssl-0.9.8-beta6, on fedora core 3 on an intel box,
rodney> for example:
rodney>
rodney>    "./config no-shared no-idea no-rc5 -d" FAILS

Does it still fail in the same place (the EC test)? In that case, would you mind running it manually under a debugger (since it's the debug target that fails, it should be quite possible :-))? It should be quite easy, you do it like this:

    cd test; ../util/shlib_wrap.sh gdb ectest

then stop it when it starts looping, get the traceback and send it to us.

If it's a new failure, please tell us what it is and a log.

One detail: did the build go through with no warnings (I assume it came through without errors :-))? If there are warnings, maybe they can give us a hint as well. In that case, I'd appreciate a complete build log (doesn't need to include the test run).

--
Richard Levitte
Re: Considering SSL and Cryto libraries for LSB
In message <[EMAIL PROTECTED]> on Wed, 29 Jun 2005 17:44:38 -0700, "Banginwar, Rajesh" <[EMAIL PROTECTED]> said:

rajesh.banginwar> Do you or anyone on this project have data
rajesh.banginwar> suggesting which APIs are candidates for LSB
rajesh.banginwar> inclusion both from demand and stability point of
rajesh.banginwar> view?

Quick answer, solely based on the header files and looking for the parts that do not expose their structures:

EC, ECDH, ECDSA (although it exposes the signature structure, but I think that one's standardised), pqueue, UI.

ENGINE should also be here even though there are some exposed structures. Those structures are fairly well defined and are not subject to change soon, as far as I can predict.

Quite honestly, even though I'm quite an enthusiastic OpenSSL developer for years and have been for years (since it started, really), I can't really recommend OpenSSL as an LSB candidate from that point of view, as it stands today. Every "major upgrade" (which we define as a change of x in 0.9.x) has had some kind of incompatibility with previous versions.

Cheers,
Richard

--
Richard Levitte
[openssl.org #1105] DTLS HelloVerifyRequest PATCH
[EMAIL PROTECTED] - Wed Jun 29 17:43:06 2005]:

> > So the bug report can be removed, right?
>
> Yes, the report can be removed. It is not a bug.

Thanks. Ticket resolved.

--
Richard Levitte
Re: Missing documentation
In message <[EMAIL PROTECTED]> on Wed, 29 Jun 2005 06:42:59 +0200, Karsten Ohme <[EMAIL PROTECTED]> said:

widerstand> will there be some day, when the OpenSSL source code
widerstand> is documented in a some way? In all source files,
widerstand> explanations to the functions, the parameters and comments
widerstand> in the code what is done are missing.

We're well aware the documentation is lacking. We are adding some all the time. I wish we had the possibility to do *only* that for a while, but that's not what reality looks like.

In the Open Source spirit, there's nothing stopping you from helping out. In a completely different project, I just learned a key phrase: patches are welcome!

widerstand> OpenSSL is the only wide available possibility for a
widerstand> crypto library with this functionality but it would not,
widerstand> if there would be a more user friendly alternative. Can
widerstand> somebody advice a alternative crypto and x509 library?

CryptLib (http://www.cs.auckland.ac.nz/~pgut001/cryptlib/)
Crypto++ (http://www.eskimo.com/~weidai/cryptlib.html)
Botan (http://botan.randombit.net/)
GnuTLS (http://www.gnu.org/software/gnutls/)

There are probably more. I stick for OpenSSL, but hey, I'm a developer :-).

Cheers,
Richard

--
Richard Levitte
Re: make test still failing
In message <[EMAIL PROTECTED]> on Tue, 28 Jun 2005 09:29:54 -0700, Rodney Thayer <[EMAIL PROTECTED]> said:

rodney> 'make test' never works. in the EC test, it runs a long time
rodney> (tracing the output gives multiple gigabytes of text, it seems
rodney> to take on the order of an hour or more). the failure is a
rodney> memory fault of some kind. After I confirm this isn't a known
rodney> problem I'll run it again and post the last bit of the
rodney> output.

We will also need to know exactly how you configured it, and what the configuration output was.

Cheers,
Richard

--
Richard Levitte
Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/ssl/ ssltest.c
In message <[EMAIL PROTECTED]> on Tue, 28 Jun 2005 15:27:53 +0200 (CEST), "Ben Laurie" <[EMAIL PROTECTED]> said:

ben> Log:
ben> Did you know it was wrong to use a char as an array index?

It isn't if you know what you're doing. However, when things like isspace() are implemented using an array, you will get surprising results if you feed it a signed char with the high bit set.

Cheers,
Richard

--
Richard Levitte
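The effect described in the reply above, as an added example that is not part of the original thread or of OpenSSL: it shows the index a table-based classifier receives when a byte with the high bit set is taken as a signed char, next to the conversion that keeps the index inside the table. The table, the function names and the sample bytes are constructed for this illustration.

```c
/* Added example: why a plain char must be converted to unsigned char
 * before it is used as a table index or passed to a <ctype.h> function.
 * All names and sample bytes are constructed for this illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* A 256-entry classification table, the layout many C libraries use
 * behind isspace() and friends: one slot per unsigned char value. */
static const unsigned char space_table[256] = {
    [' '] = 1, ['\t'] = 1, ['\n'] = 1, ['\v'] = 1, ['\f'] = 1, ['\r'] = 1
};

/* Index produced when the byte is treated as a signed char and promoted
 * to int, which is what happens where plain char is a signed type. */
int naive_index(char c)
{
    return (int)(signed char)c;
}

/* Index produced after converting to unsigned char first, the range
 * the <ctype.h> functions are specified for. */
int safe_index(char c)
{
    return (int)(unsigned char)c;
}

/* Bounds-checked lookup so the example never reads outside the table:
 * returns 1 or 0 for a valid index and -1 for an out-of-range one. */
int table_lookup(int idx)
{
    if (idx < 0 || idx > 255)
        return -1;
    return space_table[idx];
}

/* Hardened caller: number of leading whitespace bytes in buf. */
size_t skip_space(const char *buf, size_t len)
{
    size_t i = 0;

    while (i < len && isspace((unsigned char)buf[i]))
        i++;
    return i;
}

int main(void)
{
    /* Constructed input: space, tab, byte 0xE9 (high bit set), 'x'. */
    const char sample[] = " \t\xE9" "x";
    char high = sample[2];

    printf("naive index %d, lookup result %d\n",
           naive_index(high), table_lookup(naive_index(high)));
    printf("safe index %d, lookup result %d\n",
           safe_index(high), table_lookup(safe_index(high)));
    printf("leading whitespace bytes: %lu\n",
           (unsigned long)skip_space(sample, sizeof(sample) - 1));
    return 0;
}
```

An unchecked table would be read 23 slots before its start for the byte 0xE9, which is the "surprising result" the reply refers to.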
Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/crypto/bn/ bn_nist.c
Ben, you committed four non-FIPS changes to 0.9.8-stable only. Are you going to commit them to HEAD as well?

Cheers,
Richard

--
Richard Levitte
Re: ASN.1 error message in OpenSSL v0.9.7d
In message <[EMAIL PROTECTED]> on Tue, 28 Jun 2005 10:26:38 +0200, Nils Larsch <[EMAIL PROTECTED]> said:

nlarsch> asn1parse doesn't support "txt" input just der or pem

The help says it does. I'll fix that.

Cheers,
Richard

--
Richard Levitte
Re: [openssl.org #1105] DTLS HelloVerifyRequest PATCH
In message <[EMAIL PROTECTED]> on Sat, 25 Jun 2005 02:30:40 -0700, nagendra modadugu <[EMAIL PROTECTED]> said:

nagendra> It turns out that the Version field was omitted from the
nagendra> HelloVerify message in the internet draft. The document
nagendra> will be corrected.

So the bug report can be removed, right?

(and *please* keep [EMAIL PROTECTED] among the recipients. It's quite hard to follow history in the database when people keep skipping that address)

Cheers,
Richard

--
Richard Levitte
Still a few issues. Release delayed...
Hi,

The release is delayed again. There are a couple of issues that I think need to be checked. I hope we'll be through with this in a week.

Cheers,
Richard

--
Richard Levitte
Re: Openssl-snap-20050624 (0.9.8) works on Stratus VOS
In message <[EMAIL PROTECTED]> on Fri, 24 Jun 2005 16:57:14 -0400, "Green, Paul" <[EMAIL PROTECTED]> said:

Paul.Green> I've built and run the self-tests for
Paul.Green> openssl-SNAP-20050624.tar.gz on Stratus VOS, using gcc, on
Paul.Green> both hardware platforms (PA-RISC and Intel IA32). Works
Paul.Green> just fine. Thanks a million!

Thank *you*! Result noted.

Cheers,
Richard

--
Richard Levitte
Re: Release delayed a few days - 20050624 Success with Mac OS X 10.4.1
In message <[EMAIL PROTECTED]> on Fri, 24 Jun 2005 08:58:29 -0700, Rush Manbert <[EMAIL PROTECTED]> said:

rush> Just tried again with 20050624 snapshot. It built just fine and
rush> successfully ran all the tests.

Great! Thanks! Noted.

Cheers,
Richard

--
Richard Levitte
Re: [openssl.org #1135] 0.9.8-beta7-dev and DJGPP
In message <[EMAIL PROTECTED]> on Fri, 24 Jun 2005 14:50:53 +0200, Corinna Vinschen <[EMAIL PROTECTED]> said:

vinschen> On Jun 24 14:29, [EMAIL PROTECTED] via RT wrote:
vinschen> >
vinschen> > The OpenSSL 0.9.8-stable snapshot from 24 June 2005 configures,
vinschen> > builds, tests, and installs without problem on DJGPP.
vinschen>
vinschen> Same for Cygwin.

Thanks. Noted.

Cheers,
Richard

--
Richard Levitte
[openssl.org #1135] 0.9.8-beta7-dev and DJGPP
Great! Thanks! Ticket resolved.

[EMAIL PROTECTED] - Fri Jun 24 14:29:00 2005]:

> The OpenSSL 0.9.8-stable snapshot from 24 June 2005 configures,
> builds, tests, and installs without problem on DJGPP. The default cert
> file and directory also work as expected, whether or not
> SSL_CERT_FILE and SSL_CERT_DIR are defined in the environment.
>
> Thanks.
> Doug

--
Richard Levitte
[openssl.org #1136] 0.9.8-beta6 on DJGPP
With gcc on Linux (and I assume since it's gcc, that'll go for more or less all 32-bit architectures it runs on), I get a warning when changing %u to %lu, so it seems to me that whatever is done, someone loses.

Of course, I could make that a DJGPP special...

[EMAIL PROTECTED] - Fri Jun 24 18:21:58 2005]:

> I sent the following on 21 June, but I don't see where it actually made
> it to the list or to the archives. Sorry if it turns out to be a
> duplicate.
>
> The beta6 of openssl 0.9.8 compiles, tests, and installs on DJGPP
> without any problems that I see. There is just one warning during the
> compilation, at apps/passwd.c:
>
> gcc -DMONOLITH -I.. -I../include -I/dev/env/WATT_ROOT/inc -DTERMIOS
> -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
> -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
> -DAES_ASM -c -o passwd.o passwd.c
> passwd.c: In function `do_passwd':
> passwd.c:477: warning: unsigned int format, long unsigned int arg (arg 3)
>
> Doug

--
Richard Levitte
[openssl.org #1137] pem.h-definitions in 0.9.8-stable-SNAP-20050624
[EMAIL PROTECTED] - Fri Jun 24 18:23:09 2005]:

> If I compile Apache 2.0.54 with beta6 or the latest snapshot, I have to
> correct the usage of PEM_F_DEF_CALLBACK to PEM_F_PEM_DEF_CALLBACK
> (defined in pem.h).
>
> The naming of the constants has changed with 0.9.8 and breaks
> compatibility with "top" applications like Apache httpd.

The naming in 0.9.7 was a mistake from a naming scheme point of view.

> Is this a bug or a feature? It might confuse quite some users when
> starting to compile with 0.9.8...

It is a bug correction, although cosmetic.

--
Richard Levitte
[openssl.org #1138] User data field needed in X509_STORE structure
[EMAIL PROTECTED] - Fri Jun 24 18:23:27 2005]:

> Sometimes it is needed to do something with errors during X.509
> certificate validation. For example, collect all error messages
> in some memory space.
>
> Unfortunately, verify callback function only takes preverify status
> and a pointer to X509_STORE structure. If this structure had some
> "void* userdata" field - it would be possible to do it without using
> global variables.

Use the ex_data structure. Some very simple code to get an appropriate index, store data and retrieve it:

    #include <stdlib.h>
    #include <openssl/x509_vfy.h>

    /* Called by OpenSSL when the X509_STORE_CTX is freed; releases the item. */
    void X509_user_data_ex_free(void *obj, void *item, CRYPTO_EX_DATA *ad,
                                int ind, long argl, void *argp)
    {
        free(item);
    }

    /* Allocates the ex_data index on first use, then returns the same index. */
    int X509_user_data_index()
    {
        static int index = -1;
        if (index == -1) {
            index = X509_STORE_CTX_get_ex_new_index(0, "X509 Store", NULL, NULL,
                                                    X509_user_data_ex_free);
        }
        return index;
    }

    /* Store */
    X509_STORE_CTX_set_ex_data(ctx, X509_user_data_index(), your_data);

    /* Retrieve */
    your_data = X509_STORE_CTX_get_ex_data(ctx, X509_user_data_index());

Case dismissed.

--
Richard Levitte
Re: typos in enc manual page?!
In message <[EMAIL PROTECTED]> on Fri, 24 Jun 2005 01:02:55 +0200, Steffen Pankratz <[EMAIL PROTECTED]> said:

kratz00> Hi
kratz00>
kratz00> from the enc man page -> SUPPORTED CIPHERS
kratz00>
kratz00> rc5-cbc    RC5 cipher in CBC mode
kratz00> rc5        Alias for rc5-cbc
kratz00> rc5-cfb    RC5 cipher in CBC mode
[...]

Thanks, I've committed a change.

Cheers,
Richard

--
Richard Levitte
Release delayed a few days...
Hi all,

Due to a number of last minute reports, the final release of OpenSSL 0.9.8 is delayed a few days to give the affected people a chance to test that the corrections done do fix things as expected.

So please, if you have sent in a report about something failing with one of the 0.9.8 betas, grab a snapshot (tomorrow's, i.e. openssl-0.9.8-stable-SNAP-20050624.tar.gz or later) and try it, to confirm that we fixed your problem and didn't create new ones.

And if anyone else wants to run a test, just to see that we didn't break anything on your platform, please do so.

In all cases, please tell us how it went, so we know. Same channel as before.

I plan to do the final release on Sunday (26th) or Monday (27th) evening, Swedish time, so time is of the essence.

Thanks,
Richard

--
Richard Levitte
[openssl.org #1123] 0.9.8-beta6 compile error
Thanks for the report. I've committed a fix. Ticket resolved.

[EMAIL PROTECTED] - Tue Jun 21 15:24:02 2005]:

> beta6 doesn't compile on XP with
> set OPTS=no-asm no-engine no-krb5 no-hw
>
> str_lib.c
> .\crypto\store\str_lib.c(62) : fatal error C1083: Cannot open include
> file: 'openssl/engine.h': No such file or directory
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
>
> Removing #include from store\str_lib.c, or using
> #ifndef OPENSSL_NO_ENGINE temporarily solve the problem.
>
> Next compile end with:
> e_4758cca.c
> .\engines\e_4758cca.c(62) : fatal error C1083: Cannot open include
> file: 'openssl/engine.h': No such file or directory
> NMAKE : fatal error U1077: 'cl' : return code '0x2'
> Stop.
> Thanks,
> -cipo

--
Richard Levitte
[openssl.org #1125] Bug-report: namespace clash with Solaris crypt.h
OK, the definition of des_crypt() is disabled. Ticket resolved.

[EMAIL PROTECTED] - Wed Jun 22 13:25:46 2005]:

> Hello,
>
> Hans Meine has (re-)discovered the following name-clash on Solaris 8
> (SunOS 5.8):
>
> [EMAIL PROTECTED]:/software/cyrus-sasl-2.1.21/source/cyrus-sasl-2.1.21/build-SunOS-5.8/saslauthd
> -> make
> gmake all-am
> gmake[1]: Entering directory
> `/software/cyrus-sasl-2.1.21/source/cyrus-sasl-2.1.21/build-SunOS-5.8/saslauthd'
> source='../../saslauthd/auth_getpwent.c' object='auth_getpwent.o' libtool=no \
> depfile='.deps/auth_getpwent.Po' tmpdepfile='.deps/auth_getpwent.TPo' \
> depmode=gcc /bin/bash ../../saslauthd/config/depcomp \
> gcc -DHAVE_CONFIG_H
> -DSASLAUTHD_CONF_FILE_DEFAULT=\"/software/cyrus-sasl-2.1.21/etc/saslauthd.conf\"
> -I. -I../../saslauthd -I.. -I. -I../../saslauthd -I.
> -I../../saslauthd/include -I./include -I../../saslauthd/../include
> -I/software/openssl-0.9.7g/SunOS-5.8/include -g -O2 -c `test -f
> '../../saslauthd/auth_getpwent.c' || echo
> '../../saslauthd/'`../../saslauthd/auth_getpwent.c
> In file included from ../../saslauthd/auth_getpwent.c:53:
> /usr/include/crypt.h:22: parse error before `('
> /usr/include/crypt.h:22: parse error before `const'
> gmake[1]: *** [auth_getpwent.o] Error 1
> gmake[1]: Leaving directory
> `/software/cyrus-sasl-2.1.21/source/cyrus-sasl-2.1.21/build-SunOS-5.8/saslauthd'
> gmake: *** [all] Error 2
>
> The reason here is that
>
> /software/openssl-0.9.7g/SunOS-5.8/include/openssl/des_old.h
>
> defines (in line 174)
>
> #define des_crypt(b,s)\
> DES_crypt((b),(s))
>
> which lead to
>
> extern char * DES_crypt(( const char * ),( const char * )) ;
>
> in /usr/include/crypt.h:22
>
> This seems to be a reasonably well known issue, see e.g.
>
> http://www.opensubscriber.com/message/cyrus-[EMAIL PROTECTED]/1505445.html
> http://www.google.com/search?q=crypt.h+solaris+des_old.h
>
> Greetings
>
> Sven Utcke

--
Richard Levitte
[openssl.org #1127] openssl-0.9.8-beta6: two minor problem man pages during install
Fixed. Thanks for notifying. Ticket resolved.

[EMAIL PROTECTED] - Wed Jun 22 13:26:19 2005]:

> During installation:
>
> installing man3/OPENSSL_Applink.3
> ../../util/pod2man.pl: Improper man page - no dash in NAME header in
> paragraph 3 of OPENSSL_Applink.pod
> .3 => OPENSSL_Applink.3
>
> installing man3/OPENSSL_ia32cap.3
> ../../util/pod2man.pl: Improper man page - no dash in NAME header in
> paragraph 3 of OPENSSL_ia32cap.pod
> .3 => OPENSSL_ia32cap.3

--
Richard Levitte
[openssl.org #1122] [PATCH] ssl_lib.c compilation fails on Diab Data compiler
Glad to hear you hate faulty compilers. I've added a patch that comments the argument names and a comment that explains it. Ticket resolved. [EMAIL PROTECTED] - Wed Jun 22 16:55:12 2005]: > Yep, that's the only place. > I hate DCC too... > > > -Original Message- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Richard > Levitte via RT > Sent: Wednesday, June 22, 2005 5:46 PM > To: Yair Elharrar > Cc: openssl-dev@openssl.org > Subject: [openssl.org #1122] [PATCH] ssl_lib.c compilation fails on >Diab > Data compiler > > > > Ugh > > Is that the only place? We have more functions that return function > pointers, so I'm a bit baffled this would be the only place your > (buggy) compiler chokes on... > > [EMAIL PROTECTED] - Tue Jun 21 11:29:13 2005]: > > > Diab Data DCC compiler chokes on ssl_lib.c. Here's a patch. > > > > diff -ur ssl\ssl_lib.c modssl\ssl_lib.c > > --- ssl\ssl_lib.c Fri Jun 10 23:05:38 2005 > > +++ modssl\ssl_lib.c Mon Jun 20 09:34:20 2005 > > @@ -2396,7 +2396,7 @@ > > ssl->info_callback=cb; > > } > > > > -void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int > > type,int val) > > +void (*SSL_get_info_callback(const SSL *ssl))(const SSL *,int ,int >) > > { > > return ssl->info_callback; > > } > > > -- Richard Levitte [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
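Review bot: in the ssl_lib.c hunk at line 2396, the replacement signature `(const SSL *,int ,int )` drops the names `type` and `val` from the returned callback type, so the definition no longer says what the two int arguments carry. Keeping the names as comments, for example `(const SSL * /* ssl */, int /* type */, int /* val */)`, together with a one-line comment that they are left out for the Diab Data compiler, preserves that information without upsetting the compiler; the stray spaces in `int ,int )` should go at the same time. It is also worth checking that the prototype in the header spells the type the same way, since the hunk touches only the definition.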
[openssl.org #1130] [PATCH] OpenSSL 0.9.8 general patches for Stratus VOS
Thanks, applied. I've a few comments further down. Ticket resolved.

[guest - Wed Jun 22 23:26:42 2005]:

> As an editorial comment, I would like to respectfully suggest that in
> the future, platform tests (#ifdef __IA32__) be used to establish
> attributes or qualities, and that the mainline source code test the
> attributes or qualities. The current source code tests __IA32__ and
> related macros for several different reasons (e.g., instruction set,
> endianness, alignment requirements, etc.) Having it test attribute or
> quality names would have been much more transparent.

We do some tests like that, but using OpenSSL specific macros generated from the system name field in the configuration strings. This is because we (or at least I) have run into trouble where different compilers support different sets of flag macros for the same kind of function. It kind of gets out of hand...

--
Richard Levitte
[openssl.org #1129] [PATCH] Update 0.9.8 Configure lines for Stratus VOS
Thanks, patch applied. I will apply the other one as well. Ticket resolved.

[guest - Wed Jun 22 23:04:09 2005]:
> Here are the patches to the OpenSSL 0.9.8-beta5 Configure script for
> Stratus VOS. I've tested them on a Stratus Continuum (PA-RISC) system
> running VOS 14.7.0ax and on the Stratus V Series V400 system (Intel
> IA32) running VOS 15.1.0ah. These changes are sufficient for our
> PA-RISC platform, and they are necessary but not sufficient for the
> Intel IA32 platform.
>
> I'm breaking up the changes into VOS-only changes (this patch) and a
> second patch that VOS IA32 needs but which also affects other
> platforms.
>
> The following is an explanation of these changes for the curious.
>
> I'm dropping support for our "vcc" compiler because it does not
> currently support 64-bit integers. If and when it gains such support,
> I'll restore the lines in Configure.
>
> I'm dropping the explicit specification of the target platform (gcc
> "-b" argument) so that the spec works with both platforms. We don't
> support cross compiling with gcc, so the build has to be run on the
> proper platform anyway.
>
> I'm explicitly defining the B_ENDIAN macro to avoid some assumptions
> in the source code that the Intel IA32 is always Little Endian. We
> have created a gcc that implements a Big Endian environment on the
> IA32; fun stuff. The second patch for VOS will add the actual checks.
>
> I've removed the definition of BN_CTX_DEBUG in the "debug" build
> because we run the self-tests with every build, and if this variable
> is defined we get more than 2 gigabytes of output from the tests. I
> think that only the developer/debugger of the bignum package cares
> about this level of debugging.
>
> Thanks
> PG

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1131] Patch for 0.9.8beta6 by_dir.c
Patch applied and committed on all active branches. Thanks! Ticket resolved. [EMAIL PROTECTED] - Thu Jun 23 11:40:36 2005]: > On April 24th, I wrote to openssl-dev: > > > Also, the function "dir_ctrl" in crypto/x509/by_dir.c looks wrong to > > me. Shouldn't it be checking for the environment variable first, then > > getting the default if no environment variable is specified (the way > > by_file_ctrl does in crypto/x509/by_file.c)? Sorry if I am misreading > > what that function is doing. The code looks the same in 0.9.7 and > > 0.9.8. > > I have done some more testing, and openssl is indeed using certs from > the default directory, even if a different directory is specified > by SSL_CERT_DIR. This patch changes the logic to what we have in > by_file.c. That is, if SSL_CERT_DIR is defined in the environment, > openssl uses it exclusively for the directory of hashed certs. If > SSL_CERT_DIR is not defined, then the default directory is used. > > Since I am in the US, a copy of the patch is being forwarded to the > appropriate US government agencies. > > Doug > > --- crypto/x509/by_dir.c.ori 2004-01-22 14:36:46.0 -0800 > +++ crypto/x509/by_dir.c 2005-06-22 12:09:00.0 -0800 > @@ -122,19 +122,19 @@ > { > case X509_L_ADD_DIR: > if (argl == X509_FILETYPE_DEFAULT) > + dir=(char *)Getenv(X509_get_default_cert_dir_env()); > + if (dir) > + ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); > + else > { > ret=add_cert_dir(ld,X509_get_default_cert_dir(), > X509_FILETYPE_PEM); > + } > if (!ret) > { > X509err(X509_F_DIR_CTRL,X509_R_LOADING_CERT_DIR ); > } > - else > - { > - dir=(char *) Getenv(X509_get_default_cert_dir_env()); > - ret=add_cert_dir(ld,dir,X509_FILETYPE_PEM); > - } > - } > + > else > ret=add_cert_dir(ld,argp,(int)argl); > break; -- Richard Levitte [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
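Review bot: As the hunk reads, the opening `{` that used to follow `if (argl == X509_FILETYPE_DEFAULT)` now follows the added `else`, and the block's closing `}` is on a `-` line, so only the `Getenv()` assignment is governed by the `X509_FILETYPE_DEFAULT` test and the final `else ret=add_cert_dir(ld,argp,(int)argl);` pairs with `if (!ret)`. Put the whole sequence (the `Getenv()` call, the `if (dir)`/`else` pair and the `if (!ret)` error report) inside one braced block under the `X509_FILETYPE_DEFAULT` test, so that a directory passed explicitly in `argp` never goes through the default-directory path. Because `SSL_CERT_DIR` now replaces the default directory outright and therefore decides which hashed certificates are loaded, that precedence should also be stated in the documentation.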
[openssl.org #1133] compile error
What the...? At first sight, it looks like an installation error, but it could also be that header files from two different compiler installations are mixed. I've no clue what to do about this. Can you help?

[EMAIL PROTECTED] - Thu Jun 23 16:20:08 2005]:
>
> making all in ssl...
> gcc -I../crypto -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -fomit-frame-pointer -march=i486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c kssl.c
> In file included from ../include/openssl/bio.h:67,
> from ../include/openssl/ssl.h:179,
> from kssl.c:80:
> /opt/local/lib/gcc-lib/i386-pc-solaris2.8/2.95.3/include/stdarg.h:170: conflicting types for `va_list'
> /usr/include/stdio.h:120: previous declaration of `va_list'
> *** Error code 1
> make: Fatal error: Command failed for target `kssl.o'
> Current working directory /home/pavo/ugai/src/openssl-0.9.8-beta6/ssl
> *** Error code 1
> make: Fatal error: Command failed for target `build_ssl'
> Current working directory /home/pavo/ugai/src/openssl-0.9.8-beta6
> working directory /home/pavo/ugai/src/openssl-0.9.8-beta6
> Running make test...
>
> OpenSSL self-test report:
>
> OpenSSL version: 0.9.8-beta6
> Last change: Correct naming of the 'chil' and '4758cca' ENGINEs. Thi...
> Options: --prefix=/opt/local no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-sse2 no-zlib no-zlib-dynamic
> OS (uname): SunOS pavo 5.8 Generic_117351-24 i86pc i386 i86pc
> OS (config): i86pc-whatever-solaris2
> Target (default): solaris-x86-gcc
> Target: solaris-x86-gcc
> Compiler: gcc version 2.95.3 20010315 (release)
>
> Failure!
> [...]
>
> Test report in file testlog

-- Richard Levitte [EMAIL PROTECTED]
Re: [CVS] OpenSSL: openssl/ Makefile.org openssl/apps/ Makefile openssl/cr...
In message <[EMAIL PROTECTED]> on Thu, 23 Jun 2005 02:03:32 +0200 (CEST), "Andy Polyakov" <[EMAIL PROTECTED]> said:

appro> OpenSSL CVS Repository
appro> http://cvs.openssl.org/
appro>
appro> Server: cvs.openssl.org Name: Andy Polyakov
appro> Root: /v/openssl/cvs Email: [EMAIL PROTECTED]
appro> Module: openssl Date: 23-Jun-2005 02:03:27
appro> Branch: HEAD Handle: 2005062301030323
appro>
appro> Modified files:
appro> openssl Makefile.org
appro> openssl/apps Makefile
appro> openssl/crypto Makefile
appro> openssl/crypto/bio Makefile
appro> openssl/engines Makefile
appro> openssl/test Makefile
appro>
appro> Log:
appro> Jumbo Makfiles update.
appro>
appro> - eliminate ambiguities between GNU-ish and SysV-ish make flavors;
appro> - switch [back] to -e;
appro> - fold/unify rules;
appro>
appro> This is follow-up to the patch introducing common BUILDENV. Idea is
appro> to collect as much parameters in $(TOP) as possible and "strip" lower
appro> Makefiles for most variables [and thus makes them more readable].

Hmm, are you planning on doing this in 0.9.8-stable as well?

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message <[EMAIL PROTECTED]> on Wed, 22 Jun 2005 23:57:29 +1000, "Steven Reddie" <[EMAIL PROTECTED]> said:

smr> Operating system    Configured for                               Compiler
smr> Windows 2000        VC-WIN32                                     MSVC 6.0
smr> Cygwin 1.5.5-1      i686-whatever-cygwin Cygwin                  gcc 3.3.1
smr> Red Hat Linux 9     i686-whatever-linux2 linux-elf               gcc 3.2.2
smr> FreeBSD 4.6         i586-pc-freebsd4.6 BSD-x86-elf               gcc 2.95.3
smr> Solaris 2.6         sun4u-whatever-solaris2 solaris-sparcv9-cc   Sun WorkShop 6 update 2 C 5.3
smr> Solaris 2.7         sun4u-whatever-solaris2 solaris-sparcv9-cc   Sun WorkShop 6 update 2 C 5.3
smr> AIX 5.1             0050C89A4C00-ibm-aix aix-cc                  C for AIX Compiler, Version 6
smr> HP-UX 11.11         9000/800-hp-hpux1x hpux-parisc2-cc           HP C Compiler B.11.11.08
smr> Tru64 OSF1 V4.0E    alpha-dec-tru64 tru64-alpha-cc               DEC C V5.8-009

All noted. Thanks!

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message <[EMAIL PROTECTED]> on Wed, 22 Jun 2005 14:04:17 +0200, Corinna Vinschen <[EMAIL PROTECTED]> said:

vinschen> Any problem to apply the below last minute patch to util/cygwin.sh?

No. I'll see to it.

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message <[EMAIL PROTECTED]> on Wed, 22 Jun 2005 11:36:07 +0200, [EMAIL PROTECTED] said:

Michael.Straessle> Beta 6 compiles fine and passes tests on win32 (XP/VC6/nasm)

Thanks. Noted.

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message <[EMAIL PROTECTED]> on Wed, 22 Jun 2005 10:25:12 +0200, Corinna Vinschen <[EMAIL PROTECTED]> said:

vinschen> On Jun 21 08:21, Richard Levitte - VMS Whacker wrote:
vinschen> > -BEGIN PGP SIGNED MESSAGE-
vinschen> > Hash: SHA1
vinschen> >
vinschen> >
vinschen> > OpenSSL version 0.9.8 Beta 6 (FINAL!)
vinschen>
vinschen> Build and tests fine on Cygwin.

Thanks.

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
Re: openssl-0.9.8-beta6 tested ok on Solaris 8 cc (32+64 bit) and gcc 2.95.3 (32 bit)
In message <[EMAIL PROTECTED]> on Wed, 22 Jun 2005 09:12:26 +0200, Jostein Tveit <[EMAIL PROTECTED]> said:

josteitv> openssl-0.9.8-beta6 compiled and tested ok on the following
josteitv> combinations:
josteitv>
josteitv> - Solaris 8 SPARC cc: Sun C 5.7 2005/01/07 32-bit
josteitv> (./Configure solaris-sparcv9-cc shared)
josteitv>
josteitv> - Solaris 8 SPARC cc: Sun C 5.7 2005/01/07 64-bit
josteitv> (./Configure solaris64-sparcv9-cc shared)
josteitv>
josteitv> - Solaris 8 SPARC gcc 2.95.3 32-bit
josteitv> (./Configure solaris-sparcv9-gcc shared)

Thanks. Noted.

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1122] [PATCH] ssl_lib.c compilation fails on Diab Data compiler
Ugh Is that the only place? We have more functions that return function pointers, so I'm a bit baffled this would be the only place your (buggy) compiler chokes on... [EMAIL PROTECTED] - Tue Jun 21 11:29:13 2005]: > Diab Data DCC compiler chokes on ssl_lib.c. Here's a patch. > > diff -ur ssl\ssl_lib.c modssl\ssl_lib.c > --- ssl\ssl_lib.c Fri Jun 10 23:05:38 2005 > +++ modssl\ssl_lib.c Mon Jun 20 09:34:20 2005 > @@ -2396,7 +2396,7 @@ > ssl->info_callback=cb; > } > > -void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int > type,int val) > +void (*SSL_get_info_callback(const SSL *ssl))(const SSL *,int ,int ) > { > return ssl->info_callback; > } > -- Richard Levitte [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
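Review bot: The `+` line drops the parameter names `ssl`, `type` and `val` from the returned function-pointer type with no comment saying why, so a later cleanup is likely to restore them and break the Diab Data build again. Keep the names as comments, for example `(const SSL * /*ssl*/, int /*type*/, int /*val*/)`, add a one-line note naming the compiler that needs this, and remove the stray spaces in `int ,int )`.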
[openssl.org #1124] Standart ISO 8601 violation(Bug in ASN1_GENERALIZEDTIME_set?)
[levitte - Wed Jun 22 16:31:26 2005]:
> GeneralizedTime is defined in X.680 and ISO/IEC Internal Standard 8824-1.
> Read carefully, it specifies that the date part should be formatted
> as specified in ISO 8601, as well as the time part, but it doesn't say
> that the combined value should be constructed as described in ISO
> 8601. All it says is that the time part should be appended to the date
> part, and that the combination should optionally get Z or a time zone
> specification appended to it. No T anywhere.

Of course, you could then say that the definition of GeneralizedTime is in violation with ISO 8601. That's something to bring up with ISO/ITU-T.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1124] Standart ISO 8601 violation(Bug in ASN1_GENERALIZEDTIME_set?)
[EMAIL PROTECTED] - Tue Jun 21 15:24:18 2005]:
> I am using perl to parse result from openssl's ASN.1 and found
> following problem:
>
> Perl request ASN1_GENERALIZEDTIME to be in format "19940203T141529Z".
> Openssl function ASN1_GENERALIZEDTIME_set does not set "T" between date
> and time. Regarding ISO 8601 standard it looks like bug for me. In my
> opinion "T" should be set to follow standard.
>
> All openssl versions are affected (incl. today's 0.9.8b6).

GeneralizedTime is defined in X.680 and ISO/IEC Internal Standard 8824-1. Read carefully, it specifies that the date part should be formatted as specified in ISO 8601, as well as the time part, but it doesn't say that the combined value should be constructed as described in ISO 8601. All it says is that the time part should be appended to the date part, and that the combination should optionally get Z or a time zone specification appended to it. No T anywhere.

The Perl code needs to be corrected. Case dismissed.

> Regards,
> Dimitar Kamenov

-- Richard Levitte [EMAIL PROTECTED]
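The conversion this ticket leaves to the consumer, as an added example that is not OpenSSL code and not part of the original messages: a strict check of a GeneralizedTime string followed by insertion of the ISO 8601 `T`. The function name `gentime_to_iso8601` is hypothetical, and the example assumes the full `YYYYMMDDHHMMSS` form with an optional fraction and an optional `Z` or `+hhmm`/`-hhmm` suffix; shorter forms are rejected.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read exactly n decimal digits at s; return their value, or -1. */
static int digits(const char *s, int n)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return -1;          /* also stops safely at the NUL terminator */
        v = v * 10 + (s[i] - '0');
    }
    return v;
}

static int days_in_month(int y, int m)
{
    static const int d[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
    int leap = (y % 4 == 0 && y % 100 != 0) || y % 400 == 0;
    return (m == 2 && leap) ? 29 : d[m - 1];
}

/*
 * Validate a GeneralizedTime string (date immediately followed by time,
 * no 'T') and write the ISO 8601 basic combined form to out.
 * Returns 0 on success, -1 on malformed input or a buffer that is too small.
 */
int gentime_to_iso8601(const char *in, char *out, size_t outlen)
{
    size_t len = strlen(in), p = 14;

    if (len < 14)
        return -1;
    int y = digits(in, 4), mo = digits(in + 4, 2), d = digits(in + 6, 2);
    int h = digits(in + 8, 2), mi = digits(in + 10, 2), s = digits(in + 12, 2);
    if (y < 0 || mo < 1 || mo > 12 || d < 1 || d > days_in_month(y, mo))
        return -1;
    if (h < 0 || h > 23 || mi < 0 || mi > 59 || s < 0 || s > 59)
        return -1;              /* a 'T' at offset 8 fails here */

    if (in[p] == '.' || in[p] == ',') {         /* optional fraction */
        size_t start = ++p;
        while (isdigit((unsigned char)in[p]))
            p++;
        if (p == start)
            return -1;
    }
    if (in[p] == 'Z') {                         /* UTC marker */
        p++;
    } else if (in[p] == '+' || in[p] == '-') {  /* time zone differential */
        int oh = digits(in + p + 1, 2);
        int om = (oh < 0) ? -1 : digits(in + p + 3, 2);
        if (oh > 23 || om < 0 || om > 59)
            return -1;
        p += 5;
    }
    if (in[p] != '\0')
        return -1;              /* trailing junk */
    if (outlen < len + 2)
        return -1;              /* room for the added 'T' and the NUL */

    memcpy(out, in, 8);                 /* YYYYMMDD */
    out[8] = 'T';
    memcpy(out + 9, in + 8, len - 8 + 1);   /* time, suffix and NUL */
    return 0;
}

int main(void)
{
    /* Constructed sample values, in the form discussed in the ticket. */
    const char *samples[] = {"19940203141529Z", "19940203T141529Z",
                             "20040229120000.5+0200"};
    char buf[40];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (gentime_to_iso8601(samples[i], buf, sizeof buf) == 0)
            printf("%s -> %s\n", samples[i], buf);
        else
            printf("%s -> not GeneralizedTime\n", samples[i]);
    }
    return 0;
}
```
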
[openssl.org #1126] 0.9.8-beta6: make report: Test passed
Here or on the mailing lists, I don't particularly care. Thanks for testing!

[EMAIL PROTECTED] - Wed Jun 22 13:25:55 2005]:
> Hi!
>
> If I understood OpenSSL 0.9.8 beta 6 announcement correctly, you
> wanted to see following info. Perhaps you only wanted to see test
> failures reported, in that case sorry for disturbing.
>
> Best regards,
> Petri Koistinen
>
> OpenSSL self-test report:
>
> OpenSSL version: 0.9.8-beta6
> Last change: Correct naming of the 'chil' and '4758cca' ENGINEs. Thi...
> Options: --openssldir=/etc/ssl --prefix=/usr enable-shared -mcpu=pentium -mcpu=pentiumpro no-gmp no-krb5 no-mdc2 no-rc5 no-zlib no-zlib-dynamic
> OS (uname): Linux dsl-hkigw8td4.dial.inet.fi 2.6.12 #4 Mon Jun 20 02:12:36 EEST 2005 i686 pentiumpro i386 GNU/Linux
> OS (config): i686-whatever-linux2
> Target (default): linux-elf
> Target: linux-elf
> Compiler: Configured with: ../gcc-3.4.2/configure --prefix=/usr --libexecdir=/usr/lib --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu --enable-languages=c,c++
> Thread model: posix
> gcc version 3.4.2
>
> Test passed.

-- Richard Levitte [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.8 beta 6 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 6 (FINAL!)
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The sixth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

PLEASE TEST THIS RELEASE! This is a final beta. The final release is due very soon, and we would like your help to make this as good a release as ever possible. Among others, base64 decoding needs extra attention (see below).

The file names of the beta are:

o openssl-0.9.8-beta6.tar.gz
  MD5 checksum: e6771df5621169ae616adb3475aac71a
  SHA1 checksum: d5aad452a4a192780ff1990b5c75513eb8408fe2

The checksums were calculated using the following command:

openssl md5 < openssl-0.9.8-beta6.tar.gz
openssl sha1 < openssl-0.9.8-beta6.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the fifth beta, the following has happened:

- Change the DJGPP setup so its DEVRANDOM is defined in e_os.h instead of in the build command line.
- Worked around a DJGPP command line bug during installation of docs.
- Worked out better target selections for BSD ELF.
- Corrected the CPUid code for x86_64.
- Made the base64 decoder a bit more robust.
- We made sure crypto/bn/bn_prime.h is properly built during an update.
- Enhanced the documentation on id_function in threads.pod.
- Added a fallback to software in the CSwift engine.
- Other bug fixes...

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox             Nils Larsch         Ulf Möller
Ralf S. Engelschall     Ben Laurie          Andy Polyakov
Dr. Stephen Henson      Richard Levitte     Geoff Thorpe
Lutz Jänicke            Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCt7G3p6+eePcJRTsRAmHnAJ9YcnbPEj2J48vkBHpZCBQ1vKQI/wCglgM5
wKq2R9+XiFHQS5aumgYaEkE=
=1qsL
-----END PGP SIGNATURE-----
Re: possible bug in BIO_f_base64 ?
In message <[EMAIL PROTECTED]> on Mon, 20 Jun 2005 18:53:39 +0200, "Dr. Stephen Henson" <[EMAIL PROTECTED]> said:

steve> On Mon, Jun 20, 2005, Richard Levitte - VMS Whacker wrote:
steve>
steve> > In message <[EMAIL PROTECTED]> on Mon, 20 Jun 2005 12:11:30 +0200, Beat Jucker <[EMAIL PROTECTED]> said:
steve> >
steve> > bj> Given attached BASE64 encoded file openssl will write only 5280
steve> > bj> decoded bytes instead of the original 5305 bytes as other tools
steve> > bj> like mimencode, base64, Asn1Editor, web online base64 decoder, ...
steve> > bj>
steve> > bj> openssl base64 -d -in text.pem -out text.der
steve> > bj> --> 5280 instead of 5305 bytes!?
steve> >
steve> > I've played with previous incarnations, and noticed that with the
steve> > latest update for 0.9.7-stable, I get 5305 bytes, while I get 5280
steve> > bytes with 0.9.8-stable. I compared crypto/evp/bio_b64.c from both
steve> > branches, and there is virtually no difference, so the problem is
steve> > somewhere else.
steve> >
steve> > I noticed something unusual about your file: the lines are 76
steve> > characters, when a PEM file usually (or at least by default when
steve> > output by OpenSSL) has 64 character lines... I have no clue how
steve> > important that fact is, but I'm going to conduct some tests.
steve> >
steve>
steve> The only significant change is:
steve>
steve> http://cvs.openssl.org/chngview?cn=12988
steve>
steve> whether this is the problem or it has just triggered a problem
steve> elsewhere I don't know.

This specific case seems to be because of the 76 character lines. The attached patch seems to fix it, though.

Really, the base64 decoder is quite the pile of crap. Why on earth does it have dependence on where a NL will appear? There's absolutely no reason unless you're a PEM fetishist... It should really be rewritten...
-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis Index: crypto/evp/encode.c === RCS file: /e/openssl/cvs/openssl/crypto/evp/encode.c,v retrieving revision 1.14 diff -u -r1.14 encode.c --- crypto/evp/encode.c 3 Apr 2005 16:38:22 - 1.14 +++ crypto/evp/encode.c 20 Jun 2005 22:01:26 - @@ -313,7 +313,7 @@ /* There will never be more than two '=' */ } - if ((v == B64_EOF) || (n >= 64)) + if ((v == B64_EOF && (n&3) == 0) || (n >= 64)) { /* This is needed to work correctly on 64 byte input * lines. We process the line and then need to
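Review bot: The new `(n&3) == 0` test on the `B64_EOF` branch has no explanation, and the comment directly below it still talks only about 64 byte input lines. Extend that comment to say why `B64_EOF` is acted on only when `n` is a multiple of 4, and add a regression test that decodes input wrapped at 76 characters, the case reported in this thread (5280 bytes decoded instead of 5305).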
Re: util/selftest.pl
In message <[EMAIL PROTECTED]> on Mon, 20 Jun 2005 11:52:50 -0700 (PDT), Tim Rice <[EMAIL PROTECTED]> said:

tim> I noticed "make report" didn't show the cc version on most of
tim> my System V platforms. This patch corrects this.

Thanks, committed.

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
Re: possible bug in BIO_f_base64 ?
In message <[EMAIL PROTECTED]> on Mon, 20 Jun 2005 12:11:30 +0200, Beat Jucker <[EMAIL PROTECTED]> said:

bj> Given attached BASE64 encoded file openssl will write only 5280
bj> decoded bytes instead of the original 5305 bytes as other tools
bj> like mimencode, base64, Asn1Editor, web online base64 decoder, ...
bj>
bj> openssl base64 -d -in text.pem -out text.der
bj> --> 5280 instead of 5305 bytes!?

I've played with previous incarnations, and noticed that with the latest update for 0.9.7-stable, I get 5305 bytes, while I get 5280 bytes with 0.9.8-stable. I compared crypto/evp/bio_b64.c from both branches, and there is virtually no difference, so the problem is somewhere else.

I noticed something unusual about your file: the lines are 76 characters, when a PEM file usually (or at least by default when output by OpenSSL) has 64 character lines... I have no clue how important that fact is, but I'm going to conduct some tests.

Cheers, Richard

-- Richard Levitte [EMAIL PROTECTED]
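A regression check for the behaviour discussed in the two "possible bug in BIO_f_base64" messages, as an added example that is not OpenSSL's decoder and not part of the original posts: a streaming base64 decoder whose output does not depend on where newlines fall, exercised on a constructed 5305-byte buffer wrapped at 64 and at 76 characters. All names (`b64_dec_update`, `b64_encode_wrapped`, `roundtrip`) are hypothetical, and padding is only checked to the extent that no data may follow `=`.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decoder state carried across calls, so input may be split anywhere. */
typedef struct {
    unsigned int acc;   /* bits received but not yet emitted */
    int nbits;          /* number of valid bits in acc */
    int done;           /* set once '=' padding has been seen */
} b64_dec;

static int b64_val(int c)
{
    const char *p = (c != '\0') ? strchr(B64, c) : NULL;
    return p ? (int)(p - B64) : -1;
}

/*
 * Decode len input bytes into out (which must have room for len bytes).
 * Returns the number of bytes written, or -1 on an invalid character
 * or on data following '=' padding.
 */
long b64_dec_update(b64_dec *d, const char *in, size_t len, unsigned char *out)
{
    long n = 0;
    for (size_t i = 0; i < len; i++) {
        int c = (unsigned char)in[i];
        if (c == '\n' || c == '\r' || c == ' ' || c == '\t')
            continue;               /* line structure carries no data */
        if (c == '=') {
            d->done = 1;
            continue;
        }
        int v = b64_val(c);
        if (v < 0 || d->done)
            return -1;
        d->acc = (d->acc << 6) | (unsigned int)v;
        d->nbits += 6;
        if (d->nbits >= 8) {        /* a whole byte is available */
            d->nbits -= 8;
            out[n++] = (unsigned char)(d->acc >> d->nbits);
            d->acc &= (1u << d->nbits) - 1;
        }
    }
    return n;
}

/* Encode n bytes with a newline after every `width` characters.
 * Returns a malloc'd NUL-terminated string, or NULL. */
char *b64_encode_wrapped(const unsigned char *in, size_t n, size_t width)
{
    size_t chars = 4 * ((n + 2) / 3), col = 0;
    char *out = malloc(chars + chars / width + 2), *p = out;
    if (!out)
        return NULL;
    for (size_t i = 0; i < n; i += 3) {
        unsigned int v = (unsigned int)in[i] << 16;
        if (i + 1 < n) v |= (unsigned int)in[i + 1] << 8;
        if (i + 2 < n) v |= in[i + 2];
        char q[4] = { B64[v >> 18], B64[(v >> 12) & 63],
                      (i + 1 < n) ? B64[(v >> 6) & 63] : '=',
                      (i + 2 < n) ? B64[v & 63] : '=' };
        for (int k = 0; k < 4; k++) {
            *p++ = q[k];
            if (++col == width) { *p++ = '\n'; col = 0; }
        }
    }
    if (col)
        *p++ = '\n';
    *p = '\0';
    return out;
}

/* Encode n constructed bytes at the given line width, decode them in
 * chunk-sized pieces, and return the decoded length (-1 on any mismatch). */
long roundtrip(size_t n, size_t width, size_t chunk)
{
    unsigned char *src = malloc(n ? n : 1), *dec = NULL;
    char *enc = NULL;
    long total = -1;
    if (!src)
        return -1;
    for (size_t i = 0; i < n; i++)
        src[i] = (unsigned char)(i * 31 + 7);   /* constructed test data */
    enc = b64_encode_wrapped(src, n, width);
    if (enc && (dec = malloc(strlen(enc) + 1)) != NULL) {
        size_t elen = strlen(enc);
        b64_dec d = {0, 0, 0};
        total = 0;
        for (size_t off = 0; off < elen && total >= 0; off += chunk) {
            size_t take = (elen - off < chunk) ? elen - off : chunk;
            long got = b64_dec_update(&d, enc + off, take, dec + total);
            total = (got < 0) ? -1 : total + got;
        }
        if (total >= 0 && ((size_t)total != n || memcmp(src, dec, n) != 0))
            total = -1;
    }
    free(src); free(enc); free(dec);
    return total;
}

int main(void)
{
    printf("64-column input: %ld bytes\n", roundtrip(5305, 64, 1024));
    printf("76-column input: %ld bytes\n", roundtrip(5305, 76, 1024));
    return 0;
}
```
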
Rescheduling
Hi,

I've just remade the release schedule a little bit. Originally, OpenSSL 0.9.8 was supposed to be released yesterday. However, due to personal stuff and some issues with the latest beta, the release has been slightly delayed. So, the final beta will be this evening (Swedish time), and the release is scheduled for Thursday (June 23) evening.

This means that I'm asking for a last effort to help make OpenSSL 0.9.8 as good as it can be. Please test this final beta, and if there are any issues, please tell us. If there are any issues we have forgotten, please remind us!

Actually, there's nothing stopping you from grabbing a snapshot now and try it out :-). You might even find something for us to correct before we release beta 6.

ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-mmdd.tar.gz

(mmdd is really a date, like 20050620)

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1121] [patch 0.9.8-beta5] make depend fails if bn_prime.h does not exist
That's not the way it's usually solved. First of all, it's better if you call 'make update', and I'm just committing a change that will make sure it creates crypto/bn/bn_prime.h (just like it does with all the other generated files). Ticket resolved. [guest - Mon Jun 20 02:53:48 2005]: > This is a report based on openssl-0.9.8-beta5, built on Fedora Core 1. > > bn_prime.h is a derived file. Therefore, I believe that "make depend" > should not require it to exist. Yet, if crypto/bn/bn_prime.h does not > exist, "make depend" fails -- it builds crypto/bn/Makefile without > references to bn_prime.o -- not very useful. > > The solution is to have crypto/bn/Makefile create a dummy version of >the > file crypto/bn/bn_prime.h, and then get rid of it after the make >depend > finishes. This is similar to actions taken for other header files >that > are built by "make all". Here is a tested patch that accomplishes >this > goal: > > --- crypto/bn/Makefile~ 2005-06-19 20:23:32.0 -0400 > +++ crypto/bn/Makefile 2005-06-19 20:26:32.0 -0400 > @@ -139,7 +139,9 @@ > > depend: > @[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile... > + [ -z "$(THIS)" -o -f bn_prime.h ] || touch bn_prime.h # fake > bn_prime.h if it does not exist > $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) > $(LIBSRC) > + [ -z "$(THIS)" -o -s bn_prime.h ] || rm bn_prime.h > > dclean: > $(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; > exit(0);}' $(MAKEFILE) >Makefile.new -- Richard Levitte [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
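Review bot: The cleanup line added after `$(MAKEDEPEND)` only runs when `$(MAKEDEPEND)` succeeds, because make stops at the first failing command, so a failed or interrupted `make depend` leaves the zero-length `bn_prime.h` created by `touch` in the tree, and the `-f bn_prime.h` test on the next run then treats it as the real header. Run the removal in the same shell command as `$(MAKEDEPEND)`, saving and returning its exit status, or generate the real header before the dependency pass.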
[openssl.org #1085] DJGPP patch for 0.9.8-beta3
[EMAIL PROTECTED] - Sun Jun 19 13:26:58 2005]:
> On Mon, 13 Jun 2005, Richard Levitte via RT wrote:
>
> > Aha, *that's* what we need to debug then.
> >
> > BTW, the exit code of a pipe is usually the exit code of the last
> > command in the chain. So you can't really blame grep, since their
> > result is piped into a parenthesised complex command. I'm willing to be
> > either 'read' or 'util/point.sh' return with an exit code other than 0,
> > and that it could be enough to have an 'exit 0' at the end of the
> > complex command (and maybe another 'set -e' before the while loop).
>
> Testing various changes in Makefile reveals that the problem really
> does seem to be the return code from grep. This is probably a bug in
> the DJGPP implementation of "set -e" in bash, related to the fact that
> DOS really doesn't have pipes. They are emulated via temporary files.
> The DJGPP "set -e" seems to be sensitive to non-zero return codes
> within the simulated pipe. The attached patch to Makefile.org works
> for DJGPP. I think it shouldn't adversely affect other platforms.

I've applied your patch. Like you, I see no reason why it should break builds on other platforms. Ticket resolved.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1110] DEVRAMDOM define in rand_unix.c
Applied. Thanks. [EMAIL PROTECTED] - Sun Jun 19 13:16:19 2005]: > I tried compiling with DJGPP using your patch applied to beta5. It > compiles OK, but there are a lot of warnings, since there is a default > definition of DEVRANDOM earlier in the e_os.h file. I applied this > patch. > > --- e_os.h.ori2005-06-18 23:50:38.0 -0800 > +++ e_os.h2005-06-19 04:07:10.0 -0800 > @@ -227,6 +227,7 @@ > #define _setmode setmode > #define _O_TEXT O_TEXT > #define _O_BINARY O_BINARY > +#undef DEVRANDOM > #define DEVRANDOM "/dev/urandom\x24" > # endif /* __DJGPP__ */ > > Doug -- Richard Levitte [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
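Review bot: The added `#undef DEVRANDOM` has no comment, and it discards whatever definition is in effect at that point, including one supplied on the compiler command line, before the DJGPP value is set. Add a short comment stating that the DJGPP definition deliberately replaces the default defined earlier in e_os.h, so the `#undef` is not later removed as redundant.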
[openssl.org #1096] Minor documentation bugs
I changed the lines about id_function only slightly, and added the discussion about getpid() vs. pthread_self() in the NOTES section. Ticket resolved.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1083] Compilation error in crypto/pqueue/pqueue.c on "hpux-parisc-cc shared"
I haven't seen any more reports like this, so I'm resolving this ticket. It feels like a safe bet, since we have removed all traces of BIGNUM from pqueue.

[levitte - Mon Jun 6 00:54:39 2005]:
> beta 4 is out soon. Please try it and report back. I believe the
> BN_ULLONG issues with pqueue are properly dealt with.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1090] [BUG] Segfault in dgst signing with rsa private key
Hi, it sounds like I can resolve this ticket. The extra test suite sounds interesting, please send it to me ([EMAIL PROTECTED]). Unfortunately, if it's GNU make specific, we will not have it in the standard build, but it might work as an option for those who want to try it out.

[EMAIL PROTECTED] - Mon Jun 6 10:45:09 2005]:
> Hello!
>
> On Mon, 6 Jun 2005, Richard Levitte via RT wrote:
>
> > Did you check that you actually get the right library? Do it like this:
> >
> > LD_LIBRARY_PATH=. ldd ./apps/openssl
>
> [EMAIL PROTECTED] LD_LIBRARY_PATH=. ldd ./apps/openssl
> libssl.so.0.9.8 => ./libssl.so.0.9.8 (0x40018000)
> libcrypto.so.0.9.8 => ./libcrypto.so.0.9.8 (0x40056000)
> libdl.so.2 => /lib/libdl.so.2 (0x40194000)
> libz.so.1 => /usr/lib/libz.so.1 (0x40197000)
> libc.so.6 => /lib/libc.so.6 (0x401a9000)
> /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)
>
> I've tried it again with 20050606 snapshot.
>
> >> make report:
> >>
> OpenSSL self-test report:
>
> OpenSSL version: 0.9.8-beta4-dev
> Last change: Correct naming of the 'chil' and '4758cca' ENGINEs. Thi...
> Options: -g enable-shared enable-zlib no-gmp no-krb5 no-mdc2 no-rc5 no-zlib-dynamic
> OS (uname): Linux manul 2.4.26-1-386 #1 Tue Aug 24 13:31:19 JST 2004 i686 GNU/Linux
> OS (config): i686-whatever-linux2
> Target (default): linux-elf
> Target: linux-elf
> Compiler: Configured with: ../src/configure -v --enable-languages=c,c++,java,f77,pascal,objc,ada,treelang --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-gxx-include-dir=/usr/include/c++/3.3 --enable-shared --enable-__cxa_atexit --with-system-zlib --enable-nls --without-included-gettext --enable-clocale=gnu --enable-debug --enable-java-gc=boehm --enable-java-awt=xlib --enable-objc-gc i486-linux
> Thread model: posix
> gcc version 3.3.5 (Debian 1:3.3.5-12)
>
> Test skipped.
>
> >> LD_LIBRARY_PATH=. ./apps/openssl req -newkey rsa:512 -nodes -batch -keyout keyrsa.pem -out reqrsa.pem -config apps/openssl.cnf
> >> LD_LIBRARY_PATH=. ./apps/openssl x509 -req -set_serial 1 -signkey keyrsa.pem -in reqrsa.pem -out certrsa.pem
> >> LD_LIBRARY_PATH=. ./apps/openssl dgst -sha1 -sign keyrsa.pem -out dsignrsa.bin CHANGES
> >>
> >> It causes a segfault with backtrace
>
> This sequence of commands doesn't cause a segfault now. It fails with
> correct error message.
>
> >> The same problem is on smime.
> >>
> >> I do:
> >> ==
> >> LD_LIBRARY_PATH=. ./apps/openssl smime -encrypt -binary -in CHANGES -aes256 -out encryptionrsa.pem -outform pem certrsa.pem
> >> LD_LIBRARY_PATH=. ./apps/openssl smime -decrypt -binary -in encryptionrsa.pem -recip certrsa.pem -inkey keyrsa.pem -out smime_decrrsa.dump -inform pem
> >> =
> >>
> >> Segfault occurs on decrypt with the same backtrace:
>
> Segfault doesn't occur here too. But it doesn't decrypt without
> specified -rand key. It seems to be a bug.
>
> >> PS. We have an extra test suite testing openssl executable.
> >> Unfortunately, it's GNU make specific. Are you interested in it?
>
> Are you interested in this test suite?
>
> Thank you.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1101] I Need Help
I'll remove this ticket as this looks like a user question rather than a bug report. I'll still respond to it, just not in this form.

[guest - Mon Jun 6 17:19:44 2005]:
> Hello,
> I need some help, I have installed everything correctly but the make
> command will not work and I can't get the openssl to work from the
> command line to create the CSR. I am installing this with ApacheSSL. I
> do have access via VNC to make this a lot easier and understandable on
> what exactly I mean here. If you could please email me back at
> [EMAIL PROTECTED] or call me at (270) 991-7380.
>
> Thanks a lot I need help ASAP my company is waiting on me to get this
> done so our merchant account application will go through.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1102] Missing -fPIC flag in the default configuration to build static library
Yes, this was changed a while ago. The proper way to get -fPIC into the build is to configure with the "shared" option. The build will still produce a static library as well as a shared library, with all objects built with -fPIC.

Ticket resolved.

[guest - Tue Jun 7 09:19:12 2005]:
>
> OpenSSL version: output of 'openssl version -a'
> bash-2.05# openssl version -a
> OpenSSL 0.9.7g 11 Apr 2005
> built on: Fri Jun 3 12:06:08 IST 2005
> platform: hpux-parisc-gcc
> options: bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
> compiler: gcc -DOPENSSL_THREADS -DDSO_DL -DOPENSSL_NO_KRB5 -D_REENTRANT -O3 -DB_ENDIAN -DBN_DIV2W
> OPENSSLDIR: "/usr/local/ssl"
>
> OS Name, Version, Hardware platform
> bash-2.05# uname -a
> HP-UX chromium B.10.20 A 9000/785
>
> Compiler Details (name, version)
> bash-2.05# gcc -v
> Reading specs from /usr/local/gcc3.4.2/lib/gcc/hppa2.0-hp-hpux10.20/3.4.2/specs
> Configured with: ../gcc-3.4.2/configure --prefix=/usr/local/gcc3.4.2 --enable-languages=c,c++ --with-ld=/usr/ccs/bin/ld --with-gnu-as --with-as=/usr/local/bin/as --disable-nls
> Thread model: single
> gcc version 3.4.2
>
> Problem Description
>
> There is a difference in the compilation flags in OpenSSL-0.9.6l and
> OpenSSL-0.9.7g. The -fPIC flag is missing.
> On HP-UX, if you build a shared library that needs to be statically
> linked to libcrypto.a, you get linker error as shown below
>
> g++ -fPIC -c test1.o -I/usr/local/ssl/include
> g++ -fPIC -c test2.o -I/usr/local/ssl/include
> g++ -shared -fPIC -o libtest.sl test1.o test2.o -L/usr/local/ssl/lib -lcrypto -lssl -lm
> Ex: /usr/ccs/bin/ld: Invalid loader fixup for symbol "default_malloc_ex".
>
> However the same code works with OpenSSL-0.9.6l
> bash-2.05# /usr/local/ssl-0.9.6l/bin/openssl version -a
> OpenSSL 0.9.6l 04 Nov 2003
> built on: Mon Dec 1 19:36:51 GMT 2003
> platform: hpux-parisc-gcc
> options: bn(64,32) md2(int) rc4(ptr,int) des(ptr,risc1,16,long) idea(int) blowfish(idx)
> compiler: gcc -fPIC -DTHREADS -DDSO_DL -D_REENTRANT -O3 -DB_ENDIAN -DBN_DIV2W
>
> Both the versions (ie OpenSSL-0.9.6l and OpenSSL-0.9.7g) are built with
> default configuration.
>
> The same has been observed in case of SunOS 5.7 (I did not try on other
> versions or flavors)
>
> Regds,
> Manish Pai

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1105] DTLS HelloVerifyRequest PATCH
I'm leaving this unresolved for now, since we still don't know if that's a bug in the draft or not...

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1107] NetWare patch for 0.9.8-beta4
I applied this change a few days ago, and didn't resolve the ticket? Strange. Anyway, patch applied and committed, ticket resolved.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1110] DEVRAMDOM define in rand_unix.c
The real issue was the backslashes in the configuration definition for DJGPP and how those interacted with the handling of a build environment in the Makefiles. I resolved the issue by moving the definition of DEVRANDOM for DJGPP from Configure to e_os.h.

[guest - Mon Jun 13 11:45:04 2005]:
> Since 0.9.8beta3 method RAND_pool, when DEVRANDOM is defined, doesn't read
> data from specified devices.
>
> before:
> $ strace -f openssl genrsa 2>&1 | grep -i random
> open("/dev/urandom", ...) = 3
>
> after:
> $ strace -f openssl genrsa 2>&1 | grep -i random
> open("DEVRANDOM", ...) = -1 ENOENT ...
>
> solution - remove quotes around DEVRANDOM in file "crypto/rand/rand_unix.c"

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1112] 0.9.8 beta 5 build issue on windows
Hi Jeffrey,

I just committed such a change. Ticket resolved.

[EMAIL PROTECTED] - Tue Jun 14 10:05:51 2005]:
> The following build issue exists:
>
> cl /Fotmp32dll\c_zlib.obj -Iinc32 -Itmp32dll -DZLIB_SHARED -DZLIB -DKRB5_MIT /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 -DOPENSSL_SYSNAME_WINNT -DOPENSSL_USE_APPLINK -I. /Fdout32dll -DOPENSSL_NO_IDEA -DOPENSSL_NO_RC5 -DOPENSSL_NO_MDC2 -I/usr/kerberos/include -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -c .\crypto\comp\c_zlib.c
> c_zlib.c
> crypto\comp\c_zlib.c(76) : error C2220: warning treated as error - no object file generated
> crypto\comp\c_zlib.c(76) : warning C4005: 'ZLIB_SHARED' : macro redefinition
> command-line arguments : see previous definition of 'ZLIB_SHARED'
>
> This can be corrected by wrapping the #define ZLIB_SHARED in an #ifndef
> ... #endif block.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1113] openssl-0.9.8-beta5 - install fails on "../../util/pod2man.pl: Invalid man page"
It fails because of the new section declarations (done with a '=for comment') that appear before the '=head1 NAME' line. I just committed a change that fixes this. Ticket resolved.

[EMAIL PROTECTED] - Tue Jun 14 10:06:07 2005]:
>
> making all in tools...
> ./pod2mantest: pod2man: not found
> pod2man does not work properly ('BasicTest' failed). Looking for another pod2man ...
> No working pod2man found. Consider installing a new version.
> As a workaround, we'll use a bundled old copy of pod2man.pl.
> installing man1/CA.pl.1
> installing man1/asn1parse.1
> installing man1/ca.1
> installing man1/ciphers.1
> installing man5/config.5
> ../../util/pod2man.pl: Invalid man page - 1st pod line is not NAME in config.pod
> *** Error code 255
> make: Fatal error: Command failed for target `install_docs'

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1089] test report for OpenBSD -current
[EMAIL PROTECTED] - Thu Jun 16 08:00:29 2005]:
> sorry for not getting back sooner, but beta5 works fine.

It's all right. Thanks. Ticket really resolved this time.

-- Richard Levitte [EMAIL PROTECTED]
Re: DOS patch for 0.9.8 beta 2
In message <[EMAIL PROTECTED]> on Wed, 1 Jun 2005 14:03:06 -0700 (PDT), Doug Kaufman <[EMAIL PROTECTED]> said:

dkaufman> You are quite correct, in that quoting DEVRANDOM was the wrong thing
dkaufman> to do. It put the string "DEVRANDOM" into the library instead of the
dkaufman> value of DEVRANDOM. I am sorry that I didn't realize exactly what the
dkaufman> quoting was doing before I submitted the patch.
[...]
dkaufman> compiler: gcc -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN
dkaufman> -fomit-frame-pointer -O2 -Wall -DDEVRANDOM="/dev/urandom\x24" -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
dkaufman> OPENSSLDIR: "/dev/env/DJDIR/ssl"

Hmms, \x24 is a dollar sign. With all makes, $$ becomes a single dollar sign. I'm guessing that having $$ instead of \x24 should fix the problems you see. The other option, of course, would be to double the backslashes.

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
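The failure discussed in this message and in ticket #1110, as an added example that is not OpenSSL's rand_unix.c: a macro name inside a string literal is never expanded, so the open fails with ENOENT and no seed bytes are read. The names quoted_list, expanded_list, suspicious_entries and seed_from, and the default device paths, are assumptions made for the illustration.

```c
/* Added illustration; not OpenSSL's crypto/rand/rand_unix.c. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed default; a real build passes -DDEVRANDOM=... on the command line. */
#ifndef DEVRANDOM
#define DEVRANDOM "/dev/urandom", "/dev/random"
#endif

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
#define SEED_BYTES 32

/* Buggy form: inside a string literal the preprocessor does not expand
 * DEVRANDOM, so the list holds the literal text "DEVRANDOM". */
static const char *quoted_list[] = { "DEVRANDOM" };

/* Fixed form: the macro expands to the configured device paths. */
static const char *expanded_list[] = { DEVRANDOM };

/* Count entries that cannot be device paths (NULL or not absolute). A check
 * like this at start-up catches the quoting mistake before any key is made. */
static size_t suspicious_entries(const char *const *list, size_t n)
{
    size_t i, bad = 0;

    for (i = 0; i < n; i++)
        if (list[i] == NULL || list[i][0] != '/')
            bad++;
    return bad;
}

/* Try each device in order. Returns the number of seed bytes read, or the
 * negated errno of the last failure when nothing at all could be read.
 * A caller must compare the result with SEED_BYTES and refuse to go on
 * with less. */
static ssize_t seed_from(const char *const *list, size_t n)
{
    unsigned char buf[SEED_BYTES];
    size_t i, got = 0;
    int last_err = ENODEV;

    for (i = 0; i < n && got < sizeof(buf); i++) {
        ssize_t r;
        int fd = open(list[i], O_RDONLY | O_NONBLOCK | O_NOCTTY);

        if (fd < 0) {
            last_err = errno;
            continue;
        }
        r = read(fd, buf + got, sizeof(buf) - got);
        if (r > 0)
            got += (size_t)r;
        else if (r < 0)
            last_err = errno;
        close(fd);
    }
    return got > 0 ? (ssize_t)got : -(ssize_t)last_err;
}

int main(void)
{
    ssize_t bad = seed_from(quoted_list, COUNT(quoted_list));
    ssize_t good = seed_from(expanded_list, COUNT(expanded_list));

    printf("quoted:   %zu suspicious entries, result %ld\n",
           suspicious_entries(quoted_list, COUNT(quoted_list)), (long)bad);
    printf("expanded: %zu suspicious entries, result %ld\n",
           suspicious_entries(expanded_list, COUNT(expanded_list)), (long)good);

    /* Fail closed: an unseeded generator must not be used for key generation. */
    return good == SEED_BYTES ? 0 : 1;
}
```

Run under strace, the quoted list produces the same open("DEVRANDOM", ...) = -1 ENOENT line that the ticket reports.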
Release delay
I'm delaying the release of 0.9.8 beta6 until tomorrow (Friday) night. The reason is that I want to test some changes on systems that may be sensitive to them before releasing. I believe that will be better for the release process as a whole.

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: ssl/kssl.c fails on NetBSD
In message <[EMAIL PROTECTED]> on Thu, 16 Jun 2005 14:41:03 +0900 (JST), GOTOU Yuuzou <[EMAIL PROTECTED]> said:

gotoyuzo> In message <[EMAIL PROTECTED]>,
gotoyuzo> `Richard Levitte - VMS Whacker <[EMAIL PROTECTED]>' wrote:
gotoyuzo> > In message <[EMAIL PROTECTED]> on Wed, 15 Jun 2005 18:38:27 +0900 (JST), GOTOU Yuuzou <[EMAIL PROTECTED]> said:
gotoyuzo> >
gotoyuzo> > gotoyuzo> It may be an issue of NetBSD, but "#undef _XOPEN_SOURCE"
gotoyuzo> > gotoyuzo> seems a little wrong too.
gotoyuzo> >
gotoyuzo> > Does it work if I remove the #undef _XOPEN_SOURCE? I had
gotoyuzo> > it there for paranoid reasons, and it may not be needed.
gotoyuzo>
gotoyuzo> Yes. Make test passed.

OK, I'll try that then.

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: ssl/kssl.c fails on NetBSD
In message <[EMAIL PROTECTED]> on Wed, 15 Jun 2005 18:38:27 +0900 (JST), GOTOU Yuuzou <[EMAIL PROTECTED]> said:

gotoyuzo> It may be an issue of NetBSD, but "#undef _XOPEN_SOURCE"
gotoyuzo> seems a little wrong too.

Does it work if I remove the #undef _XOPEN_SOURCE? I had it there for paranoid reasons, and it may not be needed.

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: ssl/kssl.c fails on NetBSD
In message <[EMAIL PROTECTED]> on Wed, 15 Jun 2005 05:37:15 +0900 (JST), GOTOU Yuuzou <[EMAIL PROTECTED]> said:

gotoyuzo> Hi,
gotoyuzo>
gotoyuzo> Compilation of ssl/kssl.c fails on NetBSD 3.99.5.
gotoyuzo>
gotoyuzo> gcc -I../crypto -I.. -I../include -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c kssl.c
gotoyuzo> In file included from ../include/openssl/crypto.h:120,
gotoyuzo>                  from ../include/openssl/comp.h:5,
gotoyuzo>                  from ../include/openssl/ssl.h:176,
gotoyuzo>                  from kssl.c:78:
gotoyuzo> /usr/include/stdlib.h:245: error: parse error before '*' token
gotoyuzo> *** Error code 1
gotoyuzo>
gotoyuzo> This error could be avoided if we read at least one standard
gotoyuzo> header file before setting _XOPEN_SOURCE macro.

That's not a good solution, because it basically disables the effect of _XOPEN_SOURCE. It would be interesting to know what, exactly, fails. Could it be that _XOPEN_SOURCE needs to have a different value on NetBSD 3.99.5?

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 5 released
In message <[EMAIL PROTECTED]> on Mon, 13 Jun 2005 18:16:03 -0400, Mike Frysinger <[EMAIL PROTECTED]> said:

vapier> On Monday 13 June 2005 12:19 am, Richard Levitte - VMS Whacker wrote:
vapier> > OpenSSL version 0.9.8 Beta 5
vapier>
vapier> `./config && make && make test` passed on Gentoo/armel

Which configuration target does that end up being? 'grep CONFIGURE_ARGS Makefile' should give you the answer.

vapier> Gentoo/armeb failed the x509 certificate test ('test_ss') due
vapier> to lack of enough random data, but I'm pretty sure that's a
vapier> system issue and unrelated to openssl ;)

Maybe. Care to check it out?

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 5 released
In message <[EMAIL PROTECTED]> on Mon, 13 Jun 2005 19:03:10 +0200, Corinna Vinschen <[EMAIL PROTECTED]> said:

vinschen> On Jun 13 18:59, Richard Levitte - VMS Whacker wrote:
vinschen> > In message <[EMAIL PROTECTED]> on Mon, 13 Jun 2005 10:57:10 +0200, Corinna Vinschen <[EMAIL PROTECTED]> said:
vinschen> >
vinschen> > vinschen> On Jun 13 06:19, Richard Levitte - VMS Whacker wrote:
vinschen> > vinschen> > OpenSSL version 0.9.8 Beta 5
vinschen> > vinschen> >
vinschen> > vinschen>
vinschen> > vinschen> Builds OOTB and tests run fine on Cygwin.
vinschen> >
vinschen> > Which version(s)?
vinschen>
vinschen> The latest release 1.5.17 and current CVS.

Thanks. I just updated the STATUS file with that information.

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
[ANNOUNCE] OpenSSL 0.9.8 beta 5 released
OpenSSL version 0.9.8 Beta 5

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fifth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta5.tar.gz
    MD5 checksum: 4b492a622ca39f0c444c3cabc330933d
    SHA1 checksum: 3524b04490491e1d1674363fac601cd4b002d471

The checksums were calculated using the following command:

  openssl md5 < openssl-0.9.8-beta5.tar.gz
  openssl sha1 < openssl-0.9.8-beta5.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the fourth beta, the following has happened:

  - Changed -m486 to -march=i486 in Configure.
  - Added a new NetWare target that uses BSD sockets.
  - Propagate INSTALL_PREFIX to inner Makefiles.
  - Make it possible to read files larger than 2GB with the FILE BIO.
  - Enhance cipher suite parsing.
  - Other bug fixes...

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

  Mark J. Cox          Nils Larsch       Ulf Möller
  Ralf S. Engelschall  Ben Laurie        Andy Polyakov
  Dr. Stephen Henson   Richard Levitte   Geoff Thorpe
  Lutz Jänicke         Bodo Möller
[openssl.org #1103] bug: openssl-0.9.8-beta4 "make depend" fails in separate tree configuration
[EMAIL PROTECTED] - Tue Jun 7 10:22:05 2005]:

The problem is not about separate trees, but a bug in the way domd is called:

> making dependencies crypto...
> [ -z "depend" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist
> [ -z "depend" ] || ../util/domd .. -MD makedepend -- -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -R/usr/local/ssl/lib -xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -I. -I.. -I../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -- cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c o_dir.c
> [ -z "depend" -o -s buildinf.h ] || rm buildinf.h
> making depend in crypto/objects...
> ../util/domd .. -MD makedepend -- -g -I.. -I../.. -I../../include -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 -- o_names.c obj_dat.c obj_lib.c obj_err.c
> sh: ../util/domd: not found
> *** Error code 1

See how it's calling ../util/domd when it should call ../../util/domd? That's the problem. This has been fixed, BTW, so it should work with the next beta, at least as far as I can see.

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1085] DJGPP patch for 0.9.8-beta3
[EMAIL PROTECTED] - Sun Jun 12 03:21:44 2005]:
> On Mon, 6 Jun 2005, Richard Levitte via RT wrote:
>
> > Whatever the problem is, I do not agree with removing 'set -e'. Setting
> > -e ensures that an error that happens within a loop is propagated to
> > become the error *of* the loop (or actually, the whole shell session),
> > which is therefore returned to make. Without 'set -e', errors may
> > happen within the loops or a series of commands with make not knowing
> > about it. Instead, make will only get the exit code from the last
> > command executed.
>
> I guess I just don't understand. I don't see why it succeeds on any
> platform. The "set -e" fails if an exit code is anything other than
> "0". Installing the manual pages involves calling grep with arguments
> known to succeed at times and fail at times, sometimes giving exit
> code of "0" and sometimes of "1". That seems to be why "set -e" stops
> the loop. For example:

Aha, *that's* what we need to debug then. BTW, the exit code of a pipe is usually the exit code of the last command in the chain. So you can't really blame grep, since their result is piped into a parenthesised complex command. I'm willing to bet either 'read' or 'util/point.sh' return with an exit code other than 0, and that it could be enough to have an 'exit 0' at the end of the complex command (and maybe another 'set -e' before the while loop).

-- Richard Levitte [EMAIL PROTECTED]
[openssl.org #1108] config return != 0
[guest - Sun Jun 12 12:08:21 2005]:
> + ./config --prefix=/home/aj/opentest shared zlib i386 threads
> Operating system: i686-whatever-linux2
> Configuring for linux-elf
> target already defined - linux-elf

"i386" doesn't mean anything special to Configure, so it thinks it's a target argument, and since ./config already inserted "linux-elf" in there, it looks like a double target request to Configure. You probably want "386" instead of "i386".

Case dismissed.

-- Richard Levitte [EMAIL PROTECTED]
Re: 0.9.8 API/ABI compatibility with 0.9.7 ?
In message <[EMAIL PROTECTED]> on Thu, 9 Jun 2005 14:28:27 +, Eduardo Pérez <[EMAIL PROTECTED]> said:

eperez> On 2005-05-14 15:27:26 +, Eduardo Pérez wrote:
eperez> > I was wondering if openssl-0.9.8 is going to be API/ABI
eperez> > compatible with the current stable branch of openssl-0.9.7
eperez> > I think keeping API/ABI compatible is a good idea and makes
eperez> > programmers' and users' lives easier.
eperez> > Anyway, if you are not going to keep API/ABI compatibility
eperez> > in openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning
eperez> > behind that.

0.9.8 and 0.9.7 aren't compatible in certain areas. The biggest changes have nothing to do with function and variable symbols. If you want to look at the real incompatibilities, you need to compare the different structures. I'll get into that below.

eperez> In libcrypto I saw that in the newer version there are missing
eperez> symbols so it may not be API/ABI compatible if those symbols
eperez> were supposed to be public and used by applications.

Those I saw in your diff were ECC symbols. ECC is still quite experimental in 0.9.7 and has evolved quite a lot in 0.9.8.

eperez> It seems that openssl doesn't want to keep API/ABI
eperez> compatibility between minor versions, ignoring the tremendous
eperez> help that it brings to end users and distributions packagers,
eperez> even knowing that compatibility could be achieved at no cost.

I think you're making quite a harsh conclusion. One of the bigger problems with the foundation of OpenSSL is the open nature of almost all structures. To keep API/ABI compatibility, those would have to be frozen, but that would effectively stop all development that includes new methods with extended data, or certain security fixes, or... unless you want *really ugly* and *really insecure* hacks in OpenSSL. Trust me.

For a comparison, I suggest you compare the RSA structures in crypto/rsa/rsa.h between 0.9.7 and 0.9.8. I suggest you compare simple little constants like EVP_MAX_KEY_LENGTH and EVP_MAX_BLOCK_LENGTH between 0.9.6 and 0.9.7.

The biggest change that's needed in OpenSSL is to hide all the structures and all constants and have them available through functions (creator, destructors and information functions). So speaking of incompatibilities, we've really kept it low compared to what needs to be done and what could be done.

Our version numbering is admittedly weird. Basically, we've treated '0.9.' as a prefix to signal that "this isn't a 1.0 yet, and drastic changes can be expected", and effectively treated the next digit as a classic major version. This is reflected in the soname we give the shared libraries. We probably should do some drastic changes in our version numbering (which is quite a lesson to me personally. I've been reluctant to make a move to 1.0 because OpenSSL hasn't felt ready for that).

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: [CVS] OpenSSL: openssl/ FAQ
In message <[EMAIL PROTECTED]> on Wed, 08 Jun 2005 06:16:54 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said:

richard> In message <[EMAIL PROTECTED]> on Wed, 08 Jun 2005 00:32:52 +0200, Andy Polyakov <[EMAIL PROTECTED]> said:
richard>
richard> appro> > appro> 1. I'm reluctant to include bn.h to non-bn code, because it's
richard> appro> > appro>    nothing but counterintuitive [and is not good in long run].
richard> appro> > appro> 2. My standpoint is [still] that pqueue/dtls1 should not have
richard> appro> > appro>    dependency on bh.h either.
richard> appro> > appro> 3. Using BIGNUM for DTLS purposes is *total* overkill. To back
richard> appro> > appro>    this up I'm going to suggest alternative, 64-bit neutral pq
richard> appro> > appro>    code shortly:-)
richard> appro> >
richard> appro> > I agree.
richard> appro>
richard> appro> Consider http://cvs.openssl.org/chngview?cn=13985 for 0.9.8.
richard>
richard> That was... unexpected :-). I was expecting some better kind of
richard> 64-bit emulating type, but definitely not an array of unsigned char.

Don't take that as a complaint, BTW. If it works, I see no problem having that in 0.9.8, and maybe develop a better 64-bit type for 0.9.9.

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: [CVS] OpenSSL: openssl/ FAQ
In message <[EMAIL PROTECTED]> on Wed, 08 Jun 2005 00:32:52 +0200, Andy Polyakov <[EMAIL PROTECTED]> said:

appro> > appro> 1. I'm reluctant to include bn.h to non-bn code, because it's
appro> > appro>    nothing but counterintuitive [and is not good in long run].
appro> > appro> 2. My standpoint is [still] that pqueue/dtls1 should not have
appro> > appro>    dependency on bh.h either.
appro> > appro> 3. Using BIGNUM for DTLS purposes is *total* overkill. To back
appro> > appro>    this up I'm going to suggest alternative, 64-bit neutral pq
appro> > appro>    code shortly:-)
appro> >
appro> > I agree.
appro>
appro> Consider http://cvs.openssl.org/chngview?cn=13985 for 0.9.8.

That was... unexpected :-). I was expecting some better kind of 64-bit emulating type, but definitely not an array of unsigned char.

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
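How an array of unsigned char can stand in for a 64-bit queue priority on compilers with no 64-bit integer type, as an added example that is not the code from change 13985: stored most significant byte first, the value orders correctly under memcmp and increments with a byte-wise carry. The big-endian layout, the duplicate handling and all names here are assumptions of the example.

```c
/* Added illustration; not the pqueue code from the OpenSSL change. */
#include <stdio.h>
#include <string.h>

#define PRIO_LEN 8   /* 64 bits as bytes, most significant first (assumed layout) */
#define SAMPLES 4

typedef struct pitem {
    unsigned char priority[PRIO_LEN];
    struct pitem *next;
} pitem;

/* Build a priority from two 32-bit halves; no 64-bit arithmetic is needed. */
static void prio_set(unsigned char p[PRIO_LEN], unsigned long hi, unsigned long lo)
{
    int i;

    for (i = 3; i >= 0; i--) {
        p[i] = (unsigned char)(hi & 0xff);
        p[i + 4] = (unsigned char)(lo & 0xff);
        hi >>= 8;
        lo >>= 8;
    }
}

/* With big-endian storage, byte-wise order equals numeric order. */
static int prio_cmp(const unsigned char *a, const unsigned char *b)
{
    return memcmp(a, b, PRIO_LEN);
}

/* Add one with carry. Returns 0 when the value wraps to zero, which a caller
 * tracking sequence numbers must treat as an error rather than a new value. */
static int prio_increment(unsigned char p[PRIO_LEN])
{
    int i;

    for (i = PRIO_LEN - 1; i >= 0; i--)
        if (++p[i] != 0)
            return 1;
    return 0;
}

/* Insert in ascending order. Returns 0 and leaves the queue unchanged when an
 * item with the same priority is already queued, 1 otherwise. */
static int pq_insert(pitem **head, pitem *item)
{
    pitem **pp = head;

    while (*pp != NULL) {
        int c = prio_cmp((*pp)->priority, item->priority);

        if (c == 0)
            return 0;
        if (c > 0)
            break;
        pp = &(*pp)->next;
    }
    item->next = *pp;
    *pp = item;
    return 1;
}

/* Constructed sample: (hi, lo) halves, out of order, last one a duplicate. */
static const unsigned long sample_prio[SAMPLES][2] = {
    { 1UL, 0UL }, { 0UL, 0xFFFFFFFFUL }, { 0UL, 5UL }, { 1UL, 0UL }
};
static pitem sample[SAMPLES];
static pitem *sample_head;

/* Queue the samples from scratch; returns how many were accepted. */
static int queue_samples(void)
{
    int i, accepted = 0;

    sample_head = NULL;
    for (i = 0; i < SAMPLES; i++) {
        prio_set(sample[i].priority, sample_prio[i][0], sample_prio[i][1]);
        sample[i].next = NULL;
        accepted += pq_insert(&sample_head, &sample[i]);
    }
    return accepted;
}

int main(void)
{
    const pitem *p;
    int i;

    printf("accepted %d of %d\n", queue_samples(), SAMPLES);
    for (p = sample_head; p != NULL; p = p->next) {
        for (i = 0; i < PRIO_LEN; i++)
            printf("%02x", p->priority[i]);
        printf("\n");
    }
    return 0;
}
```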
[openssl.org #1043] Updated 0.9.7g NetWare Patch for the Contribution page
[EMAIL PROTECTED] - Tue Jun 7 23:19:33 2005]:
> This is marked fixed, but checking the website again today shows it
> still has the old patch from 0.9.7d. Is there something else that
> needs to happen? Thanks.

I've updated the page you looked at. I've currently no clue why that didn't happen on its own...

-- Richard Levitte [EMAIL PROTECTED]
Re: [CVS] OpenSSL: openssl/ FAQ
In message <[EMAIL PROTECTED]> on Mon, 06 Jun 2005 22:32:05 +0200, Andy Polyakov <[EMAIL PROTECTED]> said:

appro> 1. I'm reluctant to include bn.h to non-bn code, because it's
appro>    nothing but counterintuitive [and is not good in long run].
appro> 2. My standpoint is [still] that pqueue/dtls1 should not have
appro>    dependency on bh.h either.
appro> 3. Using BIGNUM for DTLS purposes is *total* overkill. To back
appro>    this up I'm going to suggest alternative, 64-bit neutral pq
appro>    code shortly:-)

I agree. I'd rather see something like crypto/64bit.h (which is exported) and crypto/64bit.c. However, considering we're not very far from releasing 0.9.8 (everyone look at http://www.openssl.org/news/state.html!) I'd say a change to something completely new in this department should only be added to the 0.9.8 tree with lots of caution, and that the BIGNUM reference in pqueue may be a necessary compromise. In 0.9.9-dev, the matter is different, and I for one welcome any more developed 64-bit integer handling there.

About the code in crypto/bn: there are some low-level routines that are specifically designed to handle 64-bit integers represented as two 32-bit integers. That code should be used, there's no point not to. So it would be natural to depend on that part of crypto/bn...

Cheers,
Richard

-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/
Re: [CVS] OpenSSL: openssl/ FAQ
It's interesting to see this happening. We have two parts of OpenSSL, sha512 and pqueue, that solve the 64-bit integer problem in very different manners. Would it be a bad thing to have a header file in crypto/bn that provides a guaranteed 64-bit number, possibly through BIGNUM, with macros to distinguish between the true 64-bit integer and BIGNUM cases (like pq_compat.h has today), and have both sha512 and pqueue use it? I'm not saying that sha512 should be implemented using BINUMs, but rather that it should be possible to detect if 64-bit integers are support as far as OpenSSL knows, and have sha512 implemented in those terms instead of forcing the user to say no-sha512 because his first build failed? In message <[EMAIL PROTECTED]> on Mon, 6 Jun 2005 11:32:03 +0200 (CEST), "Andy Polyakov" <[EMAIL PROTECTED]> said: appro> OpenSSL CVS Repository appro> http://cvs.openssl.org/ appro> appro> appro> Server: cvs.openssl.org Name: Andy Polyakov appro> Root: /v/openssl/cvs Email: [EMAIL PROTECTED] appro> Module: openssl Date: 06-Jun-2005 11:32:02 appro> Branch: HEAD Handle: 2005060610320100 appro> appro> Modified files: appro> openssl FAQ appro> appro> Log: appro> FAQ to mention no-sha512 as option for compilers without support for 64-bit appro> integer type. appro> appro> Summary: appro> RevisionChanges Path appro> 1.103 +10 -0 openssl/FAQ appro> appro> appro> patch -p0 <<'@@ .' appro> Index: openssl/FAQ appro> appro> $ cvs diff -u -r1.102 -r1.103 FAQ appro> --- openssl/FAQ19 May 2005 19:54:49 - 1.102 appro> +++ openssl/FAQ6 Jun 2005 09:32:01 - 1.103 appro> @@ -47,6 +47,7 @@ appro>* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? appro>* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"? appro>* Why does the OpenSSL test suite fail in sha512t on x86 CPU? appro> +* Why does compiler fail to compile sha512.c? appro> appro>[PROG] Questions about programming with OpenSSL appro> appro> 
@@ -607,6 +608,15 @@ appro>instruction extentions. See accompanying INSTALL file and appro>OPENSSL_ia32cap(3) documentation page for further information. appro> appro> +* Why does compiler fail to compile sha512.c? appro> + appro> +OpenSSL SHA-512 implementation depends on compiler support for 64-bit appro> +integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a appro> +couple] lack support for this and therefore are incapable of compiling appro> +the module in question. The recommendation is to disable SHA-512 by appro> +adding no-sha512 to ./config [or ./Configure] command line. Another appro> +possible alternative might be to switch to GCC. appro> + appro>[PROG] appro> appro>* Is OpenSSL thread-safe? appro> @@ . appro> __ appro> OpenSSL Project http://www.openssl.org appro> CVS Repository Commit List [EMAIL PROTECTED] appro> Automated List Manager [EMAIL PROTECTED] appro> - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ "When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up." -- C.S. Lewis __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
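Review bot: In the second hunk (the new answer under "Why does compiler fail to compile sha512.c?"), "Few elder compilers" reads as "hardly any" where "A few older compilers" is meant, and the entry never shows what the failure looks like, so a reader cannot match their own sha512.c error to it. Suggest rewording the opening and quoting one line of the typical diagnostic before recommending no-sha512. The context line just above the addition also carries "extentions", which could be corrected to "extensions" while the file is open.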
[openssl.org #1100] Problem with beta3/4 with INSTALL_PREFIX
[EMAIL PROTECTED] - Mon Jun 6 10:08:03 2005]:

> The following is missing in the Makefile, as the bin,engine,misc
> directories are all installing in to the operating system.
>
> BUILDENV= INSTALL_PREFIX='${INSTALL_PREFIX}' \
>

Right. Change applied and committed. Thanks for the notification.

Ticket resolved.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1089] test report for OpenBSD -current
[EMAIL PROTECTED] - Mon Jun 6 07:15:40 2005]:

> Richard Levitte via RT wrote:
> > Thanks for the positive report! Apropos the 'test skipped' stuff, I'm
> > not sure why skipping tests on unbuilt algorithms is self-defeating.
>
> It didn't skip only the tests on unbuilt algorithms, it skipped *all*
> the tests.

Ah, good point. I jumped to conclusions too fast, it seems. Sorry about that. I just committed a change, but unfortunately, it's a little late to get it into beta4. Would you be willing to test tomorrow's snapshot (openssl-0.9.8-stable-SNAP-20050607.tar.gz), to ensure it does the right thing before beta5?

Ticket reopened.

--
Richard Levitte [EMAIL PROTECTED]
[ANNOUNCE] OpenSSL 0.9.8 beta 4 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 4

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fourth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta4.tar.gz
    MD5 checksum: 55268415737b3d21726307d778fdf39e
    SHA1 checksum: 3d2a19de0c7e1972f8a3f0420e6cf9ac35bbaf4f

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta4.tar.gz
    openssl sha1 < openssl-0.9.8-beta4.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the third beta, the following has happened:

  - Ultrix issues are fixed (we think).
  - ia64 issues are fixed (we think).
  - NetWare is updated.
  - More VMS issues are fixed.
  - rpm build issues are fixed (we think).
  - Engine padlock issues are fixed (we think).
  - pqueue should now work a lot better on systems that do not support integer types larger than 32 bits.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCo6SSp6+eePcJRTsRAoGtAJwOQJxueNPiSaMFJ2Rrc2cvgOHP9gCfaDeF
xKCWTtFoUUfZnYbuwy3B7JI=
=wDna
-----END PGP SIGNATURE-----
Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/crypto/pqueue/ pq_compat....
In message <[EMAIL PROTECTED]> on Mon, 06 Jun 2005 09:39:51 +1000 (EST), "Brian Havard" <[EMAIL PROTECTED]> said:

brianh> There's a few other places where VMS is specifically tested for related to
brianh> this that probably should also be changed.
brianh>
brianh> IE ./ssl/d1_pkt.c:139,1456,1741
brianh>    ./ssl/d1_pkt.c:135
brianh>    ./crypto/pqueue/pqueue.c:202
brianh>
brianh> Currently, without BN_LLONG defined, I get this:
brianh> ./ssl/d1_pkt.c: In function `dtls1_record_replay_check':
brianh> ./ssl/d1_pkt.c:1457: invalid initializer

Actually, as it is, I think those won't need to have any special tests any more, since all cases when there is no 64-bit integer provided by the compiler (as far as we know), BIGNUMs are used instead... I'll try that.

Thanks for the notification.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
[openssl.org #1043] Updated 0.9.7g NetWare Patch for the Contribution page
Added the 0.9.7g diff. Thanks!

Ticket resolved.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1074] rpmbuild -tb openssl-0.9.7g.tar.gz fails
[EMAIL PROTECTED] - Wed May 18 18:43:41 2005]:

> When I attempt to build openssl-0.9.7g in with rpmbuild (i.e. rpmbuild
> -tb openssl-0.9.7g.tar.gz ) the build always fails with the following
> error.
>
> RPM build errors:
> File not found: /var/tmp/openssl-0.9.7g-root/var/ssl/lib

And it's entirely right. The proper thing to do is to remove the following line in openssl.spec:

    %dir %attr(0755,root,root) %{openssldir}/lib

I've committed such a change.

Ticket resolved.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1080] Test reports
Thanks for the test reports. Please do it again on beta 4 when it comes out (soon).

Ticket resolved.

[EMAIL PROTECTED] - Tue May 31 13:49:18 2005]:

> Report for Win32 tests:
> <>
> Report for Linux tests:
> <>
>
> ***
> Richard Wong
> Atlas Centre
> Rutherford Appleton Laboratory
> Oxfordshire
> United Kingdom
> OX11 0QX
>
> Telephone: 01235-446075
> Email: [EMAIL PROTECTED]
> ***
> The contents of this email are sent in confidence for the use of the
> intended recipient only. If you are not one of the intended
> recipients do not take action on it or show it to anyone else, but
> return this email to the sender and delete your copy of it.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1083] Compilation error in crypto/pqueue/pqueue.c on "hpux-parisc-cc shared"
beta 4 is out soon. Please try it and report back. I believe the BN_ULLONG issues with pqueue are properly dealt with.

[EMAIL PROTECTED] - Tue May 31 14:01:08 2005]:

> cc: "pqueue.h", line 73: error 1000: Unexpected symbol: "BN_ULLONG".
> cc: "pqueue.h", line 73: error 1573: Type of "priority" is undefined due to an illegal declaration.
> cc: "pqueue.h", line 73: error 1578: Size of struct or union member is unknown.
> cc: "pqueue.h", line 80: error 1000: Unexpected symbol: "priority".
> cc: "pqueue.h", line 80: error 1573: Type of "priority" is undefined due to an illegal declaration.
> cc: "pqueue.h", line 89: error 1000: Unexpected symbol: "BN_ULLONG".
> cc: "pqueue.h", line 89: error 1573: Type of "priority" is undefined due to an illegal declaration.
> cc: "pqueue.c", line 71: error 1000: Unexpected symbol: "priority".
> cc: "pqueue.c", line 71: error 1573: Type of "priority" is undefined due to an illegal declaration.
> cc: "pqueue.c", line 77: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 77: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 77: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 127: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 127: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 127: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 127: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 127: error 1563: Expression in if must be scalar.
> cc: "pqueue.c", line 139: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 139: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 139: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 139: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 139: error 1563: Expression in if must be scalar.
> cc: "pqueue.c", line 167: error 1000: Unexpected symbol: "BN_ULLONG".
> cc: "pqueue.c", line 167: error 1573: Type of "priority" is undefined due to an illegal declaration.
> cc: "pqueue.c", line 178: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 178: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 178: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 178: error 1563: Expression in if must be scalar.
> cc: "pqueue.c", line 186: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 186: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 186: error 1554: Indirection must be through a pointer.
> cc: "pqueue.c", line 186: error 1563: Expression in if must be scalar.
> cc: "pqueue.c", line 210: error 1531: Invalid member of struct or union.
> cc: "pqueue.c", line 210: warning 563: Argument #2 is not the correct type.
> *** Error exit code 1
>
> Stop.
> *** Error exit code 1
>
> Stop.
> *** Error exit code 1
>
> Stop.
> *** Error exit code 1
>
> Stop.
>
> Heymen Nicolaij
> Technical Specialist
>
> Getronics PinkRoccade
> Luchthavenweg 54, 5657 EB Eindhoven
> Postbus 57010, 5605 AA Eindhoven
>
> T:040-2562685
> E:[EMAIL PROTECTED]
> I:www.pinkroccade.nl
>
> This e-mail is subject to a disclaimer: <http://www.pinkroccade.nl/emaildisclaimer>

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1085] DJGPP patch for 0.9.8-beta3
[EMAIL PROTECTED] - Tue May 31 17:03:31 2005]:

> There is one problem with beta-3 which also occurred in earlier
> versions, but which I had overlooked, since no errors were generated.
> On DJGPP, install_docs stops after installing man1/CA.pl.1. No other
> man pages were installed. The rest of the installation went fine. I
> believe that this occurs because of non-portable assumptions about
> return values made by the makefile. The attached patch fixes it for
> DJGPP. I had previously reported this problem (see rt tickets #932 and
> 989).
> Doug
>

Whatever the problem is, I do not agree with removing 'set -e'. Setting -e ensures that an error that happens within a loop is propagated to become the error *of* the loop (or actually, the whole shell session), which is therefore returned to make. Without 'set -e', errors may happen within the loops or a series of commands with make not knowing about it. Instead, make will only get the exit code from the last command executed.

I believe that the problem lies somewhere else and needs to be investigated a bit further.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1086] openssl-0.9.8-beta3 on ULTRIX 4.5 (cc)
It looks to me like the sha512 problem has been solved by moving up the inclusion of opensslconf.h.

I think I just solved the pq_compat.h problem by making the check for those environments that need to use BIGNUM a bit more generic.

[EMAIL PROTECTED] - Tue May 31 17:03:47 2005]:

> Environment: openssl-0.9.8-beta3, ULTRIX 4.5, ultrix-cc
>
> - crypto/sha/sha512.c fails to compile
>   cc -I.. -I../.. -I../../include -DZLIB ... -DL_ENDIAN -c sha512.c
>   cfe: Error: sha512.c, line 61: Syntax Error
>   c->h[0]=0xcbbb9d5dc1059ed8ULL ;
>   ^
>
>   "long long" is only partially supported, i.e. add/sub work,
>   but mul/div/... not; see http://archive.apache.org/gnats/4940
>
> - disabling SHA512 with "no-sha512" does not work as expected
>   ./Configure no-sha512 ...
>   make depend
>   make
>   :
>   cc -I.. -I../.. -I../../include -DZLIB ... -DL_ENDIAN -c sha512.c
>   cfe: Error: sha512.c, line 59: Syntax Error
>   int SHA384_Init (SHA512_CTX *c)
>   ^
>
>   "OPENSSL_NO_SHA512" gets defined in crypto/opensslconf.h, so the
>   "!defined(OPENSSL_NO_SHA512)" comes too early in crypto/sha/sha512.c -
>   or sha512.c should be compiled with "-DOPENSSL_NO_SHA512" in this case.
>
> - crypto/pqueue/pqueue.c fails to compile
>   cc -I.. -I../.. -I../../include -DZLIB ... -DL_ENDIAN -c pqueue.c
>   cfe: Error: ./pqueue.h, line 73: Syntax Error
>   BN_ULLONG priority;
>   ^
>
>   In the "THIRTY_TWO_BIT" case, BN_ULLONG gets defined in crypto/bn/bn.h
>   only if "BN_LLONG" is defined, there is no "else" for environments
>   without 64-bit integer support.
>   The "VMS_TEST" hack (?) in crypto/pqueue/pq_compat.h works on ULTRIX
>   ("Other environments ... can safely use the code developed for VMS."),
>   crypto/pqueue/pqueue.c, ssl/d1_lib.c, and ssl/d1_pkt.c compile OK.
>
> Summary:
>   With
>   ./Configure no-sha512 -DOPENSSL_NO_SHA512 -DVMS_TEST ultrix-cc
>   openssl-0.9.8-beta3 builds on ULTRIX 4.5 with cc.
>
> Bernhard Simon, TU Wien, ZID/StS

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1089] test report for OpenBSD -current
Thanks for the positive report! Apropos the 'test skipped' stuff, I'm not sure why skipping tests on unbuilt algorithms is self-defeating.

Anyway, I'm resolving this ticket.

[EMAIL PROTECTED] - Wed Jun 1 10:10:50 2005]:

> Hi,
>
> Here is a testlog for OpenBSD -current. We probably won't get around to
> integrating 0.9.8 until after OpenBSD-3.8 is released.
>
> I hacked the 'test skipped' stuff out of util/selftest.pl - I think skipping
> tests because of no-mdc2 and no-rc5 is somewhat self-defeating
>
> -d
>
> OpenSSL self-test report:
>
> OpenSSL version: 0.9.8-beta3
> Last change: Correct naming of the 'chil' and '4758cca' ENGINEs. Thi...
> Options: 386 no-gmp no-krb5 no-mdc2 no-rc5 no-shared no-sse2 no-zlib no-zlib-dynamic
> OS (uname): OpenBSD baragon.mindrot.org 3.7 BARAGON#26 i386
> OS (config): i386-whatever-openbsd
> Target (default): BSD-x86-elf
> Target: BSD-x86-elf
> Compiler: Configured with:
> Thread model: single
> gcc version 3.3.5 (propolice)
>
> Test passed.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1090] [BUG] Segfault in dgst signing with rsa private key
e backtrace:

> =
> #0 0x400bdca8 in BN_BLINDING_set_thread_id (b=0xb51, n=1076728596)
>    at bn_blind.c:267
> 267 b->thread_id = n;
> (gdb) bt
> #0 0x400bdca8 in BN_BLINDING_set_thread_id (b=0xb51, n=1076728596)
>    at bn_blind.c:267
> #1 0x400d7f85 in RSA_setup_blinding (rsa=0x80b1e48, in_ctx=0x80b4050)
>    at rsa_lib.c:405
> #2 0x400d6fc9 in rsa_get_blinding (rsa=0x80b1e48, r=0xbfffe198,
>    local=0xbfffe19c, ctx=0x80b4050) at rsa_eay.c:251
> #3 0x400d649f in RSA_eay_private_decrypt (flen=64,
>    from=0xb51 ,
>    to=0x80b4000 "MobvxUlZUTDmtnqei5qEsbdjUzWrlWk/yhAu1MpYYjtAOmUh/ 0OwN+ske\nKGegsfJuRc1C1alZTc1",
>    rsa=0x80b1e48, padding=1) at rsa_eay.c:482
> #4 0x400d7c90 in RSA_private_decrypt (flen=2897,
>    from=0xb51 ,
>    to=0xb51 , rsa=0x402d9314, padding=2897)
>    at rsa_lib.c:294
> #5 0x400fc61f in EVP_PKEY_decrypt (key=0xb51 bounds>,
>    ek=0xb51 , ekl=2897, priv=0xb51) at p_dec.c:83
> #6 0x4013edf9 in PKCS7_dataDecode (p7=0x80b1bf8, pkey=0x80b1bd8, in_bio=0x0,
>    pcert=0x80b1eb8) at pk7_doit.c:442
> #7 0x40141126 in PKCS7_decrypt (p7=0x80b1bf8, pkey=0x80b1bd8, cert=0x0,
>    data=0x80b1d98, flags=128) at pk7_smime.c:450
> #8 0x08089995 in smime_main (argc=13, argv=0xb968) at smime.c:687
> #9 0x08055d3a in do_cmd (prog=0x80b1290, argc=13, argv=0xb968)
>    at openssl.c:382
> #10 0x08055b6e in main (Argc=13, Argv=0xb968) at openssl.c:301
> =
>
> The problem doesn't exist on 20050523 snapshot.
>
> Thank you.
>
> PS. We have an extra test suite testing openssl executable.
> Unfortunately, it's GNU make specific. Are you interested in it?

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1091] openssl-0.9.8-beta3 on ULTRIX 4.5 (gcc)
Change applied and committed. Thanks.

Ticket resolved.

[EMAIL PROTECTED] - Wed Jun 1 17:20:55 2005]:

> Environment: openssl-0.9.8-beta3, ULTRIX 4.5, ultrix-gcc (gcc 2.95.3)
>
> On this platform, gcc 2.95.3 supports 64-bit integer. To enable SHA512
> (and avoid the "undefined BN_ULLONG" problem in pqueue.c) only the
> following change was necessary:
>
> - Configure (line 497, insert BN_LLONG)
>   "ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::BN_LLONG",
>
> With this change openssl-0.9.8-beta3 compiled fine (4.5 hours) and
> passed all tests (2.6 hours).
>
> Bernhard Simon, TU Wien, ZID/StS

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1094] openssl-0.9.8-beta3 doesn't build on Linux IA64
I think I resolved this. Configure erroneously referred to ia64.o instead of bn-ia64.o... Fix committed and will be part of beta4. Thanks for the notification.

Ticket resolved. If there is still a problem with this, please generate a new bug report.

[EMAIL PROTECTED] - Fri Jun 3 12:58:08 2005]:

> System:
> SuSE SLES-8 (ia64)
> VERSION = 8.1
>
> Source tarball:
> openssl-0.9.8-beta3.tar.gz
>
> Build commands:
> tar zxf openssl-0.9.8-beta3.tar.gz
> cd openssl-0.9.8-beta3
> ./config --prefix=/users/kst/local/apps/openssl-0.9.8-beta3
> make
>
> Output (partial):
>
> gcc -I.. -I../.. -I../../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wall -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -c -o bn_sqr.o bn_sqr.c
> make[2]: *** No rule to make target `ia64.o', needed by `lib'. Stop.
> make[2]: Leaving directory `/users/kst/src/openssl/openssl-0.9.8-beta3/crypto/bn'
> make[1]: *** [subdirs] Error 1
> make[1]: Leaving directory `/users/kst/src/openssl/openssl-0.9.8-beta3/crypto'
> make: *** [build_crypto] Error 1
>
> I see the same problem with openssl-SNAP-20050602.tar.gz .
>
> More details available on request.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1095] IA64 Linux: Intel compiler name change
Hi!

Patch applied and committed to the 0.9.8 and 0.9.9-dev branches. Thanks.

Ticket resolved.

[EMAIL PROTECTED] - Fri Jun 3 12:58:18 2005]:

> Reference: [openssl.org #516]
>
> A couple of years ago, I submitted a patch to the Configure
> script to support the Intel compiler on Linux/IA64, adding a new
> "linux-ia64-ecc".
>
> Since then, in release 8 of the Intel compiler, the name of the
> compiler driver has been changed from "ecc" to "icc" (matching the
> name on ia32).
>
> I've attached a patch for Configure that adds a new configuration,
> "linux-ia64-icc". The only change is the name of the compiler.
> This is based on openssl-SNAP-20050602.tar.gz.
>
> The "linux-ia64-ecc" is still there, since the previous version of
> the compiler is presumably still in use.
>
> The "ecc" command still exists in release 8; it invokes the compiler
> like icc but produces a warning message on stderr:
>
> ecc: warning: The Intel C/C++ driver is now named icc. You can
> suppress this message with '-quiet'
>
> I don't know whether this has any effect (I've seen cases where
> configuration scripts are confused when the compiler writes anything
> to stderr, even if the compilation is successful).
>
> I haven't actually been able to test this patch, since the latest
> release doesn't build on IA-64.

--
Richard Levitte [EMAIL PROTECTED]
[openssl.org #1097] Bug Report
Hi,

I just applied and committed the proposed change. Thanks!

Ticket resolved.

[EMAIL PROTECTED] - Sat Jun 4 19:24:48 2005]:

> In function X509_cmp_time file X509_vfy.c
>
> Existing code for handling offset on validity time:
>
> if (*str == 'Z')
>     offset=0;
> else
>     {
>     printf("*str != Z is %c\n",*str);
>     if ((*str != '+') && (str[5] != '-'))
>         return 0;
>     offset=((str[1]-'0')*10+(str[2]-'0'))*60;
>     offset+=(str[3]-'0')*10+(str[4]-'0');
>     if (*str == '-')
>         offset= -offset;
>     }
>
> Should be:
>
> if (*str == 'Z')
>     offset=0;
> else
>     {
>     printf("*str != Z is %c\n",*str);
>     if ((*str != '+') && (*str != '-'))
>         return 0;
>     offset=((str[1]-'0')*10+(str[2]-'0'))*60;
>     offset+=(str[3]-'0')*10+(str[4]-'0');
>     if (*str == '-')
>         offset= -offset;
>     }
>
> The existing code will accept
>
> "050603014800+1800", but not "050603014800-0600"
>
> Jim Heit
> Enterprise Server Communications Engineering
> UNISYS Central Development Laboratory
> Roseville, MN USA
> +1(651)635-3169 Net2 524-3169
> Fax +1(651)635-5260 Net2 524-5260
> Reply to: [EMAIL PROTECTED]
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.

--
Richard Levitte [EMAIL PROTECTED]
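The sign test from the report above, before and after the proposed change, run over the report's two sample strings, as an added example (not OpenSSL's code). The wrapper `parse_zone`, the fixed 12-character `YYMMDDhhmmss` body and the length and digit checks are assumptions of this example; only the two sign tests and the offset arithmetic come from the quoted code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BODY_LEN 12  /* "YYMMDDhhmmss", as in the report's samples (assumption) */

/* Sign test as quoted in the report, before the fix. */
static int sign_ok_before(const char *str)
{
    return !((*str != '+') && (str[5] != '-'));
}

/* Sign test as proposed in the report. */
static int sign_ok_after(const char *str)
{
    return !((*str != '+') && (*str != '-'));
}

/*
 * Hypothetical wrapper: parses the zone designator that follows the time
 * body. Returns 1 and stores the offset in minutes, or 0 if rejected.
 */
static int parse_zone(const char *time_str, int (*sign_ok)(const char *),
                      int *offset_min)
{
    const char *str;
    int i, offset;

    if (strlen(time_str) < BODY_LEN + 1)
        return 0;
    str = time_str + BODY_LEN;

    if (*str == 'Z') {
        if (str[1] != '\0')
            return 0;
        *offset_min = 0;
        return 1;
    }
    /* Added check: exactly "+hhmm"/"-hhmm", so str[5] is the terminator
     * and the pre-fix test never reads past the end of the string. */
    if (strlen(str) != 5)
        return 0;
    if (!sign_ok(str))
        return 0;
    for (i = 1; i <= 4; i++)
        if (!isdigit((unsigned char)str[i]))
            return 0;

    offset = ((str[1] - '0') * 10 + (str[2] - '0')) * 60;
    offset += (str[3] - '0') * 10 + (str[4] - '0');
    if (*str == '-')
        offset = -offset;
    *offset_min = offset;
    return 1;
}

int main(void)
{
    /* Sample strings taken from the report, plus a 'Z' form. */
    const char *samples[] = {
        "050603014800+1800", "050603014800-0600", "050603014800Z"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int off_b = 0, off_a = 0;
        int ok_b = parse_zone(samples[i], sign_ok_before, &off_b);
        int ok_a = parse_zone(samples[i], sign_ok_after, &off_a);

        printf("%-18s before: %s (%d min)  after: %s (%d min)\n",
               samples[i], ok_b ? "accept" : "reject", off_b,
               ok_a ? "accept" : "reject", off_a);
    }
    return 0;
}
```

With the pre-fix test, every validity time carrying a negative offset is rejected before the offset is computed, so the `if (*str == '-')` branch can never run.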
[openssl.org #1098] NetWare patch for 0.9.8-beta3
Thanks for the patch. I just applied and committed them.

Ticket closed.

--
Richard Levitte [EMAIL PROTECTED]
Re: Suggestions for pqueue
In message <[EMAIL PROTECTED]> on Sat, 4 Jun 2005 04:31:21 +0200 (CEST), Andrija Antonijevic <[EMAIL PROTECTED]> said:

openssl> I am using OpenSSL on an architecture that has a shared
openssl> library model in which the arguments are passed through the
openssl> (32-bit) registers and for which passing the arguments whose
openssl> size is larger than 32-bit would create some problems.

I assume you're talking about VMS, or is there another architecture involved as well? Would you mind telling me the VMS version and C compiler version? Is it on VAX? Can you tell me a little more about the problem? See, I assume you work on Alpha or ia64, otherwise pqueue would use BIGNUM for PQ_64BIT (because VAX doesn't have 'long long' according to our configuration parameters), so I've a hard time understanding the argument about 32-bit registers.

openssl> Additionally, it seems to me that pqueue_print should either
openssl> not be included when OPENSSL_NOSTDIO is defined since it uses
openssl> printf or it should be replaced with a version that takes a
openssl> FILE * argument (guarded with #ifndef
openssl> OPENSSL_NO_FP_API/#endif pair) and a version that takes a BIO
openssl> * (if this function is intended to be used for anything else
openssl> besides debugging purposes).

Good point, I'll take a look at that.

openssl> I have included another patch (to be applied after the first
openssl> patch) which defines USE_BIGNUM_PQ_64BIT when OPENSSL_SYS_VMS
openssl> or VMS_TEST is defined and changes the #if
openssl> defined(OPENSSL_SYS_VMS) || defined(VMS_TEST) and similar
openssl> tests with #ifdef USE_BIGNUM_PQ_64BIT etc test in all
openssl> places. This would make it easier for other systems to use
openssl> the VMS changes, only pq_compat.h would have to be changed.

Good point as well.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
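The single-switch layout suggested in this thread, as an added example (not code from OpenSSL or from the posted patch): one macro picks the 64-bit representation and callers use only the accessor functions. All `DEMO_`, `demo_` and `seq64_` names are hypothetical, the fallback uses two 32-bit words where pq_compat.h uses BIGNUM, and the "strictly newer" check is a simplified stand-in for a sequence-number comparison.

```c
#include <stdio.h>

/* Hypothetical names throughout: none of these are OpenSSL identifiers. */

/* The only place that knows whether the compiler has a 64-bit integer.
 * Build with -DDEMO_NO_64BIT_INT to exercise the fallback. */
#if defined(DEMO_NO_64BIT_INT)
# define DEMO_SEQ64_IS_SPLIT 1
typedef struct { unsigned long hi, lo; } demo_seq64;  /* 32 bits used in each */
#else
# define DEMO_SEQ64_IS_SPLIT 0
typedef unsigned long long demo_seq64;
#endif

#define DEMO_MASK32 0xffffffffUL

static void seq64_set(demo_seq64 *s, unsigned long hi, unsigned long lo)
{
#if DEMO_SEQ64_IS_SPLIT
    s->hi = hi & DEMO_MASK32;
    s->lo = lo & DEMO_MASK32;
#else
    *s = ((demo_seq64)(hi & DEMO_MASK32) << 32) | (lo & DEMO_MASK32);
#endif
}

static unsigned long seq64_hi(const demo_seq64 *s)
{
#if DEMO_SEQ64_IS_SPLIT
    return s->hi;
#else
    return (unsigned long)((*s >> 32) & DEMO_MASK32);
#endif
}

static unsigned long seq64_lo(const demo_seq64 *s)
{
#if DEMO_SEQ64_IS_SPLIT
    return s->lo;
#else
    return (unsigned long)(*s & DEMO_MASK32);
#endif
}

/* Add one, carrying from the low word into the high word. */
static void seq64_inc(demo_seq64 *s)
{
#if DEMO_SEQ64_IS_SPLIT
    s->lo = (s->lo + 1) & DEMO_MASK32;
    if (s->lo == 0)
        s->hi = (s->hi + 1) & DEMO_MASK32;
#else
    (*s)++;
#endif
}

/* Returns -1, 0 or 1, like strcmp's sign. */
static int seq64_cmp(const demo_seq64 *a, const demo_seq64 *b)
{
#if DEMO_SEQ64_IS_SPLIT
    if (a->hi != b->hi)
        return a->hi < b->hi ? -1 : 1;
    if (a->lo != b->lo)
        return a->lo < b->lo ? -1 : 1;
    return 0;
#else
    return (*a > *b) - (*a < *b);
#endif
}

/* Caller code: no #if needed here, whichever representation is in use.
 * Accepts a record only if its number is strictly newer than the last. */
static int demo_accept_record(demo_seq64 *last_seen,
                              unsigned long hi, unsigned long lo)
{
    demo_seq64 seq;

    seq64_set(&seq, hi, lo);
    if (seq64_cmp(&seq, last_seen) <= 0)
        return 0;
    *last_seen = seq;
    return 1;
}

int main(void)
{
    demo_seq64 last;

    seq64_set(&last, 0, DEMO_MASK32);
    seq64_inc(&last);  /* carries into the high word */
    printf("split=%d hi=%lu lo=%lu\n", DEMO_SEQ64_IS_SPLIT,
           seq64_hi(&last), seq64_lo(&last));
    printf("replayed 0:5 accepted? %d\n", demo_accept_record(&last, 0, 5));
    printf("newer 1:1 accepted? %d\n", demo_accept_record(&last, 1, 1));
    return 0;
}
```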
[ANNOUNCE] OpenSSL 0.9.8 beta 3 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 3

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The third beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

  o http://www.openssl.org/source/
  o ftp://ftp.openssl.org/source/

The file names of the beta are:

  o openssl-0.9.8-beta3.tar.gz
    MD5 checksum: 5353f8c553c3be6835180bfdeb31b5dc
    SHA1 checksum: a8c3624e1dd5fd797fc5e58ea7d0def361fa26e2

The checksums were calculated using the following command:

    openssl md5 < openssl-0.9.8-beta3.tar.gz
    openssl sha1 < openssl-0.9.8-beta3.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the second beta, the following has happened:

  - the build system has been corrected for systems where the second beta was failing. These contain enhancements for VMS and DJGPP.
  - there has been work to make pqueue and dtls more portable
  - RSA-PSS and RSA-X.931 have been added.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

    make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file "testlog". Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

    Mark J. Cox             Ben Laurie          Andy Polyakov
    Ralf S. Engelschall     Richard Levitte     Geoff Thorpe
    Dr. Stephen Henson      Bodo Möller         Ulf Möller
    Lutz Jänicke            Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCm6NTp6+eePcJRTsRAtthAJ9WJrdIXskkIFH7UcUADdbx/s8VOwCeLgQG
X019YLgh1fNpWDYhicjjmGo=
=Z/+m
-----END PGP SIGNATURE-----