Andrey Kulikov via RT | 21 Sep 13:08 2014

[openssl.org #3538] 1.0.1h make test fails on test_verify - Debian x64

# uname -a
Linux deb7 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
# gcc --version
gcc-4.7.real (Debian 4.7.2-5) 4.7.2

./config && make && make test
fails with the following:

The following command should have some OK's and some failures
There are definitly a few expired certificates
../util/shlib_wrap.sh ../apps/openssl verify -CApath ../certs/demo
../certs/demo/*.pem
47536097586952:error:0B06E06B:x509 certificate
routines:X509_get_pubkey_parameters:unable to find parameters in
chain:x509_vfy.c:1814:
../certs/demo/ca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd,
CN = Test CA (1024 bit)
error 20 at 0 depth lookup:unable to get local issuer certificate
../certs/demo/dsa-ca.pem: C = AU, ST = Some-State, O = Internet Widgits Pty
Ltd, CN = CA
error 20 at 0 depth lookup:unable to get local issuer certificate
../certs/demo/dsa-pca.pem: C = AU, ST = Some-State, O = Internet Widgits
Pty Ltd, CN = PCA
error 18 at 0 depth lookup:self signed certificate
C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = PCA
error 10 at 0 depth lookup:certificate has expired
OK
../certs/demo/pca-cert.pem: C = AU, ST = Queensland, O = CryptSoft Pty Ltd,
CN = Test PCA (1024 bit)
error 18 at 0 depth lookup:self signed certificate

Andy Polyakov via RT | 19 Sep 23:54 2014

Re: [openssl.org #3165] tru64-alpha-cc compatibility fixes

>> I suggest to resort for adding -DOPENSSL_USE_IPV6=0 at config time. I
>> couldn't reproduce the problem on two different systems, so it's some
>> problem with yours.
> 
> What system(s) are you testing on?

We have discussed it earlier, 5.1. And was under impression that you
target 5.1 too. You had older compiler, but system headers should have
been same.

> Mine is "Digital UNIX V4.0G (Rev. 1530)".

Even more reason to resort additional argument. I mean if something is
broken and/or is not up to contemporary standard, why is it source code
that is expected to be twisted to accommodate outdated system? When it's
possible to work around the problem without modifying code.

>> It's being discussed internally. BTW, defining inline with
>> defined(__DECC) is formally incorrect, because DEC C *would* accept
>> inline if you pass -c99.
> 
>     $ which cc
>     /usr/ccs/bin/cc
> 
>     $ cc -c hello.c
>     cc: Error: hello.c, line 1: Missing ";". (nosemi)
>     static inline int foofunc(void)
>     --------------^
> 
>     $ cc -c99 -c hello.c

Andy Polyakov via RT | 19 Sep 21:36 2014

Re: [openssl.org #3165] tru64-alpha-cc compatibility fixes

Hi,

>>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=d1cf23ac86c05b22b8780e2c03b67230564d2d34
>> With cross-reference to
>> http://rt.openssl.org/Ticket/Display.html?id=3333 can you confirm that
>> preproc=/tmp/$$$$.$@.S assignment works?
> 
> Thanks for following this up.
> 
> The only issues I'm seeing on Tru64 V4 from OpenSSL now are code-related
> build errors; your makefile changes are good.
> 
> Starting with a plain ./config (defaults for everything), I get two
> build errors, described below. Once those are fixed---and the attached
> patch has my changes---the build completes successfully, and the test
> suite passes.
> 
> 
> Error the first:
> 
> cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -DOPENSSL_THREADS -pthread -DDSO_DLFCN -DHAVE_DLFCN_H -std1 -tune host -fast -readonly_strings -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DGHASH_ASM -c b_sock.c
> cc: Error: b_sock.c, line 630: The member "sa_in6" has an incomplete type. (incompmem)
> 		struct sockaddr_in6 sa_in6;
> ------------------------------------^
> cc: Error: b_sock.c, line 862: The member "sa_in6" has an incomplete type. (incompmem)
> 		struct sockaddr_in6 sa_in6;
> ------------------------------------^
> *** Exit 1

Tomas Mraz via RT | 19 Sep 11:59 2014

[openssl.org #3537] Bug in TS_check_status_info() and misleading comments

In the TS_check_status_info() there is bug where instead of appending
the ',' character to the failure info texts this character overwrites
the previous failure info text with strcpy() call.

Also the TS_STATUS_BUF_SIZE is named incorrectly as it does not relate
to status text but to the failure info text.

The attached patch fixes these minor bugs.

-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)
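
The overwrite-instead-of-append behaviour reported in #3537, as an added illustration that is not taken from the attached patch or from OpenSSL's source. The function names and the bitmask interface are hypothetical; the failure-info names are a constructed sample that follows RFC 3161.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample table; the names follow RFC 3161 PKIFailureInfo. */
static const char *const failure_names[] = {
    "badAlg", "badRequest", "badDataFormat", "timeNotAvailable"
};
#define N_NAMES (sizeof(failure_names) / sizeof(failure_names[0]))
/* Reported pattern: strcpy() of the separator restarts the buffer. */
static void join_buggy(unsigned bits, char *out)
{
    int first = 1;
    out[0] = '\0';
    for (size_t i = 0; i < N_NAMES; i++) {
        if (!(bits & (1u << i)))
            continue;
        if (!first)
            strcpy(out, ",");   /* overwrites the earlier entries */
        first = 0;
        strcat(out, failure_names[i]);
    }
}

/* Corrected: append with a bounds check; returns -1 if it does not fit. */
static int join_fixed(unsigned bits, char *out, size_t outlen)
{
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < N_NAMES; i++) {
        if (!(bits & (1u << i)))
            continue;
        int n = snprintf(out + used, outlen - used, "%s%s",
                         used ? "," : "", failure_names[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

int main(void)
{
    char a[64], b[64];
    join_buggy(0x7, a);
    join_fixed(0x7, b, sizeof b);
    printf("buggy: %s\nfixed: %s\n", a, b);
    return 0;
}
```

With three failure bits set, the buggy variant reports only the last one, so a verifier log would hide the other reasons a time-stamp response was rejected.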

Fedor Indutny | 19 Sep 10:30 2014

Re: [openssl.org #3528] [PATCH] ssl: SSL_MODE_ASYNC_KEY_EX

And an additional follow-up, with docs and refined code.

On Fri, Sep 19, 2014 at 2:48 AM, Fedor Indutny <fedor <at> indutny.com> wrote:

Here is an example of how it could be used (in my TLS terminator):


Basically, if you have ever used async SSL API, you should be
aware of things like:

    SSL_ERROR_WANT_READ
    SSL_ERROR_WANT_WRITE

In addition to these two, my patch adds:

    SSL_ERROR_WANT_SIGN
    SSL_ERROR_WANT_RSA_DECRYPT

If one of these is returned - you may get the data that should
be signed/decrypted with:

    SSL_get_key_ex_data()
    SSL_get_key_ex_len()

Get the key type (in case of SIGN):

    SSL_get_key_ex_type()
    // Returns EVP_PKEY_RSA, EVP_PKEY_ECC

And get signature digest nid with:

    SSL_get_key_ex_md()

Please be aware of the fact that `md` could be `NID_md5_sha1`,
take a look at bud's code to figure out what should be done in
this case (basically, you'll need to use raw
`RSA_decrypt_private()`).

After performing sign/decrypt (which could happen in other
thread, or on a different server) you should call:

    SSL_supply_key_ex()

to supply the result and continue handshake process. At
this point `SSL_read()`/`SSL_write()` will start returning
proper values.


On Sat, Sep 13, 2014 at 10:59 PM, Fedor Indutny <fedor <at> indutny.com> wrote:
Here is an additional patch, to expose the type of key that should be used for a signature.

On Thu, Sep 11, 2014 at 10:59 AM, Fedor Indutny via RT <rt <at> openssl.org> wrote:

Hello devs!

Here is a patch that implements asynchronous RSA key operation
mode for a TLS/SSL implementation in OpenSSL.

Here is some technical info about it:

Support async RSA exchange by providing new SSL_want_rsa_sign(),
SSL_want_rsa_decrypt() API methods.

After getting such want values - SSL_supply_key_ex_data() should be
invoked to continue handshake with a sign/decrypt data that was received
from the remote server.
---
 ssl/s3_srvr.c  | 398 ++++++++++++++++++++++++++++++++++++++++-----------------
 ssl/ssl.h      |  28 ++++
 ssl/ssl3.h     |   6 +
 ssl/ssl_lib.c  |  31 ++++-
 ssl/ssl_locl.h |   2 +
 ssl/ssl_rsa.c  |  24 ++--
 ssl/ssltest.c  | 116 ++++++++++++++++-
 test/testssl   |   6 +
 8 files changed, 475 insertions(+), 136 deletions(-)

Attachment (0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch): application/octet-stream, 43 KiB
Attachment (0001-ssl-SSL_MODE_ASYNC_KEY_EX.patch.sig): application/octet-stream, 733 bytes

Rich Salz via RT | 19 Sep 03:49 2014

[openssl.org #3291] Patch/enhancement to CA.pl script

Right, doc updated:
commit e8185aea878a5a83712ad40a2740edc47442a1c3
Author: Rich Salz <rsalz <at> openssl.org>
Date: Thu Sep 18 21:45:41 2014 -0400

RT3291: Add -crl and -revoke options to CA.pl

Document the new features

Reviewed-by: Tim Hudson <tjh <at> openssl.org>
---

--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Darío B via RT | 19 Sep 00:21 2014

Re: [openssl.org #3291] Resolved: Patch/enhancement to CA.pl script

Thanks for taking into consideration my small contribution. I guess this
will also impact on an update of the documentation.

2014-09-08 17:22 GMT+02:00 Rich Salz via RT <rt <at> openssl.org>:

> According to our records, your request has been resolved. If you have any
> further questions or concerns, please respond to this message.
>

Matt Caswell via RT | 18 Sep 22:53 2014

[openssl.org #3530] Problems measuring openssl speed

On Wed Sep 17 21:41:01 2014, beldmit <at> gmail.com wrote:
> Hello Matt,
>
> the improved patch is attached. It uses the EVP_DigestSign* API
> instead of
> EVP_digest and does not modify any header files.
>
> Thank you!

Hi Dmitry

There are still some significant problems with this patch as it is currently
written.

We don't really want to have lots of engine specific code within the apps.
Ideally we should be writing for the generic case...and then it should just
"work" (or at least with a bare minimum of tweaking) for an engine specific
implementation.

By writing this just for gost-mac, I think you are making assumptions about how
things work generally. As I said in my previous response I would write this for
HMAC/CMAC first, and then extend to gost-mac as required.

I'm not convinced that the overloading of the evp option to do lots of
different things is going to work out too well. It's already overloaded to
handle ciphers and digests...and the code tries to work out which one you have
supplied. You are overloading it further (but your approach only works for one
mac). It could probably be made to work...but only after jumping through
various hoops to get there.

I'm also not convinced that you are timing the right thing. You are setting up
the context, generating a new mac key, freeing the key and freeing the context
all within the timing loop...which doesn't seem right.

For all of the above reasons I am rejecting this patch at the current time.

Matt

Rich Salz via RT | 18 Sep 22:43 2014

[openssl.org #2301] Re: Slow crypto initialization.

Fixed in master and 1.0.2
OpenSSL_1_0_2-stable 5015a93 RT2301: GetDIBits, not GetBitmapBits in rand_win
master 99b00fd RT2301: GetDIBits, not GetBitmapBits in rand_win

Author: Jake Goulding <goulding <at> vivisimo.com>
Date: Fri Sep 5 11:13:23 2014 -0400

RT2301: GetDIBits, not GetBitmapBits in rand_win

GetDIBits has been around since Windows2000 and
BitBitmapBits is an old Win16 compatibility function
that is much slower.

Reviewed-by: Tim Hudson <tjh <at> openssl.org>

--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org

Michal Bozon via RT | 18 Sep 17:17 2014

[openssl.org #3535] TS high-precision time malformation - demo fix

There is one missing step in the script above:

  echo foo | openssl ts -query -out /tmp/x.tsq

(to be added e.g. below the "EOF" line)

Michal Bozon

Michal Bozon via RT | 18 Sep 13:55 2014

[openssl.org #3535] TS high-precision time malformation - demo

Quick demonstration - doing a statistics on first
decimal place digit of large number of time-stamps:

----- sample output:
...
### BEFORE:
0: 0%         <--- !
1:11%
2:11%
3:11%
4:10%
5:11%
6:11%
7:12%
8:12%
9:11%
### AFTER:
0:10%
1:10%
2:10%
3:10%
4:10%
5:10%
6:10%
7:10%
8:10%
9:10%

----- script:
#!/bin/sh

cp apps/openssl.cnf /tmp/ossl.cnf

cat <<EOF >> /tmp/ossl.cnf
[ tsa_test ]
basicConstraints=CA:TRUE
extendedKeyUsage=critical,timeStamping
[ tsr_test ]
clock_precision_digits  = 6
serial = /tmp/serial
default_policy = 2.999.0
digests = sha1
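EOF

# Step from the follow-up message: create the time-stamp query used below.
echo foo | openssl ts -query -out /tmp/x.tsq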

openssl req -x509 -newkey rsa:2048 -config /tmp/ossl.cnf -nodes -batch \
  -extensions tsa_test -out /tmp/tsa_.pem -keyout /tmp/tsa_.pem

for ossl in openssl /usr/local/ssl/bin/openssl; do
  [ $ossl = openssl ] && echo "### BEFORE:" || echo "### AFTER:"
  for i in `seq 1 2000`; do
    $ossl ts -reply -config /tmp/ossl.cnf -queryfile /tmp/x.tsq \
      -signer /tmp/tsa_.pem -inkey /tmp/tsa_.pem -section tsr_test \
      | openssl ts -reply -in /dev/stdin -text \
      | grep '^Time stamp'
  done 2>/tmp/osslerr.out | perl -ne \
    '/\.(\d)/;$h{$1}++}{for(0..9){printf"%i:%2.f%%\n",$_,100*$h{$_}/$.}'
done
