from:"Roumen Petrov via RT"

[openssl-dev] [openssl.org #4681] X.509 load method

2016-09-22 Thread Roumen Petrov via RT

This is an enhancement request.

OpenSSL 1.1 hides details of structures used to load X.509 certificates, 
in particular - x509_lookup_method_st , x509_lookup_st and x509_object_st.
This impact non OpenSSL projects as external application has to 
duplicated those structures.

Request is OpenSSL do not change those structures until new 
implementation in a binary incompatible release.


It seems to me current look-up method is quite complex.
For instance get_by_subject performs two main steps load and query - see 
"by_dir".
In first step code using "query constraint" fetch data and adds each 
item found to store. Update of store requires thread lock.
In second step code query entire store using "query constraint" and 
prepare result. Query of store requires thread lock.

I guess that could be used more simple "callback" model - a method with 
callback context.
Method fetch data, return only item (certificate, CRL, etc.) on each 
call and so until end of data.
With this model library is responsible to update store and to prepare 
result. Lock of store could be managed internally.


Regards,
Roumen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4681
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4590] accessors without const return arguments

2016-08-03 Thread Roumen Petrov via RT

Stephen Henson via RT wrote:
> On Sat Jun 25 22:09:59 2016, open...@roumenpetrov.info wrote:
>> Above is reason the request to remove const from return argument of get0
>> methods.
> We had a discussion about this and the preference was to have get methods
> retain const for various reasons.
>
> Instead the DSA_SIG/ECDSA_SIG structures now no longer pre-allocate r/s so 
> they
> aren't immediately freed when you set them.

Please update documentation (status of 3.8.2016):
1) DSA_SIG_new.pod
DSA_SIG_new() allocates and initializes a B structure.

So now function only allocates signature.


2) ECDSA_SIG_new.pod
ECDSA_SIG_new() allocates a new B structure (note: this
function also allocates the BIGNUMs) and initializes it.

Same here, but please indicate that this is changed in 1.1.


>> The issue is not only for ECDSA but also for DSA_SIG and RSA, DSA, DH
>> keys where situation is similar.
> Do you have some examples of how this affects other structures? For RSA/DSA/DH
> keys the fields are NULL initially unless I've missed something.
Impact is over other software where more or less situation is the same - 
code allocates and initialize(!) keys.
In deserialization process just updates allocated key material.

It seemt to me now is more easy just to perform "const cast hack" 
instead to rewrite totally code.

Roumen


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4590
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4590] accessors without const return arguments

2016-06-25 Thread Roumen Petrov via RT

Hello,

Recently declaration of a number of get0 methods was changed to return 
constant values (BIGNUM).

Lets me quote description of an allocator "/ECDSA_SIG_new()/ allocates a 
new *ECDSA_SIG* structure (note: this function also allocates the 
BIGNUMs) and initialize it."

Now lets try to write deserialization of a ECDSA signature. With set 
method allocated and never user ECDSA members r and s has to be freed 
and replaced by new one. As result extra allocation of big numbers 
impact performance and increase memory usage.

Above is reason the request to remove const from return argument of get0 
methods.

The issue is not only for ECDSA but also for DSA_SIG and RSA, DSA, DH 
keys where situation is similar.


Regards,
Roumen Petrov



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4590
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #2363] bug: memory allocated by DH_new() may never be free()ed

2016-02-29 Thread Roumen Petrov via RT

It is expected DH_free(DH_new()); to leaks memory.  Usually XXX method 
initialize "extra data".

Sample code is without code that clear library, at least 
CRYPTO_cleanup_all_ex_data is missing.

Roumen



-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2363
Please log in as guest with password guest if prompted

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()

2016-02-22 Thread Roumen Petrov via RT

Hi Rich,

Rich Salz via RT wrote:
> fixed in commit 985c3146967633707f7c165df82bb0fd8f279758 thanks for the 
> report!
 From initial patch is missing line with header += 9.
Please could you review parsing with ENCRYPTED

Roumen

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320
Please log in as guest with password guest if prompted

>From b359b5caf689583b247d825892ccd6dd42474de1 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Thu, 18 Feb 2016 23:26:43 +0200
Subject: [PATCH 4/4] #4320 OpenSSL 1.1.0-pre3: "unable to load Key" error in
 PEM_get_EVP_CIPHER_INFO()

---
 crypto/pem/pem_lib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index a75d9ac..5e8077e 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -509,6 +509,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_NOT_ENCRYPTED);
 return (0);
 }
+header += 9;
 for (; (*header != '\n') && (*header != '\0'); header++) ;
 if (*header == '\0') {
 PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_SHORT_HEADER);
@@ -536,7 +537,7 @@ int PEM_get_EVP_CIPHER_INFO(char *header, EVP_CIPHER_INFO *cipher)
 }
 *header = '\0';
 cipher->cipher = enc = EVP_get_cipherbyname(dekinfostart);
-*header = c;
+*header++ = c;
 
 if (enc == NULL) {
 PEMerr(PEM_F_PEM_GET_EVP_CIPHER_INFO, PEM_R_UNSUPPORTED_ENCRYPTION);
-- 
1.8.4

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4312] documentation: RSA_new_method argument

2016-02-16 Thread Roumen Petrov via RT

Hello,

Function argument is pointer to ENGINE - please find attached patch

Regards,
Roumen Petrov

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4312
Please log in as guest with password guest if prompted

>From 2f2e1f210ec3c8452ecd041604fd14071a4b59ca Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sat, 13 Feb 2016 10:41:49 +0200
Subject: [PATCH 3/5] documentation: RSA_new_method argument

---
 doc/crypto/RSA_set_method.pod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/crypto/RSA_set_method.pod b/doc/crypto/RSA_set_method.pod
index d09fed2..add193e 100644
--- a/doc/crypto/RSA_set_method.pod
+++ b/doc/crypto/RSA_set_method.pod
@@ -24,7 +24,7 @@ RSA_new_method - select RSA method
 
  int RSA_flags(const RSA *rsa);
 
- RSA *RSA_new_method(RSA_METHOD *method);
+ RSA *RSA_new_method(ENGINE *engine);
 
 =head1 DESCRIPTION
 
-- 
1.8.4

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4207] engine key format in 1.1

2016-01-16 Thread Roumen Petrov via RT

Also patches for commands:
- pkey : "0017-pkey-cmd-restore-keys-from-engine.patch"
- req : "0018-req-cmd-restore-keys-from-engine.patch"

>From 0ea1c0b9b600977e93efed4545166ec4ae245bc9 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sat, 9 Jan 2016 14:52:14 +0200
Subject: [PATCH 17/19] pkey cmd: restore keys from engine

---
 apps/pkey.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/pkey.c b/apps/pkey.c
index 40db6f5..9a72df4 100644
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -71,11 +71,11 @@ typedef enum OPTION_choice {
 
 OPTIONS pkey_options[] = {
 {"help", OPT_HELP, '-', "Display this summary"},
-{"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
+{"inform", OPT_INFORM, 'f', "Input format (DER or PEM)"},
 {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
 {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
-{"in", OPT_IN, '<', "Input file"},
+{"in", OPT_IN, 's', "Input file"},
 {"out", OPT_OUT, '>', "Output file"},
 {"pubin", OPT_PUBIN, '-',
  "Read public key from input (default is private key)"},
@@ -116,7 +116,7 @@ int pkey_main(int argc, char **argv)
 ret = 0;
 goto end;
 case OPT_INFORM:
-if (!opt_format(opt_arg(), OPT_FMT_PEMDER, ))
+if (!opt_format(opt_arg(), OPT_FMT_ANY, ))
 goto opthelp;
 break;
 case OPT_OUTFORM:
-- 
1.8.4

>From 5c976b9fc19533514faae5c3c5ac1664eb33080b Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sun, 10 Jan 2016 21:20:01 +0200
Subject: [PATCH 18/19] req cmd: restore keys from engine

---
 apps/req.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/req.c b/apps/req.c
index a0da788..335d777 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -136,8 +136,8 @@ OPTIONS req_options[] = {
 {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
 {"in", OPT_IN, '<', "Input file"},
 {"out", OPT_OUT, '>', "Output file"},
-{"key", OPT_KEY, '<', "Use the private key contained in file"},
-{"keyform", OPT_KEYFORM, 'F', "Key file format"},
+{"key", OPT_KEY, 's', "Use the private key contained in file"},
+{"keyform", OPT_KEYFORM, 'f', "Key file format"},
 {"pubkey", OPT_PUBKEY, '-', "Output public key"},
 {"new", OPT_NEW, '-', "New request"},
 {"config", OPT_CONFIG, '<', "Request template file"},
@@ -235,7 +235,7 @@ int req_main(int argc, char **argv)
 goto opthelp;
 break;
 case OPT_ENGINE:
-(void)setup_engine(opt_arg(), 0);
+e = setup_engine(opt_arg(), 0);
 break;
 case OPT_KEYGEN_ENGINE:
 #ifndef OPENSSL_NO_ENGINE
@@ -259,7 +259,7 @@ int req_main(int argc, char **argv)
 template = opt_arg();
 break;
 case OPT_KEYFORM:
-if (!opt_format(opt_arg(), OPT_FMT_PEMDER, ))
+if (!opt_format(opt_arg(), OPT_FMT_ANY, ))
 goto opthelp;
 break;
 case OPT_IN:
-- 
1.8.4

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4249] ECDSA method flags

2016-01-16 Thread Roumen Petrov via RT

In 1.0.2 branch commit 94c2f77a62be7079ab1893ab14b18a30157c4532 add 
functions to set ECDSA_METHOD structure.
One on functions is to set flags. Until now ECDSA flags are defined only 
in non-installed header.


1) "0003-move-some-ECDSA_METHOD-declarations-after-descriptio.patch"
First patch is cosmetic correction of above mentioned commit - move some 
declarations after description.

2) "0004-public-flag-ECDSA_FLAG_FIPS_METHOD.patch"
Actual patch that moves ECDSA flags to public header.

3) "0005-remove-unused-flag-EC_FLAG_FIPS_CHECKED.patch"

OpenSSL describes flag EC_FLAG_FIPS_CHECKED but this flags is not used 
in fips enabled openssl build. It seems to me is enough to set flag 
ECDSA_FLAG_FIPS_METHOD to allow ECDSA method to work in fips mode.


Regards,
Roumen Petrov



>From 4e2150fb50fc07e1edd38938f3d3c32e8438 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Thu, 14 Jan 2016 20:52:34 +0200
Subject: [PATCH 3/5] move some ECDSA_METHOD declarations after description

---
 crypto/ecdsa/ecdsa.h | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index a6f0930..759a9b4 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -288,20 +288,20 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method,
  const ECDSA_SIG *sig,
  EC_KEY *eckey));
 
-void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);
-
 /**  Set the flags field in the ECDSA_METHOD
  *   \param  ecdsa_method  pointer to existing ECDSA_METHOD
  *   \param  flags flags value to set
  */
 
-void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name);
+void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);
 
 /**  Set the name field in the ECDSA_METHOD
  *   \param  ecdsa_method  pointer to existing ECDSA_METHOD
  *   \param  name name to set
  */
 
+void ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name);
+
 /* BEGIN ERROR CODES */
 /*
  * The following lines are auto generated by the script mkerr.pl. Any changes
-- 
1.8.4


>From c80719cbed504c390c069038e9e3ea7fcd7901ad Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Thu, 14 Jan 2016 20:53:15 +0200
Subject: [PATCH 4/5] public flag ECDSA_FLAG_FIPS_METHOD

---
 crypto/ecdsa/ecdsa.h| 9 +
 crypto/ecdsa/ecs_locl.h | 9 -
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/crypto/ecdsa/ecdsa.h b/crypto/ecdsa/ecdsa.h
index 759a9b4..7b432b9 100644
--- a/crypto/ecdsa/ecdsa.h
+++ b/crypto/ecdsa/ecdsa.h
@@ -295,6 +295,15 @@ void ECDSA_METHOD_set_verify(ECDSA_METHOD *ecdsa_method,
 
 void ECDSA_METHOD_set_flags(ECDSA_METHOD *ecdsa_method, int flags);
 
+/*
+ * If this flag is set the ECDSA method is FIPS compliant and can be used in
+ * FIPS mode. This is set in the validated module method. If an application
+ * sets this flag in its own methods it is its responsibility to ensure the
+ * result is compliant.
+ */
+
+# define ECDSA_FLAG_FIPS_METHOD  0x1
+
 /**  Set the name field in the ECDSA_METHOD
  *   \param  ecdsa_method  pointer to existing ECDSA_METHOD
  *   \param  name name to set
diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h
index d3a5efc..4cd5a21 100644
--- a/crypto/ecdsa/ecs_locl.h
+++ b/crypto/ecdsa/ecs_locl.h
@@ -86,15 +86,6 @@ struct ecdsa_method {
 
 # define ECDSA_METHOD_FLAG_ALLOCATED 0x2
 
-/*
- * If this flag is set the ECDSA method is FIPS compliant and can be used in
- * FIPS mode. This is set in the validated module method. If an application
- * sets this flag in its own methods it is its responsibility to ensure the
- * result is compliant.
- */
-
-# define ECDSA_FLAG_FIPS_METHOD  0x1
-
 typedef struct ecdsa_data_st {
 /* EC_KEY_METH_DATA part */
 int (*init) (EC_KEY *);
-- 
1.8.4


>From f7339510f472eacdafb0343bb14907de15102c18 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Thu, 14 Jan 2016 21:07:47 +0200
Subject: [PATCH 5/5] remove unused flag EC_FLAG_FIPS_CHECKED

---
 crypto/ec/ec.h| 1 -
 doc/crypto/EC_KEY_new.pod | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/crypto/ec/ec.h b/crypto/ec/ec.h
index 81e6faf..9146bc3 100644
--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -746,7 +746,6 @@ typedef struct ec_key_st EC_KEY;
 
 /* some values for the flags field */
 # define EC_FLAG_NON_FIPS_ALLOW  0x1
-# define EC_FLAG_FIPS_CHECKED0x2
 
 /** Creates a new EC_KEY object.
  *  \return EC_KEY object or NULL if an error occurred.
diff --git a/doc/crypto/EC_KEY_new.pod b/doc/crypto/EC_KEY_new.pod
index 0fa2de1..00dba25 100644
--- a/doc/crypto/EC_KEY_new.pod
+++ b/doc/crypto/EC_KEY_new.pod
@@ -73,7 +73,7 @@ of point_conversion_forms please refer to L.
 EC_KEY_insert_key_method_data and EC_KEY_get_key_method_data enable the caller to associate arbitrary

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-03 Thread Roumen Petrov via RT

Salz, Rich via RT wrote:
> Tweaked, sigh.
> ; ./util/opensslwrap.sh engine - dynamic -pre 
> engine: Cannot mix flags and engine names.
> engine: Use -help for summary.
>  exit 1
>
If engine name cannot be at any position then please keep it as is. i.e. 
at last position. In this case please correct documentation with line in 
change log.


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-03 Thread Roumen Petrov via RT

Salz, Rich via RT wrote:
> Please see this:
>  
> https://github.com/openssl/openssl/compare/master...richsalz:rt4194?expand=1
>
It should fail with openssl engine - dynamic -pre 
SO_PATH:/lib/libfoo.so 

Help string looks good.

Roumen


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-03 Thread Roumen Petrov via RT

Salz, Rich via RT wrote:
> So you're saying just close this ticket?
>
No. My request is to restore flexible engine command line and optionally 
help string.
I only disagree with proposed partial correction for command line.


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2016-01-02 Thread Roumen Petrov via RT

Rich Salz via RT wrote:
> [SNIP]
> out = dup_bio_out(FORMAT_TEXT);
> - prog = opt_init(argc, argv, engine_options);
> if (!engines || !pre_cmds || !post_cmds)
> goto end;
> + while ((argv1 = argv[1]) != NULL && *argv1 != '-') {
> + sk_OPENSSL_STRING_push(engines, *argv1);
> + argc--;
> + argv++;
> + }
> + prog = opt_init(argc, argv, engine_options);
>
[SNIP]
Above patch is not complete. It seems to opt_init stop processing on 
first non-option argument.
In sample like :
openssl engine dynamic \
  -pre SO_PATH:/lib/libfoo.so \
  -pre ID:foo \
  -pre LOAD \
  -pre "CMD_FOO:some input data"

Arguments after dynamic are considered as engines The code try to use 
engines like "-pre",  "ID:foo" and "CMD_FOO:some input data".


Another sample is "Or to simply see the list of commands supported 
by the "foo" ENGINE;

openssl engine - dynamic \
  -pre SO_PATH:/lib/libfoo.so \
  -pre ID:foo \
  -pre LOAD
"
In above case engine is between "normal" arguments.

Roumen


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4207] engine key format in 1.1

2015-12-29 Thread Roumen Petrov via RT

Hi,

Implementation of common option processing for OpenSSL commands broke 
ENGINE key
format.
The patches attached to this email are only for tested command.


1) dgst command (see  0003-dgst-cmd-restore-keys-from-engine.patch)
Key form is described as any but value type of input ('<') is too 
restrictive - change input to string type.


2) rsa command (see 0004-rsa-cmd-restore-keys-from-engine.patch)
Similar as dgst.


3) dsa command (see 0005-dsa-cmd-implement-keys-from-engine.patch)
New.
Implementation of engine format is simple with common command processing.


4) ec command (see 0006-ec-cmd-implement-keys-from-engine.patch)
New.
Implementation of engine format requires specific load of input to be 
replaced to use  load_pubkey or load_key functions.
Then modification is similar as dsa.


5) rsautl command (see 0007-rsautl-cmd-restore-keys-from-engine.patch)
Key form input type 'f'(any) instead 'F' and input is from string type.


6) pkeyutl command (see 0008-pkeyutl-cmd-restore-keys-from-engine.patch)
Use key form input type 'f' instead 'F' .


Other commands are not tested yet.


Regards,
Roumen


>From 252430f0e1d0148b710caaa96de224384c5f8832 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sun, 15 Nov 2015 11:00:00 +0200
Subject: [PATCH 03/15] dgst cmd: restore keys from engine

---
 apps/dgst.c | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/dgst.c b/apps/dgst.c
index fb09a45..24c1f28 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -94,11 +94,11 @@ OPTIONS dgst_options[] = {
 {"rand", OPT_RAND, 's'},
 {"out", OPT_OUT, '>', "Output to filename rather than stdout"},
 {"passin", OPT_PASSIN, 's'},
-{"sign", OPT_SIGN, '<', "Sign digest using private key in file"},
-{"verify", OPT_VERIFY, '<',
- "Verify a signature using public key in file"},
-{"prverify", OPT_PRVERIFY, '<',
- "Verify a signature using private key in file"},
+{"sign", OPT_SIGN, 's', "Sign digest using private key in val"},
+{"verify", OPT_VERIFY, 's',
+ "Verify a signature using public key in val"},
+{"prverify", OPT_PRVERIFY, 's',
+ "Verify a signature using private key in val"},
 {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
 {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
 {"hex", OPT_HEX, '-', "Print as hex dump"},
-- 
1.8.4


>From 1a02cfbf0a67583cc98377aa59c5b13f48219f05 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sun, 15 Nov 2015 11:02:57 +0200
Subject: [PATCH 04/15] rsa cmd: restore keys from engine

---
 apps/rsa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/rsa.c b/apps/rsa.c
index cafa6f4..810713f 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -130,7 +130,7 @@ OPTIONS rsa_options[] = {
 {"help", OPT_HELP, '-', "Display this summary"},
 {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
 {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
-{"in", OPT_IN, '<', "Input file"},
+{"in", OPT_IN, 's', "Input file"},
 {"out", OPT_OUT, '>', "Output file"},
 {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
 {"pubout", OPT_PUBOUT, '-', "Output a public key"},
-- 
1.8.4


>From 942553a7d2e38297b57d0fa6a0c57b62c9d1507f Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sun, 15 Nov 2015 11:03:43 +0200
Subject: [PATCH 05/15] dsa cmd: implement keys from engine

---
 apps/dsa.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/dsa.c b/apps/dsa.c
index 992d4e4..a2acd86 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -80,9 +80,9 @@ typedef enum OPTION_choice {
 
 OPTIONS dsa_options[] = {
 {"help", OPT_HELP, '-', "Display this summary"},
-{"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
+{"inform", OPT_INFORM, 'f', "Input format, DER PEM PVK"},
 {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
-{"in", OPT_IN, '<', "Input file"},
+{"in", OPT_IN, 's', "Input file"},
 {"out", OPT_OUT, '>', "Output file"},
 {"noout", OPT_NOOUT, '-', "Don't print key out"},
 {"text", OPT_TEXT, '-', "Print the key in text"},
@@ -131,7 +131,7 @@ int dsa_main(int argc, char **argv)
 goto end;
 case OPT_INFORM:
 if (!opt_format
-(opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, ))
+(opt_arg(), OPT_FMT_ANY | OPT_FMT_PVK, ))
 goto opthelp;
 break;
 case OPT_IN:
-- 
1.8.4


>From 35fe2da1bab1d1ca993d860128a12f1c4cb566a6 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Fri, 11 Dec 2015 22:46:02 +0200
Subject: [PATCH 06/15] ec cmd: implement keys from engine

---
 apps/ec.c | 46 ++
 1 file changed, 26 insertions(+), 20 deletions(-)

diff --git a/apps/ec.c b/apps/ec.c
index 8800cdf..7e8ca4e 100644

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

2015-12-29 Thread Roumen Petrov via RT

Salz, Rich via RT wrote:
> I don't know that I would call it a regression, but rather a difference. :)
> I'll fix the summary but not the old uncommon behavior.

Unlike other commands engine is flexible and documented behaviour (see 
previous post with quoted text).
As result in samples first is engine name then commands.
Just search in internet for samples - expect some recent openssl 
tutorial almost all other samples use name before options.

Request is only for engine. It is not for speed command for example.

This is reason to call issue regression.

Regards,
Roumen Petrov

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4200] extra data for ec keys

2015-12-24 Thread Roumen Petrov via RT

Update patch sent to request tracker - without gap for CRYPTO_EX_INDEX


Salz, Rich wrote:
>> External cryptographic modules may store addition information to key.
>> What about to define CRYPTO_EX_DATA for ec keys?
> That is the plan -- we will remove EX_EX_DATA and the internal API and just 
> use the standard crypto_ex_data stuff.  Want to make a more complete patch as 
> a github pull request? :)  Otherwise I'll get to it soon.
>


>From 07ad1979667aeb2ba99a8ed88f679fb684b8cf1c Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Thu, 24 Dec 2015 09:59:29 +0200
Subject: [PATCH 01/13] extra data for EC_KEY

---
 crypto/ec/ec_lcl.h   |  1 +
 crypto/ec/ec_lib.c   | 10 ++
 include/openssl/crypto.h | 17 -
 include/openssl/ec.h |  6 ++
 util/libeay.num  |  2 ++
 5 files changed, 27 insertions(+), 9 deletions(-)

diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h
index ebfaae3..912aa8e 100644
--- a/crypto/ec/ec_lcl.h
+++ b/crypto/ec/ec_lcl.h
@@ -267,6 +267,7 @@ struct ec_key_st {
 point_conversion_form_t conv_form;
 int references;
 int flags;
+CRYPTO_EX_DATA ex_data;
 EC_EXTRA_DATA *method_data;
 } /* EC_KEY */ ;
 
diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 7cb4759..e9e5832 100644
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -1091,3 +1091,13 @@ int ec_precompute_mont_data(EC_GROUP *group)
 BN_CTX_free(ctx);
 return ret;
 }
+
+int EC_KEY_set_ex_data(EC_KEY *key, int idx, void *arg)
+{
+return (CRYPTO_set_ex_data(>ex_data, idx, arg));
+}
+
+void *EC_KEY_get_ex_data(const EC_KEY *key, int idx)
+{
+return (CRYPTO_get_ex_data(>ex_data, idx));
+}
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 0d88a06..7fedb77 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -270,15 +270,14 @@ DECLARE_STACK_OF(void)
 # define CRYPTO_EX_INDEX_X509_STORE_CTX   5
 # define CRYPTO_EX_INDEX_DH   6
 # define CRYPTO_EX_INDEX_DSA  7
-# define CRYPTO_EX_INDEX_ECDH 8
-# define CRYPTO_EX_INDEX_ECDSA9
-# define CRYPTO_EX_INDEX_RSA 10
-# define CRYPTO_EX_INDEX_ENGINE  11
-# define CRYPTO_EX_INDEX_UI  12
-# define CRYPTO_EX_INDEX_BIO 13
-# define CRYPTO_EX_INDEX_STORE   14
-# define CRYPTO_EX_INDEX_APP 15
-# define CRYPTO_EX_INDEX__COUNT  16
+# define CRYPTO_EX_INDEX_RSA  8
+# define CRYPTO_EX_INDEX_ENGINE   9
+# define CRYPTO_EX_INDEX_UI  10
+# define CRYPTO_EX_INDEX_BIO 11
+# define CRYPTO_EX_INDEX_STORE   12
+# define CRYPTO_EX_INDEX_APP 13
+# define CRYPTO_EX_INDEX_EC_KEY  14
+# define CRYPTO_EX_INDEX__COUNT  15
 
 /*
  * This is the default callbacks, but we can have others as well: this is
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 1dc2db1..923844c 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -868,6 +868,12 @@ void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data,
 void *(*dup_func) (void *),
 void (*free_func) (void *),
 void (*clear_free_func) (void *));
+
+#define EC_KEY_get_ex_new_index(l, p, newf, dupf, freef) \
+CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, l, p, newf, dupf, freef)
+int EC_KEY_set_ex_data(EC_KEY *key, int idx, void *arg);
+void *EC_KEY_get_ex_data(const EC_KEY *key, int idx);
+
 /* wrapper functions for the underlying EC_GROUP object */
 void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
 
diff --git a/util/libeay.num b/util/libeay.num
index e10a4f1..f92fba4 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -4735,3 +4735,5 @@ OPENSSL_strlcat 5110	1_1_0	EXIST::FUNCTION:
 OPENSSL_memdup  5111	1_1_0	NOEXIST::FUNCTION:
 CRYPTO_memdup   5112	1_1_0	EXIST::FUNCTION:
 CRYPTO_strndup  5113	1_1_0	EXIST::FUNCTION:
+EC_KEY_get_ex_data  5114	1_1_0	EXIST::FUNCTION:EC
+EC_KEY_set_ex_data  5115	1_1_0	EXIST::FUNCTION:EC
-- 
1.8.4

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4195] remove duplicates in util/libeay.num

2015-12-22 Thread Roumen Petrov via RT

Hello,

After remove of some global variables in export file left double 
information for non existent functions.

For instance before:
X509_CERT_PAIR_it   3534 
EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
X509_CERT_PAIR_it   3534 
EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:

current:
X509_CERT_PAIR_it   35341_1_0 NOEXIST::FUNCTION:
X509_CERT_PAIR_it   35341_1_0 NOEXIST::FUNCTION:

Proposed patch removes duplicates.


Regards,
Roumen Petrov




>From 992be79410a3c909f4b1d2f492423aaf2c8a8454 Mon Sep 17 00:00:00 2001
From: Roumen Petrov 
Date: Sat, 21 Mar 2015 15:29:25 +0200
Subject: [PATCH 2/2] remove duplicates in util/libeay.num

---
 util/libeay.num | 13 -
 1 file changed, 13 deletions(-)

diff --git a/util/libeay.num b/util/libeay.num
index e9a678b..bce6ca0 100755
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -1951,7 +1951,6 @@ ENGINE_unregister_ciphers   2528	1_1_0	EXIST::FUNCTION:ENGINE
 ENGINE_get_ciphers  2529	1_1_0	EXIST::FUNCTION:ENGINE
 d2i_OCSP_BASICRESP  2530	1_1_0	EXIST::FUNCTION:
 KRB5_CHECKSUM_it2531	1_1_0	NOEXIST::FUNCTION:
-KRB5_CHECKSUM_it2531	1_1_0	NOEXIST::FUNCTION:
 EC_POINT_add2532	1_1_0	EXIST::FUNCTION:EC
 ASN1_item_ex_i2d2533	1_1_0	EXIST::FUNCTION:
 OCSP_CERTID_it  2534	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -1983,7 +1982,6 @@ X509_CRL_it 2555	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION
 X509_CRL_it 2555	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 OCSP_BASICRESP_add_ext  2556	1_1_0	EXIST::FUNCTION:
 KRB5_ENCKEY_it  2557	1_1_0	NOEXIST::FUNCTION:
-KRB5_ENCKEY_it  2557	1_1_0	NOEXIST::FUNCTION:
 UI_method_set_closer2558	1_1_0	EXIST::FUNCTION:
 X509_STORE_set_purpose  2559	1_1_0	EXIST::FUNCTION:
 i2d_ASN1_GENERALSTRING  2560	1_1_0	EXIST::FUNCTION:
@@ -2193,7 +2191,6 @@ X509_ATTRIBUTE_it   2732	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:
 OCSP_ONEREQ_get_ext_by_NID  2733	1_1_0	EXIST::FUNCTION:
 PKCS12_decrypt_skey 2734	1_1_0	EXIST::FUNCTION:
 KRB5_AUTHENT_it 2735	1_1_0	NOEXIST::FUNCTION:
-KRB5_AUTHENT_it 2735	1_1_0	NOEXIST::FUNCTION:
 UI_dup_error_string 2736	1_1_0	EXIST::FUNCTION:
 RSAPublicKey_it 2737	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:RSA
 RSAPublicKey_it 2737	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:RSA
@@ -2211,7 +2208,6 @@ HMAC_CTX_reset  2747	1_1_0	EXIST::FUNCTION:
 ENGINE_get_digest   2748	1_1_0	EXIST::FUNCTION:ENGINE
 OCSP_RESPONSE_print 2749	1_1_0	EXIST::FUNCTION:
 KRB5_TKTBODY_it 2750	1_1_0	NOEXIST::FUNCTION:
-KRB5_TKTBODY_it 2750	1_1_0	NOEXIST::FUNCTION:
 ACCESS_DESCRIPTION_it   2751	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 ACCESS_DESCRIPTION_it   2751	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 PKCS7_ISSUER_AND_SERIAL_it  2752	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
@@ -2266,7 +2262,6 @@ ASN1_tag2bit2788	1_1_0	EXIST::FUNCTION:
 UI_method_set_flusher   2789	1_1_0	EXIST::FUNCTION:
 X509_ocspid_print   2790	1_1_0	EXIST::FUNCTION:
 KRB5_ENCDATA_it 2791	1_1_0	NOEXIST::FUNCTION:
-KRB5_ENCDATA_it 2791	1_1_0	NOEXIST::FUNCTION:
 ENGINE_get_load_pubkey_function 2792	1_1_0	EXIST::FUNCTION:ENGINE
 UI_add_user_data2793	1_1_0	EXIST::FUNCTION:
 OCSP_REQUEST_delete_ext 2794	1_1_0	EXIST::FUNCTION:
@@ -2485,7 +2480,6 @@ OCSP_url_svcloc_new 2973	1_1_0	EXIST::FUNCTION:
 ASN1_template_free  2974	1_1_0	NOEXIST::FUNCTION:
 OCSP_SINGLERESP_add_ext 2975	1_1_0	EXIST::FUNCTION:
 KRB5_AUTHENTBODY_it 2976	1_1_0	NOEXIST::FUNCTION:
-KRB5_AUTHENTBODY_it 2976	1_1_0	NOEXIST::FUNCTION:
 X509_supported_extension2977	1_1_0	EXIST::FUNCTION:
 i2d_KRB5_AUTHDATA   2978	1_1_0	NOEXIST::FUNCTION:
 UI_method_get_opener2979	1_1_0	EXIST::FUNCTION:
@@ -2587,13 +2581,11 @@ asn1_do_lock3059	1_1_0	NOEXIST::FUNCTION:
 PKCS7_ATTR_VERIFY_it3060	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PKCS7_ATTR_VERIFY_it3060	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
 KRB5_APREQBODY_it   3061	1_1_0	NOEXIST::FUNCTION:
-KRB5_APREQBODY_it

[openssl-dev] [openssl.org #4194] engine command regression in 1.1

2015-12-21 Thread Roumen Petrov via RT

Hello,

OpenSSL engine command allows user to specify cryptographic module name 
at any position.
For instance README.ENGINE recommend following:
   openssl engine dynamic \
 -pre SO_PATH:/lib/libfoo.so \
   

The master branch (future 1.1) requires engine names to be specified 
after all options. This is regression introduced by new common " 
option-parsing".

Also new summary lack information for engine name as command line argument.


Regards,
Roumen Petrov

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4029] incomplete get methods for X509_VERIFY_PARAM

2015-09-04 Thread Roumen Petrov via RT

Hello,

In master branch structure X509_VERIFY_PARAM is declared as opaque.

For following attributes "get"-method is not defined:
- check_time : applicable if flag X509_V_FLAG_USE_CHECK_TIME is set
- inh_flags
- purpose
- trust
- policies: stack of opaques ASN1 objects
- id : opaque structure, may require own set of "get"-methods

It seems to me for attributes name, flags and depth access is complete.
Please finish declaration of X509_VERIFY_PARAM  as opaque structure with 
definition of "get"-methods.

Regards,
Roumen Petrov

___
openssl-bugs-mod mailing list
openssl-bugs-...@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-bugs-mod

___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [PATCH] [openssl.org #2558] [patch] make windres controllable via build env var settings

2015-03-08 Thread Roumen Petrov via RT

Mike Frysinger via RT wrote:
 atm, the windres code in openssl is only usable via the cross-compile prefix
 option unlike all the other build tools.  So add support for the standard $RC
 / $WINDRES env vars as well.
 ---
 [SNIP]
   else{
   s/^CC=.*$/CC= $cc/;
   s/^AR=\s*ar/AR= $ar/;
   s/^RANLIB=.*/RANLIB= $ranlib/;
 + s/^WINDRES=\s*/WINDRES= \$\(CROSS_COMPILE\)/;
   s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq gcc || ($cc eq 
 'cc'  $target =~ /darwin/);
   }
Is above line correct ?

[SNIP]
Regards,
Roumen


___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl.org #832] ocsp and dsa key+socket option SO_REUSEADDR for responder

2014-08-15 Thread Roumen Petrov via RT

Rich Salz via RT wrote:
 SO_REUSEADDR is done.
It is not activated in ocsp.c .

The rest is fixed in 1.+

[SNIP]


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2745] Fwd: GOST engine memory problems

2012-09-01 Thread Roumen Petrov via RT


Stephen Henson via RT wrote:
 I've finally had time to look into this. Please see if this fixes the issue:
May be is not related, but this engine lack call of 
ENGINE_register_pkey_asn1_meths . It seems to me without this 
registration initialization is different . If engine configuration is 
with init =1 gost_pkey_asn1_meths is not called.

 http://cvs.openssl.org/chngview?cn=22789
Probably issue is only in static build. After above correction 
pmeth_GostR3410_94 is used as flag to prevent double initialization.

Openssl 1.0.1 versions call internally ENGINE_register_all_complete.
Since 1.0.1* is binary compatible to 1.0.0* how to detect that engine 
initialization is finished ?I would like to avoid extra call to 
ENGINE_register_all_complete.

 Steve.

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2781] OpenSSL 1.x doesn't compile on mingw-w64 (targeting win32)

2012-04-01 Thread Roumen Petrov via RT

Leandro Santiago via RT wrote:
 I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on
 mingw-w64 (gcc 4.7), but I'm having errors.
 I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10
 64-bit and Windows 7 32-bit having the same errors.

 The command line I used was:

 ./Configure --prefix=$BUILD_PATH shared threads mingw32:gcc
 --cross-compile-prefix=i686-w64-mingw32-
Platform is mingw, or may be you use patched version where mingw32 is 
defined.

[SNIP]

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2750] [BUG] spec file doesn't properly build for lib64

2012-03-04 Thread Roumen Petrov via RT

Kevin Vargo via RT wrote:
 Some minor updates to the openssl.spec: wrapping ifarch around the various 
 lib dirs to get the right files in the right places.

 See attached diff


Configure script and spec are not consistent regarding multilib. It 
seems to me spec file should use libdir script parameter to override 
subpath computed by Configure.
Pseudo script
if arch x86_64
   define libdir lib64
else
   define libdir lib
...
define CONFIG_FLAGS ... --libdir=%libdir


Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2752] objects.txt - update of extended key usage

2012-03-04 Thread Roumen Petrov via RT

Hi,

RFC  6187 X.509v3 Certificates for Secure Shell Authentication defines 
two extended key usage
( http://tools.ietf.org  /html/rfc6187#section-2.2.2 ) with numbers 21 
and 22 for secure shell client and server respectively.
Currently in OpenSSL last number defined is 10.

This request is only for ssh related numbers but obejct.txt could be 
updated to list more. As example on page http://www.imc.org  
/ietf-pkix/pkix-oid.asn last extended key usage is with number 29.

Regards,
Roumen Petrov

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2718] openssl-fips-1.2.3: testsuite failures (SIGILL / Illegal instruction)

2012-02-22 Thread Roumen Petrov via RT

Hi Guido,

Guido Trentalancia via RT wrote:
 Hello.

 I was trying to run the testsuite for openssl-fips-1.2.3 but I get a
 problems with several tests.
[SNIP]
 OpenSSL self-test report:
[SNIP]
 Target:   linux-x86_64
[SNIP]
 gcc version 4.6.1 (GCC)
Please could you confirm that during the build GCC 4.6.1 warn user for 
bad cast and that application will terminate it code is reached.

I note this on 64-bit platform with gcc 4.5.2 and as Steve suggest I 
switch to 0.9.8x fips build.


Regards,
Roumen Petrov


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

2011-09-26 Thread Roumen Petrov via RT

Nick Lewis via RT wrote:
 Roumen

 Thank you for looking at the patch
[SNIP]
 +   if (issuer_num  (issuer_num  x_num))

 Please find a corrected version below

 Best Regards
 Nick

[SNIP]
With update version i confirm that regression test of a software now 
pass with OpenSSL HEAD version.

I still have problem with HEAD regarding check if is for self signed. 
This case is not in openssl regression tests ans cannot be reproduced 
with openssl command line. Case is when callback function return 
true(ok) for when error is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT for 
certificate that is not is trusted store. Later in code function 
check_trust() will return X509_TRUST_UNTRUSTED and check with comment /* 
If not explicitly trusted then indicate error */ will call again 
callback function with different error code. This functionality is not 
same as 1.0.0x.


Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

2011-09-11 Thread Roumen Petrov via RT

Nick Lewis via RT wrote:
 The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not 
 work correctly for some combinations of ctx-chain, x and issuer. For example 
 when the cert x is in the chain at a location other than the top, a path loop 
 is incorrectly declared. Also if the cert x is at the top of the chain but it 
 is self signed then a path loop is incorrectly declared. In practice the 
 latter causes bugs in which trusted self signed certificates are seen as 
 untrusted (e.g. some OCSP responses)

 It is my understanding that a path loop should only exist if the issuer is 
 present in the chain at a lower position to that of the cert x. Please find 
 below a patch against SNAP20110815

 Best Regards
 Nick
 _


 diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
 index 64df4d3..7bbe43b 100755
 --- a/crypto/x509/x509_vfy.c
 +++ b/crypto/x509/x509_vfy.c
 @@ -443,15 +443,18 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, 
 X509 *issuer)
  {
  int i;
  X509 *ch;
 +   int issuer_num = 0;
 +   int x_num = 0;
  for (i = 0; i  sk_X509_num(ctx-chain); i++)
   {
   ch = sk_X509_value(ctx-chain, i);
   if (ch == issuer || !X509_cmp(ch, issuer))
 -  {
 -  ret = X509_V_ERR_PATH_LOOP;
 -  break;
 -  }
 +  issuer_num = issuer_num ? issuer_num : i+1;
 +if (ch == x || !X509_cmp(ch, x))
 +  x_num = i+1;
   }
 +   if (issuer_num  x_num)
 +ret = X509_V_ERR_PATH_LOOP;
  }

The patch above fix some issues with self issued but break other 
non-self issued.


Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2504] Cross Compile MinGW DLLs on Linux

2011-04-27 Thread Roumen Petrov via RT

Marc Wäckerlin via RT wrote:
Hi OpenSSL

I managed to Cross Compile OpenSSL on Linux so that I can develop OpenSSL
applications that run on Windows entireliy inside a Linux build environment.

It even builds the executables and the DLLs on Linux.

Please add my changes to the official Configure script. The patch is in the
attachment.

Remark after some testing: As far as I see, the change in the MinGW target
(below 2. Change Link Arguments) is no more necessary in OpenSSL 1.0.0d.
Just remove the die-Line and everything is fine. :-)

Full documentation and Details of the patch are on my Homepage:
http://marc.waeckerlin.org/computer/blog/openssl_fuer_windows_mingw_unter_linux_crosscomilieren

From the Homepage:
-
Details of the Patch

1. Remove die-Line

Without the patch, you first drop into the error message:

./config --cross-compile-prefix=i586-mingw32msvc- --prefix=/tmp/openssl
shared mingw

Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
target already defined - linux-x86_64 (offending arg: mingw)

That's why the die-line is commented out.

Instead ./config I use ./Configure
2. Change Link Arguments

According to http://wagner.pp.ru/~vitus/articles/openssl-mingw.html, symbols
are not exported by default, that's why there is need for adding
-Wl,–export-all -shared.

Hmm, this is not true and the this build use util/libeay.num and
util/ssleay.num to export symbols.
May be those files are not up to date . Backup them, try make
util/libeay.num make util/ssleay.num after ./Configure and compare
with saved.

Thanks, Regards
Marc

Regards,
Roumen

__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org

Re: [openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.

2011-03-12 Thread Roumen Petrov via RT

Andrey Kulikov via RT wrote:
 Hello,

 Please find file attached: server_cert_from_engine4.patch
 This is a patch to allow loading server SSL certificate by ENGINE.

 [SNIP]

 After applying this patch s_server will accept -certform ENGINE option.

 This patch supplied by Stonesoft Corporation, who give me permission to
 supply it to OpenSSL.

 Feel free to contact with me with any related questions.

 Andrey.


No idea why patch use server in method names.

As the STORE it not available yet (enable in 0.98 but experimental in 1+ 
?!).
I vote for a simple temporary solution too ( 
http://www.stacken.kth.se/lists/heimdal-discuss/2005-04/msg4.html )

I prefer more generic method similar to ENGINE_load_ssl_client_cert, 
i.e. I need EVP keys, corresponding certificates and the certificate chain.
Of course engine ssl-cert method could be modified if SSL context is 
null to return above but current search criteria is limitation.

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2454] enable engine key for dsa command

2011-02-20 Thread Roumen Petrov via RT

Obsolete code prevent dsa command to use keys stored into engine.
The attached patch remove open of input file and left all to load_xxx 
functions.
See for reference rsa command that work fine.

Roumen

Index: apps/dsa.c
===
RCS file: /work/repo/mirror/openssl/openssl/apps/dsa.c,v
retrieving revision 1.39
diff -u -r1.39 dsa.c
--- apps/dsa.c	6 Apr 2010 11:18:57 -	1.39
+++ apps/dsa.c	19 Feb 2011 20:45:27 -
@@ -254,17 +258,6 @@
 		goto end;
 		}
 
-	if (infile == NULL)
-		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-	else
-		{
-		if (BIO_read_filename(in,infile) = 0)
-			{
-			perror(infile);
-			goto end;
-			}
-		}
-
 	BIO_printf(bio_err,read DSA key\n);
 
 		{

[openssl.org #2455] print dsa pubin/pubout options

2011-02-20 Thread Roumen Petrov via RT

See attached file with patch for openssl dsa command: print 
-pubin/-pubout options.
Also -engine flags is moved at same position as for rsa command.

Roumen

Index: apps/dsa.c
===
RCS file: /work/repo/mirror/openssl/openssl/apps/dsa.c,v
retrieving revision 1.39
diff -u -r1.39 dsa.c
--- apps/dsa.c	6 Apr 2010 11:18:57 -	1.39
+++ apps/dsa.c	19 Feb 2011 20:45:27 -
@@ -90,6 +90,8 @@
  * -seed- encrypt output if PEM format
  * -text	- print a text version
  * -modulus	- print the DSA public key
+ * -pubin	- Expect a public key in input file.
+ * -pubout	- Output a public key.
  */
 
 int MAIN(int, char **);
@@ -210,9 +212,6 @@
 		BIO_printf(bio_err, -passin arg input file pass phrase source\n);
 		BIO_printf(bio_err, -out argoutput file\n);
 		BIO_printf(bio_err, -passout argoutput file pass phrase source\n);
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, -engine e   use engine e, possibly a hardware device.\n);
-#endif
 		BIO_printf(bio_err, -desencrypt PEM output with cbc des\n);
 		BIO_printf(bio_err, -des3   encrypt PEM output with ede cbc des using 168 bit key\n);
 #ifndef OPENSSL_NO_IDEA
@@ -232,6 +231,11 @@
 		BIO_printf(bio_err, -text   print the key in text\n);
 		BIO_printf(bio_err, -noout  don't print key out\n);
 		BIO_printf(bio_err, -modulusprint the DSA public value\n);
+		BIO_printf(bio_err, -pubin  expect a public key in input file\n);
+		BIO_printf(bio_err, -pubout output a public key\n);
+#ifndef OPENSSL_NO_ENGINE
+		BIO_printf(bio_err, -engine e   use engine e, possibly a hardware device.\n);
+#endif
 		goto end;
 		}

Re: [openssl.org #2443] mkdef.pl cannot handle FIPS related functions

2011-02-04 Thread Roumen Petrov via RT

Dr. Stephen Henson wrote:
 [snip]
 I've updated the sources so they are now avaiable outside FIPS mode.

 Steve.

10x solved, please close.

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

[openssl.org #2443] mkdef.pl cannot handle FIPS related functions

2011-02-03 Thread Roumen Petrov via RT

The mingw cross-build of current HEAD(2011-01-31) fail :
WARNING: mkdef.pl doesn't know the following algorithms:
 NEXTPROTONEG
Creating library file: libcrypto.dll.a
Cannot export FIPS_dh_free: symbol not defined
.
Cannot export RSA_X931_generate_key_ex: symbol not defined
collect2: ld returned 1 exit status
make[4]: *** [link_a.cygwin] Error 1
make[4]: Leaving directory `SRCDIR'
make[3]: *** [do_cygwin-shared] Error 2
make[3]: Leaving directory `SRCDIR'
make[2]: *** [libcrypto.dll.a] Error 2
make[2]: Leaving directory `SRCDIR'
make[1]: *** [shared] Error 2
make[1]: Leaving directory `SRCDIR'
make: *** [build_crypto] Error 1

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2374] [PATCH] mingw32 cant compile e_capi.c (1.0.0b)

2010-11-18 Thread Roumen Petrov via RT

Guenter via RT wrote:
 Hi,
 it seems that all native MingW32 versions (tested with MingW32 4.50)
 lack of stuff to compile e_capi.c:
[SNIP]
 make[1]: *** [e_capi.o] Error 1
 make[1]: Leaving directory `/d/openssl-1.0.0b/engines'

 Therefore I've added some more define tests to OpenSSL 1.0.0b e_capi.c
 to furher check what we have (or not) in wincrypt.h:
 --- e_capi.c.orig Mon Mar 15 23:29:20 2010
 +++ e_capi.c  Thu Nov 18 17:43:19 2010
 @@ -76,10 +76,16 @@

[SNIP]
 */
 -#ifdef CERT_KEY_PROV_INFO_PROP_ID
 +#if defined(CERT_KEY_PROV_INFO_PROP_ID)  \
 +defined(CERT_STORE_PROV_SYSTEM_A)  \
 +defined(CERT_STORE_READONLY_FLAG)
# define __COMPILE_CAPIENG
#endif /* CERT_KEY_PROV_INFO_PROP_ID */
#endif /* OPENSSL_NO_CAPIENG */

 patch also attached.

I agree with Guenter about win api from mingw.org. The code should 
compile fine for mingw-64 headers.

So if defined ... looks good. The comment could be more simple - some 
mingw projects don't define .

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2246] dtls1.h includes winsock.h, overriding the #undefs from ossl_typ.h on Windows

2010-04-26 Thread Roumen Petrov via RT

M.-A. Lemburg via RT wrote:
 An application that only includes openssl/ssl.h from OpenSSL
 1.0.0 and doesn't use winsock.h will run into problems on Windows,
 since the dtls1.h header file includes the winsock.h header file long
 after the ossl_typ.h header file was loaded.

What about to define WIN32_LEAN_AND_MEAN ?
[SNIP]
Openssl 1+ is switched to winsock2.

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2195] [PATCH] Set default field separator in do_name_ex() (nameopt switch)

2010-03-18 Thread Roumen Petrov via RT

Kaspar Brand via RT wrote:
 When using -nameopt with the x509/req/ca commands, OpenSSL will
 currently abort the output if no sep_xxx option is provided. Examining
 the certificate from https://rt.openssl.org with openssl 509 -noout
 -text -nameopt utf8 e.g. gives

 Certificate:
  Data:
  Version: 3 (0x2)
  Serial Number:
  01:00:00:00:00:01:1c:57:8e:3a:eb
  Signature Algorithm: sha1WithRSAEncryption
  Issuer:

 I propose the attached patch, which adds sep_comma_plus_space if no
 other sep_xxx option is provided through the nameopt switch.

May be documentation should separate composite options like RFC2253, 
oneline and multiline from flags.
utf8
 convert all strings to UTF8 format first. This is required by 
RFC2253. ...

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2137] [PATCH] mingw fixups

2010-01-13 Thread Roumen Petrov via RT

Hi Alon,

Alon Bar-Lev via RT wrote:
 Hello,

 I use i686-w64-mingw32...
 We discussed this in past (I think) LEAN_AND_MEAN was added to win64
 but not win32.

 As w64 compiler much more complete and maintained I use it to compile
 win32 as-well.

 Alon.

 On Tue, Jan 12, 2010 at 11:14 PM, Roumen Petrov via RTr...@openssl.org  
 wrote:
 Alon Bar-Lev via RT wrote:

 The following is required in order to make beta4 compile using mingw (w64).

 Every time there is #includewindows.hsome symbols should be removed.
 Also, there is no need to #includewindows.hif e_os2.h was included.
 [SNIP]

 diff -urNp openssl-1.0.0-beta4.org/e_os.h openssl-1.0.0-beta4/e_os.h
 --- openssl-1.0.0-beta4.org/e_os.h2009-08-26 18:13:43.0 +0300
 +++ openssl-1.0.0-beta4/e_os.h2010-01-11 17:13:08.152360026 +0200
 @@ -372,6 +372,13 @@ static unsigned int _strlen31(const char
#define DEFAULT_HOME  C:
#  endif

 +#undef X509_NAME
 +#undef X509_EXTENSIONS
 +#undef X509_CERT_PAIR
 +#undef PKCS7_ISSUER_AND_SERIAL
 +#undef OCSP_REQUEST
 +#undef OCSP_RESPONSE

 Why -DWIN32_LEAN_AND_MEAN don't work in you build ?

 Roumen

Did you upgrade ? Lets check Configure updates:
-
...
revision 1.655
date: 2009/12/30 11:46:53;  author: appro;  state: Exp;  lines: +1 -1
Adapt mingw config for newer mingw environment. Note modified conditional
compilation in e_capi.c.
PR: 2113

-

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2137] [PATCH] mingw fixups

2010-01-12 Thread Roumen Petrov via RT

Alon Bar-Lev via RT wrote:

 The following is required in order to make beta4 compile using mingw (w64).

 Every time there is #includewindows.h  some symbols should be removed.
 Also, there is no need to #includewindows.h  if e_os2.h was included.
[SNIP]

 diff -urNp openssl-1.0.0-beta4.org/e_os.h openssl-1.0.0-beta4/e_os.h
 --- openssl-1.0.0-beta4.org/e_os.h2009-08-26 18:13:43.0 +0300
 +++ openssl-1.0.0-beta4/e_os.h2010-01-11 17:13:08.152360026 +0200
 @@ -372,6 +372,13 @@ static unsigned int _strlen31(const char
   #define DEFAULT_HOME  C:
   #  endif

 +#undef X509_NAME
 +#undef X509_EXTENSIONS
 +#undef X509_CERT_PAIR
 +#undef PKCS7_ISSUER_AND_SERIAL
 +#undef OCSP_REQUEST
 +#undef OCSP_RESPONSE

Why -DWIN32_LEAN_AND_MEAN don't work in you build ?

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #2071] Few more manual page

2009-10-15 Thread Roumen Petrov via RT

May be is good to document that numbers in hash dir starts from zero.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #1949] mod_ssl/openssl failures when more than 85 CAs are configured

2009-06-15 Thread Roumen Petrov via RT

Maarten Litmaath wrote:
 Hi Stephen,
 
 I can't see how anything could cause an issue with 85 CAs. The attached
 descriptions imply it might be a mod_ssl issue (not reproducible with
 s_server).
 
 There is a bit more information now in our ticket:
 
 https://savannah.cern.ch/bugs/?48458
 
 Romain Wartel wrote:
 
   So 4 conditions need to be met to reproduce the bug:
   - More than ~85 root CAs installed (the exact number varies)
   - The host certificate has been issued by the CERN CA
   - OpenSSL is configured to check the client side certificate
 (optional or required)
   - Both the CERN-Root CA and the CERN-TCA CA have to be installed
 
 However, Lassi A. Tuura then wrote:
 
   There is only one known condition triggering the problem,
   as quoted earlier in this thread: SSL re-negotiation response = 12kB
   leads to failure to flush the data to socket leading to server and
   client to wait indefinitely for each other.
  
   There's any number of ways to trim or expand the SSL response size
   to cross that threshold.
 
 The CERN CA has the second biggest size of all ~90 CAs currently
 supported by IGTF, which might explain why only CERN services are
 affected at this time.  OTOH, it does not look very different from
 others in the top 10:
 
 1e12d831.0 2594
 1d879c6c.0 2204
 9ff26ea4.0 2143
 55994d72.0 2029
 9dd23746.0 1996
 0a2bac92.0 1976
 f5ead794.0 1919
 03aa0ecb.0 1907
 6fee79b0.0 1903
 fe102e03.0 1900
 
 Then again, we may need to add the size of the CERN _Root_ CA:
 
 d254cc30.0 1350
 
 But there are other such chained CAs that do not cause problems...
 
 I'd suggest trying OpenSSL 0.9.8k as well though because some code
 changes might have an effect in that area.
 
 Steve Traylen wrote:
 
   it hangs the same , remove a few cas and it works.
  
   # rpm -q httpd mod_ssl openssl fedora-release
   httpd-2.2.11-8.x86_64
   mod_ssl-2.2.11-8.x86_64
   openssl-0.9.8k-4.fc11.x86_64
   fedora-release-11-1.noarch
 
 Might it be worth trying 1.0.0 as well?
 Thanks,
 Maarten
 __
 OpenSSL Project http://www.openssl.org
 Development Mailing List   openssl-dev@openssl.org
 Automated List Manager   majord...@openssl.org
 

In the past we can download a file with CA certificates ( 
ca-bundle.crt.tar.gz ) from mod_ssl site. Now file is removed but it 
contain more then 90 certificates (PEM format concatenated together).

I could confirm that problem is not in the number of certificates in 
file or  hash-dir as I test regularly with various OpenSSL versions 
starting from 0.9.6.

May be problem is in 64-bit OpenSSL (fedora?) build ?

Roumen




__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: [openssl.org #1753] snapshot 20081003 broke mingw build

2008-10-21 Thread Roumen Petrov via RT

Alon Bar-Lev via RT wrote:
 Attached are patches, please address this issues, it is hard to keep sync 
 this way.
 The order of the issue is according to importance, (1, 2, 3) blockers.
 Thanks!
 
 1. _XOPEN_SOURCE cannot be used in mingw, strptime is never used anyway?
 
 2. Make domd use cross compiler if available.
 
 3. Update depend to execute update so that openssl/crypto/objects/obj_xref.h
 will be generated as it is required for make depend.
 
 4. For some strange reason perl reports that symlinks are available
 under msys, while it cannot create symbolic link when the to
 is not reachable from cwd.
 
 5. Added -DWIN32_LEAN_AND_MEAN and drop the conflict undef of x509.h
 
 

I couldn't confirm above but I build in cross-compilation environment.
About 5) -DWIN32_LEAN_AND_MEAN it has to be default for all windows 
build except mingw32. It is related to winsock2 but mingw32 always 
include winsock2 headers. No objections this to be default for mingw 
too. May by you use mingw64  and this project use different headers in 
comparison to mingw32  project. The issue with mingw64 was already reported.

About 1) _XOPEN_SOURCE it is not clear what is really problem. I would 
like to reject this for minw32 It definition for mingw32 project is same 
as -posix compiler flag. Please detail version of mingw runtime environment.

About 2,3,4 - later.

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

[openssl.org #1747] capi engine and mingw

2008-09-24 Thread Roumen Petrov via RT

The attached patch is for openssl head and allow capi engine to be build 
with mingw (tested with cross-compilation). Details for the patch follow:

Build:
- export of OPENSSL_isservice:
The new capi engine require function OPENSSL_isservice() if engine 
dialog is enabled.
To get correct record in util/libeay.num, crypto/cryptlib.h is added
to the header files list in util/mkdef.pl and function declaration is
put in #if *WIN* statement.

May be the repository file util/libeay.num isn't refreshed since I get a 
unexpected number of differences (see the patch).


- engine extra libraries:
The capi engine require additional library - crypt32.
The mingw crypt32 library declare limited number of import functions.
So a new def-file(engines/mingw-crypt32.def) is added to be used by
linker instead mingw import library and engines/Makefile is updated
accordingly.

The following makefiles are changed to add extra engine libraries:
   apps/Makefile
   test/Makefile
FIXME: how to add properly engine extra libraries or extra linker
flags(mingw case) only for static build ?
Also how to detect if engine is disabled ?


- engine mingw port:
The engine code is updated with missing form mingw headers required 
declarions. Some of them are in #if statement depending from mingw 
w32api version.


- engine fixes:
Increment by one definitions of lookup methods to match help string and
check in engine control method.
Last argument of function CryptDecrypt() is long.


Test (only rsa is tested):
- rsautl -{encrypt|decrypt} pass
- dgst   -{sign|prverify} fail (unimplemented public key method)
- engine require init to be set to 1 in engine section from openssl 
config file otherwise command like engine -pre list_csps fail.
Also if init is not set we can't add engine specific parameters as 
example store_name - module initialization error.




openssl-cvs-mingw-capi.patch.gz
Description: application/gzip

Re: [openssl.org #1552] mingw patch for openssl-cvs

2008-02-17 Thread Roumen Petrov via RT

patch updated to current cvs 20080217

Roumen




openssl-cvs20080217-mingw.patch.gz
Description: application/gzip

Re: [openssl.org #1552] mingw patch for openssl-cvs

2007-08-02 Thread Roumen Petrov via RT

And now against CVS




openssl-cvs-mingw.diff.gz
Description: application/gzip

[openssl.org #1553] mscrypto engine for 0.9.8

2007-06-29 Thread Roumen Petrov via RT

Please find attached file openssl-mscrypto-20070625.tar.gz with 
openssl engine that can use keys from windows key-store. The engine can 
work with external keys too.

Source is for openssl version 0.9.8 and  mingw build require openssl 
source with mingw patch for 0.9.8 from request #1552 ( see OpenSSL 
Request Tracer ).

Directory engines/ contain source code and in test/ are batch files 
for test cases, environment and sample openssl config files for engine 
(openssl.cnf is for 0.9.7). Engine can be used in 0.9.7 but 
mscrypto_err.* should be recreated with corresponding util/mkerr.pl . 
Engine support only rsa key/certificates. You don't need to mark the 
private key as exportable when import PKCS#12(pfx) file. Engine can use 
certificates/keys stored on smart cards.

Tests require private key, corresponding public key and certificate that 
match private key. Every test case
is operation with engine and opposite  operation without. Character a 
in test case is for with-without engine, b is for without-with. 
Test case 1x is for rsautl encrypt-decrypt, 2x - rsautl 
sign-verify, 3x1 -  dgst sign-verify with keys/certs form files and in 
3x2 (dgst sign-verify) engine will use certificate from key-store. For 
test cases 3{a,b}2  certificate with matching private key should be 
loaded into key-store.
In test cases 2{a,b} rsautl sign-verify should fail. This look like 
problem with implementation in used crypto provider.

File env.bat set paths to openssl program and configuration, engine, key 
files, certificate canonical name, etc. To run test you should set 
TEST in do_test.bat and to run it.

Extension of openssl configuration file is cnf and by default is always 
hidden.


Instruction for mingw build environment:

Build command:
$ make -f Makefile.mscrypto OPENSSLSRC=path_to_openssl_source
Make sure that openssl is build and installed.

To install:
$ make -f Makefile.mscrypto install {INSTALLTOP=...} {INSTALL_PREFIX=..}
, where INSTALLTOP and INSTALL_PREFIX are optional.


Roumen




openssl-mscrypto-20070625.tar.gz
Description: application/gzip

[openssl.org #1552] mingw patch for openssl-0.9.8e

2007-06-26 Thread Roumen Petrov via RT

I would like to propose following patch to openssl-0.9.8e source (see 
attachment openssl-0.9.8e-mingw.patch.gz).
This patch is intended to create executables compatible with other win32 
compilers.


Modifications:
./Makefiles.shared:
- link_o.cygwin(used to build engines): modified use def-files in case 
of mingw . As example def-files allow target to be linked without 
library to exist on build system (IMPORTS);
- link_a.cygwin: modified to produce dlls that match library name in 
def-file.

./engines/Makefile:
- installation is extended to handle mingw and add support for lib prefixes.
  also correct suffixes in code to be equal to description in comment 
before.

./Makefile.org:
- install dlls for openssl libraries

./Configure:
- mingw (cosmetic) : shared flag in not necessary;
- $IsMK1MF=1 (fatal, fixed upsteam) : remove this line since it break 
mingw non-single makefile build;
- option static-engine : allow mkdef.pl to work without extra arguments.
  This can be extended in future to be a configure option that allow 
static and dynamic engines to be build at same time.
  Note that gmp engine need patch too and ./README.ENGINE is obsolete.

./util/mkerr.pl (not mingw specific):
-  added 'extern C {' in case of c++ to match right curly-brackets at end

./crypto/x509/Makefile (not mingw specific):
- MINFO is created without information for crypto/x509/ in makefile.one 
(files) target.


Tests:
The created on linux executables successfully replace openssl (msc 13.x) 
found at url below.
All xmlsec (with openssl) DSig tests succeed on w2k.


Questions after build:
After build I compare results between an existing build (openssl
0.9.8a, msc 13.x) and new build (openssl 0.9.8e, gcc 3.4.5 mingw). The
difference  is attached an file objdump_table-diff.gz.

Result show that mingw build export more functions. I guess that this is
normal since mingw build is for xxx.8e.

Other difference is that engines in mingw build are dynamic while in msc
- static. No idea why msc build
(http://www.zlatkovic.com/libxml.en.html) is with static engines.


Diff show that variables OSSL_DES_version and OSSL_libdes_version from
crypto/des/des_ver.h are exported in msc while mingw build don't export
them. File crypto/opensslconf.h in mingw build
define OPENSSL_EXPORT_VAR_AS_FUNCTION .

If a remember well borland compiler don't export variables. It seems to
me that gcc (mingw) don't export too. So that should use
OPENSSL_XXX_GLOBAL for both variables?

Configure set EXPORT_VAR_AS_FN for some win32 targets(msc, borlang,
mingw, but cigwin). Should Configure set EXPORT_VAR_AS_FN always if
build is for shared win32 platform ?


Roumen




objdump_table-diff.gz
Description: application/gzip


openssl-0.9.8e-mingw.patch.gz
Description: application/gzip

Re: [openssl.org #1466] X.509 name's printing

2007-03-12 Thread Roumen Petrov via RT

RFC 2254 : The String Representation of LDAP Search Filters

This patch add support for rfc2254 escaping.

With patched source method
ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags);
, where flags are
XN_FLAG_RFC2253|ASN1_STRFLGS_ESC_2254
can be used in generation of LDAP search filter.

Roumen


Index: crypto/asn1/a_strex.c
===
RCS file: /work/repo/mirror/openssl/openssl/crypto/asn1/a_strex.c,v
retrieving revision 1.17
diff -u -r1.17 a_strex.c
--- crypto/asn1/a_strex.c   21 Feb 2007 17:44:53 -  1.17
+++ crypto/asn1/a_strex.c   4 Mar 2007 21:18:57 -
@@ -112,9 +112,10 @@
  * 4 byte forms.
  */
 
-static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, 
char_io *io_ch, void *arg)
+static int do_esc_char(unsigned long c, unsigned short flags, char *do_quotes, 
char_io *io_ch, void *arg)
 {
-   unsigned char chflgs, chtmp;
+   unsigned short chflgs;
+   unsigned char chtmp;
char tmphex[HEX_SIZE(long)+3];
 
if(c  0xL)
@@ -143,7 +144,7 @@
if(!io_ch(arg, chtmp, 1)) return -1;
return 2;
}
-   if(chflgs  (ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB)) {
+   if(chflgs  
(ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB|ASN1_STRFLGS_ESC_2254)) {
BIO_snprintf(tmphex, 11, \\%02X, chtmp);
if(!io_ch(arg, tmphex, 3)) return -1;
return 3;
@@ -161,10 +162,11 @@
  */
 
 static int do_buf(unsigned char *buf, int buflen,
-   int type, unsigned char flags, char *quotes, char_io 
*io_ch, void *arg)
+   int type, unsigned short flags, char *quotes, char_io 
*io_ch, void *arg)
 {
int i, outlen, len;
-   unsigned char orflags, *p, *q;
+   unsigned short orflags;
+   unsigned char *p, *q;
unsigned long c;
p = buf;
q = buf + buflen;
@@ -208,12 +210,12 @@
 * otherwise each character will be  0x7f and 
so the 
 * character will never be escaped on first and 
last.
 */
-   len = do_esc_char(utfbuf[i], (unsigned 
char)(flags | orflags), quotes, io_ch, arg);
+   len = do_esc_char(utfbuf[i], (unsigned 
short)(flags | orflags), quotes, io_ch, arg);
if(len  0) return -1;
outlen += len;
}
} else {
-   len = do_esc_char(c, (unsigned char)(flags | orflags), 
quotes, io_ch, arg);
+   len = do_esc_char(c, (unsigned short)(flags | orflags), 
quotes, io_ch, arg);
if(len  0) return -1;
outlen += len;
}
@@ -293,6 +295,7 @@
 };
 
 #define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
+ ASN1_STRFLGS_ESC_2254 | \
  ASN1_STRFLGS_ESC_QUOTE | \
  ASN1_STRFLGS_ESC_CTRL | \
  ASN1_STRFLGS_ESC_MSB)
@@ -309,10 +312,10 @@
int outlen, len;
int type;
char quotes;
-   unsigned char flags;
+   unsigned short flags;
quotes = 0;
/* Keep a copy of escape flags */
-   flags = (unsigned char)(lflags  ESC_FLAGS);
+   flags = (unsigned short)(lflags  ESC_FLAGS);
 
type = str-type;
 
Index: crypto/asn1/asn1.h
===
RCS file: /work/repo/mirror/openssl/openssl/crypto/asn1/asn1.h,v
retrieving revision 1.149
diff -u -r1.149 asn1.h
--- crypto/asn1/asn1.h  24 Dec 2006 16:22:54 -  1.149
+++ crypto/asn1/asn1.h  4 Mar 2007 12:40:36 -
@@ -475,6 +475,10 @@
 
 #define ASN1_STRFLGS_DUMP_DER  0x200
 
+/* This flag determines to do RC2254 escaping.
+ */
+#define ASN1_STRFLGS_ESC_2254  0x400
+
 /* All the string flags consistent with RFC2253,
  * escaping control characters isn't essential in
  * RFC2253 but it is advisable anyway.
Index: crypto/asn1/charmap.h
===
RCS file: /work/repo/mirror/openssl/openssl/crypto/asn1/charmap.h,v
retrieving revision 1.1
diff -u -r1.1 charmap.h
--- crypto/asn1/charmap.h   28 Jul 2000 01:58:11 -  1.1
+++ crypto/asn1/charmap.h   4 Mar 2007 12:49:05 -
@@ -2,13 +2,13 @@
  * Mask of various character properties
  */
 
-static unsigned char char_type[] = {
+static unsigned short char_type[] = {
  2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
  2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
-120, 0, 1,40, 0, 0, 0,16,16,16, 0,25,25,16,16,16,
+120, 0, 1,40, 0, 0, 0,16,1040,1040,1040,25,25,16,16,16,
 16,16,16,16,16,16,16,16,16,16,16, 9, 9,16, 9,16,
  0,16,16,16,16,16,16,16,16,16,16,16,16,16,16,16,
-16,16,16,16,16,16,16,16,16,16,16, 0, 1, 0, 0, 0,
+16,16,16,16,16,16,16,16,16,16,16, 0,1025, 0,

[openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT


This ticket is opened to solve issues related to printing of subject
and/or issuer name of a X.509 certificate and related documentation.

Roumen


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT


This patch correct escape form in ASN1_STRING_print_ex documentation.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT


This patch correct options for command line argument -nameopt of x509 
application.
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1466] X.509 name's printing

2007-01-28 Thread Roumen Petrov via RT


Third issue is how to print certificate subject/issuer distinguished 
name in UTF-8 in more user friendly way ?

Example from manual page work fine:
$ openssl x509 -in cert.pem -noout -subject -nameopt oneline,-esc_msb

I prefer to use command more compatible to so called compatible format:
$ openssl x509 -in cert.pem -noout -subject -nameopt 
oneline,-esc_msb,-space_eq,sep_comma_plus

Bot above commands are not so intuitive.


After reading documentation user may try:
$ openssl x509 -in testid_rsa-rsa_md5.crt -noout -subject -nameopt utf8
This command show noting, without no error message and exit status is zero.
The documentation don't advice user that field separators are mandatory.


One solution is a_strex.c function do_name_ex to use as default one of 
existing formats.

Other possible solution is to add new -nameopt option,  as example 
UTF8 equivalent to utf8, one of
field separators and etc or maybe just to oneline but without esc_msb.

Third solution is to change only documentation to clarify that field 
separators are mandatory.

No idea what to prefer.


Fourth issue is related to -nameopt group options.
One group of options are field separators(sep_comma_plus, 
sep_comma_plus_space, sep_semi_plus_space, sep_multiline). Other group 
are options for field names (nofname, sname, lname, oid).
Flags for these options are more like value. They are not based on bits.

Quote from documentation Each option is described in detail below, all 
options can be preceded by a - to turn the option off.  This is not 
valid for these groups of options. The minus before these options is 
useless.

The program code surprisingly :) work although performed bitwise 
operation in that case.


Roumen

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1400] spurious CRs in S/MIME clearsigned mails

2006-10-22 Thread Roumen Petrov via RT


Proposed patches:

a.) apps-smime.patch : proper eol for To,From and Subject headers in case of 
-crlfeol command line option.

b.) crypto-pkcs7-pk7_mime.patch :
- add header in case of binary procesing
- add empty line (mandatory) if procesing type is not specified
   (case without -text and without -binary)





__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #1400] spurious CRs in S/MIME clearsigned mails

2006-10-17 Thread Roumen Petrov via RT


Hello Bruno,

Please could you defail used software.

During the past weekend I have time to setup a test network:
linux box:
- sendmail 8.12.9
- popa3d 0.6.1
- Mozilla 1.7.13 email client

ms windows me (at last i found a PC with operating system that use CRLF as EOL):
- Mozilla 1.7.13 email client
- Outlook Express  email client

The s-mime emails are generated on linux box with openssl versions 0.9.6m, 
0.9.7d , 0.9.7l, 0.9.8a and 0.9.8d. In case of version = 0.9.7d mail are 
generated with and without openssl smime -crlfeol option. As result the test 
case is from 9 emails.

The client(sender) certificate contain emailAddress!
The pkcs12 file is imported in NSS and MS-CRYPTO keystores
with necessary marks to trust emails.


The emails are created with command:
$ [OPENSSL] smime -sign -text {-crlfeol} \
  -inkey ... \
  -signer ... \
  -from ... \
  -to ... \
  -subject ... \
  -in [INPUT_FILE]  [SMIME_FILE]
and send with:
$ cat [SMIME_FILE] | /usr/sbin/sendmail -t

All three clients can read properly all 9 emails and show correct signature.


In additional a test in other network with sendmail.postfix 
(postfix to sendmail compatibility interface), imap email server
and SeaMonkey email client work well.
Note in last test envitonment all software run on platform with LF only as EOL.
Also note that above is valid only with -text option to openssl smime.


What about you environment ?
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   [EMAIL PROTECTED]

Re: [openssl.org #832] ocsp and dsa key+socket option SO_REUSEADDR for responder

2004-03-04 Thread Roumen Petrov via RT


evp_md = EVP_get_digestbynid(rkey-type) return:
- DSA key: same as EVP_dss1()
- RSA key: NULL - OBJ_nid2sn(rkey-type) return rsaEncryption 



Richard Levitte - VMS Whacker wrote:

In message [EMAIL PROTECTED] on Fri, 27 Feb 2004 14:00:24 +0100 (MET), Stephen 
Henson via RT [EMAIL PROTECTED] said:

rt 
rt [levitte - Fri Feb 27 00:04:45 2004]:
rt 
rt  I noticed the EVP_dss1() hack, and am pondering about something a bit 
rt  mkore generic.  Could you test if the following line works?
rt  
rtevp_md = EVP_get_digestbynid(EVP_MD_nid(rkey));
rt  
rt  [guest - Mon Feb 23 18:13:00 2004]:
rt  
rt   Attached file extend OCSP responder with:
rt   - add support for dsa keys;
rt   - set SO_REUSEADDR when system support it.
rt   
rt   What about attached patch ?
rt   It is against 0.9.7b, but same fixes can be applied for 0.9.7c.
rt  
rt 
rt Its only because both EVP_PKEY and EVP_MD structures both have a field
rt called type and that EVP_MD_nid() is a macro that it works.
rt 
rt If ever EVP_MD_nid() was changed to a function bad things could happen.
[...]
rt The applications currently access pkey-type directly for this kind of
rt thing.

So basically, you're saying that the following would be the right
thing to do:

evp_md = EVP_get_digestbynid(rkey-type);

-
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.

  



__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]

54 matches

Mail list logo