Re: [openssl-dev] X509_V_FLAG_OCSP_CHECK

2016-01-29 Thread Anthony T CHOW
Stephen, Thanks for the info and have a nice weekend, Anthony. -Original Message- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Wall, Stephen Sent: Friday, January 29, 2016 5:56 AM To: openssl-dev@openssl.org Subject: Re: [openssl-dev] X509_V_FLAG_OCSP_CHECK >

Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu via RT
Stephen Henson via RT wrote: > On Fri Jan 29 17:35:05 2016, steve wrote: >> On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote: >>> Howard Chu via RT wrote: In OpenLDAP we reference X509_NAME->bytes->data directly, we want the DER bytes which we then pass thru our own DN va

Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu via RT
Stephen Henson via RT wrote: > On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote: >> Howard Chu via RT wrote: >>> In OpenLDAP we reference X509_NAME->bytes->data directly, we want the >>> DER >>> bytes which we then pass thru our own DN validator/formatter. This no >>> longer >>> works with O

[openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 17:59:59 2016, alek...@aleksey.com wrote: > > Do you have plan to change the behavior of DSA_SIG_new() as well > to pre-create r and s? Currently both are NULL. > That seems like a reasonable change. In 1.0.x we can't do that because it would result in compatibility issues. For 1.1.0

Re: [openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Aleksey Sanin via RT
Thanks! It works great. Do you have plan to change the behavior of DSA_SIG_new() as well to pre-create r and s? Currently both are NULL. Thanks in advance, Aleksey On 1/29/16 5:44 AM, Stephen Henson via RT wrote: > On Fri Jan 29 09:59:23 2016, alek...@aleksey.com wrote: >> Hello, >> >> At the m

[openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 17:35:05 2016, steve wrote: > On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote: > > Howard Chu via RT wrote: > > > In OpenLDAP we reference X509_NAME->bytes->data directly, we want > > > the > > > DER > > > bytes which we then pass thru our own DN validator/formatter. This > >

[openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 15:08:47 2016, h...@highlandsun.com wrote: > Howard Chu via RT wrote: > > In OpenLDAP we reference X509_NAME->bytes->data directly, we want the > > DER > > bytes which we then pass thru our own DN validator/formatter. This no > > longer > > works with OpenSSL 1.1 and I don't see any p

[openssl-dev] [openssl.org #3885] [BUGFIX] OpenSSL fails to cross-compile on 32-bit->64-bit

2016-01-29 Thread Short, Todd via RT
I have an available fix: https://github.com/openssl/openssl/pull/597 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." ___ openssl-dev mailing list To unsubscribe: https://mta.o

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Short, Todd via RT
This sounds like RT3885. I have an available fix: https://github.com/openssl/openssl/pull/597 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Jan 29, 2016, at 12:04 PM, Viktor Dukhovni via RT mailto:r...@openssl.org

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Short, Todd
This sounds like RT3885. I have an available fix: https://github.com/openssl/openssl/pull/597 -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet." On Jan 29, 2016, at 12:04 PM, Viktor Dukhovni via RT mailto:r...@openssl.org

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Viktor Dukhovni via RT
> On Jan 29, 2016, at 4:59 AM, Kiyoshi KANAZAWA via RT wrote: > > cc -I.. -I../.. -I../modes -I../include -I../../include -DOPENSSL_THREADS > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xarch=generic64 -xstrconst -Xa > -DL_ENDIAN -DFILIO_H -xO5 -xdepend -xbuiltin -DOPENSSL_IA32_SSE2 > -DOPENSSL

Re: [openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Viktor Dukhovni
> On Jan 29, 2016, at 4:59 AM, Kiyoshi KANAZAWA via RT wrote: > > cc -I.. -I../.. -I../modes -I../include -I../../include -DOPENSSL_THREADS > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xarch=generic64 -xstrconst -Xa > -DL_ENDIAN -DFILIO_H -xO5 -xdepend -xbuiltin -DOPENSSL_IA32_SSE2 > -DOPENSSL

Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu via RT
Howard Chu via RT wrote: > In OpenLDAP we reference X509_NAME->bytes->data directly, we want the DER > bytes which we then pass thru our own DN validator/formatter. This no longer > works with OpenSSL 1.1 and I don't see any provided method to return the DER > bytes. I don't want a malloc'd copy, I

Re: [openssl-dev] [openssl.org #4274] OpenSSL 1.1 X509_NAME_der()

2016-01-29 Thread Howard Chu
Howard Chu via RT wrote: In OpenLDAP we reference X509_NAME->bytes->data directly, we want the DER bytes which we then pass thru our own DN validator/formatter. This no longer works with OpenSSL 1.1 and I don't see any provided method to return the DER bytes. I don't want a malloc'd copy, I just

Re: [openssl-dev] X509_V_FLAG_OCSP_CHECK

2016-01-29 Thread Wall, Stephen
> -Original Message- > From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of > Anthony T CHOW > > On the openssl-user mailing list archive, I found this: > > http://www.mail-archive.com/openssl-users@openssl.org/msg67721.html > > On GitHub, I don't find this flag X509_V

Re: [openssl-dev] OpenSSL Security Advisory

2016-01-29 Thread Blumenthal, Uri - 0553 - MITLL
+1 Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network.   Original Message   From: Hanno Böck Sent: Friday, January 29, 2016 06:18 To: openssl-dev@openssl.org Reply To: openssl-dev@openssl.org Cc: open...@openssl.org Subject: Re: [openssl-dev] OpenSSL Security Advisory On

[openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Stephen Henson via RT
On Fri Jan 29 09:59:23 2016, alek...@aleksey.com wrote: > Hello, > > At the moment, there is no way to set r/s in the ECDSA_SIG structure > manually to verify the signature encoded into a different format. > Would be great to add a simple function: > > void ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *

Re: [openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Douglas E Engert
I agree. Until OpenSSL adds a ECDSA_SIG_set0 there is a way, for example: rv = PKCS11_ecdsa_sign(dgst, dlen, sigret, &siglen, key); nLen = siglen / 2; if (rv > 0) { sig = ECDSA_SIG_new(); if (sig) { #if OPENSSL_VERSION_NUMBER >= 0x1010L

[openssl-dev] [openssl.org #3600] When compiling with enable-ec_nistp_64_gcc_128, then EC_GROUP_have_precompute_mult always returns 0

2016-01-29 Thread Matt Caswell via RT
Fixed in master and 1.0.2. Thanks for the report. Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4278] DH_CHECK_PUBKEY_INVALID should be 0x4, not 0x3

2016-01-29 Thread Matt Caswell via RT
Thanks David - fixed. Matt

Re: [openssl-dev] OpenSSL Security Advisory

2016-01-29 Thread Hanno Böck
On Thu, 28 Jan 2016 15:05:47 + OpenSSL wrote: > Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by > default and cannot be disabled. This could have some performance > impact. I think it's good that this has been changed now. I found this ephemeral key reuse always problema

[openssl-dev] [openssl.org #4280] OpenSSL 1.1.0 pre 2: feature request: ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) is needed

2016-01-29 Thread Aleksey Sanin via RT
Hello, At the moment, there is no way to set r/s in the ECDSA_SIG structure manually to verify the signature encoded into a different format. Would be great to add a simple function: void ECDSA_SIG_set0(const ECDSA_SIG*, BIGNUM *, BIGNUM *) to set these values similar to other XXX_set0() functio

[openssl-dev] [openssl.org #4279] openssl-1.1.0-pre2 make failes on Solaris10 x64

2016-01-29 Thread Kiyoshi KANAZAWA via RT
Hello, I tried openssl-1.1.0-pre2 on Solaris10 x86/x64. For x86, no error found. But for X64, make fails in crypto/modes. Got the same result with solarisstudio12.4 & gcc-4.8.5. 1. with solarisstudio12.4 % ./Configure solaris64-x86_64-cc % make   : cc -I.. -I../.. -I../modes -I../include -I../