BN_bin2bn() gets coredump in 0.9.7k
Hi, I have compiled 64-bit OpenSSL 0.9.7k on HP-UX 11.23 PA architecture withoptimization level +O3 (default). When i test BN_bin2bn() function in cryto library with the following test program, it gets coredump. Here is my test program.=#include stdio.h#include openssl/rsa.h int main() { RSA *public; unsigned int bits, len; char *buf, *uu; unsigned char *blob; public = RSA_generate_key(1024, 35, NULL, NULL); bits = BN_num_bits(public-n); printf("%u", bits); buf = BN_bn2dec(public-e); printf(" %s", buf); OPENSSL_free(buf); buf = BN_bn2dec(public-n); printf(" %s", buf); OPENSSL_free(buf); return 0;}= But the problem does not occur with +O1 optimization level compilation. Also when the same test program is linked with OpenSSL 0.9.8c 64bit library compiled with +O3 optimization level, it executes successfully. The reason would be CVS check-in 12579 and 13128, which are only appliedin 0.9.8 series. Why these changes are not applied to 0.9.7 trunk ??? Can any body know about this issue..? Thanks -Siva.
Re: [SECURITY] OpenSSL 0.9.8c and 0.9.7k released
Hi, I could see the patch for "RSA Signature Forgery" available in the location http://www.openssl.org/news/patch-CVE-2006-4339.txt is been updated with removal of unwanted code lines on september 6.Will these changes be commited to the OpenSSL releases 0.9.7 and 0.9.8. If so, when will be the souce packages ready with the updated patch.Thanks, -Siva- Original Message - From: "Mark J Cox" [EMAIL PROTECTED]To: openssl-announce@openssl.org; openssl-dev@openssl.org; full-disclosure@lists.grok.org.uk; openssl-users@openssl.orgSent: Tuesday, September 05, 2006 3:11 PMSubject: [SECURITY] OpenSSL 0.9.8c and 0.9.7k released -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 OpenSSL version 0.9.8c and 0.9.7k released == OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 0.9.8c of our open source toolkit for SSL/TLS. This new OpenSSL version is a security and bugfix release and incorporates changes and bugfixes to the toolkit. For a complete list of changes, please see http://www.openssl.org/source/exp/CHANGES. This release fixes an important security vulnerability which could allow RSA Signature Forgery, CVE-2006-4339. Please see http://www.openssl.org/news/secadv_20060905.txt We also release 0.9.7k, which contains the security update and bugfixes compared to 0.9.7j. We consider OpenSSL 0.9.8c to be the best version of OpenSSL available and we strongly recommend that users of older versions upgrade as soon as possible. OpenSSL 0.9.8c is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ For those who want or have to stay with the 0.9.7 series of OpenSSL, we strongly recommend that you upgrade to OpenSSL 0.9.7k as soon as possible. It's available in the same location as 0.9.8c. The distribution file names are: * openssl-0.9.8c.tar.gz MD5 checksum: 78454bec556bcb4c45129428a766c886 SHA1 checksum: d0798e5c7c4509d96224136198fa44f7f90e001d * openssl-0.9.7k.tar.gz MD5 checksum: be6bba1d67b26eabb48cf1774925416f SHA1 checksum: 90056b8f5e518edc9f74f66784fbdcfd9b784dd2 The checksums were calculated using the following commands: openssl md5 openssl-0.9.*.tar.gz openssl sha1 openssl-0.9.*.tar.gz Yours, The OpenSSL Project Team... Mark J. Cox Nils Larsch Ulf Möller Ralf S. Engelschall Ben Laurie Andy Polyakov Dr. Stephen Henson Richard Levitte Geoff Thorpe Lutz Jänicke Bodo Möller-BEGIN PGP SIGNATURE- Version: GnuPG v1.4.2.2 (GNU/Linux) iQCVAwUBRP1Enu6tTP1JpWPZAQKUhQP/dBLTKnYVGvNvUYi2mleBNoUn8ISsZsA8 5jfBOzsrR+GnZHdyxU3wqcUBzoteE6robAB5Xz1eVvtQDoSPOor0zQWNTrTOEL7N 3MUbD/xwCv46kfk6OnptUUQ1UK2uA+IV6nxQHx6CDDdDO5wr2D8vBX3Q2JCuPXlf YjbILfKdPaA= =CW+z -END PGP SIGNATURE- __ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager [EMAIL PROTECTED]-- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.405 / Virus Database: 268.11.7/437 - Release Date: 9/4/2006
fips_aes_data file is missing
Hi, I have compiled OpenSSL- 0.9.7j in HP-UXand when looking into the source,I have noticed that the file fips_aes_data is missing. In the test directory of OpenSSL source there is a fips_aes_data file, whichis a link to ../fips-1.0/aes/fips_aes_data. fips_aes_data - ../fips-1.0/aes/fips_aes_data But in ../fips/aes directory there is no fips_aes_data file. Please make me clear what is happening here..?Why this file is missing. Is it an unwanted link..? Thanks in advance. Thanks, -Siva
FIPS enabled OpenSSL with shared enabled-how to do?
Hi , I am building FIPS compliant OpenSSL in HP-UX PA 11.11 architecture. I was build the FIPS module from the source with the security policy 140-2 suggested in the FIPS user guide. The steps followed to build the FIPS module are ./config fips make make install The stepsfollowed to build FIPS enabled OpenSSL are ./Configure threads zlib shared fips no-rc5 no-idea no-krb5 --openssldir=/opt/openssl hpux-cc gmake depend gmake While building the FIPS enabled OpenSSL, i was thrown into the following error. + fips-1.0/fipsld -b +Z -Wl,-B,symbolic,+vnocompatwarnings,-z,+h,libcrypto.sl.0.9.7 -o libcrypto.sl.0.9.7 -Wl,-Fl,libcrypto.a -ldldCanister: /usr/local/ssl/lib/fipscanister.o/usr/ccs/bin/ld: DP relative code in file /usr/local/ssl/lib/fipscanister.o - shared library must be position independent. Use +z or +Z to recompile.gmake[4]: *** [do_hpux-shared] Error 1 If we remove the sharedin the configure option it will be fixed. But it will not create the openssl shared libraries. Is there any way to overcome this issue with shared enabled, and also can we able to set some compileroptionswhilebuiding FIPS module?If yes, please guide me how to do?. Thanks in advance -siva