Re: [openssl.org #2519] crash when using newly-defined ASN1_SEQUENCE macros in Windows with elements that are also newly-defined SEQUENCEs...
I suggest you remove all files in include/openssl/, then rebuild.

The reason for your problem is that the distribution contains a bunch of symlinks, like this:

    lrwxrwxrwx openssl/openssl 0 2011-02-08 18:13 openssl-1.0.0d/include/openssl/opensslconf.h -> ../../crypto/opensslconf.h

On Unix, that works with no problems. On environments that don't implement symlinks in a similar way, there may be problems, because it's not certain they will be recreated. Removing include/openssl/*.h makes sure these will be.

Cheers,
Richard

In message rt-3.4.5-52058-1305706213-1353.2519-2...@openssl.org on Wed, 18 May 2011 10:10:13 +0200 (CEST), dave via RT r...@openssl.org said:

> configuration:
> * openssl 1.0.0.d
> * Win32, VC6
> * static library
> (I don't know if the problem is confined to that configuration, but it's what I'm using).
>
> There appear to be two versions of opensslconf.h that are generated from the Configure script. One is placed in ./include/openssl, and one is placed in ./crypto. However, they are different; in particular with respect to the definition of OPENSSL_EXPORT_VAR_AS_FUNCTION.
>
> In the 'public' one placed in ./include/openssl, this is #undef'ed at line 79.
> In the 'internal' one placed in ./crypto, this is #undef'ed but then immediately #define'd at lines 84..85.
>
> The result is that, if the caller defines their own ASN1_SEQUENCE, and uses that as a member of another ASN1_SEQUENCE, then the resulting code for the _new() method will crash in tasn_new.c:51. The reason is that the internal 'item' member of the template record points to the template structure of the member sequence directly, rather than to a function which returns the template of that member sequence.
>
> Example of failing code:
>
>     //begin failing code
>     //defs
>     typedef struct {
>         ASN1_OBJECT* type;
>     } INSIDE_SEQ;
>
>     ASN1_SEQUENCE(INSIDE_SEQ) = {
>         ASN1_SIMPLE(INSIDE_SEQ, type, ASN1_OBJECT),
>     } ASN1_SEQUENCE_END(INSIDE_SEQ)
>
>     DECLARE_ASN1_FUNCTIONS(INSIDE_SEQ)
>     IMPLEMENT_ASN1_FUNCTIONS(INSIDE_SEQ)
>
>     typedef struct {
>         ASN1_OBJECT* type;
>         INSIDE_SEQ* member;
>     } OUTSIDE_SEQ;
>
>     ASN1_SEQUENCE(OUTSIDE_SEQ) = {
>         ASN1_SIMPLE(OUTSIDE_SEQ, type, ASN1_OBJECT),
>         ASN1_SIMPLE(OUTSIDE_SEQ, member, INSIDE_SEQ)
>     } ASN1_SEQUENCE_END(OUTSIDE_SEQ)
>
>     DECLARE_ASN1_FUNCTIONS(OUTSIDE_SEQ)
>     IMPLEMENT_ASN1_FUNCTIONS(OUTSIDE_SEQ)
>
>     //code
>     OUTSIDE_SEQ* pos = OUTSIDE_SEQ_new(); //crashes with access violation
>     ...
>     //end failing code
>
> Complications:
> * since opensslconf.h #undef's the controlling constant, it isn't possible to modify the behaviour with compiler defs, etc.
> * I didn't want to tamper with the generated opensslconf.h in case that made things worse in an unexpected way.
>
> I have made example code work by 'fixing up' the template record definition manually, first by defining a function:
>
>     const ASN1_ITEM* INSIDE_SEQ_it_haquery(void) { return &INSIDE_SEQ_it; }
>
> and then changing the 'const' data segment (where the template defs are placed) to be writeable, and then fixing up the template record this way:
>
>     {
>         ASN1_TEMPLATE* p = (ASN1_TEMPLATE*)&OUTSIDE_SEQ_seq_tt[1];
>         p->item = (void*) INSIDE_SEQ_it_haquery;
>     }
>
> After doing that, then the call to:
>
>     OUTSIDE_SEQ* pos = OUTSIDE_SEQ_new();
>
> will work as expected. Of course, this is not really a good general solution.
>
> -dave

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
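A check for the condition dave describes, two generated copies of opensslconf.h that disagree on a macro, as an added example that is not part of the original thread or of OpenSSL. The function names and the two embedded headers are constructed for illustration; pass the real include/openssl/opensslconf.h and crypto/opensslconf.h paths as arguments to compare a build tree.

```python
"""Added example: report macros that two copies of a generated header set differently."""
import re
import sys

# Matches #define / #undef, allowing spaces after '#', as in "# define FOO".
_DIRECTIVE = re.compile(r'^\s*#\s*(define|undef)\s+([A-Za-z_]\w*)(.*)$')

# Constructed samples, not real OpenSSL files. They reproduce only the
# difference described in the report: #undef alone vs #undef then #define.
PUBLIC_SAMPLE = """\
/* Constructed sample standing in for include/openssl/opensslconf.h.
#define OPENSSL_EXPORT_VAR_AS_FUNCTION  (inside a comment: ignored)
*/
#ifndef OPENSSL_SYSNAME_WIN32
# define OPENSSL_SYSNAME_WIN32
#endif
#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
#define RC4_INT unsigned int
"""

INTERNAL_SAMPLE = """\
/* Constructed sample standing in for crypto/opensslconf.h. */
#ifndef OPENSSL_SYSNAME_WIN32
# define OPENSSL_SYSNAME_WIN32
#endif
#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
#define OPENSSL_EXPORT_VAR_AS_FUNCTION
#define RC4_INT   unsigned int
"""


def directive_trace(header_text):
    """Return {macro: [(line_no, 'define'|'undef', value), ...]} in file order.

    Conditionals are not evaluated; the ordered list of directives per macro
    is used as a fingerprint. Block comments are blanked with their newlines
    kept so line numbers match the file. Continuation lines are not joined.
    """
    blanked = re.sub(r'/\*.*?\*/',
                     lambda m: '\n' * m.group().count('\n') or ' ',
                     header_text, flags=re.S)
    trace = {}
    for line_no, line in enumerate(blanked.splitlines(), 1):
        m = _DIRECTIVE.match(line)
        if m:
            kind, name, rest = m.groups()
            # Normalise whitespace so cosmetic differences are not reported.
            value = ' '.join(rest.split()) if kind == 'define' else ''
            trace.setdefault(name, []).append((line_no, kind, value))
    return trace


def header_drift(public_text, internal_text):
    """Return macros whose directive sequence differs between the two copies."""
    pub, internal = directive_trace(public_text), directive_trace(internal_text)
    drift = {}
    for name in sorted(set(pub) | set(internal)):
        a, b = pub.get(name, []), internal.get(name, [])
        # Compare kind and value only; line numbers may legitimately differ.
        if [(k, v) for _, k, v in a] != [(k, v) for _, k, v in b]:
            drift[name] = (a, b)
    return drift


def report(public_text, internal_text):
    """One human-readable line per drifting macro."""
    def fmt(trace):
        return ', '.join(f'{kind}@{line_no}' for line_no, kind, _ in trace) or 'absent'
    return [f'{name}: public [{fmt(a)}] vs internal [{fmt(b)}]'
            for name, (a, b) in header_drift(public_text, internal_text).items()]


if __name__ == '__main__':
    if len(sys.argv) == 3:
        texts = [open(p, encoding='latin-1').read() for p in sys.argv[1:3]]
    else:
        texts = [PUBLIC_SAMPLE, INTERNAL_SAMPLE]
    print('\n'.join(report(*texts)) or 'no drift')
```

Any macro it reports means code compiled against one copy and a library compiled against the other may disagree about data layout or calling convention, which is the situation the rebuild advice above removes.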
Re: [openssl.org #1572] Info required: OpenSSL 9.8.e
In message [EMAIL PROTECTED] on Mon, 20 Aug 2007 13:17:00 +0200 (CEST), Dhaval Rao via RT [EMAIL PROTECTED] said:

rt> Platform: OpenVMS
rt> Query: I can see that OpenSSL could be built on
rt> OpenVMS Alpha VAX.
rt> Is OpenSSL supported on OpenVMS Itanium (IA64)
rt> platform. If not, could you please share with me what
rt> is the issue ?

The issue is that I don't have an Itanium running VMS to do regular tests on.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including
the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
Fw: [openssl.org #1434] Bug report - link error when openssl-0.9.7l compiled with no-ssl2 flag
I just kicked out Vasco Ribeiro from openssl-dev because of these repeated vacation messages.

Vasco, as soon as you have either closed or educated your vacation program, you're welcome to resubscribe to the openssl-dev list.

Cheers,
Richard

---BeginMessage---
Sorry, but I am on vacation and can only read your message on April 13. For urgent matters, please contact 22 040 8176.

Thank you,
Vasco Ribeiro
---End Message---
Re: [PATCH] apps/ocsp.c: Fix non-POSIX #include
Applied with a twist (On VMS, time.h defines select(), according to docs. Why? Beats me) and committed. Thanks!

Cheers,
Richard

In message [EMAIL PROTECTED] on Thu, 29 Mar 2007 11:33:04 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> Hi,
vinschen>
vinschen> building apps/ocsp.c fails on Cygwin like this:
vinschen>
vinschen> gcc [...] -c -o ocsp.o ocsp.c
vinschen> ocsp.c: In function `query_responder':
vinschen> ocsp.c:1262: error: storage size of 'tv' isn't known
vinschen> ocsp.c:1290: warning: implicit declaration of function `select'
vinschen> ocsp.c:1262: warning: unused variable `tv'
vinschen> make[2]: *** [ocsp.o] Error 1
vinschen>
vinschen> The reason is that time.h is included instead of sys/time.h. The latter
vinschen> is required to get the definition of struct timeval per POSIX (1), and
vinschen> it's not required to include sys/time.h from time.h (2). The implicit
vinschen> declaration of select is a result of missing the sys/select.h include
vinschen> (3). The below patch fixes that.
vinschen>
vinschen Index: apps/ocsp.c vinschen === vinschen RCS file: /home/cvs/cvsroot/src/openssl/apps/ocsp.c,v vinschen retrieving revision 1.39 vinschen diff -p -u -r1.39 ocsp.c vinschen --- apps/ocsp.c 25 Dec 2006 10:54:14 - 1.39 vinschen +++ apps/ocsp.c 29 Mar 2007 09:25:37 - vinschen
@@ -63,7 +63,8 @@ vinschendeclared properly on Compaq platforms vinschen(at least with DEC C). vinschen */ vinschen -#include time.h vinschen +#include sys/time.h vinschen +#include sys/select.h vinschen #include apps.h vinschen #include openssl/pem.h vinschen #include openssl/ocsp.h
vinschen>
vinschen>
vinschen> Thanks,
vinschen> Corinna
vinschen>
vinschen> (1) http://www.opengroup.org/onlinepubs/009695399/basedefs/sys/time.h.html
vinschen> (2) http://www.opengroup.org/onlinepubs/009695399/basedefs/time.h.html
vinschen> (3) http://www.opengroup.org/onlinepubs/009695399/functions/select.html
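Review bot: the two added includes in the @@ -63,7 +63,8 @@ hunk are unconditional and the time.h include is dropped outright, even though the comment ending just above them is about getting declarations right on Compaq platforms with DEC C. A platform that has no sys/select.h, or that declares select() in time.h as the reply says VMS does, stops building after this change. Suggest keeping the time.h include for those platforms behind a platform conditional and adding sys/time.h and sys/select.h only where the POSIX headers are available.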
Re: STARTTLS patch for imap and ftp
In message [EMAIL PROTECTED] on Thu, 15 Feb 2007 10:34:23 -0800, Kees Cook [EMAIL PROTECTED] said:

kees> 3 years ago, I wrote a patch[1] (and did the TSU[2]) for adding
kees> these features to s_client. Can this please be applied to CVS?

Yes. Done. Thank you, and sorry you had to wait 3 years for this to happen.

Cheers,
Richard
Re: PMI patch for OpenSSH
In message [EMAIL PROTECTED] on Fri, 19 Jan 2007 17:42:50 +0100, Vincenzo Sciarra [EMAIL PROTECTED] said:

vincenzo.sciarra> I have just published a pre-alpha of a patch that has the goal to make
vincenzo.sciarra> OpenSSH aware with PMI.
vincenzo.sciarra>
vincenzo.sciarra> Reference site : http://nutmay.sourceforge.net

Hi Vincenzo, I believe you've got the wrong mailing list. This is openss*l*, not openss*h*. Don't worry about it, you're not the first to confuse us. I suggest you look at http://www.openssh.org/ to figure out the mailing list to use.

Cheers,
Richard
Re: OpenSSL breaks with gcc 4.2
In message [EMAIL PROTECTED] on Wed, 8 Nov 2006 21:59:19 -0800, David Schwartz [EMAIL PROTECTED] said:

davids> You are correct, but that's not the issue. The issue is this
davids> simple -- if you are going to call a function whose types you
davids> don't know (through a prototype), you must cast each type you
davids> pass to the type the function expects. End of story. OpenSSL
davids> does not do this. This is not valid C whether or not the type
davids> sizes are the same.

So basically, you're saying that K&R-style functions (non-prototyped) aren't handled in a pre-prototype manner any more? That's a fairly extreme change of how C used to work. While I understand such a change, it's going to break quite a lot of things that still have non-prototyped functions.

Can you provide something in the C standard that supports this change?

Cheers,
Richard
Re: [PATCH] openssl-0.9.7l make install fails in fips-1.0/ directory
In message [EMAIL PROTECTED] on Fri, 29 Sep 2006 13:18:36 -0400, Brad House [EMAIL PROTECTED] said:

brad> Personally I'd prefer something truly cross-platform like CMake.

I wholeheartedly agree, and would be willing to spend time implementing that, together with others.

Cheers,
Richard
Re: Emails not getting through?
In message [EMAIL PROTECTED] on Mon, 18 Sep 2006 12:47:07 +1000, Erik de Castro Lopo [EMAIL PROTECTED] said:

mle+openssl> Well, it seems that the list manager is somewhat confused.
mle+openssl>
mle+openssl> From my work account I did which [EMAIL PROTECTED] which resulted
mle+openssl> in:
mle+openssl>
mle+openssl> which [EMAIL PROTECTED]
mle+openssl> The string '[EMAIL PROTECTED]' appears in the following
mle+openssl> entries in lists served by [EMAIL PROTECTED]:
mle+openssl> No matches found
mle+openssl>
mle+openssl>
mle+openssl>
mle+openssl> So I therefore tried to subscribe again and received the following:
mle+openssl>
mle+openssl> auth cee6ff89 subscribe openssl-dev [EMAIL PROTECTED]
mle+openssl> Address already subscribed to openssl-dev
mle+openssl>
mle+openssl> so it seems that my work email address is in some weird quantum state
mle+openssl> between subscribed and not-subscribed :-).

I'd rather guess that 'which' is turned off for openssl-dev, so majordomo refuses to find your address there.

Cheers,
Richard
Re: FIPS 140-2 Validation Revoked
In message [EMAIL PROTECTED] on Tue, 18 Jul 2006 07:09:27 -0500 (CDT), [EMAIL PROTECTED] said:

marquess> John and I are already being asked what happens next. At
marquess> this point we don't know, but we haven't necessarily given
marquess> up. As we learn more I'll pass on our findings here.

Having been part of the work and discussions for and about FIPSification and having personally felt thoroughly discouraged, I'm incredibly impressed by your courage, tenacity and power in this process. All power to you, and maybe I'll find the courage to get my head into it again (I've other things to resolve first, though).

Cheers,
Richard
Re: Propose replacing POD with DocBook
In message [EMAIL PROTECTED] on Mon, 17 Jul 2006 11:40:01 -0400, Richard Salz [EMAIL PROTECTED] said:

rsalz> I propose that OpenSSL move to DocBook, an XML format, for its
rsalz> documentation.

I agree completely. This was actually brought up a while ago by someone else (was that Dave Pawson, the one you're mentioning below?), and should probably have been discussed already then.

rsalz> DocBook (www.docbook.org) is an XML language for structured/-
rsalz> technical documentation. It includes XSLT stylesheets to
rsalz> convert docbook into many formats, including: roff manpages,
rsalz> HTML pages, a single HTML document, PDF (via an XSL format
rsalz> known as XSL-FO), etc. Moving forward, it provides true
rsalz> semantic markup, so that richer documentation
rsalz> (cross-references, various tables and summaries) are possible.

It's actually pretty great, I've dabbled with it before, for a different project. I think the only thing that's an obstacle for me is that the synopsis for C function declarations get quite complicated at times, and I've found no way to properly markup a function pointer parameter declaration in such way that it looks acceptable in the nroff output. If you have an example or two, I'd love to see them.

rsalz> There are tools to convert from POD to DocBook; Dave Pawson has
rsalz> run them, and done a bit of cleanup, including making an
rsalz> overall book document so that a single document can be
rsalz> generated.

And this is where I'd simply like to say patches welcome!, but let's hear a little from the rest of the team first.

Cheers,
Richard
Re: Propose replacing POD with DocBook
In message [EMAIL PROTECTED] on Mon, 17 Jul 2006 19:51:53 +0100, Dave Pawson [EMAIL PROTECTED] said:

dave.pawson> http://www.docbook.org/tdg/en/html/funcparams.html
dave.pawson>
dave.pawson> Is that any help?

That's what I've tried, and it seems like it doesn't add the parenthesis it should. I just experimented with the attached foo.xml, and did the following command to convert:

    : ; db2x_xsltproc -s man foo.xml | db2x_manxml

The result is attached as foo.3. Note that the parameters to the function pointer don't have parenthesis around them. And also, the indentation of the include line is butt-ugly, not quite what I expected. Spaces are a little too well obeyed, methinks...

BTW, I do this on a freshly updated Debian unstable.

Cheers,
Richard

    <?xml version='1.0'?>
    <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBk XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
    <refentry>
      <refentryinfo>
        <author>
          <firstname>Richard</firstname>
          <surname>Levitte</surname>
          <contrib>Original author</contrib>
          <email>[EMAIL PROTECTED]</email>
        </author>
      </refentryinfo>
      <refmeta>
        <refentrytitle>foo</refentrytitle>
        <manvolnum>3</manvolnum>
      </refmeta>
      <refsynopsisdiv>
        <funcsynopsis>
          <funcsynopsisinfo>
    #include &lt;foo.h&gt;
          </funcsynopsisinfo>
          <funcprototype>
            <funcdef>void <function>sort</function></funcdef>
            <paramdef>int *<parameter>arr</parameter>[]</paramdef>
            <paramdef>int <parameter>(* comp)</parameter>
              <funcparams>int *, int *</funcparams></paramdef>
          </funcprototype>
        </funcsynopsis>
      </refsynopsisdiv>
    </refentry>

    .TH foo 3
    .SH SYNOPSIS
    .nf
    #include <foo.h>
    .fi
    .sp 1
    .PP
    void \fIsort\fR(int *\fIarr\fR[], int \fI(* comp)\fR int *, int *);
Re: IPv6 support in openssl's BIO
In message [EMAIL PROTECTED] on Thu, 13 Jul 2006 11:15:59 +0200, Jan Pazdziora [EMAIL PROTECTED] said:

jpr-ossl> The primary concern is a change in API/ABI, namely removal of three
jpr-ossl> functions: BIO_get_host_ip, BIO_get_port, and BIO_gethostbyname. They
jpr-ossl> are not documented in doc/crypto/BIO_s_connect.pod and the change in
jpr-ossl> logic, using getaddrinfo which can return multiple results, makes them
jpr-ossl> not needed by the other BIO_* functions.

Can you explain why you need to remove those functions?

Cheers,
Richard
Re: IPv6 support in openssl's BIO
In message [EMAIL PROTECTED] on Thu, 13 Jul 2006 13:39:22 +0200, Jan Pazdziora [EMAIL PROTECTED] said:

jpr-ossl> On Thu, Jul 13, 2006 at 12:32:50PM +0200, Richard Levitte - VMS Whacker wrote:
jpr-ossl> > In message [EMAIL PROTECTED] on Thu, 13 Jul 2006 11:15:59 +0200, Jan Pazdziora [EMAIL PROTECTED] said:
jpr-ossl> >
jpr-ossl> > jpr-ossl> The primary concern is a change in API/ABI, namely removal of three
jpr-ossl> > jpr-ossl> functions: BIO_get_host_ip, BIO_get_port, and BIO_gethostbyname. They
jpr-ossl> > jpr-ossl> are not documented in doc/crypto/BIO_s_connect.pod and the change in
jpr-ossl> > jpr-ossl> logic, using getaddrinfo which can return multiple results, makes them
jpr-ossl> > jpr-ossl> not needed by the other BIO_* functions.
jpr-ossl> >
jpr-ossl> > Can you explain why you need to remove those functions?
jpr-ossl>
jpr-ossl> I do not _need_ to remove them. They _could_ be removed, as they
jpr-ossl> are no longer needed by other BIO_* functions. And since they are not
jpr-ossl> documented, no one else except the BIO_* functions should know about
jpr-ossl> them and use them.

Note that they are documented by being declared in bio.h. The OpenSSL documentation in form of .pod files isn't complete yet.

The best thing to do with functions that you want removed is to wrap them in a #ifndef OPENSSL_NO_DEPRECATED clause. If you look, you will see that we've already done that with some functions.

jpr-ossl> That's why I asked about the opinion about them -- are they
jpr-ossl> needed, are they wanted, what exactly would they do ... ?

The relevant question is are they used. If we're doing something that forces others to rewrite or tweak their applications, we need to give them ample warning if we can.

Cheers,
Richard
Re: IPv6 support in openssl's BIO
In message [EMAIL PROTECTED] on Thu, 13 Jul 2006 15:59:18 +0200, Jan Pazdziora [EMAIL PROTECTED] said:

jpr-ossl> OK. I suggest I prepare a patch that will not change them (they will
jpr-ossl> be IPv4-only), will mark them with #ifndef OPENSSL_NO_DEPRECATED, and
jpr-ossl> will not add them to the .pod. Sounds reasonable?

Yes.

jpr-ossl> How about the problem of BIO_set_conn_ip/BIO_get_conn_ip being
jpr-ossl> IPv4-only? Do you prefer BIO_set_conn_ipv6/BIO_get_conn_ipv6 as their
jpr-ossl> IPv6-only counterparts, or some other way? How heavily is BIO_* used
jpr-ossl> and how heavily are BIO_set_conn_ip/BIO_get_conn_ip used?

They aren't used at all in OpenSSL itself, as far as I can see. As for the rest of the world, your guess is as good as mine. The way they work, I think that IPv6 variants is the way to go.

jpr-ossl> And a third question -- the apps/*.c seem to use BIO_* for some tasks,
jpr-ossl> but some other things they duplicate -- the name resolving and socket
jpr-ossl> setup being a good example. Is there a plan (or a distant future
jpr-ossl> target) to have apps/*.c fully use BIO_*?

There's no specific plan for that. This is one of those times when I will simply tell you that patches are welcome! :-)

jpr-ossl> I ask these questions to make sure I understand plans of the
jpr-ossl> OpenSSL Team well and that the patches I'm going to prepare
jpr-ossl> will have reasonable chance to be included in the core
jpr-ossl> openssl.

From my point of view, as long as the apps/ stuff gives the same output for the same input, I have nothing against changes there (as long as they work all the way). I would be surprised if there was much protest from anyone else either.

Cheers,
Richard
Re: [openssl.org #1352] [BUG, 0.9.8b] Failed to read RSA key using BIO created from file descriptor
In message [EMAIL PROTECTED] on Sat, 01 Jul 2006 00:11:30 +0100, Darryl Miles [EMAIL PROTECTED] said:

darryl-mailinglists> Mikhail Gusarov via RT wrote:
darryl-mailinglists> > Failing testcase is attached (pass rsa key as first argument)
darryl-mailinglists>
darryl-mailinglists> FYI: Attachment not seen, can't private mail you as your email address
darryl-mailinglists> wasn't preserved. Are you sure you attached it?

Attachments aren't forwarded by the RT version we use. You have to check out the ticket itself.

Cheers,
Richard
Re: [PATCH] crypto/rand/rand_unix.c
OK, I'm applying it. I made one little change though, assuming the condition in the following part was meant to be 'defined(FD_SETSIZE)'...:

+#else + /* lets use select() */ [...] + #if defined(OPENSSL_SYS_LINUX) + #define IOWAIT_FD_SETSIZE (FD_SETSIZE) + #else + /* fallback method */ + #define IOWAIT_FD_SETSIZE (sizeof(fd_set) * 8) + #endif

Cheers,
Richard
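Review bot: the fallback `#define IOWAIT_FD_SETSIZE (sizeof(fd_set) * 8)` is only right where fd_set is a plain bit array; where the type carries other members or stores descriptors as an array, the value overstates how many descriptors fit. Say so in the `/* fallback method */` comment, and choose the first branch with `#if defined(FD_SETSIZE)` rather than `defined(OPENSSL_SYS_LINUX)` so that every platform providing the macro uses it and the estimate is reached only when nothing better exists.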
Re: [PATCH] crypto/rand/rand_unix.c
In message [EMAIL PROTECTED] on Tue, 27 Jun 2006 07:53:06 +0200 (CEST), Richard Levitte - VMS Whacker [EMAIL PROTECTED] said:

richard> OK, I'm applying it.

Hmm, someone beat me to it, at least on 0.9.9-dev... :-)

Cheers,
Richard
Re: Certificate renewal
In message [EMAIL PROTECTED] on Tue, 13 Jun 2006 23:27:51 -0700 (PDT), Josephin [EMAIL PROTECTED] said:

j_suganthi> Hi,
j_suganthi> When I'm renewing a certificate, if I'm changing
j_suganthi> the OU and L (location), will that certificate be
j_suganthi> treated as a new certificate?

When you renew a certificate, it is technically a new certificate, whether you change any part of the subject or not.

Cheers,
Richard
Re: [patch] make AES-cfb128-encrypt faster by uglifying it
In message [EMAIL PROTECTED] on Thu, 25 May 2006 22:50:15 -0700 (PDT), Alex Dubov [EMAIL PROTECTED] said:

oakad> I thought all major compilers have sort of long long,
oakad> don't they? After all, emulated long long is still
oakad> only two integer xors as opposed to 8 with char.

If you look in the script Configure, you'll see what kinds of platforms we claim to support. That means that we have to be careful with the kind of assumptions we make. For example, your patch would fail miserably on VMS for VAX (which I know is still used out there).

However, nothing stops you from making variants with different types of integers, maybe with some help from the macros used and defined in crypto/bn/bn.h, which are correctly defined for each platform, as far as we know.

Cheers,
Richard
Re: Any possibility of GPL-based license in the future?
In message [EMAIL PROTECTED] on Tue, 16 May 2006 10:17:35 -0500, Matt England [EMAIL PROTECTED] said:

mengland> At 5/16/2006 09:55 AM, Bob Beck wrote:
mengland> > More importantly, as the ssleay license is more
mengland> > free (less restrictive) than the gpl it allows for
mengland> > OpenSSL's inclusion into things that can not use the GPL,
mengland> > due to its restrictions.
mengland>
mengland> I agree that the ssleay license is more free (less restrictive).
mengland>
mengland> I want to be clear: we seek only an *additional* license, not a
mengland> replacement license.

Whatever we choose to do, we're stuck with the SSLeay license. That can't legally be changed as things stand right now. And because it's just as incompatible with the GPL as the OpenSSL license, we can't license OpenSSL under the GPL even if we wanted to.

The only way for a program licensed under the GPL to be linked with OpenSSL without stirring a stink anywhere is with that additional clause that was mentioned earlier (that wget uses among others).

Cheers,
Richard
Re: Any possibility of GPL-based license in the future?
In message [EMAIL PROTECTED] on Tue, 16 May 2006 12:27:27 -0400, Richard Salz [EMAIL PROTECTED] said:

rsalz> As for BSD/advertising discussions, the SSLeay license is
rsalz> characterized as BSD with copyright. It's not pure BSD, and
rsalz> so whether or not the current BSD license has an advertising
rsalz> clause is not relevant.

Richard, you normally make sense, but reading this, I have to ask what the hell you're talking about! At this point, I fully expect you to know what copyright is and what a license is. Among others, there is no such thing as BSD with copyright because that would imply there is a BSD *without* copyright, and unless BSD suddenly turned public domain when I wasn't watching, that's just absurd.

Cheers,
Richard
Re: Any possibility of GPL-based license in the future?
In message [EMAIL PROTECTED] on Tue, 16 May 2006 14:31:46 -0700, David Schwartz [EMAIL PROTECTED] said:

davids>
davids> > In message
davids> > [EMAIL PROTECTED]
davids> > com on Tue, 16 May 2006 12:27:27 -0400, Richard Salz
davids> > [EMAIL PROTECTED] said:
davids> >
davids> > rsalz> As for BSD/advertising discussions, the SSLeay license is
davids> > rsalz> characterized as BSD with copyright. It's not pure BSD, and
davids> > rsalz> so whether or not the current BSD license has an advertising
davids> > rsalz> clause is not relevant.
davids> >
davids> > Richard, you normally make sense, but reading this, I have to ask what
davids> > the hell you're talking about! At this point, I fully expect you to
davids> > know what copyright is and what a license is. Among others, there is
davids> > no such thing as BSD with copyright because that would imply there
davids> > is a BSD *without* copyright, and unless BSD suddenly turned public
davids> > domain when I wasn't watching, that's just absurd.
davids>
davids> I think when he said BSD with copyright he meant
davids> BSD with advertising clause or something similar.

Ah... makes sense. Richard, sorry for the lash. I've been in x too many discussions where people don't understand the difference between copyright and license, and I guess it got to me. My apologies.

Cheers,
Richard
Re: [Patch] util/libeay.num
In message [EMAIL PROTECTED] on Fri, 12 May 2006 16:57:58 +0200, Gisle Vanem [EMAIL PROTECTED] said:

giva> With the following patch I'm able to link openssl.exe using the DLL
giva> (and not the static libs):

Did a make update. There were more symbols missing and some other stuff to correct. The next snapshot will contain all those corrections.

Thanks for the notification.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: [PATCH] printf size_t support.
In message [EMAIL PROTECTED] on Mon, 13 Mar 2006 10:05:38 +0100, [EMAIL PROTECTED] said:

Stefan.Neis> Is the patch tested on windows ?
Stefan.Neis> z modifier - I'm not sure that this is portable.
Stefan.Neis>
Stefan.Neis> if I remember correctly windows doesn't support this
Stefan.Neis> modifier (at least I was told this as we discussed this
Stefan.Neis> for another project)
Stefan.Neis>
Stefan.Neis> I'm not exactly sure, but I believe it's an extension of
Stefan.Neis> glibc (or maybe of C99 ?). At least, it doesn't seem to
Stefan.Neis> be supported by older Unix systems either, e.g. it's
Stefan.Neis> apparently not supported by Solaris 7.

I'm sorry to disrupt this cozy discussion, but does it really matter if z conforms to some formal standard or not? After all, we're not trying to *replace* printf and friends, we're just building something that works for our purposes and more, and most of all, works everywhere independently of the current libc. If we wanted to write a replacement for printf and friends, we wouldn't have prefixed it with BIO_, and then this discussion would actually be relevant!

My stand on this is that it's good that BIO_printf and friends works in compatible ways with printf, AND it is a good thing to make use of good extensions that are available elsewhere even if they aren't part of a formal standard.

So, the real question is, do we have any use for the z modifier? That is the question that should be discussed, not if z is formalised or not.

In my opinion we do need z, since size_t isn't always unsigned (with Visual C 6, for example), and that some compilers pester us with warnings if a size_t is used with a %lu specifier and even break builds (with Visual C, for instance, last time I battled with this).

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: ECCN TSU exception for OpenSSL?
In message [EMAIL PROTECTED] on Tue, 7 Mar 2006 15:07:37 +0100, Dr. Uwe Girlich [EMAIL PROTECTED] said:

Uwe.Girlich> I know this but reading the mailing list archive of
Uwe.Girlich> openssl-dev@openssl.org, it looks like some members of
Uwe.Girlich> the OpenSSL community already did this and I hoped to
Uwe.Girlich> simply get the CCATS number of a release.

Those submissions are only patches, and the corresponding TSU notices are specifically for those patches, not OpenSSL in its entirety.

OpenSSL is developed outside of the US (the central storage is in Germany, and the majority of the active developers are in Germany, UK and Sweden), so there is really no need for it to have any TSU notification for the source, since it will get *imported* into the US from our perspective, not *exported* from it.

I believe some companies may already have done the job you're trying to do. However, if they are willing to let you use their CCATS number is beyond my knowledge. Truth be told, I think you're on your own unless someone speaks up here and now.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: [PATCH] bug in crypto/pqueue/pqueue.c
In message [EMAIL PROTECTED] on Mon, 19 Dec 2005 18:35:51 -0800, nagendra modadugu [EMAIL PROTECTED] said: nagendra diff -u -r1.5 pqueue.c nagendra --- crypto/pqueue/pqueue.c 7 Jun 2005 22:21:14 - 1.5 nagendra +++ crypto/pqueue/pqueue.c 20 Dec 2005 01:48:27 - nagendra @@ -184,7 +184,7 @@ nagendra } nagendra nagendra /* check the one last node */ nagendra - if ( memcpy(next-priority, prio64be,8) ==0) nagendra + if ( memcmp(next-priority, prio64be,8) ==0) nagendra found = next; nagendra nagendra if ( ! found) Whoopsie! Changed and submitted. Thanks! -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
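Review bot: in the "check the one last node" branch, the replaced call was more than a comparison that never matched. memcpy returns its destination pointer, so the old `== 0` test could not succeed for a valid node, and every lookup that reached this branch also wrote prio64be over the last node's priority. The memcmp replacement is right; the commit message should say that the old code modified the queue, and a regression test that looks up the item sitting last in the queue (including a one-item queue) would keep this from coming back. The literal 8 would also be safer as a sizeof on the priority field, so the compared length cannot drift from the field's definition.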
Re: [PATCH] Remove superfluous #include
In message [EMAIL PROTECTED] on Mon, 14 Nov 2005 07:46:11 +0100, Johan Gill [EMAIL PROTECTED] said:

johane> Johan Gill wrote:
johane> > Hi, here's one more cleanup prior to my larger patch:
johane> > Remove the inclusion of sys/times.h from crypto/rand/rand_unix.c.
johane>
johane> Any issues with this? The header complicates portability, and
johane> doesn't affect anything.

I can't say I've a problem with it, unless there's something that we say we support that requires it. Of course, we can simply remove it and then see if any snapshot builder complains :-).

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: LSB inclusion of OpenSSL
In message [EMAIL PROTECTED] on Mon, 7 Nov 2005 12:45:15 +0530, Pradosh Adoni [EMAIL PROTECTED] said:

pradosh.adoni> so, would it make more sense to standardize on the EVP
pradosh.adoni> interface as opposed to the lower level functions ?
pradosh.adoni> This would force developers seeking LSB certification
pradosh.adoni> to go by that recommendation, unfortunately we can't
pradosh.adoni> say how well this would be accepted. Or if we do
pradosh.adoni> standardize on the lower level stuff, then we would
pradosh.adoni> need to identify interfaces which are ABSOLUTELY NOT
pradosh.adoni> going to change in the coming versions, but I don't
pradosh.adoni> know how feasible that is ..

I'd opt for a standardisation of the EVP interface.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: LSB inclusion of OpenSSL
In message [EMAIL PROTECTED] on Mon, 7 Nov 2005 13:37:19 +0100, Dr. Stephen Henson [EMAIL PROTECTED] said:

steve> As for incompatible changes there is one nasty incompatibility
steve> with PKCS#11 which EVP might have to address if we ever need a
steve> full PKCS#11 ENGINE. Even that though could be done in a
steve> compatible way.

Without jumping through hoops and bending over backwards twice?

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: LSB inclusion of OpenSSL
In message [EMAIL PROTECTED] on Mon, 7 Nov 2005 14:00:17 +0100, Dr. Stephen Henson [EMAIL PROTECTED] said:

steve> The other is that its equivalent to EVP_CipherUpdate() and
steve> EVP_CipherFinal() which can output data in arbitrary sizes
steve> whereas our stuff will never be more than one block length
steve> larger than the input. I'm aware of some PKCS#11
steve> implementations that buffer the input data until it reaches a
steve> few K in size and then dumps the whole lot.

E

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
[openssl.org #1212] chil engine no longer works with static locks in 0.9.8
[Originally sent by John, all I'm doing is forwarding it to our ticket database to make sure it gets included. -- Richard Levitte]

Hi Richard,

Thanks for taking a look at this.

[guest - Thu Oct 6 11:55:10 2005]:

This stops our engine working with the openssl application (as it registers a lock debugging callback) and Apache 2.x (and other apps too no doubt)

That's because those applications don't set up callbacks for the dynamic locks. The correct thing to do is to talk with the application authors and tell them that there are new requirements to make engines work.

Unfortunately we do not have relationships with all of the application developers for the applications that our customers use, so this is not possible. We shall certainly apply pressure in this direction where we can. On that note, is there a plan to update the apps/openssl application to not use the static lock callback for lock debugging? Or is there something else that we could do instead to allow our engine to work with static locks?

It seems that the dynamic locks are rarely used.

Yes, it's true, they are rarely used... currently. However, I really would encourage people to use them more, as they are a bit more flexible than the static locks. Ideally, OpenSSL should probably move to dynamic locks entirely, which would make maintenance quite a bit easier.

The dynamic locks are clearly a much better solution and removing them from openssl will force all applications to move, which would be a good thing in the long run. Is there a plan to do this for any specific future release?

Why is it that the static locks have not been removed completely for 0.9.8? If it is to keep some backward compatibility with older apps, or ones that see no reason to change, would it not be preferable if the whole of openssl was compatible in this way, including the engines? It seems a bit unfair on the end users who need hardware support for openssl to keep the interface, so the apps don't realise that they need to change, but to remove the engine support from these apps.

I appreciate that the hack for our static lock was not pleasant, but it is no less pleasant than all the other static locks. Are you sure we can't persuade you to put it back in until all static locks are removed?

By the way, do you have an nCipher HSM for interop testing?

Thanks again
-john

--
John Hartley
nCipher Ltd
http://www.ncipher.com
Re: [openssl.org #1212] chil engine no longer works with static locks in 0.9.8
In message [EMAIL PROTECTED] on Thu, 03 Nov 2005 12:32:30 +0100 (CET), Richard Levitte - VMS Whacker [EMAIL PROTECTED] said:

richard> [Originally sent by John, all I'm doing is forwarding it to our ticket
richard> database to make sure it gets included. -- Richard Levitte]

I did it wrong. Sorry for this extra duplicate...

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: move to SVN?
In message [EMAIL PROTECTED] on Mon, 31 Oct 2005 22:27:30 +, [EMAIL PROTECTED] [EMAIL PROTECTED] said:

kent> At work I use SVN.
kent> It's much better than CVS (IMHO).
kent>
kent> When will OPENSSL move to SVN?

Personally, I'd rather it moved to monotone (http://www.venge.net/monotone/). SVN just doesn't go far enough to be a good enough replacement for CVS, in my opinion.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: LSB inclusion of OpenSSL
In message [EMAIL PROTECTED] on Thu, 27 Oct 2005 18:49:53 +0530, Pradosh Adoni [EMAIL PROTECTED] said:

pradosh.adoni> though it has been fairly established that the
pradosh.adoni> resulting ABI will in all probability break in
pradosh.adoni> forthcoming (major) versions, It would be good to know
pradosh.adoni> if there exists some sort of timeline or roadmap on
pradosh.adoni> when these issues will be addressed.

There is no timeline. You can't really expect one from a volunteer-driven project, as it hugely depends on the spare time of the controlling participants.

pradosh.adoni> for eg. Of the current list of interfaces which ones
pradosh.adoni> are most definitely going to be deprecated in future
pradosh.adoni> versions ?

For the longest time, we have recommended to use the EVP interface rather than lower level crypto functions. However, not even the EVP interface has been safe from incompatible changes, BUT those changes have been comparatively few.

pradosh.adoni> There was also discussion (but no definite commitment)
pradosh.adoni> of hiding data structures in future versions, Is this
pradosh.adoni> still a possibility ? . Does it make sense to include
pradosh.adoni> these structures in the LSB if they are going to be
pradosh.adoni> addressed in the future ?

I've done such an attempt once, and it really opened a can of worms. I don't quite remember what structure I tried to hide, and that's not really important. The important thing to realise is that while it's certainly possible to do, given enough time and resources, it's a HUGE project to take on. It's quite possible that it can be done in smaller increments. Unfortunately, there's always the risk that structure references are more deeply tangled than one might think, so something that looks small to begin with has a real possibility to open a can of worms and turn out to be a HUGE thing.

I've thought for a long time that what's really needed is a rewrite that keeps the strong points of OpenSSL while doing the rest better. I started tinkering on something like that a while ago, and have come a part of the way. I was actually going to finish up the first part enough to be able to present it, but have been held up by work. It has the blessing of the rest of the OpenSSL team. Take a look at http://www.netcrypto.org/common/ for a quick briefing. Keep in mind that I haven't updated those pages in a while (a year?), so some details are outdated or incomplete.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: LSB inclusion of OpenSSL
In message [EMAIL PROTECTED] on Thu, 27 Oct 2005 11:01:23 -0400, Johnny Lam [EMAIL PROTECTED] said:

jlam> What makes you think that the OpenSSL developers will go to the
jlam> trouble to do all this major surgery to their codebase when they
jlam> won't do the very simple thing of just properly versioning their
jlam> shared libraries?

Hmm, there's quite a lot of negativity flowing around these mailing lists lately...

jlam> When the ABI changes, all that they need to do is to increase
jlam> the major version of the shared libraries. It's *that* simple.
jlam> There doesn't need to be any major modification of the sources
jlam> -- just to a Makefile here and there.

Right now, we have it depend on the version number. And please tell what the correct format for a soname is. On some Unixen, it seems like the correct format is libfoo.so.{x}.{y}, where x and y have very specific meaning: the program that was linked against libfoo.so.{x}.{y} can run against libfoo.so.{x}.{y+n} for all n = 0, 1, ..., oo. On other Unixen, the program that was linked with a library with a specific soname must run against a library with the exact same soname. Others have just one number. Others yet place the version information somewhere completely different. And I'm sure there are more methods that I haven't even heard of.

But I'll take up the cue and see what we can do that works everywhere. But it's not just changing a Makefile a little here and there.

If you want to help, please tell us how it should look on your specific platform. At some point, we'll have a knowledge database that covers at least most of the platforms we support or try to support.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: openssl 0.9.8 - ssl tests fails still report says tests passed ...
In message [EMAIL PROTECTED] on Sat, 22 Oct 2005 20:32:19 +0530, Dharmesh Vyas [EMAIL PROTECTED] said:

dharmesh.mail> I am a new user of openssl, and started exploring
dharmesh.mail> openssl few days back. I am running the test (make
dharmesh.mail> test) and generating the report. I was analysing the
dharmesh.mail> logs generated and i have got some results that has
dharmesh.mail> clicked some doubts as follows,
dharmesh.mail>
dharmesh.mail> (1) If I run the tests and perform 'make report', the
dharmesh.mail> output generated shows 'Test passed.' But from the
dharmesh.mail> log file i found that in the section
dharmesh.mail>
dharmesh.mail> test SSL protocol [...]
dharmesh.mail> ERROR in CLIENT
dharmesh.mail> 12785:error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed:s2_clnt.c:1066:
dharmesh.mail> SSLv2, cipher (NONE) (NONE)
dharmesh.mail> 1 handshakes of 256 bytes done,
dharmesh.mail>
dharmesh.mail> and there are a few of this types which shows the same
dharmesh.mail> ERROR in CLIENT,

This is correct. The test checks that all aspects of using SSL, *including* a correct check of certificates (which includes saying when there's a verification failure), is done properly. The error above proves that the software works as it should, even for certificates that fail to verify. That's why this test is a success.

dharmesh.mail> (2) Except ssltest.c if i edit any .c files in tests
dharmesh.mail> folder with some wrong value and perform the test
dharmesh.mail> and generate the report (by make report) it shows
dharmesh.mail> as Failure and stops performing any other
dharmesh.mail> tests. But if i edit anything in ssltest.c and
dharmesh.mail> perform the test, the logs and report says that
dharmesh.mail> 'Test Passed' and there will be some errors same
dharmesh.mail> like i showed in (1). So is it something like pass
dharmesh.mail> and failure of Tests does not depend on the
dharmesh.mail> ssltest.c.

What, exactly, did you change in ssltest.c?

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: [openssl.org #1222] Please introduce versioned symbols
[Additional note to get the proposal itself into this ticket's history]

From: Christoph Martin [EMAIL PROTECTED]
Date: Thu, 13 Oct 2005 23:24:58 +0200
Subject: Proposal for symbol versioning of openssl

Hi folks,

openssl has evolved to a very important library in Linux distribution. A lot of cryptographic applications link to it including system libraries like pam modules and apache modules. Now it becomes more and more difficult to get all the binaries and libraries to link to the same version of openssl. This leads to situations where an application uses some libraries where one links to openssl 0.9.7 and another one to version 0.9.8. Since the symbols of the libraries are not yet versioned this leads to severe segfaults.

For the Debian project we want to introduce symbol versioning like it is done not only in glibc. Since we want to maintain binary compatibility with as much other distributions we want to coordinate this work with you. At this time I only have contact addresses to a few maintainers.

We propose that we version all exported symbols for openssl 0.9.8 with the label OPENSSL_0.9.8, like glibc has the label GLIBC_2.0 etc. For that to happen I introduced a version script openssl.ld with the following contents:

    OPENSSL_0.9.8 {
        global:
            *;
    };

It has to be in the toplevel directory and in the engines directory. The SHARED_LDFLAGS get the additional options

    -Wl,--version-script=openssl.ld

I will come with a proper patch soon.

Please let's discuss this proposal and some detailed questions. What do you think of it? Would you include this change in your distribution? Does upstream include it too? Is it ok to tag all (*) symbols with this version or should there be a more complex version script? What about symbol versioning of openssl 0.9.7? (Debian includes both versions for compatibility reasons in the current unstable distro.)

Christoph
Re: [ANNOUNCE] OpenSSL version 0.9.7i released
In message [EMAIL PROTECTED] on Sat, 15 Oct 2005 13:17:08 +0200, Goetz Babin-Ebell [EMAIL PROTECTED] said:

goetz> Richard Levitte - VMS Whacker wrote:
goetz>
goetz> > OpenSSL version 0.9.7i released
goetz> > ===
goetz> >
goetz> > OpenSSL 0.9.7h caused crashes when the shared libcrypto was
goetz> > upgraded. This release fixes that problem. For those who want
goetz> > or have to stay with the 0.9.7 series of OpenSSL instead of using
goetz> > the 0.9.8 series, we strongly recommend that you upgrade to OpenSSL
goetz> > 0.9.7h soon as possible. For a complete list of changes, please
goetz>        ^
goetz> Oups... ;-)

Oh fart... (the brain kind)

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
[ANNOUNCE] OpenSSL version 0.9.7i released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.7i released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL 0.9.7h caused crashes when the shared libcrypto was upgraded. This release fixes that problem. For those who want or have to stay with the 0.9.7 series of OpenSSL instead of using the 0.9.8 series, we strongly recommend that you upgrade to OpenSSL 0.9.7h soon as possible. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES.

OpenSSL 0.9.7i is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file names are:

  * openssl-0.9.7i.tar.gz
    MD5 checksum: f69d82b206ff8bff9d0e721f97380b9e
    SHA1 checksum: 4c23925744d43272fa19615454da44e01465eb06

The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.*.tar.gz
    openssl sha1 openssl-0.9.*.tar.gz

Yours,
The OpenSSL Project Team...

    Mark J. Cox           Nils Larsch       Ulf Möller
    Ralf S. Engelschall   Ben Laurie        Andy Polyakov
    Dr. Stephen Henson    Richard Levitte   Geoff Thorpe
    Lutz Jänicke          Bodo Möller

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDUIPNp6+eePcJRTsRAjdtAKCINFymy9DS/vrzmxDxLKRNCzIwjwCdGV74
NqcnOE9Eo+TC4RZPcX8dqUU=
=R3AN
-----END PGP SIGNATURE-----
Re: inconsistency in engines naming
In message [EMAIL PROTECTED] on Thu, 13 Oct 2005 22:51:13 +0200, Andy Polyakov [EMAIL PROTECTED] said:

appro> 1. One can cook some #ifdef spaghetti in dso_dlfcn.c [and
appro>    others as required].
appro> 2. One can fix affected link_o targets to adhere to suffix
appro>    hardcoded in corresponding dso module.
appro> 3. One can pick alternative suffix for dynamically loadable
appro>    objects, e.g. .eng, and use it on *all* platforms.
appro>
appro> I'd personally prefer the last alternative. I'd even scrap the
appro> prefix... Is there a platform which would fail to dynamically
appro> load object with arbitrary extension? It's not a problem on
appro> Unices nor Windows... What about VMS? But this option is
appro> appropriate for next major release. My second preference is #2.

A. It can probably be done on VMS as well, but would be regarded as *highly* irregular. On VMS, the normal extension for shared libraries is .EXE, unconditionally. I doubt you will ever find a shared library on VMS with a different extension.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
Re: [openssl.org #1183] Building openssl-0.9.7e in Windows Visual Studio 2005 Environment
Kamalesh Nandi via RT writes:

> I was trying to build openssl-0.9.7e in Windows Visual Studio 2005 Beta2 Environment. I was getting an error. But the same openssl-0.9.7e builds fine in Windows Visual Studio 2003 Environment.
> Is there any additional steps to be performed specific to Visual Studio 2005?

Well, you could start by giving us the build log in both cases. Just telling that you get an error is like telling us there are cars roaming in London.
Re: PKCS 1.5 Signature Generation Valid?
In message [EMAIL PROTECTED] on Thu, 28 Jul 2005 20:00:57 -0700, Ryan Phillips [EMAIL PROTECTED] said:

ryan-openssl> The specification states (10.1.2) that the data encoding
ryan-openssl> method includes a digestAlgorithmIdentifier and our
ryan-openssl> testing house says that this constant is needed, but
ryan-openssl> RSA_padding_add_PKCS1_type_1() does not appear to do
ryan-openssl> this. So the EB packet (from PKCS 1.5) is actually:

As the name of the function you're looking at indicates, it deals with *padding*. That's basically the '00 || BT || PS || 00' part. If you want to see how the complete signature is made, you need to take a look at higher level functions. RSA_sign() would be a good start.

Cheers,
Richard

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/
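The layering described in the reply above, as an added example that is not OpenSSL code and not part of the original thread: pad_type_1() only builds the '00 || BT || PS || 00' framing around the data it is handed, and a separate signing layer puts the DigestInfo header (which carries the digestAlgorithmIdentifier) in front of the hash before padding. All function names, the choice of SHA-1 and the sample digest bytes are assumptions made for the illustration; the verifier side rebuilds the expected block and compares every byte instead of parsing the padding.

```c
/* Added illustration; not taken from OpenSSL. All names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHA1_LEN 20

/* DER header of DigestInfo for SHA-1: SEQUENCE { AlgorithmIdentifier
 * (OID 1.3.14.3.2.26, NULL parameters), OCTET STRING of 20 bytes }.
 * This is the digestAlgorithmIdentifier part; the padding layer never adds it. */
static const unsigned char SHA1_DIGESTINFO_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
#define DIGESTINFO_LEN (sizeof(SHA1_DIGESTINFO_PREFIX) + SHA1_LEN)

/* Padding layer: EB = 00 || 01 || PS || 00 || D, exactly k bytes, where PS
 * is 0xFF repeated and at least 8 bytes long. It knows nothing about hashes.
 * Returns 1 on success, 0 if D does not fit in a k-byte block. */
int pad_type_1(unsigned char *eb, size_t k, const unsigned char *d, size_t dlen)
{
    size_t pslen;

    if (k < 11 || dlen > k - 11)
        return 0;
    pslen = k - 3 - dlen;
    eb[0] = 0x00;
    eb[1] = 0x01;                    /* BT: block type 1 */
    memset(eb + 2, 0xff, pslen);     /* PS */
    eb[2 + pslen] = 0x00;            /* separator */
    memcpy(eb + 3 + pslen, d, dlen); /* D, copied as given */
    return 1;
}

/* Signing layer: D = DigestInfo header || digest, then hand D to the padder. */
int encode_sha1_block(unsigned char *eb, size_t k,
                      const unsigned char digest[SHA1_LEN])
{
    unsigned char info[DIGESTINFO_LEN];

    memcpy(info, SHA1_DIGESTINFO_PREFIX, sizeof(SHA1_DIGESTINFO_PREFIX));
    memcpy(info + sizeof(SHA1_DIGESTINFO_PREFIX), digest, SHA1_LEN);
    return pad_type_1(eb, k, info, sizeof(info));
}

/* Verifier side: rebuild the one acceptable block and compare all k bytes.
 * A short PS, a changed header or extra trailing bytes all fail, which a
 * parser that merely skips the padding can miss. */
int check_sha1_block(const unsigned char *eb, size_t k,
                     const unsigned char digest[SHA1_LEN])
{
    unsigned char expected[512];     /* room for a 4096-bit modulus */
    unsigned char diff = 0;
    size_t i;

    if (k > sizeof(expected) || !encode_sha1_block(expected, k, digest))
        return 0;
    for (i = 0; i < k; i++)
        diff |= (unsigned char)(eb[i] ^ expected[i]);
    return diff == 0;
}

/* Where DigestInfo starts inside a k-byte block (3 framing bytes + PS). */
size_t digestinfo_offset(size_t k)
{
    return k - DIGESTINFO_LEN;
}

int main(void)
{
    unsigned char digest[SHA1_LEN], eb[128]; /* 128 bytes = 1024-bit modulus */
    size_t i;

    /* Constructed 20-byte value standing in for a real SHA-1 digest. */
    for (i = 0; i < SHA1_LEN; i++)
        digest[i] = (unsigned char)(0xa0 + i);
    if (!encode_sha1_block(eb, sizeof(eb), digest))
        return 1;
    for (i = 0; i < sizeof(eb); i++)
        printf("%02x%s", eb[i], (i % 16 == 15) ? "\n" : "");
    printf("DigestInfo at offset %lu\n",
           (unsigned long)digestinfo_offset(sizeof(eb)));
    printf("intact block accepted: %d\n",
           check_sha1_block(eb, sizeof(eb), digest));
    eb[50] = 0x00;                   /* damage one PS byte */
    printf("damaged block accepted: %d\n",
           check_sha1_block(eb, sizeof(eb), digest));
    return 0;
}
```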
Re: Simple 0.9.7x question
In message [EMAIL PROTECTED] on Wed, 27 Jul 2005 14:20:32 +0200, Dr. Stephen Henson [EMAIL PROTECTED] said:

steve> On Wed, Jul 27, 2005, Frédéric Donnat wrote:
steve>
steve> > But i did not have a look at 0.9.7 snapshot (my mistake).
steve> > In the snapshot directory, what are openssl-r-0.9.7-stable-SNAP-date.tar.gz?
steve>
steve> Richard's RFC3820 code when it was a separate branch IIRC. Since that's now been merged we don't need it any more do we Richard?

Ah, no, it's true, we don't. I'll see to it promptly.

Cheers, Richard
Re: v0.9.8 cosmetic fixes for portability (QNX4 and Watcom C v10.6B)
In message [EMAIL PROTECTED] on Sun, 17 Jul 2005 20:01:24 -0700 (PDT), dean gaudet [EMAIL PROTECTED] said: dean On Mon, 18 Jul 2005, [EMAIL PROTECTED] wrote: dean dean Unless I do the following I get the Meaningless use of exression dean from the compiler: dean dean diff -ru openssl-0.9.8/crypto/bn/bn_recp.c openssl-0.9.8-QNX/crypto/bn/bn_recp.c dean --- openssl-0.9.8/crypto/bn/bn_recp.c 2005-04-26 22:53:13.0 +0400 dean +++ openssl-0.9.8-QNX4/crypto/bn/bn_recp.c 2005-07-17 22:44:12.0 +0400 dean @@ -204,8 +204,10 @@ dean ret=1; dean err: dean BN_CTX_end(ctx); dean - if(dv) bn_check_top(dv); dean - if(rem) bn_check_top(rem); dean + if(dv) dean + bn_check_top(dv); dean + if(rem) dean + bn_check_top(rem); dean return(ret); dean dean i'm surprised the compiler isn't still bitching... dean dean there's a bug here... dean dean see crypto/bn/bn.h -- bn_check_top() is defined to an empty dean string when BN_DEBUG is undefined... this can cause all sorts of dean havoc with a sequence like the above... the compiler is really dean seeing if(dv) if(rem) return(ret); ... nasty. Incorrect. The compiler will see 'if(dv) ; if(rem) ; return(ret)'. That's perfectly OK. Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
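Review bot: In the err: path of bn_recp.c the only change is a line break between each if and its bn_check_top() call, so when the macro expands to nothing (as the thread says it does when BN_DEBUG is undefined) the compiler still sees an if with an empty statement, exactly as before the patch. If the aim is to quiet the Watcom diagnostic, state the intent in the code instead, for example by bracing both bodies or by placing the two checks under the same BN_DEBUG condition that enables bn_check_top, and say in the patch description which diagnostic this is meant to silence.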
Re: [PATCH] 0.9.8: Install bug on case-preserving filesystems
In message [EMAIL PROTECTED] on Thu, 7 Jul 2005 11:01:11 +0200, Corinna Vinschen [EMAIL PROTECTED] said: vinschen The problem only happens on filesystems which are not vinschen case-sensitive but only case-preserving, like filesystems on vinschen Windows or MacOS. vinschen vinschen What happens is that make(1) tries to find if the rule is up vinschen to date. While doing this, make calls stat(install), vinschen which returns with success on case-preserving filesystems! I've applied a fix which looks a little different from yours: Index: crypto/des/Makefile === RCS file: /e/openssl/cvs/openssl/crypto/des/Makefile,v retrieving revision 1.5 diff -u -r1.5 Makefile --- crypto/des/Makefile 16 May 2005 16:55:22 - 1.5 +++ crypto/des/Makefile 8 Jul 2005 10:10:55 - @@ -88,7 +88,10 @@ @$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST) @$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS) -install: +# We need to use force because 'install' matches 'INSTALL' on case +# insensitive systems +FRC.install: +install: FRC.install @[ -n $(INSTALLTOP) ] # should be set by top Makefile... @headerlist=$(EXHEADER); for i in $$headerlist ; \ do \ (did the same thing in the crypto/bf directory) Cheers, Richard - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
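Review bot: FRC.install is declared with no prerequisites and no recipe, so the forced run of install holds only while no file named FRC.install, in any case variant on these filesystems, exists in crypto/des; the added comment should say that. The comment also says "case insensitive systems" where the report describes case-preserving filesystems, and since the message mentions crypto/bf getting the same treatment, every other directory Makefile with an install: target should be checked for the same rule rather than fixed one at a time.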
Here goes...
I'm starting the release of 0.9.8. Hold ye' horses. Cheers, Richard
[ANNOUNCE] OpenSSL 0.9.8 released
OpenSSL version 0.9.8 released
==============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8 of our open source toolkit for SSL/TLS. This new OpenSSL version is a major release and incorporates many new features as well as major fixes compared to 0.9.7x. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES .

The most significant changes are:

o Major work on the BIGNUM library for higher efficiency and to make operations more streamlined and less contradictory. This is the result of a major audit of the BIGNUM library.
o Addition of BIGNUM functions for fields GF(2^m) and NIST curves, to support the Elliptic Crypto functions.
o Major work on Elliptic Crypto; ECDH and ECDSA added, including the use through EVP, X509 and ENGINE.
o New ASN.1 mini-compiler that's usable through the OpenSSL configuration file.
o Added support for ASN.1 indefinite length constructed encoding.
o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
o Complete rework of shared library construction and linking programs with shared or static libraries, through a separate Makefile.shared.
o Rework of the passing of parameters from one Makefile to another.
o Changed ENGINE framework to load dynamic engine modules automatically from specifically given directories.
o New structure and ASN.1 functions for CertificatePair.
o Changed the ZLIB compression method to be stateful.
o Changed the key-generation and primality testing progress mechanism to take a structure that contains the ticker function and an argument.
o New engine module: GMP (performs private key exponentiation).
o New engine module: VIA PadLock ACE extension in VIA C3 Nehemiah processors.
o Added support for IPv6 addresses in certificate extensions. See RFC 1884, section 2.2.
o Added support for certificate policy mappings, policy constraints and name constraints.
o Added support for multi-valued AVAs in the OpenSSL configuration file.
o Added support for multiple certificates with the same subject in the 'openssl ca' index file.
o Make it possible to create self-signed certificates using 'openssl ca -selfsign'.
o Make it possible to generate a serial number file with 'openssl ca -create_serial'.
o New binary search functions with extended functionality.
o New BUF functions.
o New STORE structure and library to provide an interface to all sorts of data repositories. Supports storage of public and private keys, certificates, CRLs, numbers and arbitrary blobs. This library is unfortunately unfinished and unused within OpenSSL.
o New control functions for the error stack.
o Changed the PKCS#7 library to support one-pass S/MIME processing.
o Added the possibility to compile without old deprecated functionality with the OPENSSL_NO_DEPRECATED macro or the 'no-deprecated' argument to the config and Configure scripts.
o Constification of all ASN.1 conversion functions, and other affected functions.
o Improved platform support for PowerPC.
o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
o New X509_VERIFY_PARAM structure to support parametrisation of X.509 path validation.
o Major overhaul of RC4 performance on Intel P4, IA-64 and AMD64.
o Changed the Configure script to have some algorithms disabled by default. Those can be explicitly enabled with the new argument form 'enable-xxx'.
o Change the default digest in 'openssl' commands from MD5 to SHA-1.
o Added support for DTLS.
o New BIGNUM blinding.
o Added support for the RSA-PSS encryption scheme
o Added support for the RSA X.931 padding.
o Added support for BSD sockets on NetWare.
o Added support for files larger than 2GB.
o Added initial support for Win64.
o Added alternate pkg-config files.

We consider OpenSSL 0.9.8 to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible.

OpenSSL 0.9.8 is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The distribution file name is:

o openssl-0.9.8.tar.gz
  MD5 checksum: 9da21071596a124acde6080552deac16
  SHA1 checksum: 7350b0f0d1a6d257cb24b9d4dc5e30b80e49d6ac

The checksums were calculated using the following command:

  openssl md5 openssl-0.9.8.tar.gz
  openssl sha1 openssl-0.9.8.tar.gz

Yours, The OpenSSL
Why the *hell*???
Can anyone tell me why the hell CA.pl puts both the private key and the CSR in newreq.pem? Shouldn't they be *separate*? I'm baffled. Cheers, Richard
Re: Why the *hell*???
In message [EMAIL PROTECTED] on Mon, 4 Jul 2005 22:29:54 +0200, Dr. Stephen Henson [EMAIL PROTECTED] said:

steve> On Mon, Jul 04, 2005, Richard Levitte - VMS Whacker wrote:
steve>
steve> > Can anyone tell me why the hell CA.pl puts both the private key and the CSR in newreq.pem? Shouldn't they be *separate*?
steve>
steve> None except that the CA.sh script it was a translation of did the same.

I take it you don't mind if I make a slight change to how things are done, then :-). Say welcome to our new born file, newkey.pem.

Cheers, Richard
Any more showstoppers?
OK, I want to know if there's anything more for me to worry about, or can I release 0.9.8 tonight? You have 12 hours (until 19:30, GMT+0200) to try to stop me :-). If I receive no message saying I should release 0.9.8, I will at that time. That means the developers also have that time to fix small remaining bugs. Be careful though, so we don't break OpenSSL on some platforms in the last minute. Cheers, Richard
Re: Considering SSL and Crypto libraries for LSB
In message [EMAIL PROTECTED] on Wed, 29 Jun 2005 17:44:38 -0700, Banginwar, Rajesh [EMAIL PROTECTED] said:

rajesh.banginwar> Do you or anyone on this project have data suggesting which APIs are candidates for LSB inclusion both from demand and stability point of view?

Quick answer, solely based on the header files and looking for the parts that do not expose their structures: EC, ECDH, ECDSA (although it exposes the signature structure, but I think that one's standardised), pqueue, UI. ENGINE should also be here even though there are some exposed structures. Those structures are fairly well defined and are not subject to change soon, as far as I can predict.

Quite honestly, even though I'm quite an enthusiastic OpenSSL developer for years and have been for years (since it started, really), I can't really recommend OpenSSL as an LSB candidate from that point of view, as it stands today. Every major upgrade (which we define as a change of x in 0.9.x) has had some kind of incompatibility with previous versions.

Cheers, Richard
Re: Considering SSL and Crypto libraries for LSB
In message [EMAIL PROTECTED] on Wed, 29 Jun 2005 22:05:07 -0700, Dan Kegel [EMAIL PROTECTED] said:

dank> http://www.gnu.org/software/gnutls/
dank> exposes two APIs: the OpenSSL api (I gather?), and its own.

About the OpenSSL API, this page answers part of the question. http://www.gnu.org/software/gnutls/reference/gnutls-openssl.html The rest of the answer is in gnutls/openssl.h. They expose some structures to remain compatible with the way OpenSSL currently works, so it's basically a compatibility that's as stripped down as possible. For the rest of GnuTLS, they seem to expose very little, from what I can gather by looking at the public header files.

dank> If so, perhaps that might provide a way forward: apps that need a stable interface can use the gnutls api (which openssl could provide as a wrapper); everyone else could use the openssl api (which gnutls seems to provide as a wrapper, unless I misread the docs).

It's a path. Just a small warning about license politics: According to http://www.gnu.org/software/gnutls/gnutls.html, the GnuTLS core library is licensed under the LGPL. Looking at the header files, it looks like there's a mix of GPL and LGPL, and among others, their openssl.h is under the GPL (something I find very interesting). This may have changed with later versions...

Cheers, Richard
Re: ASN.1 error message in OpenSSL v0.9.7d
In message [EMAIL PROTECTED] on Tue, 28 Jun 2005 10:26:38 +0200, Nils Larsch [EMAIL PROTECTED] said:

nlarsch> asn1parse doesn't support txt input just der or pem

The help says it does. I'll fix that.

Cheers, Richard
Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/crypto/bn/ bn_nist.c
Ben, you committed four non-FIPS changes to 0.9.8-stable only. Are you going to commit them to HEAD as well? Cheers, Richard
Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/ssl/ ssltest.c
In message [EMAIL PROTECTED] on Tue, 28 Jun 2005 15:27:53 +0200 (CEST), Ben Laurie [EMAIL PROTECTED] said:

ben> Log:
ben> Did you know it was wrong to use a char as an array index?

It isn't if you know what you're doing. However, when things like isspace() are implemented using an array, you will get surprising results if you feed it a signed char with the high bit set.

Cheers, Richard
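The hazard described in the reply above, as an added example that is not part of the original thread or of ssltest.c: a high-bit byte held in a signed char becomes a negative table index unless it is converted to unsigned char first. The lookup table, the function names and the sample string are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Toy 256-entry classification table, the shape a table-driven isspace()
 * can take (an assumption for illustration, not any libc's actual table). */
static const unsigned char SPACE_TABLE[256] = {
    [' '] = 1, ['\t'] = 1, ['\n'] = 1, ['\v'] = 1, ['\f'] = 1, ['\r'] = 1
};

/* Index produced when the byte is used directly: a signed char with the
 * high bit set promotes to a negative int, i.e. an index before the table. */
int raw_index(signed char c)
{
    return c;
}

/* Index after the conversion <ctype.h> arguments need: always 0..255. */
int safe_index(signed char c)
{
    return (unsigned char)c;
}

/* Table lookup that is safe whether plain char is signed or unsigned. */
int table_is_space(char c)
{
    return SPACE_TABLE[(unsigned char)c];
}

/* Count whitespace-separated words in a byte string that may contain
 * high-bit bytes (UTF-8, Latin-1, binary); every isspace() argument is
 * cast so it stays in the range the function is defined for. */
size_t count_words(const char *s)
{
    size_t words = 0;
    int in_word = 0;
    for (; *s != '\0'; s++) {
        if (isspace((unsigned char)*s)) {
            in_word = 0;
        } else if (!in_word) {
            in_word = 1;
            words++;
        }
    }
    return words;
}

int main(void)
{
    /* Constructed sample: byte 0xA0 held in a signed char has value -96. */
    signed char high = -96;
    printf("raw index:  %d\n", raw_index(high));
    printf("safe index: %d\n", safe_index(high));
    printf("is space:   %d\n", table_is_space((char)high));
    /* Constructed sample: "cafe" with a UTF-8 e-acute (bytes C3 A9). */
    printf("words:      %zu\n", count_words("caf\xc3\xa9 au\tlait"));
    return 0;
}
```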
Re: make test still failing
In message [EMAIL PROTECTED] on Tue, 28 Jun 2005 09:29:54 -0700, Rodney Thayer [EMAIL PROTECTED] said:

rodney> 'make test' never works. in the EC test, it runs a long time (tracing the output gives multiple gigabytes of text, it seems to take on the order of an hour or more). the failure is a memory fault of some kind. After I confirm this isn't a known problem I'll run it again and post the last bit of the output.

We will also need to know exactly how you configured it, and what the configuration output was.

Cheers, Richard
Re: Missing documentation
In message [EMAIL PROTECTED] on Wed, 29 Jun 2005 06:42:59 +0200, Karsten Ohme [EMAIL PROTECTED] said:

widerstand> will there be some day, when the OpenSSL source code is documented in a some way? In all source files, explanations to the functions, the parameters and comments in the code what is done are missing.

We're well aware the documentation is lacking. We are adding some all the time. I wish we had the possibility to do *only* that for a while, but that's not what reality looks like. In the Open Source spirit, there's nothing stopping you from helping out. In a completely different project, I just learned a key phrase: patches are welcome!

widerstand> OpenSSL is the only wide available possibility for a crypto library with this functionality but it would not, if there would be a more user friendly alternative. Can somebody advice a alternative crypto and x509 library?

CryptLib (http://www.cs.auckland.ac.nz/~pgut001/cryptlib/)
Crypto++ (http://www.eskimo.com/~weidai/cryptlib.html)
Botan (http://botan.randombit.net/)
GnuTLS (http://www.gnu.org/software/gnutls/)

There are probably more. I stick for OpenSSL, but hey, I'm a developer :-).

Cheers, Richard
Still a few issues. Release delayed...
Hi, The release is delayed again. There are a couple of issues that I think need to be checked. I hope we'll be through with this in a week. Cheers, Richard
Re: [openssl.org #1105] DTLS HelloVerifyRequest PATCH
In message [EMAIL PROTECTED] on Sat, 25 Jun 2005 02:30:40 -0700, nagendra modadugu [EMAIL PROTECTED] said:

nagendra> It turns out that the Version field was omitted from the HelloVerify message in the internet draft. The document will be corrected.

So the bug report can be removed, right? (and *please* keep [EMAIL PROTECTED] among the recipients. It's quite hard to follow history in the database when people keep skipping that address)

Cheers, Richard
Re: [openssl.org #1135] 0.9.8-beta7-dev and DJGPP
In message [EMAIL PROTECTED] on Fri, 24 Jun 2005 14:50:53 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> On Jun 24 14:29, [EMAIL PROTECTED] via RT wrote:
vinschen>
vinschen> > The OpenSSL 0.9.8-stable snapshot from 24 June 2005 configures, builds, tests, and installs without problem on DJGPP.
vinschen>
vinschen> Same for Cygwin.

Thanks. Noted.

Cheers, Richard
Re: Release delayed a few days - 20050624 Success with Mac OS X 10.4.1
In message [EMAIL PROTECTED] on Fri, 24 Jun 2005 08:58:29 -0700, Rush Manbert [EMAIL PROTECTED] said:

rush> Just tried again with 20050624 snapshot. It built just fine and successfully ran all the tests.

Great! Thanks! Noted.

Cheers, Richard
Re: Openssl-snap-20050624 (0.9.8) works on Stratus VOS
In message [EMAIL PROTECTED] on Fri, 24 Jun 2005 16:57:14 -0400, Green, Paul [EMAIL PROTECTED] said:

Paul.Green> I've built and run the self-tests for openssl-SNAP-20050624.tar.gz on Stratus VOS, using gcc, on both hardware platforms (PA-RISC and Intel IA32). Works just fine. Thanks a million!

Thank *you*! Result noted.

Cheers, Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message [EMAIL PROTECTED] on Wed, 22 Jun 2005 10:25:12 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> On Jun 21 08:21, Richard Levitte - VMS Whacker wrote:
vinschen> > -BEGIN PGP SIGNED MESSAGE-
vinschen> > Hash: SHA1
vinschen> >
vinschen> > OpenSSL version 0.9.8 Beta 6 (FINAL!)
vinschen>
vinschen> Build and tests fine on Cygwin.

Thanks.

Cheers, Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message [EMAIL PROTECTED] on Wed, 22 Jun 2005 14:04:17 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> Any problem to apply the below last minute patch to util/cygwin.sh?

No. I'll see to it.

Cheers, Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 6 released
In message [EMAIL PROTECTED] on Wed, 22 Jun 2005 23:57:29 +1000, Steven Reddie [EMAIL PROTECTED] said:

smr> Operating system    Configured for                                Compiler
smr> ----------------    --------------                                --------
smr> Windows 2000        VC-WIN32                                      MSVC 6.0
smr> Cygwin 1.5.5-1      i686-whatever-cygwin Cygwin                   gcc 3.3.1
smr> Red Hat Linux 9     i686-whatever-linux2 linux-elf                gcc 3.2.2
smr> FreeBSD 4.6         i586-pc-freebsd4.6 BSD-x86-elf                gcc 2.95.3
smr> Solaris 2.6         sun4u-whatever-solaris2 solaris-sparcv9-cc    Sun WorkShop 6 update 2 C 5.3
smr> Solaris 2.7         sun4u-whatever-solaris2 solaris-sparcv9-cc    Sun WorkShop 6 update 2 C 5.3
smr> AIX 5.1             0050C89A4C00-ibm-aix aix-cc                   C for AIX Compiler, Version 6
smr> HP-UX 11.11         9000/800-hp-hpux1x hpux-parisc2-cc            HP C Compiler B.11.11.08
smr> Tru64 OSF1 V4.0E    alpha-dec-tru64 tru64-alpha-cc                DEC C V5.8-009

All noted. Thanks!

Cheers, Richard
Re: [CVS] OpenSSL: openssl/ Makefile.org openssl/apps/ Makefile openssl/cr...
In message [EMAIL PROTECTED] on Thu, 23 Jun 2005 02:03:32 +0200 (CEST), Andy Polyakov [EMAIL PROTECTED] said:

appro> OpenSSL CVS Repository
appro> http://cvs.openssl.org/
appro>
appro> Server: cvs.openssl.org    Name: Andy Polyakov
appro> Root: /v/openssl/cvs       Email: [EMAIL PROTECTED]
appro> Module: openssl            Date: 23-Jun-2005 02:03:27
appro> Branch: HEAD               Handle: 2005062301030323
appro>
appro> Modified files:
appro>   openssl Makefile.org
appro>   openssl/apps Makefile
appro>   openssl/crypto Makefile
appro>   openssl/crypto/bio Makefile
appro>   openssl/engines Makefile
appro>   openssl/test Makefile
appro>
appro> Log:
appro>   Jumbo Makefiles update.
appro>
appro>   - eliminate ambiguities between GNU-ish and SysV-ish make flavors;
appro>   - switch [back] to -e;
appro>   - fold/unify rules;
appro>
appro>   This is follow-up to the patch introducing common BUILDENV. Idea is to collect as much parameters in $(TOP) as possible and strip lower Makefiles for most variables [and thus makes them more readable].

Hmm, are you planning on doing this in 0.9.8-stable as well?

Cheers, Richard
Release delayed a few days...
Hi all,

Due to a number of last minute reports, the final release of OpenSSL 0.9.8 is delayed a few days to give the affected people a chance to test that the corrections done do fix things as expected.

So please, if you have sent in a report about something failing with one of the 0.9.8 betas, grab a snapshot (tomorrow's, i.e. openssl-0.9.8-stable-SNAP-20050624.tar.gz or later) and try it, to confirm that we fixed your problem and didn't create new ones. And if anyone else wants to run a test, just to see that we didn't break anything on your platform, please do so. In all cases, please tell us how it went, so we know. Same channel as before.

I plan to do the final release on Sunday (26th) or Monday (27th) evening, Swedish time, so time is of the essence.

Thanks, Richard
Re: typos in enc manual page?!
In message [EMAIL PROTECTED] on Fri, 24 Jun 2005 01:02:55 +0200, Steffen Pankratz [EMAIL PROTECTED] said:

kratz00> Hi
kratz00>
kratz00> from the enc man page - SUPPORTED CIPHERS
kratz00>
kratz00> rc5-cbc    RC5 cipher in CBC mode
kratz00> rc5        Alias for rc5-cbc
kratz00> rc5-cfb    RC5 cipher in CBC mode
[...]

Thanks, I've committed a change.

Cheers, Richard
[ANNOUNCE] OpenSSL 0.9.8 beta 6 released
OpenSSL version 0.9.8 Beta 6 (FINAL!)
=====================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The sixth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

PLEASE TEST THIS RELEASE! This is a final beta. The final release is due very soon, and we would like your help to make this as good a release as ever possible. Among others, base64 decoding needs extra attention (see below).

The file names of the beta are:

o openssl-0.9.8-beta6.tar.gz
  MD5 checksum: e6771df5621169ae616adb3475aac71a
  SHA1 checksum: d5aad452a4a192780ff1990b5c75513eb8408fe2

The checksums were calculated using the following command:

  openssl md5 openssl-0.9.8-beta6.tar.gz
  openssl sha1 openssl-0.9.8-beta6.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the fifth beta, the following has happened:

- Change the DJGPP setup so its DEVRANDOM is defined in e_os.h instead of in the build command line.
- Worked around a DJGPP command line bug during installation of docs.
- Worked out better target selections for BSD ELF.
- Corrected the CPUid code for x86_64.
- Made the base64 decoder a bit more robust.
- We made sure crypto/bn/bn_prime.h is properly built during an update.
- Enhanced the documentation on id_function in threads.pod.
- Added a fallback to software in the CSwift engine.
- Other bug fixes...

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox          Nils Larsch       Ulf Möller
Ralf S. Engelschall  Ben Laurie        Andy Polyakov
Dr. Stephen Henson   Richard Levitte   Geoff Thorpe
Lutz Jänicke         Bodo Möller
Re: possible bug in BIO_f_base64 ?
In message [EMAIL PROTECTED] on Mon, 20 Jun 2005 12:11:30 +0200, Beat Jucker [EMAIL PROTECTED] said:

bj Given attached BASE64 encoded file openssl will write only 5280
bj decoded bytes instead of the original 5305 bytes as other tools
bj like mimencode, base64, Asn1Editor, web online base64 decoder, ...
bj
bj openssl base64 -d -in text.pem -out text.der
bj -- 5280 instead of 5305 bytes!?

I've played with previous incarnations, and noticed that with the latest update for 0.9.7-stable, I get 5305 bytes, while I get 5280 bytes with 0.9.8-stable. I compared crypto/evp/bio_b64.c from both branches, and there is virtually no difference, so the problem is somewhere else.

I noticed something unusual about your file: the lines are 76 characters, when a PEM file usually (or at least by default when output by OpenSSL) has 64 character lines... I have no clue how important that fact is, but I'm going to conduct some tests.

Cheers,
Richard
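The report above turns on line width: 76-character lines instead of the 64 that OpenSSL writes. As an added example (not code from the thread or from OpenSSL; the function names and the sample bytes are assumptions constructed here), a decoder that skips whitespace wherever it falls returns the same 5305 bytes at any wrap width:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Encode n bytes, writing '\n' after every `width` characters (0 = no wrap).
 * Returns the text length, or 0 if `cap` is too small. */
size_t b64_encode_wrapped(const unsigned char *in, size_t n, size_t width,
                          char *out, size_t cap)
{
    size_t i, k, o = 0, col = 0;

    for (i = 0; i < n; i += 3) {
        size_t left = n - i;
        unsigned long v = (unsigned long)in[i] << 16;
        char q[4];

        if (left > 1) v |= (unsigned long)in[i + 1] << 8;
        if (left > 2) v |= in[i + 2];
        q[0] = B64[(v >> 18) & 63];
        q[1] = B64[(v >> 12) & 63];
        q[2] = left > 1 ? B64[(v >> 6) & 63] : '=';
        q[3] = left > 2 ? B64[v & 63] : '=';
        for (k = 0; k < 4; k++) {
            if (o + 2 > cap) return 0;       /* room for char + newline */
            out[o++] = q[k];
            if (++col == width) { out[o++] = '\n'; col = 0; }
        }
    }
    return o;
}

/* Decode base64 text, skipping whitespace wherever it occurs, so the result
 * cannot depend on line length. Returns the byte count, or -1 on malformed
 * input (bad character, misplaced '=', truncated group) or a full buffer. */
long b64_decode_any_wrap(const char *in, size_t n, unsigned char *out, size_t cap)
{
    unsigned long acc = 0;
    int nchars = 0, pad = 0, done = 0;
    size_t i, o = 0;

    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        const char *p;

        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') continue;
        if (done) return -1;                 /* data after the padded group */
        if (c == '=') {
            if (nchars < 2) return -1;       /* '=' only in positions 3 and 4 */
            pad++;
            acc <<= 6;
        } else {
            p = c ? strchr(B64, c) : NULL;
            if (p == NULL || pad) return -1; /* bad char, or data after '=' */
            acc = (acc << 6) | (unsigned long)(p - B64);
        }
        if (++nchars == 4) {                 /* one full 4-character group */
            size_t nbytes = 3 - (size_t)pad;
            if (o + nbytes > cap) return -1;
            out[o++] = (unsigned char)(acc >> 16);
            if (nbytes > 1) out[o++] = (unsigned char)(acc >> 8);
            if (nbytes > 2) out[o++] = (unsigned char)acc;
            done = pad != 0;
            acc = 0; nchars = 0; pad = 0;
        }
    }
    return nchars == 0 ? (long)o : -1;       /* leftover chars: truncated */
}

/* Encode n constructed bytes at the given wrap width, decode them again and
 * return the decoded length, or -1 if anything differs. */
long wrap_roundtrip(size_t n, size_t width)
{
    static unsigned char data[6000], back[6000];
    static char text[12000];
    size_t i, tlen;
    long got;

    if (n == 0 || n > sizeof data) return -1;
    for (i = 0; i < n; i++) data[i] = (unsigned char)(i * 31 + 7);
    tlen = b64_encode_wrapped(data, n, width, text, sizeof text);
    if (tlen == 0) return -1;
    got = b64_decode_any_wrap(text, tlen, back, sizeof back);
    if (got != (long)n || memcmp(data, back, n) != 0) return -1;
    return got;
}

int main(void)
{
    /* 5305 is the payload size from the report; 64 and 76 are the two widths. */
    printf("64 columns: %ld bytes\n", wrap_roundtrip(5305, 64));
    printf("76 columns: %ld bytes\n", wrap_roundtrip(5305, 76));
    printf(" 5 columns: %ld bytes\n", wrap_roundtrip(5305, 5));
    return 0;
}
```

The 5-column case puts line breaks inside 4-character groups, which 64 and 76 columns never do.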
Re: util/selftest.pl
In message [EMAIL PROTECTED] on Mon, 20 Jun 2005 11:52:50 -0700 (PDT), Tim Rice [EMAIL PROTECTED] said:

tim I noticed make report didn't show the cc version on most of
tim my System V platforms. This patch corrects this.

Thanks, committed.

Cheers,
Richard
Re: possible bug in BIO_f_base64 ?
In message [EMAIL PROTECTED] on Mon, 20 Jun 2005 18:53:39 +0200, Dr. Stephen Henson [EMAIL PROTECTED] said:

steve On Mon, Jun 20, 2005, Richard Levitte - VMS Whacker wrote:
steve steve In message [EMAIL PROTECTED] on Mon, 20 Jun 2005 12:11:30 +0200, Beat Jucker [EMAIL PROTECTED] said:
steve steve bj Given attached BASE64 encoded file openssl will write only 5280
steve bj decoded bytes instead of the original 5305 bytes as other tools
steve bj like mimencode, base64, Asn1Editor, web online base64 decoder, ...
steve bj
steve bj openssl base64 -d -in text.pem -out text.der
steve bj -- 5280 instead of 5305 bytes!?
steve steve I've played with previous incarnations, and noticed that with the
steve latest update for 0.9.7-stable, I get 5305 bytes, while I get 5280
steve bytes with 0.9.8-stable. I compared crypto/evp/bio_b64.c from both
steve branches, and there is virtually no difference, so the problem is
steve somewhere else.
steve steve I noticed something unusual about your file: the lines are 76
steve characters, when a PEM file usually (or at least by default when
steve output by OpenSSL) has 64 character lines... I have no clue how
steve important that fact is, but I'm going to conduct some tests.
steve steve steve The only significant change is:
steve steve http://cvs.openssl.org/chngview?cn=12988
steve steve whether this is the problem or it has just triggered a problem
steve elsewhere I don't know.

This specific case seems to be because of the 76 character lines. The attached patch seems to fix it, though.

Really, the base64 decoder is quite the pile of crap. Why on earth does it have dependence on where a NL will appear? There's absolutely no reason unless you're a PEM fetishist... It should really be rewritten...
-- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis Index: crypto/evp/encode.c === RCS file: /e/openssl/cvs/openssl/crypto/evp/encode.c,v retrieving revision 1.14 diff -u -r1.14 encode.c --- crypto/evp/encode.c 3 Apr 2005 16:38:22 - 1.14 +++ crypto/evp/encode.c 20 Jun 2005 22:01:26 - @@ -313,7 +313,7 @@ /* There will never be more than two '=' */ } - if ((v == B64_EOF) || (n = 64)) + if ((v == B64_EOF (n3) == 0) || (n = 64)) { /* This is needed to work correctly on 64 byte input * lines. We process the line and then need to
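Review bot: the comment directly under the changed "if" still reads "This is needed to work correctly on 64 byte input lines", but with this change a B64_EOF is no longer processed unconditionally, so the comment should say when an EOF now triggers processing and why. The "n = 64" half of the test is untouched, so decoding still depends on line length; a regression input with 76-character lines, the case reported in this thread, would show that the new condition covers it.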
Rescheduling
Hi,

I've just remade the release schedule a little bit. Originally, OpenSSL 0.9.8 was supposed to be released yesterday. However, due to personal stuff and some issues with the latest beta, the release has been slightly delayed. So, the final beta will be this evening (Swedish time), and the release is scheduled for Thursday (June 23) evening.

This means that I'm asking for a last effort to help make OpenSSL 0.9.8 as good as it can be. Please test this final beta, and if there are any issues, please tell us. If there are any issues we have forgotten, please remind us!

Actually, there's nothing stopping you from grabbing a snapshot now and try it out :-). You might even find something for us to correct before we release beta 6.

ftp://ftp.openssl.org/snapshot/openssl-0.9.8-stable-SNAP-mmdd.tar.gz (mmdd is really a date, like 20050620)
Re: DOS patch for 0.9.8 beta 2
In message [EMAIL PROTECTED] on Wed, 1 Jun 2005 14:03:06 -0700 (PDT), Doug Kaufman [EMAIL PROTECTED] said:

dkaufman You are quite correct, in that quoting DEVRANDOM was the wrong thing
dkaufman to do. It put the string DEVRANDOM into the library instead of the
dkaufman value of DEVRANDOM. I am sorry that I didn't realize exactly what the
dkaufman quoting was doing before I submitted the patch.

[...]

dkaufman compiler: gcc -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN
dkaufman -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=/dev/urandom\x24 -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
dkaufman OPENSSLDIR: /dev/env/DJDIR/ssl

Hmms, \x24 is a dollar sign. With all makes, $$ becomes a single dollar sign. I'm guessing that having $$ instead of \x24 should fix the problems you see. The other option, of course, would be to double the backslashes.

Cheers,
Richard
Re: ssl/kssl.c fails on NetBSD
In message [EMAIL PROTECTED] on Thu, 16 Jun 2005 14:41:03 +0900 (JST), GOTOU Yuuzou [EMAIL PROTECTED] said:

gotoyuzo In message [EMAIL PROTECTED],
gotoyuzo `Richard Levitte - VMS Whacker [EMAIL PROTECTED]' wrote:
gotoyuzo In message [EMAIL PROTECTED] on Wed, 15 Jun 2005 18:38:27 +0900 (JST), GOTOU Yuuzou [EMAIL PROTECTED] said:
gotoyuzo gotoyuzo It may be an issue of NetBSD, but #undef _XOPEN_SOURCE
gotoyuzo gotoyuzo seems a little wrong too.
gotoyuzo gotoyuzo Does it work if I remove the #undef _XOPEN_SOURCE? I had
gotoyuzo it there for paranoid reasons, and it may not be needed.
gotoyuzo gotoyuzo Yes. Make test passed.

OK, I'll try that then.

Cheers,
Richard
Release delay
I'm delaying the release of 0.9.8 beta6 until tomorrow (Friday) night. The reason is that I want to test some changes on systems that may be sensitive to them before releasing. I believe that will be better for the release process as a whole.

Cheers,
Richard
Re: ssl/kssl.c fails on NetBSD
In message [EMAIL PROTECTED] on Wed, 15 Jun 2005 05:37:15 +0900 (JST), GOTOU Yuuzou [EMAIL PROTECTED] said:

gotoyuzo Hi,
gotoyuzo
gotoyuzo Compilation of ssl/kssl.c fails on NetBSD 3.99.5.
gotoyuzo
gotoyuzo gcc -I../crypto -I.. -I../include -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DSHA1_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -c kssl.c
gotoyuzo In file included from ../include/openssl/crypto.h:120,
gotoyuzo from ../include/openssl/comp.h:5,
gotoyuzo from ../include/openssl/ssl.h:176,
gotoyuzo from kssl.c:78:
gotoyuzo /usr/include/stdlib.h:245: error: parse error before '*' token
gotoyuzo *** Error code 1
gotoyuzo
gotoyuzo This error could be avoided if we read at least one standard
gotoyuzo header file before setting _XOPEN_SOURCE macro.

That's not a good solution, because it basically disables the effect of _XOPEN_SOURCE. It would be interesting to know what, exactly, fails. Could it be that _XOPEN_SOURCE needs to have a different value on NetBSD 3.99.5?

Cheers,
Richard
Re: ssl/kssl.c fails on NetBSD
In message [EMAIL PROTECTED] on Wed, 15 Jun 2005 18:38:27 +0900 (JST), GOTOU Yuuzou [EMAIL PROTECTED] said:

gotoyuzo It may be an issue of NetBSD, but #undef _XOPEN_SOURCE
gotoyuzo seems a little wrong too.

Does it work if I remove the #undef _XOPEN_SOURCE? I had it there for paranoid reasons, and it may not be needed.

Cheers,
Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 5 released
In message [EMAIL PROTECTED] on Mon, 13 Jun 2005 18:16:03 -0400, Mike Frysinger [EMAIL PROTECTED] said:

vapier On Monday 13 June 2005 12:19 am, Richard Levitte - VMS Whacker wrote:
vapier OpenSSL version 0.9.8 Beta 5
vapier
vapier `./config make make test` passed on Gentoo/armel

Which configuration target does that end up being? 'grep CONFIGURE_ARGS Makefile' should give you the answer.

vapier Gentoo/armeb failed the x509 certificate test ('test_ss') due
vapier to lack of enough random data, but i'm pretty sure that's a
vapier system issue and unrelated to openssl ;)

Maybe. Care to check it out?
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 5 released
In message [EMAIL PROTECTED] on Mon, 13 Jun 2005 19:03:10 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen On Jun 13 18:59, Richard Levitte - VMS Whacker wrote:
vinschen In message [EMAIL PROTECTED] on Mon, 13 Jun 2005 10:57:10 +0200, Corinna Vinschen [EMAIL PROTECTED] said:
vinschen vinschen vinschen On Jun 13 06:19, Richard Levitte - VMS Whacker wrote:
vinschen vinschen OpenSSL version 0.9.8 Beta 5
vinschen vinschen vinschen vinschen vinschen vinschen Builds OOTB and tests run fine on Cygwin.
vinschen vinschen Which version(s)?
vinschen vinschen The latest release 1.5.17 and current CVS.

Thanks. I just updated the STATUS file with that information.
[ANNOUNCE] OpenSSL 0.9.8 beta 5 released
OpenSSL version 0.9.8 Beta 5

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fifth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-0.9.8-beta5.tar.gz
  MD5 checksum: 4b492a622ca39f0c444c3cabc330933d
  SHA1 checksum: 3524b04490491e1d1674363fac601cd4b002d471

The checksums were calculated using the following command:

openssl md5 openssl-0.9.8-beta5.tar.gz
openssl sha1 openssl-0.9.8-beta5.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the fourth beta, the following has happened:

- Changed -m486 to -march=i486 in Configure.
- Added a new NetWare target that uses BSD sockets.
- Propagate INSTALL_PREFIX to inner Makefiles.
- Make it possible to read files larger than 2GB with the FILE BIO.
- Enhance cipher suite parsing.
- Other bug fixes...

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox, Nils Larsch, Ulf Möller
Ralf S. Engelschall, Ben Laurie, Andy Polyakov
Dr. Stephen Henson, Richard Levitte, Geoff Thorpe
Lutz Jänicke, Bodo Möller
Re: 0.9.8 API/ABI compatibility with 0.9.7 ?
In message [EMAIL PROTECTED] on Thu, 9 Jun 2005 14:28:27 +, Eduardo Pérez [EMAIL PROTECTED] said:

eperez On 2005-05-14 15:27:26 +, Eduardo Pérez wrote:
eperez I was wondering if openssl-0.9.8 is going to be API/ABI
eperez compatible with the current stable branch of openssl-0.9.7
eperez I think keeping API/ABI compatible is a good idea and makes
eperez programmer and users life easier.
eperez Anyway, if you are not going to keep API/ABI compatibility
eperez in openssl-0.9.8 with 0.9.7 I'd like to hear the reasoning
eperez behind that.

0.9.8 and 0.9.7 aren't compatible in certain areas. The biggest changes have nothing to do with function and variable symbols. If you want to look at the real incompatibilities, you need to compare the different structures. I'll get into that below.

eperez In libcrypto I saw that in the newer version there are missing
eperez symbols so it may not be API/ABI compatible if that symbols
eperez were supposed to be public and used by applications.

Those I saw in your diff were ECC symbols. ECC is still quite experimental in 0.9.7 and has evolved quite a lot in 0.9.8.

eperez It seems that openssl doesn't want to keep API/ABI
eperez compatibility between minor versions, ignoring the tremendous
eperez help that it brings to end users and distributions packagers,
eperez even knowing that compatibility could be achieved at no cost.

I think you're making quite a harsh conclusion. One of the bigger problems with the foundation of OpenSSL is the open nature of almost all structures. To keep API/ABI compatibility, those would have to be frozen, but that would effectively stop all development that includes new methods with extended data, or certain security fixes, or... unless you want *really ugly* and *really insecure* hacks in OpenSSL. Trust me.

For a comparison, I suggest you compare the RSA structures in crypto/rsa/rsa.h between 0.9.7 and 0.9.8. I suggest you compare simple little constants like EVP_MAX_KEY_LENGTH and EVP_MAX_BLOCK_LENGTH between 0.9.6 and 0.9.7.

The biggest change that's needed in OpenSSL is to hide all the structures and all constants and have them available through functions (creator, destructors and information functions). So speaking of incompatibilities, we've really kept it low compared to what needs to be done and what could be done.

Our version numbering is admittedly weird. Basically, we've treated '0.9.' as a prefix to signal that this isn't a 1.0 yet, and drastic changes can be expected, and effectively treated the next digit as a classic major version. This is reflected in the soname we give the shared libraries. We probably should do some drastic changes in our version numbering (which is quite a lesson to me personally. I've been reluctant to make a move to 1.0 because OpenSSL hasn't felt ready for that).

Cheers,
Richard
Re: [CVS] OpenSSL: openssl/ FAQ
In message [EMAIL PROTECTED] on Wed, 08 Jun 2005 00:32:52 +0200, Andy Polyakov [EMAIL PROTECTED] said:

appro appro 1. I'm reluctant to include bn.h to non-bn code, because it's
appro appro nothing but counterintuitive [and is not good in long run].
appro appro 2. My standpoint is [still] that pqueue/dtls1 should not have
appro appro dependency on bh.h either.
appro appro 3. Using BIGNUM for DTLS purposes is *total* overkill. To back
appro appro this up I'm going to suggest alternative, 64-bit neutral pq
appro appro code shortly:-)
appro
appro I agree.
appro
appro Consider http://cvs.openssl.org/chngview?cn=13985 for 0.9.8.

That was... unexpected :-). I was expecting some better kind of 64-bit emulating type, but definitely not an array of unsigned char.

Cheers,
Richard
Re: [CVS] OpenSSL: openssl/ FAQ
In message [EMAIL PROTECTED] on Wed, 08 Jun 2005 06:16:54 +0200 (CEST), Richard Levitte - VMS Whacker [EMAIL PROTECTED] said:

richard In message [EMAIL PROTECTED] on Wed, 08 Jun 2005 00:32:52 +0200, Andy Polyakov [EMAIL PROTECTED] said:
richard
richard appro appro 1. I'm reluctant to include bn.h to non-bn code, because it's
richard appro appro nothing but counterintuitive [and is not good in long run].
richard appro appro 2. My standpoint is [still] that pqueue/dtls1 should not have
richard appro appro dependency on bh.h either.
richard appro appro 3. Using BIGNUM for DTLS purposes is *total* overkill. To back
richard appro appro this up I'm going to suggest alternative, 64-bit neutral pq
richard appro appro code shortly:-)
richard appro
richard appro I agree.
richard appro
richard appro Consider http://cvs.openssl.org/chngview?cn=13985 for 0.9.8.
richard
richard That was... unexpected :-). I was expecting some better kind of
richard 64-bit emulating type, but definitely not an array of unsigned char.

Don't take that as a complaint, BTW. If it works, I see no problem having that in 0.9.8, and maybe develop a better 64-bit type for 0.9.9.

Cheers,
Richard
Re: [CVS] OpenSSL: openssl/ FAQ
It's interesting to see this happening. We have two parts of OpenSSL, sha512 and pqueue, that solve the 64-bit integer problem in very different manners.

Would it be a bad thing to have a header file in crypto/bn that provides a guaranteed 64-bit number, possibly through BIGNUM, with macros to distinguish between the true 64-bit integer and BIGNUM cases (like pq_compat.h has today), and have both sha512 and pqueue use it? I'm not saying that sha512 should be implemented using BIGNUMs, but rather that it should be possible to detect if 64-bit integers are supported as far as OpenSSL knows, and have sha512 implemented in those terms instead of forcing the user to say no-sha512 because his first build failed?

In message [EMAIL PROTECTED] on Mon, 6 Jun 2005 11:32:03 +0200 (CEST), Andy Polyakov [EMAIL PROTECTED] said:

appro OpenSSL CVS Repository appro http://cvs.openssl.org/ appro appro appro Server: cvs.openssl.org Name: Andy Polyakov appro Root: /v/openssl/cvs Email: [EMAIL PROTECTED] appro Module: openssl Date: 06-Jun-2005 11:32:02 appro Branch: HEAD Handle: 2005060610320100 appro appro Modified files: appro openssl FAQ appro appro Log: appro FAQ to mention no-sha512 as option for compilers without support for 64-bit appro integer type. appro appro Summary: appro RevisionChanges Path appro 1.103 +10 -0 openssl/FAQ appro appro appro patch -p0 '@@ .' appro Index: openssl/FAQ appro appro $ cvs diff -u -r1.102 -r1.103 FAQ appro --- openssl/FAQ19 May 2005 19:54:49 - 1.102 appro +++ openssl/FAQ6 Jun 2005 09:32:01 - 1.103 appro @@ -47,6 +47,7 @@ appro* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]? appro* Why does OpenBSD-i386 build fail on des-586.s with Unimplemented segment type? appro* Why does the OpenSSL test suite fail in sha512t on x86 CPU? appro +* Why does compiler fail to compile sha512.c? appro appro[PROG] Questions about programming with OpenSSL appro appro 
@@ -607,6 +608,15 @@ approinstruction extentions. See accompanying INSTALL file and approOPENSSL_ia32cap(3) documentation page for further information. appro appro +* Why does compiler fail to compile sha512.c? appro + appro +OpenSSL SHA-512 implementation depends on compiler support for 64-bit appro +integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a appro +couple] lack support for this and therefore are incapable of compiling appro +the module in question. The recommendation is to disable SHA-512 by appro +adding no-sha512 to ./config [or ./Configure] command line. Another appro +possible alternative might be to switch to GCC. appro + appro[PROG] appro appro* Is OpenSSL thread-safe? appro @@ . appro __ appro OpenSSL Project http://www.openssl.org appro CVS Repository Commit List [EMAIL PROTECTED] appro Automated List Manager [EMAIL PROTECTED] appro - Please consider sponsoring my work on free software. See http://www.free.lp.se/sponsoring.html for details. -- Richard Levitte [EMAIL PROTECTED] http://richard.levitte.org/ When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up. -- C.S. Lewis __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]
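Review bot: in the added FAQ answer, "Few elder compilers" should read "A few older compilers", and the new index line "+* Why does compiler fail to compile sha512.c?" wants an article ("the compiler") to match the neighbouring questions. The entry also tells the reader to pass no-sha512 without describing how the failure shows up; quoting the typical compiler complaint about the missing 64-bit integer type would let a user match their build log to this entry before disabling SHA-512.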
Re: [CVS] OpenSSL: openssl/ FAQ
In message [EMAIL PROTECTED] on Mon, 06 Jun 2005 22:32:05 +0200, Andy Polyakov [EMAIL PROTECTED] said:

appro 1. I'm reluctant to include bn.h to non-bn code, because it's
appro nothing but counterintuitive [and is not good in long run].
appro 2. My standpoint is [still] that pqueue/dtls1 should not have
appro dependency on bh.h either.
appro 3. Using BIGNUM for DTLS purposes is *total* overkill. To back
appro this up I'm going to suggest alternative, 64-bit neutral pq
appro code shortly:-)

I agree. I'd rather see something like crypto/64bit.h (which is exported) and crypto/64bit.c. However, considering we're not very far from releasing 0.9.8 (everyone look at http://www.openssl.org/news/state.html!) I'd say a change to something completely new in this department should only be added to the 0.9.8 tree with lots of caution, and that the BIGNUM reference in pqueue may be a necessary compromise. In 0.9.9-dev, the matter is different, and I for one welcome any more developed 64-bit integer handling there.

About the code in crypto/bn: there are some low-level routines that are specifically designed to handle 64-bit integers represented as two 32-bit integers. That code should be used, there's no point not to. So it would be natural to depend on that part of crypto/bn...

Cheers,
Richard
Re: [CVS] OpenSSL: OpenSSL_0_9_8-stable: openssl/crypto/pqueue/ pq_compat....
In message [EMAIL PROTECTED] on Mon, 06 Jun 2005 09:39:51 +1000 (EST), Brian Havard [EMAIL PROTECTED] said:

brianh There's a few other places where VMS is specifically tested for related to
brianh this that probably should also be changed.
brianh
brianh IE ./ssl/d1_pkt.c:139,1456,1741
brianh ./ssl/d1_pkt.c:135
brianh ./crypto/pqueue/pqueue.c:202
brianh
brianh Currently, without BN_LLONG defined, I get this:
brianh ./ssl/d1_pkt.c: In function `dtls1_record_replay_check':
brianh ./ssl/d1_pkt.c:1457: invalid initializer

Actually, as it is, I think those won't need to have any special tests any more, since all cases when there is no 64-bit integer provided by the compiler (as far as we know), BIGNUMs are used instead... I'll try that. Thanks for the notification.

Cheers,
Richard
[ANNOUNCE] OpenSSL 0.9.8 beta 4 released
OpenSSL version 0.9.8 Beta 4

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The fourth beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-0.9.8-beta4.tar.gz
  MD5 checksum: 55268415737b3d21726307d778fdf39e
  SHA1 checksum: 3d2a19de0c7e1972f8a3f0420e6cf9ac35bbaf4f

The checksums were calculated using the following command:

openssl md5 openssl-0.9.8-beta4.tar.gz
openssl sha1 openssl-0.9.8-beta4.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the third beta, the following has happened:

- Ultrix issues are fixed (we think).
- ia64 issues are fixed (we think).
- NetWare is updated.
- More VMS issues are fixed.
- rpm build issues are fixed (we think).
- Engine padlock issues are fixed (we think).
- pqueue should now work a lot better on systems that do not support integer types larger than 32 bits.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox, Ben Laurie, Andy Polyakov
Ralf S. Engelschall, Richard Levitte, Geoff Thorpe
Dr. Stephen Henson, Bodo Möller, Ulf Möller
Lutz Jänicke, Nils Larsch
Re: Suggestions for pqueue
In message [EMAIL PROTECTED] on Sat, 4 Jun 2005 04:31:21 +0200 (CEST), Andrija Antonijevic [EMAIL PROTECTED] said:

openssl> I am using OpenSSL on an architecture that has a shared
openssl> library model in which the arguments are passed through the
openssl> (32-bit) registers and for which passing the arguments whose
openssl> size is larger than 32-bit would create some problems.

I assume you're talking about VMS, or is there another architecture involved as well? Would you mind telling me the VMS version and C compiler version? Is it on VAX? Can you tell me a little more about the problem? See, I assume you work on Alpha or ia64, otherwise pqueue would use BIGNUM for PQ_64BIT (because VAX doesn't have 'long long' according to our configuration parameters), so I've a hard time understanding the argument about 32-bit registers.

openssl> Additionally, it seems to me that pqueue_print should either
openssl> not be included when OPENSSL_NOSTDIO is defined since it uses
openssl> printf or it should be replaced with a version that takes a
openssl> FILE * argument (guarded with #ifndef
openssl> OPENSSL_NO_FP_API/#endif pair) and a version that takes a BIO
openssl> * (if this function is intended to be used for anything else
openssl> besides debugging purposes).

Good point, I'll take a look at that.

openssl> I have included another patch (to be applied after the first
openssl> patch) which defines USE_BIGNUM_PQ_64BIT when OPENSSL_SYS_VMS
openssl> or VMS_TEST is defined and changes the #if
openssl> defined(OPENSSL_SYS_VMS) || defined(VMS_TEST) and similar
openssl> tests with #ifdef USE_BIGNUM_PQ_64BIT etc test in all
openssl> places. This would make it easier for other systems to use
openssl> the VMS changes, only pq_compat.h would have to be changed.

Good point as well.

Cheers,
Richard

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

--
Richard Levitte [EMAIL PROTECTED]
http://richard.levitte.org/

When I became a man I put away childish things, including the fear of childishness and the desire to be very grown up.
-- C.S. Lewis
[ANNOUNCE] OpenSSL 0.9.8 beta 3 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 3

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The third beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-0.9.8-beta3.tar.gz
  MD5 checksum: 5353f8c553c3be6835180bfdeb31b5dc
  SHA1 checksum: a8c3624e1dd5fd797fc5e58ea7d0def361fa26e2

The checksums were calculated using the following command:

  openssl md5 openssl-0.9.8-beta3.tar.gz
  openssl sha1 openssl-0.9.8-beta3.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 104 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES and http://www.openssl.org/source/exp/NEWS).

Since the second beta, the following has happened:

- the build system has been corrected for systems where the second beta was failing. These contain enhancements for VMS and DJGPP.
- there has been work to make pqueue and dtls more portable
- RSA-PSS and RSA-X.931 have been added.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox, Ben Laurie, Andy Polyakov, Ralf S. Engelschall, Richard Levitte, Geoff Thorpe, Dr. Stephen Henson, Bodo Möller, Ulf Möller, Lutz Jänicke, Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCm6NTp6+eePcJRTsRAtthAJ9WJrdIXskkIFH7UcUADdbx/s8VOwCeLgQG
X019YLgh1fNpWDYhicjjmGo=
=Z/+m
-----END PGP SIGNATURE-----
Re: Problems with engines in 0.9.8-beta1
In message [EMAIL PROTECTED] on Thu, 26 May 2005 21:29:25 -0400, Geoff Thorpe [EMAIL PROTECTED] said:

geoff> Eek, I've incurred the wrath of the Cult Of Strange Platforms
geoff> In Denial ... :-)

*g*

geoff> > I have no problems with a name change of the sort. In the
geoff> > VMS case, I doubt anyone will mind :-).
geoff>
geoff> Actually, even in the unstrange build, this would be more
geoff> intrusive than I anticipated - it would require renaming the C
geoff> files too (ie. the makefile maps 'ncipher' to 'libncipher.so'
geoff> and 'e_ncipher.c'). Thoughts?

Do it. Before I release beta 3.

geoff> [snip]
geoff> > geoff> duplicate symbol in libcrypto and so make install
geoff> > geoff> ended up
geoff> [snip]
geoff> > Does that happen with a clean working directory?
geoff>
geoff> Oops, good call :-)

heh :-)

Cheers,
Richard
Re: Problems with engines in 0.9.8-beta1
In message [EMAIL PROTECTED] on Tue, 24 May 2005 23:16:11 -0400, Geoff Thorpe [EMAIL PROTECTED] said:

geoff> Richard, any idea of how safe it would be to change the names
geoff> of the two shared libraries at this stage of the 0.9.8 betas?
geoff> I'm reluctant to charge ahead for fear of breaking the strange
geoff> builds (win32, VMS, cygwin, ...)

(I'll join Corinna in saying What? VMS a strange build? How dare you... ;-))

I have no problems with a name change of the sort. In the VMS case, I doubt anyone will mind :-).

geoff> Oh that reminds me too - the build I tried earlier got a
geoff> duplicate symbol in libcrypto and so make install ended up
geoff> without the shared-library version of libcrypto installed -
geoff> everything seemed to work anyway (presumably everything linked
geoff> to libcrypto.a instead) so this goes unnoticed quite easily.
geoff> I'll try to dig up more info tomorrow when I get back to the
geoff> machine I was on.

Does that happen with a clean working directory?

Cheers,
Richard
[ANNOUNCE] OpenSSL 0.9.8 beta 2 released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenSSL version 0.9.8 Beta 2

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

OpenSSL is currently in a release cycle. The second beta is now released. The beta release is available for download via HTTP and FTP from the following master locations (the various FTP mirrors you can find under http://www.openssl.org/source/mirror.html):

o http://www.openssl.org/source/
o ftp://ftp.openssl.org/source/

The file names of the beta are:

o openssl-0.9.8-beta2.tar.gz
  MD5 checksum: 2c1c0958500a6c4e63b5c13f0f5d0694
  SHA1 checksum: bbe0460154099506484affb49d40ccaefe6ef3d2

The checksums were calculated using the following command:

  openssl md5 openssl-0.9.8-beta2.tar.gz
  openssl sha1 openssl-0.9.8-beta2.tar.gz

Please download and test them as soon as possible. This new OpenSSL version incorporates 103 documented changes and bugfixes to the toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

Since the first beta, the following has happened:

- the build system has been corrected for systems where the first beta was failing. Enhancements for Cygwin are the most notable.
- some more platforms have 'no-sse2' by default.
- there are better checks to see if SHA-512 is built (it won't build on systems that have no support for 64-bit integers).
- a memory leak in PKCS#7 has been plugged.
- ECDH and ECDSA have a few enhancements.

We still have problems with BN_ULLONG in crypto/pqueue and the DTLS files. It's being worked on.

Reports and patches should be sent to [EMAIL PROTECTED]
Discussions around the development of OpenSSL should be sent to [EMAIL PROTECTED]
Anything else should go to [EMAIL PROTECTED]

The best way, at least on Unix, to create a report is to do the following after configuration:

  make report

That will do a few basic checks of the compiler and bc, then build and run the tests. The result will appear on screen and in the file testlog. Please read the report before sending it to us. There may be problems that we can't solve for you, like missing programs.

Yours,
The OpenSSL Project Team...

Mark J. Cox, Ben Laurie, Andy Polyakov, Ralf S. Engelschall, Richard Levitte, Geoff Thorpe, Dr. Stephen Henson, Bodo Möller, Ulf Möller, Lutz Jänicke, Nils Larsch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCkquTp6+eePcJRTsRAgKPAKCguxwQdtSwMv2VctoC1Nyo2+WOgQCfeAoE
xS4Cc5davZAbfXEFPEaiphM=
=qCHk
-----END PGP SIGNATURE-----
Re: OpenSSL 0.9.8 Beta 1
In message [EMAIL PROTECTED] on Sat, 21 May 2005 19:21:20 -0700 (PDT), Tim Rice [EMAIL PROTECTED] said:

tim> On Fri, 20 May 2005, Richard Levitte - VMS Whacker wrote:
tim>
tim> > In message [EMAIL PROTECTED] on Thu, 19 May 2005 22:14:20 -0700 (PDT), Tim Rice [EMAIL PROTECTED] said:
tim> >
tim> > Hmm... I personally do not support SCO products for political
tim> > reasons, so I'm not going to offer much about them. However,
tim> > it looks like the CC and CFLAGS variables do not follow along
tim> > in the build for some of your platforms, and that has me a bit
tim> > worried. I'll look at it today or tomorrow...
tim>
tim> If you have access to a Solaris 8 box you can see the problem
tim> there. GNU make works and the system make does not.
tim> The CHANGES file did not mention requiring GNU make now.
tim> Has this changed for 0.9.8 or is it a bug in the Makefile?

It's a bug in the Makefile. Try a later 0.9.8 snapshot and check if it makes a difference, or try the beta that I'm going to release tomorrow.

Cheers,
Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 1 released
In message [EMAIL PROTECTED] on Fri, 20 May 2005 14:45:01 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> Sorry for a possibly dumb question, but I don't quite
vinschen> understand the engines concept. Is there a good reason that
vinschen> the engine shared libs are created w/o version information?

The engine shared libs are plug-ins. soname versions are not quite relevant in that case, and OpenSSL has an internal compatibility checking through an internal version number.

vinschen> The problem is that Makefile.shared is called from
vinschen> engines/Makefile without LIBVERSION being set to a sensible
vinschen> value, as it's done in the top level Makefile:

Correct.

vinschen> Even worse, the engines Makefile doesn't even have the
vinschen> version information set anywhere, so it's not clear to me
vinschen> how I can generate the engines with version info.

You simply don't :-).

Cheers,
Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 1 released
In message [EMAIL PROTECTED] on Fri, 20 May 2005 18:32:47 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> Ok, below is a patch which should solve the problems on
vinschen> Cygwin. It tweaks Makefile.org, Makefile.shared,
vinschen> engines/Makefile and util/cygwin.sh.

Applied.

Cheers,
Richard
Re: [ANNOUNCE] OpenSSL 0.9.8 beta 1 released
In message [EMAIL PROTECTED] on Sat, 21 May 2005 19:11:20 +0200, Corinna Vinschen [EMAIL PROTECTED] said:

vinschen> What about my question:
vinschen>
vinschen> > What I'm not sure about is, if the engines shouldn't
vinschen> > better be installed into /usr/bin. Otherwise they are
vinschen> > only loadable using full paths, or when $PATH also
vinschen> > contains the engine installation path, according to
vinschen> > Windows DLL loading rules. I'd be grateful about a hint
vinschen> > here...
vinschen>
vinschen> Is that something to worry about at all?

The following from CHANGES should explain it:

  *) Change the ENGINE framework to automatically load engines dynamically from specific directories unless they could be found to already be built in or loaded. Move all the current engines except for the cryptodev one to a new directory engines/. The engines in engines/ are built as shared libraries if the shared options was given to ./Configure or ./config. Otherwise, they are inserted in libcrypto.a. /usr/local/ssl/engines is the default directory for dynamic engines, but that can be overridden at configure time through the usual use of --prefix and/or --openssldir, and at run time with the environment variable OPENSSL_ENGINES.
     [Geoff Thorpe and Richard Levitte]

Cheers,
Richard
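The run-time lookup described in the CHANGES entry above (OPENSSL_ENGINES first, the configured default otherwise), as an added example that is not part of the original thread or of OpenSSL's sources. The function names `resolve_engines_dir` and `engines_dir_is_safe` are hypothetical, treating an empty variable as unset is an assumption, and the ownership/mode check is an added defensive step for a directory that plug-in code is loaded from.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Default named in the CHANGES entry; a real build derives it from
 * --prefix / --openssldir at configure time. */
#define DEFAULT_ENGINES_DIR "/usr/local/ssl/engines"

/* Run-time override first, configured default otherwise.
 * Assumption of this sketch: an empty variable counts as unset. */
const char *resolve_engines_dir(void)
{
    const char *dir = getenv("OPENSSL_ENGINES");
    return (dir != NULL && dir[0] != '\0') ? dir : DEFAULT_ENGINES_DIR;
}

/* Returns 1 if path is a directory owned by root or by the current
 * effective user and not writable by group or others; 0 otherwise,
 * including when stat() fails. Parent directories are not checked. */
int engines_dir_is_safe(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0 && st.st_uid != geteuid())
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

int main(void)
{
    const char *dir = resolve_engines_dir();
    int overridden = strcmp(dir, DEFAULT_ENGINES_DIR) != 0;
    int ok = engines_dir_is_safe(dir);

    printf("engine directory: %s (%s)\n", dir,
           overridden ? "from OPENSSL_ENGINES" : "default path");
    printf("ownership and mode: %s\n",
           ok ? "ok" : "missing, or owned/writable by another user");
    return ok ? 0 : 1;
}
```

Because the variable is read from the process environment, a service that loads engines should have OPENSSL_ENGINES set or cleared explicitly by whatever launches it rather than inherited.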
Re: QNX Compile Error (Illegal _XOPEN_SOURCE value)
In message [EMAIL PROTECTED] on Sat, 21 May 2005 10:07:23 -0700 (PDT), David Wolfe [EMAIL PROTECTED] said:

dwolfe5272> I suspect that no other platforms would break if this
dwolfe5272> change were made in the OpenSSL sources, as this seems to
dwolfe5272> be the standard-mandated behavior:
dwolfe5272> http://www.opengroup.org/onlinepubs/007908799/xsh/compilation.html

Fix applied. Thanks for the notification.

Cheers,
Richard