[openssl.org #2967] Minor Bug - Options Missing from Application Usage

2013-01-29 Thread Nick Lewis via RT
The new -CRL, -crl_download and -CRLform options are missing from the usage in s_client and s_server (I have not checked for the absence of non-crl related options from the usage) -- Nick Lewis nick.le...@usa.g4s.com +44 1684 277137 www.g4stechnology.com New Challenge House, International Drive,

[openssl.org #2959] Trivial Bug - Typo in apps/apps.h

2013-01-17 Thread Nick Lewis via RT
- #define FORMAT_HTTP13 /* Dowload using HTTP */ + #define FORMAT_HTTP13 /* Download using HTTP */

[openssl.org #2618] PATCH - Wrong exit code for pkeyutl -verify

2011-09-30 Thread Nick Lewis via RT
When the pkeyutl application is using the -verify option it always exits with a value indicating an error even when verifying successfully. Please find below a patch that addresses this issue. It also modifies a message that is confusing when dealing with private keys. (The line numbers for

[openssl.org #2617] pkeyutl fails depending on order of options - PATCH

2011-09-28 Thread Nick Lewis via RT
The openssl application pkeyutl fails if the keytypes -certin and -pubin are placed in the options list after the -inkey option. The error message does not indicate the correct reason for the error. The -pkeyopt and -peerkey options also have similar restrictions but the conditions are checked

RE: [openssl.org #2594] Problem with X509 path loop detection - PATCH

2011-09-27 Thread Nick Lewis via RT
With update version I confirm that regression test of a software now pass with OpenSSL HEAD version. I still have problem with HEAD regarding check if is for self signed. This case is not in openssl regression tests and cannot be reproduced with openssl command line. Case is when callback

[openssl.org #2612] Segfault protection in X509v3 extension API - PATCH

2011-09-23 Thread Nick Lewis via RT
Please find attached below a patch that provides protection against segmentation faults in the X509v3 extension API Best Regards Nick diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c index 3146218..9e474c8 100755 --- a/crypto/x509v3/v3_prn.c +++

RE: [openssl.org #2612] AutoReply: Segfault protection in X509v3 extension API - PATCH

2011-09-23 Thread Nick Lewis via RT
Please find attached below a revised patch that provides further protection against segmentation faults in the X509v3 extension API Best Regards Nick diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509v3/v3_prn.c index 3146218..094861e 100755 ---

[openssl.org #2605] Directly Create Public Key File from Cert - PATCH

2011-09-19 Thread Nick Lewis via RT
Please find below a patch that permits a public key file to be produced directly from a certificate without piping from stdout. The patch also mops up a couple of bugs in which 'out' is not defined when needed Nick --- diff --git a/apps/x509.c b/apps/x509.c

[openssl.org #2599] Support for SHA256 and other MDs in X509 SubjectKeyIdentifier - PATCH

2011-09-13 Thread Nick Lewis via RT
Please find below a patch to add SHA256 and other types of message digest support to the SubjectKeyIdentifier. This functionality is accessed from the config file by adding an MD name after a semi-colon e.g. subjectKeyIdentifier=hash;sha256 Best Regards Nick diff --git

[openssl.org #2601] Support for use of sha256 for certificate comparisons - PATCH

2011-09-13 Thread Nick Lewis via RT
Please find attached below a patch that adds support for the use of sha256 in certificate comparisons. It also addresses a problem in which sha1 comparison was attempted as long as OPENSSL_NO_SHA was absent even when OPENSSL_NO_SHA1 was defined Best Regards Nick diff --git

RE: [openssl.org #2594] Problem with X509 path loop detection - PATCH

2011-09-12 Thread Nick Lewis via RT
Roumen Thank you for looking at the patch and reporting the problem with it. I apologise that I did not test it properly. The path loop test in the patch should of course be first whether the issuer is in the chain and only if it is then whether it is lower than the cert x i.e. +

[openssl.org #2592] req -newkey rsa does not use key length specified in cnf file PATCH

2011-09-02 Thread Nick Lewis via RT
When the req -newkey option value is of the form rsa rather than rsa:keylen the key length of the new rsa key should be taken from the config file. However req does not generate an rsa key of the correct length (despite displaying the message Generating a keylen bit RSA private key that

[openssl.org #2584] ssltest -test_cipherlist bug incorrectly skipping ciphers

2011-08-21 Thread Nick Lewis via RT
The do_test_cipherlist(void) function in ssltest.c skips some cipher checks in all methods after the SSLv2_method due to missing resets of the i counter. Please find a patch below that resolves this bug and also adds support for TLSv1_1_method and TLSv1_2_method Best Regards Nick

RE: [openssl.org #2584] ssltest -test_cipherlist bug incorrectly skipping ciphers

2011-08-21 Thread Nick Lewis via RT
Amended patch to avoid need for -f option with -tls1_1 and -tls1_2 options Best Regards Nick diff --git a/ssl/ssltest.c b/ssl/ssltest.c index cebd4e7..1978eeb 100755 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -432,6 +432,12 @@ static void sv_usage(void) #ifndef OPENSSL_NO_TLS1

[openssl.org #2579] Segfault for CMAC

2011-08-18 Thread Nick Lewis via RT
With the 20110815 snapshot I am getting a SegFault when trying to use CMAC. The command I used is as follows: [root@localhost bin]# ./openssl dgst -mac cmac -macopt cipher:aes128 -macopt key:IZEASGTBPOIZEASG -c /lorum-ipsum.txt Segmentation fault Valgrind reports: ==27337== Invalid read of

RE: [openssl.org #2579] Segfault for CMAC

2011-08-18 Thread Nick Lewis via RT
I think that the following patch on 20110815 should resolve the segfault and report the correct algorithm with cmac e.g. [root@localhost bin]# ./openssl dgst -mac cmac -macopt cipher:aes256 -macopt key:IZEASGTBPOIZEASGTBPOIZEASGTBPOIZ -c /lorum-ipsum.txt CMAC-AES-256-CBC(/lorum-ipsum.txt)=