Re: [openssl-dev] (future) STORE vs X509_LOOKUP_METHOD by_dir

Hi Richard, Richard Levitte wrote: Hi, I've some ponderings that I need to bounce a bit with you all. Some have talked about replace the X509_LOOKUP_METHOD X.509 lookup method could return certificate , revocation list or EVP_KEY (structure x509_object_st). Unfortunately functionality of

Re: [openssl-dev] [openssl.org #4681] Resolved: X.509 load method

Rich Salz via RT wrote: According to our records, your request has been resolved. If you have any further questions or concerns, please respond to this message. Resolved? Hmm, how to implement X.509 lookup method with 1.1+ API? Regards, Roumen Petrov -- openssl-dev mailing list

Re: [openssl-dev] [RFC v2 2/2] pem: load engine keys

Hi Richard, Richard Levitte wrote: In message<20161206.223057.237264374331072901.levi...@openssl.org> on Tue, 06 Dec 2016 22:30:57 +0100 (CET), Richard Levitte said: levitte> [SNIP] The easiest was actually to rewrite PEM_read_bio_PrivateKey() entirely, so it solely

Re: [openssl-dev] [RFC v2 2/2] pem: load engine keys

HI Richard, Richard Levitte wrote: In message<58472e4f.3010...@roumenpetrov.info> on Tue, 06 Dec 2016 23:31:59 +0200, Roumen Petrov<open...@roumenpetrov.info> said: openssl> Hi Richard, openssl> [SNIP] openssl> > Check. My STORE branch is made to support that

Re: [openssl-dev] [RFC v2 2/2] pem: load engine keys

Hi Richard, Richard Levitte wrote: [SNIP] James.Bottomley>1. We agreed that usability is greatly enhanced if openssl simply loads James.Bottomley> a key when presented with the file/uri etc. without the user having James.Bottomley> to specify what the format of a key is

Re: [openssl-dev] Still showing openssl 1.0.2 snapshot issue

Salz, Rich wrote: [SNIP] I posted yesterday, what's your config. I standard config/make does not do this for me. For instance: CONFIGURE_ARGS=--prefix=... -DOPENSSL_NO_BUF_FREELISTS shared no-ssl2 no-ssl3 zlib-dynamic enable-gost enable-unit-test linux-x86_64 Roumen -- openssl-dev mailing

Re: [openssl-dev] [RFC 1/2] engine: add new flag based method for loading engine keys

means that the key_id is actually a bio pointer. I'm not sure that is good idea to pass pointers between loadable modules. It could be used if there is no alternative. In this case URN format for could inform engine how to load key. [SNIP] Regadrs, Roumen Petrov -- openssl-dev mailing list

[openssl-dev] [openssl.org #4681] X.509 load method

This is an enhancement request. OpenSSL 1.1 hides details of structures used to load X.509 certificates, in particular - x509_lookup_method_st , x509_lookup_st and x509_object_st. This impact non OpenSSL projects as external application has to duplicated those structures. Request is OpenSSL do

Re: [openssl-dev] [openssl.org #4590] accessors without const return arguments

Stephen Henson via RT wrote: > On Sat Jun 25 22:09:59 2016, open...@roumenpetrov.info wrote: >> Above is reason the request to remove const from return argument of get0 >> methods. > We had a discussion about this and the preference was to have get methods > retain const for various reasons. > >

[openssl-dev] prefer headers from source tree

d. Windows modification is similar. Roumen >From a7e0111eea1ef51d62a673e8511e9017945c2780 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Sat, 21 May 2016 10:29:51 +0300 Subject: [PATCH 2/2] make templates: prepend path to source headers --- Configurations

[openssl-dev] [openssl.org #4590] accessors without const return arguments

n argument of get0 methods. The issue is not only for ECDSA but also for DSA_SIG and RSA, DSA, DH keys where situation is similar. Regards, Roumen Petrov -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4590 Please log in as guest with password guest if prompted -- openssl-d

Re: [openssl-dev] use of X.509 lookup methods, X509_OBJECT internal or opaque?

Salz, Rich wrote: Can you look at https://github.com/openssl/openssl/pull/1044 [SNIP ] I pushed a new version that adds your feedback. 10x, it's fine by me. Roumen -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] use of X.509 lookup methods, X509_OBJECT internal or opaque?

Hi Rich, Salz, Rich wrote: Can you look at https://github.com/openssl/openssl/pull/1044 and see if it addresses the issues? Yes. May be with some definitions for backward compatibility. I mean for renamed pre 1.1 functions - with inserted ..._CTX into name of : -

Re: [openssl-dev] use of X.509 lookup methods, X509_OBJECT internal or opaque?

Hi Rich, Scope of my request is "use of a lookup method". Salz, Rich wrote: You need (1) I test port to current openssl code with following definitions X509_OBJECT_new() and X509_OBJECT_get0_X509_CRL. : diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index ff64821..8547b0d

Re: [openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

blic part between get0 and set0 key methods. For protocol "0009-sshkey.c-opaque-DSA-structure.patch" is practical sample of an upgrade to 1.1 API. RSA is similar. Cheers, Richard Roumen >From 57d17bdf3ef9975b6f09a597557843943909b5b9 Mon Sep 17 00:00:00 2001 From: Roumen Petr

[openssl-dev] remove defines that access X.509 store

umen >From 32b59c4406581d9e0418ba9b61a1abe2044468ff Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Sat, 16 Apr 2016 19:10:19 +0300 Subject: [PATCH 4/4] remove defines X509_STORE_set_verify_... as context is now opaque --- include/openssl/x509_vfy.h | 3 --- 1 file changed, 3

[openssl-dev] use of X.509 lookup methods, X509_OBJECT internal or opaque?

Hi Openssl developers, Recent modification to X509... structures prevent external implementation of X509_LOOKUP_METHOD. Main issue that 1.1beta5 is not usable. A lot of X509... structures are now opaque, but there is no access neither memory management functions. I hop that soon will be

[openssl-dev] get engine function for EC key

Hi, Currently access to engine member is available for some keys: $ grep -r get0_engine include/ include/openssl/dh.h:ENGINE *DH_get0_engine(DH *d); include/openssl/dsa.h:ENGINE *DSA_get0_engine(DSA *d); include/openssl/rsa.h:ENGINE *RSA_get0_engine(RSA *r); Please add function for EC_KEY. If

[openssl-dev] OPENSSL_cleanup now error is "invalid pointer"

Hi With current master "corrupted double-linked list" disappear but error still exist, see below Roumen Petrov wrote: [SNIP] Stack trace *** Error in '/apps/openssl': corrupted double-linked list: 0x006de730 *** ^C Program received signal SIGINT, Interrupt. 0x7f

[openssl-dev] build with defined ENGINE_REF_COUNT_DEBUG

Hi, Please see attached file 0003-build-with-defined-ENGINE_REF_COUNT_DEBUG.patch . If ENGINE_REF_COUNT_DEBUG is defined build fail. Proposed patch resolve issue. Regards, Roumen >From 3db4a9eb01f6caf1c59c50d8f6a3f6ec73cc71df Mon Sep 17 00:00:00 2001 From: Roumen Petrov &l

[openssl-dev] What about DSA_SIG_get0 ? Was: ECDSA_SIG_get0() for const ECDSA_SIG *

Hello , Issue 4436 report only ECDSA_SIG_get0 but DSA is the same. Perhaps DSA_SIG_get0 could use constant signature pointer. Stephen Henson via RT wrote: Fixed now. Closing ticket. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available

Re: [openssl-dev] OPENSSL_cleanup new issue

Hi Matt, Matt Caswell wrote: Hi Roumen On 10/03/16 22:21, Roumen Petrov wrote: Hello, With new thread model in some configurations openssl hands on unload of engine. I just pushed commit 773fd0bad4 to master which should hopefully resolve this issue. It seems to me hang is resolved after

[openssl-dev] OPENSSL_cleanup new issue

xit () from /lib64/libc.so.6 #11 0x0041cf5d in main (argc=, argv=out>) at apps/openssl.c:361 (gdb) My build is based on commit 603358de576217812cb3d752e97c78e476cdc879 -plus remaining modifications from issue "#4207 engine key format in 1.1" Regards, Roumen Petrov Roumen Petr

[openssl-dev] unified build dependencies

Hello , It seems to me unified build system work quite well with simultaneous build jobs. I would like to report a minor issue - I have to run make 3 times until all decencies are resolved. Second make rebuild about 450 items. Third time only speed is rebuild. The build is in a clean source

Re: [openssl-dev] OpenSSL 1.0.2g - make test fails with FIPS -- regression from 1.0.2f

Brad House wrote: It appears OpenSSL 1.0.2g introduced a regression when attempting to run 'make test' on a fips-enabled build on linux. When compiling without FIPS, the tests pass as expected. However, with fips turned on, "make test" fails when trying to use ssl2 it appears. Running 'make

Re: [openssl-dev] [openssl.org #2363] bug: memory allocated by DH_new() may never be free()ed

It is expected DH_free(DH_new()); to leaks memory. Usually XXX method initialize "extra data". Sample code is without code that clear library, at least CRYPTO_cleanup_all_ex_data is missing. Roumen -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2363 Please log in as guest

[openssl-dev] OPENSSL_cleanup additional

Hello, I just finish tests with new initialization methods. Memory detection tool report a number of memory leaks. Startup code is: OPENSSL_init_crypto( OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS |

[openssl-dev] shared build, master, 2016-02-23

Hello, The current master branch does not create shared libraries. Attached patch restore build with gnu tools. Regards, Roumen Petrov >From 2c3d122965a0a6a0b8b2ae3188b7c16658e5a57a Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Tue, 23 Feb 2016

Re: [openssl-dev] [openssl.org #4320] [Patch] OpenSSL 1.1.0-pre3: "unable to load Key" error in PEM_get_EVP_CIPHER_INFO()

d=4320 Please log in as guest with password guest if prompted >From b359b5caf689583b247d825892ccd6dd42474de1 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Thu, 18 Feb 2016 23:26:43 +0200 Subject: [PATCH 4/4] #4320 OpenSSL 1.1.0-pre3: "unabl

[openssl-dev] OPENSSL_config with default configuration

Hello, OPENSSL_config with NULL argument crash in master branch. Please find attached file with proposed patch. Regards, Roumen >From f6eee9281567e47ae23383c527845cc4a897d195 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Fri, 12 Feb 2016 22:18:59 +020

[openssl-dev] [openssl.org #4312] documentation: RSA_new_method argument

Hello, Function argument is pointer to ENGINE - please find attached patch Regards, Roumen Petrov -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4312 Please log in as guest with password guest if prompted >From 2f2e1f210ec3c8452ecd041604fd14071a4b59ca Mon Sep 17 00:00:00 2

Re: [openssl-dev] BIO_new_connect after refactoring

Richard Levitte wrote: That patch just got merged into master, commit 80926502986a97eed53afe1d85fc074e40829547 10x It seems to me #4296 is second report. Cheers, Richard In message <56b718f3.9070...@roumenpetrov.info> on Sun, 07 Feb 2016 12:14:11 +0200, Roumen Petrov

[openssl-dev] BIO_new_connect after refactoring

Hello, With master branch my ssh ocsp tests start to fail again. The program code call BIO_new_connect("127.0.01") and then parsing of 'name' crash. Please find attached proposed patch. Roumen >From 65f29abcce374e3ceddc93f2854493f1839eb305 Mon Sep 17 00:00:00 2001 From: Roumen

Re: [openssl-dev] [openssl.org #4207] engine key format in 1.1

Also patches for commands: - pkey : "0017-pkey-cmd-restore-keys-from-engine.patch" - req : "0018-req-cmd-restore-keys-from-engine.patch" >From 0ea1c0b9b600977e93efed4545166ec4ae245bc9 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: S

[openssl-dev] [openssl.org #4249] ECDSA method flags

ibes flag EC_FLAG_FIPS_CHECKED but this flags is not used in fips enabled openssl build. It seems to me is enough to set flag ECDSA_FLAG_FIPS_METHOD to allow ECDSA method to work in fips mode. Regards, Roumen Petrov >From 4e2150fb50fc07e1edd38938f3d3c32e8438 Mon Sep 17 00:00:

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

Salz, Rich via RT wrote: > Tweaked, sigh. > ; ./util/opensslwrap.sh engine - dynamic -pre > engine: Cannot mix flags and engine names. > engine: Use -help for summary. > exit 1 > If engine name cannot be at any position then please keep it as is. i.e. at last position. In this

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

Salz, Rich via RT wrote: > Please see this: > > https://github.com/openssl/openssl/compare/master...richsalz:rt4194?expand=1 > It should fail with openssl engine - dynamic -pre SO_PATH:/lib/libfoo.so Help string looks good. Roumen ___

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

Salz, Rich via RT wrote: > So you're saying just close this ticket? > No. My request is to restore flexible engine command line and optionally help string. I only disagree with proposed partial correction for command line. ___ openssl-dev mailing list

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

Rich Salz via RT wrote: > [SNIP] > out = dup_bio_out(FORMAT_TEXT); > - prog = opt_init(argc, argv, engine_options); > if (!engines || !pre_cmds || !post_cmds) > goto end; > + while ((argv1 = argv[1]) != NULL && *argv1 != '-') { > + sk_OPENSSL_STRING_push(engines, *argv1); > + argc--; > + argv++; >

[openssl-dev] [openssl.org #4207] engine key format in 1.1

1 From: Roumen Petrov <open...@roumenpetrov.info> Date: Sun, 15 Nov 2015 11:00:00 +0200 Subject: [PATCH 03/15] dgst cmd: restore keys from engine --- apps/dgst.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apps/dgst.c b/apps/dgst.c index fb09a45..24

Re: [openssl-dev] [openssl.org #4194] engine command regression in 1.1

first is engine name then commands. Just search in internet for samples - expect some recent openssl tutorial almost all other samples use name before options. Request is only for engine. It is not for speed command for example. This is reason to call issue regression. Regards, Roumen

[openssl-dev] [openssl.org #4200] extra data for ec keys

al API and just > use the standard crypto_ex_data stuff. Want to make a more complete patch as > a github pull request? :) Otherwise I'll get to it soon. > >From 07ad1979667aeb2ba99a8ed88f679fb684b8cf1c Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date

[openssl-dev] access-EC_KEY-method-property

eth); pkey_rsa->engine = eng; ENGINE_up_ref(eng); Let me know how to proceed with this request. Roumen Petrov ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] extra data for ec keys

patch" - note that index CRYPTO_EX_INDEX is with gap in numbering but I would like patch to be minimal. I would like to request external applications to be able to change method - see attached patch "0009-access-EC_KEY-method-property.patch". Regards,

[openssl-dev] [openssl.org #4195] remove duplicates in util/libeay.num

EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION: current: X509_CERT_PAIR_it 35341_1_0 NOEXIST::FUNCTION: X509_CERT_PAIR_it 35341_1_0 NOEXIST::FUNCTION: Proposed patch removes duplicates. Regards, Roumen Petrov >From 992be79410a3c909f4b1d2f492423aaf2c8a8454 Mon Sep 17 00:00

[openssl-dev] __STDC_VERSION__ is not defined

:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Thu, 3 Dec 2015 23:43:24 +0200 Subject: [PATCH 01/15] __STDC_VERSION__ is not defined for c89 compilers --- include/openssl/e_os2.h | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/openssl/e_os2.

[openssl-dev] [openssl.org #4194] engine command regression in 1.1

options. This is regression introduced by new common " option-parsing". Also new summary lack information for engine name as command line argument. Regards, Roumen Petrov ___ openssl-bugs-mod mailing list openssl-bugs-...@openssl

[openssl-dev] about "Rename some BUF_xxx to OPENSSL_xxx"

Hello, After modification OPENSSL_strlcpy is declared twice. Regards, Roumen >From 5f5b81e162eae025dcc40a7074a973621c7dac33 Mon Sep 17 00:00:00 2001 From: Roumen Petrov <open...@roumenpetrov.info> Date: Mon, 21 Dec 2015 18:45:06 +0200 Subject: [PATCH 02/15] redundant rede

Re: [openssl-dev] OCSP issues in master 2015-10-17

Dr. Stephen Henson wrote: On Sat, Oct 17, 2015, Roumen Petrov wrote: Hello, After embed some attributes OCSP in master stop to work. The current status is the client comment report "Cert Status: unknown" and "Nonce Verify error" for X.509 certificates used in my ssh reg

[openssl-dev] OCSP issues in master 2015-10-17

nown version to work is "47c9a1b5096be684c18335137284f0dfcefd12d6 : embed support for ASN1_STRING" (optionally with "Appease gcc's Wmaybe-uninitialized" if build fail due to pedantic compiler flags). First regression is from "af170194a88d6127d447bea826845c23ca192727 : embed OCSP_CERTID&q

[openssl-dev] [openssl.org #4029] incomplete get methods for X509_VERIFY_PARAM

structure, may require own set of "get"-methods It seems to me for attributes name, flags and depth access is complete. Please finish declaration of X509_VERIFY_PARAM as opaque structure with definition of "get"-methods. Regards, Roumen Petrov __

Re: [openssl-dev] [PATCH] [openssl.org #2558] [patch] make windres controllable via build env var settings

Mike Frysinger via RT wrote: atm, the windres code in openssl is only usable via the cross-compile prefix option unlike all the other build tools. So add support for the standard $RC / $WINDRES env vars as well. --- [SNIP] else{ s/^CC=.*$/CC= $cc/;

Re: [openssl-dev] Seeking feedback on some #ifdef changes

in script. [SNIP] OPENSSL_NO_STORE Also removing the code? Regards, Roumen Petrov ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl.org #3557] -nameopt utf8 behaviour in openssl 1.0.1i

set of flags as 'separator' is required. Pages x509 and X509_NAME_print_ex could be updated to detail that 'separator' flag is required. Regards, Roumen Petrov __ OpenSSL Project http

Re: [openssl.org #832] ocsp and dsa key+socket option SO_REUSEADDR for responder

Rich Salz via RT wrote: SO_REUSEADDR is done. It is not activated in ocsp.c . The rest is fixed in 1.+ [SNIP] __ OpenSSL Project http://www.openssl.org Development Mailing List

1.0.2beta2 and X.509 certificate verification

lookup:unable to get local issuer certificate 2 === There is extra error with code 20. This may break external applications with custom verification callback. For historic reasons exit code of openssl verify command is not used and to me this is not so important. Regards, Roumen Petrov

current 1.0.2 with gcc for windows

cannot be executed as makefile lack suffix for dependent executables . Please find attached proposed fix 0001-use-EXE_EXT-in-dependecies.patch.gz . Regards, Roumen Petrov 0001-use-EXE_EXT-in-dependecies.patch.gz Description: GNU Zip compressed data 0002-use-ULL-for-GCC-instead-MSC-specific

current 1.0.2 branch and fips

Hello, According the current version scheme 1.0.2 retain binary compatibility. In this case is expected external application linked 1.0.1 to work with 1.0.2 without modification. It seems to me now FIPS build retain binary but lost functional compatibility. For instance EVP_dss1 could be

Re: Major OpenSSL 1.0.1d regression from 1.0.1c

Hi, FIPS enabled build fail at same line. Brad House wrote: It appears there is a major regression with OpenSSL 1.0.1d over 1.0.1c. I've narrowed it down to setting a custom cipher list I think as if I do not set a cipher list, the issue does not occur. I have reproduced the issue with the

Re: [openssl.org #2745] Fwd: GOST engine memory problems

Stephen Henson via RT wrote: I've finally had time to look into this. Please see if this fixes the issue: May be is not related, but this engine lack call of ENGINE_register_pkey_asn1_meths . It seems to me without this registration initialization is different . If engine configuration is

Re: [openssl.org #2745] Fwd: GOST engine memory problems

Stephen Henson via RT wrote: I've finally had time to look into this. Please see if this fixes the issue: May be is not related, but this engine lack call of ENGINE_register_pkey_asn1_meths . It seems to me without this registration initialization is different . If engine configuration is

FIPS build in 1.0.1+ stable branches

Hello OpenSSL developers. I could not understand *Check-in [22619]* Reduce version skew in openssl 1.0.1 stable branch. May be this version adds some useful improvements but FIPS build(compile) is broken. I wonder what is policy to update 1.0.1 stable branch. After remove of #include

Re: ENGINE reference leak using FIPS-capable OpenSSL

Dr. Stephen Henson wrote: On Wed, Apr 18, 2012, Erik Tkal wrote: Any takers? Should I be able to build a FIPS-capable OpenSSL and have some of the implementation be provided via an ENGINE (e.g. let's say I have a hardware module to perform AES) but some by the OpenSSL FIPS canister? Or is

Re: [openssl.org #2781] OpenSSL 1.x doesn't compile on mingw-w64 (targeting win32)

Leandro Santiago via RT wrote: I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on mingw-w64 (gcc 4.7), but I'm having errors. I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10 64-bit and Windows 7 32-bit having the same errors. The command line I used was:

Re: [openssl.org #2781] OpenSSL 1.x doesn't compile on mingw-w64 (targeting win32)

Leandro Santiago via RT wrote: I'm trying to compile openssl 1.0.1 (but I also tested the 1.0.0) on mingw-w64 (gcc 4.7), but I'm having errors. I tested in three configurations: Ubuntu 11.04 32-bit, Kubuntu 11.10 64-bit and Windows 7 32-bit having the same errors. The command line I used

Re: [openssl.org #2750] [BUG] spec file doesn't properly build for lib64

Kevin Vargo via RT wrote: Some minor updates to the openssl.spec: wrapping ifarch around the various lib dirs to get the right files in the right places. See attached diff Configure script and spec are not consistent regarding multilib. It seems to me spec file should use libdir script

Re: [openssl.org #2750] [BUG] spec file doesn't properly build for lib64

Kevin Vargo via RT wrote: Some minor updates to the openssl.spec: wrapping ifarch around the various lib dirs to get the right files in the right places. See attached diff Configure script and spec are not consistent regarding multilib. It seems to me spec file should use libdir script

[openssl.org #2752] objects.txt - update of extended key usage

for ssh related numbers but obejct.txt could be updated to list more. As example on page http://www.imc.org /ietf-pkix/pkix-oid.asn last extended key usage is with number 29. Regards, Roumen Petrov __ OpenSSL Project

Re: Accessing ENGINESDIR value

Hi Dmitry, Dmitry Belyavsky wrote: Greetings! What is the correct way to get the ENGINESDIR value It is defined in opensslconf.h but it is not enough to include opensslconf.h to get it defined. Why engine directory for openssl configuration is so important ? Engine installation may depend

Re: [openssl.org #2718] openssl-fips-1.2.3: testsuite failures (SIGILL / Illegal instruction)

the build GCC 4.6.1 warn user for bad cast and that application will terminate it code is reached. I note this on 64-bit platform with gcc 4.5.2 and as Steve suggest I switch to 0.9.8x fips build. Regards, Roumen Petrov

Re: [openssl.org #2718] openssl-fips-1.2.3: testsuite failures (SIGILL / Illegal instruction)

the build GCC 4.6.1 warn user for bad cast and that application will terminate it code is reached. I note this on 64-bit platform with gcc 4.5.2 and as Steve suggest I switch to 0.9.8x fips build. Regards, Roumen Petrov

Re: mdc2 algorithm and 0.9.8x, 1.0.0x and upcoming 1.01

Dr. Stephen Henson wrote: [SNIP] Should be fixed now, see: http://cvs.openssl.org/chngview?cn=22124 to make OpenSSL understand both formats when verifying and: http://cvs.openssl.org/chngview?cn=22126 to use the same format as older versions of OpenSSL when creating signatures. 10x . I confirm

Re: mdc2 algorithm and 0.9.8x, 1.0.0x and upcoming 1.01

Dr. Stephen Henson wrote: On Wed, Feb 01, 2012, Roumen Petrov wrote: [SNIP] Looking into this there is a long standing incompatibility between various functions that use mdc2 for signatures. Since SSLeay the function RSA_sign() using mdc2 as an argument uses a DigestInfo structure whereas

mdc2 algorithm and 0.9.8x, 1.0.0x and upcoming 1.01

be verified only with 1.0.1 and verification fail with earlier version. Issue with certificates apply to CRLs Regards, Roumen Petrov P.S. high level log with test case failure: === entering .../origin+x509-7.1x-0.9.8t/... ... testing with OpenSSL 0.9.8t 18 Jan 2012 ... testid_rsa-rsa_mdc2.crt

DTLS-SRTP and mingw

One of recent changes is Add DTLS-SRTP negotiation from RFC 5764. After update build fail for HEAD . The simple solution is to move function declarations from srtp.h to tls1.h int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles); int SSL_set_tlsext_use_srtp(SSL *ctx,

2011-10-12 head, test fail , TLSv1.2 related ?

Hi, One of the changes is past week is to not enable ... sorry I remove diffs files and I cannot remember exact change (file, date, etc)... Result is that now regression test in head fail with : ...:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:rsa_sign.c:119:

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

Nick Lewis via RT wrote: Roumen Thank you for looking at the patch [SNIP] + if (issuer_num (issuer_num x_num)) Please find a corrected version below Best Regards Nick [SNIP] With update version i confirm that regression test of a software now pass with OpenSSL HEAD

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

Nick Lewis via RT wrote: Roumen Thank you for looking at the patch [SNIP] + if (issuer_num (issuer_num x_num)) Please find a corrected version below Best Regards Nick [SNIP] With update version i confirm that regression test of a software now pass with OpenSSL HEAD

Re: Engines memory-management problems

Dmitry Belyavsky wrote: Greetings! On Thu, Sep 22, 2011 at 3:00 AM, Roumen Petrov open...@roumenpetrov.info wrote: [SNIP] What is result if register__gost methotds are moved from bind to init ? Double-free occurs too. The openssl speed -engine gost -evp gost89 is successful

Re: Engines memory-management problems

Hi Dmitry, Dmitry Belyavsky wrote: Greetings! During the 1.x version the current scheme of algorithms providing through engines was implemented. Debugging our (Cryptocom LTD) engines, I’ve found some troubles in the way it works, please tell me where I’m mistaken. Openssl is configured with

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

Nick Lewis via RT wrote: The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not work correctly for some combinations of ctx-chain, x and issuer. For example when the cert x is in the chain at a location other than the top, a path loop is incorrectly declared. Also if the

Re: [openssl.org #2594] Problem with X509 path loop detection - PATCH

Nick Lewis via RT wrote: The path loop detection in crypto/x509/x509_vfy.c:check_issued() does not work correctly for some combinations of ctx-chain, x and issuer. For example when the cert x is in the chain at a location other than the top, a path loop is incorrectly declared. Also if the

Re: [openssl.org #2504] Cross Compile MinGW DLLs on Linux

Marc Wäckerlin via RT wrote: Hi OpenSSL I managed to Cross Compile OpenSSL on Linux so that I can develop OpenSSL applications that run on Windows entireliy inside a Linux build environment. It even builds the executables and the DLLs on Linux. Please add my changes to the official Configure

Re: [openssl.org #2504] Cross Compile MinGW DLLs on Linux

Marc Wäckerlin via RT wrote: Hi OpenSSL I managed to Cross Compile OpenSSL on Linux so that I can develop OpenSSL applications that run on Windows entireliy inside a Linux build environment. It even builds the executables and the DLLs on Linux. Please add my changes to the official

Re: MinGW building from cmd.exe woes

Darryl Miles wrote: [SNIP] Tried using: ms\mingw32.bat [SNIP] Try with ./Configure mingw . Roumen __ OpenSSL Project http://www.openssl.org Development Mailing List

Re: MinGW building from cmd.exe woes

Darryl Miles wrote: Roumen Petrov wrote: [SNIP] I have tried using perl Configure mingw ... manually but I have not been able to find a combination that works to produce a usable Makefile that mingw32-make.exe (a version of GNU Make) can use. May be issue is to find working version of mingw

Re: [openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.

Andrey Kulikov via RT wrote: Hello, Please find file attached: server_cert_from_engine4.patch This is a patch to allow loading server SSL certificate by ENGINE. [SNIP] After applying this patch s_server will accept -certform ENGINE option. This patch supplied by Stonesoft Corporation,

Re: [openssl.org #2463] [PATCH]: OpenSSL 1.0.0d: Add abbility to load server certificate by ENGINE.

Andrey Kulikov via RT wrote: Hello, Please find file attached: server_cert_from_engine4.patch This is a patch to allow loading server SSL certificate by ENGINE. [SNIP] After applying this patch s_server will accept -certform ENGINE option. This patch supplied by Stonesoft Corporation, who

[openssl.org #2454] enable engine key for dsa command

Obsolete code prevent dsa command to use keys stored into engine. The attached patch remove open of input file and left all to load_xxx functions. See for reference rsa command that work fine. Roumen Index: apps/dsa.c === RCS file:

[openssl.org #2455] print dsa pubin/pubout options

See attached file with patch for openssl dsa command: print -pubin/-pubout options. Also -engine flags is moved at same position as for rsa command. Roumen Index: apps/dsa.c === RCS file:

Re: [openssl.org #2443] mkdef.pl cannot handle FIPS related functions

Dr. Stephen Henson wrote: [snip] I've updated the sources so they are now avaiable outside FIPS mode. Steve. 10x solved, please close. Roumen __ OpenSSL Project http://www.openssl.org

[openssl.org #2443] mkdef.pl cannot handle FIPS related functions

The mingw cross-build of current HEAD(2011-01-31) fail : WARNING: mkdef.pl doesn't know the following algorithms: NEXTPROTONEG Creating library file: libcrypto.dll.a Cannot export FIPS_dh_free: symbol not defined . Cannot export RSA_X931_generate_key_ex: symbol not defined collect2:

Re: [openssl.org #2443] mkdef.pl cannot handle FIPS related functions

Stephen Henson via RT wrote: [open...@roumenpetrov.info - Thu Feb 03 16:36:58 2011]: The mingw cross-build of current HEAD(2011-01-31) fail : WARNING: mkdef.pl doesn't know the following algorithms: NEXTPROTONEG Creating library file: libcrypto.dll.a Cannot export FIPS_dh_free: symbol

Re: [openssl.org #2374] [PATCH] mingw32 cant compile e_capi.c (1.0.0b)

Guenter via RT wrote: Hi, it seems that all native MingW32 versions (tested with MingW32 4.50) lack of stuff to compile e_capi.c: [SNIP] make[1]: *** [e_capi.o] Error 1 make[1]: Leaving directory `/d/openssl-1.0.0b/engines' Therefore I've added some more define tests to OpenSSL 1.0.0b

Re: [openssl.org #2374] [PATCH] mingw32 cant compile e_capi.c (1.0.0b)

Guenter via RT wrote: Hi, it seems that all native MingW32 versions (tested with MingW32 4.50) lack of stuff to compile e_capi.c: [SNIP] make[1]: *** [e_capi.o] Error 1 make[1]: Leaving directory `/d/openssl-1.0.0b/engines' Therefore I've added some more define tests to OpenSSL 1.0.0b

Re: [openssl.org #2246] dtls1.h includes winsock.h, overriding the #undefs from ossl_typ.h on Windows

M.-A. Lemburg via RT wrote: An application that only includes openssl/ssl.h from OpenSSL 1.0.0 and doesn't use winsock.h will run into problems on Windows, since the dtls1.h header file includes the winsock.h header file long after the ossl_typ.h header file was loaded. What about to define

Re: [openssl.org #2246] dtls1.h includes winsock.h, overriding the #undefs from ossl_typ.h on Windows

M.-A. Lemburg via RT wrote: An application that only includes openssl/ssl.h from OpenSSL 1.0.0 and doesn't use winsock.h will run into problems on Windows, since the dtls1.h header file includes the winsock.h header file long after the ossl_typ.h header file was loaded. What about to define

underscore in function name (OPENSSL_isservice)

Hello all, Check-in [19505] and [19557] cryptlib.c: allow application to override OPENSSL_isservice adds call for GetProcAddress with argument name of function that start with underscore. The function OPENSSL_isservice is specific for windows platforms and on those platforms in not well

Re: [PATCH] for compiling OpenSSL 1.0.0 (3/29/10) using MinGW

Ray Satiro wrote: Third time's the charm, hopefully... -- Without this patch the make will error with Pick one target type from and a list of assembler types. mingw32-make: *** [tmp\x86cpuid.asm] Error 1 -- I had to make some changes to compile OpenSSL 1.0.0 (3/29/10) using MinGW. The

Re: Windows support baseline [was: Unwanted dependencies to user32.dll]

William A. Rowe Jr. wrote: On 3/16/2010 4:53 PM, Kees Dekker wrote: * I saw a lot of NT4 code. What NT4 code? You must be referring to _WIN32_WINNT macro sometimes set to 0x400. It does not denote NT4-specific code, it denotes that NT4 is required *minimum*. Meaning that it targets *all*

  1   2   >