Re: [openssl-users] What does EC_KEY_get0_public_key deliver?
On 09/01/15 00:05, Christian Weber wrote:
> Thanks Matt,
>
> I just assumed the BIGNUMs were the coordinates without any projection - obviously that assumption was wrong - misled by the function's name.

What interests me is how you accessed the BIGNUMs in the first place! The EC_POINT structure is opaque and is defined in an internal header file!! Applications shouldn't be reaching into those.

Matt
___
openssl-users mailing list
openssl-users@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] [openssl-announce] OpenSSL version 1.0.1k released
test failure on custom build:

    perl Configure ^
     no-comp no-dso no-idea no-ssl2 no-ssl3 no-psk no-srp ^
     --prefix=D:/var/pool/openssl-win32 ^
     VC-WIN32
    ...
    D:\var\tmp\openssl-1.0.1k>nmake -f ms\ntdll.mak
    ...
    D:\var\tmp\openssl-1.0.1k>nmake -f ms\nt.mak test

    Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
    Copyright (C) Microsoft Corporation. All rights reserved.

    cd out32
    ..\ms\test
    rsa_test
    PKCS #1 v1.5 encryption/decryption ok
    OAEP encryption/decryption ok
    PKCS #1 v1.5 encryption/decryption ok
    OAEP encryption/decryption ok
    PKCS #1 v1.5 encryption/decryption ok
    OAEP encryption/decryption ok
    PKCS #1 v1.5 encryption/decryption ok
    OAEP encryption/decryption ok
    PKCS #1 v1.5 encryption/decryption ok
    OAEP encryption/decryption ok
    PKCS #1 v1.5 encryption/decryption ok
    OAEP encryption/decryption ok
    destest
    Doing cbcm
    Doing ecb
    Doing ede ecb
    Doing cbc
    Doing desx cbc
    Doing ede cbc
    Doing pcbc
    Doing cfb8 cfb16 cfb32 cfb48 cfb64 cfb64() ede_cfb64() done
    Doing ofb
    Doing ofb64
    Doing ede_ofb64
    Doing cbc_cksum
    Doing quad_cksum
    input word alignment test 0 1 2 3
    output word alignment test 0 1 2 3
    fast crypt test
    ideatest
    'ideatest' is not recognized as an internal or external command,
    operable program or batch file.
    problems.

On Thu, Jan 8, 2015 at 11:39 PM, OpenSSL open...@openssl.org wrote:
> OpenSSL version 1.0.1k released
> ===============================
>
> OpenSSL - The Open Source toolkit for SSL/TLS
> http://www.openssl.org/
>
> The OpenSSL project team is pleased to announce the release of version 1.0.1k of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:
>
>     http://www.openssl.org/news/openssl-1.0.1-notes.html
>
> OpenSSL 1.0.1k is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):
>
>   * http://www.openssl.org/source/
>   * ftp://ftp.openssl.org/source/
>
> The distribution file name is:
>
>   o openssl-1.0.1k.tar.gz
>     Size: 4434910
>     MD5 checksum: d4f002bd22a56881340105028842ae1f
>     SHA1 checksum: 19d818e202558c212a9583fcdaf876995a633ddf
>
> The checksums were calculated using the following commands:
>
>     openssl md5 openssl-1.0.1k.tar.gz
>     openssl sha1 openssl-1.0.1k.tar.gz
>
> Yours,
>
> The OpenSSL Project Team.
Re: [openssl-users] What does EC_KEY_get0_public_key deliver?
Thanks Matt,

I just assumed the BIGNUMs were the coordinates without any projection - obviously that assumption was wrong - misled by the function's name.

However, we're operating on brainpool curves, so the latter function should do the job. I'll look up the parameters and try tomorrow.

Kind regards
--
Chris

On 08.01.2015 at 22:43, Matt Caswell m...@openssl.org wrote:
> On 08/01/15 17:16, Christian Weber wrote:
>> Dear OpenSSL-Users,
>>
>> recently I found a pitfall using EC_KEY_get0_public_key(key->pkey.ec).
>>
>> The function just returns a copy to a pointer to key->pub_key which is an EC_POINT pointer. The key itself is taken from a certificate using EVP_PKEY *key = X509_get_pubkey(cert);
>>
>> Fine, I assumed, these must be coordinates of the public key in the elements X and Y! Both are BIGNUMS as expected.
>
> How are you accessing the elements X and Y? The internal representation could be transformed and you should make sure you are using the correct functions to access them, i.e. one of:
>
>     EC_POINT_get_affine_coordinates_GFp
> or
>     EC_POINT_get_affine_coordinates_GF2m
>
> Which one to use depends on whether you are using a prime or binary curve.
>
> Matt
[openssl-users] How to construct certificate chain when missing intermediate CA
Hi All:

I am using X509_STORE_CTX_get1_chain() to get a web site's full certificate chain. Now I am encountering an issue that some web sites do not return the intermediate CA certificate but only the web site leaf certificate. For example: https://globaltrade.usbank.com

Below is the certificate I get.

    Subject: /C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com
    Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3

My environment is missing the VeriSign Class 3 Secure Server CA - G3 certificate. When I open the web site in browsers (Chrome on Windows), I can see the certificate chain is built successfully. I think this is because the browser should recognize this intermediate CA, VeriSign Class 3 Secure Server CA - G3, and automatically installed the crt into the system.

So my question is how can I achieve the same as browsers with openssl. With openssl I can get the error info. But where can I use a program to download the VeriSign G3 certificate and install it automatically, so that I can build the full certificate chain?

    Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[20]
    Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[27]
    Peer cert subject[/C=US/ST=Minnesota/L=St. Paul/O=U.S. Bank/OU=ISS/CN=globaltrade.usbank.com] depth[0] error[21]

--
Rejoice,I Desire!
[openssl-users] Build failure in 1.0.1k on Windows
I just downloaded 1.0.1k and when trying to build it on Windows (using Visual Studio 10.0), I get a compile error:

    .\crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier
    .\crypto\cversion.c(80) : warning C4047: 'return' : 'const char *' differs in levels of indirection from 'int'

The problem is this block in cversion.c:

    if (t == SSLEAY_CFLAGS)
        {
    #ifdef CFLAGS
        return(cflags);
    #else
        return("compiler: information not available");
    #endif
        }

There is no cflags variable anywhere. I suspect this should be return (CFLAGS);, and making this change to the source does make the compile succeed. I'm not sure how it compiles as-is on Linux but it does.

Graeme Perrow
Re: [openssl-users] What does EC_KEY_get0_public_key deliver?
On 08/01/15 17:16, Christian Weber wrote:
> Dear OpenSSL-Users,
>
> recently I found a pitfall using EC_KEY_get0_public_key(key->pkey.ec).
>
> The function just returns a copy to a pointer to key->pub_key which is an EC_POINT pointer. The key itself is taken from a certificate using EVP_PKEY *key = X509_get_pubkey(cert);
>
> Fine, I assumed, these must be coordinates of the public key in the elements X and Y! Both are BIGNUMS as expected.

How are you accessing the elements X and Y? The internal representation could be transformed and you should make sure you are using the correct functions to access them, i.e. one of:

    EC_POINT_get_affine_coordinates_GFp
or
    EC_POINT_get_affine_coordinates_GF2m

Which one to use depends on whether you are using a prime or binary curve.

Matt
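Added illustration (not part of the thread and not OpenSSL code) of why the raw X and Y members of a point differ from the key's coordinates. It uses Jacobian projective coordinates, the form OpenSSL's prime-curve code keeps internally, where (X, Y, Z) stands for x = X/Z^2, y = Y/Z^3. The curve y^2 = x^3 + 2x + 2 over GF(17), the base point (5, 1) and all function names are constructed for the example.

```c
/* Added example: toy curve y^2 = x^3 + 2x + 2 over GF(17) (constructed values). */
#include <stdint.h>
#include <stdio.h>

#define P 17u   /* field prime */
#define A 2u    /* curve coefficient a */
#define B 2u    /* curve coefficient b */

typedef struct { uint32_t X, Y, Z; } jac_point;  /* x = X/Z^2, y = Y/Z^3 */
typedef struct { uint32_t x, y; } aff_point;

static uint32_t mulmod(uint32_t a, uint32_t b) { return (uint32_t)(((uint64_t)a * b) % P); }
static uint32_t addmod(uint32_t a, uint32_t b) { return (a % P + b % P) % P; }
static uint32_t submod(uint32_t a, uint32_t b) { return (a % P + P - b % P) % P; }

/* Modular inverse via Fermat: a^(P-2) mod P, valid because P is prime. */
static uint32_t invmod(uint32_t a) {
    uint32_t r = 1, e = P - 2;
    a %= P;
    while (e) {
        if (e & 1) r = mulmod(r, a);
        a = mulmod(a, a);
        e >>= 1;
    }
    return r;
}

/* Doubling with the standard Jacobian formulas: no field inversion needed,
 * which is why libraries keep points in this form between operations. */
jac_point jac_double(jac_point p) {
    uint32_t yy = mulmod(p.Y, p.Y);
    uint32_t s  = mulmod(4, mulmod(p.X, yy));
    uint32_t zz = mulmod(p.Z, p.Z);
    uint32_t m  = addmod(mulmod(3, mulmod(p.X, p.X)), mulmod(A, mulmod(zz, zz)));
    jac_point r;
    r.X = submod(mulmod(m, m), mulmod(2, s));
    r.Y = submod(mulmod(m, submod(s, r.X)), mulmod(8, mulmod(yy, yy)));
    r.Z = mulmod(2, mulmod(p.Y, p.Z));
    return r;
}

/* (l^2 X, l^3 Y, l Z) is the same curve point for any nonzero l. */
jac_point jac_rescale(jac_point p, uint32_t l) {
    uint32_t l2 = mulmod(l, l);
    jac_point r = { mulmod(l2, p.X), mulmod(mulmod(l2, l), p.Y), mulmod(l, p.Z) };
    return r;
}

/* The conversion an affine getter has to perform.
 * Returns 0 for Z == 0 (point at infinity), 1 otherwise. */
int jac_to_affine(jac_point p, aff_point *out) {
    if (p.Z % P == 0) return 0;
    uint32_t zi = invmod(p.Z), zi2 = mulmod(zi, zi);
    out->x = mulmod(p.X, zi2);
    out->y = mulmod(p.Y, mulmod(zi2, zi));
    return 1;
}

/* Check y^2 == x^3 + a*x + b (mod P). */
int on_curve(aff_point a) {
    uint32_t lhs = mulmod(a.y, a.y);
    uint32_t rhs = addmod(addmod(mulmod(a.x, mulmod(a.x, a.x)), mulmod(A, a.x)), B);
    return lhs == rhs;
}

int main(void) {
    jac_point g = { 5, 1, 1 };          /* base point (5, 1), stored with Z = 1 */
    jac_point d = jac_double(g);        /* 2G as the arithmetic leaves it */
    jac_point e = jac_rescale(d, 3);    /* another representation of 2G */
    aff_point a, b;
    jac_to_affine(d, &a);
    jac_to_affine(e, &b);
    printf("raw 2G      : X=%u Y=%u Z=%u\n", d.X, d.Y, d.Z);
    printf("rescaled 2G : X=%u Y=%u Z=%u\n", e.X, e.Y, e.Z);
    printf("affine      : (%u,%u) and (%u,%u), on curve: %d\n", a.x, a.y, b.x, b.y, on_curve(a));
    return 0;
}
```

Both stored triples convert to the same affine point, while neither raw (X, Y) pair satisfies the curve equation on its own; that gap is what the affine getter closes.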
Re: [openssl-users] openssl-1.0.1k - undeclared identifier
On 08/01/15 18:19, Guy wrote:
> Hello,
>
> I try to build openssl-1.0.1k with Visual Studio...
>
> PERL Configure VC-WIN32...
> ms\do_nasm
> NMAKE -f ms\ntdll.mak
>
> and have one error:
> .\crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier

This is a known issue with the Windows build and there is a patch in git already. See commit 56cd7404

Matt
Re: [openssl-users] OpenSSL version 1.0.1k released
Anyone having trouble building on Windows?

    cl /Fotmp32dll\cversion.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN32 -c .\crypto\cversion.c
    cversion.c
    .\crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier
    .\crypto\cversion.c(80) : warning C4047: 'return' : 'const char *' differs in levels of indirection from 'int '
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.

This is on Windows Server 2008 with Windows Server 2003 R2 Platform SDK and

    Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8804 for 80x86

Yes, I realize that it's an old compiler, but 1.0.1j built fine with it.
Re: [openssl-users] OpenSSL version 1.0.1k released
With a more modern 64-bit MS compiler, I still get a failure. I see that Cygwin released theirs, so I'm guessing this is a MS compiler issue.

    cl /Fotmp32dll\cversion.obj -Iinc32 -Itmp32dll /MD /Ox -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN64A -c .\crypto\cversion.c
    cversion.c
    crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier
    crypto\cversion.c(80) : warning C4047: 'return' : 'const char *' differs in levels of indirection from 'int'
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.

    Microsoft (R) C/C++ Optimizing Compiler Version 14.00.40310.41 for AMD64

and the same Microsoft Platform SDK for Windows Server 2003 R2.

Help? Thanks.
Re: [openssl-users] OpenSSL version 1.0.1k released
The C4047 is just a warning. The C2065 is a known issue, per Matt.

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Kevin Layer
Sent: Thursday, January 08, 2015 1:13 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] OpenSSL version 1.0.1k released

With a more modern 64-bit MS compiler, I still get a failure. I see that Cygwin released theirs, so I'm guessing this is a MS compiler issue.

    cl /Fotmp32dll\cversion.obj -Iinc32 -Itmp32dll /MD /Ox -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_KRB5 -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -DOPENSSL_BUILD_SHLIBCRYPTO -DMK1MF_BUILD -DMK1MF_PLATFORM_VC_WIN64A -c .\crypto\cversion.c
    cversion.c
    crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier
    crypto\cversion.c(80) : warning C4047: 'return' : 'const char *' differs in levels of indirection from 'int'
    NMAKE : fatal error U1077: 'cl' : return code '0x2'
    Stop.

    Microsoft (R) C/C++ Optimizing Compiler Version 14.00.40310.41 for AMD64

and the same Microsoft Platform SDK for Windows Server 2003 R2.

Help? Thanks.
Re: [openssl-users] [Bulk] Build failure in 1.0.1k on Windows
Perrow, Graeme wrote:
> I just downloaded 1.0.1k and when trying to build it on Windows (using Visual Studio 10.0), I get a compile error:
>
> .\crypto\cversion.c(80) : error C2065: 'cflags' : undeclared identifier
> .\crypto\cversion.c(80) : warning C4047: 'return' : 'const char *' differs in levels of indirection from 'int'

(you should avoid such long lines).

'cflags' should be automatically generated by the util/mkbuildinf.pl script and included via crypto/buildinf.h (which is included in cversion.c). It's a total mess. Here, crypto/buildinf*.h looks like:

    #ifndef MK1MF_BUILD
      /* auto-generated by util/mkbuildinf.pl for crypto/cversion.c */
      #define CFLAGS
      /*
       * Generate CFLAGS as an array of individual characters. This is a
       * workaround for the situation where CFLAGS gets too long for a C90 string
       * literal
       */
      static const char cflags[] = {
        'c','o','m','p','i','l','e','r',':',' ',' ','','-','D','O','P','E','N',
        'S','S','L','_','S','Y','S','N','A','M','E','_','W','I','N','3','2',' ',
        '-','D','_','W','I','N','3','2',' ','-','D','W','I','N','N','T',' ','-',
        'D','D','S','O','_','W','I','N','3','2',' ','-','D','O','P','E','N','S',

Nice and readable, no?

--
--gv
[openssl-users] OpenSSL version 1.0.1k released
OpenSSL version 1.0.1k released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.1k of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.1-notes.html

OpenSSL 1.0.1k is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.1k.tar.gz
    Size: 4434910
    MD5 checksum: d4f002bd22a56881340105028842ae1f
    SHA1 checksum: 19d818e202558c212a9583fcdaf876995a633ddf

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.1k.tar.gz
    openssl sha1 openssl-1.0.1k.tar.gz

Yours,

The OpenSSL Project Team.
[openssl-users] OpenSSL version 0.9.8zd released
OpenSSL version 0.9.8zd released
================================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 0.9.8zd of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-0.9.8-notes.html

OpenSSL 0.9.8zd is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-0.9.8zd.tar.gz
    Size: 3737538
    MD5 checksum: e9b9ee12f2911e1a378e2458d9bfff77
    SHA1 checksum: b9a6356d5385e0bd6b8af660576bfdef7b45666e

The checksums were calculated using the following commands:

    openssl md5 openssl-0.9.8zd.tar.gz
    openssl sha1 openssl-0.9.8zd.tar.gz

Yours,

The OpenSSL Project Team.
[openssl-users] OpenSSL version 1.0.0p released
OpenSSL version 1.0.0p released
===============================

OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/

The OpenSSL project team is pleased to announce the release of version 1.0.0p of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at:

    http://www.openssl.org/news/openssl-1.0.0-notes.html

OpenSSL 1.0.0p is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

  * http://www.openssl.org/source/
  * ftp://ftp.openssl.org/source/

The distribution file name is:

  o openssl-1.0.0p.tar.gz
    Size: 4008663
    MD5 checksum: f66da50ff3624aeaf292948f27d8ae7d
    SHA1 checksum: 04dd495c47c7a11f7f311747121b6b77e08abb5b

The checksums were calculated using the following commands:

    openssl md5 openssl-1.0.0p.tar.gz
    openssl sha1 openssl-1.0.0p.tar.gz

Yours,

The OpenSSL Project Team.
[openssl-users] What does EC_KEY_get0_public_key deliver?
Dear OpenSSL-Users,

recently I found a pitfall using EC_KEY_get0_public_key(key->pkey.ec).

The function just returns a copy to a pointer to key->pub_key which is an EC_POINT pointer. The key itself is taken from a certificate using EVP_PKEY *key = X509_get_pubkey(cert);

Fine, I assumed, these must be coordinates of the public key in the elements X and Y! Both are BIGNUMS as expected. BUT instead I got some transformed coordinates.

Finally I got the coordinates by using EC_POINT_point2hex() with the proper group and converting its output.

There seems to be no instantly accessible BIGNUM-pair representation of an ECDSA public key, which I would like to gain access to.

What am I missing?

Thanks in advance
--
Chris
[openssl-users] OpenSSL Security Advisory
OpenSSL Security Advisory [08 Jan 2015]
=======================================

DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
===========================================================

Severity: Moderate

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.
OpenSSL 0.9.8 DTLS users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Markus Stenberg of Cisco Systems, Inc. The fix was developed by Stephen Henson of the OpenSSL core team.

DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
=======================================================

Severity: Moderate

A memory leak can occur in the dtls1_buffer_record function under certain conditions. In particular this could occur if an attacker sent repeated DTLS records with the same sequence number but for the next epoch. The memory leak could be exploited by an attacker in a Denial of Service attack through memory exhaustion.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 DTLS users should upgrade to 1.0.1k.
OpenSSL 1.0.0 DTLS users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 7th January 2015 by Chris Mueller who also provided an initial patch. Further analysis was performed by Matt Caswell of the OpenSSL development team, who also developed the final patch.

no-ssl3 configuration sets method to NULL (CVE-2014-3569)
=========================================================

Severity: Low

When openssl is built with the no-ssl3 option and a SSL v3 ClientHello is received the ssl method would be set to NULL which could later result in a NULL pointer dereference.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 17th October 2014 by Frank Schmirler. The fix was developed by Kurt Roeckx.

ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
==========================================================

Severity: Low

An OpenSSL client will accept a handshake using an ephemeral ECDH ciphersuite using an ECDSA certificate if the server key exchange message is omitted. This effectively removes forward secrecy from the ciphersuite.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.

RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
==============================================================

Severity: Low

An OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.

This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.
OpenSSL 0.9.8 users should upgrade to 0.9.8zd.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.

DH client certificates accepted without verification [Server] (CVE-2015-0205)
=============================================================================

Severity: Low

An OpenSSL server will accept a DH certificate for client authentication without the certificate verify message. This effectively allows a client to authenticate without the use of a private key. This only affects servers which trust a client certificate authority which issues certificates containing DH keys: these are extremely rare and hardly ever encountered.

This issue affects OpenSSL versions: 1.0.1 and 1.0.0.

OpenSSL 1.0.1 users should upgrade to 1.0.1k.
OpenSSL 1.0.0 users should upgrade to 1.0.0p.

This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team.

Certificate fingerprints can be modified (CVE-2014-8275)
========================================================

Severity: Low

OpenSSL accepts several non-DER-variations of certificate signature algorithm and signature encodings. OpenSSL also does not enforce a match between the signature algorithm between the signed and unsigned portions of the