
Current master branch doesn't compile - fails "make depend"


Configuration:

$ ./Configure darwin64-x86_64-cc enable-rfc3779 enable-rc5 enable-md2 enable-deprecated experimental-jpake threads zlib enable-ec_nistp_64_gcc_128 shared --prefix=/Users/ur20980/src/openssl-1.1 --openssldir=/Users/ur20980/src/engines-1.1

The symptom:

making depend in crypto...
In file included from init.c:62:
../include/internal/conf.h:40:9: error: 'HEADER_INTERNAL_CONF_H' is used as a header guard here, followed by #define of a different macro [-Werror,-Wheader-guard]
#ifndef HEADER_INTERNAL_CONF_H
        ^~~~~~~~~~~~~~~~~~~~~~
../include/internal/conf.h:41:10: note: 'INTERNAL_CONF_H' is defined here; did you mean 'HEADER_INTERNAL_CONF_H'?
# define INTERNAL_CONF_H
         ^~~~~~~~~~~~~~~
         HEADER_INTERNAL_CONF_H
1 error generated.
make[1]: *** [depend] Error 1
make: *** [depend] Error 1
$
-- 
Regards,
Uri Blumenthal
Attachment (smime.p7s): application/pkcs7-signature, 5849 bytes

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
Richard Levitte | 10 Feb 14:54 2016

refactor-build branch now in master

Hi,

this is just a quick message to tell you guys that the refactor-build
branch has now been merged into master.  The branch on github will
therefore be removed.

Thanks to all that helped so far.  I'm sure it's not entirely bug free
yet, so please help out checking it further.

On the unix platforms, you will notice that Configure tries to nudge
you to try --unified if you haven't already.  Please do try it, the
more it's tested, the better it will be.

Cheers,
Richard

-- 
Richard Levitte         levitte <at> openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

Benjamin Kaduk | 10 Feb 04:05 2016

When the ocsp client is not really a client, to verify or not to verify

The ocsp utility is something of a jack-of-all-trades; in addition to
being able to function as an ocsp client or server (as the manual page
categorizes its behavior), it can do a few things that are not really
client or server behavior: generating a request but not sending it,
parsing a response from file, and mucking around in the revocation
database to get the status of a certificate by bypassing the protocol.

The middle case has something of a mismatch between the documentation
and the code, though -- the example in the manual page seems to indicate
that "openssl ocsp -respin resp.der -text" will just do a conversion of
the response from DER to text form, but in actuality, the utility will
also attempt to perform validation on the response, which is likely to
fail since no -CApath or -CAfile argument is given.  (It is possible
that the default trust stores could suffice to verify the input
response, but that seems unlikely in most cases.)  The other two cases I
mentioned above do not suffer from this ambiguity, since if a request is
just generated but not sent, there is no response to attempt to validate
(so the utility returns success), and if the utility is just checking
the server-side database, the check "[i]f running as responder don't
verify our own response" triggers an early (success) return.

I see arguments on both sides (that "openssl ocsp -respin resp.der
-text" should or should not attempt validation), but am currently
leaning towards the status quo that the "client side" always attempts
validation, for consistency and simplicity of code -- the risk of having
another code path that skips validation and might be overzealous is
bigger than the burden of just adding -noverify to the documented example.

I've filed https://github.com/openssl/openssl/pull/650 with a commit
that implements that behavior (as well as several other fixups to the
ocsp utility and manual page), but am happy to modify it if an alternate
resolution is preferred.

-Ben
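The mismatch Ben describes is easy to see end to end. The following POSIX shell script is an added example, not code from Ben's post or from the OpenSSL project: it builds a throwaway CA, one leaf certificate, a hand-written index.txt entry and an OCSP request, has the ocsp utility answer that request in responder mode, and then runs the documented "openssl ocsp -respin resp.der -text" command three ways: as written, with -CAfile pointing at the test CA, and with -noverify. It assumes an openssl binary (1.1.x or 3.x) on PATH; the CA name, file names and the index line are constructed for the demo. The outcome is classified by the status line the utility prints on stderr rather than by exit code, so the same check works across versions.

```shell
#!/bin/sh
# Added example (not from the list post or the OpenSSL sources): build a
# throwaway CA and OCSP response, then run the documented
# "openssl ocsp -respin resp.der -text" command three ways.
# Assumes an openssl binary (1.1.x or 3.x) on PATH; every name and file
# below is constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# build_test_pki: self-signed CA, one leaf certificate, a hand-written
# index.txt entry for it, an OCSP request, and a response signed by the CA.
build_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Example-Test-CA \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj /CN=leaf \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
    serial=$(openssl x509 -in "$WORK/leaf.pem" -noout -serial | cut -d= -f2)
    # Index line in the "openssl ca" format the ocsp responder reads:
    # status, expiry (constructed), revocation date (empty), serial, file, subject.
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=leaf\n' "$serial" > "$WORK/index.txt"
    # Request generated but not sent: one of the "not really a client" cases.
    openssl ocsp -issuer "$WORK/ca.pem" -cert "$WORK/leaf.pem" \
        -reqout "$WORK/req.der" >/dev/null 2>&1
    # Responder mode: answers from the index and writes the DER response;
    # the utility does not verify its own response here.
    openssl ocsp -index "$WORK/index.txt" -CA "$WORK/ca.pem" \
        -rsigner "$WORK/ca.pem" -rkey "$WORK/ca.key" \
        -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
}

# parse_response [extra openssl ocsp options]: runs the documented conversion
# command and classifies the verification side by the status line the utility
# prints on stderr. Prints one of: verify-failed, verify-ok, not-verified.
parse_response() {
    msgs=$(openssl ocsp -respin "$WORK/resp.der" -text "$@" 2>&1 >/dev/null || true)
    case "$msgs" in
        *"Response Verify Failure"*) echo verify-failed ;;
        *"Response verify OK"*)      echo verify-ok ;;
        *)                           echo not-verified ;;
    esac
}

build_test_pki
echo "documented command, default trust store:   $(parse_response)"
echo "same command with -CAfile for the test CA: $(parse_response -CAfile "$WORK/ca.pem")"
echo "same command with -noverify:               $(parse_response -noverify)"
```

Run it with sh. The first line is the case the manual page documents: the response is decoded and printed, but the utility also reports "Response Verify Failure", because the test CA is not in the default trust store. Supplying -CAfile turns that into "Response verify OK", and -noverify skips the check entirely, which is the one-flag change Ben proposes for the documented example.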

Rich Salz via RT | 10 Feb 02:31 2016

[openssl.org #4286] Debug in OpenSSL

there is not enough information for us to reproduce the error, if there is one,
and it looks like a build configuration issue on your platform. please discuss
this on the openssl-users list.
--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4286
Please log in as guest with password guest if prompted


Rich Salz via RT | 10 Feb 02:18 2016

[openssl.org #4294] [bug] failed to install in Ubuntu

believed fixed. open new ticket if not.
--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4294
Please log in as guest with password guest if prompted


Rich Salz via RT | 10 Feb 02:15 2016

[openssl.org #4295] help cleanup in dgst, pkeyutl cmds

commit a173a7e thanks.
--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4295
Please log in as guest with password guest if prompted


Rich Salz via RT | 10 Feb 02:14 2016

[openssl.org #4123] Query regarding dummy variable inside crypto

fixed with commit effaf4d.
--
Rich Salz, OpenSSL dev team; rsalz <at> openssl.org

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4123
Please log in as guest with password guest if prompted


Engstrom, John via RT | 9 Feb 23:25 2016

[openssl.org #4300] BUG: Solaris FIPS container does not redefine bn_mul_mont_fpu in fipssyms.h

When building an OpenSSL shared library on Solaris with FIPS support you get a multiply defined symbol error:

ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined: 
(file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file 
libcrypto.a(sparcv9a-mont.o) type=FUNC); 
ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0 
make[4]: *** [link_a.solaris] Error 1 

This traces back to the fipssyms.h header file NOT defining bn_mul_mont_fpu when building the
fipscanister.  NOTE: the bn_mul_mont_fpu function in the SPARC assembly file (sparcv9a-mont.s) would
also need to get redefined as fips_bn_mul_mont.

Thanks,
John Engstrom
john.engstrom <at> tditechnologies.com

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4300
Please log in as guest with password guest if prompted


Hubert Kario via RT | 9 Feb 16:26 2016

Re: [openssl.org #4299] s_server cmd

On Tuesday 09 February 2016 03:44:43 J Mohan Rao Arisankala via RT 
wrote:
>    - trusted_first option can be removed, as it is always enabled in
> 1.1.
> But not removed the option, require confirmation.

-trusted_first and the alternative chains (-no_alt_chains) work a bit 
differently so you can't say it is always enabled

in edge cases you will get different chains or validation failures 
depending on options set

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4299
Please log in as guest with password guest if prompted

Matt Caswell via RT | 9 Feb 16:22 2016

[openssl.org #3824] FEATURE: Please provide a function to unintialize the library

On Wed Apr 29 05:10:28 2015, noloader <at> gmail.com wrote:
> This question crops up on occasion: How do you shutdown the OpenSSL
> library. See, for example:
>
> * "How to properly uninitialize OpenSSL",
> http://stackoverflow.com/questions/29845527/how-to-properly-
> uninitialize-openssl.
> * "Order of Cleanup to avoid memory leaks?",
> http://comments.gmane.org/gmane.comp.encryption.openssl.user/50784
>
> If you look at an answer like questions and answers
> http://comments.gmane.org/gmane.comp.encryption.openssl.user/50784,
> it's non-trivial to get right. There were at least ***8*** cleanup
> calls, and 1 was still missed.
>
> In addition, there are some things that cannot be cleaned up because
> they are not accessible outside the library. For example:
>
> * ssl_comp_methods
> *
> https://rt.openssl.org/Ticket/Display.html?id=2561&user=guest&pass=guest
> *
> http://rt.openssl.org/Ticket/Display.html?id=2439&user=guest&pass=guest
> * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=584968.
>
> Please provide a function to uninitialize the library. I imagine it
> would be similar to SSL_library_init(). But rather than having it
> create things, it would cleanup things.

Done.

In fact master now auto-initialises and deinitialises so no explicit init or
cleanup is required at all in most cases. There are some exceptions - see the
OPENSSL_INIT_crypto_library_start() and OPENSSL_INIT_ssl_library_start() man
pages in the latest master. Where explicit init and deinit is required there is
now a single function for each.

Closing this ticket.

Matt

-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3824
Please log in as guest with password guest if prompted

