From rt at openssl.org Tue Mar 1 04:12:37 2016 From: rt at openssl.org (Hejian via RT) Date: Tue, 01 Mar 2016 04:12:37 +0000 Subject: [openssl-dev] [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm In-Reply-To: References: Message-ID: Hi? we met crash of openssl (varely, 3 times i have seen) on linux x86_64. openSSL version is 1.0.1r. The stack is as below: Program terminated with signal 11, Segmentation fault. Thread 1 (Thread 0x7f0654871700 (LWP 22383)): #0 0x00007f06a2cdddb8 in sha1_block_data_order_ssse3 () from *****/libcrypto.so.1.0.0 #1 0xca62c1d6ca62c1d6 in ?? () #2 0xca62c1d6ca62c1d6 in ?? () #3 0xca62c1d6ca62c1d6 in ?? () We find the similar issue on https://rt.openssl.org/, the ticket id is 3191 . Can u help me confirm is it the same issue ? And where can I get the commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 ? Ths ! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From atulthosar at gmail.com Tue Mar 1 04:12:45 2016 From: atulthosar at gmail.com (Atul Thosar) Date: Tue, 1 Mar 2016 09:42:45 +0530 Subject: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol In-Reply-To: References: Message-ID: Any thoughts/pointers? Including openssl-users group in hope if any one aware of this issue. -- ?BR , Atul Thosar On 29 February 2016 at 00:15, Atul Thosar wrote: > Hi All, > I am building OpenSSL v1.0.2f for Win32 platform, but compilation failed > w/ following errors. I googled a bit, but could not locate the exact > cause. Appreciate if anyone could help. Thanks in Advance. > > rc /fo"tmp32dll\libeay32.res" /d CRYPTO ms\version32.rc > link /nologo /subsystem:console /opt:ref /debug /dll > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def > @C:\Users\athosar\AppData\Local\Temp\nm43EB.tmp > Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp > cryptlib.obj : error LNK2001: unresolved external symbol _OPENSSL_ia32cap_P > cryptlib.obj : error LNK2019: unresolved external symbol > _OPENSSL_ia32_cpuid referenced in function _OPENSSL_cpuid_setup > md5_dgst.obj : error LNK2019: unresolved external symbol > _md5_block_asm_data_order referenced in function _MD5_Update > sha1dgst.obj : error LNK2019: unresolved external symbol > _sha1_block_data_order referenced in function _SHA1_Update > sha256.obj : error LNK2019: unresolved external symbol > _sha256_block_data_order referenced in function _SHA256_Update > sha512.obj : error LNK2019: unresolved external symbol > _sha512_block_data_order referenced in function _SHA512_Final > > out32dll\libeay32.dll : fatal error LNK1120: 6 unresolved externals > NMAKE : fatal error U1077: '"c:\Program Files (x86)\Microsoft Visual > Studio 8\VC\BIN\link.EXE"' : return code '0x460' > Stop. > > > Build machine configurations are - > > OS: Windows 7, 64 bit > Compiler: Visual Studio 2005 > Active Perl Version: v5.16.3 > > Initial commands given to configure OpenSSL are - > > perl Configure VC-WIN32 no-asm --prefix= > ms\do_ms > nmake -f ms\ntdll.mak > > > -- > ?BR, > Atul Thosar > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From michel.sales at free.fr Tue Mar 1 08:35:24 2016 From: michel.sales at free.fr (Michel) Date: Tue, 1 Mar 2016 09:35:24 +0100 Subject: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol In-Reply-To: References: Message-ID: <000c01d17395$4d0e7710$e72b6530$@sales@free.fr> Hi, FWIW, trying the exact same configure commands on OpenSSL 1.0.2f : perl Configure VC-WIN32 no-asm --prefix= ms\do_ms nmake -f ms\ntdll.mak I was NOT able to reproduce the problem under Windows 7 64 bits using Visual Studio 2013 and Perl 5.22.1. Everything goes fine. Michel. -------------- next part -------------- An HTML attachment was scrubbed... URL: From kotamarthyd at gmail.com Tue Mar 1 09:48:21 2016 From: kotamarthyd at gmail.com (Kanaka Kotamarthy) Date: Tue, 1 Mar 2016 15:18:21 +0530 Subject: [openssl-dev] (no subject) Message-ID: Hi I am trying to test behaviour of Openssl in resumption rejection case. I am using with Openssl-1.1.0 pre2 version. When using Openssl as client and other ssl library as server, Initially client and server accepts on resumption, later server expects client rejected the resumption and sends server hello with different protocol version and cipher suite. What will be behaviour of Openssl in this case? when I test this on Openssl I get wrong ssl version error. But, When I run same thing on Broingssl, I get no error, handshake was success full with new protocol version. Can someone help me with this? Thank you Durga. From rt at openssl.org Tue Mar 1 12:52:17 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Tue, 01 Mar 2016 12:52:17 +0000 Subject: [openssl-dev] [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm In-Reply-To: <56D59088.2070006@openssl.org> References: <56D59088.2070006@openssl.org> Message-ID: Hi, > we met crash of openssl (varely, 3 times i have seen) on linux x86_64. > openSSL version is 1.0.1r. > > The stack is as below: > Program terminated with signal 11, Segmentation fault. > Thread 1 (Thread 0x7f0654871700 (LWP 22383)): > #0 0x00007f06a2cdddb8 in sha1_block_data_order_ssse3 () > from *****/libcrypto.so.1.0.0 > #1 0xca62c1d6ca62c1d6 in ?? () > #2 0xca62c1d6ca62c1d6 in ?? () > #3 0xca62c1d6ca62c1d6 in ?? () > > We find the similar issue on https://rt.openssl.org/, the ticket id is 3191 . > Can u help me confirm is it the same issue ? Not with presented information :-( You need to complement it with output from 'info reg' as well as output from 'disass' command till you see => mark pointing at failing instruction. From debugger prompts that is. And since stack back-tracing is problematic here, tell approximately what was going on? I mean did you experience crash with openssl command (which one if so), or is it a web (or some other tls) server facing network? > And where can I get the commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 ? It was incorporated 1.0.1 since 1.0.1f. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From appro at openssl.org Tue Mar 1 13:00:33 2016 From: appro at openssl.org (Andy Polyakov) Date: Tue, 1 Mar 2016 14:00:33 +0100 Subject: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol In-Reply-To: References: Message-ID: <56D59271.3010508@openssl.org> > link /nologo /subsystem:console /opt:ref /debug /dll > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def > @C:\Users\athosar\AppData\Local\Temp\nm43EB.tmp > Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp > cryptlib.obj : error LNK2001: unresolved external symbol _OPENSSL_ia32cap_P This shouldn't happen if you go for no-asm. Basically it sounds like a left-over from attempt to build with asm support. In other words start over from empty directory. From openssl at openssl.org Tue Mar 1 14:03:02 2016 From: openssl at openssl.org (OpenSSL) Date: Tue, 1 Mar 2016 14:03:02 +0000 Subject: [openssl-dev] OpenSSL version 1.0.1s published Message-ID: <20160301140302.GA6668@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.1s released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.1s of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.1-notes.html OpenSSL 1.0.1s is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.1s.tar.gz Size: 4551210 SHA1 checksum: d027e1a00c26da7fede7d537d5c7718c3cdb4653 SHA256 checksum: e7e81d82f3cd538ab0cdba494006d44aab9dd96b7f6233ce9971fb7c7916d511 The checksums were calculated using the following commands: openssl sha1 openssl-1.0.1s.tar.gz openssl sha256 openssl-1.0.1s.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJW1ZviAAoJENnE0m0OYESRVY8H/javcOAnFG3l1uzYuSrcgHrA 52x/A5gqFOW7rx5KE4jUjahSFePpNahqaR+A9m8dte2pvAJIySSk73z1IChhrtkF 14CALui+okl0KolF098sULmBy/GKoRQmiGMqQHxukXZZ8ihiqtfiEX1yCf0CiH8U crE4fHw50hBRV8BeT8KEE6A29Cpi9LQ0b0I3pPl5k/q0DtkdyNYMRcA7JKrSsI72 X/tyJcHaoAEZaBoVCqdlj/G1qOA/YlDtNfa9lkMZQaLz8wFLlZTo8/obuonVmaPH uJRj3oylvVkGWYIOpq+7jTJxjHlJweRrKbU8+W//rCSPNfbPBvAAQS7q9lKz/SA= =3wfG -----END PGP SIGNATURE----- From openssl at openssl.org Tue Mar 1 14:03:14 2016 From: openssl at openssl.org (OpenSSL) Date: Tue, 1 Mar 2016 14:03:14 +0000 Subject: [openssl-dev] OpenSSL version 1.0.2g published Message-ID: <20160301140314.GA6870@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.2g released =============================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ The OpenSSL project team is pleased to announce the release of version 1.0.2g of our open source toolkit for SSL/TLS. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.0.2-notes.html OpenSSL 1.0.2g is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.0.2g.tar.gz Size: 5266102 SHA1 checksum: 36af23887402a5ea4ebef91df8e61654906f58f2 SHA256 checksum: b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33 The checksums were calculated using the following commands: openssl sha1 openssl-1.0.2g.tar.gz openssl sha256 openssl-1.0.2g.tar.gz Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJW1Zr6AAoJENnE0m0OYESRegcH/RzJkSQo2TT7wl55DKd5/7a2 3PaUxlNQOxA7E1Z7DAs9rfhox0+GbqaIOASBP+yVyP1+yHafMPuM3mpIQNg1fwT8 Oaxfh84a3XpfNO76xVWoKrgp62jYOaug2kfpnJ53uQuBqbhkjCW48KCxBELQZr9Q CsMy3SHtVwNfQQbOTDEsTjPFRpJ4UYO0EUtLV11Q78Gq4cxwWmOB0UCKJ/ucpUcl K8750Ijz27tWUK2cLOjJPAKQBaz1Rol8k0hZC0/Gtgiq/u+IFlx17HU3Yc2ZjLWu Op4KQ95vNu1icTxKUxfz4af3f/XEvC4ZjEC/2dMfUxy/zktLR4yRoG//xi7v8bg= =ovbL -----END PGP SIGNATURE----- From openssl at openssl.org Tue Mar 1 14:05:39 2016 From: openssl at openssl.org (OpenSSL) Date: Tue, 1 Mar 2016 14:05:39 +0000 Subject: [openssl-dev] OpenSSL Security Advisory Message-ID: <20160301140539.GA9602@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL Security Advisory [1st March 2016] ========================================= NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of SSLv2 due not only to the issues described below, but to the other known deficiencies in the protocol as described at https://tools.ietf.org/html/rfc6176 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) ================================================================ Severity: High A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). Recovering one session key requires the attacker to perform approximately 2^50 computation, as well as thousands of connections to the affected server. A more efficient variant of the DROWN attack exists against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below). Users can avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers, if they've not done so already. Disabling all SSLv2 ciphers is also sufficient, provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f) have been deployed. Servers that have not disabled the SSLv2 protocol, and are not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2 ciphers are nominally disabled, because malicious clients can force the use of SSLv2 with EXPORT ciphers. OpenSSL 1.0.2g and 1.0.1s deploy the following mitigation against DROWN: SSLv2 is now by default disabled at build-time. Builds that are not configured with "enable-ssl2" will not support SSLv2. Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the version-flexible SSLv23_method() will need to explicitly call either of: SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl, SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the application explicitly uses the version-specific SSLv2_method() or its client or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2 56-bit DES are no longer available. In addition, weak ciphers in SSLv3 and up are now disabled in default builds of OpenSSL. Builds that are not configured with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength ciphers. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on December 29th 2015 by Nimrod Aviram and Sebastian Schinzel. The fix was developed by Viktor Dukhovni and Matt Caswell of OpenSSL. Double-free in DSA code (CVE-2016-0705) ======================================= Severity: Low A double free bug was discovered when OpenSSL parses malformed DSA private keys and could lead to a DoS attack or memory corruption for applications that receive DSA private keys from untrusted sources. This scenario is considered rare. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on February 7th 2016 by Adam Langley (Google/BoringSSL) using libFuzzer. The fix was developed by Dr Stephen Henson of OpenSSL. Memory leak in SRP database lookups (CVE-2016-0798) =================================================== Severity: Low The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory management semantics; the returned pointer was sometimes newly allocated, and sometimes owned by the callee. The calling code has no way of distinguishing these two cases. Specifically, SRP servers that configure a secret seed to hide valid login information are vulnerable to a memory leak: an attacker connecting with an invalid username can cause a memory leak of around 300 bytes per connection. Servers that do not configure SRP, or configure SRP but do not configure a seed are not vulnerable. In Apache, the seed directive is known as SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user is now disabled even if the user has configured a seed. Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note that OpenSSL makes no strong guarantees about the indistinguishability of valid and invalid logins. In particular, computations are currently not carried out in constant time. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was discovered on February 23rd 2016 by Emilia K??sper of the OpenSSL development team. Emilia K??sper also developed the fix. BN_hex2bn/BN_dec2bn NULL pointer deref/heap corruption (CVE-2016-0797) ====================================================================== Severity: Low In the BN_hex2bn function the number of hex digits is calculated using an int value |i|. Later |bn_expand| is called with a value of |i * 4|. For large values of |i| this can result in |bn_expand| not allocating any memory because |i * 4| is negative. This can leave the internal BIGNUM data field as NULL leading to a subsequent NULL ptr deref. For very large values of |i|, the calculation |i * 4| could be a positive value smaller than |i|. In this case memory is allocated to the internal BIGNUM data field, but it is insufficiently sized leading to heap corruption. A similar issue exists in BN_dec2bn. This could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user applications with very large untrusted hex/dec data. This is anticipated to be a rare occurrence. All OpenSSL internal usage of these functions use data that is not expected to be untrusted, e.g. config file data or application command line arguments. If user developed applications generate config file data based on untrusted data then it is possible that this could also lead to security consequences. This is also anticipated to be rare. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on February 19th 2016 by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team. Fix memory issues in BIO_*printf functions (CVE-2016-0799) ========================================================== Severity: Low The internal |fmtstr| function used in processing a "%s" format string in the BIO_*printf functions could overflow while calculating the length of a string and cause an OOB read when printing very long strings. Additionally the internal |doapr_outch| function can attempt to write to an OOB memory location (at an offset from the NULL pointer) in the event of a memory allocation failure. In 1.0.2 and below this could be caused where the size of a buffer to be allocated is greater than INT_MAX. E.g. this could be in processing a very long "%s" format string. Memory leaks can also occur. The first issue may mask the second issue dependent on compiler behaviour. These problems could enable attacks where large amounts of untrusted data is passed to the BIO_*printf functions. If applications use these functions in this way then they could be vulnerable. OpenSSL itself uses these functions when printing out human-readable dumps of ASN.1 data. Therefore applications that print this data could be vulnerable if the data is from untrusted sources. OpenSSL command line applications could also be vulnerable where they print out ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is not considered directly vulnerable. Additionally certificates etc received via remote connections via libssl are also unlikely to be able to trigger these issues because of message size limits enforced within libssl. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on February 23rd by Guido Vranken. The fix was developed by Matt Caswell of the OpenSSL development team. Side channel attack on modular exponentiation (CVE-2016-0702) ============================================================= Severity: Low A side-channel attack was found which makes use of cache-bank conflicts on the Intel Sandy-Bridge microarchitecture which could lead to the recovery of RSA keys. The ability to exploit this issue is limited as it relies on an attacker who has control of code in a thread running on the same hyper-threaded core as the victim thread which is performing decryptions. This issue affects OpenSSL versions 1.0.2 and 1.0.1. OpenSSL 1.0.2 users should upgrade to 1.0.2g OpenSSL 1.0.1 users should upgrade to 1.0.1s This issue was reported to OpenSSL on Jan 8th 2016 by Yuval Yarom, The University of Adelaide and NICTA, Daniel Genkin, Technion and Tel Aviv University, and Nadia Heninger, University of Pennsylvania with more information at http://cachebleed.info. The fix was developed by Andy Polyakov of OpenSSL. Divide-and-conquer session key recovery in SSLv2 (CVE-2016-0703) ================================================================ Severity: High This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address vulnerability CVE-2015-0293. s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers. If clear-key bytes are present for these ciphers, they *displace* encrypted-key bytes. This leads to an efficient divide-and-conquer key recovery attack: if an eavesdropper has intercepted an SSLv2 handshake, they can use the server as an oracle to determine the SSLv2 master-key, using only 16 connections to the server and negligible computation. More importantly, this leads to a more efficient version of DROWN that is effective against non-export ciphersuites, and requires no significant computation. This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released March 19th 2015). This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J. Alex Halderman of the University of Michigan. The underlying defect had by then already been fixed by Emilia K??sper of OpenSSL on March 4th 2015. The fix for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d (1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf). Bleichenbacher oracle in SSLv2 (CVE-2016-0704) ============================================== Severity: Moderate This issue only affected versions of OpenSSL prior to March 19th 2015 at which time the code was refactored to address the vulnerability CVE-2015-0293. s2_srvr.c overwrite the wrong bytes in the master-key when applying Bleichenbacher protection for export cipher suites. This provides a Bleichenbacher oracle, and could potentially allow more efficient variants of the DROWN attack. This issue affected OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze and all earlier versions. It was fixed in OpenSSL 1.0.2a, 1.0.1m, 1.0.0r and 0.9.8zf (released March 19th 2015). This issue was reported to OpenSSL on February 10th 2016 by David Adrian and J. Alex Halderman of the University of Michigan. The underlying defect had by then already been fixed by Emilia K??sper of OpenSSL on March 4th 2015. The fix for this issue can be identified by commits ae50d827 (1.0.2a), cd56a08d (1.0.1m), 1a08063 (1.0.0r) and 65c588c (0.9.8zf). Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/policies/releasestrat.html), support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade. Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20160301.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJW1Z3XAAoJENnE0m0OYESRFCgH/1UW63/q8J2eApcMxOd7oYcD y0yRRD1SNpbTalYTNRGK2e4VY4iq7ux8ps3Bw9ieTYcRlMqqcHOPjsPEht0oVyZJ nYBfqwkISjRPYDn4mcV+DUsqLqNhakLZsMbkm0DY6GXq/pxolYlNN07NfsKP7WaQ 1Ff9OkVxhuXYZ+6RmbOAt4+61+CggPIpnBNS8B9U6howG9xOLEWo7ELjXlbBHGny W8Jfmc3z4/UlY/f9iod9qYxo1ljNAhQ8Jd+IcNUuOXea15+S8g35AJR42vLVVzyo jQH7vxNqmwqxrQNUHkAVgXNTLsSMJ4vQ4gCHZEe2CAU9xUt8ifeJrIOjxgjAFvI= =7baS -----END PGP SIGNATURE----- From hkario at redhat.com Tue Mar 1 15:22:03 2016 From: hkario at redhat.com (Hubert Kario) Date: Tue, 01 Mar 2016 16:22:03 +0100 Subject: [openssl-dev] OpenSSL Security Advisory In-Reply-To: <20160301140539.GA9602@openssl.org> References: <20160301140539.GA9602@openssl.org> Message-ID: <10280065.tWxBCtY4jQ@pintsize.usersys.redhat.com> Scripts to verify that a server is not vulnerable to DROWN. Two scripts are provided to verify that SSLv2 and all of its ciphers are disabled and that export grade SSLv2 are disabled and can't be forced by client. Reproducer requires Python 2.6 or 3.2 or later, you will also need git to download the sources # Download the reproducer: git clone https://github.com/tomato42/tlsfuzzer cd tlsfuzzer git checkout ssl2 # Download the reproducer dependencies git clone https://github.com/tomato42/tlslite-ng .tlslite-ng ln -s .tlslite-ng/tlslite tlslite pushd .tlslite-ng # likely won't be necessary in near future, code will be merged soon git checkout sslv2 popd git clone https://github.com/warner/python-ecdsa .python-ecdsa ln -s .python-ecdsa/ecdsa ecdsa To verify that an https server at example.com does not support SSLv2 at all, use the following command: PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \ -h example.com -p 443 To only verify that the server does not support export grade SSLv2 ciphers, use the following command: PYTHONPATH=. python scripts/test-sslv2-force-cipher.py -h example.com \ -p 443 (note, the first script is a superset of the second one) In both cases all the individual tests in the scripts should print "OK" status if the specific cipher is not supported and report "failed: 0" together with exit status of 0 if you want to automate it. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purky?ova 99/71, 612 45, Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From rt at openssl.org Tue Mar 1 16:54:59 2016 From: rt at openssl.org (Rich Salz via RT) Date: Tue, 01 Mar 2016 16:54:59 +0000 Subject: [openssl-dev] [openssl.org #4358] Problems in ocsp.1ssl In-Reply-To: <20160229175530.727EB13A0E65@snark.thyrsus.com> References: <20160229175530.727EB13A0E65@snark.thyrsus.com> Message-ID: fixed thanks. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4358 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 1 17:11:46 2016 From: rt at openssl.org (Rich Salz via RT) Date: Tue, 01 Mar 2016 17:11:46 +0000 Subject: [openssl-dev] [openssl.org #4347] Fix GCC unused-value warnings with HOST_c2l() In-Reply-To: <1456442886.4666.120.camel@infradead.org> References: <1456442886.4666.120.camel@infradead.org> Message-ID: fixed with commit 09977dd thanks! -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4347 Please log in as guest with password guest if prompted From brad at monetra.com Tue Mar 1 17:50:46 2016 From: brad at monetra.com (Brad House) Date: Tue, 1 Mar 2016 12:50:46 -0500 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) Message-ID: <56D5D676.9010603@monetra.com> We have a Mac build system running an older version (10.7), targeting 10.6, which is using this compiler: $ cc --version i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.1.00) And while building 1.0.2g released today, we found a build regression for x86_64, this regression appears to only impact 1.0.2g (1.0.1s also released today is unaffected, as is the prior 1.0.2f, and 1.0.2g when building 32bit/i386 too is unaffected). The build error is: cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -isysroot /Developer/SDKs/MacOSX10.6.sdk/ -mmacosx-version-min=10.6 -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local//ssl-fips-2.0.11-x86_64/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c -o sha1-x86_64.o sha1-x86_64.s sha1-x86_64.s:1243:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1243:suffix or operands invalid for `pshufd' sha1-x86_64.s:1245:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1245:suffix or operands invalid for `pshufd' sha1-x86_64.s:1395:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1395:suffix or operands invalid for `pshufd' sha1-x86_64.s:1396:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1396:suffix or operands invalid for `pshufd' -Brad From rt at openssl.org Tue Mar 1 17:58:14 2016 From: rt at openssl.org (David Edelsohn via RT) Date: Tue, 01 Mar 2016 17:58:14 +0000 Subject: [openssl-dev] [openssl.org #4361] IBM POWER VSX optimizations for OpenSSL In-Reply-To: References: Message-ID: I would like to create a number of enhancement requests for OpenSSL to improve the performance of specific algorithms on IBM POWER using the VSX SIMD instruction set with the possibility of creating financial bounties (through bountysource.com) for the projects. What is the best way open these requests? Should I send email to RT? Should I open issues on Github? Thanks, David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4361 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 1 18:01:28 2016 From: rt at openssl.org (Rich Salz via RT) Date: Tue, 01 Mar 2016 18:01:28 +0000 Subject: [openssl-dev] [openssl.org #4361] IBM POWER VSX optimizations for OpenSSL In-Reply-To: References: Message-ID: See https://openssl.org/community/getting-started.html for a starting point. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4361 Please log in as guest with password guest if prompted From brad at monetra.com Tue Mar 1 18:09:36 2016 From: brad at monetra.com (Brad House) Date: Tue, 1 Mar 2016 13:09:36 -0500 Subject: [openssl-dev] OpenSSL 1.0.2g - make test fails with FIPS -- regression from 1.0.2f Message-ID: <56D5DAE0.4050006@monetra.com> It appears OpenSSL 1.0.2g introduced a regression when attempting to run 'make test' on a fips-enabled build on linux. When compiling without FIPS, the tests pass as expected. However, with fips turned on, "make test" fails when trying to use ssl2 it appears. Running 'make test' is a fairly standard practice to try to ensure there were no unexpected failures on a given platform. 1.0.2f is unaffected, as is 1.0.1r. However, 1.0.1s is also impacted. Here's the last bit from the failure: ../util/shlib_wrap.sh ./evp_extra_test PASS test SSL protocol test ssl3 is forbidden in FIPS mode *** IN FIPS MODE *** Available compression methods: NONE 47614155012464:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1877: 47614155012464:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1877: test ssl2 is forbidden in FIPS mode Testing was requested for a disabled protocol. Skipping tests. gmake[1]: *** [test_ssl] Error 1 gmake[1]: Leaving directory `/home/bhouse/tmp/openssl-1.0.2g/test' gmake: *** [tests] Error 2 -Brad From Carl.Tietjen at microfocus.com Tue Mar 1 18:00:49 2016 From: Carl.Tietjen at microfocus.com (Carl Tietjen) Date: Tue, 1 Mar 2016 18:00:49 +0000 Subject: [openssl-dev] Test script failing for OpenSSL-1.0.1s when built as FIPS Capable Message-ID: <3AB7EF789FF16E4C81C5BA3833C2A195133F3EB2@prvxmb01.microfocus.com> Hello, I have run into a problem when I am build OpenSSL-1.0.1s as FIPS Capable. The problem is that the test script is failing. I believe that this maybe because of different behavior in the tests now that the "no-ssl2" flag has been added to the OPTIONS (i.e. SSLv2 has been disabled in OpenSSL, but not in the tests). Details below. Any help would be appreciated. Thanks, Carl Tietjen Micofocus Problem: "make test" is failing because of change to disable SSLv2 Version: openssl-1.0.1s FIPS Module: openssl-fips-ecp-2.0.11 Error message: ... test ssl2 is forbidden in FIPS mode Testing was requested for a disabled protocol. Skipping tests. make[1]: *** [test_ssl] Error 1 make[1]: Leaving directory `/root/FIPS_1.0.1s/openssl-1.0.1s/test' make: *** [tests] Error 2 Make test failed ________________________ Old messages (i.e. from OpenSSL-1.0.1r build): ... test ssl2 is forbidden in FIPS mode *** IN FIPS MODE *** Available compression methods: NONE 140038414411432:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1720: 140038414411432:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1720: test tls1 ... From rt at openssl.org Tue Mar 1 18:54:22 2016 From: rt at openssl.org (David Benjamin via RT) Date: Tue, 01 Mar 2016 18:54:22 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: Message-ID: I'm unclear on what EVP_CIPHER's interface guarantees are, but our EVP_AEAD APIs are documented to allow in/out buffers to alias as long as out is <= in. This matches what callers might expect from a naive implementation. Our AES-GCM EVP_AEADs, which share code with OpenSSL, have tended to match this pattern too. For ChaCha, of chacha-{x86,x86_64,armv4,armv8}.pl and the C implementation, all seem satisfy this (though it's possible I don't have complete coverage) except for chacha-x86.pl. That one works if in == out, but not if out is slightly behind. We were able to reproduce problems when in = out + 1. The SSE3 code triggers if the input is at least 256 bytes and the non-SSE3 code if the input is at least 64 bytes. The non-SSE3 code is because the words in a block are processed in a slightly funny order (0, 4, 8, 9, 12, 14, 1, 2, 3, 5, 6, 7, 10, 11, 13, 15). I haven't looked at the SSE3 case carefully, but I expect it's something similar. Could the blocks perhaps be processed in a more straight-forward ordering, so that chacha-x86.pl behaves like the other implementations? (It's nice to avoid bugs that only trigger in one implementation.) Or is this order necessary for something? David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Tue Mar 1 19:15:13 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 1 Mar 2016 19:15:13 +0000 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) In-Reply-To: <56D5D676.9010603@monetra.com> References: <56D5D676.9010603@monetra.com> Message-ID: <20160301191513.GJ12869@mournblade.imrryr.org> On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: > We have a Mac build system running an older version (10.7), targeting 10.6, which is > using this compiler: > > $ cc --version > i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.1.00) > > > And while building 1.0.2g released today, we found a build regression for x86_64, this > regression appears to only impact 1.0.2g (1.0.1s also released today is unaffected, > as is the prior 1.0.2f, and 1.0.2g when building 32bit/i386 too is unaffected). > > The build error is: > > cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -isysroot /Developer/SDKs/MacOSX10.6.sdk/ -mmacosx-version-min=10.6 -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local//ssl-fips-2.0.11-x86_64/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c -o sha1-x86_64.o sha1-x86_64.s > sha1-x86_64.s:1243:missing or invalid immediate expression `0b00011011' taken as 0 > sha1-x86_64.s:1243:suffix or operands invalid for `pshufd' > sha1-x86_64.s:1245:missing or invalid immediate expression `0b00011011' taken as 0 > sha1-x86_64.s:1245:suffix or operands invalid for `pshufd' > sha1-x86_64.s:1395:missing or invalid immediate expression `0b00011011' taken as 0 > sha1-x86_64.s:1395:suffix or operands invalid for `pshufd' > sha1-x86_64.s:1396:missing or invalid immediate expression `0b00011011' taken as 0 > sha1-x86_64.s:1396:suffix or operands invalid for `pshufd' The only plausible change from 1.0.2f to 1.0.2g that I see that might be related to this is below. Does it work if you revert this change (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac Author: Andy Polyakov Date: Wed Feb 10 15:11:40 2016 +0100 perlasm/x86_64-xlate.pl: pass pure constants verbatim. RT#3885 Reviewed-by: Rich Salz (cherry picked from commit fd7dc201d3b9d43972de6a0e659f7ef6421c99cc) diff --git a/crypto/perlasm/x86_64-xlate.pl b/crypto/perlasm/x86_64-xlate.pl index 9c70b8c..ee04221 100755 --- a/crypto/perlasm/x86_64-xlate.pl +++ b/crypto/perlasm/x86_64-xlate.pl @@ -198,8 +198,11 @@ my %globals; if ($gas) { # Solaris /usr/ccs/bin/as can't handle multiplications # in $self->{value} - $self->{value} =~ s/(?{value} =~ s/([0-9]+\s*[\*\/\%]\s*[0-9]+)/eval($1)/eg; + my $value = $self->{value}; + $value =~ s/(?{value} = $value; + } sprintf "\$%s",$self->{value}; } else { $self->{value} =~ s/(0b[0-1]+)/oct($1)/eig; -- Viktor. From rt at openssl.org Tue Mar 1 19:19:32 2016 From: rt at openssl.org (Steven Valdez via RT) Date: Tue, 01 Mar 2016 19:19:32 +0000 Subject: [openssl-dev] [openssl.org #4363] [PATCH] Adding missing BN_CTX_(start/end) in crypto/ec/ec_key.c In-Reply-To: References: Message-ID: Hi, This is a patch that uses BN_CTX_start/end to correctly initialize the BN_CTX stack in EC_KEY_set_public_key_affine_coordinates. -Steven -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4363 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: bn_context.patch Type: text/x-patch Size: 937 bytes Desc: not available URL: From nounou.dadoun at avigilon.com Tue Mar 1 19:50:51 2016 From: nounou.dadoun at avigilon.com (Nounou Dadoun) Date: Tue, 1 Mar 2016 19:50:51 +0000 Subject: [openssl-dev] OpenSSL Security Advisory In-Reply-To: <10280065.tWxBCtY4jQ@pintsize.usersys.redhat.com> References: <20160301140539.GA9602@openssl.org> <10280065.tWxBCtY4jQ@pintsize.usersys.redhat.com> Message-ID: <8149AB08BCB1F54F92680ED6104891A0E190E7@mbx027-w1-ca-4.exch027.domain.local> Thanks for the test tool and making it available so quickly, we were able to close our DROWN bug ticket less than an hour after opening it! I'm interested in your tlsfuzzer tool (of which this appears to be a part), is there a larger test suite available? Is there any documentation out there? Thanks again .. N Nou Dadoun Senior Firmware Developer, Security Specialist Office: 604.629.5182 ext 2632 Support: 888.281.5182 ?|? avigilon.com Follow?Twitter ?|? Follow?LinkedIn -----Original Message----- From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Hubert Kario Sent: Tuesday, March 01, 2016 7:22 AM To: openssl-dev at openssl.org Subject: Re: [openssl-dev] OpenSSL Security Advisory Scripts to verify that a server is not vulnerable to DROWN. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purky?ova 99/71, 612 45, Brno, Czech Republic From rt at openssl.org Tue Mar 1 20:05:45 2016 From: rt at openssl.org (David Benjamin via RT) Date: Tue, 01 Mar 2016 20:05:45 +0000 Subject: [openssl-dev] [openssl.org #4364] [PATCH] ASN1_get_object should not accept large universal tags. In-Reply-To: References: Message-ID: See attached. OpenSSL can't actually represent large universal tags because it collides with the V_ASN1_NEG flag, yet it happily parses them in high tag number form. d2i_ASN1_TYPE interprets 1f82020100 as a negative zero, rather than an element with tag [UNIVERSAL 258]. I've intentionally made the patch very conservative, so it only limits universal tags, in case there is worry about someone actually using tag number 258 of another class. (Although I've never seen anything go beyond 31 into high tag number form at all.) Our version of the change has a test: https://boringssl.googlesource.com/boringssl/+/fb2c6f8c8565e1e2d85c24408050c96521acbcdc%5E%21/ It should be straight-forward to adapt (the test barely does anything). I'm not sure how adding a test in OpenSSL works these days, so I leave that to you. David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4364 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-ASN1_get_object-should-not-accept-large-universal-ta.patch Type: text/x-patch Size: 1781 bytes Desc: not available URL: From openssl at roumenpetrov.info Tue Mar 1 20:19:13 2016 From: openssl at roumenpetrov.info (Roumen Petrov) Date: Tue, 01 Mar 2016 22:19:13 +0200 Subject: [openssl-dev] OpenSSL 1.0.2g - make test fails with FIPS -- regression from 1.0.2f In-Reply-To: <56D5DAE0.4050006@monetra.com> References: <56D5DAE0.4050006@monetra.com> Message-ID: <56D5F941.2030705@roumenpetrov.info> Brad House wrote: > It appears OpenSSL 1.0.2g introduced a regression when attempting to run > 'make test' on a fips-enabled build on linux. When compiling without FIPS, the > tests pass as expected. However, with fips turned on, "make test" fails > when trying to use ssl2 it appears. Running 'make test' is a fairly > standard practice to try to ensure there were no unexpected failures on > a given platform. > > 1.0.2f is unaffected, as is 1.0.1r. However, 1.0.1s is also impacted. Actually all 1.0.{1|2}* versions are impacted if build is with no-ssl2 and no-ssl3 [SNIP] Roumen From jakub.openssl at gmail.com Tue Mar 1 20:49:29 2016 From: jakub.openssl at gmail.com (Jakub Zelenka) Date: Tue, 1 Mar 2016 20:49:29 +0000 Subject: [openssl-dev] PHP openssl ext port for 1.1 - cert->name Message-ID: Hello, I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and just came across one thing that I can't find a function for. We have got a part in openssl_x509_parse where we display cert->name (cert is X509 struct) if it is not NULL: https://github.com/php/php-src/blob/715a198e1f4f6f79f596963727b1a1c92e7fed1b/ext/openssl/openssl.c#L1998 The X509 is now opaque and I can't find any function for that which I might be missing because it's quite late... :) I tried to find it using grep -rn '>name' crypto/x509 but it doesn't show any function that would return a cert name Not sure if it's actually useful to show that but I see that the name is set in x509_cb when operation is ASN1_OP_D2I_POST as X509_NAME_oneline(ret->cert_info.subject, NULL, 0) . Please could you let me know if there is a function for that or what I should use instead? Thanks a lot Jakub -------------- next part -------------- An HTML attachment was scrubbed... URL: From steve at openssl.org Tue Mar 1 21:03:32 2016 From: steve at openssl.org (Dr. Stephen Henson) Date: Tue, 1 Mar 2016 21:03:32 +0000 Subject: [openssl-dev] PHP openssl ext port for 1.1 - cert->name In-Reply-To: References: Message-ID: <20160301210332.GA10260@openssl.org> On Tue, Mar 01, 2016, Jakub Zelenka wrote: > Hello, > > I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and > just came across one thing that I can't find a function for. > > We have got a part in openssl_x509_parse where we display cert->name (cert > is X509 struct) if it is not NULL: > > https://github.com/php/php-src/blob/715a198e1f4f6f79f596963727b1a1c92e7fed1b/ext/openssl/openssl.c#L1998 > > The X509 is now opaque and I can't find any function for that which I might > be missing because it's quite late... :) > > I tried to find it using > > grep -rn '>name' crypto/x509 > > but it doesn't show any function that would return a cert name > > Not sure if it's actually useful to show that but I see that the name is > set in x509_cb when operation is ASN1_OP_D2I_POST > as X509_NAME_oneline(ret->cert_info.subject, NULL, 0) . > > Please could you let me know if there is a function for that or what I > should use instead? > It isn't really useful. It uses the ancient and quirky X509_NAME_oneline() function to convert the certificate subject name to an old oneline format (which mishandles things like multi byte characters). If you really want it you can create it using X509_get_subect_name() and X509_NAME_oneline() directly but you have to free it once you've finished with it. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From michel.sales at free.fr Tue Mar 1 21:06:13 2016 From: michel.sales at free.fr (Michel) Date: Tue, 1 Mar 2016 22:06:13 +0100 Subject: [openssl-dev] [openssl-users] OpenSSL Security Advisory In-Reply-To: <20160301140539.GA9602@openssl.org> References: <20160301140539.GA9602@openssl.org> Message-ID: <004501d173fe$305be030$9113a090$@sales@free.fr> Hi, I am a bit surprised with the following assertion concerning CVE-2016-0798 : (Memory leak in SRP database lookups) "This issue was discovered on February 23rd 2016..." My opinion is that this issue is known at least since I reported it to you (first in march 2015 !) : https://mta.openssl.org/pipermail/openssl-dev/2015-March/001015.html https://mta.openssl.org/pipermail/openssl-bugs-mod/2015-December/000279.html This is s a further demonstration that I still have to improve my english ! ;-) Regards, Michel. From brad at monetra.com Tue Mar 1 21:18:59 2016 From: brad at monetra.com (Brad House) Date: Tue, 1 Mar 2016 16:18:59 -0500 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) In-Reply-To: <20160301191513.GJ12869@mournblade.imrryr.org> References: <56D5D676.9010603@monetra.com> <20160301191513.GJ12869@mournblade.imrryr.org> Message-ID: <56D60743.9000607@monetra.com> On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: > On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: > >> We have a Mac build system running an older version (10.7), targeting 10.6, which is >> using this compiler: >> >> $ cc --version >> i686-apple-darwin11-llvm-gcc-4.2 (GCC) 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.1.00) >> >> >> And while building 1.0.2g released today, we found a build regression for x86_64, this >> regression appears to only impact 1.0.2g (1.0.1s also released today is unaffected, >> as is the prior 1.0.2f, and 1.0.2g when building 32bit/i386 too is unaffected). >> >> The build error is: >> >> cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -isysroot /Developer/SDKs/MacOSX10.6.sdk/ -mmacosx-version-min=10.6 -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT >> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -I/usr/local//ssl-fips-2.0.11-x86_64/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -c -o sha1-x86_64.o sha1-x86_64.s >> sha1-x86_64.s:1243:missing or invalid immediate expression `0b00011011' taken as 0 >> sha1-x86_64.s:1243:suffix or operands invalid for `pshufd' >> sha1-x86_64.s:1245:missing or invalid immediate expression `0b00011011' taken as 0 >> sha1-x86_64.s:1245:suffix or operands invalid for `pshufd' >> sha1-x86_64.s:1395:missing or invalid immediate expression `0b00011011' taken as 0 >> sha1-x86_64.s:1395:suffix or operands invalid for `pshufd' >> sha1-x86_64.s:1396:missing or invalid immediate expression `0b00011011' taken as 0 >> sha1-x86_64.s:1396:suffix or operands invalid for `pshufd' > > The only plausible change from 1.0.2f to 1.0.2g that I see that > might be related to this is below. Does it work if you revert this > change (patch -R): > > commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac > [snip] Confirmed. Reverting that commit fixes the build. -Brad From bkaduk at akamai.com Tue Mar 1 21:27:07 2016 From: bkaduk at akamai.com (Benjamin Kaduk) Date: Tue, 1 Mar 2016 15:27:07 -0600 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) In-Reply-To: <56D60743.9000607@monetra.com> References: <56D5D676.9010603@monetra.com> <20160301191513.GJ12869@mournblade.imrryr.org> <56D60743.9000607@monetra.com> Message-ID: <56D6092B.7020405@akamai.com> On 03/01/2016 03:18 PM, Brad House wrote: > On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: >> On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: >> >> The only plausible change from 1.0.2f to 1.0.2g that I see that might >> be related to this is below. Does it work if you revert this change >> (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac [snip] > Confirmed. Reverting that commit fixes the build. > Does the alternate patch from RT #3885 (i.e., from https://github.com/openssl/openssl/pull/597) cause a similar build breakage? -Ben From rsalz at akamai.com Tue Mar 1 21:35:28 2016 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 1 Mar 2016 21:35:28 +0000 Subject: [openssl-dev] [openssl-users] OpenSSL Security Advisory In-Reply-To: <004501d173fe$305be030$9113a090$@sales@free.fr> References: <20160301140539.GA9602@openssl.org> <004501d173fe$305be030$9113a090$@sales@free.fr> Message-ID: > I am a bit surprised with the following assertion concerning CVE-2016-0798 : > (Memory leak in SRP database lookups) > "This issue was discovered on February 23rd 2016..." Yes, Michel, sorry. You did create a ticket: https://rt.openssl.org/Ticket/Display.html?id=4172 Thanks for being so good-natured about the oversight. -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From rt at openssl.org Tue Mar 1 21:40:46 2016 From: rt at openssl.org (=?UTF-8?B?RW1pbGlhIEvDpHNwZXI=?= via RT) Date: Tue, 01 Mar 2016 21:40:46 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: Message-ID: If the other EVP ciphers universally allow this then I think we must treat this as a bug, because people may be relying on this behaviour. There is also sporadic documentation in lower-level APIs (AES source and des.pod) that the buffers may overlap. If it's inconsistent then, at the very least, we must document that it is not allowed. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted From brad at monetra.com Tue Mar 1 21:52:06 2016 From: brad at monetra.com (Brad House) Date: Tue, 1 Mar 2016 16:52:06 -0500 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) In-Reply-To: <56D6092B.7020405@akamai.com> References: <56D5D676.9010603@monetra.com> <20160301191513.GJ12869@mournblade.imrryr.org> <56D60743.9000607@monetra.com> <56D6092B.7020405@akamai.com> Message-ID: <56D60F06.2020204@monetra.com> On 03/01/2016 04:27 PM, Benjamin Kaduk wrote: > On 03/01/2016 03:18 PM, Brad House wrote: >> On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: >>> On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: >>> >>> The only plausible change from 1.0.2f to 1.0.2g that I see that might >>> be related to this is below. Does it work if you revert this change >>> (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac [snip] >> Confirmed. Reverting that commit fixes the build. >> > > Does the alternate patch from RT #3885 (i.e., from > https://github.com/openssl/openssl/pull/597) cause a similar build breakage? > Confirmed, this alternate patch worked (or at least compiled) fine: https://github.com/akamai/openssl/commit/c4af68c317c025c7d0c4f0495b8115d6426a25be.patch -Brad From jakub.openssl at gmail.com Tue Mar 1 22:16:36 2016 From: jakub.openssl at gmail.com (Jakub Zelenka) Date: Tue, 1 Mar 2016 22:16:36 +0000 Subject: [openssl-dev] PHP openssl ext port for 1.1 - cert->name In-Reply-To: <20160301210332.GA10260@openssl.org> References: <20160301210332.GA10260@openssl.org> Message-ID: On 1 Mar 2016 21:03, "Dr. Stephen Henson" wrote: > > On Tue, Mar 01, 2016, Jakub Zelenka wrote: > > > Hello, > > > > I'm just slowly porting PHP core openssl ext to work with OpenSSL 1.1 and > > just came across one thing that I can't find a function for. > > > > We have got a part in openssl_x509_parse where we display cert->name (cert > > is X509 struct) if it is not NULL: > > > > https://github.com/php/php-src/blob/715a198e1f4f6f79f596963727b1a1c92e7fed1b/ext/openssl/openssl.c#L1998 > > > > The X509 is now opaque and I can't find any function for that which I might > > be missing because it's quite late... :) > > > > I tried to find it using > > > > grep -rn '>name' crypto/x509 > > > > but it doesn't show any function that would return a cert name > > > > Not sure if it's actually useful to show that but I see that the name is > > set in x509_cb when operation is ASN1_OP_D2I_POST > > as X509_NAME_oneline(ret->cert_info.subject, NULL, 0) . > > > > Please could you let me know if there is a function for that or what I > > should use instead? > > > > It isn't really useful. It uses the ancient and quirky X509_NAME_oneline() > function to convert the certificate subject name to an old oneline format > (which mishandles things like multi byte characters). > > If you really want it you can create it using X509_get_subect_name() and > X509_NAME_oneline() directly but you have to free it once you've finished with > it. > Ok great. I will probably do that for now just to keep it as it was and then possibly take a look if we could replace it with something more useful or if we should just remove it. That function needs closer look anyway. Thanks a lot for letting me know! -------------- next part -------------- An HTML attachment was scrubbed... URL: From appro at openssl.org Tue Mar 1 23:04:22 2016 From: appro at openssl.org (Andy Polyakov) Date: Wed, 2 Mar 2016 00:04:22 +0100 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: Message-ID: <56D61FF6.7090303@openssl.org> > I'm unclear on what EVP_CIPHER's interface guarantees are, but our EVP_AEAD > APIs are documented to allow in/out buffers to alias as long as out is <= > in. This matches what callers might expect from a naive implementation. > > Our AES-GCM EVP_AEADs, which share code with OpenSSL, have tended to match > this pattern too. For ChaCha, of chacha-{x86,x86_64,armv4,armv8}.pl and the > C implementation, all seem satisfy this (though it's possible I don't have > complete coverage) except for chacha-x86.pl. That one works if in == out, > but not if out is slightly behind. > > We were able to reproduce problems when in = out + 1. The SSE3 code > triggers if the input is at least 256 bytes and the non-SSE3 code if the > input is at least 64 bytes. The non-SSE3 code is because the words in a > block are processed in a slightly funny order (0, 4, 8, 9, 12, 14, 1, 2, 3, > 5, 6, 7, 10, 11, 13, 15). I haven't looked at the SSE3 case carefully, but > I expect it's something similar. It's in 16-byte chunks numbered 0,4,8,12, 1,5,8,13, 2,6,... > Could the blocks perhaps be processed in a more straight-forward ordering, > so that chacha-x86.pl behaves like the other implementations? (It's nice to > avoid bugs that only trigger in one implementation.) Or is this order > necessary for something? It's the order in which amount of references to memory is minimal. But double-check attached. -------------- next part -------------- diff --git a/crypto/chacha/asm/chacha-x86.pl b/crypto/chacha/asm/chacha-x86.pl index 850c917..986e7f7 100755 --- a/crypto/chacha/asm/chacha-x86.pl +++ b/crypto/chacha/asm/chacha-x86.pl @@ -19,13 +19,13 @@ # P4 18.6/+84% # Core2 9.56/+89% 4.83 # Westmere 9.50/+45% 3.35 -# Sandy Bridge 10.5/+47% 3.20 -# Haswell 8.15/+50% 2.83 -# Silvermont 17.4/+36% 8.35 +# Sandy Bridge 10.7/+47% 3.24 +# Haswell 8.22/+50% 2.89 +# Silvermont 17.8/+36% 8.53 # Sledgehammer 10.2/+54% -# Bulldozer 13.4/+50% 4.38(*) +# Bulldozer 13.5/+50% 4.39(*) # -# (*) Bulldozer actually executes 4xXOP code path that delivers 3.55; +# (*) Bulldozer actually executes 4xXOP code path that delivers 3.50; $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); @@ -238,18 +238,20 @@ if ($xmm) { &xor ($a, &DWP(4*0,$b)); # xor with input &xor ($b_,&DWP(4*4,$b)); - &mov (&DWP(4*0,"esp"),$a); + &mov (&DWP(4*0,"esp"),$a); # off-load for later write &mov ($a,&wparam(0)); # load output pointer &xor ($c, &DWP(4*8,$b)); &xor ($c_,&DWP(4*9,$b)); &xor ($d, &DWP(4*12,$b)); &xor ($d_,&DWP(4*14,$b)); - &mov (&DWP(4*4,$a),$b_); # write output - &mov (&DWP(4*8,$a),$c); - &mov (&DWP(4*9,$a),$c_); - &mov (&DWP(4*12,$a),$d); - &mov (&DWP(4*14,$a),$d_); + &mov (&DWP(4*4,"esp"),$b_); + &mov ($b_,&DWP(4*0,"esp")); + &mov (&DWP(4*8,"esp"),$c); + &mov (&DWP(4*9,"esp"),$c_); + &mov (&DWP(4*12,"esp"),$d); + &mov (&DWP(4*14,"esp"),$d_); + &mov (&DWP(4*0,$a),$b_); # write output in order &mov ($b_,&DWP(4*1,"esp")); &mov ($c, &DWP(4*2,"esp")); &mov ($c_,&DWP(4*3,"esp")); @@ -266,35 +268,45 @@ if ($xmm) { &xor ($d, &DWP(4*5,$b)); &xor ($d_,&DWP(4*6,$b)); &mov (&DWP(4*1,$a),$b_); + &mov ($b_,&DWP(4*4,"esp")); &mov (&DWP(4*2,$a),$c); &mov (&DWP(4*3,$a),$c_); + &mov (&DWP(4*4,$a),$b_); &mov (&DWP(4*5,$a),$d); &mov (&DWP(4*6,$a),$d_); - &mov ($b_,&DWP(4*7,"esp")); - &mov ($c, &DWP(4*10,"esp")); + &mov ($c,&DWP(4*7,"esp")); + &mov ($d,&DWP(4*8,"esp")); + &mov ($d_,&DWP(4*9,"esp")); + &add ($c,&DWP(64+4*7,"esp")); + &mov ($b_, &DWP(4*10,"esp")); + &xor ($c,&DWP(4*7,$b)); &mov ($c_,&DWP(4*11,"esp")); + &mov (&DWP(4*7,$a),$c); + &mov (&DWP(4*8,$a),$d); + &mov (&DWP(4*9,$a),$d_); + + &add ($b_, &DWP(64+4*10,"esp")); + &add ($c_,&DWP(64+4*11,"esp")); + &xor ($b_, &DWP(4*10,$b)); + &xor ($c_,&DWP(4*11,$b)); + &mov (&DWP(4*10,$a),$b_); + &mov (&DWP(4*11,$a),$c_); + + &mov ($c,&DWP(4*12,"esp")); + &mov ($c_,&DWP(4*14,"esp")); &mov ($d, &DWP(4*13,"esp")); &mov ($d_,&DWP(4*15,"esp")); - &add ($b_,&DWP(64+4*7,"esp")); - &add ($c, &DWP(64+4*10,"esp")); - &add ($c_,&DWP(64+4*11,"esp")); &add ($d, &DWP(64+4*13,"esp")); &add ($d_,&DWP(64+4*15,"esp")); - &xor ($b_,&DWP(4*7,$b)); - &xor ($c, &DWP(4*10,$b)); - &xor ($c_,&DWP(4*11,$b)); &xor ($d, &DWP(4*13,$b)); &xor ($d_,&DWP(4*15,$b)); &lea ($b,&DWP(4*16,$b)); - &mov (&DWP(4*7,$a),$b_); - &mov ($b_,&DWP(4*0,"esp")); - &mov (&DWP(4*10,$a),$c); + &mov (&DWP(4*12,$a),$c); &mov ($c,&wparam(2)); # len - &mov (&DWP(4*11,$a),$c_); &mov (&DWP(4*13,$a),$d); + &mov (&DWP(4*14,$a),$c_); &mov (&DWP(4*15,$a),$d_); - &mov (&DWP(4*0,$a),$b_); &lea ($a,&DWP(4*16,$a)); &sub ($c,64); &jnz (&label("outer_loop")); @@ -572,12 +584,12 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di)); # previous my ($xa0,$xa1,$xa2,$xa3,$xt0,$xt1,$xt2,$xt3)=map("xmm$_",(0..7)); - #&movdqa ($xa0,&QWP(16*0-128,"ebx")); # it's there - &movdqa ($xa1,&QWP(16*1-128,"ebx")); - &movdqa ($xa2,&QWP(16*2-128,"ebx")); - &movdqa ($xa3,&QWP(16*3-128,"ebx")); - for($i=0;$i<256;$i+=64) { + #&movdqa ($xa0,&QWP($i+16*0-128,"ebx")); # it's there + &movdqa ($xa1,&QWP($i+16*1-128,"ebx")); + &movdqa ($xa2,&QWP($i+16*2-128,"ebx")); + &movdqa ($xa3,&QWP($i+16*3-128,"ebx")); + &paddd ($xa0,&QWP($i+16*0-128,"ebp")); # accumulate key material &paddd ($xa1,&QWP($i+16*1-128,"ebp")); &paddd ($xa2,&QWP($i+16*2-128,"ebp")); @@ -598,25 +610,29 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di)); # previous #($xa2,$xt2)=($xt2,$xa2); - &movdqu ($xt0,&QWP(64*0-128,$inp)); # load input - &movdqu ($xt1,&QWP(64*1-128,$inp)); - &movdqu ($xa2,&QWP(64*2-128,$inp)); - &movdqu ($xt3,&QWP(64*3-128,$inp)); - &lea ($inp,&QWP($i<192?16:(64*4-16*3),$inp)); - &pxor ($xt0,$xa0); + &movdqa (&QWP($i+16*0-128,"ebx"),$xa0); &movdqa ($xa0,&QWP($i+16*4-128,"ebx")) if ($i<192); - &pxor ($xt1,$xa1); - &movdqa ($xa1,&QWP($i+16*5-128,"ebx")) if ($i<192); - &pxor ($xt2,$xa2); - &movdqa ($xa2,&QWP($i+16*6-128,"ebx")) if ($i<192); - &pxor ($xt3,$xa3); - &movdqa ($xa3,&QWP($i+16*7-128,"ebx")) if ($i<192); - &movdqu (&QWP(64*0-128,$out),$xt0); # store output - &movdqu (&QWP(64*1-128,$out),$xt1); - &movdqu (&QWP(64*2-128,$out),$xt2); - &movdqu (&QWP(64*3-128,$out),$xt3); - &lea ($out,&QWP($i<192?16:(64*4-16*3),$out)); + &movdqa (&QWP($i+16*1-128,"ebx"),$xa1); + &movdqa (&QWP($i+16*2-128,"ebx"),$xt2); + &movdqa (&QWP($i+16*3-128,"ebx"),$xa3); + } + for($i=0;$i<256;$i+=64) { + my $j = 16*($i/64); + &movdqu ($xa0,&QWP($i+16*0-128,$inp)); # load input + &movdqu ($xa1,&QWP($i+16*1-128,$inp)); + &movdqu ($xa2,&QWP($i+16*2-128,$inp)); + &movdqu ($xa3,&QWP($i+16*3-128,$inp)); + &pxor ($xa0,&QWP($j+64*0-128,"ebx")); + &pxor ($xa1,&QWP($j+64*1-128,"ebx")); + &pxor ($xa2,&QWP($j+64*2-128,"ebx")); + &pxor ($xa3,&QWP($j+64*3-128,"ebx")); + &movdqu (&QWP($i+16*0-128,$out),$xa0); # write output + &movdqu (&QWP($i+16*1-128,$out),$xa1); + &movdqu (&QWP($i+16*2-128,$out),$xa2); + &movdqu (&QWP($i+16*3-128,$out),$xa3); } + &lea ($inp,&DWP(256,$inp)); + &lea ($out,&DWP(256,$out)); &sub ($len,64*4); &jnc (&label("outer_loop")); @@ -967,12 +983,12 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di)); # previous my ($xa0,$xa1,$xa2,$xa3,$xt0,$xt1,$xt2,$xt3)=map("xmm$_",(0..7)); - #&vmovdqa ($xa0,&QWP(16*0-128,"ebx")); # it's there - &vmovdqa ($xa1,&QWP(16*1-128,"ebx")); - &vmovdqa ($xa2,&QWP(16*2-128,"ebx")); - &vmovdqa ($xa3,&QWP(16*3-128,"ebx")); - for($i=0;$i<256;$i+=64) { + #&vmovdqa ($xa0,&QWP($i+16*0-128,"ebx")); # it's there + &vmovdqa ($xa1,&QWP($i+16*1-128,"ebx")); + &vmovdqa ($xa2,&QWP($i+16*2-128,"ebx")); + &vmovdqa ($xa3,&QWP($i+16*3-128,"ebx")); + &vpaddd ($xa0,$xa0,&QWP($i+16*0-128,"ebp")); # accumulate key material &vpaddd ($xa1,$xa1,&QWP($i+16*1-128,"ebp")); &vpaddd ($xa2,$xa2,&QWP($i+16*2-128,"ebp")); @@ -987,21 +1003,33 @@ my ($ap,$bp,$cp,$dp)=map(($_&~3)+(($_-1)&3),($ai,$bi,$ci,$di)); # previous &vpunpcklqdq ($xt3,$xa0,$xa2); # "a2" &vpunpckhqdq ($xa3,$xa0,$xa2); # "a3" - &vpxor ($xt0,$xa1,&QWP(64*0-128,$inp)); - &vpxor ($xt1,$xt2,&QWP(64*1-128,$inp)); - &vpxor ($xt2,$xt3,&QWP(64*2-128,$inp)); - &vpxor ($xt3,$xa3,&QWP(64*3-128,$inp)); - &lea ($inp,&QWP($i<192?16:(64*4-16*3),$inp)); - &vmovdqa ($xa0,&QWP($i+16*4-128,"ebx")) if ($i<192); - &vmovdqa ($xa1,&QWP($i+16*5-128,"ebx")) if ($i<192); - &vmovdqa ($xa2,&QWP($i+16*6-128,"ebx")) if ($i<192); - &vmovdqa ($xa3,&QWP($i+16*7-128,"ebx")) if ($i<192); - &vmovdqu (&QWP(64*0-128,$out),$xt0); # store output - &vmovdqu (&QWP(64*1-128,$out),$xt1); - &vmovdqu (&QWP(64*2-128,$out),$xt2); - &vmovdqu (&QWP(64*3-128,$out),$xt3); - &lea ($out,&QWP($i<192?16:(64*4-16*3),$out)); + &vmovdqa ($xa0,&QWP($i+16*4-128,"ebx")) if ($i<192); + &vmovdqa (&QWP($i+16*0-128,"ebx"),$xa1); + &vmovdqa (&QWP($i+16*1-128,"ebx"),$xt2); + &vmovdqa (&QWP($i+16*2-128,"ebx"),$xt3); + &vmovdqa (&QWP($i+16*3-128,"ebx"),$xa3); + } + &vmovdqu ($xa0,&QWP(16*0-128,$inp)); # load input + &vmovdqu ($xa1,&QWP(16*1-128,$inp)); + &vmovdqu ($xa2,&QWP(16*2-128,$inp)); + &vmovdqu ($xa3,&QWP(16*3-128,$inp)); + for($i=0;$i<256;$i+=64) { + my $j = 16*($i/64); + &vpxor ($xt0,$xa0,&QWP($j+64*0-128,"ebx")); + &vmovdqu ($xa0,&QWP($i+16*4-128,$inp)) if ($i<192); + &vpxor ($xt1,$xa1,&QWP($j+64*1-128,"ebx")); + &vmovdqu ($xa1,&QWP($i+16*5-128,$inp)) if ($i<192); + &vpxor ($xt2,$xa2,&QWP($j+64*2-128,"ebx")); + &vmovdqu ($xa2,&QWP($i+16*6-128,$inp)) if ($i<192); + &vpxor ($xt3,$xa3,&QWP($j+64*3-128,"ebx")); + &vmovdqu ($xa3,&QWP($i+16*7-128,$inp)) if ($i<192); + &vmovdqu (&QWP($i+16*0-128,$out),$xt0); # write output + &vmovdqu (&QWP($i+16*1-128,$out),$xt1); + &vmovdqu (&QWP($i+16*2-128,$out),$xt2); + &vmovdqu (&QWP($i+16*3-128,$out),$xt3); } + &lea ($inp,&DWP(256,$inp)); + &lea ($out,&DWP(256,$out)); &sub ($len,64*4); &jnc (&label("outer_loop")); From rt at openssl.org Wed Mar 2 02:15:37 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 02:15:37 +0000 Subject: [openssl-dev] [openssl.org #4365] OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1) In-Reply-To: References: Message-ID: $ make depend && make clean && make ... cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s chacha-ppc.s:454:Parameter syntax error (parameter 1) make[2]: *** [chacha-ppc.o] Error 1 make[1]: *** [subdirs] Error 1 make: *** [build_crypto] Error 1 ********** $ KERNEL_BITS=64 ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin64-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin64-ppc-cc IsMK1MF =no CC =cc CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM LFLAG = PLIB_LFLAG =-Wl,-search_paths_first EX_LIBS = CPUID_OBJ =ppccpuid.o ppccap.o BN_ASM =bn-ppc.o ppc-mont.o ppc64-mont.o EC_ASM = DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashp8-ppc.o PADLOCK_OBJ = CHACHA_ENC =chacha-ppc.o POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 SIXTY_FOUR_BIT_LONG mode Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4365 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 02:54:58 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 02:54:58 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: Message-ID: $ make depend && make clean && make ... $ make test ... ../test/recipes/80-test_tsa.t ............. ok ../test/recipes/90-test_async.t ........... 1/1 # Failed test 'running asynctest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. ../test/recipes/90-test_async.t ........... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ... Test Summary Report ------------------- ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 cusr 45.51 csys = 214.67 CPU) Result: FAIL Failed 1/70 test programs. 1/389 subtests failed. make[1]: *** [tests] Error 255 ********** $ KERNEL_BITS=64 ./config no-asm Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin64-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-asm [option] OPENSSL_NO_ASM no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin64-ppc-cc IsMK1MF =no CC =cc CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC LFLAG = PLIB_LFLAG =-Wl,-search_paths_first EX_LIBS = CPUID_OBJ =mem_clr.o BN_ASM =bn_asm.o EC_ASM = DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM = RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ = PADLOCK_OBJ = CHACHA_ENC =chacha_enc.o POLY1305_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 SIXTY_FOUR_BIT_LONG mode Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 03:16:25 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 03:16:25 +0000 Subject: [openssl-dev] [openssl.org #4366]: OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1) In-Reply-To: References: Message-ID: The issue exists with 32-bit builds, too: $ KERNEL_BITS=32 ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin-ppc-cc IsMK1MF =no CC =cc CFLAG = -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -O3 DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM LFLAG = PLIB_LFLAG =-Wl,-search_paths_first EX_LIBS = CPUID_OBJ =ppccpuid.o ppccap.o BN_ASM =bn-ppc.o ppc-mont.o ppc64-mont.o EC_ASM = DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashp8-ppc.o PADLOCK_OBJ = CHACHA_ENC =chacha-ppc.o POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 THIRTY_TWO_BIT mode BN_LLONG mode Configured for darwin-ppc-cc. On Tue, Mar 1, 2016 at 9:15 PM, Jeffrey Walton wrote: > $ make depend && make clean && make > ... > > cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN > -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 > -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s > chacha-ppc.s:454:Parameter syntax error (parameter 1) > make[2]: *** [chacha-ppc.o] Error 1 > make[1]: *** [subdirs] Error 1 > make: *** [build_crypto] Error 1 > > ********** > > $ KERNEL_BITS=64 ./config > Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul > 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC > Configuring for darwin64-ppc-cc > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-zlib [default] > no-zlib-dynamic [forced] > Configuring for darwin64-ppc-cc > IsMK1MF =no > CC =cc > CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM > SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG =-Wl,-search_paths_first > EX_LIBS = > CPUID_OBJ =ppccpuid.o ppccap.o > BN_ASM =bn-ppc.o ppc-mont.o ppc64-mont.o > EC_ASM = > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4_enc.o rc4_skey.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM = > SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o > sha512p8-ppc.o > RMD160_OBJ_ASM= > CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o > MODES_OBJ =ghashp8-ppc.o > PADLOCK_OBJ = > CHACHA_ENC =chacha-ppc.o > POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/opt/local/bin//perl5 > > SIXTY_FOUR_BIT_LONG mode > > Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 03:30:42 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 03:30:42 +0000 Subject: [openssl-dev] [openssl.org #4367] FEATURE: Please add -headerpad_max_install_names to LDFLAGS for dynamic libraries on OS X builds In-Reply-To: References: Message-ID: OS X side steps the problems with selecting the wrong runtime library and RPATHs by using something called an install name. Effectively, the install name should be placed in libcrypto.dylib and libssl.dylib, and it calls out the fully qualified path name. Programs linked to a library with an install name will record the library, and dyld(1) will link to the proper library at runtime. There's no need for tricks like LD_LIBRARY_PATH on Linux (its called DYLD_LIBRARY_PATH on OS X). To make room for an install name that may change (for example, from PWD to /usr/local/ssl/lib, you need to use the flag -headerpad_max_install_names on libcrypto.dylib and libssl.dylib. To add the icing to the cake, 'make install' should add the following to its recipe for OS X: cp libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib And: cp libssl.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 04:14:40 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 04:14:40 +0000 Subject: [openssl-dev] [openssl.org #4367]: OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: Message-ID: For completeness, the same configuration under 32-bit is OK. On Tue, Mar 1, 2016 at 9:54 PM, Jeffrey Walton wrote: > $ make depend && make clean && make > ... > > $ make test > ... > > ../test/recipes/80-test_tsa.t ............. ok > ../test/recipes/90-test_async.t ........... 1/1 > # Failed test 'running asynctest' > # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_async.t ........... Dubious, test returned 1 > (wstat 256, 0x100) > Failed 1/1 subtests > ... > Test Summary Report > ------------------- > ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 > cusr 45.51 csys = 214.67 CPU) > Result: FAIL > Failed 1/70 test programs. 1/389 subtests failed. > make[1]: *** [tests] Error 255 > > ********** > $ KERNEL_BITS=64 ./config no-asm > Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul > 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC > Configuring for darwin64-ppc-cc > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-asm [option] OPENSSL_NO_ASM > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-zlib [default] > no-zlib-dynamic [forced] > Configuring for darwin64-ppc-cc > IsMK1MF =no > CC =cc > CFLAG = -D_REENTRANT -arch ppc64 -DB_ENDIAN -O3 > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC > LFLAG = > PLIB_LFLAG =-Wl,-search_paths_first > EX_LIBS = > CPUID_OBJ =mem_clr.o > BN_ASM =bn_asm.o > EC_ASM = > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes_core.o aes_cbc.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4_enc.o rc4_skey.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM = > SHA1_OBJ_ASM = > RMD160_OBJ_ASM= > CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o > MODES_OBJ = > PADLOCK_OBJ = > CHACHA_ENC =chacha_enc.o > POLY1305_OBJ = > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/opt/local/bin//perl5 > > SIXTY_FOUR_BIT_LONG mode > > Configured for darwin64-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 04:34:49 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 04:34:49 +0000 Subject: [openssl-dev] [openssl.org #4367]: FEATURE: Please add -headerpad_max_install_names to LDFLAGS for dynamic libraries on OS X builds In-Reply-To: References: Message-ID: Also worth mentioning: depending on how much magic will be sprinkled from the PERL script... install_name is available on OS X 10.4 and above, which covers the last 10 years or so. Also see "Configure-based open source libraries: current_version and install_name" (http://lists.apple.com/archives/unix-porting/2006/Dec/msg00009.html) on the Apple mailing lists. On Tue, Mar 1, 2016 at 10:30 PM, Jeffrey Walton wrote: > OS X side steps the problems with selecting the wrong runtime library > and RPATHs by using something called an install name. Effectively, the > install name should be placed in libcrypto.dylib and libssl.dylib, and > it calls out the fully qualified path name. Programs linked to a > library with an install name will record the library, and dyld(1) will > link to the proper library at runtime. There's no need for tricks like > LD_LIBRARY_PATH on Linux (its called DYLD_LIBRARY_PATH on OS X). > > To make room for an install name that may change (for example, from > PWD to /usr/local/ssl/lib, you need to use the flag > -headerpad_max_install_names on libcrypto.dylib and libssl.dylib. > > To add the icing to the cake, 'make install' should add the following > to its recipe for OS X: > > cp libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > > And: > > cp libssl.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib > install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib > $(DESTDIR)$(OPENSSLDIR)/lib/libssl.dylib -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 05:05:10 2016 From: rt at openssl.org (Mike Frysinger via RT) Date: Wed, 02 Mar 2016 05:05:10 +0000 Subject: [openssl-dev] [PATCH] [openssl.org #2558] make windres controllable via build env var settings In-Reply-To: <1456894690-30782-1-git-send-email-vapier@gentoo.org> References: <1456894690-30782-1-git-send-email-vapier@gentoo.org> Message-ID: atm, the windres code in openssl is only usable via the cross-compile prefix option unlike all the other build tools. So add support for the standard $RC / $WINDRES env vars as well. --- Configure | 1 + Makefile.in | 2 ++ Makefile.shared | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/Configure b/Configure index 080bc06..f5b1257 100755 --- a/Configure +++ b/Configure @@ -888,6 +888,7 @@ $target{ranlib} = $ENV{'RANLIB'} || $target{ranlib} || $default_ranlib; $target{ar} = $ENV{'AR'} || "ar"; $target{arflags} = "" if !defined($target{arflags}); $target{nm} = "nm"; +$target{windres} = $ENV{'RC'} || $ENV{'WINDRES'} || "windres"; # Make sure build_scheme is consistent. $target{build_scheme} = [ $target{build_scheme} ] if ref($target{build_scheme}) ne "ARRAY"; diff --git a/Makefile.in b/Makefile.in index 30f44ff..0830b88 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,6 +103,7 @@ ARFLAGS= {- $target{arflags} -} AR=$(CROSS_COMPILE){- $target{ar} -} $(ARFLAGS) r RANLIB= {- $target{ranlib} -} NM= $(CROSS_COMPILE){- $target{nm} -} +WINDRES= $(CROSS_COMPILE){- $target{windres} -} PERL= {- $config{perl} -} #RM= echo -- RM= rm -f @@ -254,6 +255,7 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\ SHARED_CFLAG='$(SHARED_CFLAG)' \ AS='$(CC)' ASFLAG='$(CFLAG) -c' \ AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \ + WINDRES='$(WINDRES)' \ CROSS_COMPILE='$(CROSS_COMPILE)' \ PERL='$(PERL)' DYNAMIC_ENGINES='$(DYNAMIC_ENGINES)' \ SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)' \ diff --git a/Makefile.shared b/Makefile.shared index 9028960..adcfe40 100644 --- a/Makefile.shared +++ b/Makefile.shared @@ -280,7 +280,7 @@ link_shlib.cygwin: echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \ "$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \ $(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \ - $(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \ + $(WINDRES) $(SHARED_RCFLAGS) -o rc.o; \ ALLSYMSFLAGS='-Wl,--whole-archive'; \ NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \ SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,--enable-auto-image-base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a rc.o"; \ -- 2.6.2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2558 Please log in as guest with password guest if prompted From atulthosar at gmail.com Wed Mar 2 07:49:54 2016 From: atulthosar at gmail.com (Atul Thosar) Date: Wed, 2 Mar 2016 13:19:54 +0530 Subject: [openssl-dev] OpenSSL 1.0.2f build issue - unresolved external symbol In-Reply-To: <56D59271.3010508@openssl.org> References: <56D59271.3010508@openssl.org> Message-ID: Thanks Andy, Michel. I'll give a try again. -- B ?R? , Atul Thosar On 1 March 2016 at 18:30, Andy Polyakov wrote: > > link /nologo /subsystem:console /opt:ref /debug /dll > > /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def > > @C:\Users\athosar\AppData\Local\Temp\nm43EB.tmp > > Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp > > cryptlib.obj : error LNK2001: unresolved external symbol > _OPENSSL_ia32cap_P > > This shouldn't happen if you go for no-asm. Basically it sounds like a > left-over from attempt to build with asm support. In other words start > over from empty directory. > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 2 09:18:35 2016 From: rt at openssl.org (Hejian via RT) Date: Wed, 02 Mar 2016 09:18:35 +0000 Subject: [openssl-dev] =?utf-8?b?562U5aSNOiAgW29wZW5zc2wub3JnICM0MzYwXSBb?= =?utf-8?q?BUG=5D_OpenSSL-1=2E0=2E1_crash_on_sha1=5Fblock=5Fdata=5F?= =?utf-8?q?order=5Fssse3_asm?= In-Reply-To: References: <56D59088.2070006@openssl.org> Message-ID: Thank you very much for your reply! Here is my complement: 1. I use the OpenSSL 1.0.1q, not 1.0.1r, sorry. 2.> I mean did you experience crash with openssl command (which one if so), or is it a web (or some other tls) server facing network? --our system is C/S structure, client and server communicate by CORBA. I experience crash when CORBA calls. The following is one stack: Program terminated with signal 11, Segmentation fault. Thread 1 (Thread 0x7f0654871700 (LWP 22383)): #0 0x00007f06a2cdddb8 in sha1_block_data_order_ssse3 () from ***/lib/libcrypto.so.1.0.0 #1 0xca62c1d6ca62c1d6 in ?? () #2 0xca62c1d6ca62c1d6 in ?? () #3 0xca62c1d6ca62c1d6 in ?? () #4 0xca62c1d6ca62c1d6 in ?? () #5 0xca62c1d6ca62c1d6 in ?? () #6 0xca62c1d6ca62c1d6 in ?? () #7 0xca62c1d6ca62c1d6 in ?? () #8 0xca62c1d6ca62c1d6 in ?? () #9 0xffffffffffffffea in ?? () #10 0x00007f06aee0ded0 in ?? () #11 0x03ffffffffffffff in ?? () #12 0x00007f06a2cdb173 in SHA1_Update () ... #16 0x00007f06a19e967b in ssl3_write_bytes () from ***/lib/libssl.so.1.0.0 #17 0x00007f06a0c0dc97 in ACE_SSL_SOCK_Stream::send(void const*, unsigned long, int, ACE_Time_Value const*) const () from ***/lib/libACE_SSL.so.6.1.0 #18 0x00007f06a0c0e001 in ACE_SSL_SOCK_Stream::sendv(iovec const*, unsigned long, ACE_Time_Value const*) const () from ***/lib/libACE_SSL.so.6.1.0 #19 0x00007f06a0e9ce6d in TAO::SSLIOP::Transport::send(iovec*, int, unsigned long&, ACE_Time_Value const*) () from ***/lib/libTAO_SSLIOP.so ... #25 0x00007f06a8025544 in TAO_Transport::send_message_shared(TAO_Stub*, TAO_Message_Semantics, ACE_Message_Block const*, ACE_Time_Value*) () from ***/lib/libTAO.so.2.1.0 #26 0x00007f06a0e9cfba in TAO::SSLIOP::Transport::send_message(TAO_OutputCDR&, TAO_Stub*, TAO_Message_Semantics, ACE_Time_Value*) () ... #35 0x00007f06a80227bf in TAO_Transport::process_parsed_messages(TAO_Queued_Data*, TAO_Resume_Handle&) () from ***/lib/libTAO.so.2.1.0 #36 0x00007f06a8023228 in TAO_Transport::handle_input_parse_data(TAO_Resume_Handle&, ACE_Time_Value*) () from ***/lib/libTAO.so.2.1.0 #37 0x00007f06a8023a43 in TAO_Transport::handle_input(TAO_Resume_Handle&, ACE_Time_Value*) () from ***/lib/libTAO.so.2.1.0 #38 0x00007f06a0e9d0ad in TAO::SSLIOP::Transport::handle_input(TAO_Resume_Handle&, ACE_Time_Value*) () from ***/lib/libTAO_SSLIOP.so #39 0x00007f06a7f8cf03 in TAO_Connection_Handler::svc_i() () from ***/lib/libTAO.so.2.1.0 #40 0x00007f06a7870497 in ACE_Task_Base::svc_run(void*) () ... #44 0x00007f06a6ad264d in clone () from /lib64/libc.so.6 #45 0x0000000000000000 in ?? () (gdb) quit 3.> You need to complement it with output from 'info reg' as well as output from 'disass' command till you see => mark pointing at failing instruction. --I check with one coredump file. (gdb) bt #0 0x00002b41740e8db8 in sha1_block_data_order_ssse3 () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #1 0xfdf35677747316a9 in ?? () #2 0x76e31e49fb938e17 in ?? () #3 0xda54424849480908 in ?? () #4 0x8169066fd99a223c in ?? () #5 0xd3959399c3228e53 in ?? () #6 0x4b40cb4385132309 in ?? () #7 0xe89493da4d391b51 in ?? () #8 0x258fe4e948e933e5 in ?? () #9 0xffffffffffffffe7 in ?? () #10 0x000055555a419c60 in ?? () #11 0x03ffffffffffffff in ?? () #12 0x00002b41740e6173 in SHA1_Update () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #13 0x00002b417415b0ab in ssleay_rand_bytes () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #14 0x00002aaaaabf6496 in tls1_enc () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #15 0x00002aaaaabeb690 in do_ssl3_write () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #16 0x00002aaaaabebb6b in ssl3_dispatch_alert () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #17 0x00002aaada93cf90 in ?? () #18 0x0000000000000000 in ?? () (gdb) i r rsp rsp 0x50a7e100 0x50a7e100 (gdb) x /1x 0x50a7e100 0x50a7e100: 0xfdf35677747316a9 (gdb) x /30a 0x50a7e100 0x50a7e100: 0xfdf35677747316a9 0x76e31e49fb938e17 0x50a7e110: 0xda54424849480908 0x8169066fd99a223c 0x50a7e120: 0xd3959399c3228e53 0x4b40cb4385132309 0x50a7e130: 0xe89493da4d391b51 0x258fe4e948e933e5 0x50a7e140: 0xffffffffffffffe7 0x55555a419c60 0x50a7e150: 0x3ffffffffffffff 0x2b41740e6173 0x50a7e160: 0x13 0x408 0x50a7e170: 0x2aaad71c5938 0x8 0x50a7e180: 0x408 0x2b417415b0ab 0x50a7e190: 0x2b41741e8f87 0x50a7e1c0 0x50a7e1a0: 0x50a7e1f0 0x1 0x50a7e1b0: 0x100000000 0x50a7e210 0x50a7e1c0: 0x2b4174328140 0x0 0x50a7e1d0: 0x0 0x55555a419c60 0x50a7e1e0: 0x0 0x2b4174165c40 (gdb) disassemble 0x2b41740e6173 Dump of assembler code for function SHA1_Update: ... 0x00002b41740e607f <+31>: sub $0x28,%rsp ... 0x00002b41740e60f5 <+149>: callq 0x2b41740e7140 ... 0x00002b41740e613e <+222>: add $0x28,%rsp 0x00002b41740e6142 <+226>: retq (gdb) disass 0x2b41740e8db8 Dump of assembler code for function sha1_block_data_order_ssse3: 0x00002b41740e8210 <+0>: push %rbx 0x00002b41740e8211 <+1>: push %rbp 0x00002b41740e8212 <+2>: push %r12 0x00002b41740e8214 <+4>: lea -0x40(%rsp),%rsp 0x00002b41740e8219 <+9>: mov %rdi,%r8 ... 0x00002b41740e8da7 <+2967>: je 0x2b41740e8f40 0x00002b41740e8dad <+2973>: movdqa 0x40(%r11),%xmm6 0x00002b41740e8db3 <+2979>: movdqa (%r11),%xmm9 => 0x00002b41740e8db8 <+2984>: movdqu (%r9),%xmm0 --is this what you want ? 0x00002b41740e8dbd <+2989>: movdqu 0x10(%r9),%xmm1 0x00002b41740e8dc3 <+2995>: movdqu 0x20(%r9),%xmm2 0x00002b41740e8dc9 <+3001>: movdqu 0x30(%r9),%xmm3 Thanks B/R -----????----- ???: Andy Polyakov via RT [mailto:rt at openssl.org] ????: 2016?3?1? 20:52 ???: Hejian (E) ??: openssl-dev at openssl.org ??: Re: [openssl-dev] [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm Hi, > we met crash of openssl (varely, 3 times i have seen) on linux x86_64. > openSSL version is 1.0.1r. > > The stack is as below: > Program terminated with signal 11, Segmentation fault. > Thread 1 (Thread 0x7f0654871700 (LWP 22383)): > #0 0x00007f06a2cdddb8 in sha1_block_data_order_ssse3 () from > *****/libcrypto.so.1.0.0 > #1 0xca62c1d6ca62c1d6 in ?? () > #2 0xca62c1d6ca62c1d6 in ?? () > #3 0xca62c1d6ca62c1d6 in ?? () > > We find the similar issue on https://rt.openssl.org/, the ticket id is 3191 . > Can u help me confirm is it the same issue ? Not with presented information :-( You need to complement it with output from 'info reg' as well as output from 'disass' command till you see => mark pointing at failing instruction. From debugger prompts that is. And since stack back-tracing is problematic here, tell approximately what was going on? I mean did you experience crash with openssl command (which one if so), or is it a web (or some other tls) server facing network? > And where can I get the commit b77b58a398c8b9b4113f3fb6b48e162a3b8d4527 ? It was incorporated 1.0.1 since 1.0.1f. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 09:18:35 2016 From: rt at openssl.org (Klein Marek via RT) Date: Wed, 02 Mar 2016 09:18:35 +0000 Subject: [openssl-dev] [openssl.org #4368] ESSCertIDv2 Update for RFC 3161 In-Reply-To: References: Message-ID: Hello, This patch https://github.com/openssl/openssl/pull/771 adds support for ESSCertIDv2 to ts module as defined in RFC5816 (Update for RFC 3161), thus it removes another hardcoded SHA-1 usage from ts module. It is possible to choose the hash algorithm that is used to calculate certificate id by setting .conf variable "ess_cert_id_v2_alg". By setting "ess_cert_id_v2" variable it is possible to decide whether ESSCertIDv2 should be used instead of original ESSCertID. Original behavior (using ESSCertID) is preserved. Kind Regards / S pozdravom Marek Klein Disig, a.s. Zahradnicka 151, 821 08 Bratislava 2 marek.klein at disig.sk www.disig.sk -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4368 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5187 bytes Desc: not available URL: From bbrumley at gmail.com Wed Mar 2 09:44:56 2016 From: bbrumley at gmail.com (Billy Brumley) Date: Wed, 2 Mar 2016 11:44:56 +0200 Subject: [openssl-dev] [openssl.org #3667] [PATCH] Faster GLV elliptic curves In-Reply-To: References: Message-ID: Ported from 1.0 to 1.1 -- PR: https://github.com/openssl/openssl/pull/776 On Tue, Jan 20, 2015 at 4:02 PM, Billy Brumley via RT wrote: > This patch gives about 50% speed improvement for existing GLV elliptic > curves in OpenSSL. Read about it here: > > http://eprint.iacr.org/2015/036 > > It could use a review. Perhaps the best known use case for secp256k1 > right now is Bitcoin. > > BBB > > Before: > op op/s > 160 bit ecdh (secp160r1) 0.0001s 6730.6 > 192 bit ecdh (nistp192) 0.0002s 5714.8 > 224 bit ecdh (nistp224) 0.0002s 4153.6 > 256 bit ecdh (nistp256) 0.0003s 3573.1 > 160 bit ecdh (secp160k1) 0.0002s 6198.2 > 192 bit ecdh (secp192k1) 0.0002s 5191.9 > 224 bit ecdh (secp224k1) 0.0003s 3789.3 > 256 bit ecdh (secp256k1) 0.0003s 3281.2 > > sign verify sign/s verify/s > 160 bit ecdsa (secp160r1) 0.0001s 0.0002s 19289.6 5581.5 > 192 bit ecdsa (nistp192) 0.0001s 0.0002s 16011.7 4650.7 > 224 bit ecdsa (nistp224) 0.0001s 0.0003s 12987.1 3378.2 > 256 bit ecdsa (nistp256) 0.0001s 0.0003s 11061.8 2913.0 > 160 bit ecdsa (secp160k1) 0.0001s 0.0002s 18946.5 5290.5 > 192 bit ecdsa (secp192k1) 0.0001s 0.0002s 15605.9 4289.9 > 224 bit ecdsa (secp224k1) 0.0001s 0.0003s 12752.6 3145.9 > 256 bit ecdsa (secp256k1) 0.0001s 0.0004s 10803.0 2733.2 > > > > After: > op op/s > 160 bit ecdh (secp160r1) 0.0001s 6798.4 > 192 bit ecdh (nistp192) 0.0002s 5667.2 > 224 bit ecdh (nistp224) 0.0002s 4081.5 > 256 bit ecdh (nistp256) 0.0003s 3578.9 > 160 bit ecdh (secp160k1) 0.0001s 9102.5 > 192 bit ecdh (secp192k1) 0.0001s 7784.3 > 224 bit ecdh (secp224k1) 0.0002s 5554.4 > 256 bit ecdh (secp256k1) 0.0002s 4890.4 > > sign verify sign/s verify/s > 160 bit ecdsa (secp160r1) 0.0001s 0.0002s 19264.6 5416.7 > 192 bit ecdsa (nistp192) 0.0001s 0.0002s 15956.0 4723.1 > 224 bit ecdsa (nistp224) 0.0001s 0.0003s 12855.8 3379.9 > 256 bit ecdsa (nistp256) 0.0001s 0.0003s 11017.8 2911.7 > 160 bit ecdsa (secp160k1) 0.0001s 0.0001s 18959.9 6705.4 > 192 bit ecdsa (secp192k1) 0.0001s 0.0002s 15624.0 5681.4 > 224 bit ecdsa (secp224k1) 0.0001s 0.0002s 12513.0 4189.3 > 256 bit ecdsa (secp256k1) 0.0001s 0.0003s 10621.2 3569.8 > > > > $ cat /proc/cpuinfo > processor : 0 > vendor_id : GenuineIntel > cpu family : 6 > model : 60 > model name : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz > stepping : 3 > microcode : 26 > cpu MHz : 800.000 > cache size : 6144 KB > physical id : 0 > siblings : 4 > core id : 0 > cpu cores : 4 > apicid : 0 > initial apicid : 0 > fpu : yes > fpu_exception : yes > cpuid level : 13 > wp : yes > flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge > mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe > syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts > rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor > ds_cpl vmx smx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 > x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand > lahf_lm abm ida arat epb xsaveopt pln pts dts tpr_shadow vnmi > flexpriority ept vpid fsgsbase bmi1 hle avx2 smep bmi2 erms invpcid > rtm > bogomips : 6384.88 > clflush size : 64 > cache_alignment : 64 > address sizes : 39 bits physical, 48 bits virtual > power management: SNIP > > > diff -ru --new-file openssl-1.0.1l-orig/apps/speed.c openssl-1.0.1l/apps/speed.c > --- openssl-1.0.1l-orig/apps/speed.c 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/apps/speed.c 2015-01-19 13:44:38.232456333 +0200 > @@ -244,7 +244,7 @@ > #define RSA_NUM 4 > #define DSA_NUM 3 > > -#define EC_NUM 16 > +#define EC_NUM 8 > #define MAX_ECDH_SIZE 256 > > static const char *names[ALGOR_NUM]={ > @@ -512,18 +512,10 @@ > #define R_EC_P192 1 > #define R_EC_P224 2 > #define R_EC_P256 3 > -#define R_EC_P384 4 > -#define R_EC_P521 5 > -#define R_EC_K163 6 > -#define R_EC_K233 7 > -#define R_EC_K283 8 > -#define R_EC_K409 9 > -#define R_EC_K571 10 > -#define R_EC_B163 11 > -#define R_EC_B233 12 > -#define R_EC_B283 13 > -#define R_EC_B409 14 > -#define R_EC_B571 15 > +#define R_EC_K160 4 > +#define R_EC_K192 5 > +#define R_EC_K224 6 > +#define R_EC_K256 7 > > #ifndef OPENSSL_NO_RSA > RSA *rsa_key[RSA_NUM]; > @@ -553,19 +545,10 @@ > NID_X9_62_prime192v1, > NID_secp224r1, > NID_X9_62_prime256v1, > - NID_secp384r1, > - NID_secp521r1, > - /* Binary Curves */ > - NID_sect163k1, > - NID_sect233k1, > - NID_sect283k1, > - NID_sect409k1, > - NID_sect571k1, > - NID_sect163r2, > - NID_sect233r1, > - NID_sect283r1, > - NID_sect409r1, > - NID_sect571r1 > + NID_secp160k1, > + NID_secp192k1, > + NID_secp224k1, > + NID_secp256k1 > }; > static const char * test_curves_names[EC_NUM] = > { > @@ -574,25 +557,15 @@ > "nistp192", > "nistp224", > "nistp256", > - "nistp384", > - "nistp521", > - /* Binary Curves */ > - "nistk163", > - "nistk233", > - "nistk283", > - "nistk409", > - "nistk571", > - "nistb163", > - "nistb233", > - "nistb283", > - "nistb409", > - "nistb571" > + "secp160k1", > + "secp192k1", > + "secp224k1", > + "secp256k1" > }; > static int test_curves_bits[EC_NUM] = > { > - 160, 192, 224, 256, 384, 521, > - 163, 233, 283, 409, 571, > - 163, 233, 283, 409, 571 > + 160, 192, 224, 256, > + 160, 192, 224, 256 > }; > > #endif > @@ -962,18 +935,10 @@ > else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2; > else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2; > else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2; > - else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2; > - else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2; > - else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2; > - else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2; > - else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2; > - else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2; > - else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2; > - else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2; > - else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2; > - else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2; > - else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2; > - else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2; > + else if (strcmp(*argv,"ecdsak160") == 0) ecdsa_doit[R_EC_K160]=2; > + else if (strcmp(*argv,"ecdsak192") == 0) ecdsa_doit[R_EC_K192]=2; > + else if (strcmp(*argv,"ecdsak224") == 0) ecdsa_doit[R_EC_K224]=2; > + else if (strcmp(*argv,"ecdsak256") == 0) ecdsa_doit[R_EC_K256]=2; > else if (strcmp(*argv,"ecdsa") == 0) > { > for (i=0; i < EC_NUM; i++) > @@ -986,18 +951,10 @@ > else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2; > else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2; > else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2; > - else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2; > - else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2; > - else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2; > - else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2; > - else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2; > - else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2; > - else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2; > - else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2; > - else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2; > - else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2; > - else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2; > - else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2; > + else if (strcmp(*argv,"ecdhk160") == 0) ecdh_doit[R_EC_K160]=2; > + else if (strcmp(*argv,"ecdhk192") == 0) ecdh_doit[R_EC_K192]=2; > + else if (strcmp(*argv,"ecdhk224") == 0) ecdh_doit[R_EC_K224]=2; > + else if (strcmp(*argv,"ecdhk256") == 0) ecdh_doit[R_EC_K256]=2; > else if (strcmp(*argv,"ecdh") == 0) > { > for (i=0; i < EC_NUM; i++) > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ec_curve.c openssl-1.0.1l/crypto/ec/ec_curve.c > --- openssl-1.0.1l-orig/crypto/ec/ec_curve.c 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ec_curve.c 2015-01-19 13:43:51.375897173 +0200 > @@ -1836,18 +1836,18 @@ > { NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, "SECG curve over a 112 bit prime field" }, > { NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, "SECG curve over a 128 bit prime field" }, > { NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, "SECG curve over a 128 bit prime field" }, > - { NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, "SECG curve over a 160 bit prime field" }, > + { NID_secp160k1, &_EC_SECG_PRIME_160K1.h, EC_GFp_glv_method, "SECG curve over a 160 bit prime field" }, > { NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, "SECG curve over a 160 bit prime field" }, > { NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field" }, > /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ > - { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field" }, > - { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field" }, > + { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, EC_GFp_glv_method, "SECG curve over a 192 bit prime field" }, > + { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, EC_GFp_glv_method, "SECG curve over a 224 bit prime field" }, > #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 > { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field" }, > #else > { NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field" }, > #endif > - { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" }, > + { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, EC_GFp_glv_method, "SECG curve over a 256 bit prime field" }, > /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ > { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" }, > #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ec.h openssl-1.0.1l/crypto/ec/ec.h > --- openssl-1.0.1l-orig/crypto/ec/ec.h 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ec.h 2015-01-19 13:43:50.864153182 +0200 > @@ -146,6 +146,11 @@ > */ > const EC_METHOD *EC_GFp_mont_method(void); > > +/** Returns GFp methods using optimized methods for GLV curves > + * \return EC_METHOD object > + */ > +const EC_METHOD *EC_GFp_glv_method(void); > + > /** Returns GFp methods using optimized methods for NIST recommended curves > * \return EC_METHOD object > */ > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ec_lcl.h openssl-1.0.1l/crypto/ec/ec_lcl.h > --- openssl-1.0.1l-orig/crypto/ec/ec_lcl.h 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ec_lcl.h 2015-01-19 13:43:51.080045178 +0200 > @@ -348,6 +348,13 @@ > int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); > > > +/* method functions in ecp_glv.c */ > +int ec_GFp_glv_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, > + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx); > +int ec_GFp_glv_precompute_mult(EC_GROUP *group, BN_CTX *ctx); > +int ec_GFp_glv_have_precompute_mult(const EC_GROUP *group); > + > + > /* method functions in ecp_nist.c */ > int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); > int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ecp_glv.c openssl-1.0.1l/crypto/ec/ecp_glv.c > --- openssl-1.0.1l-orig/crypto/ec/ecp_glv.c 1970-01-01 02:00:00.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ecp_glv.c 2015-01-20 11:30:44.442723943 +0200 > @@ -0,0 +1,336 @@ > +#include > + > +#ifdef OPENSSL_FIPS > +#include > +#endif > + > +#include "ec_lcl.h" > + > +/** > + * Faster scalar multiplication for GLV curves: > + * http://eprint.iacr.org/2015/036 > + * > + * @author Billy Brumley > + */ > + > +const EC_METHOD *EC_GFp_glv_method(void) > + { > + static const EC_METHOD ret = { > + EC_FLAGS_DEFAULT_OCT, > + NID_X9_62_prime_field, > + ec_GFp_mont_group_init, > + ec_GFp_mont_group_finish, > + ec_GFp_mont_group_clear_finish, > + ec_GFp_mont_group_copy, > + ec_GFp_mont_group_set_curve, > + ec_GFp_simple_group_get_curve, > + ec_GFp_simple_group_get_degree, > + ec_GFp_simple_group_check_discriminant, > + ec_GFp_simple_point_init, > + ec_GFp_simple_point_finish, > + ec_GFp_simple_point_clear_finish, > + ec_GFp_simple_point_copy, > + ec_GFp_simple_point_set_to_infinity, > + ec_GFp_simple_set_Jprojective_coordinates_GFp, > + ec_GFp_simple_get_Jprojective_coordinates_GFp, > + ec_GFp_simple_point_set_affine_coordinates, > + ec_GFp_simple_point_get_affine_coordinates, > + 0,0,0, > + ec_GFp_simple_add, > + ec_GFp_simple_dbl, > + ec_GFp_simple_invert, > + ec_GFp_simple_is_at_infinity, > + ec_GFp_simple_is_on_curve, > + ec_GFp_simple_cmp, > + ec_GFp_simple_make_affine, > + ec_GFp_simple_points_make_affine, > + ec_GFp_glv_mul, > + ec_GFp_glv_precompute_mult, > + ec_GFp_glv_have_precompute_mult, > + ec_GFp_mont_field_mul, > + ec_GFp_mont_field_sqr, > + 0 /* field_div */, > + ec_GFp_mont_field_encode, > + ec_GFp_mont_field_decode, > + ec_GFp_mont_field_set_to_one }; > + > +#ifdef OPENSSL_FIPS > + if (FIPS_mode()) > + return fips_ec_gfp_glv_method(); > +#endif > + > + return &ret; > + } > + > +/* GLV-related per-curve constants */ > +static const unsigned char glv_constants_secp160k1[] = { > + /* beta */ > + 0x9b,0xa4,0x8c,0xba,0x5e,0xbc,0xb9,0xb6, > + 0xbd,0x33,0xb9,0x28,0x30,0xb2,0xa2,0xe0, > + 0xe1,0x92,0xf1,0x0a, > + /* a1 */ > + 0x91,0x62,0xfb,0xe7,0x39,0x84,0x47,0x2a, > + 0x0a,0x9e, > + /* b1 */ > + 0x96,0x34,0x1f,0x11,0x38,0x93,0x3b,0xc2, > + 0xf5,0x05, > + /* a2 */ > + 0x01,0x27,0x97,0x1a,0xf8,0x72,0x17,0x82, > + 0xec,0xff,0xa3, > + /* b2 */ > + 0x91,0x62,0xfb,0xe7,0x39,0x84,0x47,0x2a, > + 0x0a,0x9e > +}; > + > +static const unsigned char glv_constants_secp192k1[] = { > + /* beta */ > + 0xbb,0x85,0x69,0x19,0x39,0xb8,0x69,0xc1, > + 0xd0,0x87,0xf6,0x01,0x55,0x4b,0x96,0xb8, > + 0x0c,0xb4,0xf5,0x5b,0x35,0xf4,0x33,0xc2, > + /* a1 */ > + 0x71,0x16,0x9b,0xe7,0x33,0x0b,0x30,0x38, > + 0xed,0xb0,0x25,0xf1, > + /* b1 */ > + 0xb3,0xfb,0x34,0x00,0xde,0xc5,0xc4,0xad, > + 0xce,0xb8,0x65,0x5c, > + /* a2 */ > + 0x01,0x25,0x11,0xcf,0xe8,0x11,0xd0,0xf4, > + 0xe6,0xbc,0x68,0x8b,0x4d, > + /* b2 */ > + 0x71,0x16,0x9b,0xe7,0x33,0x0b,0x30,0x38, > + 0xed,0xb0,0x25,0xf1 > +}; > + > +static const unsigned char glv_constants_secp224k1[] = { > + /* beta */ > + 0x01,0xf1,0x78,0xff,0xa4,0xb1,0x7c,0x89, > + 0xe6,0xf7,0x3a,0xec,0xe2,0xaa,0xd5,0x7a, > + 0xf4,0xc0,0xa7,0x48,0xb6,0x3c,0x83,0x09, > + 0x47,0xb2,0x7e,0x04, > + /* a1 */ > + 0xb8,0xad,0xf1,0x37,0x8a,0x6e,0xb7,0x34, > + 0x09,0xfa,0x6c,0x9c,0x63,0x7d, > + /* b1 */ > + 0x6b,0x8c,0xf0,0x7d,0x4c,0xa7,0x5c,0x88, > + 0x95,0x7d,0x9d,0x67,0x05,0x91, > + /* a2 */ > + 0x6b,0x8c,0xf0,0x7d,0x4c,0xa7,0x5c,0x88, > + 0x95,0x7d,0x9d,0x67,0x05,0x91, > + /* b2 */ > + 0x01,0x24,0x3a,0xe1,0xb4,0xd7,0x16,0x13, > + 0xbc,0x9f,0x78,0x0a,0x03,0x69,0x0e > +}; > + > +static const unsigned char glv_constants_secp256k1[] = { > + /* beta */ > + 0x85,0x16,0x95,0xd4,0x9a,0x83,0xf8,0xef, > + 0x91,0x9b,0xb8,0x61,0x53,0xcb,0xcb,0x16, > + 0x63,0x0f,0xb6,0x8a,0xed,0x0a,0x76,0x6a, > + 0x3e,0xc6,0x93,0xd6,0x8e,0x6a,0xfa,0x40, > + /* a1 */ > + 0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28, > + 0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3, > + /* b1 */ > + 0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd, > + 0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15, > + /* a2 */ > + 0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd, > + 0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15, > + /* b2 */ > + 0x01,0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3, > + 0xf6,0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf, > + 0xd8 > +}; > + > +/** > + * Integer decomposition. > + * See 3.5 in "Guide to Elliptic Curve Cryptography" > + * > + * The alg is slightly re-arranged to keep all constants positive > + * > + * n = constants[0] > + * a1 = constants[2] > + * b1 = constants[3] > + * a2 = constants[4] > + * b2 = constants[5] > + */ > +int ec_GFp_glv_decompose(BIGNUM *k1, BIGNUM *k2, const BIGNUM *scalar, const BIGNUM **constants, BN_CTX *ctx) { > + > + int ret = 0; > + > + BIGNUM *twok, *c1, *c2; > + > + BN_CTX_start(ctx); > + > + do { > + twok = BN_CTX_get(ctx); > + c1 = BN_CTX_get(ctx); > + if ((c2 = BN_CTX_get(ctx)) == NULL) break; > + > + if (!BN_lshift1(twok, scalar)) break; > + > + /* weird computation is for closest int rounding */ > + /* c1 = (2*b2*k+r[0])/(2*r[0]) */ > + /* c2 = (2*b1*k+r[0])/(2*r[0]) */ > + if (!BN_mul(c1, twok, constants[5], ctx)) break; > + if (!BN_add(c1, c1, constants[0])) break; > + if (!BN_div(c1, NULL, c1, constants[0], ctx)) break; > + if (!BN_rshift1(c1, c1)) break; > + if (!BN_mul(c2, twok, constants[3], ctx)) break; > + if (!BN_add(c2, c2, constants[0])) break; > + if (!BN_div(c2, NULL, c2, constants[0], ctx)) break; > + if (!BN_rshift1(c2, c2)) break; > + > + /* k1 = k - (c1*a1 + c2*a2) */ > + /* k2 = c1*b1 - c2*b2 */ > + if (!BN_mul(k1, constants[2], c1, ctx)) break; > + if (!BN_mul(k2, constants[4], c2, ctx)) break; > + if (!BN_add(k1, k1, k2)) break; > + if (!BN_sub(k1, scalar, k1)) break; > + if (!BN_mul(c1, constants[3], c1, ctx)) break; > + if (!BN_mul(c2, constants[5], c2, ctx)) break; > + if (!BN_sub(k2, c1, c2)) break; > + > + ret = 1; > + } while(0); > + > + BN_CTX_end(ctx); > + > + return ret; > + > +} > + > +/** > + * Computes the sum > + * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1] > + */ > +int ec_GFp_glv_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, > + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) > + { > + > + /* use default stuff if we have precomp and it can help */ > + if(num == 0 && EC_GROUP_have_precompute_mult(group)) > + return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); > + > + int i, ret = 0; > + > + BIGNUM *tscalar = NULL; > + EC_POINT **tpoints = NULL; > + BIGNUM **tscalars = NULL; > + BIGNUM **constants = NULL; > + > + if ((constants = OPENSSL_malloc(6*sizeof(BIGNUM *))) == NULL) return 0; > + > + BN_CTX_start(ctx); > + > + /* fill in the constants */ > + for(i=0; i<6; i++) { > + constants[i] = BN_CTX_get(ctx); > + } > + > + if(constants[5] == NULL) goto err; > + > + if (!EC_GROUP_get_order(group, constants[0], ctx)) goto err; > + > + switch(EC_GROUP_get_curve_name(group)) { > + case NID_secp160k1: > + BN_bin2bn(glv_constants_secp160k1 + 0, 20, constants[1]); > + BN_bin2bn(glv_constants_secp160k1 + 20, 10, constants[2]); > + BN_bin2bn(glv_constants_secp160k1 + 30, 10, constants[3]); > + BN_bin2bn(glv_constants_secp160k1 + 40, 11, constants[4]); > + BN_bin2bn(glv_constants_secp160k1 + 51, 10, constants[5]); > + break; > + case NID_secp192k1: > + BN_bin2bn(glv_constants_secp192k1 + 0, 24, constants[1]); > + BN_bin2bn(glv_constants_secp192k1 + 24, 12, constants[2]); > + BN_bin2bn(glv_constants_secp192k1 + 36, 12, constants[3]); > + BN_bin2bn(glv_constants_secp192k1 + 48, 13, constants[4]); > + BN_bin2bn(glv_constants_secp192k1 + 61, 12, constants[5]); > + break; > + case NID_secp224k1: > + BN_bin2bn(glv_constants_secp224k1 + 0, 28, constants[1]); > + BN_bin2bn(glv_constants_secp224k1 + 28, 14, constants[2]); > + BN_bin2bn(glv_constants_secp224k1 + 42, 14, constants[3]); > + BN_bin2bn(glv_constants_secp224k1 + 56, 14, constants[4]); > + BN_bin2bn(glv_constants_secp224k1 + 70, 15, constants[5]); > + break; > + case NID_secp256k1: > + BN_bin2bn(glv_constants_secp256k1 + 0, 32, constants[1]); > + BN_bin2bn(glv_constants_secp256k1 + 32, 16, constants[2]); > + BN_bin2bn(glv_constants_secp256k1 + 48, 16, constants[3]); > + BN_bin2bn(glv_constants_secp256k1 + 64, 16, constants[4]); > + BN_bin2bn(glv_constants_secp256k1 + 80, 17, constants[5]); > + break; > + default: > + goto err; > + } > + > + /* encode beta parameter to curve's finite field */ > + if (!group->meth->field_encode(group, constants[1], constants[1], ctx)) goto err; > + > + /* setup some arrays and decompose scalar if it's present and apply endomorphism */ > + if(scalar == NULL) { > + if ((tpoints = OPENSSL_malloc(2 * num * sizeof(EC_POINT *))) == NULL) goto err; > + if ((tscalars = OPENSSL_malloc(2 * num * sizeof(BIGNUM *))) == NULL) goto err; > + } > + else { > + if ((tpoints = OPENSSL_malloc((2 * num + 1) * sizeof(EC_POINT *))) == NULL) goto err; > + if ((tscalars = OPENSSL_malloc((2 * num + 1) * sizeof(BIGNUM *))) == NULL) goto err; > + tscalar = BN_CTX_get(ctx); > + if ((tscalars[2*num] = BN_CTX_get(ctx)) == NULL) goto err; > + if ((tpoints[2*num] = EC_POINT_new(group)) == NULL) goto err; > + if (!EC_POINT_copy(tpoints[2*num], EC_GROUP_get0_generator(group))) goto err; > + if (!group->meth->field_mul(group, &tpoints[2*num]->X, &tpoints[2*num]->X, constants[1], ctx)) goto err; > + if (!ec_GFp_glv_decompose(tscalar, tscalars[2*num], scalar, (const BIGNUM **)constants, ctx)) goto err; > + } > + > + /* decompose all the other scalars and apply the endomorphism */ > + for(i=0; i < num; i++) { > + tpoints[2*i ] = *((EC_POINT **)points + 2*i); > + if ((tpoints[2*i+1] = EC_POINT_new(group)) == NULL) goto err; > + if (!EC_POINT_copy(tpoints[2*i+1], tpoints[2*i])) goto err; > + if (!group->meth->field_mul(group, &tpoints[2*i+1]->X, &tpoints[2*i+1]->X, constants[1], ctx)) goto err; > + tscalars[2*i ] = BN_CTX_get(ctx); > + if ((tscalars[2*i+1] = BN_CTX_get(ctx)) == NULL) goto err; > + if (!ec_GFp_glv_decompose(tscalars[2*i], tscalars[2*i+1], scalars[i], (const BIGNUM **)constants, ctx)) goto err; > + } > + > + /* call into the multi scalar mult routine with new parameters */ > + if(scalar == NULL) { > + ret = ec_wNAF_mul(group, r, scalar, 2*num, (const EC_POINT **)tpoints, (const BIGNUM **)tscalars, ctx); > + } > + else { > + ret = ec_wNAF_mul(group, r, tscalar, 2*num+1, (const EC_POINT **)tpoints, (const BIGNUM **)tscalars, ctx); > + } > + > +err: > + > + /* cleanup */ > + if (tpoints != NULL) { > + for(i=0; i < num; i++) { > + EC_POINT_free(tpoints[2*i+1]); > + } > + if (scalar != NULL) { > + EC_POINT_free(tpoints[2*num]); > + } > + } > + > + BN_CTX_end(ctx); > + > + OPENSSL_free(tpoints); > + OPENSSL_free(tscalars); > + OPENSSL_free(constants); > + > + return ret; > + } > + > +int ec_GFp_glv_precompute_mult(EC_GROUP *group, BN_CTX *ctx) > + { > + return ec_wNAF_precompute_mult(group, ctx); > + } > + > +int ec_GFp_glv_have_precompute_mult(const EC_GROUP *group) > + { > + return ec_wNAF_have_precompute_mult(group); > + } > + > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/Makefile openssl-1.0.1l/crypto/ec/Makefile > --- openssl-1.0.1l-orig/crypto/ec/Makefile 2015-01-15 16:45:04.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/Makefile 2015-01-19 13:43:51.239965175 +0200 > @@ -17,13 +17,13 @@ > APPS= > > LIB=$(TOP)/libcrypto.a > -LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c\ > +LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_glv.c ecp_nist.c ec_cvt.c ec_mult.c\ > ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c\ > ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c \ > ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \ > ecp_oct.c ec2_oct.c ec_oct.c > > -LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_nist.o ec_cvt.o ec_mult.o\ > +LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_glv.o ecp_nist.o ec_cvt.o ec_mult.o\ > ec_err.o ec_curve.o ec_check.o ec_print.o ec_asn1.o ec_key.o\ > ec2_smpl.o ec2_mult.o ec_ameth.o ec_pmeth.o eck_prn.o \ > ecp_nistp224.o ecp_nistp256.o ecp_nistp521.o ecp_nistputil.o \ > @@ -233,6 +233,14 @@ > ecp_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h > ecp_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h > ecp_mont.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_mont.c > +ecp_glv.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h > +ecp_glv.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h > +ecp_glv.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h > +ecp_glv.o: ../../include/openssl/err.h ../../include/openssl/lhash.h > +ecp_glv.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h > +ecp_glv.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h > +ecp_glv.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h > +ecp_glv.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_glv.c > ecp_nist.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h > ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h > ecp_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h > > _______________________________________________ > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > From rt at openssl.org Wed Mar 2 09:45:06 2016 From: rt at openssl.org (Billy Brumley via RT) Date: Wed, 02 Mar 2016 09:45:06 +0000 Subject: [openssl-dev] [openssl.org #3667] [PATCH] Faster GLV elliptic curves In-Reply-To: References: Message-ID: Ported from 1.0 to 1.1 -- PR: https://github.com/openssl/openssl/pull/776 On Tue, Jan 20, 2015 at 4:02 PM, Billy Brumley via RT wrote: > This patch gives about 50% speed improvement for existing GLV elliptic > curves in OpenSSL. Read about it here: > > http://eprint.iacr.org/2015/036 > > It could use a review. Perhaps the best known use case for secp256k1 > right now is Bitcoin. > > BBB > > Before: > op op/s > 160 bit ecdh (secp160r1) 0.0001s 6730.6 > 192 bit ecdh (nistp192) 0.0002s 5714.8 > 224 bit ecdh (nistp224) 0.0002s 4153.6 > 256 bit ecdh (nistp256) 0.0003s 3573.1 > 160 bit ecdh (secp160k1) 0.0002s 6198.2 > 192 bit ecdh (secp192k1) 0.0002s 5191.9 > 224 bit ecdh (secp224k1) 0.0003s 3789.3 > 256 bit ecdh (secp256k1) 0.0003s 3281.2 > > sign verify sign/s verify/s > 160 bit ecdsa (secp160r1) 0.0001s 0.0002s 19289.6 5581.5 > 192 bit ecdsa (nistp192) 0.0001s 0.0002s 16011.7 4650.7 > 224 bit ecdsa (nistp224) 0.0001s 0.0003s 12987.1 3378.2 > 256 bit ecdsa (nistp256) 0.0001s 0.0003s 11061.8 2913.0 > 160 bit ecdsa (secp160k1) 0.0001s 0.0002s 18946.5 5290.5 > 192 bit ecdsa (secp192k1) 0.0001s 0.0002s 15605.9 4289.9 > 224 bit ecdsa (secp224k1) 0.0001s 0.0003s 12752.6 3145.9 > 256 bit ecdsa (secp256k1) 0.0001s 0.0004s 10803.0 2733.2 > > > > After: > op op/s > 160 bit ecdh (secp160r1) 0.0001s 6798.4 > 192 bit ecdh (nistp192) 0.0002s 5667.2 > 224 bit ecdh (nistp224) 0.0002s 4081.5 > 256 bit ecdh (nistp256) 0.0003s 3578.9 > 160 bit ecdh (secp160k1) 0.0001s 9102.5 > 192 bit ecdh (secp192k1) 0.0001s 7784.3 > 224 bit ecdh (secp224k1) 0.0002s 5554.4 > 256 bit ecdh (secp256k1) 0.0002s 4890.4 > > sign verify sign/s verify/s > 160 bit ecdsa (secp160r1) 0.0001s 0.0002s 19264.6 5416.7 > 192 bit ecdsa (nistp192) 0.0001s 0.0002s 15956.0 4723.1 > 224 bit ecdsa (nistp224) 0.0001s 0.0003s 12855.8 3379.9 > 256 bit ecdsa (nistp256) 0.0001s 0.0003s 11017.8 2911.7 > 160 bit ecdsa (secp160k1) 0.0001s 0.0001s 18959.9 6705.4 > 192 bit ecdsa (secp192k1) 0.0001s 0.0002s 15624.0 5681.4 > 224 bit ecdsa (secp224k1) 0.0001s 0.0002s 12513.0 4189.3 > 256 bit ecdsa (secp256k1) 0.0001s 0.0003s 10621.2 3569.8 > > > > $ cat /proc/cpuinfo > processor : 0 > vendor_id : GenuineIntel > cpu family : 6 > model : 60 > model name : Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz > stepping : 3 > microcode : 26 > cpu MHz : 800.000 > cache size : 6144 KB > physical id : 0 > siblings : 4 > core id : 0 > cpu cores : 4 > apicid : 0 > initial apicid : 0 > fpu : yes > fpu_exception : yes > cpuid level : 13 > wp : yes > flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge > mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe > syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts > rep_good xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor > ds_cpl vmx smx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 > x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand > lahf_lm abm ida arat epb xsaveopt pln pts dts tpr_shadow vnmi > flexpriority ept vpid fsgsbase bmi1 hle avx2 smep bmi2 erms invpcid > rtm > bogomips : 6384.88 > clflush size : 64 > cache_alignment : 64 > address sizes : 39 bits physical, 48 bits virtual > power management: SNIP > > > diff -ru --new-file openssl-1.0.1l-orig/apps/speed.c openssl-1.0.1l/apps/speed.c > --- openssl-1.0.1l-orig/apps/speed.c 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/apps/speed.c 2015-01-19 13:44:38.232456333 +0200 > @@ -244,7 +244,7 @@ > #define RSA_NUM 4 > #define DSA_NUM 3 > > -#define EC_NUM 16 > +#define EC_NUM 8 > #define MAX_ECDH_SIZE 256 > > static const char *names[ALGOR_NUM]={ > @@ -512,18 +512,10 @@ > #define R_EC_P192 1 > #define R_EC_P224 2 > #define R_EC_P256 3 > -#define R_EC_P384 4 > -#define R_EC_P521 5 > -#define R_EC_K163 6 > -#define R_EC_K233 7 > -#define R_EC_K283 8 > -#define R_EC_K409 9 > -#define R_EC_K571 10 > -#define R_EC_B163 11 > -#define R_EC_B233 12 > -#define R_EC_B283 13 > -#define R_EC_B409 14 > -#define R_EC_B571 15 > +#define R_EC_K160 4 > +#define R_EC_K192 5 > +#define R_EC_K224 6 > +#define R_EC_K256 7 > > #ifndef OPENSSL_NO_RSA > RSA *rsa_key[RSA_NUM]; > @@ -553,19 +545,10 @@ > NID_X9_62_prime192v1, > NID_secp224r1, > NID_X9_62_prime256v1, > - NID_secp384r1, > - NID_secp521r1, > - /* Binary Curves */ > - NID_sect163k1, > - NID_sect233k1, > - NID_sect283k1, > - NID_sect409k1, > - NID_sect571k1, > - NID_sect163r2, > - NID_sect233r1, > - NID_sect283r1, > - NID_sect409r1, > - NID_sect571r1 > + NID_secp160k1, > + NID_secp192k1, > + NID_secp224k1, > + NID_secp256k1 > }; > static const char * test_curves_names[EC_NUM] = > { > @@ -574,25 +557,15 @@ > "nistp192", > "nistp224", > "nistp256", > - "nistp384", > - "nistp521", > - /* Binary Curves */ > - "nistk163", > - "nistk233", > - "nistk283", > - "nistk409", > - "nistk571", > - "nistb163", > - "nistb233", > - "nistb283", > - "nistb409", > - "nistb571" > + "secp160k1", > + "secp192k1", > + "secp224k1", > + "secp256k1" > }; > static int test_curves_bits[EC_NUM] = > { > - 160, 192, 224, 256, 384, 521, > - 163, 233, 283, 409, 571, > - 163, 233, 283, 409, 571 > + 160, 192, 224, 256, > + 160, 192, 224, 256 > }; > > #endif > @@ -962,18 +935,10 @@ > else if (strcmp(*argv,"ecdsap192") == 0) ecdsa_doit[R_EC_P192]=2; > else if (strcmp(*argv,"ecdsap224") == 0) ecdsa_doit[R_EC_P224]=2; > else if (strcmp(*argv,"ecdsap256") == 0) ecdsa_doit[R_EC_P256]=2; > - else if (strcmp(*argv,"ecdsap384") == 0) ecdsa_doit[R_EC_P384]=2; > - else if (strcmp(*argv,"ecdsap521") == 0) ecdsa_doit[R_EC_P521]=2; > - else if (strcmp(*argv,"ecdsak163") == 0) ecdsa_doit[R_EC_K163]=2; > - else if (strcmp(*argv,"ecdsak233") == 0) ecdsa_doit[R_EC_K233]=2; > - else if (strcmp(*argv,"ecdsak283") == 0) ecdsa_doit[R_EC_K283]=2; > - else if (strcmp(*argv,"ecdsak409") == 0) ecdsa_doit[R_EC_K409]=2; > - else if (strcmp(*argv,"ecdsak571") == 0) ecdsa_doit[R_EC_K571]=2; > - else if (strcmp(*argv,"ecdsab163") == 0) ecdsa_doit[R_EC_B163]=2; > - else if (strcmp(*argv,"ecdsab233") == 0) ecdsa_doit[R_EC_B233]=2; > - else if (strcmp(*argv,"ecdsab283") == 0) ecdsa_doit[R_EC_B283]=2; > - else if (strcmp(*argv,"ecdsab409") == 0) ecdsa_doit[R_EC_B409]=2; > - else if (strcmp(*argv,"ecdsab571") == 0) ecdsa_doit[R_EC_B571]=2; > + else if (strcmp(*argv,"ecdsak160") == 0) ecdsa_doit[R_EC_K160]=2; > + else if (strcmp(*argv,"ecdsak192") == 0) ecdsa_doit[R_EC_K192]=2; > + else if (strcmp(*argv,"ecdsak224") == 0) ecdsa_doit[R_EC_K224]=2; > + else if (strcmp(*argv,"ecdsak256") == 0) ecdsa_doit[R_EC_K256]=2; > else if (strcmp(*argv,"ecdsa") == 0) > { > for (i=0; i < EC_NUM; i++) > @@ -986,18 +951,10 @@ > else if (strcmp(*argv,"ecdhp192") == 0) ecdh_doit[R_EC_P192]=2; > else if (strcmp(*argv,"ecdhp224") == 0) ecdh_doit[R_EC_P224]=2; > else if (strcmp(*argv,"ecdhp256") == 0) ecdh_doit[R_EC_P256]=2; > - else if (strcmp(*argv,"ecdhp384") == 0) ecdh_doit[R_EC_P384]=2; > - else if (strcmp(*argv,"ecdhp521") == 0) ecdh_doit[R_EC_P521]=2; > - else if (strcmp(*argv,"ecdhk163") == 0) ecdh_doit[R_EC_K163]=2; > - else if (strcmp(*argv,"ecdhk233") == 0) ecdh_doit[R_EC_K233]=2; > - else if (strcmp(*argv,"ecdhk283") == 0) ecdh_doit[R_EC_K283]=2; > - else if (strcmp(*argv,"ecdhk409") == 0) ecdh_doit[R_EC_K409]=2; > - else if (strcmp(*argv,"ecdhk571") == 0) ecdh_doit[R_EC_K571]=2; > - else if (strcmp(*argv,"ecdhb163") == 0) ecdh_doit[R_EC_B163]=2; > - else if (strcmp(*argv,"ecdhb233") == 0) ecdh_doit[R_EC_B233]=2; > - else if (strcmp(*argv,"ecdhb283") == 0) ecdh_doit[R_EC_B283]=2; > - else if (strcmp(*argv,"ecdhb409") == 0) ecdh_doit[R_EC_B409]=2; > - else if (strcmp(*argv,"ecdhb571") == 0) ecdh_doit[R_EC_B571]=2; > + else if (strcmp(*argv,"ecdhk160") == 0) ecdh_doit[R_EC_K160]=2; > + else if (strcmp(*argv,"ecdhk192") == 0) ecdh_doit[R_EC_K192]=2; > + else if (strcmp(*argv,"ecdhk224") == 0) ecdh_doit[R_EC_K224]=2; > + else if (strcmp(*argv,"ecdhk256") == 0) ecdh_doit[R_EC_K256]=2; > else if (strcmp(*argv,"ecdh") == 0) > { > for (i=0; i < EC_NUM; i++) > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ec_curve.c openssl-1.0.1l/crypto/ec/ec_curve.c > --- openssl-1.0.1l-orig/crypto/ec/ec_curve.c 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ec_curve.c 2015-01-19 13:43:51.375897173 +0200 > @@ -1836,18 +1836,18 @@ > { NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, "SECG curve over a 112 bit prime field" }, > { NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, "SECG curve over a 128 bit prime field" }, > { NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, "SECG curve over a 128 bit prime field" }, > - { NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, "SECG curve over a 160 bit prime field" }, > + { NID_secp160k1, &_EC_SECG_PRIME_160K1.h, EC_GFp_glv_method, "SECG curve over a 160 bit prime field" }, > { NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, "SECG curve over a 160 bit prime field" }, > { NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field" }, > /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ > - { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field" }, > - { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field" }, > + { NID_secp192k1, &_EC_SECG_PRIME_192K1.h, EC_GFp_glv_method, "SECG curve over a 192 bit prime field" }, > + { NID_secp224k1, &_EC_SECG_PRIME_224K1.h, EC_GFp_glv_method, "SECG curve over a 224 bit prime field" }, > #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 > { NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field" }, > #else > { NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field" }, > #endif > - { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field" }, > + { NID_secp256k1, &_EC_SECG_PRIME_256K1.h, EC_GFp_glv_method, "SECG curve over a 256 bit prime field" }, > /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ > { NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field" }, > #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ec.h openssl-1.0.1l/crypto/ec/ec.h > --- openssl-1.0.1l-orig/crypto/ec/ec.h 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ec.h 2015-01-19 13:43:50.864153182 +0200 > @@ -146,6 +146,11 @@ > */ > const EC_METHOD *EC_GFp_mont_method(void); > > +/** Returns GFp methods using optimized methods for GLV curves > + * \return EC_METHOD object > + */ > +const EC_METHOD *EC_GFp_glv_method(void); > + > /** Returns GFp methods using optimized methods for NIST recommended curves > * \return EC_METHOD object > */ > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ec_lcl.h openssl-1.0.1l/crypto/ec/ec_lcl.h > --- openssl-1.0.1l-orig/crypto/ec/ec_lcl.h 2015-01-15 16:43:49.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ec_lcl.h 2015-01-19 13:43:51.080045178 +0200 > @@ -348,6 +348,13 @@ > int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); > > > +/* method functions in ecp_glv.c */ > +int ec_GFp_glv_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, > + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx); > +int ec_GFp_glv_precompute_mult(EC_GROUP *group, BN_CTX *ctx); > +int ec_GFp_glv_have_precompute_mult(const EC_GROUP *group); > + > + > /* method functions in ecp_nist.c */ > int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); > int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/ecp_glv.c openssl-1.0.1l/crypto/ec/ecp_glv.c > --- openssl-1.0.1l-orig/crypto/ec/ecp_glv.c 1970-01-01 02:00:00.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/ecp_glv.c 2015-01-20 11:30:44.442723943 +0200 > @@ -0,0 +1,336 @@ > +#include > + > +#ifdef OPENSSL_FIPS > +#include > +#endif > + > +#include "ec_lcl.h" > + > +/** > + * Faster scalar multiplication for GLV curves: > + * http://eprint.iacr.org/2015/036 > + * > + * @author Billy Brumley > + */ > + > +const EC_METHOD *EC_GFp_glv_method(void) > + { > + static const EC_METHOD ret = { > + EC_FLAGS_DEFAULT_OCT, > + NID_X9_62_prime_field, > + ec_GFp_mont_group_init, > + ec_GFp_mont_group_finish, > + ec_GFp_mont_group_clear_finish, > + ec_GFp_mont_group_copy, > + ec_GFp_mont_group_set_curve, > + ec_GFp_simple_group_get_curve, > + ec_GFp_simple_group_get_degree, > + ec_GFp_simple_group_check_discriminant, > + ec_GFp_simple_point_init, > + ec_GFp_simple_point_finish, > + ec_GFp_simple_point_clear_finish, > + ec_GFp_simple_point_copy, > + ec_GFp_simple_point_set_to_infinity, > + ec_GFp_simple_set_Jprojective_coordinates_GFp, > + ec_GFp_simple_get_Jprojective_coordinates_GFp, > + ec_GFp_simple_point_set_affine_coordinates, > + ec_GFp_simple_point_get_affine_coordinates, > + 0,0,0, > + ec_GFp_simple_add, > + ec_GFp_simple_dbl, > + ec_GFp_simple_invert, > + ec_GFp_simple_is_at_infinity, > + ec_GFp_simple_is_on_curve, > + ec_GFp_simple_cmp, > + ec_GFp_simple_make_affine, > + ec_GFp_simple_points_make_affine, > + ec_GFp_glv_mul, > + ec_GFp_glv_precompute_mult, > + ec_GFp_glv_have_precompute_mult, > + ec_GFp_mont_field_mul, > + ec_GFp_mont_field_sqr, > + 0 /* field_div */, > + ec_GFp_mont_field_encode, > + ec_GFp_mont_field_decode, > + ec_GFp_mont_field_set_to_one }; > + > +#ifdef OPENSSL_FIPS > + if (FIPS_mode()) > + return fips_ec_gfp_glv_method(); > +#endif > + > + return &ret; > + } > + > +/* GLV-related per-curve constants */ > +static const unsigned char glv_constants_secp160k1[] = { > + /* beta */ > + 0x9b,0xa4,0x8c,0xba,0x5e,0xbc,0xb9,0xb6, > + 0xbd,0x33,0xb9,0x28,0x30,0xb2,0xa2,0xe0, > + 0xe1,0x92,0xf1,0x0a, > + /* a1 */ > + 0x91,0x62,0xfb,0xe7,0x39,0x84,0x47,0x2a, > + 0x0a,0x9e, > + /* b1 */ > + 0x96,0x34,0x1f,0x11,0x38,0x93,0x3b,0xc2, > + 0xf5,0x05, > + /* a2 */ > + 0x01,0x27,0x97,0x1a,0xf8,0x72,0x17,0x82, > + 0xec,0xff,0xa3, > + /* b2 */ > + 0x91,0x62,0xfb,0xe7,0x39,0x84,0x47,0x2a, > + 0x0a,0x9e > +}; > + > +static const unsigned char glv_constants_secp192k1[] = { > + /* beta */ > + 0xbb,0x85,0x69,0x19,0x39,0xb8,0x69,0xc1, > + 0xd0,0x87,0xf6,0x01,0x55,0x4b,0x96,0xb8, > + 0x0c,0xb4,0xf5,0x5b,0x35,0xf4,0x33,0xc2, > + /* a1 */ > + 0x71,0x16,0x9b,0xe7,0x33,0x0b,0x30,0x38, > + 0xed,0xb0,0x25,0xf1, > + /* b1 */ > + 0xb3,0xfb,0x34,0x00,0xde,0xc5,0xc4,0xad, > + 0xce,0xb8,0x65,0x5c, > + /* a2 */ > + 0x01,0x25,0x11,0xcf,0xe8,0x11,0xd0,0xf4, > + 0xe6,0xbc,0x68,0x8b,0x4d, > + /* b2 */ > + 0x71,0x16,0x9b,0xe7,0x33,0x0b,0x30,0x38, > + 0xed,0xb0,0x25,0xf1 > +}; > + > +static const unsigned char glv_constants_secp224k1[] = { > + /* beta */ > + 0x01,0xf1,0x78,0xff,0xa4,0xb1,0x7c,0x89, > + 0xe6,0xf7,0x3a,0xec,0xe2,0xaa,0xd5,0x7a, > + 0xf4,0xc0,0xa7,0x48,0xb6,0x3c,0x83,0x09, > + 0x47,0xb2,0x7e,0x04, > + /* a1 */ > + 0xb8,0xad,0xf1,0x37,0x8a,0x6e,0xb7,0x34, > + 0x09,0xfa,0x6c,0x9c,0x63,0x7d, > + /* b1 */ > + 0x6b,0x8c,0xf0,0x7d,0x4c,0xa7,0x5c,0x88, > + 0x95,0x7d,0x9d,0x67,0x05,0x91, > + /* a2 */ > + 0x6b,0x8c,0xf0,0x7d,0x4c,0xa7,0x5c,0x88, > + 0x95,0x7d,0x9d,0x67,0x05,0x91, > + /* b2 */ > + 0x01,0x24,0x3a,0xe1,0xb4,0xd7,0x16,0x13, > + 0xbc,0x9f,0x78,0x0a,0x03,0x69,0x0e > +}; > + > +static const unsigned char glv_constants_secp256k1[] = { > + /* beta */ > + 0x85,0x16,0x95,0xd4,0x9a,0x83,0xf8,0xef, > + 0x91,0x9b,0xb8,0x61,0x53,0xcb,0xcb,0x16, > + 0x63,0x0f,0xb6,0x8a,0xed,0x0a,0x76,0x6a, > + 0x3e,0xc6,0x93,0xd6,0x8e,0x6a,0xfa,0x40, > + /* a1 */ > + 0xe4,0x43,0x7e,0xd6,0x01,0x0e,0x88,0x28, > + 0x6f,0x54,0x7f,0xa9,0x0a,0xbf,0xe4,0xc3, > + /* b1 */ > + 0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd, > + 0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15, > + /* a2 */ > + 0x30,0x86,0xd2,0x21,0xa7,0xd4,0x6b,0xcd, > + 0xe8,0x6c,0x90,0xe4,0x92,0x84,0xeb,0x15, > + /* b2 */ > + 0x01,0x14,0xca,0x50,0xf7,0xa8,0xe2,0xf3, > + 0xf6,0x57,0xc1,0x10,0x8d,0x9d,0x44,0xcf, > + 0xd8 > +}; > + > +/** > + * Integer decomposition. > + * See 3.5 in "Guide to Elliptic Curve Cryptography" > + * > + * The alg is slightly re-arranged to keep all constants positive > + * > + * n = constants[0] > + * a1 = constants[2] > + * b1 = constants[3] > + * a2 = constants[4] > + * b2 = constants[5] > + */ > +int ec_GFp_glv_decompose(BIGNUM *k1, BIGNUM *k2, const BIGNUM *scalar, const BIGNUM **constants, BN_CTX *ctx) { > + > + int ret = 0; > + > + BIGNUM *twok, *c1, *c2; > + > + BN_CTX_start(ctx); > + > + do { > + twok = BN_CTX_get(ctx); > + c1 = BN_CTX_get(ctx); > + if ((c2 = BN_CTX_get(ctx)) == NULL) break; > + > + if (!BN_lshift1(twok, scalar)) break; > + > + /* weird computation is for closest int rounding */ > + /* c1 = (2*b2*k+r[0])/(2*r[0]) */ > + /* c2 = (2*b1*k+r[0])/(2*r[0]) */ > + if (!BN_mul(c1, twok, constants[5], ctx)) break; > + if (!BN_add(c1, c1, constants[0])) break; > + if (!BN_div(c1, NULL, c1, constants[0], ctx)) break; > + if (!BN_rshift1(c1, c1)) break; > + if (!BN_mul(c2, twok, constants[3], ctx)) break; > + if (!BN_add(c2, c2, constants[0])) break; > + if (!BN_div(c2, NULL, c2, constants[0], ctx)) break; > + if (!BN_rshift1(c2, c2)) break; > + > + /* k1 = k - (c1*a1 + c2*a2) */ > + /* k2 = c1*b1 - c2*b2 */ > + if (!BN_mul(k1, constants[2], c1, ctx)) break; > + if (!BN_mul(k2, constants[4], c2, ctx)) break; > + if (!BN_add(k1, k1, k2)) break; > + if (!BN_sub(k1, scalar, k1)) break; > + if (!BN_mul(c1, constants[3], c1, ctx)) break; > + if (!BN_mul(c2, constants[5], c2, ctx)) break; > + if (!BN_sub(k2, c1, c2)) break; > + > + ret = 1; > + } while(0); > + > + BN_CTX_end(ctx); > + > + return ret; > + > +} > + > +/** > + * Computes the sum > + * scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1] > + */ > +int ec_GFp_glv_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, > + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) > + { > + > + /* use default stuff if we have precomp and it can help */ > + if(num == 0 && EC_GROUP_have_precompute_mult(group)) > + return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); > + > + int i, ret = 0; > + > + BIGNUM *tscalar = NULL; > + EC_POINT **tpoints = NULL; > + BIGNUM **tscalars = NULL; > + BIGNUM **constants = NULL; > + > + if ((constants = OPENSSL_malloc(6*sizeof(BIGNUM *))) == NULL) return 0; > + > + BN_CTX_start(ctx); > + > + /* fill in the constants */ > + for(i=0; i<6; i++) { > + constants[i] = BN_CTX_get(ctx); > + } > + > + if(constants[5] == NULL) goto err; > + > + if (!EC_GROUP_get_order(group, constants[0], ctx)) goto err; > + > + switch(EC_GROUP_get_curve_name(group)) { > + case NID_secp160k1: > + BN_bin2bn(glv_constants_secp160k1 + 0, 20, constants[1]); > + BN_bin2bn(glv_constants_secp160k1 + 20, 10, constants[2]); > + BN_bin2bn(glv_constants_secp160k1 + 30, 10, constants[3]); > + BN_bin2bn(glv_constants_secp160k1 + 40, 11, constants[4]); > + BN_bin2bn(glv_constants_secp160k1 + 51, 10, constants[5]); > + break; > + case NID_secp192k1: > + BN_bin2bn(glv_constants_secp192k1 + 0, 24, constants[1]); > + BN_bin2bn(glv_constants_secp192k1 + 24, 12, constants[2]); > + BN_bin2bn(glv_constants_secp192k1 + 36, 12, constants[3]); > + BN_bin2bn(glv_constants_secp192k1 + 48, 13, constants[4]); > + BN_bin2bn(glv_constants_secp192k1 + 61, 12, constants[5]); > + break; > + case NID_secp224k1: > + BN_bin2bn(glv_constants_secp224k1 + 0, 28, constants[1]); > + BN_bin2bn(glv_constants_secp224k1 + 28, 14, constants[2]); > + BN_bin2bn(glv_constants_secp224k1 + 42, 14, constants[3]); > + BN_bin2bn(glv_constants_secp224k1 + 56, 14, constants[4]); > + BN_bin2bn(glv_constants_secp224k1 + 70, 15, constants[5]); > + break; > + case NID_secp256k1: > + BN_bin2bn(glv_constants_secp256k1 + 0, 32, constants[1]); > + BN_bin2bn(glv_constants_secp256k1 + 32, 16, constants[2]); > + BN_bin2bn(glv_constants_secp256k1 + 48, 16, constants[3]); > + BN_bin2bn(glv_constants_secp256k1 + 64, 16, constants[4]); > + BN_bin2bn(glv_constants_secp256k1 + 80, 17, constants[5]); > + break; > + default: > + goto err; > + } > + > + /* encode beta parameter to curve's finite field */ > + if (!group->meth->field_encode(group, constants[1], constants[1], ctx)) goto err; > + > + /* setup some arrays and decompose scalar if it's present and apply endomorphism */ > + if(scalar == NULL) { > + if ((tpoints = OPENSSL_malloc(2 * num * sizeof(EC_POINT *))) == NULL) goto err; > + if ((tscalars = OPENSSL_malloc(2 * num * sizeof(BIGNUM *))) == NULL) goto err; > + } > + else { > + if ((tpoints = OPENSSL_malloc((2 * num + 1) * sizeof(EC_POINT *))) == NULL) goto err; > + if ((tscalars = OPENSSL_malloc((2 * num + 1) * sizeof(BIGNUM *))) == NULL) goto err; > + tscalar = BN_CTX_get(ctx); > + if ((tscalars[2*num] = BN_CTX_get(ctx)) == NULL) goto err; > + if ((tpoints[2*num] = EC_POINT_new(group)) == NULL) goto err; > + if (!EC_POINT_copy(tpoints[2*num], EC_GROUP_get0_generator(group))) goto err; > + if (!group->meth->field_mul(group, &tpoints[2*num]->X, &tpoints[2*num]->X, constants[1], ctx)) goto err; > + if (!ec_GFp_glv_decompose(tscalar, tscalars[2*num], scalar, (const BIGNUM **)constants, ctx)) goto err; > + } > + > + /* decompose all the other scalars and apply the endomorphism */ > + for(i=0; i < num; i++) { > + tpoints[2*i ] = *((EC_POINT **)points + 2*i); > + if ((tpoints[2*i+1] = EC_POINT_new(group)) == NULL) goto err; > + if (!EC_POINT_copy(tpoints[2*i+1], tpoints[2*i])) goto err; > + if (!group->meth->field_mul(group, &tpoints[2*i+1]->X, &tpoints[2*i+1]->X, constants[1], ctx)) goto err; > + tscalars[2*i ] = BN_CTX_get(ctx); > + if ((tscalars[2*i+1] = BN_CTX_get(ctx)) == NULL) goto err; > + if (!ec_GFp_glv_decompose(tscalars[2*i], tscalars[2*i+1], scalars[i], (const BIGNUM **)constants, ctx)) goto err; > + } > + > + /* call into the multi scalar mult routine with new parameters */ > + if(scalar == NULL) { > + ret = ec_wNAF_mul(group, r, scalar, 2*num, (const EC_POINT **)tpoints, (const BIGNUM **)tscalars, ctx); > + } > + else { > + ret = ec_wNAF_mul(group, r, tscalar, 2*num+1, (const EC_POINT **)tpoints, (const BIGNUM **)tscalars, ctx); > + } > + > +err: > + > + /* cleanup */ > + if (tpoints != NULL) { > + for(i=0; i < num; i++) { > + EC_POINT_free(tpoints[2*i+1]); > + } > + if (scalar != NULL) { > + EC_POINT_free(tpoints[2*num]); > + } > + } > + > + BN_CTX_end(ctx); > + > + OPENSSL_free(tpoints); > + OPENSSL_free(tscalars); > + OPENSSL_free(constants); > + > + return ret; > + } > + > +int ec_GFp_glv_precompute_mult(EC_GROUP *group, BN_CTX *ctx) > + { > + return ec_wNAF_precompute_mult(group, ctx); > + } > + > +int ec_GFp_glv_have_precompute_mult(const EC_GROUP *group) > + { > + return ec_wNAF_have_precompute_mult(group); > + } > + > diff -ru --new-file openssl-1.0.1l-orig/crypto/ec/Makefile openssl-1.0.1l/crypto/ec/Makefile > --- openssl-1.0.1l-orig/crypto/ec/Makefile 2015-01-15 16:45:04.000000000 +0200 > +++ openssl-1.0.1l/crypto/ec/Makefile 2015-01-19 13:43:51.239965175 +0200 > @@ -17,13 +17,13 @@ > APPS= > > LIB=$(TOP)/libcrypto.a > -LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_nist.c ec_cvt.c ec_mult.c\ > +LIBSRC= ec_lib.c ecp_smpl.c ecp_mont.c ecp_glv.c ecp_nist.c ec_cvt.c ec_mult.c\ > ec_err.c ec_curve.c ec_check.c ec_print.c ec_asn1.c ec_key.c\ > ec2_smpl.c ec2_mult.c ec_ameth.c ec_pmeth.c eck_prn.c \ > ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c \ > ecp_oct.c ec2_oct.c ec_oct.c > > -LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_nist.o ec_cvt.o ec_mult.o\ > +LIBOBJ= ec_lib.o ecp_smpl.o ecp_mont.o ecp_glv.o ecp_nist.o ec_cvt.o ec_mult.o\ > ec_err.o ec_curve.o ec_check.o ec_print.o ec_asn1.o ec_key.o\ > ec2_smpl.o ec2_mult.o ec_ameth.o ec_pmeth.o eck_prn.o \ > ecp_nistp224.o ecp_nistp256.o ecp_nistp521.o ecp_nistputil.o \ > @@ -233,6 +233,14 @@ > ecp_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h > ecp_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h > ecp_mont.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_mont.c > +ecp_glv.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h > +ecp_glv.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h > +ecp_glv.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h > +ecp_glv.o: ../../include/openssl/err.h ../../include/openssl/lhash.h > +ecp_glv.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h > +ecp_glv.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h > +ecp_glv.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h > +ecp_glv.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_glv.c > ecp_nist.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h > ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h > ecp_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h > > _______________________________________________ > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3667 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 11:59:25 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Wed, 02 Mar 2016 11:59:25 +0000 Subject: [openssl-dev] [openssl.org #4341] [PATCH] Consistently use arm_arch.h constants in armcap assembly code. In-Reply-To: <56D6D59A.4000000@openssl.org> References: <56D6D59A.4000000@openssl.org> Message-ID: > Patch attached. This is just a little cleanup change to fix not everything > using the OPENSSL_armcap constants. (Existing ones already are using them, > so I'm assuming this is okay.) Applied. Thanks. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4341 Please log in as guest with password guest if prompted From hkario at redhat.com Wed Mar 2 14:21:45 2016 From: hkario at redhat.com (Hubert Kario) Date: Wed, 02 Mar 2016 15:21:45 +0100 Subject: [openssl-dev] OpenSSL Security Advisory In-Reply-To: <8149AB08BCB1F54F92680ED6104891A0E190E7@mbx027-w1-ca-4.exch027.domain.local> References: <20160301140539.GA9602@openssl.org> <10280065.tWxBCtY4jQ@pintsize.usersys.redhat.com> <8149AB08BCB1F54F92680ED6104891A0E190E7@mbx027-w1-ca-4.exch027.domain.local> Message-ID: <2037146.HOr1INHC03@pintsize.usersys.redhat.com> On Tuesday 01 March 2016 19:50:51 Nounou Dadoun wrote: > I'm interested in your tlsfuzzer tool (of which this appears to be a > part), is there a larger test suite available? Is there any > documentation out there? > Thanks again .. N No, for now there isn't one. The plan is to have a full featured "engine" for running reproducers like this one before working on writing more detailed and comprehensive test cases, and later still, automated generation of test cases (so that it really is a fuzzer for a TLS protocol). All documentation is on github, if you have questions feel free to mail me or open tickets. If you are interested in helping the project, I can for now only point you to a project that implements the crypto itself, for later use in tlsfuzzer, here: https://github.com/tomato42/tlslite-ng/issues As I'm not sure that the tlsfuzzer architecture is correct for task at hand, for now I'm not asking for help on it directly, I'd prefer not to have to throw away somebody else's months of work because the whole approach of tlsfuzzer was incorrect... That being said, I'm open for test ideas. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purky?ova 99/71, 612 45, Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From rt at openssl.org Wed Mar 2 14:27:54 2016 From: rt at openssl.org (Rich Salz via RT) Date: Wed, 02 Mar 2016 14:27:54 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: <1422347341-5962-1-git-send-email-msp@ncp-e.com> References: <1422347341-5962-1-git-send-email-msp@ncp-e.com> Message-ID: Steve, what do you thnk? -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From noloader at gmail.com Wed Mar 2 15:01:50 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Wed, 2 Mar 2016 10:01:50 -0500 Subject: [openssl-dev] Visibility of OPENSSL_ia32cap, OPENSSL_armcap and friends Message-ID: Hi Andy, On Wed, Mar 2, 2016 at 6:59 AM, Andy Polyakov via RT wrote: >> Patch attached. This is just a little cleanup change to fix not everything >> using the OPENSSL_armcap constants. (Existing ones already are using them, >> so I'm assuming this is okay.) > > Applied. Thanks. Forgive my ignorance... Are OPENSSL_ia32cap, OPENSSL_armcap and friends intended to be public? Setting the values when using openssl.exe are discuss in the man pages, so that kind of speaks to public. However, the symbols for OPENSSL_ia32cap_P[] are available in the static library but missing from the shared object, so I'm not sure what's supposed to be happening. Inspecting values from OPENSSL_ia32cap_P[] and friends comes up frequently, like "how do I know if AES-NI" is available. Jeff From rt at openssl.org Wed Mar 2 16:16:37 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 16:16:37 +0000 Subject: [openssl-dev] [openssl.org #4369] OS X 10.5, 32-bit PPC, and "passing argument 2 of 'cmov' discards qualifiers from pointer target type" In-Reply-To: References: Message-ID: Compiling on OS X 10.5/32-bit PowerPC. This is Apple's GCC 4.0.1, and not Clang in disguise. $ KERNEL_BITS=32 ./config ... $ make depend && make clean && make ... cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -O3 -fPIC -fno-common -c -o curve25519.o curve25519.c curve25519.c: In function 'table_select': curve25519.c:3323: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3324: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3325: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3326: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3327: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3328: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3329: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type curve25519.c:3330: warning: passing argument 2 of 'cmov' discards qualifiers from pointer target type -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4369 Please log in as guest with password guest if prompted From Frank.Broda at ipb-halle.de Wed Mar 2 16:16:49 2016 From: Frank.Broda at ipb-halle.de (Broda, Frank) Date: Wed, 02 Mar 2016 16:16:49 +0000 Subject: [openssl-dev] [openssl.org #4287] Option -attime for "openssl ts -verify" In-Reply-To: References: Message-ID: Hi, On Tue Feb 02 Stephen Henson wrote: > On Tue Feb 02 15:56:01 2016, Frank.Broda at ipb-halle.de wrote: > > Hi, > > please find my pull request on > > https://github.com/openssl/openssl/pull/610 > > > > These two patches add an -attime option to "openssl ts -verify" > > similar to the same option in "openssl verify". This allows checking > > of timestamp responses with expired certificates. Documentation has > > been updated as well. > > > IMHO a better way to handle this is to make "ts" handle general verify > options the same way that ocsp, verify, cms, s_client and s_server do then > you get -attime support automatically. The implementation for "ts -verify" would be straightforward. But for "ts -query" and "ts -reply" an existing "-policy" option produces conflicts. I'm not sure how to resolve this. Two alternatives come to my mind: 1. Rename the original "-policy" option to something like "-requestpolicy" (please suggest alternatives). In this case it would not be possible to call "ts -query" with an "-attime" option (or all the other verify options which do not make sense in this context). The drawback is: it would break some existing code, because the original "-policy" option gets renamed. 2. Remove the original "-policy" option from the list of options and use the "OPT_V_OPTIONS" throughout. The policy would be then extracted from the X509_VERIFY_PARAM structure created during parsing of the verify options. This seems not elegant to me. It would allow lots of options which make no sense in "ts -query" and "ts -reply". Probably I'd make a mess when trying to implement this. Please excuse my poor understanding of the whole subject. There might be other strategies, but I'm not aware of them. Kind regards, Frank From rt at openssl.org Wed Mar 2 16:25:27 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 16:25:27 +0000 Subject: [openssl-dev] [openssl.org #4366]: OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1) In-Reply-To: References: Message-ID: The fix is rather trivial, but I'm not sure how to make PERL script do it: std r30,448(r1) std r31,456(r1) - li 12,-1 + li r12,-1 std r0, 480(r1) I don't know if it worked as expected because I don't see a self test that explicitly exercises ChaCha. It may be there, I just don't see its output. Jeff On Tue, Mar 1, 2016 at 10:16 PM, Jeffrey Walton wrote: > The issue exists with 32-bit builds, too: > > $ KERNEL_BITS=32 ./config > > On Tue, Mar 1, 2016 at 9:15 PM, Jeffrey Walton wrote: >> $ make depend && make clean && make >> ... >> >> cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN >> -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE >> -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM >> -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 >> -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s >> chacha-ppc.s:454:Parameter syntax error (parameter 1) >> make[2]: *** [chacha-ppc.o] Error 1 >> make[1]: *** [subdirs] Error 1 >> make: *** [build_crypto] Error 1 >> ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 16:43:00 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Wed, 02 Mar 2016 16:43:00 +0000 Subject: [openssl-dev] [openssl.org #4369] OS X 10.5, 32-bit PPC, and "passing argument 2 of 'cmov' discards qualifiers from pointer target type" In-Reply-To: <20160302164256.GA28916@roeckx.be> References: <20160302164256.GA28916@roeckx.be> Message-ID: On Wed, Mar 02, 2016 at 04:16:37PM +0000, noloader at gmail.com via RT wrote: > curve25519.c: In function 'table_select': > curve25519.c:3323: warning: passing argument 2 of 'cmov' discards That should be fixed shortly. Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4369 Please log in as guest with password guest if prompted From wrowe at rowe-clan.net Wed Mar 2 17:04:45 2016 From: wrowe at rowe-clan.net (William A Rowe Jr) Date: Wed, 2 Mar 2016 11:04:45 -0600 Subject: [openssl-dev] 'make test' broken in 1.0.2g/1.0.1s... Message-ID: This isn't the most correct fix, however the new release broke the testfipsssl ability to verify that -ssl2 is not accepted for SSLFIPS_ENABLE requests, since this check now fails OK instead of failing NOK as it is supposed to... --- 1.0.2g/test/testfipsssl 2016-03-01 12:29:25 UTC (rev 8415) +++ 1.0.2g/test/testfipsssl 2016-03-02 10:07:40 UTC (rev 8416) @@ -38,8 +38,9 @@ echo test ssl3 is forbidden in FIPS mode $ssltest -ssl3 $extra && exit 1 -echo test ssl2 is forbidden in FIPS mode -$ssltest -ssl2 $extra && exit 1 +## echo test ssl2 is forbidden in FIPS mode +## $ssltest -ssl2 $extra && exit 1 +## The test above should fail, but the recent changes skip instead echo test tls1 $ssltest -tls1 $extra || exit 1 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 2 17:24:18 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Wed, 02 Mar 2016 17:24:18 +0000 Subject: [openssl-dev] =?utf-8?b?562U5aSNOiBbb3BlbnNzbC5vcmcgIzQzNjBdIFtC?= =?utf-8?q?UG=5D_OpenSSL-1=2E0=2E1_crash_on_sha1=5Fblock=5Fdata=5Fo?= =?utf-8?q?rder=5Fssse3_asm?= In-Reply-To: <56D6B71B.5010508@openssl.org> References: <56D59088.2070006@openssl.org> <56D6B71B.5010508@openssl.org> Message-ID: > 0x00002b41740e8da7 <+2967>: je 0x2b41740e8f40 > 0x00002b41740e8dad <+2973>: movdqa 0x40(%r11),%xmm6 > 0x00002b41740e8db3 <+2979>: movdqa (%r11),%xmm9 > => 0x00002b41740e8db8 <+2984>: movdqu (%r9),%xmm0 --is this what you want ? And 'info reg' please. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 2 17:24:49 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 02 Mar 2016 17:24:49 +0000 Subject: [openssl-dev] [openssl.org #4371] [PATCH] Missing Sanity Check for malloc() in openssl-1.0.2g for 'apps/speed.c' In-Reply-To: References: Message-ID: Hello All, In reviewing source code for OpenSSL-1.0.2g, it would appear in file 'apps/speed.c', in function 'static int do_multi()', a call to malloc() is made without being tested for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- speed.c.orig 2016-03-01 18:19:44.213529059 -0800 +++ speed.c 2016-03-01 18:21:24.822315918 -0800 @@ -2614,6 +2614,10 @@ static char sep[] = ":"; fds = malloc(multi * sizeof *fds); + if (fds == NULL) { + fprintf(stderr, "out of memory\n"); + exit(1); + } for (n = 0; n < multi; ++n) { if (pipe(fd) == -1) { fprintf(stderr, "pipe failure\n"); Should the call to malloc() be changed to OPENSSL_malloc() as well? Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4371 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: speed.c.patch Type: application/octet-stream Size: 390 bytes Desc: not available URL: From rt at openssl.org Wed Mar 2 17:24:50 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 02 Mar 2016 17:24:50 +0000 Subject: [openssl-dev] [openssl.org #4372] [PATCH] Missing sanity check for OPENSSL_malloc() in openssl-1.0.2g in th-lock.c In-Reply-To: References: Message-ID: Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/threads', file 'th-lock.c', in function 'CRYPTO_thread_setup', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- th-lock.c.orig 2016-03-01 18:46:39.633840674 -0800 +++ th-lock.c 2016-03-01 18:47:40.408564829 -0800 @@ -177,6 +177,10 @@ return; } lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long)); + if (!lock_count) { + /* Nothing we can do about this...void function! */ + return; + } for (i = 0; i < CRYPTO_num_locks(); i++) { lock_count[i] = 0; # ifdef USE_MUTEX ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4372 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: th-lock.c.patch Type: application/octet-stream Size: 434 bytes Desc: not available URL: From rt at openssl.org Wed Mar 2 17:24:49 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 02 Mar 2016 17:24:49 +0000 Subject: [openssl-dev] [openssl.org #4370] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476) In-Reply-To: References: Message-ID: Hello All, In reviewing source code in directory 'openssl-1.0.2g/apps', in file 'ca.c', there are a few instances where OPENSSL_malloc() is called, but immediately afterwards a call to memcpy() is made with the return value from the call, but the check for NULL is made AFTER the memcpy(). However, if the 1st argument to memcpy() is NULL, a segmentation fault/ violation will occur. The patch file below should address/correct this issue: --- ca.c.orig 2016-03-01 18:08:42.795466224 -0800 +++ ca.c 2016-03-01 18:13:10.149445540 -0800 @@ -2107,6 +2107,10 @@ tm = X509_get_notAfter(ret); row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1); + if (row[DB_exp_date] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto err; + } memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; @@ -2116,7 +2120,7 @@ row[DB_file] = (char *)OPENSSL_malloc(8); row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0); - if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || + if ((row[DB_type] == NULL) || (row[DB_file] == NULL) || (row[DB_name] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); goto err; @@ -2375,6 +2379,10 @@ tm = X509_get_notAfter(x509); row[DB_exp_date] = (char *)OPENSSL_malloc(tm->length + 1); + if (row[DB_exp_date] == NULL) { + BIO_printf(bio_err, "Memory allocation failure\n"); + goto err; + } memcpy(row[DB_exp_date], tm->data, tm->length); row[DB_exp_date][tm->length] = '\0'; @@ -2385,8 +2393,7 @@ /* row[DB_name] done already */ - if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) || - (row[DB_file] == NULL)) { + if ((row[DB_type] == NULL) || (row[DB_file] == NULL)) { BIO_printf(bio_err, "Memory allocation failure\n"); goto err; } ======================================================================= In directory 'openssl-1.0.2g/crypto/engine', file 'eng_cryptodev.c', there is a call to OPENSSL_malloc() in function 'cryptodev_digest_copy()' where the return value is not checked for NULL, but immediately afterwards the statement: memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len); is processed, but if dstate->mac_data is NULL, this will cause a segmentation fault/violation. The patch file below should address/correct this issue: --- eng_cryptodev.c.orig 2016-03-01 19:31:03.315380900 -0800 +++ eng_cryptodev.c 2016-03-01 19:32:43.154069884 -0800 @@ -937,6 +937,10 @@ if (fstate->mac_len != 0) { if (fstate->mac_data != NULL) { dstate->mac_data = OPENSSL_malloc(fstate->mac_len); + if (dstate->mac_data == NULL) { + printf("cryptodev_digest_init: Memory allocation failed\n"); + return (0); + } memcpy(dstate->mac_data, fstate->mac_data, fstate->mac_len); dstate->mac_len = fstate->mac_len; } ======================================================================= In directory 'openssl-1.0.2g/crypto/x509v3', in file 'v3_alt.c', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure in function 'static int do_othername()', but immediately afterwards the statement: strncpy(objtmp, value, objlen); is processed, but if 'objtmp' is NULL, this will generate a segmentation fault/violation: The patch file below should address/correct this issue: --- v3_alt.c.orig 2016-03-01 19:51:02.114742135 -0800 +++ v3_alt.c 2016-03-01 19:51:52.816186027 -0800 @@ -573,6 +573,8 @@ return 0; objlen = p - value; objtmp = OPENSSL_malloc(objlen + 1); + if (objtmp == NULL) + return 0; strncpy(objtmp, value, objlen); objtmp[objlen] = 0; gen->d.otherName->type_id = OBJ_txt2obj(objtmp, 0); ======================================================================= In directory 'openssl-1.0.2g/crypto/ui', in file 'ui_lib.c', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure, but immediately afterwards the statement: BUF_strlcpy(prompt, prompt1, len + 1); is processed, but if 'prompt' is NULL, this will generate a segmentation fault/violation: The patch file below should address/correct this issue: --- ui_lib.c.orig 2015-09-12 09:05:14.193000000 -0700 +++ ui_lib.c 2015-09-12 09:56:53.328000000 -0700 @@ -413,6 +413,9 @@ len += sizeof(prompt3) - 1; prompt = (char *)OPENSSL_malloc(len + 1); + if (prompt == NULL) { + return NULL; + } BUF_strlcpy(prompt, prompt1, len + 1); BUF_strlcat(prompt, object_desc, len + 1); if (object_name) { ======================================================================= -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4370 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ui_lib.c.patch Type: application/octet-stream Size: 388 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: v3_alt.c.patch Type: application/octet-stream Size: 374 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: eng_cryptodev.c.patch Type: application/octet-stream Size: 535 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ca.c.patch Type: application/octet-stream Size: 1502 bytes Desc: not available URL: From uri at ll.mit.edu Wed Mar 2 21:05:44 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Wed, 2 Mar 2016 21:05:44 +0000 Subject: [openssl-dev] Test 80 fails in the current 1.1 build Message-ID: $ ./Configure darwin64-x86_64-cc enable-rfc3779 threads zlib enable-ec_nistp_64_gcc_128 shared --prefix=/Users/ur20980/src/openssl-1.1 --openssldir=/Users/ur20980/src/openssl-1.1/etc --unified ../test/recipes/80-test_cms.t ............. 3/4 # Failed test 'compressed content test streaming PEM format' # at ../test/recipes/80-test_cms.t line 452. # Looks like you failed 1 test of 11. ../test/recipes/80-test_cms.t ............. 4/4 # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 1 test of 4. ../test/recipes/80-test_cms.t ............. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests ../test/recipes/80-test_ct.t .............. Ok . . . Test Summary Report ------------------- ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=70, Tests=389, 65 wallclock secs ( 0.63 usr 0.20 sys + 39.54 cusr 15.73 csys = 56.10 CPU) Result: FAIL Failed 1/70 test programs. 1/389 subtests failed. make: *** [test] Error 255 -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From rt at openssl.org Wed Mar 2 21:30:17 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 02 Mar 2016 21:30:17 +0000 Subject: [openssl-dev] [openssl.org #4373] OS X 10.5, 32-bit PPC, and missing symbols (_ASYNC_get_current_job, _EVP_MD_meth_set_init, _RSA_PKCS1_OpenSSL, _EVP_MD_meth_new...) In-Reply-To: References: Message-ID: Working from master: $ git reset --hard HEAD && git pull HEAD is now at e9b1c42 make errors Then: $ KERNEL_BITS=32 ./config ... $ make depend && make clean && make ... $ make ... LD_LIBRARY_PATH=..: cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib/engines" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -arch ppc -bundle -o ./dasync.dylib e_dasync.o -L.. -lcrypto Undefined symbols: "_ASYNC_get_current_job", referenced from: _dummy_pause_job in e_dasync.o "_EVP_MD_meth_set_init", referenced from: _dasync_sha1 in e_dasync.o "_RSA_PKCS1_OpenSSL", referenced from: _dasync_rsa_init in e_dasync.o _dasync_rsa_finish in e_dasync.o _dasync_rsa_mod_exp in e_dasync.o _dasync_rsa_priv_dec in e_dasync.o _dasync_rsa_priv_enc in e_dasync.o _dasync_pub_dec in e_dasync.o _dasync_pub_enc in e_dasync.o "_EVP_MD_meth_set_flags", referenced from: _dasync_sha1 in e_dasync.o "_ASYNC_get_wait_ctx", referenced from: _dummy_pause_job in e_dasync.o "_EVP_MD_meth_set_result_size", referenced from: _dasync_sha1 in e_dasync.o "_ASYNC_WAIT_CTX_set_wait_fd", referenced from: _dummy_pause_job in e_dasync.o "_EVP_MD_meth_set_app_datasize", referenced from: _dasync_sha1 in e_dasync.o "_EVP_MD_meth_set_input_blocksize", referenced from: _dasync_sha1 in e_dasync.o "_EVP_MD_meth_new", referenced from: _dasync_sha1 in e_dasync.o "_EVP_MD_meth_set_final", referenced from: _dasync_sha1 in e_dasync.o "_EVP_MD_meth_set_update", referenced from: _dasync_sha1 in e_dasync.o "_EVP_MD_type", referenced from: _dasync_digests in e_dasync.o "_ENGINE_get_static_state", referenced from: _bind_engine in e_dasync.o "_EVP_MD_CTX_md_data", referenced from: _dasync_sha1_final in e_dasync.o _dasync_sha1_update in e_dasync.o _dasync_sha1_init in e_dasync.o "_ASYNC_WAIT_CTX_get_fd", referenced from: _dummy_pause_job in e_dasync.o "_EVP_MD_meth_free", referenced from: _dasync_sha1 in e_dasync.o _dasync_destroy in e_dasync.o "_ASYNC_pause_job", referenced from: _dummy_pause_job in e_dasync.o ld: symbol(s) not found collect2: ld returned 1 exit status make[2]: *** [link_dso.darwin] Error 1 make[1]: *** [lib] Error 2 make: *** [build_engines] Error 1 ********** $ KERNEL_BITS=32 ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Smartmatch is experimental at ./Configure line 2110. Smartmatch is experimental at ./Configure line 2110. Configuring for darwin-ppc-cc Smartmatch is experimental at ./Configure line 2110. Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-zlib [default] no-zlib-dynamic [forced] Configuring for darwin-ppc-cc IsMK1MF =no CC =cc CFLAG =-O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM LFLAG = PLIB_LFLAG =-Wl,-search_paths_first EX_LIBS = APPS_OBJ = CPUID_OBJ =ppccpuid.o ppccap.o UPLINK_OBJ = BN_ASM =bn-ppc.o ppc-mont.o ppc64-mont.o EC_ASM = DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashp8-ppc.o PADLOCK_OBJ = CHACHA_ENC =chacha-ppc.o POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/opt/local/bin//perl5 THIRTY_TWO_BIT mode BN_LLONG mode Configured for darwin-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4373 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:21:54 2016 From: rt at openssl.org (Hejian via RT) Date: Thu, 03 Mar 2016 04:21:54 +0000 Subject: [openssl-dev] =?utf-8?b?562U5aSNOiAg562U5aSNOiBbb3BlbnNzbC5vcmcg?= =?utf-8?q?=234360=5D_=5BBUG=5D_OpenSSL-1=2E0=2E1_crash_on_sha1=5Fb?= =?utf-8?q?lock=5Fdata=5Forder=5Fssse3_asm?= In-Reply-To: References: <56D59088.2070006@openssl.org> <56D6B71B.5010508@openssl.org> Message-ID: Here is the info reg: (gdb) info reg rax 0x745dd1f0 1952305648 rbx 0xf92ba6dd 4180387549 rcx 0x7b69e2f6 2070536950 rdx 0x86dab00c 2262478860 rsi 0x6436d580 1681315200 rdi 0x4763c5a8 1197721000 rbp 0x72856ca1 0x72856ca1 rsp 0x50a7e100 0x50a7e100 r8 0x55555a419c60 93825074830432 r9 0x2b4174415ff8 47560123310072 r10 0x2b417433acb8 47560122412216 r11 0x2b41740e9080 47560119980160 r12 0xffffffffffffffe7 -25 r13 0x2b417433acf8 47560122412280 r14 0x55555a419c7c 93825074830460 r15 0x3ff 1023 rip 0x2b41740e8db8 0x2b41740e8db8 eflags 0x10202 [ IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x63 99 gs 0x0 0 (gdb) -----????----- ???: Andy Polyakov via RT [mailto:rt at openssl.org] ????: 2016?3?3? 1:24 ???: Hejian (E) ??: openssl-dev at openssl.org ??: Re: [openssl-dev] ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm > 0x00002b41740e8da7 <+2967>: je 0x2b41740e8f40 > 0x00002b41740e8dad <+2973>: movdqa 0x40(%r11),%xmm6 > 0x00002b41740e8db3 <+2979>: movdqa (%r11),%xmm9 > => 0x00002b41740e8db8 <+2984>: movdqu (%r9),%xmm0 --is this what you want ? And 'info reg' please. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:44:42 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:44:42 +0000 Subject: [openssl-dev] [openssl.org #3388] Locking inefficiency In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F49@USMBX1.msg.corp.akamai.com> References: <2A0EFB9C05D0164E98F19BB0AF3708C7130F434F49@USMBX1.msg.corp.akamai.com> Message-ID: fixed in master with the new locking and thread-local-storage facility. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3388 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:46:45 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:46:45 +0000 Subject: [openssl-dev] [openssl.org #2905] Double locking bug added in openssl-1.0.0h crypto/asn1/x_pubkey.c In-Reply-To: References: Message-ID: Sorry we didn't get to this earlier, but 1.0.0 is in maintenance -- security fixes only -- mode. This is also fixed, really well, in master. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2905 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:48:12 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:48:12 +0000 Subject: [openssl-dev] [openssl.org #3536] [PATCH] make locking code in load_builtin_compressions() look less scary In-Reply-To: <4661005.ORTavqubJa@devpool02> References: <4661005.ORTavqubJa@devpool02> Message-ID: This has been fixed in master with better init code, thread-portability, etc. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3536 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:49:27 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:49:27 +0000 Subject: [openssl-dev] [openssl.org #1743] crasher due to lack of threadsafety on names_lh In-Reply-To: <01d501c1fdd8$15722550$e528dcd5@tbsolutions.com> References: <01d501c1fdd8$15722550$e528dcd5@tbsolutions.com> Message-ID: fixed with the new threads and init code. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=1743 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:51:42 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:51:42 +0000 Subject: [openssl-dev] [openssl.org #684] Memory Leaks in RSA_eay_private_decrypt In-Reply-To: <3F5D9137.30528.702504@localhost> References: <3F5D9137.30528.702504@localhost> Message-ID: the code has changed a great deal in the past decade (!!!) -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=684 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:54:11 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:54:11 +0000 Subject: [openssl-dev] [openssl.org #2217] OpenSSL_add_all_algorithms() (and similar) aren't very suitable for library use In-Reply-To: <4BB4A06E.6090909@Sun.COM> References: <4BB4A06E.6090909@Sun.COM> Message-ID: addressed in master with the auto-init and thread-once facilities. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2217 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 04:59:08 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 04:59:08 +0000 Subject: [openssl-dev] [openssl.org #2815] Windows build with Cygwin perl redirecting output incorrectly In-Reply-To: <4FA92A33.4080003@pke.hr> References: <4FA92A33.4080003@pke.hr> Message-ID: fixed in upcoming 1.1 with new build system. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2815 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:02:20 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:02:20 +0000 Subject: [openssl-dev] [openssl.org #2967] Minor Bug - Options Missing from Application Usage In-Reply-To: References: Message-ID: fixed in master; all options are always listed with -help -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2967 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:03:34 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:03:34 +0000 Subject: [openssl-dev] [openssl.org #2977] CVS still mentioned on openssl.org pages In-Reply-To: <5113C391.5040502@oracle.com> References: <5113C391.5040502@oracle.com> Message-ID: fixed some time ago. :) -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2977 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:30:42 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:30:42 +0000 Subject: [openssl-dev] [openssl.org #3163] [PATCH] DSTU-4145-2002 engine implementation In-Reply-To: References: Message-ID: If this is still of interest, please do it as an external engine, like GOSTnow is. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3163 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:31:51 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:31:51 +0000 Subject: [openssl-dev] [openssl.org #3197] Patch for config and darwin64 on Mac OS X In-Reply-To: References: Message-ID: fixed in master with new config and build system. if there are still issues, please open a new ticket. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3197 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:34:36 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:34:36 +0000 Subject: [openssl-dev] [openssl.org #3579] [PATCH] support building with MinGW under msys2 In-Reply-To: References: Message-ID: fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3579 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:38:43 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:38:43 +0000 Subject: [openssl-dev] [openssl.org #3716] Patch for setting preferred cipher list In-Reply-To: <5CB97CA4-EABF-4C31-884D-82C30B93E396@akamai.com> References: <5CB97CA4-EABF-4C31-884D-82C30B93E396@akamai.com> Message-ID: a minor utility, can just have in your own app, right? -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3716 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:40:36 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:40:36 +0000 Subject: [openssl-dev] [openssl.org #3700] [PATCH] remove CRYPTO_strdup, switch callers to BUF_strdup In-Reply-To: <1423798111-29957-1-git-send-email-crrodriguez@opensuse.org> References: <1423798111-29957-1-git-send-email-crrodriguez@opensuse.org> Message-ID: addressed in upcoming 1.1 release. we went for consistency with OPENSLS_strdup, etc -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3700 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:41:58 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:41:58 +0000 Subject: [openssl-dev] [openssl.org #3701] [PATCH] Use BUF_memdup where appropiate In-Reply-To: <1423809277-3391-1-git-send-email-crrodriguez@opensuse.org> References: <1423809277-3391-1-git-send-email-crrodriguez@opensuse.org> Message-ID: addressed in the upcoming 1.1 we went with consistency and using OPENSSL_memdup, CRYPTO_memdup, etc. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3701 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:43:41 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:43:41 +0000 Subject: [openssl-dev] [openssl.org #1364] index.txt corruptions In-Reply-To: <200607141546.27162.pg@futureware.at> References: <200607141546.27162.pg@futureware.at> Message-ID: not enough information to reproduce this. the "ca" command does no locking, it does not support multiple simultaneous invocations. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=1364 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 3 05:44:54 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 03 Mar 2016 05:44:54 +0000 Subject: [openssl-dev] [openssl.org #4372] [PATCH] Missing sanity check for OPENSSL_malloc() in openssl-1.0.2g in th-lock.c In-Reply-To: References: Message-ID: th_lock is sample code :) fixed in 1.1 with the integration of ntive threads support. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4372 Please log in as guest with password guest if prompted From erik at efca.com Thu Mar 3 07:24:41 2016 From: erik at efca.com (Erik Forsberg) Date: Wed, 2 Mar 2016 23:24:41 -0800 Subject: [openssl-dev] Configure zlib broken in latest 1.1 git Message-ID: https://github.com/openssl/openssl/commit/98fdbce09144a8addc6682a0ffd8ac92b2ce70b1 broke Configure zlib the required -lz never makes it into the produced Makefile I used Configure solaris64-x86_64-cc but I think this is more generic From levitte at openssl.org Thu Mar 3 09:06:56 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 03 Mar 2016 10:06:56 +0100 (CET) Subject: [openssl-dev] Configure zlib broken in latest 1.1 git In-Reply-To: References: Message-ID: <20160303.100656.1390929706027333418.levitte@openssl.org> In message on Wed, 2 Mar 2016 23:24:41 -0800, "Erik Forsberg" said: erik> erik> https://github.com/openssl/openssl/commit/98fdbce09144a8addc6682a0ffd8ac92b2ce70b1 erik> erik> broke Configure zlib erik> the required -lz never makes it into the produced Makefile erik> erik> I used Configure solaris64-x86_64-cc but I think this is more generic I'm surprised it wasn't already broken here: bcb1977b7f4186b5551d83839286bc02991c2ad3 I seem to have broken down the logic behind zlib / zlib-dynamic right about there. Anyhow, the attached patch whould fix the problem, would you verify that it works for you too? Cheers, Richard -------------- next part -------------- A non-text attachment was scrubbed... Name: Configure.diff Type: text/x-patch Size: 742 bytes Desc: not available URL: From meissner at suse.de Thu Mar 3 11:54:54 2016 From: meissner at suse.de (Marcus Meissner) Date: Thu, 3 Mar 2016 12:54:54 +0100 Subject: [openssl-dev] overflow issue in b2i_PVK_bio Message-ID: <20160303115454.GJ22595@suse.de> Hi, https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/ Integer overflow in b2i_PVK_bio Have you assigned a CVE internally for that already? Ciao, Marcus From hanno at hboeck.de Thu Mar 3 12:28:06 2016 From: hanno at hboeck.de (Hanno =?UTF-8?B?QsO2Y2s=?=) Date: Thu, 3 Mar 2016 13:28:06 +0100 Subject: [openssl-dev] cipher order Message-ID: <20160303132806.73c3c465@pc1> Hi, Last year I proposed to change the ciphering order in OpenSSL to always prefer AEAD cipher suites before CBC/HMAC-based ones: https://mta.openssl.org/pipermail/openssl-dev/2015-January/000421.html I just checked openssl 1.1.0 alpha and it still orders ciphers in an imho problematic way. Browsers have largely decided to implement GCM-modes only with AES128. Chrome is now about to change that. Not sure if other browsers will follow. Right now if you configure a server with openssl's cipher suite ordering it is likely that a connection will happen with AES256 in CBC mode instead of the (most likely more secure) AES128 in GCM mode. Can this be changed before 1.1.0 gets out? -- Hanno B?ck https://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From rt at openssl.org Thu Mar 3 13:44:41 2016 From: rt at openssl.org (Short, Todd via RT) Date: Thu, 03 Mar 2016 13:44:41 +0000 Subject: [openssl-dev] [openssl.org #3716] Patch for setting preferred cipher list In-Reply-To: References: <5CB97CA4-EABF-4C31-884D-82C30B93E396@akamai.com> Message-ID: Yes, not absolutely necessary. -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3716 Please log in as guest with password guest if prompted From uri at ll.mit.edu Thu Mar 3 15:33:51 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Thu, 3 Mar 2016 15:33:51 +0000 Subject: [openssl-dev] cipher order Message-ID: <20160303153359.18296912.55573.55389@ll.mit.edu> +1 Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. ? Original Message ? From: Hanno B?ck Sent: Thursday, March 3, 2016 07:28 To: openssl-dev at openssl.org Reply To: openssl-dev at openssl.org Subject: [openssl-dev] cipher order Hi, Last year I proposed to change the ciphering order in OpenSSL to always prefer AEAD cipher suites before CBC/HMAC-based ones: https://mta.openssl.org/pipermail/openssl-dev/2015-January/000421.html I just checked openssl 1.1.0 alpha and it still orders ciphers in an imho problematic way. Browsers have largely decided to implement GCM-modes only with AES128. Chrome is now about to change that. Not sure if other browsers will follow. Right now if you configure a server with openssl's cipher suite ordering it is likely that a connection will happen with AES256 in CBC mode instead of the (most likely more secure) AES128 in GCM mode. Can this be changed before 1.1.0 gets out? -- Hanno B?ck https://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4350 bytes Desc: not available URL: From emilia at openssl.org Thu Mar 3 16:18:57 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Thu, 03 Mar 2016 16:18:57 +0000 Subject: [openssl-dev] cipher order In-Reply-To: <20160303153359.18296912.55573.55389@ll.mit.edu> References: <20160303153359.18296912.55573.55389@ll.mit.edu> Message-ID: https://github.com/openssl/openssl/pull/783 Courtesy of David Benjamin. On Thu, Mar 3, 2016 at 4:34 PM Blumenthal, Uri - 0553 - MITLL < uri at ll.mit.edu> wrote: > +1 > > Sent from my BlackBerry 10 smartphone on the > Verizon Wireless 4G LTE network. > Original Message > From: Hanno B?ck > Sent: Thursday, March 3, 2016 07:28 > To: openssl-dev at openssl.org > Reply To: openssl-dev at openssl.org > Subject: [openssl-dev] cipher order > > Hi, > > Last year I proposed to change the ciphering order in OpenSSL to always > prefer AEAD cipher suites before CBC/HMAC-based ones: > https://mta.openssl.org/pipermail/openssl-dev/2015-January/000421.html > > I just checked openssl 1.1.0 alpha and it still orders ciphers in an > imho problematic way. > > Browsers have largely decided to implement GCM-modes only with AES128. > Chrome is now about to change that. Not sure if other browsers will > follow. > > Right now if you configure a server with openssl's cipher suite > ordering it is likely that a connection will happen with AES256 in CBC > mode instead of the (most likely more secure) AES128 in GCM mode. > > Can this be changed before 1.1.0 gets out? > > -- > Hanno B?ck > https://hboeck.de/ > > mail/jabber: hanno at hboeck.de > GPG: BBB51E42 > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From hanno at hboeck.de Thu Mar 3 16:30:02 2016 From: hanno at hboeck.de (Hanno =?UTF-8?B?QsO2Y2s=?=) Date: Thu, 3 Mar 2016 17:30:02 +0100 Subject: [openssl-dev] cipher order In-Reply-To: References: <20160303153359.18296912.55573.55389@ll.mit.edu> Message-ID: <20160303173002.47ffb73d@pc1> On Thu, 03 Mar 2016 16:18:57 +0000 Emilia K?sper wrote: > https://github.com/openssl/openssl/pull/783 This is different from what I had in mind. What this patch does is sort e.g. chacha/poly and aes256-gcm before aes256-cbc. It does however not sort aes128-gcm before aes256-cbc. (David Benjamin answered to me on the chrome security list that he wanted to avoid arguing about this and chose the lesser controversial variant.) I would argue that cbc/hmac is so fragile that it's always preferrable to have aead before cbc/hmac. The security difference between 128 and 256 bit aes is imho mostly irrelevant in practice. The difference between the two approaches may become mostly irrelevant once all major browsers support at least one aead mode with 256 bit, but I'm not sure if that's going to happen any time soon. -- Hanno B?ck https://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From uri at ll.mit.edu Thu Mar 3 16:33:17 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Thu, 3 Mar 2016 16:33:17 +0000 Subject: [openssl-dev] cipher order In-Reply-To: <20160303173002.47ffb73d@pc1> References: <20160303153359.18296912.55573.55389@ll.mit.edu> <20160303173002.47ffb73d@pc1> Message-ID: On 3/3/16, 11:30 , "openssl-dev on behalf of Hanno B?ck" wrote: >On Thu, 03 Mar 2016 16:18:57 +0000 Emilia K?sper >wrote: >>https://github.com/openssl/openssl/pull/783 > >This is different from what I had in mind. >... >I would argue that cbc/hmac is so fragile that it's always preferrable >to have aead before cbc/hmac. The security difference between 128 and >256 bit aes is imho mostly irrelevant in practice. Again, +1 Perhaps David can do his magic again? :-) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From uri at ll.mit.edu Thu Mar 3 16:57:34 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Thu, 3 Mar 2016 16:57:34 +0000 Subject: [openssl-dev] 1.1-pre: test 80 fails Message-ID: $ ./Configure darwin64-x86_64-cc enable-rfc3779 threads zlib enable-ec_nistp_64_gcc_128 shared --prefix=/Users/ur20980/src/openssl-1.1 --openssldir=/Users/ur20980/src/openssl-1.1/etc ?unified . . . . . . $ make depend && make clean && make all && make test && make install . . . . . . ../test/recipes/70-test_verify_extra.t .... ok ../test/recipes/80-test_ca.t .............. ok ../test/recipes/80-test_cms.t ............. 3/4 # Failed test 'compressed content test streaming PEM format' # at ../test/recipes/80-test_cms.t line 452. # Looks like you failed 1 test of 11. ../test/recipes/80-test_cms.t ............. 4/4 # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 1 test of 4. ../test/recipes/80-test_cms.t ............. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests ../test/recipes/80-test_ct.t .............. ok ../test/recipes/80-test_dane.t ............ ok . . . . . . Test Summary Report ------------------- ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=70, Tests=389, 56 wallclock secs ( 0.55 usr 0.16 sys + 35.30 cusr 15.09 csys = 51.10 CPU) Result: FAIL Failed 1/70 test programs. 1/389 subtests failed. make: *** [test] Error 255 -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From emilia at openssl.org Thu Mar 3 17:16:49 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Thu, 03 Mar 2016 17:16:49 +0000 Subject: [openssl-dev] cipher order In-Reply-To: References: <20160303153359.18296912.55573.55389@ll.mit.edu> <20160303173002.47ffb73d@pc1> Message-ID: Hm, I think that I actually agree. But David's done enough, so I'll have a look myself. On Thu, Mar 3, 2016 at 5:33 PM Blumenthal, Uri - 0553 - MITLL < uri at ll.mit.edu> wrote: > On 3/3/16, 11:30 , "openssl-dev on behalf of Hanno B?ck" > wrote: > > >On Thu, 03 Mar 2016 16:18:57 +0000 Emilia K?sper > >wrote: > >>https://github.com/openssl/openssl/pull/783 > > > >This is different from what I had in mind. > >... > >I would argue that cbc/hmac is so fragile that it's always preferrable > >to have aead before cbc/hmac. The security difference between 128 and > >256 bit aes is imho mostly irrelevant in practice. > > Again, +1 > > Perhaps David can do his magic again? :-) > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From erik at efca.com Thu Mar 3 17:51:30 2016 From: erik at efca.com (Erik Forsberg) Date: Thu, 3 Mar 2016 09:51:30 -0800 Subject: [openssl-dev] Solaris 10 80-test_ca failure Message-ID: <1jySB8Dc8GOydWR@srv.efca.com> I have been having 32-bit only test failures from test_ca for quite a while now on Solaris 10 (1.1.pre), Finally figured out what is wrong. I build both 32-bit and 64-bit libraries. My /usr/local/bin/perl is always 64-bit, used to be required for assembler support. LD_PRELOAD is used to force newly built libs into the test process using util/shlib_wrap.sh So, when building 32-bit libs, shlib_wrap tries to preload a 32-bit libcrypto/libssl into the 64-bit perl process when CA.pl is invoked. This causes failure on Solaris 10, but seems to be ignored on Solaris 11. There was specific support to handle 64-bit builds in shlib_wrap, this method also needs to be used for 32-bit builds. This patch makes it work in all cases for me. Someone using SPARC should review what /usr/bin/file reports for an old 32-bit SPARC library (if such still exists) I have no access to SPARC hardware. *** shlib_wrap.sh Tue Feb 16 23:55:51 2016 --- /usr/local/src/openssl-1.1//shlib_wrap.sh Tue Mar 1 23:21:23 2016 *************** *** 27,32 **** --- 27,37 ---- LD_PRELOAD_64="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_64 preload_var=LD_PRELOAD_64 ;; + *ELF\ 32*SPARC*|*ELF\ 32*80386*) + [ -n "$LD_LIBRARY_PATH_32" ] && rld_var=LD_LIBRARY_PATH_32 + LD_PRELOAD_32="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_32 + preload_var=LD_PRELOAD_32 + ;; # Why are newly built .so's preloaded anyway? Because run-time # .so lookup path embedded into application takes precedence # over LD_LIBRARY_PATH and as result application ends up linking From nick5990 at yahoo.co.uk Thu Mar 3 19:13:02 2016 From: nick5990 at yahoo.co.uk (Nicholas Prowse) Date: Thu, 3 Mar 2016 19:13:02 +0000 (UTC) Subject: [openssl-dev] Issue #616 on Github | ec_mult.c | ec_wNAF_mul() References: <1337145567.4757530.1457032382786.JavaMail.yahoo.ref@mail.yahoo.com> Message-ID: <1337145567.4757530.1457032382786.JavaMail.yahoo@mail.yahoo.com> Requesting input from people that have worked on the ec_mult.c file in the past. Issue on Github:https://github.com/openssl/openssl/issues/616 We would like to know the purpose of the dead code in question in the ec_wNAF_mul() function below (starts around line 323 of the file): if (tmp_len <= max_len) { /* * One of the other wNAFs is at least as long as the wNAF * belonging to the generator, so wNAF splitting will not buy * us anything. */ numblocks = 1; totalnum = num + 1; /* don't use wNAF splitting */ wNAF[num] = tmp_wNAF; wNAF[num + 1] = NULL; wNAF_len[num] = tmp_len; if (tmp_len > max_len)? max_len = tmp_len; Sent from Yahoo Mail on Android -------------- next part -------------- An HTML attachment was scrubbed... URL: From tshort at akamai.com Thu Mar 3 19:33:06 2016 From: tshort at akamai.com (Short, Todd) Date: Thu, 3 Mar 2016 19:33:06 +0000 Subject: [openssl-dev] ALPN and SNI callbacks in 1.0.2 Message-ID: <396E0F2B-8EFC-45B9-8879-0DAEB7F1F32D@akamai.com> We?ve run into an issue with the ALPN and SNI TLS extension callbacks in 1.0.2. The same behavior may be in master, but I have yet to check. In summary, the ALPN selection callback is invoked before the SNI/servername callback, yet the ALPN value returned may be dependent on the server being connected to. In other words, ALPN may be broken for virtual servers. There?s a comment in ssl_parse_clienthello_tlsext() that clearly states: /* * Internally supported extensions are parsed first so SNI can be handled * before custom extensions. An application processing SNI will typically * switch the parent context using SSL_set_SSL_CTX and custom extensions * need to be handled by the new SSL_CTX structure. */ There are 4 functions that handle TLS extensions, and are invoked in the following order ssl_scan_clienthello_tlsext() * saves servername * saves ec_point_formats * saves elliptic_curve list * saves opaque PRF input * calls session ticket callback * saves status request * saves heartbeat * notes NPN seen * calls ALPN callback ssl_check_clienthello_tlsext_early() * calls servername callback * calls PRF callback ssl_scan_clienthello_custom_tlsext() * parses custom extensions ssl_check_clienthello_tlsext_late() * calls status callback I would argue that ALPN data should be saved in ssl_scan_clienthello_tlsext() and processed in ssl_check_clienthello_tlsext_early() - after the servername callback -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." From rt at openssl.org Thu Mar 3 20:46:37 2016 From: rt at openssl.org (Bill Parker via RT) Date: Thu, 03 Mar 2016 20:46:37 +0000 Subject: [openssl-dev] [openssl.org #4374] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476) In-Reply-To: References: Message-ID: Hello All, In reviewing source code in directory 'openssl-1.0.2g/crypto/evp', in file 'openbsd_hw.c', there are a few instances where OPENSSL_malloc() is called, but immediately afterwards a call to memcpy() is made with the return value from the call to OPENSSL_malloc(), but no check for a return value of NULL is made after OPENSSL_malloc() returns. However, if the 1st argument to memcpy() is NULL, a segmentation fault/ violation will occur. The patch file below should address/correct this issue: --- openbsd_hw.c.orig 2016-03-02 15:36:57.236927351 -0800 +++ openbsd_hw.c 2016-03-02 15:40:29.525908189 -0800 @@ -133,6 +133,10 @@ return 0; CDATA(ctx)->key = OPENSSL_malloc(MAX_HW_KEY); + if (CDATA(ctx)->key == NULL { + err("CDATA(ctx)->key memory allocation failed"); + return 0; + } assert(ctx->cipher->iv_len <= MAX_HW_IV); @@ -186,6 +190,11 @@ if (((unsigned long)in & 3) || cinl != inl) { cin = OPENSSL_malloc(cinl); + if (cin == NULL) { + err("cin - memory allocation failed"); + abort(); + return 0; + } memcpy(cin, in, inl); cryp.src = cin; } @@ -334,6 +343,11 @@ char *dcopy; dcopy = OPENSSL_malloc(len); + if (dcopy == NULL) { + err("dcopy - memory allocation failed"); + abort(); + return 0; + } memcpy(dcopy, data, len); cryp.src = dcopy; cryp.dst = cryp.src; // FIXME!!! @@ -397,6 +411,10 @@ assert(from->digest->flags & EVP_MD_FLAG_ONESHOT); to_md->data = OPENSSL_malloc(from_md->len); + if (to_md->data == NULL) { + err("DEV_CRYPTO_MD5_COPY: unable to allocate memory"); + return 0; + } memcpy(to_md->data, from_md->data, from_md->len); return 1; ======================================================================= Hello All, In reviewing source code in directory 'engines/ccgost', in file 'gost_ameth.c', there are a few instances where OPENSSL_malloc() is called, but no check for a return value of NULL is made. However, immediately afterwards statments which access the allocated memory are used (array access/memset(), etc) which will result in a segmentation fault/violation occuring if NULL is returned from the OPENSSL_malloc() call. The patch file below should address/correct this issue: --- gost_ameth.c.orig 2016-03-02 16:43:36.014151374 -0800 +++ gost_ameth.c 2016-03-02 16:45:59.978448496 -0800 @@ -617,6 +617,10 @@ return 0; } databuf = OPENSSL_malloc(octet->length); + if (!databuf) { + GOSTerr(GOST_F_PUB_DECODE_GOST94, ERR_R_MALLOC_FAILURE); + return 0; + } for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) { databuf[j] = octet->data[i]; } @@ -646,6 +650,8 @@ } data_len = BN_num_bytes(dsa->pub_key); databuf = OPENSSL_malloc(data_len); + if (!databuf) + return 0; BN_bn2bin(dsa->pub_key, databuf); octet = ASN1_OCTET_STRING_new(); ASN1_STRING_set(octet, NULL, data_len); @@ -686,6 +692,10 @@ return 0; } databuf = OPENSSL_malloc(octet->length); + if (!databuf) { + GOSTerr(GOST_F_PUB_DECODE_GOST01, ERR_R_MALLOC_FAILURE); + return 0; + } for (i = 0, j = octet->length - 1; i < octet->length; i++, j--) { databuf[j] = octet->data[i]; } @@ -760,6 +770,10 @@ data_len = 2 * BN_num_bytes(order); BN_free(order); databuf = OPENSSL_malloc(data_len); + if (!databuf) { + GOSTerr(GOST_F_PUB_DECODE_GOST01, ERR_R_MALLOC_FAILURE); + return 0; + } memset(databuf, 0, data_len); store_bignum(X, databuf + data_len / 2, data_len / 2); ======================================================================= Hello All, In reviewing source code in directory 'engines/ccgost', in file 'gost_pmeth.c', there are a few instances where OPENSSL_malloc() is called, but no check for a return value of NULL is made. However, immediately afterwards statments which access the allocated memory are used (memcpy()/memset(), etc) which will result in a segmentation fault/violation occuring if NULL is returned from the OPENSSL_malloc() call. The patch file below should address/correct this issue: --- gost_pmeth.c.orig 2016-03-02 17:24:49.503519153 -0800 +++ gost_pmeth.c 2016-03-02 17:27:27.179558967 -0800 @@ -107,6 +107,8 @@ return 1; case EVP_PKEY_CTRL_SET_IV: pctx->shared_ukm = OPENSSL_malloc((int)p1); + if (!pctx->shared_ukm) + return 0; memcpy(pctx->shared_ukm, p2, (int)p1); return 1; case EVP_PKEY_CTRL_PEER_KEY: @@ -533,6 +535,8 @@ return 0; } keydata = OPENSSL_malloc(32); + if (!keydata) + return 0; memcpy(keydata, data->key, 32); EVP_PKEY_assign(pkey, NID_id_Gost28147_89_MAC, keydata); return 1; ======================================================================= Hello All, In reviewing source code in directory 'ssl', in file 'd1_both.c', there are a few instances where OPENSSL_malloc() is called, but no check for a return value of NULL is made. However, immediately afterwards statments which access the allocated memory are used (memcpy()/memset(), etc) which will result in a segmentation fault/violation occuring if NULL is returned from the OPENSSL_malloc() call. The patch file below should address/correct this issue: --- d1_both.c.orig 2016-03-02 17:31:30.838526769 -0800 +++ d1_both.c 2016-03-02 17:33:49.002086647 -0800 @@ -1459,6 +1459,8 @@ * plus 2 bytes payload length, plus payload, plus padding */ buffer = OPENSSL_malloc(write_length); + if (buffer == NULL) + return -1; /* what should be returned here??? */ bp = buffer; /* Enter response type, length and copy payload */ @@ -1544,6 +1546,8 @@ * - Padding */ buf = OPENSSL_malloc(1 + 2 + payload + padding); + if (!buf) + goto err; p = buf; /* Message Type */ *p++ = TLS1_HB_REQUEST; ======================================================================= Hello All, In reviewing source code in directory 'ssl', in file 'd1_both.c', there is a instance where OPENSSL_malloc() is called, but no check for a return value of NULL is made. However, immediately afterwards a call to memcpy() is made, but if the return value from OPENSSL_malloc() is NULL, a segmentation fault/violation will occur. The patch file below should address/correct this issue: --- s3_clnt.c.orig 2016-03-02 17:43:33.256342358 -0800 +++ s3_clnt.c 2016-03-02 17:44:48.744936571 -0800 @@ -2111,6 +2111,10 @@ if (ctype_num > SSL3_CT_NUMBER) { /* If we exceed static buffer copy all to cert structure */ s->cert->ctypes = OPENSSL_malloc(ctype_num); + if (s->cert->ctypes == NULL) { + SSLerr(SSL_F_SSL3_GET_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE); + goto err; + } memcpy(s->cert->ctypes, p, ctype_num); s->cert->ctype_num = (size_t)ctype_num; ctype_num = SSL3_CT_NUMBER; ======================================================================= Hello All, In reviewing source code in directory 'ssl', in file 'ssl_sess.c', there is a instance where OPENSSL_malloc() is called, but no check for a return value of NULL is made. However, immediately afterwards a call to memcpy() is made, but if the return value from OPENSSL_malloc() is NULL, a segmentation fault/violation will occur. The patch file below should address/correct this issue: --- ssl_sess.c.orig 2016-03-02 17:48:47.180240472 -0800 +++ ssl_sess.c 2016-03-02 17:50:20.204063321 -0800 @@ -919,6 +919,10 @@ session->krb5_client_princ_len > 0) { s->kssl_ctx->client_princ = (char *)OPENSSL_malloc(session->krb5_client_princ_len + 1); + if (!s->kssl_ctx->client_princ) { + SSLerr(SSL_F_SSL_SESSION_NEW, ERR_R_MALLOC_FAILURE); + return (0); + } memcpy(s->kssl_ctx->client_princ, session->krb5_client_princ, session->krb5_client_princ_len); s->kssl_ctx->client_princ[session->krb5_client_princ_len] = '\0'; ======================================================================= Hello All, In reviewing source code in directory 'ssl', in file 's3_enc.c', there is a instance where OPENSSL_malloc() is called, but no check for a return value of NULL is made. However, immediately afterwards a call to memset() is made, but if the return value from OPENSSL_malloc() is NULL, a segmentation fault/violation will occur. The patch file below should address/correct this issue: --- s3_enc.c.orig 2016-03-02 17:53:14.248183434 -0800 +++ s3_enc.c 2016-03-02 17:55:05.883371692 -0800 @@ -607,6 +607,10 @@ ssl3_free_digest_list(s); s->s3->handshake_dgst = OPENSSL_malloc(SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); + if (s->s3->handshake_dgst == NULL) { + SSLerr(SSL_F_SSL3_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE); + return 0; + } memset(s->s3->handshake_dgst, 0, SSL_MAX_DIGEST * sizeof(EVP_MD_CTX *)); hdatalen = BIO_get_mem_data(s->s3->handshake_buffer, &hdata); if (hdatalen <= 0) { ======================================================================== Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4374 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openbsd_hw.c.patch Type: application/octet-stream Size: 1299 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: gost_ameth.c.patch Type: application/octet-stream Size: 1312 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: gost_pmeth.c.patch Type: application/octet-stream Size: 603 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: d1_both.c.patch Type: application/octet-stream Size: 618 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: s3_clnt.c.patch Type: application/octet-stream Size: 548 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: ssl_sess.c.patch Type: application/octet-stream Size: 623 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: s3_enc.c.patch Type: application/octet-stream Size: 544 bytes Desc: not available URL: From rt at openssl.org Thu Mar 3 20:57:11 2016 From: rt at openssl.org (Bill Parker via RT) Date: Thu, 03 Mar 2016 20:57:11 +0000 Subject: [openssl-dev] [openssl.org #4375] [PATCH] Missing Sanity Checks for OPENSSL_malloc() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file 'ssl_ciph.c', in function ''SSL_COMP_add_compression_method()'', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- ssl_ciph.c.orig 2016-03-02 17:39:01.677826126 -0800 +++ ssl_ciph.c 2016-03-02 17:40:51.942840242 -0800 @@ -1996,6 +1996,8 @@ MemCheck_off(); comp = (SSL_COMP *)OPENSSL_malloc(sizeof(SSL_COMP)); + if (comp == NULL) + return 1; comp->id = id; comp->method = cm; load_builtin_compressions(); ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/bio', file 'bss_rtcp.c', in function 'rtcp_new()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- bss_rtcp.c.orig 2016-03-02 15:25:08.307826108 -0800 +++ bss_rtcp.c 2016-03-02 15:25:47.326785217 -0800 @@ -170,6 +170,8 @@ bi->num = 0; bi->flags = 0; bi->ptr = OPENSSL_malloc(sizeof(struct rpc_ctx)); + if (bi->ptr == NULL) + return (0); ctx = (struct rpc_ctx *)bi->ptr; ctx->filled = 0; ctx->pos = 0; ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'apps', file 'apps.c', in function 'args_from_file()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- apps.c.orig 2016-03-02 15:27:24.293109138 -0800 +++ apps.c 2016-03-02 15:27:48.108135906 -0800 @@ -215,7 +215,8 @@ if (arg != NULL) OPENSSL_free(arg); arg = (char **)OPENSSL_malloc(sizeof(char *) * (i * 2)); - + if (arg == NULL) + return (0); *argv = arg; num = 0; p = buf; ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/x509', file 'by_dir.c', in function 'get_cert_by_subject()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- by_dir.c.orig 2016-03-02 15:29:32.361385958 -0800 +++ by_dir.c 2016-03-02 15:30:04.762503973 -0800 @@ -401,6 +401,10 @@ } if (!hent) { hent = OPENSSL_malloc(sizeof(BY_DIR_HASH)); + if (hent == NULL) { + X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE); + goto finish; + } hent->hash = h; hent->suffix = k; if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) { ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'engines', file 'e_capi.c', in function 'capi_get_provname()', there is a call to OPENSSL_malloc() or alloca() which is not checked for a return value of NULL, indicating failure. In function 'capi_cert_get_fname()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. In function '*capi_get_key()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- e_capi.c.orig 2016-03-02 15:31:15.011432251 -0800 +++ e_capi.c 2016-03-02 15:35:24.264110984 -0800 @@ -1106,6 +1106,10 @@ name = alloca(len); else name = OPENSSL_malloc(len); + if (name == NULL) { + CAPIerr(CAPI_F_CAPI_GET_PROVNAME, ERR_R_MALLOC_FAILURE); + return 0; + } if (!CryptEnumProviders(idx, NULL, 0, ptype, name, &len)) { err = GetLastError(); if (err == ERROR_NO_MORE_ITEMS) @@ -1286,6 +1290,10 @@ (cert, CERT_FRIENDLY_NAME_PROP_ID, NULL, &dlen)) return NULL; wfname = OPENSSL_malloc(dlen); + if (wfname == NULL) { + CAPIerr(CAPI_F_CAPI_CERT_GET_FNAME, ERR_R_MALLOC_FAILURE); + return NULL; + } if (CertGetCertificateContextProperty (cert, CERT_FRIENDLY_NAME_PROP_ID, wfname, &dlen)) { char *fname = wide_to_asc(wfname); @@ -1436,6 +1444,11 @@ CAPI_KEY *key; DWORD dwFlags = 0; key = OPENSSL_malloc(sizeof(CAPI_KEY)); + if (key == NULL) { + CAPIerr(CAPI_F_CAPI_GET_KEY, ERR_R_MALLOC_FAILURE); + capi_addlasterror(); + goto err; + } if (sizeof(TCHAR) == sizeof(char)) CAPI_trace(ctx, "capi_get_key, contname=%s, provname=%s, type=%d\n", contname, provname, ptype); ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/jpake', file 'jpake.c', in function 'PAKE_CTX_new()', there is a call to OPENSSL_malloc() or alloca() which is not checked for a return value of NULL, indicating failure. In function 'hashbn()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- jpake.c.orig 2016-03-02 16:33:13.494032268 -0800 +++ jpake.c 2016-03-02 16:34:37.809748362 -0800 @@ -116,6 +116,8 @@ const BIGNUM *secret) { JPAKE_CTX *ctx = OPENSSL_malloc(sizeof *ctx); + if (ctx == NULL) + return NULL; JPAKE_CTX_init(ctx, name, peer_name, p, g, q, secret); @@ -150,6 +152,8 @@ { size_t l = BN_num_bytes(bn); unsigned char *bin = OPENSSL_malloc(l); + if (bin == NULL) + return NULL; /* oops, memory allocation failed... */ hashlength(sha, l); BN_bn2bin(bn, bin); ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'ssl', file 't1_lib.c', in function 'tls1_process_heartbeat()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. In function 'tls1_heartbeat()', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- t1_lib.c.orig 2016-03-02 17:59:59.042630727 -0800 +++ t1_lib.c 2016-03-02 18:01:33.275607253 -0800 @@ -3856,6 +3856,8 @@ * plus 2 bytes payload length, plus payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); + if (!buffer) + return -1; bp = buffer; /* Enter response type, length and copy payload */ @@ -3942,6 +3944,8 @@ * - Padding */ buf = OPENSSL_malloc(1 + 2 + payload + padding); + if (!buf) + return -1; p = buf; /* Message Type */ *p++ = TLS1_HB_REQUEST; ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/asn1', file 'asn_mime.c', in function 'multi_split()', there is a call to BIO_new() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- asn_mime.c.orig 2016-03-03 09:50:57.496613461 -0800 +++ asn_mime.c 2016-03-03 09:52:36.254165038 -0800 @@ -623,6 +623,8 @@ if (bpart) sk_BIO_push(parts, bpart); bpart = BIO_new(BIO_s_mem()); + if (!bpart) + return 1; BIO_set_mem_eof_return(bpart, 0); } else if (eol) BIO_write(bpart, "\r\n", 2); ======================================================================= Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/asn1', file 'pk7_doit.c', in function 'PKCS7_dataDecode()', there is a call to BIO_new() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- pk7_doit.c.orig 2016-03-03 10:08:08.316625383 -0800 +++ pk7_doit.c 2016-03-03 10:09:19.093620776 -0800 @@ -642,6 +642,8 @@ } else { # if 0 bio = BIO_new(BIO_s_mem()); + if (bio == NULL) + goto err; /* * We need to set this so that when we have read all the data, the * encrypt BIO, if present, will read EOF and encode the last few ======================================================================= -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4375 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ssl_ciph.c.patch Type: application/octet-stream Size: 323 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: apps.c.patch Type: application/octet-stream Size: 315 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: by_dir.c.patch Type: application/octet-stream Size: 472 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: bss_rtcp.c.patch Type: application/octet-stream Size: 339 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: e_capi.c.patch Type: application/octet-stream Size: 1238 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: jpake.c.patch Type: application/octet-stream Size: 555 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: t1_lib.c.patch Type: application/octet-stream Size: 582 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: asn_mime.c.patch Type: application/octet-stream Size: 408 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pk7_doit.c.patch Type: application/octet-stream Size: 384 bytes Desc: not available URL: From angel at tls.16bits.net Fri Mar 4 01:07:29 2016 From: angel at tls.16bits.net (=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?=) Date: Fri, 04 Mar 2016 02:07:29 +0100 Subject: [openssl-dev] [PATCH] Do not offer options like -ssl2, -tls1, -dtls if they are not compiled in Message-ID: <1457053649.3661.18.camel@16bits.net> They were showed in the help, but providing them failed with an ?unknown option? error, and showed the help which listed it as a valid option. --- Patch against the stable 1.0.2 branch. ?apps/s_client.c | 8 +++++++- ?1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/apps/s_client.c b/apps/s_client.c index 0c1102b..f68c581 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -376,16 +376,22 @@ static void sc_usage(void) ????????????????" -srp_strength int - minimal length in bits for N (default %d).\n", ????????????????SRP_MINIMAL_N); ?#endif +#ifndef OPENSSL_NO_SSL2 ?????BIO_printf(bio_err, " -ssl2?????????- just use SSLv2\n"); +#endif ?#ifndef OPENSSL_NO_SSL3_METHOD ?????BIO_printf(bio_err, " -ssl3?????????- just use SSLv3\n"); ?#endif +#ifndef OPENSSL_NO_TLS1 ?????BIO_printf(bio_err, " -tls1_2???????- just use TLSv1.2\n"); ?????BIO_printf(bio_err, " -tls1_1???????- just use TLSv1.1\n"); ?????BIO_printf(bio_err, " -tls1?????????- just use TLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1 ?????BIO_printf(bio_err, " -dtls1????????- just use DTLSv1\n"); -????BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n"); ?????BIO_printf(bio_err, " -mtu??????????- set the link layer MTU\n"); +#endif +????BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n"); ?????BIO_printf(bio_err, ????????????????" -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); ?????BIO_printf(bio_err, --? 2.7.2 From openssl-users at dukhovni.org Fri Mar 4 02:22:42 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 3 Mar 2016 21:22:42 -0500 Subject: [openssl-dev] [PATCH] Do not offer options like -ssl2, -tls1, -dtls if they are not compiled in In-Reply-To: <1457053649.3661.18.camel@16bits.net> References: <1457053649.3661.18.camel@16bits.net> Message-ID: <00ECA9D9-CD30-45D5-B92D-89904B85A158@dukhovni.org> > On Mar 3, 2016, at 8:07 PM, ?ngel Gonz?lez wrote: > > They were showed in the help, but providing them failed with an > ?unknown option? error, and showed the help which listed it > as a valid option. The patch is not right. For example, when TLSv1 is disabled, it is not the case that TLSv1.1 and TLSv1.2 are disabled. Secondly disabled features should report that the feature is disabled, not a bad usage message, as would be the case with a mistyped option. > Patch against the stable 1.0.2 branch. > > apps/s_client.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/apps/s_client.c b/apps/s_client.c > index 0c1102b..f68c581 100644 > --- a/apps/s_client.c > +++ b/apps/s_client.c > @@ -376,16 +376,22 @@ static void sc_usage(void) > " -srp_strength int - minimal length in bits for N > (default %d).\n", > SRP_MINIMAL_N); > #endif > +#ifndef OPENSSL_NO_SSL2 > BIO_printf(bio_err, " -ssl2 - just use SSLv2\n"); > +#endif > #ifndef OPENSSL_NO_SSL3_METHOD > BIO_printf(bio_err, " -ssl3 - just use SSLv3\n"); > #endif > +#ifndef OPENSSL_NO_TLS1 > BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); > BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); > BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); > +#endif > +#ifndef OPENSSL_NO_DTLS1 > BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); > - BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n"); > BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); > +#endif > + BIO_printf(bio_err, " -fallback_scsv - send TLS_FALLBACK_SCSV\n"); > BIO_printf(bio_err, > " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - > turn off that protocol\n"); > BIO_printf(bio_err, > -- > 2.7.2 > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Viktor. From rainer.jung at kippdata.de Fri Mar 4 09:14:46 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Fri, 4 Mar 2016 10:14:46 +0100 Subject: [openssl-dev] Solaris 10 80-test_ca failure In-Reply-To: <1jySB8Dc8GOydWR@srv.efca.com> References: <1jySB8Dc8GOydWR@srv.efca.com> Message-ID: <56D95206.7080105@kippdata.de> Am 03.03.2016 um 18:51 schrieb Erik Forsberg: > > I have been having 32-bit only test failures from test_ca > for quite a while now on Solaris 10 (1.1.pre), Finally figured > out what is wrong. > > I build both 32-bit and 64-bit libraries. > My /usr/local/bin/perl is always 64-bit, > used to be required for assembler support. > > LD_PRELOAD is used to force newly built libs into the test process > using util/shlib_wrap.sh > > So, when building 32-bit libs, shlib_wrap tries to preload a 32-bit > libcrypto/libssl into the 64-bit perl process when CA.pl is invoked. > This causes failure on Solaris 10, but seems to be ignored on Solaris 11. > > There was specific support to handle 64-bit builds in shlib_wrap, this > method also needs to be used for 32-bit builds. > > This patch makes it work in all cases for me. > Someone using SPARC should review what /usr/bin/file > reports for an old 32-bit SPARC library (if such still exists) > I have no access to SPARC hardware. % /usr/bin/file /lib/libc.so.1 /lib/libc.so.1: ELF 32-bit MSB dynamic lib SPARC32PLUS Version 1, V8+ Required, dynamically linked, not stripped, no debugging information available % /usr/bin/file /lib/sparcv9/libc.so /lib/sparcv9/libc.so: ELF 64-bit MSB dynamic lib SPARCV9 Version 1, dynamically linked, not stripped, no debugging information available This was on Solaris 10 Sparc. Regards, Rainer > *** shlib_wrap.sh Tue Feb 16 23:55:51 2016 > --- /usr/local/src/openssl-1.1//shlib_wrap.sh Tue Mar 1 23:21:23 2016 > *************** > *** 27,32 **** > --- 27,37 ---- > LD_PRELOAD_64="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_64 > preload_var=LD_PRELOAD_64 > ;; > + *ELF\ 32*SPARC*|*ELF\ 32*80386*) > + [ -n "$LD_LIBRARY_PATH_32" ] && rld_var=LD_LIBRARY_PATH_32 > + LD_PRELOAD_32="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_32 > + preload_var=LD_PRELOAD_32 > + ;; > # Why are newly built .so's preloaded anyway? Because run-time > # .so lookup path embedded into application takes precedence > # over LD_LIBRARY_PATH and as result application ends up linking > From matt at openssl.org Fri Mar 4 09:59:01 2016 From: matt at openssl.org (Matt Caswell) Date: Fri, 4 Mar 2016 09:59:01 +0000 Subject: [openssl-dev] overflow issue in b2i_PVK_bio In-Reply-To: <20160303115454.GJ22595@suse.de> References: <20160303115454.GJ22595@suse.de> Message-ID: <56D95C65.60705@openssl.org> On 03/03/16 11:54, Marcus Meissner wrote: > Hi, > > https://guidovranken.wordpress.com/2016/03/01/public-disclosure-malformed-private-keys-lead-to-heap-corruption-in-b2i_pvk_bio/ > > Integer overflow in b2i_PVK_bio > > Have you assigned a CVE internally for that already? > > Ciao, Marcus > This has been fixed in commit 5f57abe2b15 (master version, similar commits in other branches): commit 5f57abe2b150139b8b057313d52b1fe8f126c952 Author: Dr. Stephen Henson AuthorDate: Thu Mar 3 23:37:36 2016 +0000 Commit: Dr. Stephen Henson CommitDate: Fri Mar 4 01:20:04 2016 +0000 Sanity check PVK file fields. PVK files with abnormally large length or salt fields can cause an integer overflow which can result in an OOB read and heap corruption. However this is an rarely used format and private key files do not normally come from untrusted sources the security implications not significant. Fix by limiting PVK length field to 100K and salt to 10K: these should be more than enough to cover any files encountered in practice. Issue reported by Guido Vranken. Reviewed-by: Rich Salz As per the notes in the commit we do not see the security implications as significant and therefore we are treating this as a bug and will not be issuing a CVE. Matt From michel.sales at free.fr Fri Mar 4 10:05:30 2016 From: michel.sales at free.fr (Michel) Date: Fri, 4 Mar 2016 11:05:30 +0100 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken Message-ID: <000b01d175fd$62472360$26d56a20$@sales@free.fr> Hi, Just to let you know that the links to EVP_PKEY_HKDF and EVP_PKEY_TLS1_PRF are not [yet ?] operational. https://www.openssl.org/docs/manmaster/apps/pkeyutl.html Regards, Michel. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Fri Mar 4 10:24:47 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 4 Mar 2016 10:24:47 +0000 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: <000b01d175fd$62472360$26d56a20$@sales@free.fr> References: <000b01d175fd$62472360$26d56a20$@sales@free.fr> Message-ID: Yes, links across sections (apps/crypto etc) don?t work well. -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From: Michel [mailto:michel.sales at free.fr] Sent: Friday, March 04, 2016 2:06 AM To: openssl-dev at openssl.org Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken Hi, Just to let you know that the links to EVP_PKEY_HKDF and EVP_PKEY_TLS1_PRF are not [yet ?] operational. https://www.openssl.org/docs/manmaster/apps/pkeyutl.html Regards, Michel. -------------- next part -------------- An HTML attachment was scrubbed... URL: From beldmit at gmail.com Fri Mar 4 10:28:48 2016 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Fri, 4 Mar 2016 13:28:48 +0300 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: References: Message-ID: Dear Rich, Is it possible to add a command line option to select hash algorithm used in the PRF calculations? GOST ciphersuites, for example, use TLS1 PRF based on the GOST digest algorithms. Thank you! On Fri, Mar 4, 2016 at 1:24 PM, Salz, Rich wrote: > Yes, links across sections (apps/crypto etc) don?t work well. > > > > -- > > Senior Architect, Akamai Technologies > > IM: richsalz at jabber.at Twitter: RichSalz > > > > *From:* Michel [mailto:michel.sales at free.fr] > *Sent:* Friday, March 04, 2016 2:06 AM > *To:* openssl-dev at openssl.org > *Subject:* [openssl-dev] links to KDF functions from pkeyutl man are > broken > > > > Hi, > > > > Just to let you know that the links to EVP_PKEY_HKDF and EVP_PKEY_TLS1_PRF > are not [yet ?] operational. > > https://www.openssl.org/docs/manmaster/apps/pkeyutl.html > > > > > Regards, > > > > Michel. > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Fri Mar 4 10:30:20 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 4 Mar 2016 10:30:20 +0000 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: References: Message-ID: <2937391769b4414696803acd8597e1ea@usma1ex-dag1mb1.msg.corp.akamai.com> Send a patch ? -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From: Dmitry Belyavsky [mailto:beldmit at gmail.com] Sent: Friday, March 04, 2016 2:29 AM To: openssl-dev at openssl.org Subject: Re: [openssl-dev] links to KDF functions from pkeyutl man are broken Dear Rich, Is it possible to add a command line option to select hash algorithm used in the PRF calculations? GOST ciphersuites, for example, use TLS1 PRF based on the GOST digest algorithms. Thank you! On Fri, Mar 4, 2016 at 1:24 PM, Salz, Rich > wrote: Yes, links across sections (apps/crypto etc) don?t work well. -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From: Michel [mailto:michel.sales at free.fr] Sent: Friday, March 04, 2016 2:06 AM To: openssl-dev at openssl.org Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken Hi, Just to let you know that the links to EVP_PKEY_HKDF and EVP_PKEY_TLS1_PRF are not [yet ?] operational. https://www.openssl.org/docs/manmaster/apps/pkeyutl.html Regards, Michel. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Fri Mar 4 11:48:05 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Fri, 04 Mar 2016 11:48:05 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: <56D975ED.4080300@openssl.org> References: <56D975ED.4080300@openssl.org> Message-ID: > If the other EVP ciphers universally allow this then I think we must treat this > as a bug, because people may be relying on this behaviour. There is also > sporadic documentation in lower-level APIs (AES source and des.pod) that the > buffers may overlap. > > If it's inconsistent then, at the very least, we must document that it is not > allowed. I'd like to argue that EVP is not place to provide any guarantees about partially overlapping buffers. Even though all current ciphers process data in ascending address order, we shouldn't make assumption that there won't be one that processes data in reverse order. I'd even argue that not providing such guarantee is natural, i.e. can be naturally *implied*. Just like you may not expect a tablet to work after you glued wheels to it to make a skateboard, arguing that nowhere does it say that it's not a viable idea. It might work, and apparently did for somebody, but you may not *expect* it to, neither as tablet or skateboard. And tablet manufacturer has no obligation to disclaim it in writing. I'm not saying that this particular problem can't/won't be addressed, though I consider it kind of bad style. Because it kind of sets a precedent of creating an undesired illusion. BTW, further measurements have shown that unlike others, Core2 suffers 20% performance regression. Well, one can argue that nobody cares about Core2, but what if it was contemporary processor? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted From emilia at openssl.org Fri Mar 4 11:52:56 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Fri, 04 Mar 2016 11:52:56 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: <56D975ED.4080300@openssl.org> Message-ID: On Fri, Mar 4, 2016 at 12:48 PM Andy Polyakov via RT wrote: > > If the other EVP ciphers universally allow this then I think we must > treat this > > as a bug, because people may be relying on this behaviour. There is also > > sporadic documentation in lower-level APIs (AES source and des.pod) that > the > > buffers may overlap. > > > > If it's inconsistent then, at the very least, we must document that it > is not > > allowed. > > I'd like to argue that EVP is not place to provide any guarantees about > partially overlapping buffers. Even though all current ciphers process > data in ascending address order, we shouldn't make assumption that there > won't be one that processes data in reverse order. I'm afraid that, since we haven't documented it, the world may already have made that assumption. > I'd even argue that > not providing such guarantee is natural, i.e. can be naturally > *implied*. Just like you may not expect a tablet to work after you glued > wheels to it to make a skateboard, arguing that nowhere does it say that > it's not a viable idea. It might work, and apparently did for somebody, > but you may not *expect* it to, neither as tablet or skateboard. And > tablet manufacturer has no obligation to disclaim it in writing. > > I'm not saying that this particular problem can't/won't be addressed, > though I consider it kind of bad style. Because it kind of sets a > precedent of creating an undesired illusion. BTW, further measurements > have shown that unlike others, Core2 suffers 20% performance regression. > Well, one can argue that nobody cares about Core2, but what if it was > contemporary processor? > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Fri Mar 4 11:53:08 2016 From: rt at openssl.org (emilia@openssl.org via RT) Date: Fri, 04 Mar 2016 11:53:08 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: <56D975ED.4080300@openssl.org> Message-ID: On Fri, Mar 4, 2016 at 12:48 PM Andy Polyakov via RT wrote: > > If the other EVP ciphers universally allow this then I think we must > treat this > > as a bug, because people may be relying on this behaviour. There is also > > sporadic documentation in lower-level APIs (AES source and des.pod) that > the > > buffers may overlap. > > > > If it's inconsistent then, at the very least, we must document that it > is not > > allowed. > > I'd like to argue that EVP is not place to provide any guarantees about > partially overlapping buffers. Even though all current ciphers process > data in ascending address order, we shouldn't make assumption that there > won't be one that processes data in reverse order. I'm afraid that, since we haven't documented it, the world may already have made that assumption. > I'd even argue that > not providing such guarantee is natural, i.e. can be naturally > *implied*. Just like you may not expect a tablet to work after you glued > wheels to it to make a skateboard, arguing that nowhere does it say that > it's not a viable idea. It might work, and apparently did for somebody, > but you may not *expect* it to, neither as tablet or skateboard. And > tablet manufacturer has no obligation to disclaim it in writing. > > I'm not saying that this particular problem can't/won't be addressed, > though I consider it kind of bad style. Because it kind of sets a > precedent of creating an undesired illusion. BTW, further measurements > have shown that unlike others, Core2 suffers 20% performance regression. > Well, one can argue that nobody cares about Core2, but what if it was > contemporary processor? > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 4 12:24:26 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Fri, 04 Mar 2016 12:24:26 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: <56D97E79.4050206@openssl.org> References: <56D975ED.4080300@openssl.org> <56D97E79.4050206@openssl.org> Message-ID: >>> If the other EVP ciphers universally allow this then I think we must >> treat this >>> as a bug, because people may be relying on this behaviour. There is also >>> sporadic documentation in lower-level APIs (AES source and des.pod) that >> the >>> buffers may overlap. >>> >>> If it's inconsistent then, at the very least, we must document that it >> is not >>> allowed. >> >> I'd like to argue that EVP is not place to provide any guarantees about >> partially overlapping buffers. Even though all current ciphers process >> data in ascending address order, we shouldn't make assumption that there >> won't be one that processes data in reverse order. > > > I'm afraid that, since we haven't documented it, the world may already have > made that assumption. Fear is irrational and destructive feeling. Having faith that world is better than that it nothing but healthy :-) What I'm saying is that let's put a little bit more substance into discourse. Would anybody consider it *sane* programming practice to rely on partially overlapping buffers in *general* case? I.e. without actually *knowing* (as opposite to *assuming*) what's gong on? [Control question: does compiler guarantee order of references to memory?] As said in last message I don't consider it sane and even consider it natural [which means that I'd expect majority to not consider it sane too]. Once again, I'm not saying that nothing would be done, I simply want to figure out where does line go. From my personal view point I'd say that nothing *has to* be done, but it's just me. You seem to say that we're obliged to support partially overlapping buffers. My question then is *any* overlap, *any* cost? Shall we settle for simply writing down that application developer may not rely on partially overlapping buffers? If so, do we fix the modules in question arguing that this quality might be desirable in different context [where modules in question can be used]? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted From steve at openssl.org Fri Mar 4 13:00:08 2016 From: steve at openssl.org (Dr. Stephen Henson) Date: Fri, 4 Mar 2016 13:00:08 +0000 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: References: Message-ID: <20160304130008.GA12412@openssl.org> On Fri, Mar 04, 2016, Dmitry Belyavsky wrote: > Dear Rich, > > Is it possible to add a command line option to select hash algorithm used > in the PRF calculations? > GOST ciphersuites, for example, use TLS1 PRF based on the GOST digest > algorithms. > I think it's already there -pkeyopt md: Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From beldmit at gmail.com Fri Mar 4 13:12:21 2016 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Fri, 4 Mar 2016 16:12:21 +0300 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: <20160304130008.GA12412@openssl.org> References: <20160304130008.GA12412@openssl.org> Message-ID: Dear Stephen, On Fri, Mar 4, 2016 at 4:00 PM, Dr. Stephen Henson wrote: > On Fri, Mar 04, 2016, Dmitry Belyavsky wrote: > > > Dear Rich, > > > > Is it possible to add a command line option to select hash algorithm used > > in the PRF calculations? > > GOST ciphersuites, for example, use TLS1 PRF based on the GOST digest > > algorithms. > > > > I think it's already there -pkeyopt md: > Thank you for the clarification. -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Fri Mar 4 14:13:34 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 4 Mar 2016 09:13:34 -0500 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: <56D975ED.4080300@openssl.org> <56D97E79.4050206@openssl.org> Message-ID: <36705A60-7295-407A-8F16-CD6807D840DE@dukhovni.org> > On Mar 4, 2016, at 7:24 AM, Andy Polyakov via RT wrote: > > Fear is irrational and destructive feeling. Having faith that world is > better than that it nothing but healthy :-) What I'm saying is that > let's put a little bit more substance into discourse. Would anybody > consider it *sane* programming practice to rely on partially overlapping > buffers in *general* case? I.e. without actually *knowing* (as opposite > to *assuming*) what's gong on? [Control question: does compiler > guarantee order of references to memory?] As said in last message I > don't consider it sane and even consider it natural [which means that > I'd expect majority to not consider it sane too]. One the cool features of the OCB code some folks I know to be using and relying on is that it supports in-place encryption. You give it a buffer, and it is encrypted in place. This is specifically promised by the API and is noticeably fast. No idea whether this is a useful datapoint... -- Viktor. From openssl-users at dukhovni.org Fri Mar 4 14:23:03 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 4 Mar 2016 09:23:03 -0500 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: References: <000b01d175fd$62472360$26d56a20$@sales@free.fr> Message-ID: <13170A2C-9B03-4D64-AC49-B506F67C42C4@dukhovni.org> > On Mar 4, 2016, at 5:24 AM, Salz, Rich wrote: > > Yes, links across sections (apps/crypto etc) don?t work well. We could put all the docs in a single directory. If we were worried about collisions, switch from: page.html => page.
.html where section is "1" or "3" as appropriate. Links across sections are useful. -- Viktor. From appro at openssl.org Fri Mar 4 14:26:11 2016 From: appro at openssl.org (Andy Polyakov) Date: Fri, 4 Mar 2016 15:26:11 +0100 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: <36705A60-7295-407A-8F16-CD6807D840DE@dukhovni.org> References: <56D975ED.4080300@openssl.org> <56D97E79.4050206@openssl.org> <36705A60-7295-407A-8F16-CD6807D840DE@dukhovni.org> Message-ID: <56D99B03.1050908@openssl.org> >> Fear is irrational and destructive feeling. Having faith that world is >> better than that it nothing but healthy :-) What I'm saying is that >> let's put a little bit more substance into discourse. Would anybody >> consider it *sane* programming practice to rely on partially overlapping >> buffers in *general* case? I.e. without actually *knowing* (as opposite >> to *assuming*) what's gong on? [Control question: does compiler >> guarantee order of references to memory?] As said in last message I >> don't consider it sane and even consider it natural [which means that >> I'd expect majority to not consider it sane too]. > > One the cool features of the OCB code some folks I know to be using > and relying on is that it supports in-place encryption. You give > it a buffer, and it is encrypted in place. This is specifically > promised by the API and is noticeably fast. > > No idea whether this is a useful datapoint... Question if specifically about *partially* overlapping buffers. Or in other words it's not a question whether or not *fully* overlapping buffers, a.k.a. in-place processing, should be supported (they should) or may be used (they may). From rt at openssl.org Fri Mar 4 14:35:31 2016 From: rt at openssl.org (=?UTF-8?B?0JDQvdC00YDQtdC5INCU0LDRgNC+0LLRgdC60LjRhQ==?= via RT) Date: Fri, 04 Mar 2016 14:35:31 +0000 Subject: [openssl-dev] [openssl.org #4376] pull request 785 In-Reply-To: References: Message-ID: Hi I'm using openssl 1.0.2 library for SSL connection. For supporting TLS1.2 protocol with client cert from windows cert store I modified openssl capi engine. In method capi_rsa_sign I initialize Microsoft Enhanced RSA and AES Cryptographic Provider. It support sha256 - sha512 hash algs. It used for create hash object. I'm create pull request for openssl with my changes. https://github.com/openssl/openssl/pull/785 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4376 Please log in as guest with password guest if prompted From rsalz at akamai.com Fri Mar 4 14:47:45 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 4 Mar 2016 14:47:45 +0000 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: <13170A2C-9B03-4D64-AC49-B506F67C42C4@dukhovni.org> References: <000b01d175fd$62472360$26d56a20$@sales@free.fr> <13170A2C-9B03-4D64-AC49-B506F67C42C4@dukhovni.org> Message-ID: <5bb194a7865e43cf829717ea67a39756@usma1ex-dag1mb1.msg.corp.akamai.com> > where section is "1" or "3" as appropriate. Links across sections are useful. Absolutely. They're criticial. The build script on the website needs a tweak (or the manpage does), that's all. From tshort at akamai.com Fri Mar 4 15:48:01 2016 From: tshort at akamai.com (Short, Todd) Date: Fri, 4 Mar 2016 15:48:01 +0000 Subject: [openssl-dev] ALPN and SNI callbacks in 1.0.2 In-Reply-To: <396E0F2B-8EFC-45B9-8879-0DAEB7F1F32D@akamai.com> References: <396E0F2B-8EFC-45B9-8879-0DAEB7F1F32D@akamai.com> Message-ID: <50A974C3-8335-4D38-BD5E-FB72F64C7DE4@akamai.com> Hi, I created pull request to reorder SNI/ALPN processing, such that ALPN occurs after SNI. Since SNI may change the SSL_CTX, and the ALPN callback is defined on the SSL_CTX, it makes sense to allow SNI to possibly update the SSL_CTX, and then do ALPN processing (possibly for a new virtual server). https://github.com/openssl/openssl/pull/787 -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." On Mar 3, 2016, at 2:33 PM, Short, Todd wrote: We?ve run into an issue with the ALPN and SNI TLS extension callbacks in 1.0.2. The same behavior may be in master, but I have yet to check. In summary, the ALPN selection callback is invoked before the SNI/servername callback, yet the ALPN value returned may be dependent on the server being connected to. In other words, ALPN may be broken for virtual servers. There?s a comment in ssl_parse_clienthello_tlsext() that clearly states: /* * Internally supported extensions are parsed first so SNI can be handled * before custom extensions. An application processing SNI will typically * switch the parent context using SSL_set_SSL_CTX and custom extensions * need to be handled by the new SSL_CTX structure. */ There are 4 functions that handle TLS extensions, and are invoked in the following order ssl_scan_clienthello_tlsext() * saves servername * saves ec_point_formats * saves elliptic_curve list * saves opaque PRF input * calls session ticket callback * saves status request * saves heartbeat * notes NPN seen * calls ALPN callback ssl_check_clienthello_tlsext_early() * calls servername callback * calls PRF callback ssl_scan_clienthello_custom_tlsext() * parses custom extensions ssl_check_clienthello_tlsext_late() * calls status callback I would argue that ALPN data should be saved in ssl_scan_clienthello_tlsext() and processed in ssl_check_clienthello_tlsext_early() - after the servername callback -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Fri Mar 4 17:33:58 2016 From: rt at openssl.org (Bill Parker via RT) Date: Fri, 04 Mar 2016 17:33:58 +0000 Subject: [openssl-dev] [openssl.org #4377] Prevent potential NULL pointer dereference in OpenSSL-1.0.2g (CWE-476) In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c', there is a call to OPENSSL_realloc() which is NOT checked for a return value of NULL, indicating failure. However, the statement after this is memcpy(), which if the destination variable is NULL, will result in a segmentation fault/violation. The patch file below should address/correct this issue: --- openbsd_hw.c.orig 2016-03-02 15:36:57.236927351 -0800 +++ openbsd_hw.c 2016-03-03 18:56:58.169567807 -0800 @@ -364,6 +378,10 @@ return do_digest(md_data->sess.ses, md_data->md, data, len); md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len); + if (md_data->data == NULL) { + err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory"); + return 0; + } memcpy(md_data->data + md_data->len, data, len); md_data->len += len; ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4377 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: realloc_openbsd_hw.c.patch Type: application/octet-stream Size: 471 bytes Desc: not available URL: From rt at openssl.org Fri Mar 4 17:44:09 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 04 Mar 2016 17:44:09 +0000 Subject: [openssl-dev] [openssl.org #4366]: OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1) In-Reply-To: References: Message-ID: >> cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN >> -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE >> -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM >> -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 >> -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s >> chacha-ppc.s:454:Parameter syntax error (parameter 1) >> make[2]: *** [chacha-ppc.o] Error 1 >> make[1]: *** [subdirs] Error 1 >> make: *** [build_crypto] Error 1 This appears to be resolved as of commit a66ec57c6e5c303e288b9bee7272319375ce25ae. On Tue, Mar 1, 2016 at 10:16 PM, Jeffrey Walton wrote: > The issue exists with 32-bit builds, too: > > $ KERNEL_BITS=32 ./config > Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul > 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC > Configuring for darwin-ppc-cc > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-zlib [default] > no-zlib-dynamic [forced] > Configuring for darwin-ppc-cc > IsMK1MF =no > CC =cc > CFLAG = -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -O3 > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM > SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG =-Wl,-search_paths_first > EX_LIBS = > CPUID_OBJ =ppccpuid.o ppccap.o > BN_ASM =bn-ppc.o ppc-mont.o ppc64-mont.o > EC_ASM = > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4_enc.o rc4_skey.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM = > SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o > sha512p8-ppc.o > RMD160_OBJ_ASM= > CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o > MODES_OBJ =ghashp8-ppc.o > PADLOCK_OBJ = > CHACHA_ENC =chacha-ppc.o > POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/opt/local/bin//perl5 > > THIRTY_TWO_BIT mode > BN_LLONG mode > > Configured for darwin-ppc-cc. > > On Tue, Mar 1, 2016 at 9:15 PM, Jeffrey Walton wrote: >> $ make depend && make clean && make >> ... >> >> cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN >> -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE >> -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM >> -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -D_REENTRANT -arch ppc64 >> -DB_ENDIAN -O3 -c -o chacha-ppc.o chacha-ppc.s >> chacha-ppc.s:454:Parameter syntax error (parameter 1) >> make[2]: *** [chacha-ppc.o] Error 1 >> make[1]: *** [subdirs] Error 1 >> make: *** [build_crypto] Error 1 >> ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 4 17:46:17 2016 From: rt at openssl.org (Rich Salz via RT) Date: Fri, 04 Mar 2016 17:46:17 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: Message-ID: closing thanks! -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 4 18:40:07 2016 From: rt at openssl.org (Rich Salz via RT) Date: Fri, 04 Mar 2016 18:40:07 +0000 Subject: [openssl-dev] [openssl.org #4365] OS X 10.5, 64-bit PPC, and chacha-ppc.s:454:Parameter syntax error (parameter 1) In-Reply-To: References: Message-ID: per OP, clsoing this. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4365 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 4 18:56:57 2016 From: rt at openssl.org (Rich Salz via RT) Date: Fri, 04 Mar 2016 18:56:57 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: Message-ID: needs tersting once 4377 is fixec -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From erik at efca.com Fri Mar 4 19:26:25 2016 From: erik at efca.com (Erik Forsberg) Date: Fri, 4 Mar 2016 11:26:25 -0800 Subject: [openssl-dev] Solaris 10 80-test_ca failure In-Reply-To: <56D95206.7080105@kippdata.de> References: <1jySB8Dc8GOydWR@srv.efca.com><56D95206.7080105@kippdata.de> Message-ID: My patch will work for both solaris versions then. Can someone commit the fix ? >-- Original Message -- > >Am 03.03.2016 um 18:51 schrieb Erik Forsberg: >> >> I have been having 32-bit only test failures from test_ca >> for quite a while now on Solaris 10 (1.1.pre), Finally figured >> out what is wrong. >> >> I build both 32-bit and 64-bit libraries. >> My /usr/local/bin/perl is always 64-bit, >> used to be required for assembler support. >> >> LD_PRELOAD is used to force newly built libs into the test process >> using util/shlib_wrap.sh >> >> So, when building 32-bit libs, shlib_wrap tries to preload a 32-bit >> libcrypto/libssl into the 64-bit perl process when CA.pl is invoked. >> This causes failure on Solaris 10, but seems to be ignored on Solaris 11. >> >> There was specific support to handle 64-bit builds in shlib_wrap, this >> method also needs to be used for 32-bit builds. >> >> This patch makes it work in all cases for me. >> Someone using SPARC should review what /usr/bin/file >> reports for an old 32-bit SPARC library (if such still exists) >> I have no access to SPARC hardware. > >% /usr/bin/file /lib/libc.so.1 > >/lib/libc.so.1: ELF 32-bit MSB dynamic lib SPARC32PLUS Version 1, V8+ >Required, dynamically linked, not stripped, no debugging information >available > >% /usr/bin/file /lib/sparcv9/libc.so > >/lib/sparcv9/libc.so: ELF 64-bit MSB dynamic lib SPARCV9 Version 1, >dynamically linked, not stripped, no debugging information available > >This was on Solaris 10 Sparc. > >Regards, > >Rainer > >> *** shlib_wrap.sh Tue Feb 16 23:55:51 2016 >> --- /usr/local/src/openssl-1.1//shlib_wrap.sh Tue Mar 1 23:21:23 2016 >> *************** >> *** 27,32 **** >> --- 27,37 ---- >> LD_PRELOAD_64="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_64 >> preload_var=LD_PRELOAD_64 >> ;; >> + *ELF\ 32*SPARC*|*ELF\ 32*80386*) >> + [ -n "$LD_LIBRARY_PATH_32" ] && rld_var=LD_LIBRARY_PATH_32 >> + LD_PRELOAD_32="$LIBCRYPTOSO $LIBSSLSO"; export LD_PRELOAD_32 >> + preload_var=LD_PRELOAD_32 >> + ;; >> # Why are newly built .so's preloaded anyway? Because run-time >> # .so lookup path embedded into application takes precedence >> # over LD_LIBRARY_PATH and as result application ends up linking >> > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From emilia at openssl.org Fri Mar 4 20:57:19 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Fri, 04 Mar 2016 20:57:19 +0000 Subject: [openssl-dev] cipher order In-Reply-To: References: <20160303153359.18296912.55573.55389@ll.mit.edu> <20160303173002.47ffb73d@pc1> Message-ID: I've updated the pull to do a much more substantial cleanup. On Thu, Mar 3, 2016 at 6:16 PM Emilia K?sper wrote: > Hm, I think that I actually agree. But David's done enough, so I'll have a > look myself. > > On Thu, Mar 3, 2016 at 5:33 PM Blumenthal, Uri - 0553 - MITLL < > uri at ll.mit.edu> wrote: > >> On 3/3/16, 11:30 , "openssl-dev on behalf of Hanno B?ck" >> wrote: >> >> >On Thu, 03 Mar 2016 16:18:57 +0000 Emilia K?sper >> >wrote: >> >>https://github.com/openssl/openssl/pull/783 >> > >> >This is different from what I had in mind. >> >... >> >I would argue that cbc/hmac is so fragile that it's always preferrable >> >to have aead before cbc/hmac. The security difference between 128 and >> >256 bit aes is imho mostly irrelevant in practice. >> >> Again, +1 >> >> Perhaps David can do his magic again? :-) >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rainer.jung at kippdata.de Fri Mar 4 21:01:05 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Fri, 4 Mar 2016 22:01:05 +0100 Subject: [openssl-dev] Solaris Sparc: Text relocation remains against symbol ecp_nistz256_point_add_vis3 Message-ID: <56D9F791.5030505@kippdata.de> OpenSSl 1.1.0 pre 3 on Solaris 10 Sparc using GCC 4.9.3 but Solaris linker and assembler % /usr/ccs/bin/as -V /usr/ccs/bin/as: SunOS 5.10 118683-08 Patch 07/05/2012 % /usr/ccs/bin/ld -V ld: Software Generation Utilities - Solaris Link Editors: 5.10-1.497 When linking other software against libcrypto.a (static lib) I get: Text relocation remains referenced against symbol offset in file ecp_nistz256_point_add_vis3 0x25f0c /shared/build/autobuild/install/openssl-1.1.0pre3sp1-1.solaris10.sparc/lib/libcrypto.a(ecp_nistz256-sparcv9.o) ld: fatal: relocations remain against allocatable but non-writable sections I know that I can work around this using -Bsymbolic for the linker, but since over the years the need for -Bsymbolic in the stable branches has gone away, I thought I let you know that there's now a new symbol (ecp_nistz256_point_add_vis3) with that problem. elfdump show the symbol as: [Index] Value Size Type Bind Other Shndx Name [19] | 161184| 1720|NOTY |GLOB |0 |2 |ecp_nistz256_point_add_vis3 I will happily test any suggested changes. Regards, Rainer From rt at openssl.org Fri Mar 4 21:15:49 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Fri, 04 Mar 2016 21:15:49 +0000 Subject: [openssl-dev] [openssl.org #4376] pull request 785 In-Reply-To: References: Message-ID: On Fri Mar 04 14:35:30 2016, darovskikh.andrei at gmail.com wrote: > Hi > > I'm using openssl 1.0.2 library for SSL connection. > For supporting TLS1.2 protocol with client cert from windows cert store I > modified openssl capi engine. In method capi_rsa_sign I initialize > Microsoft Enhanced RSA and AES Cryptographic Provider. It support sha256 - > sha512 hash algs. It used for create hash object. > I'm create pull request for openssl with my changes. > > https://github.com/openssl/openssl/pull/785 Support is already in the master branch. The question is whether back porting to 1.0.2 is counted as a bug fix (which is allowed in stable branches) or a new feature (which is not). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4376 Please log in as guest with password guest if prompted From redi35 at hotmail.com Fri Mar 4 20:29:07 2016 From: redi35 at hotmail.com (MusseRedi) Date: Fri, 4 Mar 2016 13:29:07 -0700 (MST) Subject: [openssl-dev] Source code BIO_printf() function Message-ID: <1457123347582-64330.post@n7.nabble.com> I'm new to the OpenSSL project, and was wondering where I can find the source code for the BIO_printf() function. -- View this message in context: http://openssl.6102.n7.nabble.com/Source-code-BIO-printf-function-tp64330.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From onicrypt at gmail.com Fri Mar 4 21:27:51 2016 From: onicrypt at gmail.com (Nich Ramsey) Date: Fri, 4 Mar 2016 13:27:51 -0800 Subject: [openssl-dev] Source code BIO_printf() function In-Reply-To: <1457123347582-64330.post@n7.nabble.com> References: <1457123347582-64330.post@n7.nabble.com> Message-ID: If you have the source downloaded, you can use fgrep, sed, or silversearcher to find all instances of `BIO_printf` in the source. Recursively search through entire project, or section by section if load gets too intense. On Mar 4, 2016 1:24 PM, "MusseRedi" wrote: > I'm new to the OpenSSL project, and was wondering where I can find the > source > code for the BIO_printf() function. > > > > -- > View this message in context: > http://openssl.6102.n7.nabble.com/Source-code-BIO-printf-function-tp64330.html > Sent from the OpenSSL - Dev mailing list archive at Nabble.com. > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From anthony.chow at al-enterprise.com Fri Mar 4 21:30:09 2016 From: anthony.chow at al-enterprise.com (CHOW Anthony) Date: Fri, 4 Mar 2016 21:30:09 +0000 Subject: [openssl-dev] Source code BIO_printf() function In-Reply-To: <1457123347582-64330.post@n7.nabble.com> References: <1457123347582-64330.post@n7.nabble.com> Message-ID: Try Github: https://github.com/openssl/openssl -----Original Message----- From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of MusseRedi Sent: Friday, March 04, 2016 12:29 PM To: openssl-dev at openssl.org Subject: [openssl-dev] Source code BIO_printf() function I'm new to the OpenSSL project, and was wondering where I can find the source code for the BIO_printf() function. -- View this message in context: http://openssl.6102.n7.nabble.com/Source-code-BIO-printf-function-tp64330.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From angel at tls.16bits.net Fri Mar 4 21:33:38 2016 From: angel at tls.16bits.net (=?ISO-8859-1?Q?=C1ngel_Gonz=E1lez?=) Date: Fri, 04 Mar 2016 22:33:38 +0100 Subject: [openssl-dev] [PATCH] Do not offer options like -ssl2, -tls1, -dtls if they are not compiled in In-Reply-To: <00ECA9D9-CD30-45D5-B92D-89904B85A158@dukhovni.org> References: <1457053649.3661.18.camel@tls.16bits.net> <00ECA9D9-CD30-45D5-B92D-89904B85A158@dukhovni.org> Message-ID: <1457127218.5211.18.camel@tls.16bits.net> Thanks for your promptly response, Viktor. Viktor Dukhovni wrote: > > On Mar 3, 2016, at 8:07 PM, ?ngel Gonz?lez > > wrote: > > > > They were showed in the help, but providing them failed with an > > ?unknown option? error, and showed the help which listed it > > as a valid option. > The patch is not right.??For example, when TLSv1 is disabled, it is > not the case that TLSv1.1 and TLSv1.2 are disabled.?? When?OPENSSL_NO_TLS1 is disabled, the?-tls1_2, -tls1_1 and?-tls1 options to s_client are not parsed. See lines 958-964: > #ifndef?OPENSSL_NO_TLS1 > ????????else if (strcmp(*argv, "-tls1_2") == 0) > ????????????meth = TLSv1_2_client_method(); > ????????else if (strcmp(*argv, "-tls1_1") == 0) > ????????????meth = TLSv1_1_client_method(); > ????????else if (strcmp(*argv, "-tls1") == 0) > ????????????meth = TLSv1_client_method(); > #endif I agree it doesn't seem the best name to control tls 1.2, but I assumed that they were all using some shared functions so that OPENSSL_NO_TLS1 meant you couldn't use any TLS x function. Also note that there are no other?OPENSSL_NO_TLS* macros which would apply to the minor versions (the most similar is OPENSSL_NO_TLS1_2_CLIENT). Do you have more information about *what* is the right behavior here? Sadly, the macros don't seem to be documented. > Secondly disabled > features should report that the feature is disabled, not a bad usage > message, as would be the case with a mistyped option. I agree it's a much more sensible way of erroring out, and I would be happy to prepare a patch that does that. Do note however that such is the way s_client works, see lines 878-1124 where dozens of argparsing strcmps are guarded by #ifdefs (as well as on sc_usage() function). I tried to fix the inconsistency in the least disruptive way. Additionally, do you have any preference about the branch? I prepared the patch against the stable branch, since it's the one on which I noticed the problem, but perhaps you prefer it against to master instead. Best regards From onicrypt at gmail.com Fri Mar 4 21:35:27 2016 From: onicrypt at gmail.com (Nich Ramsey) Date: Fri, 4 Mar 2016 13:35:27 -0800 Subject: [openssl-dev] Source code BIO_printf() function In-Reply-To: References: <1457123347582-64330.post@n7.nabble.com> Message-ID: Seconded CHOW Anthony's advice. GitHub is much quicker, and returns 11 pages of results. Much easier to parse thru their UI than command prompt/favorite text editor :) On Mar 4, 2016 1:30 PM, "CHOW Anthony" wrote: > Try Github: https://github.com/openssl/openssl > > -----Original Message----- > From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of > MusseRedi > Sent: Friday, March 04, 2016 12:29 PM > To: openssl-dev at openssl.org > Subject: [openssl-dev] Source code BIO_printf() function > > I'm new to the OpenSSL project, and was wondering where I can find the > source code for the BIO_printf() function. > > > > -- > View this message in context: > http://openssl.6102.n7.nabble.com/Source-code-BIO-printf-function-tp64330.html > Sent from the OpenSSL - Dev mailing list archive at Nabble.com. > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From redi35 at hotmail.com Fri Mar 4 20:41:43 2016 From: redi35 at hotmail.com (Musse Redi) Date: Fri, 4 Mar 2016 13:41:43 -0700 (MST) Subject: [openssl-dev] Source code BIO_printf() function In-Reply-To: <1457123347582-64330.post@n7.nabble.com> References: <1457123347582-64330.post@n7.nabble.com> Message-ID: <1457124103619-64335.post@n7.nabble.com> It's defined in openssl/crypto/bio/b_print.c -- View this message in context: http://openssl.6102.n7.nabble.com/Source-code-BIO-printf-function-tp64330p64335.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From openssl-users at dukhovni.org Fri Mar 4 22:00:32 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 4 Mar 2016 17:00:32 -0500 Subject: [openssl-dev] cipher order In-Reply-To: References: <20160303153359.18296912.55573.55389@ll.mit.edu> <20160303173002.47ffb73d@pc1> Message-ID: <779D0601-8CB3-47C7-B16D-BC028C01D6C4@dukhovni.org> > On Mar 4, 2016, at 3:57 PM, Emilia K?sper wrote: > > I've updated the pull to do a much more substantial cleanup. What will @STRENGTH mean in this context? Will ignore the distinction between AES256 and AES128? What does this do to the @SECLEVEL interface which tries to provide NIST-compatible bit strengths across multiple features? Or we just changing the default order, and allowing @STRENGTH to perturb it back, and @SECLEVEL to prune-away 128 leaving just 256, ... In other words how does this fit into the larger picture? -- Viktor. From noloader at gmail.com Fri Mar 4 22:24:00 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 4 Mar 2016 17:24:00 -0500 Subject: [openssl-dev] cipher order In-Reply-To: <20160303132806.73c3c465@pc1> References: <20160303132806.73c3c465@pc1> Message-ID: > Browsers have largely decided to implement GCM-modes only with AES128. > Chrome is now about to change that. Not sure if other browsers will > follow. > > Right now if you configure a server with openssl's cipher suite > ordering it is likely that a connection will happen with AES256 in CBC > mode instead of the (most likely more secure) AES128 in GCM mode. The standard does not specify whether the client selects the cipher or the server selects the cipher. OpenSSL servers yield to the client's preference. That is, the server attempts to match the clients first preference, then the second preference, and so on. If you control the server's configuration, then order them how you see fit. Then use SSL_OP_CIPHER_SERVER_PREFERENCE context option to ensure the server's preference for ciphers are used. Jeff From emilia at openssl.org Sat Mar 5 00:36:54 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Sat, 05 Mar 2016 00:36:54 +0000 Subject: [openssl-dev] cipher order In-Reply-To: <779D0601-8CB3-47C7-B16D-BC028C01D6C4@dukhovni.org> References: <20160303153359.18296912.55573.55389@ll.mit.edu> <20160303173002.47ffb73d@pc1> <779D0601-8CB3-47C7-B16D-BC028C01D6C4@dukhovni.org> Message-ID: On Fri, Mar 4, 2016 at 11:00 PM Viktor Dukhovni wrote: > > > On Mar 4, 2016, at 3:57 PM, Emilia K?sper wrote: > > > > I've updated the pull to do a much more substantial cleanup. > > What will @STRENGTH mean in this context? Will ignore > the distinction between AES256 and AES128? @STRENGTH will sort it back by symmetric encryption key strength. Which is a bit of a bummer but I have no good answer for how to avoid it, because this is what @STRENGTH's contract promises to do. What does this > do to the @SECLEVEL interface which tries to provide > NIST-compatible bit strengths across multiple features? > @SECLEVEL will continue to work as expected, i.e., it will filter out the ones that don't meet the level. (@SECLEVEL operates directly on the cert, and does nothing to the cipherlist alone. Which results in misleading output from the 'ciphers' app, but that is a separate bug.) > > Or we just changing the default order, and allowing > @STRENGTH to perturb it back, and @SECLEVEL to prune-away > 128 leaving just 256, ... > > In other words how does this fit into the larger picture? The ordering affects lists built from the predefined groups - ALL, DEFAULT, HIGH, MEDIUM, LOW etc. More generally, it sorts each cipher group separated by the ':'. For example, if you do 'CAMELLIA:AES' then you get CAMELLIA ciphers sorted by this preference, followed by AES ciphers sorted by this preference., and if you do 'CAMELLIA:AES at STRENGTH' then - sadly - you get the symmetric strength-sort back. We could add a variant of @STRENGTH that re-sorts by our internal implicit preferences (which we're allowed to change at any time), but that's not going to happen for 1.1.0. It is, however, possible, to achieve the same effect in multiple ways already: - start from DEFAULT, and remove more ciphers, e.g. "DEFAULT:!3DES:!AES128" - Or, if you want a superset of DEFAULT, start from ALL, and remove some ciphers: "ALL:!MEDIUM:!LOW:!aNULL:!eNULL:!IDEA:!SEED" Both of these operations will preserve the preferences. Anyway, the goal here is to improve the situation *if the user does nothing*. It does not solve all the other problems of the API, but it does not make them worse. Emilia > -- > Viktor. > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Sat Mar 5 02:21:06 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 05 Mar 2016 02:21:06 +0000 Subject: [openssl-dev] [openssl.org #4378] Multiple warnings under OpenBSD 5.7/64-bit In-Reply-To: References: Message-ID: OpenBSD uses GCC 4.2.1 $ egrep -B 1 'warning|error' openssl-log.txt ecp_nistz256.c: In function 'ecp_nistz256_points_mul': ecp_nistz256.c:1131: warning: ignoring alignment for stack allocated 't' ecp_nistz256.c:1131: warning: ignoring alignment for stack allocated 'p' -- b_addr.c: In function 'BIO_lookup': b_addr.c:728: warning: dereferencing type-punned pointer will break strict-aliasing rules -- x509_vpm.c: In function 'X509_VERIFY_PARAM_set1_ip': x509_vpm.c:476: warning: dereferencing type-punned pointer will break strict-aliasing rules -- ts_rsp_sign.c: In function 'TS_RESP_CTX_add_md': ts_rsp_sign.c:275: warning: passing argument 2 of 'sk_EVP_MD_push' discards qualifiers from pointer target type -- cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -c srp_lib.c srp_lib.c:324: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:324: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:325: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:325: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:326: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:326: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:327: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:327: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:328: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:328: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:329: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:329: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:330: warning: type-punning to incomplete type might break strict-aliasing rules srp_lib.c:330: warning: type-punning to incomplete type might break strict-aliasing rules -- cm_pmeth.c: In function 'pkey_cmac_ctrl_str': cm_pmeth.c:165: warning: passing argument 4 of 'pkey_cmac_ctrl' discards qualifiers from pointer target type -- from async.c:62: arch/async_posix.h:67:24: error: ucontext.h: No such file or directory -- arch/async_posix.h: In function 'async_fibre_swapcontext': arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4378 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openbsd-log.tar.gz Type: application/x-gzip Size: 8778 bytes Desc: not available URL: From rt at openssl.org Sat Mar 5 02:22:00 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 05 Mar 2016 02:22:00 +0000 Subject: [openssl-dev] [openssl.org #4379] "arch/async_posix.h:67:24: error: ucontext.h: No such file or directory" under OpenBSD 5.7/64-bit In-Reply-To: References: Message-ID: cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -c async.c -o async.o In file included from async_locl.h:69, from async.c:62: arch/async_posix.h:67:24: error: ucontext.h: No such file or directory In file included from async_locl.h:69, from async.c:62: arch/async_posix.h: In function 'async_fibre_swapcontext': arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' *** Error 1 in crypto/async (Makefile:65 'async.o') *** Error 1 in crypto (Makefile:91 'subdirs') *** Error 1 in /home/jwalton/openssl (Makefile:291 'build_crypto') -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4379 Please log in as guest with password guest if prompted From rsalz at akamai.com Sat Mar 5 06:15:17 2016 From: rsalz at akamai.com (Salz, Rich) Date: Sat, 5 Mar 2016 06:15:17 +0000 Subject: [openssl-dev] links to KDF functions from pkeyutl man are broken In-Reply-To: <5bb194a7865e43cf829717ea67a39756@usma1ex-dag1mb1.msg.corp.akamai.com> References: <000b01d175fd$62472360$26d56a20$@sales@free.fr> <13170A2C-9B03-4D64-AC49-B506F67C42C4@dukhovni.org> <5bb194a7865e43cf829717ea67a39756@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <232b7010d7394490aacd85cdfe85b444@usma1ex-dag1mb1.msg.corp.akamai.com> First one is a typo diff --git a/doc/crypto/EVP_PKEY_HKDF.pod b/doc/crypto/EVP_PKEY_HKDF.pod index 00c0a76..8a5ef98 100644 --- a/doc/crypto/EVP_PKEY_HKDF.pod +++ b/doc/crypto/EVP_PKEY_HKDF.pod @@ -2,7 +2,7 @@ =head1 NAME -EVP_PKEY_HKDF; EVP_PKEY_CTX_set_hkdf_md, EVP_PKEY_CTX_set1_hkdf_salt, +EVP_PKEY_HKDF, EVP_PKEY_CTX_set_hkdf_md, EVP_PKEY_CTX_set1_hkdf_salt, EVP_PKEY_CTX_set1_hkdf_key, EVP_PKEY_CTX_add1_hkdf_info - HMAC-based Extract-and-Expand key derivation algorithm Not sure why the second doesn't work, yet. -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz > -----Original Message----- > From: Salz, Rich [mailto:rsalz at akamai.com] > Sent: Friday, March 04, 2016 9:48 AM > To: openssl-dev at openssl.org > Subject: Re: [openssl-dev] links to KDF functions from pkeyutl man are > broken > > > > where section is "1" or "3" as appropriate. Links across sections are useful. > > Absolutely. They're criticial. The build script on the website needs a tweak > (or the manpage does), that's all. > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From rt at openssl.org Sat Mar 5 09:01:48 2016 From: rt at openssl.org (Dr. Matthias St. Pierre via RT) Date: Sat, 05 Mar 2016 09:01:48 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: <1E23EFC52F00C649B69F652AFD284ABD378659992D@ex07.ncp.local> References: <1422347341-5962-1-git-send-email-msp@ncp-e.com> <1E23EFC52F00C649B69F652AFD284ABD378659992D@ex07.ncp.local> Message-ID: Is there any chance that this change will find it's way into OpenSSL 1.1 ? Regards, Matthias St. Pierre -----Urspr?ngliche Nachricht----- Von: Rich Salz via RT [mailto:rt at openssl.org] Gesendet: Mittwoch, 2. M?rz 2016 15:28 An: Dr. Matthias St. Pierre Cc: openssl-dev at openssl.org Betreff: [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups Steve, what do you thnk? -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4328 bytes Desc: not available URL: From rt at openssl.org Sat Mar 5 10:57:26 2016 From: rt at openssl.org (Ignat Korchagin via RT) Date: Sat, 05 Mar 2016 10:57:26 +0000 Subject: [openssl-dev] [openssl.org #3163] [PATCH] DSTU-4145-2002 engine implementation In-Reply-To: References: Message-ID: Will do. But, is it still feasible to get DSTU NIDs merged to core code? Regards, Ignat 2016-03-03 5:30 GMT+00:00 Rich Salz via RT : > If this is still of interest, please do it as an external engine, like GOSTnow > is. > -- > Rich Salz, OpenSSL dev team; rsalz at openssl.org > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3163 > Please log in as guest with password guest if prompted > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3163 Please log in as guest with password guest if prompted From tom.browder at gmail.com Sat Mar 5 12:24:35 2016 From: tom.browder at gmail.com (Tom Browder) Date: Sat, 5 Mar 2016 06:24:35 -0600 Subject: [openssl-dev] Static code checker research worth investigating (Communications of the ACM, 03/2016, Vol. 59, No. 03, p. 99) Message-ID: Interesting article in latest issue of subject titled: "A Differential Approach to Undefined Behavior Detection" which may describe procedures not used in other static analysis programs. Article references the authors' website here: http://css.csail.mit.edu/stack which contains more info links and a link to the software on github here: https://github.com/xiw/stack Best regards, -Tom From rt at openssl.org Sat Mar 5 16:52:40 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Sat, 05 Mar 2016 16:52:40 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: References: <1422347341-5962-1-git-send-email-msp@ncp-e.com> <1E23EFC52F00C649B69F652AFD284ABD378659992D@ex07.ncp.local> Message-ID: On Sat Mar 05 09:01:48 2016, Matthias.St.Pierre at ncp-e.com wrote: > Is there any chance that this change will find it's way into OpenSSL > 1.1 ? > The fact we don't export the DHparameters item I'd regard as a bug which should be fixed. The EC one I'm less sure about. This ends up exposing what were previously internal functions. I'll see if there is an alternative way to achieve the same result. Steve/ -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 5 18:42:00 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Sat, 05 Mar 2016 18:42:00 +0000 Subject: [openssl-dev] [openssl.org #3163] [PATCH] DSTU-4145-2002 engine implementation In-Reply-To: References: Message-ID: Can you make a PR for that? Or just post a diff to objects.txt? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3163 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 5 19:11:16 2016 From: rt at openssl.org (Ignat Korchagin via RT) Date: Sat, 05 Mar 2016 19:11:16 +0000 Subject: [openssl-dev] [openssl.org #3163] [PATCH] DSTU-4145-2002 engine implementation In-Reply-To: References: Message-ID: Probably, will make a PR. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3163 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 5 19:58:57 2016 From: rt at openssl.org (Dr. Matthias St. Pierre via RT) Date: Sat, 05 Mar 2016 19:58:57 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: <1E23EFC52F00C649B69F652AFD284ABD3786599930@ex07.ncp.local> References: <1422347341-5962-1-git-send-email-msp@ncp-e.com> <1E23EFC52F00C649B69F652AFD284ABD378659992D@ex07.ncp.local> <1E23EFC52F00C649B69F652AFD284ABD3786599930@ex07.ncp.local> Message-ID: > Von: Stephen Henson via RT [mailto:rt at openssl.org] > Gesendet: Samstag, 5. M?rz 2016 17:53 > An: Dr. Matthias St. Pierre > Cc: openssl-dev at openssl.org > Betreff: [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups > > ... > > The fact we don't export the DHparameters item I'd regard as a bug which should > be fixed. > > The EC one I'm less sure about. This ends up exposing what were previously > internal functions. I'll see if there is an alternative way to achieve the same > result. > These functions, although internal, appear to me to be the natural way to serialize and deserialize private ECDH groups. They are well tested and reusable and the only reason why they are not public is probably because OpenSSL is focused on supplying standardized named curves for TLS. Using private ECDH curves might not make much sense for TLS, but in my case it did: I used it for a VPN client/server where the customer requested the ability to use private ECDH groups in the IKEv2 protocol, in addition to the official IANA groups. With the proposed change it was easy for me to serialize the entire set of all public and private [EC]DH-Groups in single file by creating a few ASN1 rules based on the existing ASN1 structures (DHparameters resp. EC[PK]PARAMETERS). So instead of reinventing the wheel, I let OpenSSL do the main part of the serialization. There is a thread that predates the creation of my ticket, where I discussed my motivation with Daniel Kahn Gillmor, see below. I hope my arguments convince you that it is a good idea to add these ASN1 structures and the related functions to the public api. Best Regards, Matthias St. Pierre http://thread.gmane.org/gmane.comp.encryption.openssl.devel/28272: >>> On Tue 2015-01-27 11:15:37 -0500, Dr. Matthias St. Pierre wrote: >>>> Add missing forward declarations and export declarations for DHparams >>>> and EC[PK]PARAMETERS. >>>> >>>> Add public functions to convert between EC_GROUP objects and EC[PK]PARAMETERS >>>> objects: EC_GROUP_new_from_ec[pk]parameters(), EC_GROUP_get_ec[pk]parameters(). >>> >>> fwiw, the IETF TLS WG is moving away from the possibility of arbitrary >>> EC groups, and toward the requirement of specified and vetted EC >>> groups. I'm not sure how much extra work should be done to maintain >>> that as a public-facing interface. >> >> As for TLS, you maybe right. However, the use of Diffie-Hellman is not limited >> to TLS (in my case, it's IKEv2). The proposed changes are not for libssl, but for >> the 'low level' libcrypto library, which is in my opinion a general purpose crypto >> library. As such, it should not make assumptions on or impose restrictions to possible >> use cases of the library. Neither should it enforce standards, but provide algorithms. >> >> My patch does not introduce new features or change existing ones. It just makes >> functionality available for reuse. I needed this particular functionality and I >> had the choice between 1) copy & paste the code 2) patch OpenSSL privately, or >> 3) submit a patch. So I chose the latter. > >Your choice of action makes sense to me, thanks! > > --dkg -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 5 21:34:58 2016 From: rt at openssl.org (Bill Parker via RT) Date: Sat, 05 Mar 2016 21:34:58 +0000 Subject: [openssl-dev] [openssl.org #4380] [PATCH] Missing Sanity Checks for EVP_PKEY_new() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'crypto/evp', file 'pmeth_gn.c', in function 'EVP_PKEY_keygen()', there is a call to EVP_PKEY_new() which is not checked for a return value of NULL, indicating failure. This test is done in function 'EVP_PKEY_paramgen()', but looks like it was left out in function 'EVP_PKEY_keygen()' it would appear. The patch file below should address/correct this issue: --- pmeth_gn.c.orig 2016-03-05 06:15:29.530259070 -0800 +++ pmeth_gn.c 2016-03-05 06:18:17.940663167 -0800 @@ -152,6 +152,11 @@ if (!*ppkey) *ppkey = EVP_PKEY_new(); + if (*ppkey == NULL) { + EVPerr(EVP_F_EVP_PKEY_PARAMGEN, ERR_R_MALLOC_FAILURE); + return -1; + } + ret = ctx->pmeth->keygen(ctx, *ppkey); if (ret <= 0) { EVP_PKEY_free(*ppkey); ======================================================================= In directory 'engines/ccgost', file 'gost94_keyx.c', there is a call to 'EVP_PKEY_new()' which are not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- gost94_keyx.c.orig 2016-03-05 06:25:00.168784292 -0800 +++ gost94_keyx.c 2016-03-05 06:27:47.325028991 -0800 @@ -126,6 +126,8 @@ key_is_ephemeral = 1; if (out) { mykey = EVP_PKEY_new(); + if (!mykey) + goto memerr; EVP_PKEY_assign(mykey, EVP_PKEY_base_id(pubk), DSA_new()); EVP_PKEY_copy_parameters(mykey, pubk); if (!gost_sign_keygen(EVP_PKEY_get0(mykey))) { ======================================================================= In directory 'engines/ccgost', file 'gost2001_keyx.c', there is a call to 'EVP_PKEY_new()' which are not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- gost2001_keyx.c.orig 2016-03-05 06:29:48.056373325 -0800 +++ gost2001_keyx.c 2016-03-05 06:30:23.400865428 -0800 @@ -147,6 +147,8 @@ key_is_ephemeral = 1; if (out) { sec_key = EVP_PKEY_new(); + if (!sec_key) + goto memerr; EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new()); EVP_PKEY_copy_parameters(sec_key, pubk); if (!gost2001_keygen(EVP_PKEY_get0(sec_key))) { ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4380 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: pmeth_gn.c.patch Type: application/octet-stream Size: 385 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: gost94_keyx.c.patch Type: application/octet-stream Size: 439 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: gost2001_keyx.c.patch Type: application/octet-stream Size: 455 bytes Desc: not available URL: From rt at openssl.org Sat Mar 5 23:25:42 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Sat, 05 Mar 2016 23:25:42 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: References: <1422347341-5962-1-git-send-email-msp@ncp-e.com> <1E23EFC52F00C649B69F652AFD284ABD378659992D@ex07.ncp.local> <1E23EFC52F00C649B69F652AFD284ABD3786599930@ex07.ncp.local> Message-ID: On Sat Mar 05 19:58:57 2016, Matthias.St.Pierre at ncp-e.com wrote: > > These functions, although internal, appear to me to be the natural way > to serialize > and deserialize private ECDH groups. They are well tested and reusable > and the only > reason why they are not public is probably because OpenSSL is focused > on supplying > standardized named curves for TLS. Using private ECDH curves might not > make much sense > for TLS, but in my case it did: I used it for a VPN client/server > where the customer > requested the ability to use private ECDH groups in the IKEv2 > protocol, in addition > to the official IANA groups. > > With the proposed change it was easy for me to serialize the entire > set of all public > and private [EC]DH-Groups in single file by creating a few ASN1 rules > based on the > existing ASN1 structures (DHparameters resp. EC[PK]PARAMETERS). So > instead of > reinventing the wheel, I let OpenSSL do the main part of the > serialization. > > There is a thread that predates the creation of my ticket, where I > discussed my motivation > with Daniel Kahn Gillmor, see below. I hope my arguments convince you > that it is a good > idea to add these ASN1 structures and the related functions to the > public api. > Well I agree that that ASN.1 structure is a natural way to encode/decode EC parameters I'm just wondering what alternatives there are. We'd be exposing internal structures with no accessors whose sole purpose would be to convert between EC_GROUP and back. The ideal situation would be an ASN.1 item which handle an EC_GROUP structure directly instead of the internal form. We don't currently have one though, Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From michel.sales at free.fr Sun Mar 6 10:38:04 2016 From: michel.sales at free.fr (Michel) Date: Sun, 6 Mar 2016 11:38:04 +0100 Subject: [openssl-dev] Default configure and build script no longer enable threads support Message-ID: <000301d17794$441afea0$cc50fbe0$@sales@free.fr> Hi, Looks like threading support is not the default for widows platform with latest git repo. Is it expected ? When explicitly configured as "PERL Configure threads VC-WIN32 --debug", then util\mk1mf.pl complains : "unknown option - enable-threads" Also it is not clear to me : Are locking callbacks() still needed with OpenSSL 1.1 ? Thanks, Michel. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ben at links.org Sun Mar 6 11:20:57 2016 From: ben at links.org (Ben Laurie) Date: Sun, 6 Mar 2016 11:20:57 +0000 Subject: [openssl-dev] MacOS defaults? Message-ID: Currently OpenSSL defaults to 32 bit in MacOS. I'm told it might be better to default to 64 bit these days. Does anyone have any views? -------------- next part -------------- An HTML attachment was scrubbed... URL: From uri at ll.mit.edu Sun Mar 6 15:27:03 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Sun, 6 Mar 2016 15:27:03 +0000 Subject: [openssl-dev] MacOS defaults? Message-ID: <20160306152712.18296912.69389.55951@ll.mit.edu> Yes I think it's way past time to make this change. 64-bit has been the norm for ages. Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. From: Ben Laurie Sent: Sunday, March 6, 2016 06:21 To: OpenSSL development Reply To: openssl-dev at openssl.org Subject: [openssl-dev] MacOS defaults? Currently OpenSSL defaults to 32 bit in MacOS. I'm told it might be better to default to 64 bit these days. Does anyone have any views? -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4350 bytes Desc: not available URL: From openssl-users at dukhovni.org Sun Mar 6 16:25:53 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 6 Mar 2016 11:25:53 -0500 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: Message-ID: <5114AF90-15F7-48D8-AF06-425BDFF65861@dukhovni.org> > On Mar 6, 2016, at 6:20 AM, Ben Laurie wrote: > > Currently OpenSSL defaults to 32 bit in MacOS. I'm told it might be better to default to 64 bit these days. > > Does anyone have any views? I support a switch to a 64bit default. -- Viktor. From ben at links.org Sun Mar 6 17:00:23 2016 From: ben at links.org (Ben Laurie) Date: Sun, 6 Mar 2016 17:00:23 +0000 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <20160306152712.18296912.69389.55951@ll.mit.edu> References: <20160306152712.18296912.69389.55951@ll.mit.edu> Message-ID: Hmm. So why do I see this on my macbook? $ arch i386 On 6 March 2016 at 15:27, Blumenthal, Uri - 0553 - MITLL wrote: > Yes I think it's way past time to make this change. 64-bit has been the > norm for ages. > > > Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE network. > *From: *Ben Laurie > *Sent: *Sunday, March 6, 2016 06:21 > *To: *OpenSSL development > *Reply To: *openssl-dev at openssl.org > *Subject: *[openssl-dev] MacOS defaults? > > Currently OpenSSL defaults to 32 bit in MacOS. I'm told it might be better > to default to 64 bit these days. > > Does anyone have any views? > > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From appro at openssl.org Sun Mar 6 17:05:33 2016 From: appro at openssl.org (Andy Polyakov) Date: Sun, 6 Mar 2016 18:05:33 +0100 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> Message-ID: <56DC635D.5050108@openssl.org> > Hmm. So why do I see this on my macbook? > > $ arch > i386 I suppose you have to hook up BlackBerry 10 with Verizon LTE plan? :-) :-) :-) From cal at macports.org Sun Mar 6 21:31:09 2016 From: cal at macports.org (Clemens Lang) Date: Sun, 6 Mar 2016 22:31:09 +0100 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) In-Reply-To: <56D60F06.2020204@monetra.com> References: <56D5D676.9010603@monetra.com> <20160301191513.GJ12869@mournblade.imrryr.org> <56D60743.9000607@monetra.com> <56D6092B.7020405@akamai.com> <56D60F06.2020204@monetra.com> Message-ID: <20160306213109.GB579@cBookPro.fritz.box> On Tue, Mar 01, 2016 at 04:52:06PM -0500, Brad House wrote: > On 03/01/2016 04:27 PM, Benjamin Kaduk wrote: > > On 03/01/2016 03:18 PM, Brad House wrote: > >> On 03/01/2016 02:15 PM, Viktor Dukhovni wrote: > >>> On Tue, Mar 01, 2016 at 12:50:46PM -0500, Brad House wrote: > >>> > >>> The only plausible change from 1.0.2f to 1.0.2g that I see that might > >>> be related to this is below. Does it work if you revert this change > >>> (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac [snip] > >> Confirmed. Reverting that commit fixes the build. > >> > > > > Does the alternate patch from RT #3885 (i.e., from > > https://github.com/openssl/openssl/pull/597) cause a similar build breakage? > > > > Confirmed, this alternate patch worked (or at least compiled) fine: > https://github.com/akamai/openssl/commit/c4af68c317c025c7d0c4f0495b8115d6426a25be.patch I can also confirm that this patch does not have the problem. The test suite passes. Is this going to be fixed? -- Clemens Lang MacPorts From openssl-users at dukhovni.org Sun Mar 6 22:40:26 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 6 Mar 2016 17:40:26 -0500 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> Message-ID: > On Mar 6, 2016, at 12:00 PM, Ben Laurie wrote: > > Hmm. So why do I see this on my macbook? > > $ arch > i386 Try "uname -m" -- Viktor. From appro at openssl.org Sun Mar 6 23:05:38 2016 From: appro at openssl.org (Andy Polyakov) Date: Mon, 7 Mar 2016 00:05:38 +0100 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> Message-ID: <56DCB7C2.8070101@openssl.org> >> Hmm. So why do I see this on my macbook? >> >> $ arch >> i386 > > Try "uname -m" This is not reliable. Because it must have changed recently, it used to be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way to go, it's right there in ./config... From rt at openssl.org Mon Mar 7 03:24:52 2016 From: rt at openssl.org (Hejian via RT) Date: Mon, 07 Mar 2016 03:24:52 +0000 Subject: [openssl-dev] =?utf-8?b?562U5aSNOiAg562U5aSNOiDnrZTlpI06IFtvcGVu?= =?utf-8?q?ssl=2Eorg_=234360=5D_=5BBUG=5D_OpenSSL-1=2E0=2E1_crash_o?= =?utf-8?q?n_sha1=5Fblock=5Fdata=5Forder=5Fssse3_asm?= In-Reply-To: References: <56D59088.2070006@openssl.org> <56D6B71B.5010508@openssl.org> Message-ID: Hi Jeff Thanks for your reply, this are registers info: (gdb) info all-registers rax 0x745dd1f0 1952305648 rbx 0xf92ba6dd 4180387549 rcx 0x7b69e2f6 2070536950 rdx 0x86dab00c 2262478860 rsi 0x6436d580 1681315200 rdi 0x4763c5a8 1197721000 rbp 0x72856ca1 0x72856ca1 rsp 0x50a7e100 0x50a7e100 r8 0x55555a419c60 93825074830432 r9 0x2b4174415ff8 47560123310072 r10 0x2b417433acb8 47560122412216 r11 0x2b41740e9080 47560119980160 r12 0xffffffffffffffe7 -25 r13 0x2b417433acf8 47560122412280 r14 0x55555a419c7c 93825074830460 r15 0x3ff 1023 rip 0x2b41740e8db8 0x2b41740e8db8 eflags 0x10202 [ IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x63 99 gs 0x0 0 st0 0 (raw 0x00000000000000000000) st1 0 (raw 0x00000000000000000000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) st6 0 (raw 0x00000000000000000000) st7 0 (raw 0x00000000000000000000) fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xd3, 0x54, 0x10, 0xaa, 0xa1, 0x94, 0x90, 0x33, 0x41, 0xcc, 0x30, 0x31, 0x73, 0x5c, 0x80, 0xac}, v8_int16 = {0x54d3, 0xaa10, 0x94a1, 0x3390, 0xcc41, 0x3130, 0x5c73, 0xac80}, v4_int32 = {0xaa1054d3, 0x339094a1, 0x3130cc41, 0xac805c73}, v2_int64 = {0x339094a1aa1054d3, 0xac805c733130cc41}, uint128 = 0xac805c733130cc41339094a1aa1054d3} ---Type to continue, or q to quit--- xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x32, 0x47, 0xe5, 0x7e, 0x72, 0x80, 0xf1, 0xf, 0x66, 0x60, 0x37, 0xf, 0x99, 0x44, 0x6, 0xb7}, v8_int16 = {0x4732, 0x7ee5, 0x8072, 0xff1, 0x6066, 0xf37, 0x4499, 0xb706}, v4_int32 = {0x7ee54732, 0xff18072, 0xf376066, 0xb7064499}, v2_int64 = {0xff180727ee54732, 0xb70644990f376066}, uint128 = 0xb70644990f3760660ff180727ee54732} xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x7d, 0xcc, 0xbf, 0xf8, 0xc3, 0xd1, 0x32, 0x9, 0x33, 0x61, 0xb0, 0xba, 0x6d, 0x9, 0xde, 0x80}, v8_int16 = {0xcc7d, 0xf8bf, 0xd1c3, 0x932, 0x6133, 0xbab0, 0x96d, 0x80de}, v4_int32 = {0xf8bfcc7d, 0x932d1c3, 0xbab06133, 0x80de096d}, v2_int64 = {0x932d1c3f8bfcc7d, 0x80de096dbab06133}, uint128 = 0x80de096dbab061330932d1c3f8bfcc7d} xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x8000000000000000}, v16_int8 = {0x7b, 0x59, 0xd6, 0x82, 0x4, 0xd2, 0x31, 0x1e, 0xf, 0x72, 0x86, 0x7e, 0x13, 0x23, 0x2d, 0x5b}, v8_int16 = {0x597b, 0x82d6, 0xd204, 0x1e31, 0x720f, 0x7e86, 0x2313, 0x5b2d}, v4_int32 = {0x82d6597b, 0x1e31d204, 0x7e86720f, 0x5b2d2313}, v2_int64 = {0x1e31d20482d6597b, 0x5b2d23137e86720f}, uint128 = 0x5b2d23137e86720f1e31d20482d6597b} xmm4 {v4_float = {0x0, 0x2eef0000, 0x0, 0x0}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xec, 0x23, 0xe4, 0x91, 0x11, 0xd1, 0xa, 0xd3, 0x41, 0x2d, 0xb5, 0x7b, 0x89, 0x87, 0x99, 0xed}, v8_int16 = {0x23ec, 0x91e4, 0xd111, 0xd30a, 0x2d41, 0x7bb5, 0x8789, 0xed99}, v4_int32 = {0x91e423ec, 0xd30ad111, 0x7bb52d41, 0xed998789}, v2_int64 = {0xd30ad11191e423ec, 0xed9987897bb52d41}, uint128 = 0xed9987897bb52d41d30ad11191e423ec} xmm5 {v4_float = {0x1, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x79, 0x55, 0x93, 0x3f, 0x52, 0x79, 0x16, 0x14, 0xd2, 0xdc, 0x77, 0x1f, 0xa3, 0x65, 0x51, 0x33}, v8_int16 = {0x5579, 0x3f93, 0x7952, 0x1416, 0xdcd2, 0x1f77, 0x65a3, 0x3351}, v4_int32 = {0x3f935579, 0x14167952, 0x1f77dcd2, 0x335165a3}, v2_int64 = {0x141679523f935579, 0x335165a31f77dcd2}, uint128 = 0x335165a31f77dcd2141679523f935579} xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x3, 0x2, 0x1, 0x0, 0x7, 0x6, 0x5, 0x4, 0xb, 0xa, 0x9, 0x8, 0xf, 0xe, 0xd, 0xc}, v8_int16 = {0x203, 0x1, 0x607, 0x405, 0xa0b, 0x809, 0xe0f, 0xc0d}, v4_int32 = {0x10203, 0x4050607, 0x8090a0b, 0xc0d0e0f}, v2_int64 = {0x405060700010203, 0xc0d0e0f08090a0b}, uint128 = 0x0c0d0e0f08090a0b0405060700010203} xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x93, 0xbe, 0x6, 0x2c, 0x89, 0x10, 0x8f, 0x11, 0xdf, 0x4, 0xba, 0x9a, 0xca, 0x18, 0xd6, 0xab}, v8_int16 = {0xbe93, 0x2c06, 0x1089, 0x118f, 0x4df, 0x9aba, 0x18ca, 0xabd6}, v4_int32 = {0x2c06be93, 0x118f1089, 0x9aba04df, 0xabd618ca}, v2_int64 = {0x118f10892c06be93, 0xabd618ca9aba04df}, uint128 = 0xabd618ca9aba04df118f10892c06be93} xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0}, v8_int16 = {0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x3, 0x0}, v4_int32 = {0x3, 0x0, 0x3, 0x3}, v2_int64 = {0x3, 0x300000003}, uint128 = 0x00000003000000030000000000000003} xmm9 {v4_float = {0x80000000, 0x80000000, 0x80000000, 0x80000000}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a}, v8_int16 = {0x7999, 0x5a82, 0x7999, 0x5a82, 0x7999, 0x5a82, 0x7999, 0x5a82}, v4_int32 = {0x5a827999, 0x5a827999, 0x5a827999, 0x5a827999}, v2_int64 = {0x5a8279995a827999, 0x5a8279995a827999}, uint128 = 0x5a8279995a8279995a8279995a827999} xmm10 {v4_float = {0xb91b510, 0x0, 0x7499f, 0x0}, v2_double = {0x8000000000000000, 0x0}, v16_int8 = {0x51, 0x1b, 0x39, 0x4d, 0xda, 0x93, 0x94, 0xe8, 0xe5, 0x33, 0xe9, 0x48, 0xe9, 0xe4, 0x8f, 0x25}, v8_int16 = {0x1b51, 0x4d39, 0x93da, 0xe894, 0x33e5, 0x48e9, 0xe4e9, 0x258f}, v4_int32 = {0x4d391b51, 0xe89493da, 0x48e933e5, 0x258fe4e9}, v2_int64 = {0xe89493da4d391b51, 0x258fe4e948e933e5}, uint128 = 0x258fe4e948e933e5e89493da4d391b51} xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ] (gdb) -----????----- ???: Jeffrey Walton [mailto:noloader at gmail.com] ????: 2016?3?3? 12:31 ???: Hejian (E) ??: Re: [openssl-dev] ??: ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm Hi Hejian, He's probably going to want 'info all-registers' because of MMX/SSE3 and the problem with sha1_block_data_order_ssse3. Also see http://sourceware.org/gdb/onlinedocs/gdb/Registers.html. I'm just guessing, and my apologies for bringing it up. Jeff On Wed, Mar 2, 2016 at 11:21 PM, Hejian via RT wrote: > Here is the info reg: > > (gdb) info reg > rax 0x745dd1f0 1952305648 > rbx 0xf92ba6dd 4180387549 > rcx 0x7b69e2f6 2070536950 > rdx 0x86dab00c 2262478860 > rsi 0x6436d580 1681315200 > rdi 0x4763c5a8 1197721000 > rbp 0x72856ca1 0x72856ca1 > rsp 0x50a7e100 0x50a7e100 > r8 0x55555a419c60 93825074830432 > r9 0x2b4174415ff8 47560123310072 > r10 0x2b417433acb8 47560122412216 > r11 0x2b41740e9080 47560119980160 > r12 0xffffffffffffffe7 -25 > r13 0x2b417433acf8 47560122412280 > r14 0x55555a419c7c 93825074830460 > r15 0x3ff 1023 > rip 0x2b41740e8db8 0x2b41740e8db8 > eflags 0x10202 [ IF RF ] > cs 0x33 51 > ss 0x2b 43 > ds 0x0 0 > es 0x0 0 > fs 0x63 99 > gs 0x0 0 > (gdb) > > > -----????----- > ???: Andy Polyakov via RT [mailto:rt at openssl.org] > ????: 2016?3?3? 1:24 > ???: Hejian (E) > ??: openssl-dev at openssl.org > ??: Re: [openssl-dev] ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 > crash on sha1_block_data_order_ssse3 asm > >> 0x00002b41740e8da7 <+2967>: je 0x2b41740e8f40 >> 0x00002b41740e8dad <+2973>: movdqa 0x40(%r11),%xmm6 >> 0x00002b41740e8db3 <+2979>: movdqa (%r11),%xmm9 >> => 0x00002b41740e8db8 <+2984>: movdqu (%r9),%xmm0 --is this what you want ? > > And 'info reg' please. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From ben at links.org Mon Mar 7 09:21:51 2016 From: ben at links.org (Ben Laurie) Date: Mon, 7 Mar 2016 09:21:51 +0000 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> Message-ID: On 6 March 2016 at 22:40, Viktor Dukhovni wrote: > >> On Mar 6, 2016, at 12:00 PM, Ben Laurie wrote: >> >> Hmm. So why do I see this on my macbook? >> >> $ arch >> i386 > > Try "uname -m" x86_64 But AIUI, uname -m tells me what hardware I've got, arch tells me what mode it is running in... From ben at links.org Mon Mar 7 09:23:46 2016 From: ben at links.org (Ben Laurie) Date: Mon, 7 Mar 2016 09:23:46 +0000 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <56DCB7C2.8070101@openssl.org> References: <20160306152712.18296912.69389.55951@ll.mit.edu> <56DCB7C2.8070101@openssl.org> Message-ID: On 6 March 2016 at 23:05, Andy Polyakov wrote: >>> Hmm. So why do I see this on my macbook? >>> >>> $ arch >>> i386 >> >> Try "uname -m" > > This is not reliable. Because it must have changed recently, it used to > be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way > to go, it's right there in ./config... Sure, and that is used to decide whether to offer the 64 bit version. But its not helping me on what should be default. From appro at openssl.org Mon Mar 7 09:59:20 2016 From: appro at openssl.org (Andy Polyakov) Date: Mon, 7 Mar 2016 10:59:20 +0100 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> <56DCB7C2.8070101@openssl.org> Message-ID: <56DD50F8.5000509@openssl.org> >>>> Hmm. So why do I see this on my macbook? >>>> >>>> $ arch >>>> i386 >>> >>> Try "uname -m" >> >> This is not reliable. Because it must have changed recently, it used to >> be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way >> to go, it's right there in ./config... > > Sure, and that is used to decide whether to offer the 64 bit version. > But its not helping me on what should be default. I thought suggestion was to default to 64 bit whenever it is an option. And uname -m *was* returning i386 even on system capable of executing 64-bit code. So that sysctl is something that works in *either* situation. From ben at links.org Mon Mar 7 10:01:50 2016 From: ben at links.org (Ben Laurie) Date: Mon, 7 Mar 2016 10:01:50 +0000 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <56DD50F8.5000509@openssl.org> References: <20160306152712.18296912.69389.55951@ll.mit.edu> <56DCB7C2.8070101@openssl.org> <56DD50F8.5000509@openssl.org> Message-ID: On 7 March 2016 at 09:59, Andy Polyakov wrote: >>>>> Hmm. So why do I see this on my macbook? >>>>> >>>>> $ arch >>>>> i386 >>>> >>>> Try "uname -m" >>> >>> This is not reliable. Because it must have changed recently, it used to >>> be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way >>> to go, it's right there in ./config... >> >> Sure, and that is used to decide whether to offer the 64 bit version. >> But its not helping me on what should be default. > > I thought suggestion was to default to 64 bit whenever it is an option. > And uname -m *was* returning i386 even on system capable of executing > 64-bit code. So that sysctl is something that works in *either* situation. The question is: which is better? I've been told there's no advantage to 64 bit on MacOS unless you need the extra address space - if that's so, then we should default to 32 bit, I think. From thomas.francis.jr at pobox.com Mon Mar 7 13:03:50 2016 From: thomas.francis.jr at pobox.com (Thomas Francis, Jr.) Date: Mon, 7 Mar 2016 08:03:50 -0500 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> <56DCB7C2.8070101@openssl.org> <56DD50F8.5000509@openssl.org> Message-ID: <6260D489-8449-4633-84F1-7A39B25292EF@pobox.com> > On Mar 7, 2016, at 5:01 AM, Ben Laurie wrote: > > On 7 March 2016 at 09:59, Andy Polyakov wrote: >>>>>> Hmm. So why do I see this on my macbook? >>>>>> >>>>>> $ arch >>>>>> i386 >>>>> >>>>> Try "uname -m" >>>> >>>> This is not reliable. Because it must have changed recently, it used to >>>> be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way >>>> to go, it's right there in ./config... >>> >>> Sure, and that is used to decide whether to offer the 64 bit version. >>> But its not helping me on what should be default. >> >> I thought suggestion was to default to 64 bit whenever it is an option. >> And uname -m *was* returning i386 even on system capable of executing >> 64-bit code. So that sysctl is something that works in *either* situation. > > The question is: which is better? I've been told there's no advantage > to 64 bit on MacOS unless you need the extra address space - if that's > so, then we should default to 32 bit, I think. As with all x86-64 systems, compiling for 64-bit will enable the compiler to use many more registers, generally resulting in faster code. The same is _not_ true of 64-bit PPC, where the advice you list above is (almost) accurate. Don?t compile for 64-bit PPC unless you need the extra address space, or you need instructions that are only available for the 64-bit processor. I suspect the advice you heard was geared toward Mac OS on PPC, not x86. I haven?t checked out everything in OpenSSL, but I can say that several programs I?ve written which use OpenSSL for SHA-2, SHA-1, MD5, AES, and 3DES run the crypto routines _much_ faster when compiled as 64-bit than as 32-bit (that was not isolating OpenSSL?s libcrypto, but isolating the code that invoked those routines). The overall application performance was also greatly improved. Memory usage was slightly higher, since pointers are larger, of course. And that held true for Mac OS X (10.6 and later), Windows (2003 Server - 2012 Server and 7 and later), Linux (don?t remember which kernels), and FreeBSD (8.0 and later). I expect it?ll continue to hold true, so I don?t expect to keep testing it. > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > From uri at ll.mit.edu Mon Mar 7 14:42:19 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 7 Mar 2016 14:42:19 +0000 Subject: [openssl-dev] MacOS defaults? Message-ID: <20160307144227.18296912.94312.56045@ll.mit.edu> Try? $ machine Apparently "arch" is not only old (the latest release was in July 2010), but it does not differentiate between Intel-32 and Intel-64.? On my own Mac (proven to be 64-bit :) arch returns "i386", machine returns "x86_64h". Oh, and do hook up BB-10 to LTE - an absolute must for running 64-bit stuff on Macs. :-) :) :) Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. ? Original Message ? From: Ben Laurie Sent: Monday, March 7, 2016 04:22 To: OpenSSL development Reply To: openssl-dev at openssl.org Subject: Re: [openssl-dev] MacOS defaults? On 6 March 2016 at 22:40, Viktor Dukhovni wrote: > >> On Mar 6, 2016, at 12:00 PM, Ben Laurie wrote: >> >> Hmm. So why do I see this on my macbook? >> >> $ arch >> i386 > > Try "uname -m" x86_64 But AIUI, uname -m tells me what hardware I've got, arch tells me what mode it is running in... -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4350 bytes Desc: not available URL: From appro at openssl.org Mon Mar 7 16:05:14 2016 From: appro at openssl.org (Andy Polyakov) Date: Mon, 7 Mar 2016 17:05:14 +0100 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <20160307144227.18296912.94312.56045@ll.mit.edu> References: <20160307144227.18296912.94312.56045@ll.mit.edu> Message-ID: <56DDA6BA.30402@openssl.org> > Try > $ machine > > Apparently "arch" is not only old (the latest release was in July 2010), but it does not differentiate between Intel-32 and Intel-64. > > On my own Mac (proven to be 64-bit :) arch returns "i386", machine returns "x86_64h". And I get i486 (sic!) on proven to be 64-bit Mac. As already mentioned, these things has changed recently (all right, at some point), and for this reason something that worked earlier and keeps working in the same way should be preferable. Or at least one should account for the fact that things has changed. What's h after x86_64h anyway? From rt at openssl.org Mon Mar 7 16:35:49 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 07 Mar 2016 16:35:49 +0000 Subject: [openssl-dev] [openssl.org #4373] OS X 10.5, 32-bit PPC, and missing symbols (_ASYNC_get_current_job, _EVP_MD_meth_set_init, _RSA_PKCS1_OpenSSL, _EVP_MD_meth_new...) In-Reply-To: <56DDADDC.8050708@openssl.org> References: <56DDADDC.8050708@openssl.org> Message-ID: > Working from master: > > $ git reset --hard HEAD && git pull > HEAD is now at e9b1c42 make errors > > Then: > > $ KERNEL_BITS=32 ./config > ... > > $ make depend && make clean && make > ... > > > $ make > ... > > LD_LIBRARY_PATH=..: cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > -DPOLY1305_ASM -DOPENSSLDIR="/usr/local/ssl" > -DENGINESDIR="/usr/local/lib/engines" -O3 -D_REENTRANT -arch ppc > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -arch ppc -bundle -o > ./dasync.dylib e_dasync.o -L.. -lcrypto > Undefined symbols: > "_ASYNC_get_current_job", referenced from: > _dummy_pause_job in e_dasync.o Fixed by http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3ed1839dc3ad285ca83609007a18911d3c7bfdbe. Closing ticket. [As well as re-closing chacha.s ticket.] -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4373 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 7 16:46:37 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 07 Mar 2016 16:46:37 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56DDB06C.8040800@openssl.org> References: <56DDB06C.8040800@openssl.org> Message-ID: On 03/02/16 03:54, noloader at gmail.com via RT wrote: > $ make depend && make clean && make > ... > > $ make test > ... > > ../test/recipes/80-test_tsa.t ............. ok > ../test/recipes/90-test_async.t ........... 1/1 > # Failed test 'running asynctest' > # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_async.t ........... Dubious, test returned 1 > (wstat 256, 0x100) > Failed 1/1 subtests > ... > Test Summary Report > ------------------- > ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 > cusr 45.51 csys = 214.67 CPU) > Result: FAIL > Failed 1/70 test programs. 1/389 subtests failed. > make[1]: *** [tests] Error 255 > > ********** This apparently "derailed" off-topic. As for the problem above it boils down to the fact that getcontext always return failure to ppc64 program. There is nothing we can do about it, you just have to accept that this particular thing doesn't work on MacOS X/ppc64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 7 17:11:58 2016 From: rt at openssl.org (Kaduk, Ben via RT) Date: Mon, 07 Mar 2016 17:11:58 +0000 Subject: [openssl-dev] [openssl.org #4378] Multiple warnings under OpenBSD 5.7/64-bit In-Reply-To: <56DDB65C.2060800@akamai.com> References: <56DDB65C.2060800@akamai.com> Message-ID: On 03/04/2016 08:21 PM, noloader at gmail.com via RT wrote: > OpenBSD uses GCC 4.2.1 > This report would be more useful if it gave some indication of what version of the openssl source it corresponded to. -Ben -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4378 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 7 17:12:33 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 07 Mar 2016 17:12:33 +0000 Subject: [openssl-dev] [openssl.org #4367] FEATURE: Please add -headerpad_max_install_names to LDFLAGS for dynamic libraries on OS X builds In-Reply-To: <56DDB680.9060505@openssl.org> References: <56DDB680.9060505@openssl.org> Message-ID: > OS X side steps the problems with selecting the wrong runtime library > and RPATHs by using something called an install name. Effectively, the > install name should be placed in libcrypto.dylib and libssl.dylib, and > it calls out the fully qualified path name. Programs linked to a > library with an install name will record the library, and dyld(1) will > link to the proper library at runtime. There's no need for tricks like > LD_LIBRARY_PATH on Linux (its called DYLD_LIBRARY_PATH on OS X). Well, formally speaking the feature was always there, all you needed to do is to pass -Wl,-headerpad_max_install_names at config time ;-) One can argue that it would be appropriate to run `which install_name_tool` in ./config and add the option automatically. Would it be acceptable? I mean would presence of install_name_tool be reliable indicator that linker supports -headerpad_max_install_names? > To make room for an install name that may change (for example, from > PWD to /usr/local/ssl/lib, you need to use the flag > -headerpad_max_install_names on libcrypto.dylib and libssl.dylib. > > To add the icing to the cake, 'make install' should add the following > to its recipe for OS X: > > cp libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib Does it really copy libcrypto.dylib and not libcrypto.1.1.dylib? For me it copies the latter... Anyway, the suggested additional step should not be required, because we do pass -install_name when linking .dylib. install_name_tool step would be required if you install it at alternative location, but it doesn't belong in our Makefile. I mean because our Makefile would install in same location as -install_name anyway. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted From appro at openssl.org Mon Mar 7 17:38:13 2016 From: appro at openssl.org (Andy Polyakov) Date: Mon, 7 Mar 2016 18:38:13 +0100 Subject: [openssl-dev] 1.0.2g MacOSX x86_64 build failure (1.0.2f and 1.0.1s are fine) In-Reply-To: <20160306213109.GB579@cBookPro.fritz.box> References: <56D5D676.9010603@monetra.com> <20160301191513.GJ12869@mournblade.imrryr.org> <56D60743.9000607@monetra.com> <56D6092B.7020405@akamai.com> <56D60F06.2020204@monetra.com> <20160306213109.GB579@cBookPro.fritz.box> Message-ID: <56DDBC85.4020409@openssl.org> >>>>> The only plausible change from 1.0.2f to 1.0.2g that I see that might >>>>> be related to this is below. Does it work if you revert this change >>>>> (patch -R): commit 10c639a8a56c90bec9e332c7ca76ef552b3952ac [snip] >>>> Confirmed. Reverting that commit fixes the build. >>>> >>> >>> Does the alternate patch from RT #3885 (i.e., from >>> https://github.com/openssl/openssl/pull/597) cause a similar build breakage? >>> >> >> Confirmed, this alternate patch worked (or at least compiled) fine: >> https://github.com/akamai/openssl/commit/c4af68c317c025c7d0c4f0495b8115d6426a25be.patch > > I can also confirm that this patch does not have the problem. The test > suite passes. Is this going to be fixed? It was addressed in http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=6e42e3ff9cde43830555549fdafa2a8b37b9485b (which was cherry-picked to 1.0.2). For the record, why other suggestions were effectively dismissed. For example there was suggestion to 'use bigint'. It was not considered as preferable, because as general rule I try to make *minimal* assumption about availability of add-on packages. In other words if there is a way to solve it without add-on package, it would be preferred. myoct was ok, but I've chosen to kind of emphasize commentary section that precedes those lines, i.e. that that conversion is really just a prequel to next expression that gets rid of multiplications (and divisions). I mean that oct thing was there exclusively in order to simplify that next expression. So I figured why convert at all, if there are no multiplications (or divisions). From dni.grosu at gmail.com Mon Mar 7 16:49:41 2016 From: dni.grosu at gmail.com (danigrosu) Date: Mon, 7 Mar 2016 09:49:41 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine Message-ID: <1457369381041-64385.post@n7.nabble.com> I want to build an OpenSSL RSA engine, starting from this existing source code file which is a faster method implemented by Intel. First of all I want to build this code so I'm using these commands: gcc -fPIC -m64 -o eng_rsax.o -c eng_rsax.c gcc -shared -o eng_rsax.so -lcrypto eng_rsax.o ... and no error shows up. Then, when I'm trying to test the engine by using the command: openssl engine -t -c `pwd`/eng_rsax.so ... I receive the following errors: 140470207960736:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(/some_path/eng_rsax.so): /some_path/eng_rsax.so: undefined symbol: mod_exp_512 140470207960736:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 140470207960736:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: 140470207960736:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=/some_path/eng_rsax.so At this point I guess I'm not using the right flags and maybe the commands for building the engine are incomplete. What do I need to do in order to make this work? -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Mon Mar 7 17:47:28 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 17:47:28 +0000 Subject: [openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: In reviewing code in directory 'crypto/asn1', file 'asn_moid.c', in function 'do_create()', there is a call to 'OBJ_nid2obj()' which is not checked for a return value of NULL. The patch file below adds the check and returns 0 if NULL is returned: --- asn_moid.c.orig 2016-03-06 17:09:03.019903938 -0800 +++ asn_moid.c 2016-03-06 17:09:41.778829998 -0800 @@ -146,6 +146,8 @@ memcpy(lntmp, ln, p - ln); lntmp[p - ln] = 0; oid = OBJ_nid2obj(nid); + if (oid == NULL) + return 0; oid->ln = lntmp; } ======================================================================= In reviewing code in directory 'crypto/asn1', file 'p5_pbev2.c', in function 'PKCS5_pbe2_set_iv()' and 'PKCS5_pbkdf2_set(), there are calls to 'OBJ_nid2obj()' which is not checked for a return value of NULL. The patch file below adds the check and goes to merr: if NULL is returned: --- p5_pbev2.c.orig 2016-03-06 17:21:56.612223544 -0800 +++ p5_pbev2.c 2016-03-06 17:23:25.049463462 -0800 @@ -105,6 +105,8 @@ goto err; } obj = OBJ_nid2obj(alg_nid); + if (obj == NULL) + goto merr; if (!(pbe2 = PBE2PARAM_new())) goto merr; @@ -169,6 +171,8 @@ goto merr; ret->algorithm = OBJ_nid2obj(NID_pbes2); + if (ret->algorithm == NULL) + goto merr; /* Encode PBE2PARAM into parameter */ @@ -258,6 +262,8 @@ goto merr; keyfunc->algorithm = OBJ_nid2obj(NID_id_pbkdf2); + if (!keyfunc->algorithm) + goto merr; /* Encode PBKDF2PARAM into parameter of pbe2 */ ======================================================================= In reviewing code in directory 'crypto/asn1', file 'x_attrib.c', in function 'X509_ATTRIBUTE_create()' there is a call to 'OBJ_nid2obj()' which is not checked for a return value of NULL. The patch file below adds the check and goes to err: if NULL is returned: --- x_attrib.c.orig 2016-03-06 17:35:12.565385098 -0800 +++ x_attrib.c 2016-03-06 17:37:35.383536550 -0800 @@ -105,6 +105,8 @@ if ((ret = X509_ATTRIBUTE_new()) == NULL) return (NULL); ret->object = OBJ_nid2obj(nid); + if (ret->object == NULL) + goto err; ret->single = 0; if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL) goto err; ======================================================================= In reviewing code in directory 'crypto/asn1', file 'tasn_new.c', in function 'ASN1_primitive_new()' there is a call to 'OBJ_nid2obj()' which is not checked for a return value of NULL. The patch file below adds the check and returns 0 if NULL is returned: --- tasn_new.c.orig 2016-03-06 17:39:25.320508974 -0800 +++ tasn_new.c 2016-03-06 17:40:31.614934655 -0800 @@ -328,6 +328,8 @@ switch (utype) { case V_ASN1_OBJECT: *pval = (ASN1_VALUE *)OBJ_nid2obj(NID_undef); + if (!pval) + return 0; return 1; case V_ASN1_BOOLEAN: ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4381 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: asn_moid.c.patch Type: application/octet-stream Size: 294 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: p5_pbev2.c.patch Type: application/octet-stream Size: 656 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: x_attrib.c.patch Type: application/octet-stream Size: 404 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: tasn_new.c.patch Type: application/octet-stream Size: 305 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 17:51:28 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 17:51:28 +0000 Subject: [openssl-dev] [openssl.org #4382] [PATCH] Missing Sanity Check(s) for BUF_strdup() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: Hello All, In reviewing source code in directory 'crypto/conf', file 'conf_mod.c', there is a call to BUF_strdup() in function 'module_add()' which is not checked for a return value of NULL, indicating failure. The patch file below adds the check and calls OPENSSL_free(tmod) to release the previous allocation by OPENSSL_malloc(): --- conf_mod.c.orig 2016-03-06 05:46:50.424008381 -0800 +++ conf_mod.c 2016-03-06 05:47:49.031457086 -0800 @@ -288,6 +288,10 @@ tmod->dso = dso; tmod->name = BUF_strdup(name); + if (!tmod->name) { + OPENSSL_free(tmod); + return NULL; + } tmod->init = ifunc; tmod->finish = ffunc; tmod->links = 0; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4382 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: conf_mod.c.patch Type: application/octet-stream Size: 330 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 17:52:28 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 17:52:28 +0000 Subject: [openssl-dev] [openssl.org #4383] [PATCH] Add error checking for bn2_expand()/BN_new()/RSA_new_method() in file 'e_chil.c' for OpenSSL-1.0.2g In-Reply-To: References: Message-ID: Hello All, In reviewing source code in directory 'crypto/engines', file 'e_chil.c' there are some comments warning to check for error when bn_expand2() or BN_new() or RSA_new_method() is called. The patch file below adds the requested checks to the code: --- e_chil.c.orig 2016-03-06 06:51:53.783105250 -0800 +++ e_chil.c 2016-03-06 11:20:38.533253919 -0800 @@ -810,9 +810,17 @@ # endif # ifndef OPENSSL_NO_RSA rtmp = RSA_new_method(eng); + if (!rtmp == NULL) { + HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE); + goto err; + } RSA_set_ex_data(rtmp, hndidx_rsa, (char *)hptr); rtmp->e = BN_new(); rtmp->n = BN_new(); + if (!rtmp->e || !rtmp->n) { + HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE); + goto err; + } rtmp->flags |= RSA_FLAG_EXT_PKEY; MPI2BN(rtmp->e, e); MPI2BN(rtmp->n, n); @@ -823,8 +831,14 @@ goto err; } - bn_expand2(rtmp->e, e.size / sizeof(BN_ULONG)); - bn_expand2(rtmp->n, n.size / sizeof(BN_ULONG)); + if (bn_expand2(rtmp->e, e.size / sizeof(BN_ULONG)) == NULL) { + HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE); + goto err; + } + if (bn_expand2(rtmp->n, n.size / sizeof(BN_ULONG)) == NULL) { + HWCRHKerr(HWCRHK_F_HWCRHK_LOAD_PRIVKEY, ERR_R_MALLOC_FAILURE); + goto err; + } MPI2BN(rtmp->e, e); MPI2BN(rtmp->n, n); @@ -923,7 +937,10 @@ goto err; } /* Prepare the params */ - bn_expand2(r, m->top); /* Check for error !! */ + if (bn_expand2(r, m->top) == NULL) { /* Check for error !! */ + HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP, ERR_R_MALLOC_FAILURE); + goto err; + } BN2MPI(m_a, a); BN2MPI(m_p, p); BN2MPI(m_n, m); @@ -989,7 +1006,10 @@ } /* Prepare the params */ - bn_expand2(r, rsa->n->top); /* Check for error !! */ + if (bn_expand2(r, rsa->n->top) == NULL) { /* Check for error !! */ + HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP, ERR_R_MALLOC_FAILURE); + goto err; + } BN2MPI(m_a, I); MPI2BN(r, m_r); @@ -1026,7 +1046,10 @@ } /* Prepare the params */ - bn_expand2(r, rsa->n->top); /* Check for error !! */ + if (bn_expand2(r, rsa->n->top) == NULL) { /* Check for error !! */ + HWCRHKerr(HWCRHK_F_HWCRHK_MOD_EXP, ERR_R_MALLOC_FAILURE); + goto err; + } BN2MPI(m_a, I); BN2MPI(m_p, rsa->p); BN2MPI(m_q, rsa->q); -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4383 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: e_chil.c.patch Type: application/octet-stream Size: 2190 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 17:53:26 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 17:53:26 +0000 Subject: [openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476) In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'engines', file 'e_aep.c', there is a call to function 'bn_expand()', but it is not checked for a return value of NULL. However, a member of the variable 'bn' (bn->d) are used in memset()/memcpy() calls, but if 'bn' is NULL, a segmentation fault/violation will occur. The patch file below checks for a NULL return from 'bn_expand()', but I was not sure what should be returned from here (so I kludged something to fit): --- e_aep.c.orig 2016-03-06 10:47:23.113646348 -0800 +++ e_aep.c 2016-03-06 10:52:27.991394742 -0800 @@ -1137,7 +1137,9 @@ /* * Expand the result bn so that it can hold our big num. Size is in bits */ - bn_expand(bn, (int)(BigNumSize << 3)); + if (!bn_expand(bn, (int)(BigNumSize << 3)) == NULL) + /* what should we do here, a new error code, etc? */ + return 117; /* bn_expand could return NULL, could it not? */ # ifdef SIXTY_FOUR_BIT_LONG bn->top = BigNumSize >> 3; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4384 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: e_aep.c.patch Type: application/octet-stream Size: 501 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 17:54:21 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 17:54:21 +0000 Subject: [openssl-dev] [openssl.org #4385] [PATCH] Missing Sanity Checks for RSA_new_method() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: Hello All, In reviewing source code in directory 'engines', file 'e_4758cca.c', there are two calls to function 'RSA_new_method()' which are not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- e_4758cca.c.orig 2016-03-06 11:05:42.053315929 -0800 +++ e_4758cca.c 2016-03-06 11:06:54.996586643 -0800 @@ -463,6 +463,10 @@ (*(long *)keyToken) = keyTokenLength; rtmp = RSA_new_method(e); + if (rtmp == NULL) { + CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE); + goto err; + } RSA_set_ex_data(rtmp, hndidx, (char *)keyToken); rtmp->e = BN_bin2bn(exponent, exponentLength, NULL); @@ -535,6 +539,10 @@ (*(long *)keyToken) = keyTokenLength; rtmp = RSA_new_method(e); + if (rtmp == NULL) { + CAPIerr(CAPI_F_CAPI_GET_PKEY, ERR_R_MALLOC_FAILURE); + goto err; + } RSA_set_ex_data(rtmp, hndidx, (char *)keyToken); rtmp->e = BN_bin2bn(exponent, exponentLength, NULL); rtmp->n = BN_bin2bn(modulus, modulusFieldLength, NULL); -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4385 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: e_4758cca.c.patch Type: application/octet-stream Size: 788 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 17:55:23 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 17:55:23 +0000 Subject: [openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'engines/ccgost', file 'gost2001.c', there are two calls to BN_new() which are not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- gost2001.c.orig 2016-03-06 11:32:49.676178425 -0800 +++ gost2001.c 2016-03-06 11:38:04.604204158 -0800 @@ -434,6 +434,10 @@ int gost2001_keygen(EC_KEY *ec) { BIGNUM *order = BN_new(), *d = BN_new(); + if (!order || !d) { + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_MALLOC_FAILURE); + return 0; + } const EC_GROUP *group = EC_KEY_get0_group(ec); if(!group || !EC_GROUP_get_order(group, order, NULL)) { -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4386 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: gost2001.c.patch Type: application/octet-stream Size: 426 bytes Desc: not available URL: From levitte at openssl.org Mon Mar 7 17:56:30 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 07 Mar 2016 18:56:30 +0100 (CET) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457369381041-64385.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> Message-ID: <20160307.185630.29267628196195539.levitte@openssl.org> In message <1457369381041-64385.post at n7.nabble.com> on Mon, 7 Mar 2016 09:49:41 -0700 (MST), danigrosu said: dni.grosu> I want to build an OpenSSL RSA engine, starting from this existing dni.grosu> source code file dni.grosu> which is a faster method implemented by Intel. First of all I want to dni.grosu> build this code so I'm using these commands: dni.grosu> dni.grosu> gcc -fPIC -m64 -o eng_rsax.o -c eng_rsax.c dni.grosu> gcc -shared -o eng_rsax.so -lcrypto eng_rsax.o You might want to try this: gcc -shared -o eng_rsax.so eng_rsax.o -lcrypto When linking, order is important. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From jeremy.farrell at oracle.com Mon Mar 7 18:25:17 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Mon, 7 Mar 2016 18:25:17 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <20160307.185630.29267628196195539.levitte@openssl.org> References: <1457369381041-64385.post@n7.nabble.com> <20160307.185630.29267628196195539.levitte@openssl.org> Message-ID: <56DDC78D.8020507@oracle.com> On 07/03/2016 17:56, Richard Levitte wrote: > In message <1457369381041-64385.post at n7.nabble.com> on Mon, 7 Mar 2016 09:49:41 -0700 (MST), danigrosu said: > > dni.grosu> I want to build an OpenSSL RSA engine, starting from this existing > dni.grosu> source code file > dni.grosu> which is a faster method implemented by Intel. First of all I want to > dni.grosu> build this code so I'm using these commands: > dni.grosu> > dni.grosu> gcc -fPIC -m64 -o eng_rsax.o -c eng_rsax.c > dni.grosu> gcc -shared -o eng_rsax.so -lcrypto eng_rsax.o > > You might want to try this: > > gcc -shared -o eng_rsax.so eng_rsax.o -lcrypto > > When linking, order is important. In the spirit of teaching to fish, this could have been discovered by looking at the makefiles which build the engine. Those aren't always easy to decipher, so an alternative would have been just to build that OpenSSL release and look at all the output lines from the build which mention eng_rsax. -- J. J. Farrell -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Mon Mar 7 19:01:27 2016 From: rt at openssl.org (Rich Salz via RT) Date: Mon, 07 Mar 2016 19:01:27 +0000 Subject: [openssl-dev] [openssl.org #4265] [BUG/PATCH] OpenSSL does not compile when SRTP is disabled In-Reply-To: <512C3057-9DF0-4551-8CB5-F71D012E8582@akamai.com> References: <512C3057-9DF0-4551-8CB5-F71D012E8582@akamai.com> Message-ID: This fix is in master in commit d631602. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4265 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 7 19:08:57 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 7 Mar 2016 14:08:57 -0500 Subject: [openssl-dev] [openssl.org #4378] Multiple warnings under OpenBSD 5.7/64-bit In-Reply-To: References: <56DDB65C.2060800@akamai.com> Message-ID: On Mon, Mar 7, 2016 at 12:11 PM, Kaduk, Ben via RT wrote: > On 03/04/2016 08:21 PM, noloader at gmail.com via RT wrote: >> OpenBSD uses GCC 4.2.1 >> > > This report would be more useful if it gave some indication of what > version of the openssl source it corresponded to. Oh, sorry about that Ben. I was working from Master. Based on the date/time, it looks like it would have been up to commit 9829b5ab52cb5f1891fc48262503b7eec32351b3. Jeff From rt at openssl.org Mon Mar 7 19:09:07 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 07 Mar 2016 19:09:07 +0000 Subject: [openssl-dev] [openssl.org #4378] Multiple warnings under OpenBSD 5.7/64-bit In-Reply-To: References: <56DDB65C.2060800@akamai.com> Message-ID: On Mon, Mar 7, 2016 at 12:11 PM, Kaduk, Ben via RT wrote: > On 03/04/2016 08:21 PM, noloader at gmail.com via RT wrote: >> OpenBSD uses GCC 4.2.1 >> > > This report would be more useful if it gave some indication of what > version of the openssl source it corresponded to. Oh, sorry about that Ben. I was working from Master. Based on the date/time, it looks like it would have been up to commit 9829b5ab52cb5f1891fc48262503b7eec32351b3. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4378 Please log in as guest with password guest if prompted From uri at ll.mit.edu Mon Mar 7 19:23:23 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 7 Mar 2016 19:23:23 +0000 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <56DDA6BA.30402@openssl.org> References: <20160307144227.18296912.94312.56045@ll.mit.edu> <56DDA6BA.30402@openssl.org> Message-ID: On 3/7/16, 11:05 , "openssl-dev on behalf of Andy Polyakov" wrote: >> Try >> $ machine >> >> Apparently "arch" is not only old (the latest release was in July >>2010), but it does not differentiate between Intel-32 and Intel-64. >> >> On my own Mac (proven to be 64-bit :) arch returns "i386", machine >>returns "x86_64h". > >And I get i486 (sic!) on proven to be 64-bit Mac. Yes another proof that we cannot rely on ?arch? on the newer Mac OS X boxes. >As already mentioned, >these things has changed recently (all right, at some point), and for >this reason something that worked earlier and keeps working in the same >way should be preferable. Or at least one should account for the fact >that things has changed. I agree. But don?t know how to accomplish that. >What's h after x86_64h anyway? Sorry, I don?t have the slightest idea. :-( -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From appro at openssl.org Mon Mar 7 19:51:28 2016 From: appro at openssl.org (Andy Polyakov) Date: Mon, 7 Mar 2016 20:51:28 +0100 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160307144227.18296912.94312.56045@ll.mit.edu> <56DDA6BA.30402@openssl.org> Message-ID: <56DDDBC0.2030604@openssl.org> >>> Try >>> $ machine >>> >>> Apparently "arch" is not only old (the latest release was in July >>> 2010), but it does not differentiate between Intel-32 and Intel-64. >>> >>> On my own Mac (proven to be 64-bit :) arch returns "i386", machine >>> returns "x86_64h". >> >> And I get i486 (sic!) on proven to be 64-bit Mac. > > Yes another proof that we cannot rely on ?arch? on the newer Mac OS X > boxes. I meant that I get i486 from 'machine'! I.e. what I tried to say all along is that one can't trust 'arch' *nor* 'machine' or 'uname -m' to identify 64-bit Darwin. Well, if you want something that works even with older versions. From uri at ll.mit.edu Mon Mar 7 20:22:17 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 7 Mar 2016 20:22:17 +0000 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <56DDDBC0.2030604@openssl.org> References: <20160307144227.18296912.94312.56045@ll.mit.edu> <56DDA6BA.30402@openssl.org> <56DDDBC0.2030604@openssl.org> Message-ID: >>>And I get i486 (sic!) on proven to be 64-bit Mac. >> >> Yes another proof that we cannot rely on ?arch? on the newer Mac OS X >> boxes. > >I meant that I get i486 from 'machine?! I.e. what I tried to say all >along is that one can't trust 'arch' *nor* 'machine' or 'uname -m' to >identify 64-bit Darwin. Well, if you want something that works even with >older versions. OK, your point is taken. But what does tell 64-bit from 32-bit? And how badly do we need to know for sure? We were talking about what the *default* should be, not about how to determine 64-bit from 32-bit beyond any reasonable doubt (I think). I?d conjecture that the older versions are becoming less and less relevant as the time goes. So *now* we can (and should) safely set the default to x86_64 for Darwin, and those still on 32-bit architecture can run ?./Configure whatever?. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From noloader at gmail.com Mon Mar 7 20:57:29 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 7 Mar 2016 15:57:29 -0500 Subject: [openssl-dev] MacOS defaults? In-Reply-To: <56DCB7C2.8070101@openssl.org> References: <20160306152712.18296912.69389.55951@ll.mit.edu> <56DCB7C2.8070101@openssl.org> Message-ID: On Sun, Mar 6, 2016 at 6:05 PM, Andy Polyakov wrote: >>> Hmm. So why do I see this on my macbook? >>> >>> $ arch >>> i386 >> >> Try "uname -m" > > This is not reliable. Because it must have changed recently, it used to > be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way > to go, it's right there in ./config... Throwing an OS X 10.5/PowerMac into the mix. Its a 64-bit PowerPC: $ machine ppc970 $ sysctl -n hw.optional.x86_64 second level name optional in hw.optional.x86_64 is invalid $ uname -m Power Macintosh However, there are two interesting ones on the PowerMac: $ sysctl -A 2>/dev/null | grep hw | egrep 'machine|64' hw.machine = Power Macintosh hw.physmem = 2147483648 hw.l2settings = 2147483648 hw.optional.64bitops: 1 hw.cpu64bit_capable: 1 And on a modern Intel with a Core-i7: $ sysctl -A 2>/dev/null | grep hw | egrep 'machine|64' hw.machine = x86_64 hw.physmem = 2147483648 hw.cachelinesize = 64 hw.cpu64bit_capable: 1 hw.cachelinesize: 64 hw.optional.x86_64: 1 From paul.dale at oracle.com Mon Mar 7 21:43:53 2016 From: paul.dale at oracle.com (Paul Dale) Date: Tue, 08 Mar 2016 07:43:53 +1000 Subject: [openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g In-Reply-To: References: Message-ID: <2981304.aufexe8Cad@acid> If one of the allocation calls succeeds and the other fails, the patched code will leak memory. It needs something along the lines of: if (order != NULL) BN_clear_free(order); if (d != NULL) BN_clear_free(d); in the failure case code. Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia On Mon, 7 Mar 2016 05:55:23 PM Bill Parker via RT wrote: > Hello All, > > In reviewing code in directory 'engines/ccgost', file 'gost2001.c', > there are two calls to BN_new() which are not checked for a return > value of NULL, indicating failure. > > The patch file below should address/correct this issue: > > --- gost2001.c.orig 2016-03-06 11:32:49.676178425 -0800 > +++ gost2001.c 2016-03-06 11:38:04.604204158 -0800 > @@ -434,6 +434,10 @@ > int gost2001_keygen(EC_KEY *ec) > { > BIGNUM *order = BN_new(), *d = BN_new(); > + if (!order || !d) { > + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_MALLOC_FAILURE); > + return 0; > + } > const EC_GROUP *group = EC_KEY_get0_group(ec); > > if(!group || !EC_GROUP_get_order(group, order, NULL)) { > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Mon Mar 7 21:44:20 2016 From: rt at openssl.org (paul.dale@oracle.com via RT) Date: Mon, 07 Mar 2016 21:44:20 +0000 Subject: [openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g In-Reply-To: <2981304.aufexe8Cad@acid> References: <2981304.aufexe8Cad@acid> Message-ID: If one of the allocation calls succeeds and the other fails, the patched code will leak memory. It needs something along the lines of: if (order != NULL) BN_clear_free(order); if (d != NULL) BN_clear_free(d); in the failure case code. Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia On Mon, 7 Mar 2016 05:55:23 PM Bill Parker via RT wrote: > Hello All, > > In reviewing code in directory 'engines/ccgost', file 'gost2001.c', > there are two calls to BN_new() which are not checked for a return > value of NULL, indicating failure. > > The patch file below should address/correct this issue: > > --- gost2001.c.orig 2016-03-06 11:32:49.676178425 -0800 > +++ gost2001.c 2016-03-06 11:38:04.604204158 -0800 > @@ -434,6 +434,10 @@ > int gost2001_keygen(EC_KEY *ec) > { > BIGNUM *order = BN_new(), *d = BN_new(); > + if (!order || !d) { > + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_MALLOC_FAILURE); > + return 0; > + } > const EC_GROUP *group = EC_KEY_get0_group(ec); > > if(!group || !EC_GROUP_get_order(group, order, NULL)) { > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4386 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 7 21:45:45 2016 From: rt at openssl.org (Bill Parker via RT) Date: Mon, 07 Mar 2016 21:45:45 +0000 Subject: [openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g In-Reply-To: References: <2981304.aufexe8Cad@acid> Message-ID: Dr. Dale, I actually saw that, but forgot to correct it before sending (my bad)...:( Bill On Mon, Mar 7, 2016 at 1:44 PM, paul.dale at oracle.com via RT wrote: > If one of the allocation calls succeeds and the other fails, the patched > code will leak memory. > It needs something along the lines of: > > if (order != NULL) BN_clear_free(order); > if (d != NULL) BN_clear_free(d); > > in the failure case code. > > > Pauli > > -- > Oracle > Dr Paul Dale | Cryptographer | Network Security & Encryption > Phone +61 7 3031 7217 > Oracle Australia > > On Mon, 7 Mar 2016 05:55:23 PM Bill Parker via RT wrote: > > Hello All, > > > > In reviewing code in directory 'engines/ccgost', file 'gost2001.c', > > there are two calls to BN_new() which are not checked for a return > > value of NULL, indicating failure. > > > > The patch file below should address/correct this issue: > > > > --- gost2001.c.orig 2016-03-06 11:32:49.676178425 -0800 > > +++ gost2001.c 2016-03-06 11:38:04.604204158 -0800 > > @@ -434,6 +434,10 @@ > > int gost2001_keygen(EC_KEY *ec) > > { > > BIGNUM *order = BN_new(), *d = BN_new(); > > + if (!order || !d) { > > + GOSTerr(GOST_F_GOST2001_KEYGEN, ERR_R_MALLOC_FAILURE); > > + return 0; > > + } > > const EC_GROUP *group = EC_KEY_get0_group(ec); > > > > if(!group || !EC_GROUP_get_order(group, order, NULL)) { > > > > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4386 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4386 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 7 21:48:23 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 7 Mar 2016 16:48:23 -0500 Subject: [openssl-dev] MacOS defaults? In-Reply-To: References: <20160306152712.18296912.69389.55951@ll.mit.edu> <56DCB7C2.8070101@openssl.org> Message-ID: On Mon, Mar 7, 2016 at 3:57 PM, Jeffrey Walton wrote: > On Sun, Mar 6, 2016 at 6:05 PM, Andy Polyakov wrote: >>>> Hmm. So why do I see this on my macbook? >>>> >>>> $ arch >>>> i386 >>> >>> Try "uname -m" >> >> This is not reliable. Because it must have changed recently, it used to >> be i386 even on 64-bit systems. sysctl -n hw.optional.x86_64 is the way >> to go, it's right there in ./config... > > ... > However, there are two interesting ones on the PowerMac: > > $ sysctl -A 2>/dev/null | grep hw | egrep 'machine|64' > hw.machine = Power Macintosh > hw.physmem = 2147483648 > hw.l2settings = 2147483648 > hw.optional.64bitops: 1 > hw.cpu64bit_capable: 1 It looks like Apple is using either hw.optional.64bitops or hw.optional.x86_64 (http://opensource.apple.com/source/xnu/xnu-1504.7.4/tools/tests/xnu_quick_test/misc.c?txt): /* * Gets the bit'ed-ness of the current host. Returns either 32 or 64. * This get the hardware capability, but does not tell us whether this * binary is executing in 64 bit or 32 bit mode. Check sizeof long * or pointer to determine that. */ int get_bits() { int my_err, buf; size_t len = 0; int rval = 32; /* * On 32-bit systems the sysctls 64bitops and x86_64 don't * even exists, so if we don't find them then we assume * a 32-bit system. */ /* Check for PPC 64 */ if ((my_err = sysctlbyname("hw.optional.64bitops", NULL, &len, NULL, 0))) goto x86_64check; /* Request size */ if (len > sizeof(buf)) goto x86_64check; if ((my_err = sysctlbyname("hw.optional.64bitops", &buf, &len, NULL, 0))) goto x86_64check; /* Copy value out from kernel */ if (buf == 1) rval = 64; goto finished; x86_64check: /* Check for x86_64 */ if ((my_err = sysctlbyname("hw.optional.x86_64", NULL, &len, NULL, 0))) goto finished; /* Request size */ if (len > sizeof(buf)) goto finished; if ((my_err = sysctlbyname("hw.optional.x86_64", &buf, &len, NULL, 0))) goto finished; /* Copy value out from kernel */ if (buf == 1) rval = 64; finished: return rval; } From davidben at google.com Mon Mar 7 21:49:20 2016 From: davidben at google.com (David Benjamin) Date: Mon, 07 Mar 2016 21:49:20 +0000 Subject: [openssl-dev] Running against BoringSSL's SSL test suite Message-ID: Hi folks, So, we've by now built up a decent-sized SSL test suite in BoringSSL. I was bored and ran it against OpenSSL master. It revealed a number of bugs. One is https://github.com/openssl/openssl/pull/603. I'll be filing tickets shortly for the remaining ones I've triaged, but I thought I'd send this separately rather than duplicate it everywhere. Emilia also suggested there may be room to collaborate on testing. If nothing else, just borrowing ideas or porting tests to/from your TLSProxy setup. (Like, say, the ones that caught the bugs I'll be reporting. :-) ) So, here's an introduction on how it all works: To run the tests on OpenSSL, clone BoringSSL: https://boringssl.googlesource.com/boringssl/ Then patch in this change. (Click the "Download" in the upper-right for options.) https://boringssl-review.googlesource.com/#/c/7332/ Then follow the instructions in the commit message. The tests themselves and the runner logic live in ssl/test/runner/runner.go: https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 They work by running an unmodified TLS stack in a shim binary against a copy of Go's. We patch our copy with options for weird behavior to test against: https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 Go and shim communicate entirely with sockets and (tons of) command-line flags, though it is slightly overfit to BoringSSL's behavior and checks error strings a lot. The shim also has options like -async mode which we use on a subset of tests to stress state machine resumption. (This has saved me from state machine bugs so many times.) https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 I hope this is useful! Bugs and patches will follow this mail, as I write them up. David -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Mon Mar 7 21:52:24 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 21:52:24 +0000 Subject: [openssl-dev] [openssl.org #4387] [PATCH] Fix V2ClientHello handling In-Reply-To: References: Message-ID: The V2ClientHello code creates an empty compression list, but the compression list must explicitly contain the null compression (and later code enforces this). As a result, all V2ClientHellos currently get rejected on master. The SendV2ClientHello-Sync test in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4387 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-Fix-V2ClientHello-handling.patch Type: application/octet-stream Size: 2032 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 21:55:14 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 21:55:14 +0000 Subject: [openssl-dev] [openssl.org #4388] [PATCH] Don't be sensitive to the order of ALPN and NPN. In-Reply-To: References: Message-ID: If the server consumer configures NPN and not ALPN, OpenSSL should still resolve NPN against clients which advertises it. (NB: Chrome will be removing NPN soon, so hopefully there won't be any such consumers.) Losing the alpn_select_cb check makes OpenSSL depend on whether ALPN or NPN comes first in the ClientHello. If NPN comes first, it will set next_proto_neg_seen but then the ALPN logic will unset next_proto_neg_seen even though tls1_alpn_handle_client_hello won't do anything. If ALPN comes first, it works. This check used to be there, but got lost in 062178678f5374b09f00d70796f6e692e8775aca. The NPN-Server-Sync test in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html (Although I didn't actually add a test for this ordering issue explicitly. This was found on accident because the order our Go code happened to put ALPN and NPN in.) David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4388 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0002-Don-t-be-sensitive-to-the-order-of-ALPN-and-NPN.patch Type: application/octet-stream Size: 1391 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 21:56:25 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 21:56:25 +0000 Subject: [openssl-dev] [openssl.org #4389] [PATCH] The NewSessionTicket message is not optional. In-Reply-To: References: Message-ID: Per RFC 4507, section 3.3: This message [NewSessionTicket] MUST be sent if the server included a SessionTicket extension in the ServerHello. This message MUST NOT be sent if the server did not include a SessionTicket extension in the ServerHello. The presence of the NewSessionTicket message should be determined entirely from the ServerHello without probing. The SkipNewSessionTicket test in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4389 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-The-NewSessionTicket-message-is-not-optional.patch Type: application/octet-stream Size: 1473 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 21:58:12 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 21:58:12 +0000 Subject: [openssl-dev] [openssl.org #4390] [PATCH] Don't send signature algorithms when client_version is below TLS 1.2. In-Reply-To: References: Message-ID: Per RFC 5246, Note: this extension is not meaningful for TLS versions prior to 1.2. Clients MUST NOT offer it if they are offering prior versions. However, even if clients do offer it, the rules specified in [TLSEXT] require servers to ignore extensions they do not understand. Although second sentence would suggest that there would be no interop problems in always offering the extension, WebRTC has reported issues with Bouncy Castle on < TLS 1.2 ClientHellos that still include signature_algorithms. See also https://bugs.chromium.org/p/webrtc/issues/detail?id=4223 Just about any TLS 1.2 client test in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4390 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-Don-t-send-signature-algorithms-when-client_version-.patch Type: application/octet-stream Size: 1320 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 22:01:35 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 22:01:35 +0000 Subject: [openssl-dev] [openssl.org #4391] [PATCH] Tighten up logic around ChangeCipherSpec. In-Reply-To: References: Message-ID: ChangeCipherSpec messages have a defined value. They also may not occur in the middle of a handshake message. The current logic will accept a ChangeCipherSpec with value 2. It also would accept up to three bytes of handshake data before the ChangeCipherSpec which it would discard (because s->init_num gets reset). Instead, require that s->init_num is 0 when a ChangeCipherSpec comes in. The BadChangeCipherSpec-1 test in BoringSSL's test suite can be used to repro part of this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html We do also have a series of FragmentAcrossChangeCipherSpec tests, but they assume the buggy behavior was to concatenate the pre- and post-CCS fragments, rather than drop the pre-CCS fragment. Instead, applying this patch will repro: diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index 0232772..3a93d48 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go @@ -907,6 +907,9 @@ func (hs *serverHandshakeState) sendFinished(out []byte) error { hs.writeServerHash(hs.finishedBytes) postCCSBytes := hs.finishedBytes + if !c.isDTLS { + c.writeRecord(recordTypeHandshake, []byte{'A'}) + } if c.config.Bugs.FragmentAcrossChangeCipherSpec { c.writeRecord(recordTypeHandshake, postCCSBytes[:5]) postCCSBytes = postCCSBytes[5:] David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4391 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0005-Tighten-up-logic-around-ChangeCipherSpec.patch Type: application/octet-stream Size: 1624 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 22:03:20 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 22:03:20 +0000 Subject: [openssl-dev] [openssl.org #4392] [PATCH] Resolve DTLS cookie and version before session resumption. In-Reply-To: References: Message-ID: Session resumption involves a version check, so version negotiation must happen first. Currently, the DTLS implementation cannot do session resumption in DTLS 1.0 because the ssl_version check always checks against 1.2. Switching the order also removes the need to fixup ssl_version in DTLS version negotiation. The DTLS1-ECDHE-RSA-AES256-SHA-server test (and any other DTLS1-{cipher-name}-server test) in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4392 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0006-Resolve-DTLS-cookie-and-version-before-session-resum.patch Type: application/octet-stream Size: 4150 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 22:04:22 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 22:04:22 +0000 Subject: [openssl-dev] [openssl.org #4393] [PATCH] Call EC_GROUP_order_bits in priv2opt. In-Reply-To: References: Message-ID: The private key is a scalar and should be sized by the order, not the degree. (Unlike my other recent emails, this has nothing to do with BoringSSL tests. :-) ) David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4393 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0007-Call-EC_GROUP_order_bits-in-priv2opt.patch Type: application/octet-stream Size: 819 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 22:08:27 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 22:08:27 +0000 Subject: [openssl-dev] [openssl.org #4394] OpenSSL 1.1.0 state machine can't read handshake headers async In-Reply-To: References: Message-ID: No patch for this one since I'm not that familiar with your state machine. If the peer sends handshake messages fragmented across records such that the handshake message header is split over two records AND the two records are received in different steps asynchronously, OpenSSL fails to reassemble the message. This is because every iteration through the READ_STATE_HEADER step in read_state_machine resets s->init_num. https://github.com/openssl/openssl/blob/0d4fb8439092ff8253af72ac6bc193e77ebbcf2f/ssl/statem/statem.c#L550 Instead, it should only get reset once between messages. The Basic-Server-Async-SplitHandshakeRecords test in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html (Also most other tests that say Async and SplitHandshakeRecords in them.) David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4394 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 7 22:27:24 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 07 Mar 2016 22:27:24 +0000 Subject: [openssl-dev] [openssl.org #4395] OpenSSL doesn't reject out-of-context empty records In-Reply-To: References: Message-ID: ssl3_get_record silently discards empty records without much context, which means OpenSSL will happily accept, e.g., empty app data records mid-handshake or empty records of bogus type. They get silently discarded and never returned to the caller, so this is harmless, just a little odd. This is what we did to fix it: https://boringssl.googlesource.com/boringssl.git/+/4cf369b9204f066e0ffac8fa583bd19e72c82592%5E%21/ Something similar would probably work. The AppDataBeforeHandshake-Empty and AppDataAfterChangeCipherSpec-Empty tests in BoringSSL's test suite can be used to repro this: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4395 Please log in as guest with password guest if prompted From uri at ll.mit.edu Mon Mar 7 22:47:22 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 7 Mar 2016 22:47:22 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <56DDC78D.8020507@oracle.com> References: <1457369381041-64385.post@n7.nabble.com> <20160307.185630.29267628196195539.levitte@openssl.org> <56DDC78D.8020507@oracle.com> Message-ID: A na?ve question. OpenSSL RSA engine (RSAX) by Intel wants to call function mod_exp_512() that is defined somewhere else. I checked, and that function is not defined anywhere in the sources of either OpenSSL-1.0.2h-dev, or OpenSSL-1.1.0-pre. $ clang -shared -o eng_rsax.so eng_rsax.o -L/opt/local/lib -lcrypto Undefined symbols for architecture x86_64: "_mod_exp_512", referenced from: _e_rsax_bn_mod_exp in eng_rsax.o ld: symbol(s) not found for architecture x86_64 clang: error: linker command failed with exit code 1 (use -v to see invocation) $ openssl version OpenSSL 1.0.2h-dev xx XXX xxxx $ Does it mean that this method has been deprecated and removed? If so, what functions should be used instead? Also, this Intel-optimized engine (from 2010) seems to be geared towards RSA-1024, which isn?t considered adequate by now. Does it mean this engine has been deprecated as well, and shouldn?t be used (assuming one can link a valid shared library, resolving that undefined reference)? Does the current OpenSSL RSA code contains optimizations proposed by that engine? Thanks! P.S. My OpenSSL-1.0.2h-dev installation was configured for darwin-x86_64-cc, and seems to function correctly. It also passed all the tests. -- Regards, Uri Blumenthal From: openssl-dev on behalf of Jeremy Farrell Organization: Oracle Corporation Reply-To: openssl-dev Date: Monday, March 7, 2016 at 13:25 To: openssl-dev Subject: Re: [openssl-dev] Errors when loading an OpenSSL RSA Engine > On 07/03/2016 17:56, Richard Levitte wrote: >> In message <1457369381041-64385.post at n7.nabble.com> >> on Mon, 7 Mar 2016 09:49:41 >> -0700 (MST), danigrosu >> said: >> >> dni.grosu> I want to build an OpenSSL RSA engine, starting from this existing >> dni.grosu> source code file >> dni.grosu> which is a faster method implemented by Intel. First of all I want >> to >> dni.grosu> build this code so I'm using these commands: >> dni.grosu> >> dni.grosu> gcc -fPIC -m64 -o eng_rsax.o -c eng_rsax.c >> dni.grosu> gcc -shared -o eng_rsax.so -lcrypto eng_rsax.o >> >> You might want to try this: >> >> gcc -shared -o eng_rsax.so eng_rsax.o -lcrypto >> >> When linking, order is important. > > In the spirit of teaching to fish, this could have been discovered by looking > at the makefiles which build the engine. Those aren't always easy to decipher, > so an alternative would have been just to build that OpenSSL release and look > at all the output lines from the build which mention eng_rsax. > -- > J. J. Farrell -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From rt at openssl.org Mon Mar 7 23:02:26 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 07 Mar 2016 23:02:26 +0000 Subject: [openssl-dev] [openssl.org #4396] OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: Message-ID: This just showed up on OS X 10-5, 64-bit PowerPC. Its not present under Linux. $ git reset --hard HEAD HEAD is now at e1d9f1a Remove kinv/r fields from DSA structure. $ git pull Already up-to-date. $ ./config && make depend && make clean && make ... c -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc64 -DB_ENDIAN -fPIC -c record/rec_layer_s3.c -o record/rec_layer_s3.o record/rec_layer_s3.c: In function 'ssl3_write_bytes': record/rec_layer_s3.c:645: error: 'split_send_fragment' undeclared (first use in this function) record/rec_layer_s3.c:645: error: (Each undeclared identifier is reported only once record/rec_layer_s3.c:645: error: for each function it appears in.) record/rec_layer_s3.c:652: error: 'maxpipes' undeclared (first use in this function) make[1]: *** [record/rec_layer_s3.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4396 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 7 23:28:36 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 07 Mar 2016 23:28:36 +0000 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: Message-ID: On Mon, Mar 7, 2016 at 6:02 PM, Jeffrey Walton wrote: > This just showed up on OS X 10-5, 64-bit PowerPC. Its not present under Linux. > > $ git reset --hard HEAD > HEAD is now at e1d9f1a Remove kinv/r fields from DSA structure. > $ git pull > Already up-to-date. This can be duplicated on Linux with: $ ./config -DOPENSSL_NO_MULTIBLOCK Result: gcc -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSL_NO_MULTIBLOCK -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -c record/rec_layer_s3.c -o record/rec_layer_s3.o record/rec_layer_s3.c: In function 'ssl3_write_bytes': record/rec_layer_s3.c:645:5: error: 'split_send_fragment' undeclared (first use in this function) split_send_fragment = s->split_send_fragment; ^ record/rec_layer_s3.c:645:5: note: each undeclared identifier is reported only once for each function it appears in record/rec_layer_s3.c:652:5: error: 'maxpipes' undeclared (first use in this function) maxpipes = s->max_pipelines; ^ record/rec_layer_s3.c:453:21: warning: unused variable 'nw' [-Wunused-variable] unsigned int n, nw; ^ make[1]: *** [record/rec_layer_s3.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4396 Please log in as guest with password guest if prompted From matt at openssl.org Mon Mar 7 23:29:17 2016 From: matt at openssl.org (Matt Caswell) Date: Mon, 7 Mar 2016 23:29:17 +0000 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: Message-ID: <56DE0ECD.2020603@openssl.org> Fix already on the way. Matt On 07/03/16 23:28, noloader at gmail.com via RT wrote: > On Mon, Mar 7, 2016 at 6:02 PM, Jeffrey Walton wrote: >> This just showed up on OS X 10-5, 64-bit PowerPC. Its not present under Linux. >> >> $ git reset --hard HEAD >> HEAD is now at e1d9f1a Remove kinv/r fields from DSA structure. >> $ git pull >> Already up-to-date. > > This can be duplicated on Linux with: > > $ ./config -DOPENSSL_NO_MULTIBLOCK > > > Result: > > gcc -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSL_NO_MULTIBLOCK -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -Wa,--noexecstack -fPIC -c record/rec_layer_s3.c -o > record/rec_layer_s3.o > record/rec_layer_s3.c: In function 'ssl3_write_bytes': > record/rec_layer_s3.c:645:5: error: 'split_send_fragment' undeclared > (first use in this function) > split_send_fragment = s->split_send_fragment; > ^ > record/rec_layer_s3.c:645:5: note: each undeclared identifier is > reported only once for each function it appears in > record/rec_layer_s3.c:652:5: error: 'maxpipes' undeclared (first use > in this function) > maxpipes = s->max_pipelines; > ^ > record/rec_layer_s3.c:453:21: warning: unused variable 'nw' [-Wunused-variable] > unsigned int n, nw; > ^ > make[1]: *** [record/rec_layer_s3.o] Error 1 > > From rt at openssl.org Mon Mar 7 23:29:18 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Mon, 07 Mar 2016 23:29:18 +0000 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: <56DE0ECD.2020603@openssl.org> References: <56DE0ECD.2020603@openssl.org> Message-ID: Fix already on the way. Matt On 07/03/16 23:28, noloader at gmail.com via RT wrote: > On Mon, Mar 7, 2016 at 6:02 PM, Jeffrey Walton wrote: >> This just showed up on OS X 10-5, 64-bit PowerPC. Its not present under Linux. >> >> $ git reset --hard HEAD >> HEAD is now at e1d9f1a Remove kinv/r fields from DSA structure. >> $ git pull >> Already up-to-date. > > This can be duplicated on Linux with: > > $ ./config -DOPENSSL_NO_MULTIBLOCK > > > Result: > > gcc -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSL_NO_MULTIBLOCK -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -Wa,--noexecstack -fPIC -c record/rec_layer_s3.c -o > record/rec_layer_s3.o > record/rec_layer_s3.c: In function 'ssl3_write_bytes': > record/rec_layer_s3.c:645:5: error: 'split_send_fragment' undeclared > (first use in this function) > split_send_fragment = s->split_send_fragment; > ^ > record/rec_layer_s3.c:645:5: note: each undeclared identifier is > reported only once for each function it appears in > record/rec_layer_s3.c:652:5: error: 'maxpipes' undeclared (first use > in this function) > maxpipes = s->max_pipelines; > ^ > record/rec_layer_s3.c:453:21: warning: unused variable 'nw' [-Wunused-variable] > unsigned int n, nw; > ^ > make[1]: *** [record/rec_layer_s3.o] Error 1 > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4396 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 7 23:43:57 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 7 Mar 2016 18:43:57 -0500 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: <56DE0ECD.2020603@openssl.org> Message-ID: On Mon, Mar 7, 2016 at 6:29 PM, Matt Caswell via RT wrote: > Fix already on the way. > Thanks. I'm not sure what's triggering it on OS X because those defines don't seem to show up in the configuration gear: $ egrep -R 'EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK|OPENSSL_NO_MULTIBLOCK' * | cut -d ':' -f 1 | sort | uniq apps/speed.c crypto/evp/e_aes_cbc_hmac_sha1.c crypto/evp/e_aes_cbc_hmac_sha256.c doc/crypto/EVP_CIPHER_meth_new.pod include/openssl/evp.h ssl/record/rec_layer_s3.c Jeff From rt at openssl.org Mon Mar 7 23:43:59 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 07 Mar 2016 23:43:59 +0000 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: <56DE0ECD.2020603@openssl.org> Message-ID: On Mon, Mar 7, 2016 at 6:29 PM, Matt Caswell via RT wrote: > Fix already on the way. > Thanks. I'm not sure what's triggering it on OS X because those defines don't seem to show up in the configuration gear: $ egrep -R 'EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK|OPENSSL_NO_MULTIBLOCK' * | cut -d ':' -f 1 | sort | uniq apps/speed.c crypto/evp/e_aes_cbc_hmac_sha1.c crypto/evp/e_aes_cbc_hmac_sha256.c doc/crypto/EVP_CIPHER_meth_new.pod include/openssl/evp.h ssl/record/rec_layer_s3.c Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4396 Please log in as guest with password guest if prompted From matt at openssl.org Tue Mar 8 00:04:54 2016 From: matt at openssl.org (Matt Caswell) Date: Tue, 8 Mar 2016 00:04:54 +0000 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: <56DE0ECD.2020603@openssl.org> Message-ID: <56DE1726.4000205@openssl.org> On 07/03/16 23:43, noloader at gmail.com via RT wrote: > On Mon, Mar 7, 2016 at 6:29 PM, Matt Caswell via RT wrote: >> Fix already on the way. >> > > Thanks. I'm not sure what's triggering it on OS X because those > defines don't seem to show up in the configuration gear: EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is defined in evp.h: # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0x400000 Then at the top of rec_layer_s3.c we have this: #if defined(OPENSSL_SMALL_FOOTPRINT) || \ !( defined(AES_ASM) && ( \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) || \ defined(__INTEL__) ) \ ) # undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0 #endif So, if the above condition evaluates to true then EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is redefined to be 0 and then when we get here: #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK unsigned int max_send_fragment, split_send_fragment, maxpipes; unsigned int u_len = (unsigned int)len; #endif The condition will evaluate to false, and so the variables in question will not be defined. Matt From rt at openssl.org Tue Mar 8 00:04:58 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Tue, 08 Mar 2016 00:04:58 +0000 Subject: [openssl-dev] [openssl.org #4396]: OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: <56DE1726.4000205@openssl.org> References: <56DE0ECD.2020603@openssl.org> <56DE1726.4000205@openssl.org> Message-ID: On 07/03/16 23:43, noloader at gmail.com via RT wrote: > On Mon, Mar 7, 2016 at 6:29 PM, Matt Caswell via RT wrote: >> Fix already on the way. >> > > Thanks. I'm not sure what's triggering it on OS X because those > defines don't seem to show up in the configuration gear: EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is defined in evp.h: # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0x400000 Then at the top of rec_layer_s3.c we have this: #if defined(OPENSSL_SMALL_FOOTPRINT) || \ !( defined(AES_ASM) && ( \ defined(__x86_64) || defined(__x86_64__) || \ defined(_M_AMD64) || defined(_M_X64) || \ defined(__INTEL__) ) \ ) # undef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK # define EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK 0 #endif So, if the above condition evaluates to true then EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK is redefined to be 0 and then when we get here: #if !defined(OPENSSL_NO_MULTIBLOCK) && EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK unsigned int max_send_fragment, split_send_fragment, maxpipes; unsigned int u_len = (unsigned int)len; #endif The condition will evaluate to false, and so the variables in question will not be defined. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4396 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 8 00:49:56 2016 From: rt at openssl.org (Yuriy M. Kaminskiy via RT) Date: Tue, 08 Mar 2016 00:49:56 +0000 Subject: [openssl-dev] [openssl.org #4377] Prevent potential NULL pointer dereference in OpenSSL-1.0.2g (CWE-476) In-Reply-To: <56DE21AD.1030900@gmail.com> References: <56DE21AD.1030900@gmail.com> Message-ID: On 04.03.2016 20:33, Bill Parker via RT wrote: > In reviewing code in directory 'crypto/evp', in file 'openbsd_hw.c', > there is a call to OPENSSL_realloc() which is NOT checked for a return > value of NULL, indicating failure. However, the statement after this > is memcpy(), which if the destination variable is NULL, will result > in a segmentation fault/violation. > > The patch file below should address/correct this issue: > > --- openbsd_hw.c.orig 2016-03-02 15:36:57.236927351 -0800 > +++ openbsd_hw.c 2016-03-03 18:56:58.169567807 -0800 > @@ -364,6 +378,10 @@ > return do_digest(md_data->sess.ses, md_data->md, data, len); > > md_data->data = OPENSSL_realloc(md_data->data, md_data->len + len); > + if (md_data->data == NULL) { > + err("DEV_CRYPTO_MD5_UPDATE: unable to allocate memory"); > + return 0; > + } > memcpy(md_data->data + md_data->len, data, len); > md_data->len += len; 1) After return, it leaves with md_data->data = NULL and (possibly) md_data->len > 0, so next call to *update or *final will segfault. 2) Leaks old data that was pointed by md_data. P.S. md5, 3des and rc4. At least, it is not in master already. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4377 Please log in as guest with password guest if prompted From jeremy.farrell at oracle.com Tue Mar 8 01:49:39 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Tue, 8 Mar 2016 01:49:39 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: References: <1457369381041-64385.post@n7.nabble.com> <20160307.185630.29267628196195539.levitte@openssl.org> <56DDC78D.8020507@oracle.com> Message-ID: <56DE2FB3.5050705@oracle.com> If I remember correctly, the RSAX engine was dropped from OpenSSL in 1.0.2 because equivalent code had been added to the core OpenSSL library. It built correctly in 1.0.1. Regards, jjf On 07/03/2016 22:47, Blumenthal, Uri - 0553 - MITLL wrote: > A na?ve question. > > OpenSSL RSA engine (RSAX) by Intel wants to call function > mod/_/exp/_/512() that is defined somewhere else. I checked, and that > function is not defined anywhere in the sources of either > OpenSSL-1.0.2h-dev, or OpenSSL-1.1.0-pre. > > $ clang -shared -o eng_rsax.so eng_rsax.o -L/opt/local/lib -lcrypto > > Undefined symbols for architecture x86_64: > > "_mod_exp_512", referenced from: > > _e_rsax_bn_mod_exp in eng_rsax.o > > ld: symbol(s) not found for architecture x86_64 > > clang: error: linker command failed with exit code 1 (use -v to see > invocation) > > $ openssl version > > OpenSSL 1.0.2h-dev xx XXX xxxx > > $ > > > Does it mean that this method has been deprecated and removed? If so, > what functions should be used instead? > > Also, this Intel-optimized engine (from 2010) seems to be geared > towards RSA-1024, which isn?t considered adequate by now. Does it mean > this engine has been deprecated as well, and shouldn?t be used > (assuming one can link a valid shared library, resolving that > undefined reference)? Does the current OpenSSL RSA code contains > optimizations proposed by that engine? > > Thanks! > > P.S. My OpenSSL-1.0.2h-dev installation was configured for > darwin-x86_64-cc, and seems to function correctly. It also passed all > the tests. > -- > Regards, > Uri Blumenthal > > From: openssl-dev > on behalf of Jeremy Farrell > > > Organization: Oracle Corporation > Reply-To: openssl-dev > > Date: Monday, March 7, 2016 at 13:25 > To: openssl-dev > > Subject: Re: [openssl-dev] Errors when loading an OpenSSL RSA Engine > > On 07/03/2016 17:56, Richard Levitte wrote: >> In message<1457369381041-64385.post at n7.nabble.com> on Mon, 7 Mar 2016 09:49:41 -0700 (MST), danigrosu said: >> >> dni.grosu> I want to build an OpenSSL RSA engine, starting from this existing >> dni.grosu> source code file >> dni.grosu> which is a faster method implemented by Intel. First of all I want to >> dni.grosu> build this code so I'm using these commands: >> dni.grosu> >> dni.grosu> gcc -fPIC -m64 -o eng_rsax.o -c eng_rsax.c >> dni.grosu> gcc -shared -o eng_rsax.so -lcrypto eng_rsax.o >> >> You might want to try this: >> >> gcc -shared -o eng_rsax.so eng_rsax.o -lcrypto >> >> When linking, order is important. > > In the spirit of teaching to fish, this could have been discovered > by looking at the makefiles which build the engine. Those aren't > always easy to decipher, so an alternative would have been just to > build that OpenSSL release and look at all the output lines from > the build which mention eng_rsax. > > -- > J. J. Farrell > > -- J. J. Farrell Not speaking for Oracle -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Tue Mar 8 02:19:49 2016 From: rt at openssl.org (Hejian via RT) Date: Tue, 08 Mar 2016 02:19:49 +0000 Subject: [openssl-dev] =?utf-8?b?562U5aSNOiAg562U5aSNOiDnrZTlpI06IFtvcGVu?= =?utf-8?q?ssl=2Eorg_=234360=5D_=5BBUG=5D_OpenSSL-1=2E0=2E1_crash_o?= =?utf-8?q?n_sha1=5Fblock=5Fdata=5Forder=5Fssse3_asm?= In-Reply-To: References: <56D59088.2070006@openssl.org> <56D6B71B.5010508@openssl.org> Message-ID: Hi Jeff, I'm not sure this information is enough, if you want more information about this problem, please tell me ASAP. Thank you. B/R -----????----- ???: Hejian (E) ????: 2016?3?7? 11:24 ???: 'noloader at gmail.com' ??: openssl-dev at openssl.org; Liubo (Liubo, OSS); 'rt at openssl.org' ??: ??: [openssl-dev] ??: ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm Hi Jeff Thanks for your reply, this are registers info: (gdb) info all-registers rax 0x745dd1f0 1952305648 rbx 0xf92ba6dd 4180387549 rcx 0x7b69e2f6 2070536950 rdx 0x86dab00c 2262478860 rsi 0x6436d580 1681315200 rdi 0x4763c5a8 1197721000 rbp 0x72856ca1 0x72856ca1 rsp 0x50a7e100 0x50a7e100 r8 0x55555a419c60 93825074830432 r9 0x2b4174415ff8 47560123310072 r10 0x2b417433acb8 47560122412216 r11 0x2b41740e9080 47560119980160 r12 0xffffffffffffffe7 -25 r13 0x2b417433acf8 47560122412280 r14 0x55555a419c7c 93825074830460 r15 0x3ff 1023 rip 0x2b41740e8db8 0x2b41740e8db8 eflags 0x10202 [ IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x63 99 gs 0x0 0 st0 0 (raw 0x00000000000000000000) st1 0 (raw 0x00000000000000000000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) st6 0 (raw 0x00000000000000000000) st7 0 (raw 0x00000000000000000000) fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xd3, 0x54, 0x10, 0xaa, 0xa1, 0x94, 0x90, 0x33, 0x41, 0xcc, 0x30, 0x31, 0x73, 0x5c, 0x80, 0xac}, v8_int16 = {0x54d3, 0xaa10, 0x94a1, 0x3390, 0xcc41, 0x3130, 0x5c73, 0xac80}, v4_int32 = {0xaa1054d3, 0x339094a1, 0x3130cc41, 0xac805c73}, v2_int64 = {0x339094a1aa1054d3, 0xac805c733130cc41}, uint128 = 0xac805c733130cc41339094a1aa1054d3} ---Type to continue, or q to quit--- xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x32, 0x47, 0xe5, 0x7e, 0x72, 0x80, 0xf1, 0xf, 0x66, 0x60, 0x37, 0xf, 0x99, 0x44, 0x6, 0xb7}, v8_int16 = {0x4732, 0x7ee5, 0x8072, 0xff1, 0x6066, 0xf37, 0x4499, 0xb706}, v4_int32 = {0x7ee54732, 0xff18072, 0xf376066, 0xb7064499}, v2_int64 = {0xff180727ee54732, 0xb70644990f376066}, uint128 = 0xb70644990f3760660ff180727ee54732} xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x7d, 0xcc, 0xbf, 0xf8, 0xc3, 0xd1, 0x32, 0x9, 0x33, 0x61, 0xb0, 0xba, 0x6d, 0x9, 0xde, 0x80}, v8_int16 = {0xcc7d, 0xf8bf, 0xd1c3, 0x932, 0x6133, 0xbab0, 0x96d, 0x80de}, v4_int32 = {0xf8bfcc7d, 0x932d1c3, 0xbab06133, 0x80de096d}, v2_int64 = {0x932d1c3f8bfcc7d, 0x80de096dbab06133}, uint128 = 0x80de096dbab061330932d1c3f8bfcc7d} xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x8000000000000000}, v16_int8 = {0x7b, 0x59, 0xd6, 0x82, 0x4, 0xd2, 0x31, 0x1e, 0xf, 0x72, 0x86, 0x7e, 0x13, 0x23, 0x2d, 0x5b}, v8_int16 = {0x597b, 0x82d6, 0xd204, 0x1e31, 0x720f, 0x7e86, 0x2313, 0x5b2d}, v4_int32 = {0x82d6597b, 0x1e31d204, 0x7e86720f, 0x5b2d2313}, v2_int64 = {0x1e31d20482d6597b, 0x5b2d23137e86720f}, uint128 = 0x5b2d23137e86720f1e31d20482d6597b} xmm4 {v4_float = {0x0, 0x2eef0000, 0x0, 0x0}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xec, 0x23, 0xe4, 0x91, 0x11, 0xd1, 0xa, 0xd3, 0x41, 0x2d, 0xb5, 0x7b, 0x89, 0x87, 0x99, 0xed}, v8_int16 = {0x23ec, 0x91e4, 0xd111, 0xd30a, 0x2d41, 0x7bb5, 0x8789, 0xed99}, v4_int32 = {0x91e423ec, 0xd30ad111, 0x7bb52d41, 0xed998789}, v2_int64 = {0xd30ad11191e423ec, 0xed9987897bb52d41}, uint128 = 0xed9987897bb52d41d30ad11191e423ec} xmm5 {v4_float = {0x1, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x79, 0x55, 0x93, 0x3f, 0x52, 0x79, 0x16, 0x14, 0xd2, 0xdc, 0x77, 0x1f, 0xa3, 0x65, 0x51, 0x33}, v8_int16 = {0x5579, 0x3f93, 0x7952, 0x1416, 0xdcd2, 0x1f77, 0x65a3, 0x3351}, v4_int32 = {0x3f935579, 0x14167952, 0x1f77dcd2, 0x335165a3}, v2_int64 = {0x141679523f935579, 0x335165a31f77dcd2}, uint128 = 0x335165a31f77dcd2141679523f935579} xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x3, 0x2, 0x1, 0x0, 0x7, 0x6, 0x5, 0x4, 0xb, 0xa, 0x9, 0x8, 0xf, 0xe, 0xd, 0xc}, v8_int16 = {0x203, 0x1, 0x607, 0x405, 0xa0b, 0x809, 0xe0f, 0xc0d}, v4_int32 = {0x10203, 0x4050607, 0x8090a0b, 0xc0d0e0f}, v2_int64 = {0x405060700010203, 0xc0d0e0f08090a0b}, uint128 = 0x0c0d0e0f08090a0b0405060700010203} xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x93, 0xbe, 0x6, 0x2c, 0x89, 0x10, 0x8f, 0x11, 0xdf, 0x4, 0xba, 0x9a, 0xca, 0x18, 0xd6, 0xab}, v8_int16 = {0xbe93, 0x2c06, 0x1089, 0x118f, 0x4df, 0x9aba, 0x18ca, 0xabd6}, v4_int32 = {0x2c06be93, 0x118f1089, 0x9aba04df, 0xabd618ca}, v2_int64 = {0x118f10892c06be93, 0xabd618ca9aba04df}, uint128 = 0xabd618ca9aba04df118f10892c06be93} xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0}, v8_int16 = {0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x3, 0x0}, v4_int32 = {0x3, 0x0, 0x3, 0x3}, v2_int64 = {0x3, 0x300000003}, uint128 = 0x00000003000000030000000000000003} xmm9 {v4_float = {0x80000000, 0x80000000, 0x80000000, 0x80000000}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a}, v8_int16 = {0x7999, 0x5a82, 0x7999, 0x5a82, 0x7999, 0x5a82, 0x7999, 0x5a82}, v4_int32 = {0x5a827999, 0x5a827999, 0x5a827999, 0x5a827999}, v2_int64 = {0x5a8279995a827999, 0x5a8279995a827999}, uint128 = 0x5a8279995a8279995a8279995a827999} xmm10 {v4_float = {0xb91b510, 0x0, 0x7499f, 0x0}, v2_double = {0x8000000000000000, 0x0}, v16_int8 = {0x51, 0x1b, 0x39, 0x4d, 0xda, 0x93, 0x94, 0xe8, 0xe5, 0x33, 0xe9, 0x48, 0xe9, 0xe4, 0x8f, 0x25}, v8_int16 = {0x1b51, 0x4d39, 0x93da, 0xe894, 0x33e5, 0x48e9, 0xe4e9, 0x258f}, v4_int32 = {0x4d391b51, 0xe89493da, 0x48e933e5, 0x258fe4e9}, v2_int64 = {0xe89493da4d391b51, 0x258fe4e948e933e5}, uint128 = 0x258fe4e948e933e5e89493da4d391b51} xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ] (gdb) -----????----- ???: Jeffrey Walton [mailto:noloader at gmail.com] ????: 2016?3?3? 12:31 ???: Hejian (E) ??: Re: [openssl-dev] ??: ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm Hi Hejian, He's probably going to want 'info all-registers' because of MMX/SSE3 and the problem with sha1_block_data_order_ssse3. Also see http://sourceware.org/gdb/onlinedocs/gdb/Registers.html. I'm just guessing, and my apologies for bringing it up. Jeff On Wed, Mar 2, 2016 at 11:21 PM, Hejian via RT wrote: > Here is the info reg: > > (gdb) info reg > rax 0x745dd1f0 1952305648 > rbx 0xf92ba6dd 4180387549 > rcx 0x7b69e2f6 2070536950 > rdx 0x86dab00c 2262478860 > rsi 0x6436d580 1681315200 > rdi 0x4763c5a8 1197721000 > rbp 0x72856ca1 0x72856ca1 > rsp 0x50a7e100 0x50a7e100 > r8 0x55555a419c60 93825074830432 > r9 0x2b4174415ff8 47560123310072 > r10 0x2b417433acb8 47560122412216 > r11 0x2b41740e9080 47560119980160 > r12 0xffffffffffffffe7 -25 > r13 0x2b417433acf8 47560122412280 > r14 0x55555a419c7c 93825074830460 > r15 0x3ff 1023 > rip 0x2b41740e8db8 0x2b41740e8db8 > eflags 0x10202 [ IF RF ] > cs 0x33 51 > ss 0x2b 43 > ds 0x0 0 > es 0x0 0 > fs 0x63 99 > gs 0x0 0 > (gdb) > > > -----????----- > ???: Andy Polyakov via RT [mailto:rt at openssl.org] > ????: 2016?3?3? 1:24 > ???: Hejian (E) > ??: openssl-dev at openssl.org > ??: Re: [openssl-dev] ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 > crash on sha1_block_data_order_ssse3 asm > >> 0x00002b41740e8da7 <+2967>: je 0x2b41740e8f40 >> 0x00002b41740e8dad <+2973>: movdqa 0x40(%r11),%xmm6 >> 0x00002b41740e8db3 <+2979>: movdqa (%r11),%xmm9 >> => 0x00002b41740e8db8 <+2984>: movdqu (%r9),%xmm0 --is this what you want ? > > And 'info reg' please. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 8 02:41:19 2016 From: rt at openssl.org (Clemens Lang via RT) Date: Tue, 08 Mar 2016 02:41:19 +0000 Subject: [openssl-dev] [openssl.org #4397] BUG: 1.0.2g fails to build on Mac OS X 10.6.8 due to 0b assembly literals In-Reply-To: <20160304205851.GC2208@cBookPro.fritz.box> References: <20160304205851.GC2208@cBookPro.fritz.box> Message-ID: Some older versions of OS X (10.6.8 "Snow Leopard" and possibly below) ship with a toolchain that is based on an old version of the GNU assembler, which does not support binary literals. Assembling an expression that contains a 0b00011011 literal will cause a warning and treat the immediate as 0. This makes the build fail: sha1-x86_64.s:1243:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1243:suffix or operands invalid for `pshufd' sha1-x86_64.s:1245:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1245:suffix or operands invalid for `pshufd' sha1-x86_64.s:1395:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1395:suffix or operands invalid for `pshufd' sha1-x86_64.s:1396:missing or invalid immediate expression `0b00011011' taken as 0 sha1-x86_64.s:1396:suffix or operands invalid for `pshufd' make[2]: *** [sha1-x86_64.o] Error 1 An easy workaround is using hexadecimal literals, which are supported by the toolchain. Joshua Root has prepared a patch that I have sent as a pull request at https://github.com/openssl/openssl/pull/792 Please pull to avoid breaking openssl for users on Mac OS X 10.6.8. The problem was originally reported in the MacPorts bug tracker at https://trac.macports.org/ticket/50771 -- Clemens Lang MacPorts Developer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4397 Please log in as guest with password guest if prompted From matt at openssl.org Tue Mar 8 10:10:17 2016 From: matt at openssl.org (Matt Caswell) Date: Tue, 8 Mar 2016 10:10:17 +0000 Subject: [openssl-dev] Running against BoringSSL's SSL test suite In-Reply-To: References: Message-ID: <56DEA509.9020401@openssl.org> On 07/03/16 21:49, David Benjamin wrote: > Hi folks, > > So, we've by now built up a decent-sized SSL test suite in BoringSSL. I > was bored and ran it against OpenSSL master. It revealed a number of > bugs. One is https://github.com/openssl/openssl/pull/603. I'll be filing > tickets shortly for the remaining ones I've triaged, but I thought I'd > send this separately rather than duplicate it everywhere. Wow! That's awesome! Thanks David. > > Emilia also suggested there may be room to collaborate on testing. If > nothing else, just borrowing ideas or porting tests to/from your > TLSProxy setup. (Like, say, the ones that caught the bugs I'll be > reporting. :-) ) So, here's an introduction on how it all works: > > To run the tests on OpenSSL, clone BoringSSL: > https://boringssl.googlesource.com/boringssl/ > Then patch in this change. (Click the "Download" in the upper-right for > options.) > https://boringssl-review.googlesource.com/#/c/7332/ > Then follow the instructions in the commit message. > > The tests themselves and the runner logic live in ssl/test/runner/runner.go: > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 > > They work by running an unmodified TLS stack in a shim binary against a > copy of Go's. We patch our copy with options for weird behavior to test > against: > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 > > Go and shim communicate entirely with sockets and (tons of) command-line > flags, though it is slightly overfit to BoringSSL's behavior and checks > error strings a lot. The shim also has options like -async mode which we > use on a subset of tests to stress state machine resumption. (This has > saved me from state machine bugs so many times.) > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 > > I hope this is useful! Bugs and patches will follow this mail, as I > write them up. Great. We're in the final few days prior to the 1.1.0 feature freeze and the team are working flat out at the moment. I'll try and start looking at them once we're past that milestone later this week. Matt From rt at openssl.org Tue Mar 8 10:13:52 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Tue, 08 Mar 2016 10:13:52 +0000 Subject: [openssl-dev] [openssl.org #4396] OS X 10-5, 64-bit PowerPC, error: 'split_send_fragment' undeclared (first use in this function) In-Reply-To: References: Message-ID: On Mon Mar 07 23:02:26 2016, noloader at gmail.com wrote: > This just showed up on OS X 10-5, 64-bit PowerPC. Its not present > under Linux. > > $ git reset --hard HEAD > HEAD is now at e1d9f1a Remove kinv/r fields from DSA structure. > $ git pull > Already up-to-date. > > $ ./config && make depend && make clean && make > ... > > c -I.. -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc64 > -DB_ENDIAN -fPIC -c record/rec_layer_s3.c -o record/rec_layer_s3.o > record/rec_layer_s3.c: In function 'ssl3_write_bytes': > record/rec_layer_s3.c:645: error: 'split_send_fragment' undeclared > (first use in this function) > record/rec_layer_s3.c:645: error: (Each undeclared identifier is > reported only once > record/rec_layer_s3.c:645: error: for each function it appears in.) > record/rec_layer_s3.c:652: error: 'maxpipes' undeclared (first use in > this function) > make[1]: *** [record/rec_layer_s3.o] Error 1 This issue should be fixed now. Closing ticket. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4396 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 8 13:43:48 2016 From: rt at openssl.org (Thomas Brunnthaler via RT) Date: Tue, 08 Mar 2016 13:43:48 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: Message-ID: CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 VC6 x86 TS. Error Message: OS cannot load %1 or so. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 Please log in as guest with password guest if prompted From dni.grosu at gmail.com Tue Mar 8 13:26:46 2016 From: dni.grosu at gmail.com (danigrosu) Date: Tue, 8 Mar 2016 06:26:46 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <20160307.185630.29267628196195539.levitte@openssl.org> References: <1457369381041-64385.post@n7.nabble.com> <20160307.185630.29267628196195539.levitte@openssl.org> Message-ID: <1457443606023-64438.post@n7.nabble.com> I tried your suggestion, but the error still appears. Richard Levitte - VMS Whacker-2 wrote > You might want to try this: > > gcc -shared -o eng_rsax.so eng_rsax.o -lcrypto > > When linking, order is important. Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64438.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Tue Mar 8 14:29:52 2016 From: rt at openssl.org (David Benjamin via RT) Date: Tue, 08 Mar 2016 14:29:52 +0000 Subject: [openssl-dev] [openssl.org #4394] OpenSSL 1.1.0 state machine can't read handshake headers async In-Reply-To: References: Message-ID: On Mon, Mar 7, 2016 at 5:08 PM David Benjamin via RT wrote: > No patch for this one since I'm not that familiar with your state machine. > If the peer sends handshake messages fragmented across records such that > the handshake message header is split over two records AND the two records > are received in different steps asynchronously, OpenSSL fails to reassemble > the message. > > This is because every iteration through the READ_STATE_HEADER step in > read_state_machine resets s->init_num. > > https://github.com/openssl/openssl/blob/0d4fb8439092ff8253af72ac6bc193e77ebbcf2f/ssl/statem/statem.c#L550 > Instead, it should only get reset once between messages. > > The Basic-Server-Async-SplitHandshakeRecords test in BoringSSL's test suite > can be used to repro this: > https://mta.openssl.org/pipermail/openssl-dev/2016-March/005779.html > (Also most other tests that say Async and SplitHandshakeRecords in them.) > Oh, I'd meant to elaborate on this test and forgot. It's part of a series of tests that tries to stress all the async bits of the state machine. SplitHandshakeRecords means each handshake message (I probably should have named it SplitHandshakeMessages), gets fragmented so each record contains only one byte. Async means we tell the shim to install a fake BIO that only releases one byte at a time. The combination does a good job at testing transport-related state machine resumption points. I'm not familiar with how one writes TLSProxy tests, but something proxy-based should also be able to simulate the handshake fragmentation, and then async mode is implemented in the tested process. David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4394 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Tue Mar 8 14:37:02 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 8 Mar 2016 14:37:02 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: Message-ID: <20160308143701.GD10917@mournblade.imrryr.org> On Tue, Mar 08, 2016 at 01:43:48PM +0000, Thomas Brunnthaler via RT wrote: > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 VC6 > x86 TS. Error Message: OS cannot load %1 or so. Is this fixed by: https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe8c75a93fded445 -- Viktor. From rsbecker at nexbridge.com Tue Mar 8 14:57:47 2016 From: rsbecker at nexbridge.com (Randall S. Becker) Date: Tue, 8 Mar 2016 09:57:47 -0500 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: <20160308143701.GD10917@mournblade.imrryr.org> References: <20160308143701.GD10917@mournblade.imrryr.org> Message-ID: <002301d1794a$e46f5f60$ad4e1e20$@nexbridge.com> On March 8, 2016 9:37 AM, Viktor Dukhovni wrote: > To: rt at openssl.org; openssl-dev at openssl.org > Subject: Re: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL > extension > > On Tue, Mar 08, 2016 at 01:43:48PM +0000, Thomas Brunnthaler via RT > wrote: > > > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 > VC6 > > x86 TS. Error Message: OS cannot load %1 or so. > > Is this fixed by: > > > https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe > 8c75a93fded445 We saw this on HPE NonStop NSE on all products using the OpenSSL DLL. Our solution was to reconfigure and rebuild OpenSSH, Curl, wget, git (to name a few). The configure scripts detect that those methods are not present and act appropriately. Cheers, Randall -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. From rt at openssl.org Tue Mar 8 15:09:39 2016 From: rt at openssl.org (Randall S. Becker via RT) Date: Tue, 08 Mar 2016 15:09:39 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: <002301d1794a$e46f5f60$ad4e1e20$@nexbridge.com> References: <20160308143701.GD10917@mournblade.imrryr.org> <002301d1794a$e46f5f60$ad4e1e20$@nexbridge.com> Message-ID: On March 8, 2016 9:37 AM, Viktor Dukhovni wrote: > To: rt at openssl.org; openssl-dev at openssl.org > Subject: Re: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL > extension > > On Tue, Mar 08, 2016 at 01:43:48PM +0000, Thomas Brunnthaler via RT > wrote: > > > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 > VC6 > > x86 TS. Error Message: OS cannot load %1 or so. > > Is this fixed by: > > > https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe > 8c75a93fded445 We saw this on HPE NonStop NSE on all products using the OpenSSL DLL. Our solution was to reconfigure and rebuild OpenSSH, Curl, wget, git (to name a few). The configure scripts detect that those methods are not present and act appropriately. Cheers, Randall -- Brief whoami: NonStop&UNIX developer since approximately UNIX(421664400)/NonStop(211288444200000000) -- In my real life, I talk too much. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 Please log in as guest with password guest if prompted From uri at ll.mit.edu Tue Mar 8 15:15:06 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 8 Mar 2016 15:15:06 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457443606023-64438.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <20160307.185630.29267628196195539.levitte@openssl.org> <1457443606023-64438.post@n7.nabble.com> Message-ID: > I tried your suggestion, but the error still appears. I?ve observed those errors too. Am I correct that the interface for the engine changed between 1.0.1 and 1.0.2? That would explain the issues I saw. Of course, based on the Jeremy?s response, there probably is no need in RSA-X, so no point trying to get it up and running. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From doctor at doctor.nl2k.ab.ca Tue Mar 8 15:24:06 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Tue, 8 Mar 2016 08:24:06 -0700 Subject: [openssl-dev] openssl-SNAP-20160308 issues Message-ID: <20160308152406.GA4312@doctor.nl2k.ab.ca> When did assembler come into the equation? /usr/bin/perl5 asm/e_padlock-x86.pl elf -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PA RT_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -D SHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPO LY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/eng ines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC 386 e_padlock-x86.s .file "asm/e_padlock-x86.s" .text .globl padlock_capability .type padlock_capability, at function .align 16 padlock_capability: .L_padlock_capability_begin: pushl %ebx pushfl popl %eax movl %eax,%ecx xorl $2097152,%eax pushl %eax popfl pushfl popl %eax xorl %eax,%ecx xorl %eax,%eax btl $21,%ecx jnc .L000noluck .byte 0x0f,0xa2 xorl %eax,%eax cmpl $0x746e6543,%ebx jne .L000noluck cmpl $0x48727561,%edx jne .L000noluck cmpl $0x736c7561,%ecx jne .L000noluck movl $3221225472,%eax .byte 0x0f,0xa2 movl %eax,%edx xorl %eax,%eax cmpl $3221225473,%edx jb .L000noluck movl $1,%eax .byte 0x0f,0xa2 orl $15,%eax xorl %ebx,%ebx andl $4095,%eax cmpl $1791,%eax sete %bl movl $3221225473,%eax pushl %ebx .byte 0x0f,0xa2 popl %ebx movl %edx,%eax shll $4,%ebx andl $4294967279,%eax orl %ebx,%eax .L000noluck: popl %ebx ret .size padlock_capability,.-.L_padlock_capability_begin .globl padlock_key_bswap .type padlock_key_bswap, at function .align 16 padlock_key_bswap: .L_padlock_key_bswap_begin: movl 4(%esp),%edx movl 240(%edx),%ecx .L001bswap_loop: movl (%edx),%eax bswap %eax movl %eax,(%edx) leal 4(%edx),%edx subl $1,%ecx jnz .L001bswap_loop ret .size padlock_key_bswap,.-.L_padlock_key_bswap_begin .globl padlock_verify_context .type padlock_verify_context, at function .align 16 padlock_verify_context: .L_padlock_verify_context_begin: movl 4(%esp),%edx leal .Lpadlock_saved_context-.L002verify_pic_point,%eax pushfl call _padlock_verify_ctx .L002verify_pic_point: leal 4(%esp),%esp ret .size padlock_verify_context,.-.L_padlock_verify_context_begin .type _padlock_verify_ctx, at function .align 16 _padlock_verify_ctx: addl (%esp),%eax btl $30,4(%esp) jnc .L003verified cmpl (%eax),%edx je .L003verified pushfl popfl .L003verified: movl %edx,(%eax) ret .size _padlock_verify_ctx,.-_padlock_verify_ctx .globl padlock_reload_key .type padlock_reload_key, at function .align 16 padlock_reload_key: .L_padlock_reload_key_begin: pushfl popfl ret .size padlock_reload_key,.-.L_padlock_reload_key_begin .globl padlock_aes_block .type padlock_aes_block, at function .align 16 padlock_aes_block: .L_padlock_aes_block_begin: pushl %edi pushl %esi pushl %ebx movl 16(%esp),%edi movl 20(%esp),%esi movl 24(%esp),%edx movl $1,%ecx leal 32(%edx),%ebx leal 16(%edx),%edx .byte 243,15,167,200 popl %ebx popl %esi popl %edi ret .size padlock_aes_block,.-.L_padlock_aes_block_begin .globl padlock_ecb_encrypt .type padlock_ecb_encrypt, at function .align 16 padlock_ecb_encrypt: .L_padlock_ecb_encrypt_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi movl 20(%esp),%edi movl 24(%esp),%esi movl 28(%esp),%edx movl 32(%esp),%ecx testl $15,%edx jnz .L004ecb_abort testl $15,%ecx jnz .L004ecb_abort leal .Lpadlock_saved_context-.L005ecb_pic_point,%eax pushfl cld call _padlock_verify_ctx .L005ecb_pic_point: leal 16(%edx),%edx xorl %eax,%eax xorl %ebx,%ebx testl $32,(%edx) jnz .L006ecb_aligned testl $15,%edi setz %al testl $15,%esi setz %bl testl %ebx,%eax jnz .L006ecb_aligned negl %eax movl $512,%ebx notl %eax leal -24(%esp),%ebp cmpl %ebx,%ecx cmovcl %ecx,%ebx andl %ebx,%eax movl %ecx,%ebx negl %eax andl $511,%ebx leal (%eax,%ebp,1),%esp movl $512,%eax cmovzl %eax,%ebx movl %ebp,%eax andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) cmpl %ebx,%ecx ja .L007ecb_loop movl %esi,%eax cmpl %esp,%ebp cmovel %edi,%eax addl %ecx,%eax negl %eax andl $4095,%eax cmpl $128,%eax movl $-128,%eax cmovael %ebx,%eax andl %eax,%ebx jz .L008ecb_unaligned_tail jmp .L007ecb_loop .align 16 .L007ecb_loop: movl %edi,(%ebp) movl %esi,4(%ebp) movl %ecx,8(%ebp) movl %ebx,%ecx movl %ebx,12(%ebp) testl $15,%edi cmovnzl %esp,%edi testl $15,%esi jz .L009ecb_inp_aligned shrl $2,%ecx .byte 243,165 subl %ebx,%edi movl %ebx,%ecx movl %edi,%esi .L009ecb_inp_aligned: leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,200 movl (%ebp),%edi movl 12(%ebp),%ebx testl $15,%edi jz .L010ecb_out_aligned movl %ebx,%ecx leal (%esp),%esi shrl $2,%ecx .byte 243,165 subl %ebx,%edi .L010ecb_out_aligned: movl 4(%ebp),%esi movl 8(%ebp),%ecx addl %ebx,%edi addl %ebx,%esi subl %ebx,%ecx movl $512,%ebx jz .L011ecb_break cmpl %ebx,%ecx jae .L007ecb_loop .L008ecb_unaligned_tail: xorl %eax,%eax cmpl %ebp,%esp cmovel %ecx,%eax subl %eax,%esp movl %edi,%eax movl %ecx,%ebx shrl $2,%ecx leal (%esp),%edi .byte 243,165 movl %esp,%esi movl %eax,%edi movl %ebx,%ecx jmp .L007ecb_loop .align 16 .L011ecb_break: cmpl %ebp,%esp je .L012ecb_done pxor %xmm0,%xmm0 leal (%esp),%eax .L013ecb_bzero: movaps %xmm0,(%eax) leal 16(%eax),%eax cmpl %eax,%ebp ja .L013ecb_bzero .L012ecb_done: movl 16(%ebp),%ebp leal 24(%ebp),%esp jmp .L014ecb_exit .align 16 .L006ecb_aligned: leal (%esi,%ecx,1),%ebp negl %ebp andl $4095,%ebp xorl %eax,%eax cmpl $128,%ebp movl $127,%ebp cmovael %eax,%ebp andl %ecx,%ebp subl %ebp,%ecx jz .L015ecb_aligned_tail leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,200 testl %ebp,%ebp jz .L014ecb_exit .L015ecb_aligned_tail: movl %ebp,%ecx leal -24(%esp),%ebp movl %ebp,%esp movl %ebp,%eax subl %ecx,%esp andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) movl %edi,%eax movl %ecx,%ebx shrl $2,%ecx leal (%esp),%edi .byte 243,165 movl %esp,%esi movl %eax,%edi movl %ebx,%ecx jmp .L007ecb_loop .L014ecb_exit: movl $1,%eax leal 4(%esp),%esp .L004ecb_abort: popl %edi popl %esi popl %ebx popl %ebp ret .size padlock_ecb_encrypt,.-.L_padlock_ecb_encrypt_begin .globl padlock_cbc_encrypt .type padlock_cbc_encrypt, at function .align 16 padlock_cbc_encrypt: .L_padlock_cbc_encrypt_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi movl 20(%esp),%edi movl 24(%esp),%esi movl 28(%esp),%edx movl 32(%esp),%ecx testl $15,%edx jnz .L016cbc_abort testl $15,%ecx jnz .L016cbc_abort leal .Lpadlock_saved_context-.L017cbc_pic_point,%eax pushfl cld call _padlock_verify_ctx .L017cbc_pic_point: leal 16(%edx),%edx xorl %eax,%eax xorl %ebx,%ebx testl $32,(%edx) jnz .L018cbc_aligned testl $15,%edi setz %al testl $15,%esi setz %bl testl %ebx,%eax jnz .L018cbc_aligned negl %eax movl $512,%ebx notl %eax leal -24(%esp),%ebp cmpl %ebx,%ecx cmovcl %ecx,%ebx andl %ebx,%eax movl %ecx,%ebx negl %eax andl $511,%ebx leal (%eax,%ebp,1),%esp movl $512,%eax cmovzl %eax,%ebx movl %ebp,%eax andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) cmpl %ebx,%ecx ja .L019cbc_loop movl %esi,%eax cmpl %esp,%ebp cmovel %edi,%eax addl %ecx,%eax negl %eax andl $4095,%eax cmpl $64,%eax movl $-64,%eax cmovael %ebx,%eax andl %eax,%ebx jz .L020cbc_unaligned_tail jmp .L019cbc_loop .align 16 .L019cbc_loop: movl %edi,(%ebp) movl %esi,4(%ebp) movl %ecx,8(%ebp) movl %ebx,%ecx movl %ebx,12(%ebp) testl $15,%edi cmovnzl %esp,%edi testl $15,%esi jz .L021cbc_inp_aligned shrl $2,%ecx .byte 243,165 subl %ebx,%edi movl %ebx,%ecx movl %edi,%esi .L021cbc_inp_aligned: leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,208 movaps (%eax),%xmm0 movaps %xmm0,-16(%edx) movl (%ebp),%edi movl 12(%ebp),%ebx testl $15,%edi jz .L022cbc_out_aligned movl %ebx,%ecx leal (%esp),%esi shrl $2,%ecx .byte 243,165 subl %ebx,%edi .L022cbc_out_aligned: movl 4(%ebp),%esi movl 8(%ebp),%ecx addl %ebx,%edi addl %ebx,%esi subl %ebx,%ecx movl $512,%ebx jz .L023cbc_break cmpl %ebx,%ecx jae .L019cbc_loop .L020cbc_unaligned_tail: xorl %eax,%eax cmpl %ebp,%esp cmovel %ecx,%eax subl %eax,%esp movl %edi,%eax movl %ecx,%ebx shrl $2,%ecx leal (%esp),%edi .byte 243,165 movl %esp,%esi movl %eax,%edi movl %ebx,%ecx jmp .L019cbc_loop .align 16 .L023cbc_break: cmpl %ebp,%esp je .L024cbc_done pxor %xmm0,%xmm0 leal (%esp),%eax .L025cbc_bzero: movaps %xmm0,(%eax) leal 16(%eax),%eax cmpl %eax,%ebp ja .L025cbc_bzero .L024cbc_done: movl 16(%ebp),%ebp leal 24(%ebp),%esp jmp .L026cbc_exit .align 16 .L018cbc_aligned: leal (%esi,%ecx,1),%ebp negl %ebp andl $4095,%ebp xorl %eax,%eax cmpl $64,%ebp movl $63,%ebp cmovael %eax,%ebp andl %ecx,%ebp subl %ebp,%ecx jz .L027cbc_aligned_tail leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,208 movaps (%eax),%xmm0 movaps %xmm0,-16(%edx) testl %ebp,%ebp jz .L026cbc_exit .L027cbc_aligned_tail: movl %ebp,%ecx leal -24(%esp),%ebp movl %ebp,%esp movl %ebp,%eax subl %ecx,%esp andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) movl %edi,%eax movl %ecx,%ebx shrl $2,%ecx leal (%esp),%edi .byte 243,165 movl %esp,%esi movl %eax,%edi movl %ebx,%ecx jmp .L019cbc_loop .L026cbc_exit: movl $1,%eax leal 4(%esp),%esp .L016cbc_abort: popl %edi popl %esi popl %ebx popl %ebp ret .size padlock_cbc_encrypt,.-.L_padlock_cbc_encrypt_begin .globl padlock_cfb_encrypt .type padlock_cfb_encrypt, at function .align 16 padlock_cfb_encrypt: .L_padlock_cfb_encrypt_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi movl 20(%esp),%edi movl 24(%esp),%esi movl 28(%esp),%edx movl 32(%esp),%ecx testl $15,%edx jnz .L028cfb_abort testl $15,%ecx jnz .L028cfb_abort leal .Lpadlock_saved_context-.L029cfb_pic_point,%eax pushfl cld call _padlock_verify_ctx .L029cfb_pic_point: leal 16(%edx),%edx xorl %eax,%eax xorl %ebx,%ebx testl $32,(%edx) jnz .L030cfb_aligned testl $15,%edi setz %al testl $15,%esi setz %bl testl %ebx,%eax jnz .L030cfb_aligned negl %eax movl $512,%ebx notl %eax leal -24(%esp),%ebp cmpl %ebx,%ecx cmovcl %ecx,%ebx andl %ebx,%eax movl %ecx,%ebx negl %eax andl $511,%ebx leal (%eax,%ebp,1),%esp movl $512,%eax cmovzl %eax,%ebx movl %ebp,%eax andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) jmp .L031cfb_loop .align 16 .L031cfb_loop: movl %edi,(%ebp) movl %esi,4(%ebp) movl %ecx,8(%ebp) movl %ebx,%ecx movl %ebx,12(%ebp) testl $15,%edi cmovnzl %esp,%edi testl $15,%esi jz .L032cfb_inp_aligned shrl $2,%ecx .byte 243,165 subl %ebx,%edi movl %ebx,%ecx movl %edi,%esi .L032cfb_inp_aligned: leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,224 movaps (%eax),%xmm0 movaps %xmm0,-16(%edx) movl (%ebp),%edi movl 12(%ebp),%ebx testl $15,%edi jz .L033cfb_out_aligned movl %ebx,%ecx leal (%esp),%esi shrl $2,%ecx .byte 243,165 subl %ebx,%edi .L033cfb_out_aligned: movl 4(%ebp),%esi movl 8(%ebp),%ecx addl %ebx,%edi addl %ebx,%esi subl %ebx,%ecx movl $512,%ebx jnz .L031cfb_loop cmpl %ebp,%esp je .L034cfb_done pxor %xmm0,%xmm0 leal (%esp),%eax .L035cfb_bzero: movaps %xmm0,(%eax) leal 16(%eax),%eax cmpl %eax,%ebp ja .L035cfb_bzero .L034cfb_done: movl 16(%ebp),%ebp leal 24(%ebp),%esp jmp .L036cfb_exit .align 16 .L030cfb_aligned: leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,224 movaps (%eax),%xmm0 movaps %xmm0,-16(%edx) .L036cfb_exit: movl $1,%eax leal 4(%esp),%esp .L028cfb_abort: popl %edi popl %esi popl %ebx popl %ebp ret .size padlock_cfb_encrypt,.-.L_padlock_cfb_encrypt_begin .globl padlock_ofb_encrypt .type padlock_ofb_encrypt, at function .align 16 padlock_ofb_encrypt: .L_padlock_ofb_encrypt_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi movl 20(%esp),%edi movl 24(%esp),%esi movl 28(%esp),%edx movl 32(%esp),%ecx testl $15,%edx jnz .L037ofb_abort testl $15,%ecx jnz .L037ofb_abort leal .Lpadlock_saved_context-.L038ofb_pic_point,%eax pushfl cld call _padlock_verify_ctx .L038ofb_pic_point: leal 16(%edx),%edx xorl %eax,%eax xorl %ebx,%ebx testl $32,(%edx) jnz .L039ofb_aligned testl $15,%edi setz %al testl $15,%esi setz %bl testl %ebx,%eax jnz .L039ofb_aligned negl %eax movl $512,%ebx notl %eax leal -24(%esp),%ebp cmpl %ebx,%ecx cmovcl %ecx,%ebx andl %ebx,%eax movl %ecx,%ebx negl %eax andl $511,%ebx leal (%eax,%ebp,1),%esp movl $512,%eax cmovzl %eax,%ebx movl %ebp,%eax andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) jmp .L040ofb_loop .align 16 .L040ofb_loop: movl %edi,(%ebp) movl %esi,4(%ebp) movl %ecx,8(%ebp) movl %ebx,%ecx movl %ebx,12(%ebp) testl $15,%edi cmovnzl %esp,%edi testl $15,%esi jz .L041ofb_inp_aligned shrl $2,%ecx .byte 243,165 subl %ebx,%edi movl %ebx,%ecx movl %edi,%esi .L041ofb_inp_aligned: leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,232 movaps (%eax),%xmm0 movaps %xmm0,-16(%edx) movl (%ebp),%edi movl 12(%ebp),%ebx testl $15,%edi jz .L042ofb_out_aligned movl %ebx,%ecx leal (%esp),%esi shrl $2,%ecx .byte 243,165 subl %ebx,%edi .L042ofb_out_aligned: movl 4(%ebp),%esi movl 8(%ebp),%ecx addl %ebx,%edi addl %ebx,%esi subl %ebx,%ecx movl $512,%ebx jnz .L040ofb_loop cmpl %ebp,%esp je .L043ofb_done pxor %xmm0,%xmm0 leal (%esp),%eax .L044ofb_bzero: movaps %xmm0,(%eax) leal 16(%eax),%eax cmpl %eax,%ebp ja .L044ofb_bzero .L043ofb_done: movl 16(%ebp),%ebp leal 24(%ebp),%esp jmp .L045ofb_exit .align 16 .L039ofb_aligned: leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,232 movaps (%eax),%xmm0 movaps %xmm0,-16(%edx) .L045ofb_exit: movl $1,%eax leal 4(%esp),%esp .L037ofb_abort: popl %edi popl %esi popl %ebx popl %ebp ret .size padlock_ofb_encrypt,.-.L_padlock_ofb_encrypt_begin .globl padlock_ctr32_encrypt .type padlock_ctr32_encrypt, at function .align 16 padlock_ctr32_encrypt: .L_padlock_ctr32_encrypt_begin: pushl %ebp pushl %ebx pushl %esi pushl %edi movl 20(%esp),%edi movl 24(%esp),%esi movl 28(%esp),%edx movl 32(%esp),%ecx testl $15,%edx jnz .L046ctr32_abort testl $15,%ecx jnz .L046ctr32_abort leal .Lpadlock_saved_context-.L047ctr32_pic_point,%eax pushfl cld call _padlock_verify_ctx .L047ctr32_pic_point: leal 16(%edx),%edx xorl %eax,%eax movq -16(%edx),%mm0 movl $512,%ebx notl %eax leal -24(%esp),%ebp cmpl %ebx,%ecx cmovcl %ecx,%ebx andl %ebx,%eax movl %ecx,%ebx negl %eax andl $511,%ebx leal (%eax,%ebp,1),%esp movl $512,%eax cmovzl %eax,%ebx movl %ebp,%eax andl $-16,%ebp andl $-16,%esp movl %eax,16(%ebp) jmp .L048ctr32_loop .align 16 .L048ctr32_loop: movl %edi,(%ebp) movl %esi,4(%ebp) movl %ecx,8(%ebp) movl %ebx,%ecx movl %ebx,12(%ebp) movl -4(%edx),%ecx xorl %edi,%edi movl -8(%edx),%eax .L049ctr32_prepare: movl %ecx,12(%esp,%edi,1) bswap %ecx movq %mm0,(%esp,%edi,1) incl %ecx movl %eax,8(%esp,%edi,1) bswap %ecx leal 16(%edi),%edi cmpl %ebx,%edi jb .L049ctr32_prepare movl %ecx,-4(%edx) leal (%esp),%esi leal (%esp),%edi movl %ebx,%ecx leal -16(%edx),%eax leal 16(%edx),%ebx shrl $4,%ecx .byte 243,15,167,200 movl (%ebp),%edi movl 12(%ebp),%ebx movl 4(%ebp),%esi xorl %ecx,%ecx .L050ctr32_xor: movups (%esi,%ecx,1),%xmm1 leal 16(%ecx),%ecx pxor -16(%esp,%ecx,1),%xmm1 movups %xmm1,-16(%edi,%ecx,1) cmpl %ebx,%ecx jb .L050ctr32_xor movl 8(%ebp),%ecx addl %ebx,%edi addl %ebx,%esi subl %ebx,%ecx movl $512,%ebx jnz .L048ctr32_loop pxor %xmm0,%xmm0 leal (%esp),%eax .L051ctr32_bzero: movaps %xmm0,(%eax) leal 16(%eax),%eax cmpl %eax,%ebp ja .L051ctr32_bzero .L052ctr32_done: movl 16(%ebp),%ebp leal 24(%ebp),%esp movl $1,%eax leal 4(%esp),%esp emms .L046ctr32_abort: popl %edi popl %esi popl %ebx popl %ebp ret .size padlock_ctr32_encrypt,.-.L_padlock_ctr32_encrypt_begin .globl padlock_xstore .type padlock_xstore, at function .align 16 padlock_xstore: .L_padlock_xstore_begin: pushl %edi movl 8(%esp),%edi movl 12(%esp),%edx .byte 15,167,192 popl %edi ret .size padlock_xstore,.-.L_padlock_xstore_begin .type _win32_segv_handler, at function .align 16 _win32_segv_handler: movl $1,%eax movl 4(%esp),%edx movl 12(%esp),%ecx cmpl $3221225477,(%edx) jne .L053ret addl $4,184(%ecx) movl $0,%eax .L053ret: ret .size _win32_segv_handler,.-_win32_segv_handler .globl padlock_sha1_oneshot .type padlock_sha1_oneshot, at function .align 16 padlock_sha1_oneshot: .L_padlock_sha1_oneshot_begin: pushl %edi pushl %esi xorl %eax,%eax movl 12(%esp),%edi movl 16(%esp),%esi movl 20(%esp),%ecx movl %esp,%edx addl $-128,%esp movups (%edi),%xmm0 andl $-16,%esp movl 16(%edi),%eax movaps %xmm0,(%esp) movl %esp,%edi movl %eax,16(%esp) xorl %eax,%eax .byte 243,15,166,200 movaps (%esp),%xmm0 movl 16(%esp),%eax movl %edx,%esp movl 12(%esp),%edi movups %xmm0,(%edi) movl %eax,16(%edi) popl %esi popl %edi ret .size padlock_sha1_oneshot,.-.L_padlock_sha1_oneshot_begin .globl padlock_sha1_blocks .type padlock_sha1_blocks, at function .align 16 padlock_sha1_blocks: .L_padlock_sha1_blocks_begin: pushl %edi pushl %esi movl 12(%esp),%edi movl 16(%esp),%esi movl %esp,%edx movl 20(%esp),%ecx addl $-128,%esp movups (%edi),%xmm0 andl $-16,%esp movl 16(%edi),%eax movaps %xmm0,(%esp) movl %esp,%edi movl %eax,16(%esp) movl $-1,%eax .byte 243,15,166,200 movaps (%esp),%xmm0 movl 16(%esp),%eax movl %edx,%esp movl 12(%esp),%edi movups %xmm0,(%edi) movl %eax,16(%edi) popl %esi popl %edi ret .size padlock_sha1_blocks,.-.L_padlock_sha1_blocks_begin .globl padlock_sha256_oneshot .type padlock_sha256_oneshot, at function .align 16 padlock_sha256_oneshot: .L_padlock_sha256_oneshot_begin: pushl %edi pushl %esi xorl %eax,%eax movl 12(%esp),%edi movl 16(%esp),%esi movl 20(%esp),%ecx movl %esp,%edx addl $-128,%esp movups (%edi),%xmm0 andl $-16,%esp movups 16(%edi),%xmm1 movaps %xmm0,(%esp) movl %esp,%edi movaps %xmm1,16(%esp) xorl %eax,%eax .byte 243,15,166,208 movaps (%esp),%xmm0 movaps 16(%esp),%xmm1 movl %edx,%esp movl 12(%esp),%edi movups %xmm0,(%edi) movups %xmm1,16(%edi) popl %esi popl %edi ret .size padlock_sha256_oneshot,.-.L_padlock_sha256_oneshot_begin .globl padlock_sha256_blocks .type padlock_sha256_blocks, at function .align 16 padlock_sha256_blocks: .L_padlock_sha256_blocks_begin: pushl %edi pushl %esi movl 12(%esp),%edi movl 16(%esp),%esi movl 20(%esp),%ecx movl %esp,%edx addl $-128,%esp movups (%edi),%xmm0 andl $-16,%esp movups 16(%edi),%xmm1 movaps %xmm0,(%esp) movl %esp,%edi movaps %xmm1,16(%esp) movl $-1,%eax .byte 243,15,166,208 movaps (%esp),%xmm0 movaps 16(%esp),%xmm1 movl %edx,%esp movl 12(%esp),%edi movups %xmm0,(%edi) movups %xmm1,16(%edi) popl %esi popl %edi ret .size padlock_sha256_blocks,.-.L_padlock_sha256_blocks_begin .globl padlock_sha512_blocks .type padlock_sha512_blocks, at function .align 16 padlock_sha512_blocks: .L_padlock_sha512_blocks_begin: pushl %edi pushl %esi movl 12(%esp),%edi movl 16(%esp),%esi movl 20(%esp),%ecx movl %esp,%edx addl $-128,%esp movups (%edi),%xmm0 andl $-16,%esp movups 16(%edi),%xmm1 movups 32(%edi),%xmm2 movups 48(%edi),%xmm3 movaps %xmm0,(%esp) movl %esp,%edi movaps %xmm1,16(%esp) movaps %xmm2,32(%esp) movaps %xmm3,48(%esp) .byte 243,15,166,224 movaps (%esp),%xmm0 movaps 16(%esp),%xmm1 movaps 32(%esp),%xmm2 movaps 48(%esp),%xmm3 movl %edx,%esp movups 16(%edi),%xmm1 movups 32(%edi),%xmm2 movups 48(%edi),%xmm3 movaps %xmm0,(%esp) movl %esp,%edi movaps %xmm1,16(%esp) movaps %xmm2,32(%esp) movaps %xmm3,48(%esp) .byte 243,15,166,224 movaps (%esp),%xmm0 movaps 16(%esp),%xmm1 movaps 32(%esp),%xmm2 movaps 48(%esp),%xmm3 movl %edx,%esp movl 12(%esp),%edi movups %xmm0,(%edi) movups %xmm1,16(%edi) movups %xmm2,32(%edi) movups %xmm3,48(%edi) popl %esi popl %edi ret .size padlock_sha512_blocks,.-.L_padlock_sha512_blocks_begin .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,32 .byte 109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65 .byte 77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101 .byte 110,115,115,108,46,111,114,103,62,0 .align 16 .data .align 4 .Lpadlock_saved_context: .long 0 gcc -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STAT IC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPE NSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -D AES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/cont rib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -c -o e_padlock-x86.o e_padlock- x86.s gcc: e_padlock-x86.s: No such file or directory gcc: no input files *** Error code 1 Stop. *** Error code 1 Please have a look. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From dni.grosu at gmail.com Tue Mar 8 14:38:47 2016 From: dni.grosu at gmail.com (danigrosu) Date: Tue, 8 Mar 2016 07:38:47 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457369381041-64385.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> Message-ID: <1457447927840-64445.post@n7.nabble.com> I'm just trying to implement an RSA engine and I thought that this would be a good start. I tryed successfully the MD5 Engine written by Richard Levitte and my next step is to build an RSA engine which I will use in my application. I think my problem is simple and it's just something that I miss. Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64445.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Tue Mar 8 15:38:31 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 08 Mar 2016 16:38:31 +0100 (CET) Subject: [openssl-dev] openssl-SNAP-20160308 issues In-Reply-To: <20160308152406.GA4312@doctor.nl2k.ab.ca> References: <20160308152406.GA4312@doctor.nl2k.ab.ca> Message-ID: <20160308.163831.1064272130603044516.levitte@openssl.org> Known error, has been fixed during the day today, commit 6a6462f0f1fd83211d7de17691d1063e23cf10fb Cheers, Richard In message <20160308152406.GA4312 at doctor.nl2k.ab.ca> on Tue, 8 Mar 2016 08:24:06 -0700, The Doctor said: doctor> When did assembler come into the equation? doctor> doctor> /usr/bin/perl5 asm/e_padlock-x86.pl elf -I../include -DDSO_DLFCN -DHAVE_DLFCN_H doctor> -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PA doctor> RT_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -D doctor> SHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPO doctor> LY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/eng doctor> ines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall doctor> -g -fPIC 386 e_padlock-x86.s doctor> .file "asm/e_padlock-x86.s" doctor> .text doctor> .globl padlock_capability doctor> .type padlock_capability, at function doctor> .align 16 doctor> padlock_capability: doctor> .L_padlock_capability_begin: doctor> pushl %ebx doctor> pushfl doctor> popl %eax doctor> movl %eax,%ecx doctor> xorl $2097152,%eax doctor> pushl %eax doctor> popfl doctor> pushfl doctor> popl %eax doctor> xorl %eax,%ecx doctor> xorl %eax,%eax doctor> btl $21,%ecx doctor> jnc .L000noluck doctor> .byte 0x0f,0xa2 doctor> xorl %eax,%eax doctor> cmpl $0x746e6543,%ebx doctor> jne .L000noluck doctor> cmpl $0x48727561,%edx doctor> jne .L000noluck doctor> cmpl $0x736c7561,%ecx doctor> jne .L000noluck doctor> movl $3221225472,%eax doctor> .byte 0x0f,0xa2 doctor> movl %eax,%edx doctor> xorl %eax,%eax doctor> cmpl $3221225473,%edx doctor> jb .L000noluck doctor> movl $1,%eax doctor> .byte 0x0f,0xa2 doctor> orl $15,%eax doctor> xorl %ebx,%ebx doctor> andl $4095,%eax doctor> cmpl $1791,%eax doctor> sete %bl doctor> movl $3221225473,%eax doctor> pushl %ebx doctor> .byte 0x0f,0xa2 doctor> popl %ebx doctor> movl %edx,%eax doctor> shll $4,%ebx doctor> andl $4294967279,%eax doctor> orl %ebx,%eax doctor> .L000noluck: doctor> popl %ebx doctor> ret doctor> .size padlock_capability,.-.L_padlock_capability_begin doctor> .globl padlock_key_bswap doctor> .type padlock_key_bswap, at function doctor> .align 16 doctor> padlock_key_bswap: doctor> .L_padlock_key_bswap_begin: doctor> movl 4(%esp),%edx doctor> movl 240(%edx),%ecx doctor> .L001bswap_loop: doctor> movl (%edx),%eax doctor> bswap %eax doctor> movl %eax,(%edx) doctor> leal 4(%edx),%edx doctor> subl $1,%ecx doctor> jnz .L001bswap_loop doctor> ret doctor> .size padlock_key_bswap,.-.L_padlock_key_bswap_begin doctor> .globl padlock_verify_context doctor> .type padlock_verify_context, at function doctor> .align 16 doctor> padlock_verify_context: doctor> .L_padlock_verify_context_begin: doctor> movl 4(%esp),%edx doctor> leal .Lpadlock_saved_context-.L002verify_pic_point,%eax doctor> pushfl doctor> call _padlock_verify_ctx doctor> .L002verify_pic_point: doctor> leal 4(%esp),%esp doctor> ret doctor> .size padlock_verify_context,.-.L_padlock_verify_context_begin doctor> .type _padlock_verify_ctx, at function doctor> .align 16 doctor> _padlock_verify_ctx: doctor> addl (%esp),%eax doctor> btl $30,4(%esp) doctor> jnc .L003verified doctor> cmpl (%eax),%edx doctor> je .L003verified doctor> pushfl doctor> popfl doctor> .L003verified: doctor> movl %edx,(%eax) doctor> ret doctor> .size _padlock_verify_ctx,.-_padlock_verify_ctx doctor> .globl padlock_reload_key doctor> .type padlock_reload_key, at function doctor> .align 16 doctor> padlock_reload_key: doctor> .L_padlock_reload_key_begin: doctor> pushfl doctor> popfl doctor> ret doctor> .size padlock_reload_key,.-.L_padlock_reload_key_begin doctor> .globl padlock_aes_block doctor> .type padlock_aes_block, at function doctor> .align 16 doctor> padlock_aes_block: doctor> .L_padlock_aes_block_begin: doctor> pushl %edi doctor> pushl %esi doctor> pushl %ebx doctor> movl 16(%esp),%edi doctor> movl 20(%esp),%esi doctor> movl 24(%esp),%edx doctor> movl $1,%ecx doctor> leal 32(%edx),%ebx doctor> leal 16(%edx),%edx doctor> .byte 243,15,167,200 doctor> popl %ebx doctor> popl %esi doctor> popl %edi doctor> ret doctor> .size padlock_aes_block,.-.L_padlock_aes_block_begin doctor> .globl padlock_ecb_encrypt doctor> .type padlock_ecb_encrypt, at function doctor> .align 16 doctor> padlock_ecb_encrypt: doctor> .L_padlock_ecb_encrypt_begin: doctor> pushl %ebp doctor> pushl %ebx doctor> pushl %esi doctor> pushl %edi doctor> movl 20(%esp),%edi doctor> movl 24(%esp),%esi doctor> movl 28(%esp),%edx doctor> movl 32(%esp),%ecx doctor> testl $15,%edx doctor> jnz .L004ecb_abort doctor> testl $15,%ecx doctor> jnz .L004ecb_abort doctor> leal .Lpadlock_saved_context-.L005ecb_pic_point,%eax doctor> pushfl doctor> cld doctor> call _padlock_verify_ctx doctor> .L005ecb_pic_point: doctor> leal 16(%edx),%edx doctor> xorl %eax,%eax doctor> xorl %ebx,%ebx doctor> testl $32,(%edx) doctor> jnz .L006ecb_aligned doctor> testl $15,%edi doctor> setz %al doctor> testl $15,%esi doctor> setz %bl doctor> testl %ebx,%eax doctor> jnz .L006ecb_aligned doctor> negl %eax doctor> movl $512,%ebx doctor> notl %eax doctor> leal -24(%esp),%ebp doctor> cmpl %ebx,%ecx doctor> cmovcl %ecx,%ebx doctor> andl %ebx,%eax doctor> movl %ecx,%ebx doctor> negl %eax doctor> andl $511,%ebx doctor> leal (%eax,%ebp,1),%esp doctor> movl $512,%eax doctor> cmovzl %eax,%ebx doctor> movl %ebp,%eax doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> cmpl %ebx,%ecx doctor> ja .L007ecb_loop doctor> movl %esi,%eax doctor> cmpl %esp,%ebp doctor> cmovel %edi,%eax doctor> addl %ecx,%eax doctor> negl %eax doctor> andl $4095,%eax doctor> cmpl $128,%eax doctor> movl $-128,%eax doctor> cmovael %ebx,%eax doctor> andl %eax,%ebx doctor> jz .L008ecb_unaligned_tail doctor> jmp .L007ecb_loop doctor> .align 16 doctor> .L007ecb_loop: doctor> movl %edi,(%ebp) doctor> movl %esi,4(%ebp) doctor> movl %ecx,8(%ebp) doctor> movl %ebx,%ecx doctor> movl %ebx,12(%ebp) doctor> testl $15,%edi doctor> cmovnzl %esp,%edi doctor> testl $15,%esi doctor> jz .L009ecb_inp_aligned doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> movl %ebx,%ecx doctor> movl %edi,%esi doctor> .L009ecb_inp_aligned: doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,200 doctor> movl (%ebp),%edi doctor> movl 12(%ebp),%ebx doctor> testl $15,%edi doctor> jz .L010ecb_out_aligned doctor> movl %ebx,%ecx doctor> leal (%esp),%esi doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> .L010ecb_out_aligned: doctor> movl 4(%ebp),%esi doctor> movl 8(%ebp),%ecx doctor> addl %ebx,%edi doctor> addl %ebx,%esi doctor> subl %ebx,%ecx doctor> movl $512,%ebx doctor> jz .L011ecb_break doctor> cmpl %ebx,%ecx doctor> jae .L007ecb_loop doctor> .L008ecb_unaligned_tail: doctor> xorl %eax,%eax doctor> cmpl %ebp,%esp doctor> cmovel %ecx,%eax doctor> subl %eax,%esp doctor> movl %edi,%eax doctor> movl %ecx,%ebx doctor> shrl $2,%ecx doctor> leal (%esp),%edi doctor> .byte 243,165 doctor> movl %esp,%esi doctor> movl %eax,%edi doctor> movl %ebx,%ecx doctor> jmp .L007ecb_loop doctor> .align 16 doctor> .L011ecb_break: doctor> cmpl %ebp,%esp doctor> je .L012ecb_done doctor> pxor %xmm0,%xmm0 doctor> leal (%esp),%eax doctor> .L013ecb_bzero: doctor> movaps %xmm0,(%eax) doctor> leal 16(%eax),%eax doctor> cmpl %eax,%ebp doctor> ja .L013ecb_bzero doctor> .L012ecb_done: doctor> movl 16(%ebp),%ebp doctor> leal 24(%ebp),%esp doctor> jmp .L014ecb_exit doctor> .align 16 doctor> .L006ecb_aligned: doctor> leal (%esi,%ecx,1),%ebp doctor> negl %ebp doctor> andl $4095,%ebp doctor> xorl %eax,%eax doctor> cmpl $128,%ebp doctor> movl $127,%ebp doctor> cmovael %eax,%ebp doctor> andl %ecx,%ebp doctor> subl %ebp,%ecx doctor> jz .L015ecb_aligned_tail doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,200 doctor> testl %ebp,%ebp doctor> jz .L014ecb_exit doctor> .L015ecb_aligned_tail: doctor> movl %ebp,%ecx doctor> leal -24(%esp),%ebp doctor> movl %ebp,%esp doctor> movl %ebp,%eax doctor> subl %ecx,%esp doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> movl %edi,%eax doctor> movl %ecx,%ebx doctor> shrl $2,%ecx doctor> leal (%esp),%edi doctor> .byte 243,165 doctor> movl %esp,%esi doctor> movl %eax,%edi doctor> movl %ebx,%ecx doctor> jmp .L007ecb_loop doctor> .L014ecb_exit: doctor> movl $1,%eax doctor> leal 4(%esp),%esp doctor> .L004ecb_abort: doctor> popl %edi doctor> popl %esi doctor> popl %ebx doctor> popl %ebp doctor> ret doctor> .size padlock_ecb_encrypt,.-.L_padlock_ecb_encrypt_begin doctor> .globl padlock_cbc_encrypt doctor> .type padlock_cbc_encrypt, at function doctor> .align 16 doctor> padlock_cbc_encrypt: doctor> .L_padlock_cbc_encrypt_begin: doctor> pushl %ebp doctor> pushl %ebx doctor> pushl %esi doctor> pushl %edi doctor> movl 20(%esp),%edi doctor> movl 24(%esp),%esi doctor> movl 28(%esp),%edx doctor> movl 32(%esp),%ecx doctor> testl $15,%edx doctor> jnz .L016cbc_abort doctor> testl $15,%ecx doctor> jnz .L016cbc_abort doctor> leal .Lpadlock_saved_context-.L017cbc_pic_point,%eax doctor> pushfl doctor> cld doctor> call _padlock_verify_ctx doctor> .L017cbc_pic_point: doctor> leal 16(%edx),%edx doctor> xorl %eax,%eax doctor> xorl %ebx,%ebx doctor> testl $32,(%edx) doctor> jnz .L018cbc_aligned doctor> testl $15,%edi doctor> setz %al doctor> testl $15,%esi doctor> setz %bl doctor> testl %ebx,%eax doctor> jnz .L018cbc_aligned doctor> negl %eax doctor> movl $512,%ebx doctor> notl %eax doctor> leal -24(%esp),%ebp doctor> cmpl %ebx,%ecx doctor> cmovcl %ecx,%ebx doctor> andl %ebx,%eax doctor> movl %ecx,%ebx doctor> negl %eax doctor> andl $511,%ebx doctor> leal (%eax,%ebp,1),%esp doctor> movl $512,%eax doctor> cmovzl %eax,%ebx doctor> movl %ebp,%eax doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> cmpl %ebx,%ecx doctor> ja .L019cbc_loop doctor> movl %esi,%eax doctor> cmpl %esp,%ebp doctor> cmovel %edi,%eax doctor> addl %ecx,%eax doctor> negl %eax doctor> andl $4095,%eax doctor> cmpl $64,%eax doctor> movl $-64,%eax doctor> cmovael %ebx,%eax doctor> andl %eax,%ebx doctor> jz .L020cbc_unaligned_tail doctor> jmp .L019cbc_loop doctor> .align 16 doctor> .L019cbc_loop: doctor> movl %edi,(%ebp) doctor> movl %esi,4(%ebp) doctor> movl %ecx,8(%ebp) doctor> movl %ebx,%ecx doctor> movl %ebx,12(%ebp) doctor> testl $15,%edi doctor> cmovnzl %esp,%edi doctor> testl $15,%esi doctor> jz .L021cbc_inp_aligned doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> movl %ebx,%ecx doctor> movl %edi,%esi doctor> .L021cbc_inp_aligned: doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,208 doctor> movaps (%eax),%xmm0 doctor> movaps %xmm0,-16(%edx) doctor> movl (%ebp),%edi doctor> movl 12(%ebp),%ebx doctor> testl $15,%edi doctor> jz .L022cbc_out_aligned doctor> movl %ebx,%ecx doctor> leal (%esp),%esi doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> .L022cbc_out_aligned: doctor> movl 4(%ebp),%esi doctor> movl 8(%ebp),%ecx doctor> addl %ebx,%edi doctor> addl %ebx,%esi doctor> subl %ebx,%ecx doctor> movl $512,%ebx doctor> jz .L023cbc_break doctor> cmpl %ebx,%ecx doctor> jae .L019cbc_loop doctor> .L020cbc_unaligned_tail: doctor> xorl %eax,%eax doctor> cmpl %ebp,%esp doctor> cmovel %ecx,%eax doctor> subl %eax,%esp doctor> movl %edi,%eax doctor> movl %ecx,%ebx doctor> shrl $2,%ecx doctor> leal (%esp),%edi doctor> .byte 243,165 doctor> movl %esp,%esi doctor> movl %eax,%edi doctor> movl %ebx,%ecx doctor> jmp .L019cbc_loop doctor> .align 16 doctor> .L023cbc_break: doctor> cmpl %ebp,%esp doctor> je .L024cbc_done doctor> pxor %xmm0,%xmm0 doctor> leal (%esp),%eax doctor> .L025cbc_bzero: doctor> movaps %xmm0,(%eax) doctor> leal 16(%eax),%eax doctor> cmpl %eax,%ebp doctor> ja .L025cbc_bzero doctor> .L024cbc_done: doctor> movl 16(%ebp),%ebp doctor> leal 24(%ebp),%esp doctor> jmp .L026cbc_exit doctor> .align 16 doctor> .L018cbc_aligned: doctor> leal (%esi,%ecx,1),%ebp doctor> negl %ebp doctor> andl $4095,%ebp doctor> xorl %eax,%eax doctor> cmpl $64,%ebp doctor> movl $63,%ebp doctor> cmovael %eax,%ebp doctor> andl %ecx,%ebp doctor> subl %ebp,%ecx doctor> jz .L027cbc_aligned_tail doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,208 doctor> movaps (%eax),%xmm0 doctor> movaps %xmm0,-16(%edx) doctor> testl %ebp,%ebp doctor> jz .L026cbc_exit doctor> .L027cbc_aligned_tail: doctor> movl %ebp,%ecx doctor> leal -24(%esp),%ebp doctor> movl %ebp,%esp doctor> movl %ebp,%eax doctor> subl %ecx,%esp doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> movl %edi,%eax doctor> movl %ecx,%ebx doctor> shrl $2,%ecx doctor> leal (%esp),%edi doctor> .byte 243,165 doctor> movl %esp,%esi doctor> movl %eax,%edi doctor> movl %ebx,%ecx doctor> jmp .L019cbc_loop doctor> .L026cbc_exit: doctor> movl $1,%eax doctor> leal 4(%esp),%esp doctor> .L016cbc_abort: doctor> popl %edi doctor> popl %esi doctor> popl %ebx doctor> popl %ebp doctor> ret doctor> .size padlock_cbc_encrypt,.-.L_padlock_cbc_encrypt_begin doctor> .globl padlock_cfb_encrypt doctor> .type padlock_cfb_encrypt, at function doctor> .align 16 doctor> padlock_cfb_encrypt: doctor> .L_padlock_cfb_encrypt_begin: doctor> pushl %ebp doctor> pushl %ebx doctor> pushl %esi doctor> pushl %edi doctor> movl 20(%esp),%edi doctor> movl 24(%esp),%esi doctor> movl 28(%esp),%edx doctor> movl 32(%esp),%ecx doctor> testl $15,%edx doctor> jnz .L028cfb_abort doctor> testl $15,%ecx doctor> jnz .L028cfb_abort doctor> leal .Lpadlock_saved_context-.L029cfb_pic_point,%eax doctor> pushfl doctor> cld doctor> call _padlock_verify_ctx doctor> .L029cfb_pic_point: doctor> leal 16(%edx),%edx doctor> xorl %eax,%eax doctor> xorl %ebx,%ebx doctor> testl $32,(%edx) doctor> jnz .L030cfb_aligned doctor> testl $15,%edi doctor> setz %al doctor> testl $15,%esi doctor> setz %bl doctor> testl %ebx,%eax doctor> jnz .L030cfb_aligned doctor> negl %eax doctor> movl $512,%ebx doctor> notl %eax doctor> leal -24(%esp),%ebp doctor> cmpl %ebx,%ecx doctor> cmovcl %ecx,%ebx doctor> andl %ebx,%eax doctor> movl %ecx,%ebx doctor> negl %eax doctor> andl $511,%ebx doctor> leal (%eax,%ebp,1),%esp doctor> movl $512,%eax doctor> cmovzl %eax,%ebx doctor> movl %ebp,%eax doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> jmp .L031cfb_loop doctor> .align 16 doctor> .L031cfb_loop: doctor> movl %edi,(%ebp) doctor> movl %esi,4(%ebp) doctor> movl %ecx,8(%ebp) doctor> movl %ebx,%ecx doctor> movl %ebx,12(%ebp) doctor> testl $15,%edi doctor> cmovnzl %esp,%edi doctor> testl $15,%esi doctor> jz .L032cfb_inp_aligned doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> movl %ebx,%ecx doctor> movl %edi,%esi doctor> .L032cfb_inp_aligned: doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,224 doctor> movaps (%eax),%xmm0 doctor> movaps %xmm0,-16(%edx) doctor> movl (%ebp),%edi doctor> movl 12(%ebp),%ebx doctor> testl $15,%edi doctor> jz .L033cfb_out_aligned doctor> movl %ebx,%ecx doctor> leal (%esp),%esi doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> .L033cfb_out_aligned: doctor> movl 4(%ebp),%esi doctor> movl 8(%ebp),%ecx doctor> addl %ebx,%edi doctor> addl %ebx,%esi doctor> subl %ebx,%ecx doctor> movl $512,%ebx doctor> jnz .L031cfb_loop doctor> cmpl %ebp,%esp doctor> je .L034cfb_done doctor> pxor %xmm0,%xmm0 doctor> leal (%esp),%eax doctor> .L035cfb_bzero: doctor> movaps %xmm0,(%eax) doctor> leal 16(%eax),%eax doctor> cmpl %eax,%ebp doctor> ja .L035cfb_bzero doctor> .L034cfb_done: doctor> movl 16(%ebp),%ebp doctor> leal 24(%ebp),%esp doctor> jmp .L036cfb_exit doctor> .align 16 doctor> .L030cfb_aligned: doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,224 doctor> movaps (%eax),%xmm0 doctor> movaps %xmm0,-16(%edx) doctor> .L036cfb_exit: doctor> movl $1,%eax doctor> leal 4(%esp),%esp doctor> .L028cfb_abort: doctor> popl %edi doctor> popl %esi doctor> popl %ebx doctor> popl %ebp doctor> ret doctor> .size padlock_cfb_encrypt,.-.L_padlock_cfb_encrypt_begin doctor> .globl padlock_ofb_encrypt doctor> .type padlock_ofb_encrypt, at function doctor> .align 16 doctor> padlock_ofb_encrypt: doctor> .L_padlock_ofb_encrypt_begin: doctor> pushl %ebp doctor> pushl %ebx doctor> pushl %esi doctor> pushl %edi doctor> movl 20(%esp),%edi doctor> movl 24(%esp),%esi doctor> movl 28(%esp),%edx doctor> movl 32(%esp),%ecx doctor> testl $15,%edx doctor> jnz .L037ofb_abort doctor> testl $15,%ecx doctor> jnz .L037ofb_abort doctor> leal .Lpadlock_saved_context-.L038ofb_pic_point,%eax doctor> pushfl doctor> cld doctor> call _padlock_verify_ctx doctor> .L038ofb_pic_point: doctor> leal 16(%edx),%edx doctor> xorl %eax,%eax doctor> xorl %ebx,%ebx doctor> testl $32,(%edx) doctor> jnz .L039ofb_aligned doctor> testl $15,%edi doctor> setz %al doctor> testl $15,%esi doctor> setz %bl doctor> testl %ebx,%eax doctor> jnz .L039ofb_aligned doctor> negl %eax doctor> movl $512,%ebx doctor> notl %eax doctor> leal -24(%esp),%ebp doctor> cmpl %ebx,%ecx doctor> cmovcl %ecx,%ebx doctor> andl %ebx,%eax doctor> movl %ecx,%ebx doctor> negl %eax doctor> andl $511,%ebx doctor> leal (%eax,%ebp,1),%esp doctor> movl $512,%eax doctor> cmovzl %eax,%ebx doctor> movl %ebp,%eax doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> jmp .L040ofb_loop doctor> .align 16 doctor> .L040ofb_loop: doctor> movl %edi,(%ebp) doctor> movl %esi,4(%ebp) doctor> movl %ecx,8(%ebp) doctor> movl %ebx,%ecx doctor> movl %ebx,12(%ebp) doctor> testl $15,%edi doctor> cmovnzl %esp,%edi doctor> testl $15,%esi doctor> jz .L041ofb_inp_aligned doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> movl %ebx,%ecx doctor> movl %edi,%esi doctor> .L041ofb_inp_aligned: doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,232 doctor> movaps (%eax),%xmm0 doctor> movaps %xmm0,-16(%edx) doctor> movl (%ebp),%edi doctor> movl 12(%ebp),%ebx doctor> testl $15,%edi doctor> jz .L042ofb_out_aligned doctor> movl %ebx,%ecx doctor> leal (%esp),%esi doctor> shrl $2,%ecx doctor> .byte 243,165 doctor> subl %ebx,%edi doctor> .L042ofb_out_aligned: doctor> movl 4(%ebp),%esi doctor> movl 8(%ebp),%ecx doctor> addl %ebx,%edi doctor> addl %ebx,%esi doctor> subl %ebx,%ecx doctor> movl $512,%ebx doctor> jnz .L040ofb_loop doctor> cmpl %ebp,%esp doctor> je .L043ofb_done doctor> pxor %xmm0,%xmm0 doctor> leal (%esp),%eax doctor> .L044ofb_bzero: doctor> movaps %xmm0,(%eax) doctor> leal 16(%eax),%eax doctor> cmpl %eax,%ebp doctor> ja .L044ofb_bzero doctor> .L043ofb_done: doctor> movl 16(%ebp),%ebp doctor> leal 24(%ebp),%esp doctor> jmp .L045ofb_exit doctor> .align 16 doctor> .L039ofb_aligned: doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,232 doctor> movaps (%eax),%xmm0 doctor> movaps %xmm0,-16(%edx) doctor> .L045ofb_exit: doctor> movl $1,%eax doctor> leal 4(%esp),%esp doctor> .L037ofb_abort: doctor> popl %edi doctor> popl %esi doctor> popl %ebx doctor> popl %ebp doctor> ret doctor> .size padlock_ofb_encrypt,.-.L_padlock_ofb_encrypt_begin doctor> .globl padlock_ctr32_encrypt doctor> .type padlock_ctr32_encrypt, at function doctor> .align 16 doctor> padlock_ctr32_encrypt: doctor> .L_padlock_ctr32_encrypt_begin: doctor> pushl %ebp doctor> pushl %ebx doctor> pushl %esi doctor> pushl %edi doctor> movl 20(%esp),%edi doctor> movl 24(%esp),%esi doctor> movl 28(%esp),%edx doctor> movl 32(%esp),%ecx doctor> testl $15,%edx doctor> jnz .L046ctr32_abort doctor> testl $15,%ecx doctor> jnz .L046ctr32_abort doctor> leal .Lpadlock_saved_context-.L047ctr32_pic_point,%eax doctor> pushfl doctor> cld doctor> call _padlock_verify_ctx doctor> .L047ctr32_pic_point: doctor> leal 16(%edx),%edx doctor> xorl %eax,%eax doctor> movq -16(%edx),%mm0 doctor> movl $512,%ebx doctor> notl %eax doctor> leal -24(%esp),%ebp doctor> cmpl %ebx,%ecx doctor> cmovcl %ecx,%ebx doctor> andl %ebx,%eax doctor> movl %ecx,%ebx doctor> negl %eax doctor> andl $511,%ebx doctor> leal (%eax,%ebp,1),%esp doctor> movl $512,%eax doctor> cmovzl %eax,%ebx doctor> movl %ebp,%eax doctor> andl $-16,%ebp doctor> andl $-16,%esp doctor> movl %eax,16(%ebp) doctor> jmp .L048ctr32_loop doctor> .align 16 doctor> .L048ctr32_loop: doctor> movl %edi,(%ebp) doctor> movl %esi,4(%ebp) doctor> movl %ecx,8(%ebp) doctor> movl %ebx,%ecx doctor> movl %ebx,12(%ebp) doctor> movl -4(%edx),%ecx doctor> xorl %edi,%edi doctor> movl -8(%edx),%eax doctor> .L049ctr32_prepare: doctor> movl %ecx,12(%esp,%edi,1) doctor> bswap %ecx doctor> movq %mm0,(%esp,%edi,1) doctor> incl %ecx doctor> movl %eax,8(%esp,%edi,1) doctor> bswap %ecx doctor> leal 16(%edi),%edi doctor> cmpl %ebx,%edi doctor> jb .L049ctr32_prepare doctor> movl %ecx,-4(%edx) doctor> leal (%esp),%esi doctor> leal (%esp),%edi doctor> movl %ebx,%ecx doctor> leal -16(%edx),%eax doctor> leal 16(%edx),%ebx doctor> shrl $4,%ecx doctor> .byte 243,15,167,200 doctor> movl (%ebp),%edi doctor> movl 12(%ebp),%ebx doctor> movl 4(%ebp),%esi doctor> xorl %ecx,%ecx doctor> .L050ctr32_xor: doctor> movups (%esi,%ecx,1),%xmm1 doctor> leal 16(%ecx),%ecx doctor> pxor -16(%esp,%ecx,1),%xmm1 doctor> movups %xmm1,-16(%edi,%ecx,1) doctor> cmpl %ebx,%ecx doctor> jb .L050ctr32_xor doctor> movl 8(%ebp),%ecx doctor> addl %ebx,%edi doctor> addl %ebx,%esi doctor> subl %ebx,%ecx doctor> movl $512,%ebx doctor> jnz .L048ctr32_loop doctor> pxor %xmm0,%xmm0 doctor> leal (%esp),%eax doctor> .L051ctr32_bzero: doctor> movaps %xmm0,(%eax) doctor> leal 16(%eax),%eax doctor> cmpl %eax,%ebp doctor> ja .L051ctr32_bzero doctor> .L052ctr32_done: doctor> movl 16(%ebp),%ebp doctor> leal 24(%ebp),%esp doctor> movl $1,%eax doctor> leal 4(%esp),%esp doctor> emms doctor> .L046ctr32_abort: doctor> popl %edi doctor> popl %esi doctor> popl %ebx doctor> popl %ebp doctor> ret doctor> .size padlock_ctr32_encrypt,.-.L_padlock_ctr32_encrypt_begin doctor> .globl padlock_xstore doctor> .type padlock_xstore, at function doctor> .align 16 doctor> padlock_xstore: doctor> .L_padlock_xstore_begin: doctor> pushl %edi doctor> movl 8(%esp),%edi doctor> movl 12(%esp),%edx doctor> .byte 15,167,192 doctor> popl %edi doctor> ret doctor> .size padlock_xstore,.-.L_padlock_xstore_begin doctor> .type _win32_segv_handler, at function doctor> .align 16 doctor> _win32_segv_handler: doctor> movl $1,%eax doctor> movl 4(%esp),%edx doctor> movl 12(%esp),%ecx doctor> cmpl $3221225477,(%edx) doctor> jne .L053ret doctor> addl $4,184(%ecx) doctor> movl $0,%eax doctor> .L053ret: doctor> ret doctor> .size _win32_segv_handler,.-_win32_segv_handler doctor> .globl padlock_sha1_oneshot doctor> .type padlock_sha1_oneshot, at function doctor> .align 16 doctor> padlock_sha1_oneshot: doctor> .L_padlock_sha1_oneshot_begin: doctor> pushl %edi doctor> pushl %esi doctor> xorl %eax,%eax doctor> movl 12(%esp),%edi doctor> movl 16(%esp),%esi doctor> movl 20(%esp),%ecx doctor> movl %esp,%edx doctor> addl $-128,%esp doctor> movups (%edi),%xmm0 doctor> andl $-16,%esp doctor> movl 16(%edi),%eax doctor> movaps %xmm0,(%esp) doctor> movl %esp,%edi doctor> movl %eax,16(%esp) doctor> xorl %eax,%eax doctor> .byte 243,15,166,200 doctor> movaps (%esp),%xmm0 doctor> movl 16(%esp),%eax doctor> movl %edx,%esp doctor> movl 12(%esp),%edi doctor> movups %xmm0,(%edi) doctor> movl %eax,16(%edi) doctor> popl %esi doctor> popl %edi doctor> ret doctor> .size padlock_sha1_oneshot,.-.L_padlock_sha1_oneshot_begin doctor> .globl padlock_sha1_blocks doctor> .type padlock_sha1_blocks, at function doctor> .align 16 doctor> padlock_sha1_blocks: doctor> .L_padlock_sha1_blocks_begin: doctor> pushl %edi doctor> pushl %esi doctor> movl 12(%esp),%edi doctor> movl 16(%esp),%esi doctor> movl %esp,%edx doctor> movl 20(%esp),%ecx doctor> addl $-128,%esp doctor> movups (%edi),%xmm0 doctor> andl $-16,%esp doctor> movl 16(%edi),%eax doctor> movaps %xmm0,(%esp) doctor> movl %esp,%edi doctor> movl %eax,16(%esp) doctor> movl $-1,%eax doctor> .byte 243,15,166,200 doctor> movaps (%esp),%xmm0 doctor> movl 16(%esp),%eax doctor> movl %edx,%esp doctor> movl 12(%esp),%edi doctor> movups %xmm0,(%edi) doctor> movl %eax,16(%edi) doctor> popl %esi doctor> popl %edi doctor> ret doctor> .size padlock_sha1_blocks,.-.L_padlock_sha1_blocks_begin doctor> .globl padlock_sha256_oneshot doctor> .type padlock_sha256_oneshot, at function doctor> .align 16 doctor> padlock_sha256_oneshot: doctor> .L_padlock_sha256_oneshot_begin: doctor> pushl %edi doctor> pushl %esi doctor> xorl %eax,%eax doctor> movl 12(%esp),%edi doctor> movl 16(%esp),%esi doctor> movl 20(%esp),%ecx doctor> movl %esp,%edx doctor> addl $-128,%esp doctor> movups (%edi),%xmm0 doctor> andl $-16,%esp doctor> movups 16(%edi),%xmm1 doctor> movaps %xmm0,(%esp) doctor> movl %esp,%edi doctor> movaps %xmm1,16(%esp) doctor> xorl %eax,%eax doctor> .byte 243,15,166,208 doctor> movaps (%esp),%xmm0 doctor> movaps 16(%esp),%xmm1 doctor> movl %edx,%esp doctor> movl 12(%esp),%edi doctor> movups %xmm0,(%edi) doctor> movups %xmm1,16(%edi) doctor> popl %esi doctor> popl %edi doctor> ret doctor> .size padlock_sha256_oneshot,.-.L_padlock_sha256_oneshot_begin doctor> .globl padlock_sha256_blocks doctor> .type padlock_sha256_blocks, at function doctor> .align 16 doctor> padlock_sha256_blocks: doctor> .L_padlock_sha256_blocks_begin: doctor> pushl %edi doctor> pushl %esi doctor> movl 12(%esp),%edi doctor> movl 16(%esp),%esi doctor> movl 20(%esp),%ecx doctor> movl %esp,%edx doctor> addl $-128,%esp doctor> movups (%edi),%xmm0 doctor> andl $-16,%esp doctor> movups 16(%edi),%xmm1 doctor> movaps %xmm0,(%esp) doctor> movl %esp,%edi doctor> movaps %xmm1,16(%esp) doctor> movl $-1,%eax doctor> .byte 243,15,166,208 doctor> movaps (%esp),%xmm0 doctor> movaps 16(%esp),%xmm1 doctor> movl %edx,%esp doctor> movl 12(%esp),%edi doctor> movups %xmm0,(%edi) doctor> movups %xmm1,16(%edi) doctor> popl %esi doctor> popl %edi doctor> ret doctor> .size padlock_sha256_blocks,.-.L_padlock_sha256_blocks_begin doctor> .globl padlock_sha512_blocks doctor> .type padlock_sha512_blocks, at function doctor> .align 16 doctor> padlock_sha512_blocks: doctor> .L_padlock_sha512_blocks_begin: doctor> pushl %edi doctor> pushl %esi doctor> movl 12(%esp),%edi doctor> movl 16(%esp),%esi doctor> movl 20(%esp),%ecx doctor> movl %esp,%edx doctor> addl $-128,%esp doctor> movups (%edi),%xmm0 doctor> andl $-16,%esp doctor> movups 16(%edi),%xmm1 doctor> movups 32(%edi),%xmm2 doctor> movups 48(%edi),%xmm3 doctor> movaps %xmm0,(%esp) doctor> movl %esp,%edi doctor> movaps %xmm1,16(%esp) doctor> movaps %xmm2,32(%esp) doctor> movaps %xmm3,48(%esp) doctor> .byte 243,15,166,224 doctor> movaps (%esp),%xmm0 doctor> movaps 16(%esp),%xmm1 doctor> movaps 32(%esp),%xmm2 doctor> movaps 48(%esp),%xmm3 doctor> movl %edx,%esp doctor> movups 16(%edi),%xmm1 doctor> movups 32(%edi),%xmm2 doctor> movups 48(%edi),%xmm3 doctor> movaps %xmm0,(%esp) doctor> movl %esp,%edi doctor> movaps %xmm1,16(%esp) doctor> movaps %xmm2,32(%esp) doctor> movaps %xmm3,48(%esp) doctor> .byte 243,15,166,224 doctor> movaps (%esp),%xmm0 doctor> movaps 16(%esp),%xmm1 doctor> movaps 32(%esp),%xmm2 doctor> movaps 48(%esp),%xmm3 doctor> movl %edx,%esp doctor> movl 12(%esp),%edi doctor> movups %xmm0,(%edi) doctor> movups %xmm1,16(%edi) doctor> movups %xmm2,32(%edi) doctor> movups %xmm3,48(%edi) doctor> popl %esi doctor> popl %edi doctor> ret doctor> .size padlock_sha512_blocks,.-.L_padlock_sha512_blocks_begin doctor> .byte 86,73,65,32,80,97,100,108,111,99,107,32,120,56,54,32 doctor> .byte 109,111,100,117,108,101,44,32,67,82,89,80,84,79,71,65 doctor> .byte 77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101 doctor> .byte 110,115,115,108,46,111,114,103,62,0 doctor> .align 16 doctor> .data doctor> .align 4 doctor> .Lpadlock_saved_context: doctor> .long 0 doctor> gcc -I../include -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STAT doctor> IC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPE doctor> NSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -D doctor> AES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/cont doctor> rib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS doctor> -fomit-frame-pointer -O2 -march=i486 -Wall -g -c -o e_padlock-x86.o e_padlock- doctor> x86.s doctor> gcc: e_padlock-x86.s: No such file or directory doctor> gcc: no input files doctor> *** Error code 1 doctor> doctor> Stop. doctor> *** Error code 1 doctor> doctor> doctor> Please have a look. doctor> doctor> -- doctor> Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca doctor> God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! doctor> http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism doctor> Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! doctor> -- doctor> openssl-dev mailing list doctor> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev doctor> From uri at ll.mit.edu Tue Mar 8 15:51:55 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 8 Mar 2016 15:51:55 +0000 Subject: [openssl-dev] current github 1.1.0-pre "clang: error: unsupported option '--unified' Message-ID: $ ./Configure darwin64-x86_64-cc enable-rfc3779 threads zlib enable-ec_nistp_64_gcc_128 shared --prefix=/Users/ur20980/src/openssl-1.1 --openssldir=/Users/ur20980/src/openssl-1.1/etc --unified Smartmatch is experimental at ./Configure line 2144. Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib-dynamic [default] Configuring for darwin64-x86_64-cc IsMK1MF =no CC =clang CFLAG =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall --unified DEFINES =ZLIB DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG =-Wl,-search_paths_first EX_LIBS =-lz APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o PROCESSOR = RANLIB =ranlib -c ARFLAGS = PERL =/opt/local/bin/perl5 SIXTY_FOUR_BIT_LONG mode Configured for darwin64-x86_64-cc. $ make depend && make clean && make all && make test && make install rm -f libcrypto.1.1.dylib rm -f libcrypto.dylib rm -f libssl.1.1.dylib rm -f libssl.dylib rm -f libcrypto.a libssl.a rm -f apps/openssl test/afalgtest test/asynctest test/bftest test/bntest test/casttest test/clienthellotest test/constant_time_test test/ct_test test/danetest test/destest test/dhtest test/dsatest test/dtlsv1listentest test/ecdhtest test/ecdsatest test/ectest test/enginetest test/evp_extra_test test/evp_test test/exptest test/gmdifftest test/heartbeat_test test/hmactest test/ideatest test/igetest test/md2test test/md4test test/md5test test/mdc2test test/memleaktest test/nptest test/p5_crpt2_test test/packettest test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest test/ssltest test/threadstest test/v3nametest test/verify_extra_test test/wp_test rm -f `find . -name '*.d'` rm -f `find . -name '*.o'` rm -f ./core rm -f ./tags ./TAGS rm -f ./openssl.pc ./libcrypto.pc ./libssl.pc rm -f `find . -type l` rm -f ../openssl-1.1.0-pre4-dev.tar clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" -DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall --unified -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o crypto/aes/aes-x86_64.s clang: error: unsupported option '--unified' make: *** [crypto/aes/aes-x86_64.o] Error 1 $ -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From uri at ll.mit.edu Tue Mar 8 15:54:15 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 8 Mar 2016 15:54:15 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457447927840-64445.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> Message-ID: > I'm just trying to implement an RSA engine and I thought that this would be a > good start. > I tryed successfully the MD5 Engine > ple-md5-engine/> written by Richard Levitte and my next step is to build an > RSA engine > which I will use in my application. Could you please confirm that you?re doing this on OpenSSL-1.0.2? > I think my problem is simple and it's just something that I miss. Frankly, I don?t think so. But let others, who are more experienced, comment on this. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From dni.grosu at gmail.com Tue Mar 8 15:03:50 2016 From: dni.grosu at gmail.com (danigrosu) Date: Tue, 8 Mar 2016 08:03:50 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> Message-ID: <1457449430892-64449.post@n7.nabble.com> Blumenthal, Uri - 0553 - MITLL wrote > Could you please confirm that you?re doing this on OpenSSL-1.0.2? # openssl version OpenSSL 1.0.1f 6 Jan 2014 So it appears I'm working with 1.0.1. Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64449.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Tue Mar 8 16:09:29 2016 From: rt at openssl.org (Thomas Brunnthaler via RT) Date: Tue, 08 Mar 2016 16:09:29 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: <20160308143701.GD10917@mournblade.imrryr.org> <002301d1794a$e46f5f60$ad4e1e20$@nexbridge.com> Message-ID: I am unable to recompile PHP 5.2.17 VC6 TS x86 and because of my old webserver (where source is not available) i cannot upgrade to any newer version with VC9+ Is the software change in OpenSSL so dramatic, that newer releases are totally incompatible with "old" software ? 2016-03-08 16:09 GMT+01:00 Randall S. Becker via RT : > On March 8, 2016 9:37 AM, Viktor Dukhovni wrote: > > To: rt at openssl.org; openssl-dev at openssl.org > > Subject: Re: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL > > extension > > > > On Tue, Mar 08, 2016 at 01:43:48PM +0000, Thomas Brunnthaler via RT > > wrote: > > > > > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 > > VC6 > > > x86 TS. Error Message: OS cannot load %1 or so. > > > > Is this fixed by: > > > > > > https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe > > 8c75a93fded445 > > We saw this on HPE NonStop NSE on all products using the OpenSSL DLL. Our > solution was to reconfigure and rebuild OpenSSH, Curl, wget, git (to name a > few). The configure scripts detect that those methods are not present and > act appropriately. > > Cheers, > Randall > > -- Brief whoami: NonStop&UNIX developer since approximately > UNIX(421664400)/NonStop(211288444200000000) > -- In my real life, I talk too much. > > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Tue Mar 8 16:18:17 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 8 Mar 2016 16:18:17 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: <20160308143701.GD10917@mournblade.imrryr.org> <002301d1794a$e46f5f60$ad4e1e20$@nexbridge.com> Message-ID: <20160308161817.GJ10917@mournblade.imrryr.org> On Tue, Mar 08, 2016 at 04:09:29PM +0000, Thomas Brunnthaler via RT wrote: > I am unable to recompile PHP 5.2.17 VC6 TS x86 and because of my old > webserver (where source is not available) i cannot upgrade to any newer > version with VC9+ Is the software change in OpenSSL so dramatic, that > newer releases are totally incompatible with "old" software ? No, but 1.0.2g in default builds omits three previously defined functions, SSLv2_method(), SSLv2_client_method(), SSLv2_server_method(). on platforms where symbol (function name) resolution is not "lazy" (delayed to first use), programs that can but don't in practice use SSLv2 may not start when the library no longer provides these functions. > > > Is this fixed by: > > > https://github.com/openssl/openssl/commit/133138569f37d149ed1d7641fe8c75a93fded445 The commit above restores the symbols. If you could build that version (checkout from git, or apply the patch) and confirm whether the issue is resolved, that would be great. -- Viktor. commit 133138569f37d149ed1d7641fe8c75a93fded445 Author: Viktor Dukhovni Date: Mon Mar 7 21:10:38 2016 +0000 Retain SSLv2 methods as functions that return NULL This improves ABI compatibility when symbol resolution is not lazy. Reviewed-by: Richard Levitte diff --git a/ssl/s2_meth.c b/ssl/s2_meth.c index b312f17..d46e2f5 100644 --- a/ssl/s2_meth.c +++ b/ssl/s2_meth.c @@ -74,8 +74,8 @@ IMPLEMENT_ssl2_meth_func(SSLv2_method, ssl2_accept, ssl2_connect, ssl2_get_method) #else /* !OPENSSL_NO_SSL2 */ -# if PEDANTIC -static void *dummy = &dummy; -# endif +SSL_METHOD *SSLv2_method(void) { return NULL; } +SSL_METHOD *SSLv2_client_method(void) { return NULL; } +SSL_METHOD *SSLv2_server_method(void) { return NULL; } #endif From matt at openssl.org Tue Mar 8 16:22:26 2016 From: matt at openssl.org (Matt Caswell) Date: Tue, 8 Mar 2016 16:22:26 +0000 Subject: [openssl-dev] current github 1.1.0-pre "clang: error: unsupported option '--unified' In-Reply-To: References: Message-ID: <56DEFC42.8010509@openssl.org> --unified has been removed and it is now the default. If you want "old" build use --classic. Matt On 08/03/16 15:51, Blumenthal, Uri - 0553 - MITLL wrote: > $ ./Configure darwin64-x86_64-cc enable-rfc3779 threads zlib > enable-ec_nistp_64_gcc_128 shared > --prefix=/Users/ur20980/src/openssl-1.1 > --openssldir=/Users/ur20980/src/openssl-1.1/etc --unified > > Smartmatch is experimental at ./Configure line 2144. > > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > > no-egd [default] OPENSSL_NO_EGD (skip dir) > > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > > no-zlib-dynamic [default] > > Configuring for darwin64-x86_64-cc > > IsMK1MF =no > > CC =clang > > CFLAG =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall --unified > > DEFINES =ZLIB DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 > OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM > SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM > ECP_NISTZ256_ASM POLY1305_ASM > > LFLAG = > > PLIB_LFLAG =-Wl,-search_paths_first > > EX_LIBS =-lz > > APPS_OBJ = > > CPUID_OBJ =x86_64cpuid.o > > UPLINK_OBJ = > > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o > x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > > DES_ENC =des_enc.o fcrypt_b.o > > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o > aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o > > BF_ENC =bf_enc.o > > CAST_ENC =c_enc.o > > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > > RC5_ENC =rc5_enc.o > > MD5_OBJ_ASM =md5-x86_64.o > > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o > sha1-mb-x86_64.o sha256-mb-x86_64.o > > RMD160_OBJ_ASM= > > CMLL_ENC =cmll-x86_64.o cmll_misc.o > > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > > PADLOCK_OBJ =e_padlock-x86_64.o > > CHACHA_ENC =chacha-x86_64.o > > POLY1305_OBJ =poly1305-x86_64.o > > PROCESSOR = > > RANLIB =ranlib -c > > ARFLAGS = > > PERL =/opt/local/bin/perl5 > > > SIXTY_FOUR_BIT_LONG mode > > > Configured for darwin64-x86_64-cc. > > $ make depend && make clean && make all && make test && make install > > rm -f libcrypto.1.1.dylib > > rm -f libcrypto.dylib > > rm -f libssl.1.1.dylib > > rm -f libssl.dylib > > rm -f libcrypto.a libssl.a > > rm -f apps/openssl test/afalgtest test/asynctest test/bftest test/bntest > test/casttest test/clienthellotest test/constant_time_test test/ct_test > test/danetest test/destest test/dhtest test/dsatest > test/dtlsv1listentest test/ecdhtest test/ecdsatest test/ectest > test/enginetest test/evp_extra_test test/evp_test test/exptest > test/gmdifftest test/heartbeat_test test/hmactest test/ideatest > test/igetest test/md2test test/md4test test/md5test test/mdc2test > test/memleaktest test/nptest test/p5_crpt2_test test/packettest > test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test > test/rmdtest test/rsa_test test/secmemtest test/sha1test test/sha256t > test/sha512t test/srptest test/ssltest test/threadstest test/v3nametest > test/verify_extra_test test/wp_test > > rm -f `find . -name '*.d'` > > rm -f `find . -name '*.o'` > > rm -f ./core > > rm -f ./tags ./TAGS > > rm -f ./openssl.pc ./libcrypto.pc ./libssl.pc > > rm -f `find . -type l` > > rm -f ../openssl-1.1.0-pre4-dev.tar > > clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" > -DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 > -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall --unified -fPIC -Iinclude > -I. -Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT > crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o > crypto/aes/aes-x86_64.s > > clang: error: unsupported option '--unified' > > make: *** [crypto/aes/aes-x86_64.o] Error 1 > > $ > > -- > Regards, > Uri Blumenthal > > From rt at openssl.org Tue Mar 8 17:41:40 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 08 Mar 2016 17:41:40 +0000 Subject: [openssl-dev] [openssl.org #4399] OS X 10.8: Make clean is leaving build artifacts In-Reply-To: References: Message-ID: $ KERNEL_BITS=64 ./config shared ... $ make depend && make clean && make ... $ make clean rm -f libcrypto.1.1.dylib rm -f libcrypto.dylib rm -f libssl.1.1.dylib rm -f libssl.dylib rm -f libcrypto.a libssl.a rm -f apps/openssl test/afalgtest test/asynctest test/bftest test/bntest test/casttest test/clienthellotest test/constant_time_test test/ct_test test/danetest test/destest test/dhtest test/dsatest test/dtlsv1listentest test/ecdhtest test/ecdsatest test/ectest test/enginetest test/evp_extra_test test/evp_test test/exptest test/gmdifftest test/heartbeat_test test/hmactest test/ideatest test/igetest test/md2test test/md4test test/md5test test/mdc2test test/memleaktest test/nptest test/p5_crpt2_test test/packettest test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest test/ssltest test/threadstest test/v3nametest test/verify_extra_test test/wp_test rm -f `find . -name '*.d'` rm -f `find . -name '*.o'` rm -f ./core rm -f ./tags ./TAGS rm -f ./openssl.pc ./libcrypto.pc ./libssl.pc rm -f `find . -type l` rm -f ../openssl-1.1.0-pre4-dev.tar $ find . -name *.dylib ./engines/capi.dylib ./engines/dasync.dylib ./engines/ossltest.dylib ./engines/padlock.dylib $ make distclean make: *** No rule to make target 'distclean'. Stop. $ make dclean make: *** No rule to make target 'dclean'. Stop. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4399 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 8 18:30:58 2016 From: rt at openssl.org (Bill Parker via RT) Date: Tue, 08 Mar 2016 18:30:58 +0000 Subject: [openssl-dev] [openssl.org #4400] [PATCH] plug potential memory leak in OpenSSL 1.1 pre 4 In-Reply-To: References: Message-ID: Hello All, In reviewing source code in directory 'crypto/ocsp', file 'ocsp_ht.c', there is a minor flaw in the test logic which could allow a small memory leak to develop. The patch file below should address/correct this issue: --- ocsp_ht.c.orig 2016-03-08 10:24:51.821632969 -0800 +++ ocsp_ht.c 2016-03-08 10:26:32.062373052 -0800 @@ -119,13 +119,18 @@ rctx->state = OHS_ERROR; rctx->max_resp_len = OCSP_MAX_RESP_LENGTH; rctx->mem = BIO_new(BIO_s_mem()); + if (rctx->mem == NULL) + OCSP_REQ_CTX_free(rctx); + return NULL; + } rctx->io = io; if (maxline > 0) rctx->iobuflen = maxline; else rctx->iobuflen = OCSP_MAX_LINE_LEN; rctx->iobuf = OPENSSL_malloc(rctx->iobuflen); - if (rctx->iobuf == NULL || rctx->mem == NULL) { + if (rctx->iobuf == NULL) { + OCSP_REQ_CTX_free(rctx->mem); OCSP_REQ_CTX_free(rctx); return NULL; } ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4400 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ocsp_ht.c.patch Type: application/octet-stream Size: 684 bytes Desc: not available URL: From rt at openssl.org Tue Mar 8 18:58:24 2016 From: rt at openssl.org (Bill Parker via RT) Date: Tue, 08 Mar 2016 18:58:24 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'crypto/ec', file 'ec_lib.c'', there appears to be allocated memory which is not released when a return 0; is encountered in some cases of OPENSSL_malloc(). The patch file below should address/correct these minor leaks: --- ec_lib.c.orig 2016-03-08 10:46:45.885643748 -0800 +++ ec_lib.c 2016-03-08 10:53:51.196698596 -0800 @@ -231,8 +231,11 @@ if (src->generator != NULL) { if (dest->generator == NULL) { dest->generator = EC_POINT_new(dest); - if (dest->generator == NULL) + if (dest->generator == NULL) { + if (dest->mont_data != NULL) + BN_MONT_CTX_free(dest->mont_data); return 0; + } } if (!EC_POINT_copy(dest->generator, src->generator)) return 0; @@ -256,7 +259,11 @@ if (src->seed) { OPENSSL_free(dest->seed); dest->seed = OPENSSL_malloc(src->seed_len); - if (dest->seed == NULL) + if (dest->seed == NULL) { + if (dest->mont_data != NULL) + EC_POINT_clear_free(dest->mont_data); + if (dest->generator != NULL) + EC_POINT_clear_free(dest->generator); return 0; if (!memcpy(dest->seed, src->seed, src->seed_len)) return 0; ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ec_lib.c.patch Type: application/octet-stream Size: 998 bytes Desc: not available URL: From rt at openssl.org Tue Mar 8 19:10:56 2016 From: rt at openssl.org (Clemens Lang via RT) Date: Tue, 08 Mar 2016 19:10:56 +0000 Subject: [openssl-dev] [openssl.org #4397] AutoReply: BUG: 1.0.2g fails to build on Mac OS X 10.6.8 due to 0b assembly literals In-Reply-To: <20160308191048.GD63457@cBookPro.fritz.box> References: <20160304205851.GC2208@cBookPro.fritz.box> <20160308191048.GD63457@cBookPro.fritz.box> Message-ID: This was fixed in 6e42e3ff9cde43830555549fdafa2a8b37b9485b, see https://mta.openssl.org/pipermail/openssl-dev/2016-March/005758.html. This can be closed. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4397 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 8 19:17:50 2016 From: rt at openssl.org (Rich Salz via RT) Date: Tue, 08 Mar 2016 19:17:50 +0000 Subject: [openssl-dev] [openssl.org #4397] BUG: 1.0.2g fails to build on Mac OS X 10.6.8 due to 0b assembly literals In-Reply-To: <20160304205851.GC2208@cBookPro.fritz.box> References: <20160304205851.GC2208@cBookPro.fritz.box> Message-ID: Per Clemengs Lang via email: This was fixed in 6e42e3ff9cde43830555549fdafa2a8b37b9485b, see https://mta.openssl.org/pipermail/openssl-dev/2016-March/005758.html. This can be closed -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4397 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 8 20:01:21 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Tue, 08 Mar 2016 20:01:21 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> References: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > + if (dest->mont_data != NULL) > + BN_MONT_CTX_free(dest->mont_data); Free routines don't need to check for non-NULL. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From uri at ll.mit.edu Tue Mar 8 20:18:50 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 8 Mar 2016 20:18:50 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On 3/8/16, 15:01 , "openssl-dev on behalf of Salz, Rich via RT" wrote: > >> + if (dest->mont_data != NULL) >> + BN_MONT_CTX_free(dest->mont_data); > >Free routines don't need to check for non-NULL. Yes, don?t *have* to. But does it hurt to check? -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From tshort at akamai.com Tue Mar 8 20:57:07 2016 From: tshort at akamai.com (Short, Todd) Date: Tue, 8 Mar 2016 20:57:07 +0000 Subject: [openssl-dev] make depend issue: if [ Makefile -nt Makefile ] Message-ID: <1B05C047-CB6D-4082-8C8F-B5820D22AC46@akamai.com> Hi, I noticed the following oddity in commit f8d9d6e: depend: @catdepends=false; \ if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ I?m not sure of the intent or the fix, but it doesn?t seem right to compare the timestamp of a file to itself. -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Tue Mar 8 21:01:36 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 08 Mar 2016 22:01:36 +0100 (CET) Subject: [openssl-dev] make depend issue: if [ Makefile -nt Makefile ] In-Reply-To: <1B05C047-CB6D-4082-8C8F-B5820D22AC46@akamai.com> References: <1B05C047-CB6D-4082-8C8F-B5820D22AC46@akamai.com> Message-ID: <20160308.220136.1151877382389999245.levitte@openssl.org> I suggest reading the comment just above depend:, especially this: # To check if test has the file age comparison operator, we # simply try, and rely test to exit with 0 if the comparison # was true, 1 if false, and most importantly, 2 if it doesn't # recognise the operator. Comparing Makefile with Makefile is because... well, it's as good a file as any, and since the result from the operation itself isn't the important part on that line, a bit of Makefile narcissism can't hurt ;-) Cheers, Richard In message <1B05C047-CB6D-4082-8C8F-B5820D22AC46 at akamai.com> on Tue, 8 Mar 2016 20:57:07 +0000, "Short, Todd" said: tshort> Hi, tshort> tshort> I noticed the following oddity in commit f8d9d6e: tshort> tshort> depend: tshort> @catdepends=false; \ tshort> if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ tshort> tshort> I?m not sure of the intent or the fix, but it doesn?t seem right to tshort> compare the timestamp of a file to itself. tshort> tshort> -- tshort> -Todd Short tshort> // tshort at akamai.com tshort> // "One if by land, two if by sea, three if by the Internet." tshort> From tshort at akamai.com Tue Mar 8 21:13:17 2016 From: tshort at akamai.com (Short, Todd) Date: Tue, 8 Mar 2016 21:13:17 +0000 Subject: [openssl-dev] make depend issue: if [ Makefile -nt Makefile ] In-Reply-To: <20160308.220136.1151877382389999245.levitte@openssl.org> References: <1B05C047-CB6D-4082-8C8F-B5820D22AC46@akamai.com> <20160308.220136.1151877382389999245.levitte@openssl.org> Message-ID: Never mind then! :) -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." On Mar 8, 2016, at 4:01 PM, Richard Levitte > wrote: I suggest reading the comment just above depend:, especially this: # To check if test has the file age comparison operator, we # simply try, and rely test to exit with 0 if the comparison # was true, 1 if false, and most importantly, 2 if it doesn't # recognise the operator. Comparing Makefile with Makefile is because... well, it's as good a file as any, and since the result from the operation itself isn't the important part on that line, a bit of Makefile narcissism can't hurt ;-) Cheers, Richard In message <1B05C047-CB6D-4082-8C8F-B5820D22AC46 at akamai.com> on Tue, 8 Mar 2016 20:57:07 +0000, "Short, Todd" > said: tshort> Hi, tshort> tshort> I noticed the following oddity in commit f8d9d6e: tshort> tshort> depend: tshort> @catdepends=false; \ tshort> if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ tshort> tshort> I?m not sure of the intent or the fix, but it doesn?t seem right to tshort> compare the timestamp of a file to itself. tshort> tshort> -- tshort> -Todd Short tshort> // tshort at akamai.com tshort> // "One if by land, two if by sea, three if by the Internet." tshort> -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Tue Mar 8 21:44:36 2016 From: rsalz at akamai.com (Salz, Rich) Date: Tue, 8 Mar 2016 21:44:36 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <2a9dfc10ec2245668cfa9fe85049a03d@usma1ex-dag1mb1.msg.corp.akamai.com> > >> + if (dest->mont_data != NULL) > >> + BN_MONT_CTX_free(dest->mont_data); > > > >Free routines don't need to check for non-NULL. > > Yes, don?t *have* to. But does it hurt to check? It makes folks wonder why the check is only there sometimes. It adds to code complexity/test-coverage issues. From rt at openssl.org Tue Mar 8 21:51:53 2016 From: rt at openssl.org (Bill Parker via RT) Date: Tue, 08 Mar 2016 21:51:53 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: I must be brain dead today, since free'ing something that is already NULL is not a problem (geez)... Heh On Tue, Mar 8, 2016 at 12:01 PM, Salz, Rich via RT wrote: > > > + if (dest->mont_data != NULL) > > + BN_MONT_CTX_free(dest->mont_data); > > Free routines don't need to check for non-NULL. > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From pwalten at au1.ibm.com Wed Mar 9 05:30:11 2016 From: pwalten at au1.ibm.com (Peter Waltenberg) Date: Wed, 9 Mar 2016 05:30:11 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: , <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <201603090530.u295UQFo006193@d23av03.au.ibm.com> An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 9 05:41:32 2016 From: rt at openssl.org (Peter Waltenberg via RT) Date: Wed, 09 Mar 2016 05:41:32 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: <201603090530.u295UQSR001457@d23av04.au.ibm.com> References: , <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> <201603090530.u295UQSR001457@d23av04.au.ibm.com> Message-ID: No, you got that right, NULL being 'safe' to free varies with OS. But - you aren't calling free() directly, THIS makes it safe. That's one of the other benefits of having objects allocated and released by internal functions rather than doing it directly. void BN_MONT_CTX_free(BN_MONT_CTX *mont) { if (mont == NULL) return; BN_clear_free(&(mont->RR)); BN_clear_free(&(mont->N)); BN_clear_free(&(mont->Ni)); if (mont->flags & BN_FLG_MALLOCED) OPENSSL_free(mont); } -----"openssl-dev" wrote: -----From: Bill Parker via RT Sent by: "openssl-dev" Date: 03/09/2016 07:53AM Cc: openssl-dev at openssl.org Subject: Re: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' I must be brain dead today, since free'ing something that is already NULL is not a problem (geez)... Heh On Tue, Mar 8, 2016 at 12:01 PM, Salz, Rich via RT wrote: > > > + if (dest->mont_data != NULL) > > + BN_MONT_CTX_free(dest->mont_data); > > Free routines don't need to check for non-NULL. > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From dni.grosu at gmail.com Wed Mar 9 07:06:44 2016 From: dni.grosu at gmail.com (danigrosu) Date: Wed, 9 Mar 2016 00:06:44 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457449430892-64449.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457449430892-64449.post@n7.nabble.com> Message-ID: So we are stuck with this error? Since we are using OpenSSL 1.0.1, I think we can handle it. Dani Grosu On 8 March 2016 at 17:03, danigrosu [via OpenSSL] < ml-node+s6102n64449h58 at n7.nabble.com> wrote: > Blumenthal, Uri - 0553 - MITLL wrote > Could you please confirm that you?re doing this on OpenSSL-1.0.2? > > # openssl version > OpenSSL 1.0.1f 6 Jan 2014 > So it appears I'm working with 1.0.1. > > Dani Grosu > > ------------------------------ > If you reply to this email, your message will be added to the discussion > below: > > http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64449.html > To unsubscribe from Errors when loading an OpenSSL RSA Engine, click here > > . > NAML > > -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64473.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From richmoore44 at gmail.com Wed Mar 9 09:54:15 2016 From: richmoore44 at gmail.com (Richard Moore) Date: Wed, 9 Mar 2016 09:54:15 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: <201603090530.u295UQFo006193@d23av03.au.ibm.com> References: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> <201603090530.u295UQFo006193@d23av03.au.ibm.com> Message-ID: On 9 March 2016 at 05:30, Peter Waltenberg wrote: > No, you got that right, NULL being 'safe' to free varies with OS. > > ?It shouldn't if you're programming in C, from the standard (C89): The free function causes the space pointed to by ptr to be deallocated, that is, made available for further allocation. If ptr is a null pointer, no action occurs. Otherwise, if the argument does not match a pointer earlier returned by the calloc , malloc , or realloc function, or if the space has been deallocated by a call to free or realloc , the behavior is undefined. Cheers Rich.? -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 9 09:54:35 2016 From: rt at openssl.org (Richard Moore via RT) Date: Wed, 09 Mar 2016 09:54:35 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> <201603090530.u295UQFo006193@d23av03.au.ibm.com> Message-ID: On 9 March 2016 at 05:30, Peter Waltenberg wrote: > No, you got that right, NULL being 'safe' to free varies with OS. > > ?It shouldn't if you're programming in C, from the standard (C89): The free function causes the space pointed to by ptr to be deallocated, that is, made available for further allocation. If ptr is a null pointer, no action occurs. Otherwise, if the argument does not match a pointer earlier returned by the calloc , malloc , or realloc function, or if the space has been deallocated by a call to free or realloc , the behavior is undefined. Cheers Rich.? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From kotamarthyd at gmail.com Wed Mar 9 10:07:06 2016 From: kotamarthyd at gmail.com (Kanaka Kotamarthy) Date: Wed, 9 Mar 2016 15:37:06 +0530 Subject: [openssl-dev] Running against BoringSSL's SSL test suite In-Reply-To: References: Message-ID: Hi I am even testing OpenSSL with BoringSSL's test cases using Openssl-1.1.0-pre2. Trying to find out reasons of OpenSSL's failures for particular cases. DTLS 1.0 session resumption has some thing wrong. If s_server started with -dtls and s_client -dtls1 -reconnect , session resumption is not being done. The reason for this may be, version negotiation for DTLS is done after loading previous session and check for s->version and s->session->version fails in tls_process_client_hello. And also Openssl fails with Resume-Client-NoResume cases. Do you have any report on which test cases do fail and reasons for the failure? Thank you Durga. On Tue, Mar 8, 2016 at 3:19 AM, David Benjamin wrote: > Hi folks, > > So, we've by now built up a decent-sized SSL test suite in BoringSSL. I was > bored and ran it against OpenSSL master. It revealed a number of bugs. One > is https://github.com/openssl/openssl/pull/603. I'll be filing tickets > shortly for the remaining ones I've triaged, but I thought I'd send this > separately rather than duplicate it everywhere. > > Emilia also suggested there may be room to collaborate on testing. If > nothing else, just borrowing ideas or porting tests to/from your TLSProxy > setup. (Like, say, the ones that caught the bugs I'll be reporting. :-) ) > So, here's an introduction on how it all works: > > To run the tests on OpenSSL, clone BoringSSL: > https://boringssl.googlesource.com/boringssl/ > Then patch in this change. (Click the "Download" in the upper-right for > options.) > https://boringssl-review.googlesource.com/#/c/7332/ > Then follow the instructions in the commit message. > > The tests themselves and the runner logic live in ssl/test/runner/runner.go: > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 > > They work by running an unmodified TLS stack in a shim binary against a copy > of Go's. We patch our copy with options for weird behavior to test against: > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 > > Go and shim communicate entirely with sockets and (tons of) command-line > flags, though it is slightly overfit to BoringSSL's behavior and checks > error strings a lot. The shim also has options like -async mode which we use > on a subset of tests to stress state machine resumption. (This has saved me > from state machine bugs so many times.) > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 > > I hope this is useful! Bugs and patches will follow this mail, as I write > them up. > > David > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > From rt at openssl.org Wed Mar 9 13:03:29 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Wed, 09 Mar 2016 13:03:29 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: <736752c414df43f9b5e6ca34ac79e592@usma1ex-dag1mb1.msg.corp.akamai.com> References: , <3db83e38df894682849044ecc9c356a7@usma1ex-dag1mb1.msg.corp.akamai.com> <201603090530.u295UQFo006193@d23av03.au.ibm.com> <736752c414df43f9b5e6ca34ac79e592@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > No, you got that right, NULL being 'safe' to free varies with OS. Except we mandate ANSI C which means it's portable :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From dni.grosu at gmail.com Wed Mar 9 14:45:32 2016 From: dni.grosu at gmail.com (danigrosu) Date: Wed, 9 Mar 2016 07:45:32 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457447927840-64445.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> Message-ID: <1457534732287-64483.post@n7.nabble.com> danigrosu wrote > I'm just trying to implement an RSA engine and I thought that this would > be a good start. > I tryed successfully the > MD5 Engine > > written by Richard Levitte and my next step is to build an RSA engine > which I will use in my application. > > I think my problem is simple and it's just something that I miss. Relating to the MD5 Engine, I tryed to build the git version manually with these commands: $ gcc -fPIC -o rfc1321/md5c.o -c rfc1321/md5c.c $ gcc -fPIC -o md5-engine.o -c e_md5.c $ gcc -shared -o md5-engine.so -lcrypto md5-engine.o rfc1321/md5c.o ... and it failed when I tried to load the engine, but using the autotools and a few modifications it worked. So, maybe, the same problem is here, with the RSA-X engine. Maybe Mr. Levitte could clarify this. Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64483.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: From uri at ll.mit.edu Wed Mar 9 15:58:45 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Wed, 9 Mar 2016 15:58:45 +0000 Subject: [openssl-dev] Record of configuration parameters? Message-ID: Say, one configures an openssl build with parameters: ./Configure darwin-whatever ?prefix=/whereever enable-this enable-that ?etc My question is ? if after the fact I need to check what parameters exactly were passed to the configuration command, how can I do it? With ?normal? autotools, there?s a record preserved in the ?config.log? file. Is there an analog of that here? Thanks! -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From levitte at openssl.org Wed Mar 9 16:07:02 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 09 Mar 2016 17:07:02 +0100 (CET) Subject: [openssl-dev] Record of configuration parameters? In-Reply-To: References: Message-ID: <20160309.170702.1733700839108816021.levitte@openssl.org> In message on Wed, 9 Mar 2016 15:58:45 +0000, "Blumenthal, Uri - 0553 - MITLL" said: uri> Say, one configures an openssl build with parameters: uri> uri> ./Configure darwin-whatever ?prefix=/whereever enable-this enable-that uri> ?etc uri> uri> My question is ? if after the fact I need to check what parameters uri> exactly were passed to the configuration command, how can I do it? uri> With ?normal? autotools, there?s a record preserved in the uri> ?config.log? file. Is there an analog of that here? In the master branch, the best is to look in configdata.pm. $config{perlargv} contains your arguments, that line looks like this: perlargv => [ "linux-x86_64", "-Wa,--noexecstack" ], In the earlier releases, you will find the corresponding data in Makefile, such as this: CONFIGURE_ARGS=linux-x86_64 -Wa,--noexecstack Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Wed Mar 9 16:27:52 2016 From: rt at openssl.org (Rich Salz via RT) Date: Wed, 09 Mar 2016 16:27:52 +0000 Subject: [openssl-dev] [openssl.org #4186] [Patch] DSA_dup() function missing in master In-Reply-To: References: Message-ID: DSAparams_dup() meets the need, closing ticket. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4186 Please log in as guest with password guest if prompted From uri at ll.mit.edu Wed Mar 9 16:28:59 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Wed, 9 Mar 2016 16:28:59 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457534732287-64483.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> Message-ID: > Relating to the MD5 Engine, I tryed to build the git version > manually with these > commands: > $ gcc -fPIC -o rfc1321/md5c.o -c rfc1321/md5c.c > $ gcc -fPIC -o md5-engine.o -c e_md5.c > $ gcc -shared -o md5-engine.so -lcrypto md5-engine.o rfc1321/md5c.o > ... and it failed when I tried to load the engine, but using the autotools and > a few modifications it worked. When I try autotools, I get this: git clone https://github.com/engine-corner/Lesson-2-A-digest.git Cloning into 'Lesson-2-A-digest'... remote: Counting objects: 21, done. remote: Total 21 (delta 0), reused 0 (delta 0), pack-reused 21 Unpacking objects: 100% (21/21), done. Checking connectivity... done. $ cd Lesson-2-A-digest/ $ autoreconf -i aclocal: warning: couldn't open directory 'm4': No such file or directory glibtoolize: putting auxiliary files in '.'. glibtoolize: copying file './ltmain.sh' glibtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'. glibtoolize: copying file 'm4/libtool.m4' glibtoolize: copying file 'm4/ltoptions.m4' glibtoolize: copying file 'm4/ltsugar.m4' glibtoolize: copying file 'm4/ltversion.m4' glibtoolize: copying file 'm4/lt~obsolete.m4' configure.ac:18: error: possibly undefined macro: AC_MSG_FAILURE If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /opt/local/bin/autoconf failed with exit status: 1 $ You probably want to post (a) the modifications you made to autotools-whatever, and (b) the resulting compile and link commands. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From levitte at openssl.org Wed Mar 9 16:38:25 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 09 Mar 2016 17:38:25 +0100 (CET) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457534732287-64483.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> Message-ID: <20160309.173825.1637863753675413167.levitte@openssl.org> In message <1457534732287-64483.post at n7.nabble.com> on Wed, 9 Mar 2016 07:45:32 -0700 (MST), danigrosu said: dni.grosu> dni.grosu> danigrosu wrote dni.grosu> I'm just trying to implement an RSA engine and I thought that this dni.grosu> would be a good start. dni.grosu> I tryed successfully the MD5 Engine written by Richard Levitte and dni.grosu> my next step is to build an RSA engine dni.grosu> which I will use in my application. dni.grosu> dni.grosu> I think my problem is simple and it's just something that I miss. dni.grosu> dni.grosu> Relating to the MD5 Engine, I tryed to build the git version manually dni.grosu> with these commands: dni.grosu> $ gcc -fPIC -o rfc1321/md5c.o -c rfc1321/md5c.c dni.grosu> $ gcc -fPIC -o md5-engine.o -c e_md5.c dni.grosu> $ gcc -shared -o md5-engine.so -lcrypto md5-engine.o rfc1321/md5c.o dni.grosu> ... and it failed when I tried to load the engine, but using the dni.grosu> autotools and a few modifications it worked. Exactly how did it fail? It's a bit hard to diagnose unless you show us what you were told... I assume there were some error messages? dni.grosu> So, maybe, the same problem is here, with the RSA-X engine. dni.grosu> Maybe Mr. Levitte could clarify this. I'd say that my building lines worked for me ;-) Recent experience has shown me that it might not be true for everyone. libtool is good at figuring out what's needed on the local system, that's probably why you get better results that way. Cheers, Richard From rsalz at akamai.com Wed Mar 9 16:38:40 2016 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 9 Mar 2016 16:38:40 +0000 Subject: [openssl-dev] Record of configuration parameters? In-Reply-To: <20160309.170702.1733700839108816021.levitte@openssl.org> References: <20160309.170702.1733700839108816021.levitte@openssl.org> Message-ID: <346b821754c54c6a860aca3b49d5fde5@usma1ex-dag1mb1.msg.corp.akamai.com> > In the master branch, the best is to look in configdata.pm. > perlargv => [ "linux-x86_64", "-Wa,--noexecstack" ], Perhaps configdata.pm should have a comment like "# configured with ...args... At the top, to make it stand out? Or maybe even the command line to reproduce the config? From levitte at openssl.org Wed Mar 9 16:55:38 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 09 Mar 2016 17:55:38 +0100 (CET) Subject: [openssl-dev] Record of configuration parameters? In-Reply-To: <346b821754c54c6a860aca3b49d5fde5@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20160309.170702.1733700839108816021.levitte@openssl.org> <346b821754c54c6a860aca3b49d5fde5@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <20160309.175538.266782403685487028.levitte@openssl.org> In message <346b821754c54c6a860aca3b49d5fde5 at usma1ex-dag1mb1.msg.corp.akamai.com> on Wed, 9 Mar 2016 16:38:40 +0000, "Salz, Rich" said: rsalz> > In the master branch, the best is to look in configdata.pm. rsalz> > perlargv => [ "linux-x86_64", "-Wa,--noexecstack" ], rsalz> rsalz> Perhaps configdata.pm should have a comment like rsalz> "# configured with ...args... rsalz> At the top, to make it stand out? rsalz> rsalz> Or maybe even the command line to reproduce the config? You mean like this? ./Configure reconf -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rsalz at akamai.com Wed Mar 9 16:59:12 2016 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 9 Mar 2016 16:59:12 +0000 Subject: [openssl-dev] Record of configuration parameters? In-Reply-To: <20160309.175538.266782403685487028.levitte@openssl.org> References: <20160309.170702.1733700839108816021.levitte@openssl.org> <346b821754c54c6a860aca3b49d5fde5@usma1ex-dag1mb1.msg.corp.akamai.com> <20160309.175538.266782403685487028.levitte@openssl.org> Message-ID: <10e2aaef99a34f97979f689470672295@usma1ex-dag1mb1.msg.corp.akamai.com> > You mean like this? > > ./Configure reconf Yes, but folks are used to seeing it echoed into the config.status file :) From uri at ll.mit.edu Wed Mar 9 17:05:59 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Wed, 9 Mar 2016 17:05:59 +0000 Subject: [openssl-dev] Record of configuration parameters? Message-ID: <20160309170606.18296912.11660.56601@ll.mit.edu> I like very much what you suggested! Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. ? Original Message ? From: Salz, Rich Sent: Wednesday, March 9, 2016 12:02 To: openssl-dev at openssl.org Reply To: openssl-dev at openssl.org Subject: Re: [openssl-dev] Record of configuration parameters? > In the master branch, the best is to look in configdata.pm. > perlargv => [ "linux-x86_64", "-Wa,--noexecstack" ], Perhaps configdata.pm should have a comment like "# configured with ...args... At the top, to make it stand out? Or maybe even the command line to reproduce the config? -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4350 bytes Desc: not available URL: From davidben at google.com Wed Mar 9 17:08:21 2016 From: davidben at google.com (David Benjamin) Date: Wed, 09 Mar 2016 17:08:21 +0000 Subject: [openssl-dev] Running against BoringSSL's SSL test suite In-Reply-To: References: Message-ID: On Wed, Mar 9, 2016 at 5:07 AM Kanaka Kotamarthy wrote: > Hi > > I am even testing OpenSSL with BoringSSL's test cases using > Openssl-1.1.0-pre2. Trying to find out reasons of OpenSSL's failures > for particular cases. > > DTLS 1.0 session resumption has some thing wrong. If s_server started > with -dtls and s_client -dtls1 -reconnect , session resumption is not > being done. The reason for this may be, version negotiation for DTLS > is done after loading previous session and check for s->version and > s->session->version fails in tls_process_client_hello. > See RT #4392. https://rt.openssl.org/Ticket/Display.html?id=4392 > And also Openssl fails with Resume-Client-NoResume cases. Do you have > any report on which test cases do fail and reasons for the failure? > RT tickets 4387 through 4395 were the failures I've triaged. I'm sure there's more things in there to look through. I don't believe Resume-Client-NoResume fails for me. Perhaps something was fixed between master and 1.1.0-pre2. David > Thank you > Durga. > > On Tue, Mar 8, 2016 at 3:19 AM, David Benjamin > wrote: > > Hi folks, > > > > So, we've by now built up a decent-sized SSL test suite in BoringSSL. I > was > > bored and ran it against OpenSSL master. It revealed a number of bugs. > One > > is https://github.com/openssl/openssl/pull/603. I'll be filing tickets > > shortly for the remaining ones I've triaged, but I thought I'd send this > > separately rather than duplicate it everywhere. > > > > Emilia also suggested there may be room to collaborate on testing. If > > nothing else, just borrowing ideas or porting tests to/from your TLSProxy > > setup. (Like, say, the ones that caught the bugs I'll be reporting. :-) ) > > So, here's an introduction on how it all works: > > > > To run the tests on OpenSSL, clone BoringSSL: > > https://boringssl.googlesource.com/boringssl/ > > Then patch in this change. (Click the "Download" in the upper-right for > > options.) > > https://boringssl-review.googlesource.com/#/c/7332/ > > Then follow the instructions in the commit message. > > > > The tests themselves and the runner logic live in > ssl/test/runner/runner.go: > > > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 > > > > They work by running an unmodified TLS stack in a shim binary against a > copy > > of Go's. We patch our copy with options for weird behavior to test > against: > > > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 > > > > Go and shim communicate entirely with sockets and (tons of) command-line > > flags, though it is slightly overfit to BoringSSL's behavior and checks > > error strings a lot. The shim also has options like -async mode which we > use > > on a subset of tests to stress state machine resumption. (This has saved > me > > from state machine bugs so many times.) > > > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 > > > https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 > > > > I hope this is useful! Bugs and patches will follow this mail, as I write > > them up. > > > > David > > > > -- > > openssl-dev mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 9 17:27:53 2016 From: rt at openssl.org (Rich Salz via RT) Date: Wed, 09 Mar 2016 17:27:53 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: <1422347341-5962-1-git-send-email-msp@ncp-e.com> References: <1422347341-5962-1-git-send-email-msp@ncp-e.com> Message-ID: done in master with commit 60b350a3ef9620866a43358ecd1874c6fc482d9c thanks! -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 9 18:00:30 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 09 Mar 2016 18:00:30 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <201603090530.u295UQFo006193@d23av03.au.ibm.com> <736752c414df43f9b5e6ca34ac79e592@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: Geez, What did I start here (egad) :) Bill On Wed, Mar 9, 2016 at 5:03 AM, Salz, Rich via RT wrote: > > No, you got that right, NULL being 'safe' to free varies with OS. > > Except we mandate ANSI C which means it's portable :) > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 9 18:03:09 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 09 Mar 2016 18:03:09 +0000 Subject: [openssl-dev] [openssl.org #4402] [PATCH] Missing Sanity Check for BN_new in 'apps/prime.c' for OpenSSL-1.1 pre4 In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'apps', file 'prime.c', there is a call to BN_new() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- prime.c.orig 2016-03-08 16:13:24.841500061 -0800 +++ prime.c 2016-03-08 16:15:33.587863062 -0800 @@ -122,6 +122,10 @@ goto end; } bn = BN_new(); + if (bn == NULL) { + BIO_printf(bio_err, "Out of memory\n"); + goto end; + } BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL); s = hex ? BN_bn2hex(bn) : BN_bn2dec(bn); BIO_printf(bio_out, "%s\n", s); ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4402 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: prime.c.patch Type: application/octet-stream Size: 422 bytes Desc: not available URL: From rt at openssl.org Wed Mar 9 18:04:35 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 09 Mar 2016 18:04:35 +0000 Subject: [openssl-dev] [openssl.org #4403] [PATCH] prevent OPENSSL_realloc() from clobbering old pointer value on failure in OpenSSL-1.1 pre-4 In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'crypto/modes', file 'ocb128.c', there is a call to OPENSSL_realloc() which has the potential to clobber the old value of variable 'ctx->l', if the call returns NULL. The patch file below uses a void *tmp_ptr to prevent this from occuring: --- ocb128.c.orig 2016-03-08 16:29:47.856436204 -0800 +++ ocb128.c 2016-03-08 16:31:51.241117763 -0800 @@ -140,6 +140,7 @@ static OCB_BLOCK *ocb_lookup_l(OCB128_CONTEXT *ctx, size_t idx) { size_t l_index = ctx->l_index; + void *tmp_ptr; if (idx <= l_index) { return ctx->l + idx; @@ -157,10 +158,11 @@ * the index. */ ctx->max_l_index += (idx - ctx->max_l_index + 4) & ~3; - ctx->l = + tmp_ptr = OPENSSL_realloc(ctx->l, ctx->max_l_index * sizeof(OCB_BLOCK)); - if (ctx->l == NULL) + if (tmp_ptr == NULL) /* prevent ctx->l from being clobbered */ return NULL; + ctx->l = tmp_ptr; } while (l_index < idx) { ocb_double(ctx->l + l_index, ctx->l + l_index + 1); -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4403 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ocb128.c.patch Type: application/octet-stream Size: 785 bytes Desc: not available URL: From rt at openssl.org Wed Mar 9 18:05:25 2016 From: rt at openssl.org (Bill Parker via RT) Date: Wed, 09 Mar 2016 18:05:25 +0000 Subject: [openssl-dev] [openssl.org #4404] [PATCH] Missing Sanity Check for OPENSSL_strdup() in OpenSSL-1.1 pre-4 In-Reply-To: References: Message-ID: Hello All, In reviewing code in directory 'crypto/conf', file 'conf_mod.c', there is a call to OPENSSL_strdup() which is not checked for a return value of NULL, indicating failure. The patch file below adds the test, and releases the previously allocated memory assigned to 'tmod': --- conf_mod.c.orig 2016-03-08 18:05:52.017031376 -0800 +++ conf_mod.c 2016-03-08 18:08:22.865203402 -0800 @@ -284,6 +284,10 @@ tmod->dso = dso; tmod->name = OPENSSL_strdup(name); + if (tmod->name == NULL) { + OPENSSL_free(tmod); + return NULL; + } tmod->init = ifunc; tmod->finish = ffunc; ======================================================================= Bill Parker (wp02855 at gmail dot com) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4404 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl11-conf_mod.c.patch Type: application/octet-stream Size: 321 bytes Desc: not available URL: From dni.grosu at gmail.com Wed Mar 9 17:19:49 2016 From: dni.grosu at gmail.com (danigrosu) Date: Wed, 9 Mar 2016 10:19:49 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> Message-ID: <1457543989853-64500.post@n7.nabble.com> Blumenthal, Uri - 0553 - MITLL wrote > You probably want to post (a) the modifications you made to > autotools-whatever, and (b) the resulting compile and link commands. The answer of this question (asked by me) helped me to solve the problem. Richard Levitte - VMS wrote > Exactly how did it fail? It's a bit hard to diagnose unless you show > us what you were told... I assume there were some error messages? This is what I get if I use the the git version: ... and if I use the blog code for the e_md5.c file (called md5-engine.c on the blog) it simply works with the same commands. As I said above, I had to make some modifications in order to build the engine using autotools. Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64500.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From dni.grosu at gmail.com Wed Mar 9 17:57:35 2016 From: dni.grosu at gmail.com (danigrosu) Date: Wed, 9 Mar 2016 10:57:35 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <20160309.173825.1637863753675413167.levitte@openssl.org> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> <20160309.173825.1637863753675413167.levitte@openssl.org> Message-ID: <1457546255766-64501.post@n7.nabble.com> In git version, if I comment the block / if (id && strcmp(id, engine_id)) { fprintf(stderr, "MD5 engine called with the unexpected id %s\n", id); fprintf(stderr, "The expected id is %s\n", engine_id); goto end; }/ ... then I type /$ gcc -fPIC -o rfc1321/md5c.o -c rfc1321/md5c.c $ gcc -fPIC -o md5-engine.o -c e_md5.c $ gcc -shared -o md5-engine.so -lcrypto md5-engine.o rfc1321/md5c.o $ echo whatever | openssl dgst -engine `pwd`/md5-engine.so -md5 engine "emd5" set. (stdin)= d8d77109f4a24efc3bd53d7cabb7ee35/ ... everithing goes well Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64501.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From rt at openssl.org Wed Mar 9 19:00:17 2016 From: rt at openssl.org (Paul Kehrer via RT) Date: Wed, 09 Mar 2016 19:00:17 +0000 Subject: [openssl-dev] [openssl.org #4405] 1.1.0 compile failure with no-comp In-Reply-To: References: Message-ID: When trying to compile 1.1.0 with no-comp no-shared flags current master fails with the following error on linux: ./libcrypto.so: undefined reference to `COMP_zlib_cleanup' collect2: error: ld returned 1 exit status And perhaps a more instructive one on OS X: Undefined symbols for architecture x86_64: ? "_COMP_zlib_cleanup", referenced from: ? ? ? _OPENSSL_cleanup in libcrypto.a(init.o) ld: symbol(s) not found for architecture x86_64 clang: error: linker command failed with exit code 1 (use -v to see invocation) make[1]: *** [link_dso.darwin] Error 1 make: *** [engines/dasync.dylib] Error 2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4405 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 9 19:10:08 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Wed, 09 Mar 2016 19:10:08 +0000 Subject: [openssl-dev] [openssl.org #4276] AutoReply: Possible bug - ts -verify -digest, error:ts_rsp_verify.c:291: In-Reply-To: <7ffbcf8a04ed42cd9dc9a93781d838c5@usma1ex-dag1mb1.msg.corp.akamai.com> References: <56AA3226.3060801@andifyou.com> <56C47A52.6090404@andifyou.com> <56CC3593.9040709@andifyou.com> <7ffbcf8a04ed42cd9dc9a93781d838c5@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: TS is not a high priority for the OpenSSL team. A month is not a long time. We are busy right now working on the next release. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4276 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 9 19:41:17 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Wed, 09 Mar 2016 19:41:17 +0000 Subject: [openssl-dev] [openssl.org #4355] OpenSSL 1.0.2 branch fails to build with MSVC In-Reply-To: <20160309194113.GA21015@roeckx.be> References: <1405509101.5.1456612972774.JavaMail.jenkins@kicadjenkins> <56D2EE94.1050309@hogyros.de> <20160309194113.GA21015@roeckx.be> Message-ID: On Sun, Feb 28, 2016 at 02:33:34PM +0000, Simon Richter via RT wrote: > Hi, > > I just got this from our Jenkins instance that follows OpenSSL 1.0.2: That should have been fixed some time ago, but it seems your mail only got here today. Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4355 Please log in as guest with password guest if prompted From uri at ll.mit.edu Wed Mar 9 20:17:58 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Wed, 9 Mar 2016 20:17:58 +0000 Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457546255766-64501.post@n7.nabble.com> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> <20160309.173825.1637863753675413167.levitte@openssl.org> <1457546255766-64501.post@n7.nabble.com> Message-ID: On 3/9/16, 12:57 , "openssl-dev on behalf of danigrosu" wrote: >In git version, if I comment the block... I found that was not necessary. But autotools setup did not work (see my previous post in this thread). Perhaps Richard could shed some light on that. $ echo whatever | OPENSSL_ENGINES=. openssl dgst -md5 -engine emd5 engine "emd5" set. (stdin)= d8d77109f4a24efc3bd53d7cabb7ee35 $ Regarding RSA-X engine, it lacks the dynamic binding code necessary for being loaded, etc. That?s why it fails to load. Check the contents of e_md5.c and eng_rsax.c for differences. $ OPENSSL_ENGINES=. openssl engine -t -c rsax (rsax) RSAX engine support [RSA] [ available ] $ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From levitte at openssl.org Wed Mar 9 20:41:55 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 09 Mar 2016 21:41:55 +0100 (CET) Subject: [openssl-dev] Record of configuration parameters? In-Reply-To: <20160309170606.18296912.11660.56601@ll.mit.edu> References: <20160309170606.18296912.11660.56601@ll.mit.edu> Message-ID: <20160309.214155.710452179738041939.levitte@openssl.org> That would be doable. A fairly simple perl fragment in Configurations/unix-template.tmpl and the others would do. In message <20160309170606.18296912.11660.56601 at ll.mit.edu> on Wed, 9 Mar 2016 17:05:59 +0000, "Blumenthal, Uri - 0553 - MITLL" said: uri> I like very much what you suggested! uri> uri> Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. uri> ? Original Message ? uri> From: Salz, Rich uri> Sent: Wednesday, March 9, 2016 12:02 uri> To: openssl-dev at openssl.org uri> Reply To: openssl-dev at openssl.org uri> Subject: Re: [openssl-dev] Record of configuration parameters? uri> uri> > In the master branch, the best is to look in configdata.pm. uri> > perlargv => [ "linux-x86_64", "-Wa,--noexecstack" ], uri> uri> Perhaps configdata.pm should have a comment like uri> "# configured with ...args... uri> At the top, to make it stand out? uri> uri> Or maybe even the command line to reproduce the config? uri> -- uri> openssl-dev mailing list uri> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev uri> From levitte at openssl.org Wed Mar 9 20:55:16 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 09 Mar 2016 21:55:16 +0100 (CET) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457543989853-64500.post@n7.nabble.com> <1457546255766-64501.post@n7.nabble.com> References: <1457534732287-64483.post@n7.nabble.com> <1457543989853-64500.post@n7.nabble.com> Message-ID: <20160309.215516.204547014161263567.levitte@openssl.org> In message <1457543989853-64500.post at n7.nabble.com> on Wed, 9 Mar 2016 10:19:49 -0700 (MST), danigrosu said: dni.grosu> Richard Levitte - VMS wrote dni.grosu> > Exactly how did it fail? It's a bit hard to diagnose unless you show dni.grosu> > us what you were told... I assume there were some error messages? dni.grosu> dni.grosu> This is what I get if I use the the git version: dni.grosu> dni.grosu> ... and if I use the blog code for the e_md5.c file (called md5-engine.c on dni.grosu> the blog) dni.grosu> it simply works with the same commands. As I said above, I had to make some dni.grosu> modifications in order to build the engine using autotools. and you discovered why on your own: In message <1457546255766-64501.post at n7.nabble.com> on Wed, 9 Mar 2016 10:57:35 -0700 (MST), danigrosu said: dni.grosu> In git version, if I comment the block dni.grosu> dni.grosu> / if (id && strcmp(id, engine_id)) { dni.grosu> fprintf(stderr, "MD5 engine called with the unexpected id %s\n", id); dni.grosu> fprintf(stderr, "The expected id is %s\n", engine_id); dni.grosu> goto end; dni.grosu> }/ dni.grosu> dni.grosu> ... then I type dni.grosu> dni.grosu> /$ gcc -fPIC -o rfc1321/md5c.o -c rfc1321/md5c.c dni.grosu> $ gcc -fPIC -o md5-engine.o -c e_md5.c dni.grosu> $ gcc -shared -o md5-engine.so -lcrypto md5-engine.o rfc1321/md5c.o dni.grosu> dni.grosu> $ echo whatever | openssl dgst -engine `pwd`/md5-engine.so -md5 dni.grosu> engine "emd5" set. dni.grosu> (stdin)= d8d77109f4a24efc3bd53d7cabb7ee35/ dni.grosu> dni.grosu> ... everithing goes well Yes. The check that you commented away isn't strictly necessary, it's very much a paranoid check. Did you notice how, in the README, the example call is this? $ OPENSSL_ENGINES=.libs openssl engine -t -c emd5 The id that the engine's init function receives is exactly what the openssl app receives as an engine name on the command line, so if you give it the full path variant (like in my blog), that's what it gets, and if you do it with the OPENSSL_ENGINES env variable, it will get the name you gave ("emd5" in the example above). But yeah, strictly speaking, the id check in the engine's init function is not necessary. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Wed Mar 9 22:32:46 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Wed, 9 Mar 2016 17:32:46 -0500 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: Message-ID: On Tue, Mar 8, 2016 at 8:43 AM, Thomas Brunnthaler via RT wrote: > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 VC6 > x86 TS. Error Message: OS cannot load %1 or so. > Is it possible to release an out-of-band update for this fix? Many folks are experiencing pain points because of it. See, for example: * http://stackoverflow.com/q/35895377/608639 * http://stackoverflow.com/q/35880228/608639 Jeff From rt at openssl.org Wed Mar 9 22:33:06 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 09 Mar 2016 22:33:06 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: Message-ID: On Tue, Mar 8, 2016 at 8:43 AM, Thomas Brunnthaler via RT wrote: > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 VC6 > x86 TS. Error Message: OS cannot load %1 or so. > Is it possible to release an out-of-band update for this fix? Many folks are experiencing pain points because of it. See, for example: * http://stackoverflow.com/q/35895377/608639 * http://stackoverflow.com/q/35880228/608639 Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 9 22:39:57 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 09 Mar 2016 22:39:57 +0000 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: Working from Master: $ git reset --hard HEAD HEAD is now at 64b9d84 When grepping something starting with a dash, remember to use -e $ git pull Already up-to-date. And then: $ ./config ... $ make depend && make clean && make ... gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/cast/c_skey.o crypto/cast/c_skey.c gcc -E crypto/chacha/chacha-armv8.S > crypto/chacha/chacha-armv8.s crypto/chacha/chacha-armv8.S:1:22: fatal error: arm_arch.h: No such file or directory #include "arm_arch.h" ^ compilation terminated. : recipe for target 'crypto/chacha/chacha-armv8.s' failed ********** $ ./config Operating system: aarch64-whatever-linux2 Configuring for linux-aarch64 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-aarch64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM VPAES_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =armcap.o arm64cpuid.o mem_clr.o UPLINK_OBJ = BN_ASM =bn_asm.o armv8-mont.o EC_ASM =ecp_nistz256.o ecp_nistz256-armv8.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aesv8-armx.o vpaes-armv8.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-armv8.o sha256-armv8.o sha512-armv8.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashv8-armx.o PADLOCK_OBJ = CHACHA_ENC =chacha-armv8.o POLY1305_OBJ =poly1305-armv8.o PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-aarch64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4406 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 9 22:49:15 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Wed, 09 Mar 2016 22:49:15 +0000 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: <20160309.234912.1082908085423010236.levitte@openssl.org> References: <20160309.234912.1082908085423010236.levitte@openssl.org> Message-ID: In message on Wed, 09 Mar 2016 22:39:57 +0000, "noloader at gmail.com via RT" said: rt> Working from Master: rt> rt> $ git reset --hard HEAD rt> HEAD is now at 64b9d84 When grepping something starting with a rt> dash, remember to use -e rt> $ git pull rt> Already up-to-date. rt> rt> And then: rt> rt> $ ./config rt> ... rt> $ make depend && make clean && make rt> ... rt> rt> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS rt> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT rt> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM rt> -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" rt> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread rt> -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o rt> crypto/cast/c_skey.o crypto/cast/c_skey.c rt> gcc -E crypto/chacha/chacha-armv8.S > crypto/chacha/chacha-armv8.s rt> crypto/chacha/chacha-armv8.S:1:22: fatal error: arm_arch.h: No such rt> file or directory rt> #include "arm_arch.h" rt> ^ rt> compilation terminated. rt> : recipe for target 'crypto/chacha/chacha-armv8.s' failed Ah, that's a bug in Configurations/unix-Makefile.tmpl, and probably also in Configurations/common.tmpl. Include dirs need to be passed to generatesrc() as well... Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4406 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Wed Mar 9 23:22:43 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Thu, 10 Mar 2016 00:22:43 +0100 Subject: [openssl-dev] [openssl-commits] [openssl] master update In-Reply-To: <1457560405.058739.32484.nullmailer@dev.openssl.org> References: <1457560405.058739.32484.nullmailer@dev.openssl.org> Message-ID: <56E0B043.40404@kippdata.de> Am 09.03.2016 um 22:53 schrieb Richard Levitte: > The branch master has been updated > via 64b9d84bfd0da0305a1df9b97ffbdc3898f59e62 (commit) > from 2b8fa1d56cd3a41d666994a1b2ed9df0f5e5d1ec (commit) > > > - Log ----------------------------------------------------------------- > commit 64b9d84bfd0da0305a1df9b97ffbdc3898f59e62 > Author: Richard Levitte > Date: Wed Mar 9 22:34:27 2016 +0100 > > When grepping something starting with a dash, remember to use -e Strictly speaking "grep -e" has another meaning. If a leading dash is the only problem to fix, one can use "grep --", so the below would become if echo "$CONFIG_OPTS" | grep -- "--classic" >/dev/null; then Regards, Rainer > Reviewed-by: Viktor Dukhovni > > ----------------------------------------------------------------------- > > Summary of changes: > .travis.yml | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/.travis.yml b/.travis.yml > index ce7e208..0865817 100644 > --- a/.travis.yml > +++ b/.travis.yml > @@ -60,7 +60,7 @@ matrix: > before_script: > - sh .travis-create-release.sh $TRAVIS_OS_NAME > - tar -xvzf _srcdist.tar.gz > - - if echo "$CONFIG_OPTS" | grep "--classic" >/dev/null; then > + - if echo "$CONFIG_OPTS" | grep -e "--classic" >/dev/null; then > srcdir=.; > cd _srcdist; > else > @@ -83,7 +83,7 @@ before_script: > - cd .. > > script: > - - if echo "$CONFIG_OPTS" | grep "--classic" >/dev/null; then > + - if echo "$CONFIG_OPTS" | grep -e "--classic" >/dev/null; then > cd _srcdist; > else > cd _build; From rt at openssl.org Wed Mar 9 23:50:40 2016 From: rt at openssl.org (Dr. Matthias St. Pierre via RT) Date: Wed, 09 Mar 2016 23:50:40 +0000 Subject: [openssl-dev] [openssl.org #3676] Resolved: [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: <1E23EFC52F00C649B69F652AFD284ABD3786599BFB@ex07.ncp.local> References: <1E23EFC52F00C649B69F652AFD284ABD3786599BFB@ex07.ncp.local> Message-ID: > According to our records, your request has been resolved. If you have any > further questions or concerns, please respond to this message. Thanks a lot for finally adding the patch. Since our software is not ready for version 1.1 yet, I can't try it directly with the master, but I will backport it for us to 1.0.2. Reviewing the commit everything looks perfect, except for a small omission: You probably overlooked the changes for exporting the DHparameters. According to Stephen, > The fact we don't export the DHparameters item I'd regard as a bug which should be fixed. Essentually it's the following changes to dh.h and libcrypto.num (formerly libeay.num), which are missing: include/openssl/dh.h: ==================== +#include ... +DECLARE_ASN1_ITEM(DHparams) util/libcrypto.num: ================== +DHparams_it 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DH +DHparams_it 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DH Regards, Matthias St. Pierre -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 01:02:32 2016 From: rt at openssl.org (Basney, Jim via RT) Date: Thu, 10 Mar 2016 01:02:32 +0000 Subject: [openssl-dev] [openssl.org #4407] avoid double-free in callers to OCSP_parse_url In-Reply-To: References: Message-ID: https://github.com/openssl/openssl/pull/837 This patch sets the path, port, and host parameters to NULL after they are freed in OCSP_parse_url, before they are returned to the caller, so the caller won't try to free them again. Thanks, Jim -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4407 Please log in as guest with password guest if prompted From levitte at openssl.org Thu Mar 10 02:46:52 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 10 Mar 2016 03:46:52 +0100 Subject: [openssl-dev] Still seeing this in openssl-SNAP-20160221 Re: Openssl SNAP 20160220 issues In-Reply-To: <20160221140919.GA18764@doctor.nl2k.ab.ca> References: <20160220134722.GA10611@doctor.nl2k.ab.ca> <20160221140919.GA18764@doctor.nl2k.ab.ca> Message-ID: <690F1D2D-EEF6-4B6F-BC59-A7A803E4C5A6@openssl.org> Hi, If you send me these two files, I'll see if I can figure out what's going on: configdata.pm Makefile Cheers Richard On February 21, 2016 3:09:19 PM GMT+01:00, The Doctor wrote: >On Sat, Feb 20, 2016 at 06:47:22AM -0700, The Doctor wrote: >> Major shop stopper >> >> ../test/recipes/30-test_pbelu.t ........... >> 1..1 >> ./pbelutest: can't load library 'ssl.so.1.1' >> not ok 1 - running pbelutest >> >> # Failed test 'running pbelutest' >> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >> # Looks like you failed 1 test of 1. >> Dubious, test returned 1 (wstat 256, 0x100) >> Failed 1/1 subtests >> ../test/recipes/40-test_rehash.t .......... ../apps/openssl: can't >load library 'ssl.so.1.1' >> >> 1..0 # SKIP test_rehash is not available on this platform >> skipped: test_rehash is not available on this platform >> ../test/recipes/70-test_clienthello.t ..... >> 1..1 >> ./clienthellotest: can't load library 'ssl.so.1.1' >> not ok 1 - running clienthellotest >> >> # Failed test 'running clienthellotest' >> # at ../test/recipes/70-test_clienthello.t line 13. >> # Looks like you failed 1 test of 1. >> Dubious, test returned 1 (wstat 256, 0x100) >> Failed 1/1 subtests >> ../test/recipes/70-test_packet.t .......... >> 1..1 >> ./packettest: can't load library 'ssl.so.1.1' >> not ok 1 - running packettest >> >> # Failed test 'running packettest' >> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >> # Looks like you failed 1 test of 1. >> Dubious, test returned 1 (wstat 256, 0x100) >> Failed 1/1 subtests >> ../test/recipes/70-test_sslcertstatus.t ... >> 1..1 >> Proxy started on port 4453 >> ../apps/openssl: can't load library 'ssl.so.1.1' >> ../apps/openssl: can't load library 'ssl.so.1.1' >> >> -- >> Member - Liberal International This is doctor@@nl2k.ab.ca Ici >doctor@@nl2k.ab.ca >> God,Queen and country!Never Satan President Republic!Beware >AntiChrist rising! >> http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on >Atheism >> Broadcasting the truth for 25 years >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > >And again today > > >Script started on Sun Feb 21 05:56:21 2016 >ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160221$ HARNESS_VERBOSE=yes >make test >ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160221$ >HARNESS_VERBOSE=yes make test > >{cut irrelevant recoding out] > >TOP=.. PERL=/usr/bin/perl5 /usr/bin/perl5 run_tests.pl alltests >../test/recipes/01-test_ordinals.t ........ >1..2 >ok 1 - Test libeay.num >ok 2 - Test ssleay.num >ok >../test/recipes/05-test_bf.t .............. >1..1 >./bftest: can't load library 'ssl.so.1.1' >not ok 1 - running bftest > ># Failed test 'running bftest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_cast.t ............ >1..1 >./casttest: can't load library 'ssl.so.1.1' >not ok 1 - running casttest > ># Failed test 'running casttest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_des.t ............. >1..1 >./destest: can't load library 'ssl.so.1.1' >not ok 1 - running destest > ># Failed test 'running destest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_hmac.t ............ >1..1 >./hmactest: can't load library 'ssl.so.1.1' >not ok 1 - running hmactest > ># Failed test 'running hmactest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_idea.t ............ >1..1 >./ideatest: can't load library 'ssl.so.1.1' >not ok 1 - running ideatest > ># Failed test 'running ideatest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_md2.t ............. >1..0 # SKIP md2 is not supported by this OpenSSL build >skipped: md2 is not supported by this OpenSSL build >../test/recipes/05-test_md4.t ............. >1..1 >./md4test: can't load library 'ssl.so.1.1' >not ok 1 - running md4test > ># Failed test 'running md4test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_md5.t ............. >1..1 >./md5test: can't load library 'ssl.so.1.1' >not ok 1 - running md5test > ># Failed test 'running md5test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_mdc2.t ............ >1..1 >./mdc2test: can't load library 'ssl.so.1.1' >not ok 1 - running mdc2test > ># Failed test 'running mdc2test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_rand.t ............ >1..1 >./randtest: can't load library 'ssl.so.1.1' >not ok 1 - running randtest > ># Failed test 'running randtest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_rc2.t ............. >1..1 >./rc2test: can't load library 'ssl.so.1.1' >not ok 1 - running rc2test > ># Failed test 'running rc2test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_rc4.t ............. >1..1 >./rc4test: can't load library 'ssl.so.1.1' >not ok 1 - running rc4test > ># Failed test 'running rc4test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_rc5.t ............. >1..1 >./rc5test: can't load library 'ssl.so.1.1' >not ok 1 - running rc5test > ># Failed test 'running rc5test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_rmd.t ............. >1..1 >./rmdtest: can't load library 'ssl.so.1.1' >not ok 1 - running rmdtest > ># Failed test 'running rmdtest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_sha1.t ............ >1..1 >./sha1test: can't load library 'ssl.so.1.1' >not ok 1 - running sha1test > ># Failed test 'running sha1test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_sha256.t .......... >1..1 >./sha256t: can't load library 'ssl.so.1.1' >not ok 1 - running sha256t > ># Failed test 'running sha256t' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_sha512.t .......... >1..1 >./sha512t: can't load library 'ssl.so.1.1' >not ok 1 - running sha512t > ># Failed test 'running sha512t' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/05-test_wp.t .............. >1..1 >./wp_test: can't load library 'ssl.so.1.1' >not ok 1 - running wp_test > ># Failed test 'running wp_test' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/10-test_bn.t .............. >1..3 >ok 1 - require '../test/recipes/bc.pl'; >./bntest: can't load library 'ssl.so.1.1' >not ok 2 - initialize > ># Failed test 'initialize' ># at ../test/recipes/10-test_bn.t line 17. >ok 3 # skip Initializing failed, skipping ># Looks like you failed 1 test of 3. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/3 subtests > (less 1 skipped subtest: 1 okay) >../test/recipes/10-test_exp.t ............. >1..1 >./exptest: can't load library 'ssl.so.1.1' >not ok 1 - running exptest > ># Failed test 'running exptest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/15-test_dh.t .............. >1..1 >./dhtest: can't load library 'ssl.so.1.1' >not ok 1 - running dhtest > ># Failed test 'running dhtest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/15-test_dsa.t ............. >1..6 >ok 1 - require '../test/recipes/tconversion.pl'; >./dsatest: can't load library 'ssl.so.1.1' >not ok 2 - running dsatest > ># Failed test 'running dsatest' ># at ../test/recipes/15-test_dsa.t line 16. >./dsatest: can't load library 'ssl.so.1.1' >not ok 3 - running dsatest -app2_1 > ># Failed test 'running dsatest -app2_1' ># at ../test/recipes/15-test_dsa.t line 17. > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 4 - dsa conversions -- private key > ># Failed test 'dsa conversions -- private key' ># at ../test/recipes/15-test_dsa.t line 25. > 1..10 >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 1 - initializing > > # Failed test 'initializing' > # at ../test/recipes/tconversion.pl line 39. > ok 2 # skip Not initialized, skipping... > ok 3 # skip Not initialized, skipping... > ok 4 # skip Not initialized, skipping... > ok 5 # skip Not initialized, skipping... > ok 6 # skip Not initialized, skipping... > ok 7 # skip Not initialized, skipping... > ok 8 # skip Not initialized, skipping... > ok 9 # skip Not initialized, skipping... > ok 10 # skip Not initialized, skipping... > ok 11 # skip Not initialized, skipping... > ok 12 # skip Not initialized, skipping... > ok 13 # skip Not initialized, skipping... > ok 14 # skip Not initialized, skipping... > ok 15 # skip Not initialized, skipping... > ok 16 # skip Not initialized, skipping... > ok 17 # skip Not initialized, skipping... > ok 18 # skip Not initialized, skipping... > ok 19 # skip Not initialized, skipping... > ok 20 # skip Not initialized, skipping... > ok 21 # skip Not initialized, skipping... > ok 22 # skip Not initialized, skipping... > ok 23 # skip Not initialized, skipping... >not ok 5 - dsa conversions -- private key PKCS\#8 > 1..10 > # Trying to copy ../test/testdsa.pem to dsa-fff.p : Illegal seek > # Looks like you planned 10 tests but ran 23. > # Looks like you failed 1 test of 23 run. > ># Failed test 'dsa conversions -- private key PKCS\#8' ># at ../test/recipes/15-test_dsa.t line 28. > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 6 - dsa conversions -- public key > ># Failed test 'dsa conversions -- public key' ># at ../test/recipes/15-test_dsa.t line 32. ># Looks like you failed 5 tests of 6. >Dubious, test returned 5 (wstat 1280, 0x500) >Failed 5/6 subtests >../test/recipes/15-test_ec.t .............. >1..5 >ok 1 - require '../test/recipes/tconversion.pl'; >./ectest: can't load library 'ssl.so.1.1' >not ok 2 - running ectest > ># Failed test 'running ectest' ># at ../test/recipes/15-test_ec.t line 16. > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 3 - ec conversions -- private key > ># Failed test 'ec conversions -- private key' ># at ../test/recipes/15-test_ec.t line 24. > 1..10 >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 1 - initializing > > # Failed test 'initializing' > # at ../test/recipes/tconversion.pl line 39. > # Trying to copy ../test/testec-p256.pem to ec-fff.p : Illegal seek > ok 2 # skip Not initialized, skipping... > ok 3 # skip Not initialized, skipping... > ok 4 # skip Not initialized, skipping... > ok 5 # skip Not initialized, skipping... > ok 6 # skip Not initialized, skipping... > ok 7 # skip Not initialized, skipping... > ok 8 # skip Not initialized, skipping... > ok 9 # skip Not initialized, skipping... > ok 10 # skip Not initialized, skipping... > ok 11 # skip Not initialized, skipping... > ok 12 # skip Not initialized, skipping... > ok 13 # skip Not initialized, skipping... > ok 14 # skip Not initialized, skipping... > ok 15 # skip Not initialized, skipping... > ok 16 # skip Not initialized, skipping... > ok 17 # skip Not initialized, skipping... > ok 18 # skip Not initialized, skipping... > ok 19 # skip Not initialized, skipping... > ok 20 # skip Not initialized, skipping... > ok 21 # skip Not initialized, skipping... > ok 22 # skip Not initialized, skipping... > ok 23 # skip Not initialized, skipping... >not ok 4 - ec conversions -- private key PKCS\#8 > 1..10 > # Looks like you planned 10 tests but ran 23. > # Looks like you failed 1 test of 23 run. > ># Failed test 'ec conversions -- private key PKCS\#8' ># at ../test/recipes/15-test_ec.t line 27. > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 5 - ec conversions -- public key > ># Failed test 'ec conversions -- public key' ># at ../test/recipes/15-test_ec.t line 30. ># Looks like you failed 4 tests of 5. >Dubious, test returned 4 (wstat 1024, 0x400) >Failed 4/5 subtests >../test/recipes/15-test_ecdh.t ............ >1..1 >./ecdhtest: can't load library 'ssl.so.1.1' >not ok 1 - running ecdhtest > ># Failed test 'running ecdhtest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/15-test_ecdsa.t ........... >1..1 >./ecdsatest: can't load library 'ssl.so.1.1' >not ok 1 - running ecdsatest > ># Failed test 'running ecdsatest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/15-test_rsa.t ............. >1..5 >ok 1 - require '../test/recipes/tconversion.pl'; >./rsa_test: can't load library 'ssl.so.1.1' >not ok 2 - running rsatest > ># Failed test 'running rsatest' ># at ../test/recipes/15-test_rsa.t line 16. > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 3 - rsa conversions -- private key > ># Failed test 'rsa conversions -- private key' ># at ../test/recipes/15-test_rsa.t line 24. > 1..10 >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 1 - initializing > > # Failed test 'initializing' > # at ../test/recipes/tconversion.pl line 39. > # Trying to copy ../test/testrsa.pem to rsa-fff.p : Illegal seek > ok 2 # skip Not initialized, skipping... > ok 3 # skip Not initialized, skipping... > ok 4 # skip Not initialized, skipping... > ok 5 # skip Not initialized, skipping... > ok 6 # skip Not initialized, skipping... > ok 7 # skip Not initialized, skipping... > ok 8 # skip Not initialized, skipping... > ok 9 # skip Not initialized, skipping... > ok 10 # skip Not initialized, skipping... > ok 11 # skip Not initialized, skipping... > ok 12 # skip Not initialized, skipping... > ok 13 # skip Not initialized, skipping... > ok 14 # skip Not initialized, skipping... > ok 15 # skip Not initialized, skipping... > ok 16 # skip Not initialized, skipping... > ok 17 # skip Not initialized, skipping... > ok 18 # skip Not initialized, skipping... > ok 19 # skip Not initialized, skipping... > ok 20 # skip Not initialized, skipping... > ok 21 # skip Not initialized, skipping... > ok 22 # skip Not initialized, skipping... > ok 23 # skip Not initialized, skipping... >not ok 4 - rsa conversions -- private key PKCS\#8 > 1..10 > # Looks like you planned 10 tests but ran 23. > # Looks like you failed 1 test of 23 run. > ># Failed test 'rsa conversions -- private key PKCS\#8' ># at ../test/recipes/15-test_rsa.t line 27. > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 5 - rsa conversions -- public key > ># Failed test 'rsa conversions -- public key' ># at ../test/recipes/15-test_rsa.t line 31. ># Looks like you failed 4 tests of 5. >Dubious, test returned 4 (wstat 1024, 0x400) >Failed 4/5 subtests >../test/recipes/20-test_enc.t ............. ../apps/openssl: can't load >library 'ssl.so.1.1' > >1..1 >ok 1 >ok >../test/recipes/25-test_crl.t ............. >1..2 >ok 1 - require '../test/recipes/tconversion.pl'; > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 2 - crl conversions > ># Failed test 'crl conversions' ># at ../test/recipes/25-test_crl.t line 17. ># Looks like you failed 1 test of 2. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/2 subtests >../test/recipes/25-test_gen.t ............. >1..1 > # There should be a 2 sequences of .'s and some +'s. > # There should not be more that at most 80 per line > 1..2 >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 1 - Generating request > > # Failed test 'Generating request' > # at ../test/recipes/25-test_gen.t line 37. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - Verifying signature on request > > # Failed test 'Verifying signature on request' > # at ../test/recipes/25-test_gen.t line 41. > # Looks like you failed 2 tests of 2. >not ok 1 - generating certificate requests > ># Failed test 'generating certificate requests' ># at ../test/recipes/25-test_gen.t line 44. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/25-test_pkcs7.t ........... >1..3 >ok 1 - require '../test/recipes/tconversion.pl'; > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 2 - pkcs7 conversions -- pkcs7 > ># Failed test 'pkcs7 conversions -- pkcs7' ># at ../test/recipes/25-test_pkcs7.t line 17. > 1..9 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 8 tests of 9. >not ok 3 - pkcs7 conversions -- pkcs7d > ># Failed test 'pkcs7 conversions -- pkcs7d' ># at ../test/recipes/25-test_pkcs7.t line 20. ># Looks like you failed 2 tests of 3. >Dubious, test returned 2 (wstat 512, 0x200) >Failed 2/3 subtests >../test/recipes/25-test_req.t ............. >1..3 >ok 1 - require '../test/recipes/tconversion.pl'; > 1..10 > not ok 1 - initializing > > # Failed test 'initializing' > # at ../test/recipes/tconversion.pl line 43. > # Trying to copy testreq.pem to req-fff.p : No such file or directory > ok 2 # skip Not initialized, skipping... > ok 3 # skip Not initialized, skipping... > ok 4 # skip Not initialized, skipping... > ok 5 # skip Not initialized, skipping... > ok 6 # skip Not initialized, skipping... > ok 7 # skip Not initialized, skipping... > ok 8 # skip Not initialized, skipping... > ok 9 # skip Not initialized, skipping... > ok 10 # skip Not initialized, skipping... > ok 11 # skip Not initialized, skipping... > ok 12 # skip Not initialized, skipping... > ok 13 # skip Not initialized, skipping... > ok 14 # skip Not initialized, skipping... > ok 15 # skip Not initialized, skipping... > ok 16 # skip Not initialized, skipping... > ok 17 # skip Not initialized, skipping... > ok 18 # skip Not initialized, skipping... > ok 19 # skip Not initialized, skipping... > ok 20 # skip Not initialized, skipping... > ok 21 # skip Not initialized, skipping... > ok 22 # skip Not initialized, skipping... > ok 23 # skip Not initialized, skipping... > not ok 24 - planned to run 10 but done_testing() expects 23 > > # Failed test 'planned to run 10 but done_testing() expects 23' > # at /usr/libdata/perl5/5.16.3/Test/More.pm line 221. > # Looks like you planned 10 tests but ran 24. > # Looks like you failed 2 tests of 24 run. >not ok 2 - req conversions > ># Failed test 'req conversions' ># at ../test/recipes/25-test_req.t line 42. > 1..10 > not ok 1 - initializing > > # Failed test 'initializing' > # at ../test/recipes/tconversion.pl line 43. > # Trying to copy testreq.pem to req-fff.p : No such file or directory > ok 2 # skip Not initialized, skipping... > ok 3 # skip Not initialized, skipping... > ok 4 # skip Not initialized, skipping... > ok 5 # skip Not initialized, skipping... > ok 6 # skip Not initialized, skipping... > ok 7 # skip Not initialized, skipping... > ok 8 # skip Not initialized, skipping... > ok 9 # skip Not initialized, skipping... > ok 10 # skip Not initialized, skipping... > ok 11 # skip Not initialized, skipping... > ok 12 # skip Not initialized, skipping... > ok 13 # skip Not initialized, skipping... > ok 14 # skip Not initialized, skipping... > ok 15 # skip Not initialized, skipping... > ok 16 # skip Not initialized, skipping... > ok 17 # skip Not initialized, skipping... > ok 18 # skip Not initialized, skipping... > ok 19 # skip Not initialized, skipping... > ok 20 # skip Not initialized, skipping... > ok 21 # skip Not initialized, skipping... > ok 22 # skip Not initialized, skipping... > ok 23 # skip Not initialized, skipping... > not ok 24 - planned to run 10 but done_testing() expects 23 > > # Failed test 'planned to run 10 but done_testing() expects 23' > # at /usr/libdata/perl5/5.16.3/Test/More.pm line 221. > # Looks like you planned 10 tests but ran 24. > # Looks like you failed 2 tests of 24 run. >not ok 3 - req conversions -- testreq2 > ># Failed test 'req conversions -- testreq2' ># at ../test/recipes/25-test_req.t line 42. ># Looks like you failed 2 tests of 3. >Dubious, test returned 2 (wstat 512, 0x200) >Failed 2/3 subtests >../test/recipes/25-test_sid.t ............. >1..2 >ok 1 - require '../test/recipes/tconversion.pl'; > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 2 - sid conversions > ># Failed test 'sid conversions' ># at ../test/recipes/25-test_sid.t line 17. ># Looks like you failed 1 test of 2. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/2 subtests >../test/recipes/25-test_verify.t .......... >1..81 >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 1 - accept compat trust > ># Failed test 'accept compat trust' ># at ../test/recipes/25-test_verify.t line 25. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 2 - fail trusted non-ca root >../apps/openssl: can't load library 'ssl.so.1.1' >ok 3 - fail server trust non-ca root >../apps/openssl: can't load library 'ssl.so.1.1' >ok 4 - fail wildcard trust non-ca root >../apps/openssl: can't load library 'ssl.so.1.1' >ok 5 - fail wrong root key >../apps/openssl: can't load library 'ssl.so.1.1' >ok 6 - fail wrong root DN >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 7 - accept server purpose > ># Failed test 'accept server purpose' ># at ../test/recipes/25-test_verify.t line 42. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 8 - fail client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 9 - accept server trust > ># Failed test 'accept server trust' ># at ../test/recipes/25-test_verify.t line 46. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 10 - accept server trust with server purpose > ># Failed test 'accept server trust with server purpose' ># at ../test/recipes/25-test_verify.t line 48. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 11 - accept server trust with client purpose > ># Failed test 'accept server trust with client purpose' ># at ../test/recipes/25-test_verify.t line 50. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 12 - accept wildcard trust > ># Failed test 'accept wildcard trust' ># at ../test/recipes/25-test_verify.t line 53. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 13 - accept wildcard trust with server purpose > ># Failed test 'accept wildcard trust with server purpose' ># at ../test/recipes/25-test_verify.t line 55. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 14 - accept wildcard trust with client purpose > ># Failed test 'accept wildcard trust with client purpose' ># at ../test/recipes/25-test_verify.t line 57. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 15 - accept client mistrust > ># Failed test 'accept client mistrust' ># at ../test/recipes/25-test_verify.t line 60. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 16 - accept client mistrust with server purpose > ># Failed test 'accept client mistrust with server purpose' ># at ../test/recipes/25-test_verify.t line 62. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 17 - fail client mistrust with client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 18 - fail client trust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 19 - fail client trust with server purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 20 - fail client trust with client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 21 - fail rejected EKU >../apps/openssl: can't load library 'ssl.so.1.1' >ok 22 - fail server mistrust with server purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 23 - fail server mistrust with client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 24 - fail wildcard mistrust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 25 - fail wildcard mistrust with server purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 26 - fail wildcard mistrust with client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 27 - accept trusted-first path > ># Failed test 'accept trusted-first path' ># at ../test/recipes/25-test_verify.t line 91. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 28 - accept trusted-first path with server trust > ># Failed test 'accept trusted-first path with server trust' ># at ../test/recipes/25-test_verify.t line 94. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 29 - fail trusted-first path with server mistrust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 30 - fail trusted-first path with client trust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 31 - fail non-CA untrusted intermediate >../apps/openssl: can't load library 'ssl.so.1.1' >ok 32 - fail non-CA trusted intermediate >../apps/openssl: can't load library 'ssl.so.1.1' >ok 33 - fail non-CA server trust intermediate >../apps/openssl: can't load library 'ssl.so.1.1' >ok 34 - fail non-CA wildcard trust intermediate >../apps/openssl: can't load library 'ssl.so.1.1' >ok 35 - fail wrong intermediate CA key >../apps/openssl: can't load library 'ssl.so.1.1' >ok 36 - fail wrong intermediate CA DN >../apps/openssl: can't load library 'ssl.so.1.1' >ok 37 - fail wrong intermediate CA issuer >../apps/openssl: can't load library 'ssl.so.1.1' >ok 38 - fail untrusted partial chain >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 39 - accept trusted partial chain > ># Failed test 'accept trusted partial chain' ># at ../test/recipes/25-test_verify.t line 121. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 40 - accept partial chain with server purpose > ># Failed test 'accept partial chain with server purpose' ># at ../test/recipes/25-test_verify.t line 123. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 41 - fail partial chain with client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 42 - accept server trust partial chain > ># Failed test 'accept server trust partial chain' ># at ../test/recipes/25-test_verify.t line 127. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 43 - accept server trust client purpose partial chain > ># Failed test 'accept server trust client purpose partial chain' ># at ../test/recipes/25-test_verify.t line 129. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 44 - accept client mistrust partial chain > ># Failed test 'accept client mistrust partial chain' ># at ../test/recipes/25-test_verify.t line 131. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 45 - accept wildcard trust partial chain > ># Failed test 'accept wildcard trust partial chain' ># at ../test/recipes/25-test_verify.t line 133. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 46 - fail untrusted partial issuer with ignored server trust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 47 - fail server mistrust partial chain >../apps/openssl: can't load library 'ssl.so.1.1' >ok 48 - fail client trust partial chain >../apps/openssl: can't load library 'ssl.so.1.1' >ok 49 - fail wildcard mistrust partial chain >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 50 - accept server trust > ># Failed test 'accept server trust' ># at ../test/recipes/25-test_verify.t line 147. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 51 - accept wildcard trust > ># Failed test 'accept wildcard trust' ># at ../test/recipes/25-test_verify.t line 149. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 52 - accept server purpose > ># Failed test 'accept server purpose' ># at ../test/recipes/25-test_verify.t line 151. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 53 - accept server trust and purpose > ># Failed test 'accept server trust and purpose' ># at ../test/recipes/25-test_verify.t line 153. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 54 - accept wildcard trust and server purpose > ># Failed test 'accept wildcard trust and server purpose' ># at ../test/recipes/25-test_verify.t line 155. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 55 - accept client mistrust and server purpose > ># Failed test 'accept client mistrust and server purpose' ># at ../test/recipes/25-test_verify.t line 157. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 56 - accept server trust and client purpose > ># Failed test 'accept server trust and client purpose' ># at ../test/recipes/25-test_verify.t line 159. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 57 - accept wildcard trust and client purpose > ># Failed test 'accept wildcard trust and client purpose' ># at ../test/recipes/25-test_verify.t line 161. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 58 - fail client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 59 - fail wildcard mistrust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 60 - fail server mistrust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 61 - fail client trust >../apps/openssl: can't load library 'ssl.so.1.1' >ok 62 - fail client trust and server purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 63 - fail client trust and client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 64 - fail server mistrust and client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 65 - fail client mistrust and client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 66 - fail server mistrust and server purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 67 - fail wildcard mistrust and server purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 68 - fail wildcard mistrust and client purpose >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 69 - accept client chain > ># Failed test 'accept client chain' ># at ../test/recipes/25-test_verify.t line 187. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 70 - fail server leaf purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 71 - fail client leaf purpose >../apps/openssl: can't load library 'ssl.so.1.1' >ok 72 - fail wrong intermediate CA key >../apps/openssl: can't load library 'ssl.so.1.1' >ok 73 - fail wrong intermediate CA DN >../apps/openssl: can't load library 'ssl.so.1.1' >ok 74 - fail expired leaf >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 75 - accept last-resort direct leaf match > ># Failed test 'accept last-resort direct leaf match' ># at ../test/recipes/25-test_verify.t line 199. >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 76 - accept last-resort direct leaf match > ># Failed test 'accept last-resort direct leaf match' ># at ../test/recipes/25-test_verify.t line 201. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 77 - fail last-resort direct leaf non-match >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 78 - accept direct match with server trust > ># Failed test 'accept direct match with server trust' ># at ../test/recipes/25-test_verify.t line 205. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 79 - fail direct match with server mistrust >../apps/openssl: can't load library 'ssl.so.1.1' >not ok 80 - accept direct match with client trust > ># Failed test 'accept direct match with client trust' ># at ../test/recipes/25-test_verify.t line 209. >../apps/openssl: can't load library 'ssl.so.1.1' >ok 81 - reject direct match with client mistrust ># Looks like you failed 31 tests of 81. >Dubious, test returned 31 (wstat 7936, 0x1f00) >Failed 31/81 subtests >../test/recipes/25-test_x509.t ............ >1..4 >ok 1 - require '../test/recipes/tconversion.pl'; > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 2 - x509 -- x.509 v1 certificate > ># Failed test 'x509 -- x.509 v1 certificate' ># at ../test/recipes/25-test_x509.t line 17. > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 3 - x509 -- first x.509 v3 certificate > ># Failed test 'x509 -- first x.509 v3 certificate' ># at ../test/recipes/25-test_x509.t line 20. > 1..10 > ok 1 - initializing >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 2 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 3 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 53. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 4 - d -> d > > # Failed test 'd -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 5 - p -> d > > # Failed test 'p -> d' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 6 - d -> p > > # Failed test 'd -> p' > # at ../test/recipes/tconversion.pl line 63. >../apps/openssl: can't load library 'ssl.so.1.1' > not ok 7 - p -> p > > # Failed test 'p -> p' > # at ../test/recipes/tconversion.pl line 63. > not ok 8 - comparing orig to p > > # Failed test 'comparing orig to p' > # at ../test/recipes/tconversion.pl line 72. > # got: '-1' > # expected: '0' > not ok 9 - comparing p to dp > > # Failed test 'comparing p to dp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > not ok 10 - comparing p to pp > > # Failed test 'comparing p to pp' > # at ../test/recipes/tconversion.pl line 80. > # got: '-1' > # expected: '0' > # Looks like you failed 9 tests of 10. >not ok 4 - x509 -- second x.509 v3 certificate > ># Failed test 'x509 -- second x.509 v3 certificate' ># at ../test/recipes/25-test_x509.t line 23. ># Looks like you failed 3 tests of 4. >Dubious, test returned 3 (wstat 768, 0x300) >Failed 3/4 subtests >../test/recipes/30-test_engine.t .......... >1..1 >./enginetest: can't load library 'ssl.so.1.1' >not ok 1 - running enginetest > ># Failed test 'running enginetest' ># at ../test/recipes/30-test_engine.t line 11. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/30-test_evp.t ............. >1..1 >./evp_test: can't load library 'ssl.so.1.1' >not ok 1 - running evp_test evptests.txt > ># Failed test 'running evp_test evptests.txt' ># at ../test/recipes/30-test_evp.t line 11. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/30-test_evp_extra.t ....... >1..1 >./evp_extra_test: can't load library 'ssl.so.1.1' >not ok 1 - running evp_extra_test > ># Failed test 'running evp_extra_test' ># at ../test/recipes/30-test_evp_extra.t line 11. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/30-test_pbelu.t ........... >1..1 >./pbelutest: can't load library 'ssl.so.1.1' >not ok 1 - running pbelutest > ># Failed test 'running pbelutest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/40-test_rehash.t .......... ../apps/openssl: can't load >library 'ssl.so.1.1' > >1..0 # SKIP test_rehash is not available on this platform >skipped: test_rehash is not available on this platform >../test/recipes/70-test_clienthello.t ..... >1..1 >./clienthellotest: can't load library 'ssl.so.1.1' >not ok 1 - running clienthellotest > ># Failed test 'running clienthellotest' ># at ../test/recipes/70-test_clienthello.t line 13. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/70-test_packet.t .......... >1..1 >./packettest: can't load library 'ssl.so.1.1' >not ok 1 - running packettest > ># Failed test 'running packettest' ># at ../test/testlib/OpenSSL/Test/Simple.pm line 70. ># Looks like you failed 1 test of 1. >Dubious, test returned 1 (wstat 256, 0x100) >Failed 1/1 subtests >../test/recipes/70-test_sslcertstatus.t ... >1..1 >Proxy started on port 4453 >../apps/openssl: can't load library 'ssl.so.1.1' >../apps/openssl: can't load library 'ssl.so.1.1' >^CYou have new mail in /var/mail/doctor >ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160221$ exit >exit > >Script done on Sun Feb 21 06:04:13 2016 > >Please fix -- levitte at openssl.org From rt at openssl.org Thu Mar 10 02:48:52 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Thu, 10 Mar 2016 02:48:52 +0000 Subject: [openssl-dev] [openssl.org #3676] [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: References: <1E23EFC52F00C649B69F652AFD284ABD3786599BFB@ex07.ncp.local> Message-ID: On Wed Mar 09 23:50:40 2016, Matthias.St.Pierre at ncp-e.com wrote: > > According to our records, your request has been resolved. If you have > > any > > further questions or concerns, please respond to this message. > > Thanks a lot for finally adding the patch. Since our software is not > ready for version 1.1 > yet, I can't try it directly with the master, but I will backport it > for us to 1.0.2. > Note that there are ways of producing the same on the wire format with unmodified OpenSSL 1.0.2. You can use an ASN1_ANY or ASN1_SEQUENCE type which can contain the complete encoding of a SEQUENCE type without the need to have a surrounding OCTET STRING. Then by calling d2i/i2d to decode/encode the content octets it should work. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From kotamarthyd at gmail.com Thu Mar 10 06:30:23 2016 From: kotamarthyd at gmail.com (Kanaka Kotamarthy) Date: Thu, 10 Mar 2016 12:00:23 +0530 Subject: [openssl-dev] Running against BoringSSL's SSL test suite In-Reply-To: References: Message-ID: And also Openssl fails with Resume-Client-NoResume cases. Do you have any report on which test cases do fail and reasons for the failure? RT tickets 4387 through 4395 were the failures I've triaged. I'm sure there's more things in there to look through. I don't believe Resume-Client-NoResume fails for me. Perhaps something was fixed between master and 1.1.0-pre2. Openssl doesn't gives any error. For Resume-Client-NoResume-SSL3-TLS11 test case, we expect the new session's handshake to be done with TLS11. But with Openssl handshake is done using SSL3. As in ssl3_clear, we set back s->version to s->method->version. Thank you Durga. On Wed, Mar 9, 2016 at 10:38 PM, David Benjamin wrote: > On Wed, Mar 9, 2016 at 5:07 AM Kanaka Kotamarthy > wrote: > >> Hi >> >> I am even testing OpenSSL with BoringSSL's test cases using >> Openssl-1.1.0-pre2. Trying to find out reasons of OpenSSL's failures >> for particular cases. >> >> DTLS 1.0 session resumption has some thing wrong. If s_server started >> with -dtls and s_client -dtls1 -reconnect , session resumption is not >> being done. The reason for this may be, version negotiation for DTLS >> is done after loading previous session and check for s->version and >> s->session->version fails in tls_process_client_hello. >> > > See RT #4392. > https://rt.openssl.org/Ticket/Display.html?id=4392 > > >> And also Openssl fails with Resume-Client-NoResume cases. Do you have >> any report on which test cases do fail and reasons for the failure? >> > > RT tickets 4387 through 4395 were the failures I've triaged. I'm sure > there's more things in there to look through. > > I don't believe Resume-Client-NoResume fails for me. Perhaps something was > fixed between master and 1.1.0-pre2. > > David > > >> Thank you >> Durga. >> >> On Tue, Mar 8, 2016 at 3:19 AM, David Benjamin >> wrote: >> > Hi folks, >> > >> > So, we've by now built up a decent-sized SSL test suite in BoringSSL. I >> was >> > bored and ran it against OpenSSL master. It revealed a number of bugs. >> One >> > is https://github.com/openssl/openssl/pull/603. I'll be filing tickets >> > shortly for the remaining ones I've triaged, but I thought I'd send this >> > separately rather than duplicate it everywhere. >> > >> > Emilia also suggested there may be room to collaborate on testing. If >> > nothing else, just borrowing ideas or porting tests to/from your >> TLSProxy >> > setup. (Like, say, the ones that caught the bugs I'll be reporting. :-) >> ) >> > So, here's an introduction on how it all works: >> > >> > To run the tests on OpenSSL, clone BoringSSL: >> > https://boringssl.googlesource.com/boringssl/ >> > Then patch in this change. (Click the "Download" in the upper-right for >> > options.) >> > https://boringssl-review.googlesource.com/#/c/7332/ >> > Then follow the instructions in the commit message. >> > >> > The tests themselves and the runner logic live in >> ssl/test/runner/runner.go: >> > >> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 >> > >> > They work by running an unmodified TLS stack in a shim binary against a >> copy >> > of Go's. We patch our copy with options for weird behavior to test >> against: >> > >> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 >> > >> > Go and shim communicate entirely with sockets and (tons of) command-line >> > flags, though it is slightly overfit to BoringSSL's behavior and checks >> > error strings a lot. The shim also has options like -async mode which >> we use >> > on a subset of tests to stress state machine resumption. (This has >> saved me >> > from state machine bugs so many times.) >> > >> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 >> > >> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 >> > >> > I hope this is useful! Bugs and patches will follow this mail, as I >> write >> > them up. >> > >> > David >> > >> > -- >> > openssl-dev mailing list >> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> > >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Thu Mar 10 08:13:35 2016 From: rt at openssl.org (Mario Scalabrino via RT) Date: Thu, 10 Mar 2016 08:13:35 +0000 Subject: [openssl-dev] [openssl.org #4276] AutoReply: Possible bug - ts -verify -digest, error:ts_rsp_verify.c:291: In-Reply-To: <20160310081319.5406804.492.1327@andifyou.com> References: <56AA3226.3060801@andifyou.com> <56C47A52.6090404@andifyou.com> <56CC3593.9040709@andifyou.com> <7ffbcf8a04ed42cd9dc9a93781d838c5@usma1ex-dag1mb1.msg.corp.akamai.com> <20160310081319.5406804.492.1327@andifyou.com> Message-ID: do you know anybody who can help? an email or a forum? Sent?from?my?BlackBerry?10?smartphone. ? Original Message ? From: Salz, Rich via RT Sent: mi?rcoles, 9 de marzo de 2016 20:27 To: mario.scalabrino at andifyou.com Reply To: rt at openssl.org Cc: openssl-dev at openssl.org Subject: RE: [openssl-dev] [openssl.org #4276] AutoReply: Possible bug - ts -verify -digest, error:ts_rsp_verify.c:291: TS is not a high priority for the OpenSSL team. A month is not a long time. We are busy right now working on the next release. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4276 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4276 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 08:16:06 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 10 Mar 2016 08:16:06 +0000 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: Hi, so I wonder, would you mind trying the attached patch for size, see if it makes your build better? Cheers, Richard Vid Ons, 09 Mar 2016 kl. 22.39.57, skrev noloader at gmail.com: > Working from Master: > > $ git reset --hard HEAD > HEAD is now at 64b9d84 When grepping something starting with a > dash, remember to use -e > $ git pull > Already up-to-date. > > And then: > > $ ./config > ... > $ make depend && make clean && make > ... > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread > -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o > crypto/cast/c_skey.o crypto/cast/c_skey.c > gcc -E crypto/chacha/chacha-armv8.S > crypto/chacha/chacha-armv8.s > crypto/chacha/chacha-armv8.S:1:22: fatal error: arm_arch.h: No such > file or directory > #include "arm_arch.h" > ^ > compilation terminated. > : recipe for target 'crypto/chacha/chacha-armv8.s' failed > > ********** > > $ ./config > Operating system: aarch64-whatever-linux2 > Configuring for linux-aarch64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 > (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip > dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-aarch64 > IsMK1MF =no > CC =gcc > CFLAG =-Wall -O3 -pthread -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM > SHA256_ASM SHA512_ASM VPAES_ASM ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-ldl > APPS_OBJ = > CPUID_OBJ =armcap.o arm64cpuid.o mem_clr.o > UPLINK_OBJ = > BN_ASM =bn_asm.o armv8-mont.o > EC_ASM =ecp_nistz256.o ecp_nistz256-armv8.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes_core.o aes_cbc.o aesv8-armx.o vpaes-armv8.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4_enc.o rc4_skey.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM = > SHA1_OBJ_ASM =sha1-armv8.o sha256-armv8.o sha512-armv8.o > RMD160_OBJ_ASM= > CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o > MODES_OBJ =ghashv8-armx.o > PADLOCK_OBJ = > CHACHA_ENC =chacha-armv8.o > POLY1305_OBJ =poly1305-armv8.o > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/usr/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for linux-aarch64. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4406 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: incs.patch Type: text/x-patch Size: 2427 bytes Desc: not available URL: From rt at openssl.org Thu Mar 10 09:05:22 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 10 Mar 2016 09:05:22 +0000 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: Sometimes, things happen fast. The diff I posted got into master just moments ago, commit d46057277f3b805e5f198e31fc81a892bf5c9141 Still, please try it and report back so I can (hopefully) close this ticket. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4406 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 09:15:28 2016 From: rt at openssl.org (David Woodhouse via RT) Date: Thu, 10 Mar 2016 09:15:28 +0000 Subject: [openssl-dev] [openssl.org #4408] [PATCH] Remove last traces of CRYPTO_dynlock for non-compatibility build In-Reply-To: <1457601311.118898.294.camel@infradead.org> References: <1457601311.118898.294.camel@infradead.org> Message-ID: Commit 2e52e7df5 ("Remove the old threading API") left a dummy definition of the CRYPTO_dynlock for compatibility, if OPENSSL_API_COMPAT < 1.1.0. However, there's still a DEFINE_STACK_OF(CRYPTO_dynlock) in cryptlib.h which isn't so masked, and breaks the build if you disable the API compatibility. Assuming that's supposed to be present too for the same reason, wrap it in a similar #ifdef. --- ?crypto/include/internal/cryptlib.h | 2 ++ ?1 file changed, 2 insertions(+) diff --git a/crypto/include/internal/cryptlib.h b/crypto/include/internal/cryptlib.h index a97e20b..18d205e 100644 --- a/crypto/include/internal/cryptlib.h +++ b/crypto/include/internal/cryptlib.h @@ -82,7 +82,9 @@ typedef struct ex_callback_st EX_CALLBACK; ? ?DEFINE_STACK_OF(EX_CALLBACK) ? +# if OPENSSL_API_COMPAT < 0x10100000L ?DEFINE_STACK_OF(CRYPTO_dynlock) +# endif ? ?typedef struct app_mem_info_st APP_INFO; ?DEFINE_LHASH_OF(APP_INFO); --? 2.5.0 -- David Woodhouse Open Source Technology Centre David.Woodhouse at intel.com Intel Corporation -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4408 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: From dni.grosu at gmail.com Thu Mar 10 09:19:09 2016 From: dni.grosu at gmail.com (danigrosu) Date: Thu, 10 Mar 2016 02:19:09 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> <20160309.173825.1637863753675413167.levitte@openssl.org> <1457546255766-64501.post@n7.nabble.com> Message-ID: <1457601549609-64535.post@n7.nabble.com> Blumenthal, Uri - 0553 - MITLL wrote > But autotools setup did not work (see my > previous post in this thread). Perhaps Richard could shed some light on > that. I just did what that guy said and it worked. Basically I created a "m4" directory and I copied the "ax_check_openssl.m4" file to the "m4" directory, then I used the "autoreconf -fi -I m4" command, then ./configure, then make. -- "ax_check_openssl.m4" can be found here autoconf-archive-2015.09.25.tar.xz Blumenthal, Uri - 0553 - MITLL wrote > Regarding RSA-X engine, it lacks the dynamic binding code necessary for > being loaded, etc. That?s why it fails to load. Check the contents of > e_md5.c and eng_rsax.c for differences. > > $ OPENSSL_ENGINES=. openssl engine -t -c rsax > (rsax) RSAX engine support > [RSA] > [ available ] > $ Be aware that the name "rsax" is the name of the engine that OpenSSL already knows. Try to change it's name to something else, e.g. "rsax_smth". I get the same error after I change it's name to "rsax_dani": /140334964717216:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(./librsax_dani.so): ./librsax_dani.so: cannot open shared object file: No such file or directory 140334964717216:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 140334964717216:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: 140334964717216:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=rsax_dani/ Then I tryed to use the following macros in order to dynamically bind the engine (as I saw in the md5 engine): /IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) IMPLEMENT_DYNAMIC_CHECK_FN()/ I changed the "bind_helper" function to be exactly like "bind" function from the md5 engine => /static int bind_helper(ENGINE *e, const char *id)/ and I get this error message: /eng_rsax.c: In function ?ENGINE_rsax?: eng_rsax.c:178:2: error: too few arguments to function ?bind_helper? if(!bind_helper(ret)) ^ eng_rsax.c:142:12: note: declared here static int bind_helper(ENGINE *e, const char *id) ^ 140334964717216:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(./librsax_dani.so): ./librsax_dani.so: cannot open shared object file: No such file or directory 140334964717216:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 140334964717216:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: 140334964717216:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=rsax_dani/ Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64535.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From dni.grosu at gmail.com Thu Mar 10 09:47:45 2016 From: dni.grosu at gmail.com (danigrosu) Date: Thu, 10 Mar 2016 02:47:45 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <20160309.215516.204547014161263567.levitte@openssl.org> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> <1457543989853-64500.post@n7.nabble.com> <20160309.215516.204547014161263567.levitte@openssl.org> Message-ID: <1457603265658-64536.post@n7.nabble.com> Ok Richard, I figured it out how the md5 engine works, and, I also realized that it is a bit different from the RSA engine: ---different structure (EVP_MD vs RSA_METHOD) ---missing the dynamic bind part, and I have no idea how to do it (see the above post) Maybe I should try something else in order to build a RSA engine. I think it is very hard to start it from scratch and that's why I choose to use the RSA-X. Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64536.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From levitte at openssl.org Thu Mar 10 10:53:44 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 10 Mar 2016 11:53:44 +0100 (CET) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457601549609-64535.post@n7.nabble.com> References: <1457546255766-64501.post@n7.nabble.com> <1457601549609-64535.post@n7.nabble.com> Message-ID: <20160310.115344.799470193354937812.levitte@openssl.org> In message <1457601549609-64535.post at n7.nabble.com> on Thu, 10 Mar 2016 02:19:09 -0700 (MST), danigrosu said: dni.grosu> Blumenthal, Uri - 0553 - MITLL wrote dni.grosu> > But autotools setup did not work (see my dni.grosu> > previous post in this thread). Perhaps Richard could shed some light on dni.grosu> > that. dni.grosu> dni.grosu> I just did what that guy said and it worked. Basically I created a "m4" dni.grosu> directory dni.grosu> and I copied the "ax_check_openssl.m4" file to the "m4" directory, then I dni.grosu> used dni.grosu> the "autoreconf -fi -I m4" command, then ./configure, then make. dni.grosu> -- "ax_check_openssl.m4" can be found here dni.grosu> autoconf-archive-2015.09.25.tar.xz dni.grosu> dni.grosu> dni.grosu> dni.grosu> Blumenthal, Uri - 0553 - MITLL wrote dni.grosu> > Regarding RSA-X engine, it lacks the dynamic binding code necessary for dni.grosu> > being loaded, etc. That?s why it fails to load. Check the contents of dni.grosu> > e_md5.c and eng_rsax.c for differences. dni.grosu> > dni.grosu> > $ OPENSSL_ENGINES=. openssl engine -t -c rsax dni.grosu> > (rsax) RSAX engine support dni.grosu> > [RSA] dni.grosu> > [ available ] dni.grosu> > $ dni.grosu> dni.grosu> Be aware that the name "rsax" is the name of the engine that OpenSSL dni.grosu> already knows. Try to change it's name to something else, e.g. "rsax_smth". dni.grosu> I get the same error after I change it's name to "rsax_dani": dni.grosu> dni.grosu> /140334964717216:error:25066067:DSO support routines:DLFCN_LOAD:could not dni.grosu> load the shared library:dso_dlfcn.c:185:filename(./librsax_dani.so): dni.grosu> ./librsax_dani.so: cannot open shared object file: No such file or directory dni.grosu> 140334964717216:error:25070067:DSO support routines:DSO_load:could not load dni.grosu> the shared library:dso_lib.c:244: dni.grosu> 140334964717216:error:260B6084:engine routines:DYNAMIC_LOAD:dso not dni.grosu> found:eng_dyn.c:450: dni.grosu> 140334964717216:error:2606A074:engine routines:ENGINE_by_id:no such dni.grosu> engine:eng_list.c:417:id=rsax_dani/ dni.grosu> dni.grosu> Then I tryed to use the following macros in order to dynamically bind dni.grosu> the engine (as I saw in the md5 engine): dni.grosu> dni.grosu> /IMPLEMENT_DYNAMIC_BIND_FN(bind_helper) dni.grosu> IMPLEMENT_DYNAMIC_CHECK_FN()/ dni.grosu> dni.grosu> I changed the "bind_helper" function to be exactly like "bind" function dni.grosu> from the md5 engine => /static int bind_helper(ENGINE *e, const char *id)/ dni.grosu> and I get this error message: dni.grosu> dni.grosu> /eng_rsax.c: In function ?ENGINE_rsax?: dni.grosu> eng_rsax.c:178:2: error: too few arguments to function ?bind_helper? dni.grosu> if(!bind_helper(ret)) dni.grosu> ^ dni.grosu> eng_rsax.c:142:12: note: declared here dni.grosu> static int bind_helper(ENGINE *e, const char *id) dni.grosu> ^ dni.grosu> 140334964717216:error:25066067:DSO support routines:DLFCN_LOAD:could not dni.grosu> load the shared library:dso_dlfcn.c:185:filename(./librsax_dani.so): dni.grosu> ./librsax_dani.so: cannot open shared object file: No such file or directory dni.grosu> 140334964717216:error:25070067:DSO support routines:DSO_load:could not load dni.grosu> the shared library:dso_lib.c:244: dni.grosu> 140334964717216:error:260B6084:engine routines:DYNAMIC_LOAD:dso not dni.grosu> found:eng_dyn.c:450: dni.grosu> 140334964717216:error:2606A074:engine routines:ENGINE_by_id:no such dni.grosu> engine:eng_list.c:417:id=rsax_dani/ Yeah, the Intel seem to have been inspired by engines/e_chil.c but only kept the static engine parts. bind_helper in e_chil. is exactly that, a helper, and wasn't originally designed to be given directly to IMPLEMENT_DYNAMIC_BIND_FN. I'm not saying you did anything wrong, though... I'm just giving you some historical context. The issue is easily fixed by adding a parameter in the problematic call, like this: if(!bind_helper(ret, engine_e_rsax_id)) Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From levitte at openssl.org Thu Mar 10 10:55:45 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 10 Mar 2016 11:55:45 +0100 (CET) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <1457603265658-64536.post@n7.nabble.com> References: <1457543989853-64500.post@n7.nabble.com> <20160309.215516.204547014161263567.levitte@openssl.org> <1457603265658-64536.post@n7.nabble.com> Message-ID: <20160310.115545.1239840364424633459.levitte@openssl.org> In message <1457603265658-64536.post at n7.nabble.com> on Thu, 10 Mar 2016 02:47:45 -0700 (MST), danigrosu said: dni.grosu> Ok Richard, I figured it out how the md5 engine works, and, I also dni.grosu> realized that it is a bit different from the RSA engine: dni.grosu> ---different structure (EVP_MD vs RSA_METHOD) dni.grosu> ---missing the dynamic bind part, and I have no idea how to do it (see the dni.grosu> above post) dni.grosu> dni.grosu> Maybe I should try something else in order to build a RSA engine. I think it dni.grosu> is very dni.grosu> hard to start it from scratch and that's why I choose to use the RSA-X. Don't give up too soon, you seem to be getting there. Stumbling, like the rest of us, and that's ok. It's a learning experience, as frustrating as it may be. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From hkario at redhat.com Thu Mar 10 12:00:26 2016 From: hkario at redhat.com (Hubert Kario) Date: Thu, 10 Mar 2016 13:00:26 +0100 Subject: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity In-Reply-To: <20160226173710.GB12869@mournblade.imrryr.org> References: <20160226173710.GB12869@mournblade.imrryr.org> Message-ID: <2018340.02FTAFJ3mm@pintsize.usersys.redhat.com> On Friday 26 February 2016 17:37:11 Viktor Dukhovni wrote: > On Fri, Feb 26, 2016 at 05:29:26PM +0000, Salz, Rich wrote: > > As just about the only team member who trolls through RT and closes > > things with any quantity, I am not sure that I agree that fixing a > > bug requires documentation if the API isn't already documented. > > We should also get the word out that contributed patches (RT or > Github) without documentation will take much longer to get adopted > (will require someone else to find the time to create the > documentation). > > Priority will go to patches with sufficiently complete documentation. https://github.com/blog/1184-contributing-guidelines https://github.com/openssl/openssl/blob/master/CONTRIBUTING it just needs to be updated -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purky?ova 99/71, 612 45, Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From rt at openssl.org Thu Mar 10 12:58:34 2016 From: rt at openssl.org (Irena Johnson via RT) Date: Thu, 10 Mar 2016 12:58:34 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: Dear OpenSSL Support, Our clients are having trouble connecting to our GRAM server, which has a sha256 host certificate. The version of openssl on their site is: OpenSSL 1.0.1p 9 Jul 2015 and it appears it's not compatible with sha256 encryption: The command "openssl ciphers -v | grep 256" returns nothing. What version of openssl should they install? Thank you for your help, Irena -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 13:00:15 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 10 Mar 2016 13:00:15 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: This is not a bug, it's a question :) They should install the most recent 1.0.2 release -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 13:59:01 2016 From: rt at openssl.org (taochen via RT) Date: Thu, 10 Mar 2016 13:59:01 +0000 Subject: [openssl-dev] [openssl.org #4410] [PATCH] add calculation of M1, M2 in srp, based on 1_0_2g In-Reply-To: References: Message-ID: -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4410 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: add_srp_m1_m2.patch Type: application/octet-stream Size: 3401 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: add_srp_m1_m2.patch Type: application/octet-stream Size: 3401 bytes Desc: not available URL: From rt at openssl.org Thu Mar 10 14:49:29 2016 From: rt at openssl.org (Irena Johnson via RT) Date: Thu, 10 Mar 2016 14:49:29 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: Hello Rich, Thank you for your quick response. I am a bit confused, as on our server the openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013 I am not quite sure why a more recent version of openssl ( 1.0.1p 9 Jul 2015 ) does not support sha256. Thanks, Irena On Thu, Mar 10, 2016 at 8:00 AM, Rich Salz via RT wrote: > This is not a bug, it's a question :) > > They should install the most recent 1.0.2 release > -- > Rich Salz, OpenSSL dev team; rsalz at openssl.org > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 Please log in as guest with password guest if prompted From dni.grosu at gmail.com Thu Mar 10 14:01:18 2016 From: dni.grosu at gmail.com (danigrosu) Date: Thu, 10 Mar 2016 07:01:18 -0700 (MST) Subject: [openssl-dev] Errors when loading an OpenSSL RSA Engine In-Reply-To: <20160310.115344.799470193354937812.levitte@openssl.org> References: <1457369381041-64385.post@n7.nabble.com> <1457447927840-64445.post@n7.nabble.com> <1457534732287-64483.post@n7.nabble.com> <20160309.173825.1637863753675413167.levitte@openssl.org> <1457546255766-64501.post@n7.nabble.com> <1457601549609-64535.post@n7.nabble.com> <20160310.115344.799470193354937812.levitte@openssl.org> Message-ID: <1457618478265-64547.post@n7.nabble.com> Richard Levitte - VMS Whacker-2 wrote > The issue is easily fixed by adding a parameter in the problematic > call, like this: > > if(!bind_helper(ret, engine_e_rsax_id)) Yes, indeed it was simple, I totally missed that. And now something really weird... Remember my first post in this topic when I said I encountered this: /Then, when I'm trying to test the engine by using the command: openssl engine -t -c `pwd`/eng_rsax.so ... I receive the following errors: 140470207960736:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:185:filename(/some_path/eng_rsax.so): /some_path/eng_rsax.so: *undefined symbol: mod_exp_512* 140470207960736:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:244: 140470207960736:error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450: 140470207960736:error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:417:id=/some_path/eng_rsax.so/ I simply implemented the body of the "mod_exp_512" function, and the magic happend: /root at dani-pc:~/Desktop/CUDA/RSA-engine# openssl genrsa -out priv.pem -engine `pwd`/eng_rsax.so 1024 /home/dani/Desktop/CUDA/RSA-engine/eng_rsax.so engine "rsax_dani" set. Generating RSA private key, 1024 bit long modulus .................................++++++ ..........++++++ e is 65537 (0x10001)/ It seems that the solution was right in front of my eyes. Now let's put some CUDA code in this engine and increase the speedup. Thank you for support! Best wishes, Dani Grosu -- View this message in context: http://openssl.6102.n7.nabble.com/Errors-when-loading-an-OpenSSL-RSA-Engine-tp64385p64547.html Sent from the OpenSSL - Dev mailing list archive at Nabble.com. From rt at openssl.org Thu Mar 10 14:58:15 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 10 Mar 2016 14:58:15 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: > I am a bit confused, as on our server the openssl version is OpenSSL > 1.0.1e-fips 11 Feb 2013 > > I am not quite sure why a more recent version of openssl ( 1.0.1p 9 Jul > 2015 ) does not support sha256. SHA-256 is in 1.0.1 You said you had issues and asked what to upgrade to, I gave a recommendation. Perhaps you're trying to use a different TLS version? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 15:01:17 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 10 Mar 2016 15:01:17 +0000 Subject: [openssl-dev] [openssl.org #4410] [PATCH] add calculation of M1, M2 in srp, based on 1_0_2g In-Reply-To: References: Message-ID: We need a little more explanation. Is this a new feature? Being added to 1.0.2? (That won't be accepted, only fixes go into released branches.) Or is this something that was dropped and should be restored? Unfortunately, the 1.1 freeze deadline is in 24 hours. This won't make it into 1.1 unless it is a bug-fix. I also noticed that there is no documentation of these new functions. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4410 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 15:04:18 2016 From: rt at openssl.org (Irena Johnson via RT) Date: Thu, 10 Mar 2016 15:04:18 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: Sorry I was not very clear. I meant to say our server has OpenSSL 1.0.1e-fips 11 Feb 2013, which supports 256 encryption. Our client's side have a more recent version of OpenSSL ( 1.0.1p 9 Jul 2015 ), which apparently does not support 256 encryption. This is the reason I thought this is a bug (if an older version supports sha256, but a newer version does not). I am not quite sure how the version upgrades are done for OpenSSL and how TLS is involved. Thank you, On Thu, Mar 10, 2016 at 9:58 AM, Salz, Rich via RT wrote: > > I am a bit confused, as on our server the openssl version is OpenSSL > > 1.0.1e-fips 11 Feb 2013 > > > > I am not quite sure why a more recent version of openssl ( 1.0.1p 9 Jul > > 2015 ) does not support sha256. > > > SHA-256 is in 1.0.1 You said you had issues and asked what to upgrade > to, I gave a recommendation. > > Perhaps you're trying to use a different TLS version? > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 > Please log in as guest with password guest if prompted > > -- Irena -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 15:12:16 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 10 Mar 2016 15:12:16 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: 256 encryption? You mean SHA-256? That's a digest, not encryption. My guess, without more information like reproducible test, or a packet dump, is that the client is configured to only use an earlier version of TLS/SSL, which did not define SHA256 in its crypto-suites. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4409 Please log in as guest with password guest if prompted From davidben at google.com Thu Mar 10 15:33:03 2016 From: davidben at google.com (David Benjamin) Date: Thu, 10 Mar 2016 15:33:03 +0000 Subject: [openssl-dev] Running against BoringSSL's SSL test suite In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 1:30 AM Kanaka Kotamarthy wrote: > And also Openssl fails with Resume-Client-NoResume cases. Do you have > any report on which test cases do fail and reasons for the failure? > > > RT tickets 4387 through 4395 were the failures I've triaged. I'm sure > there's more things in there to look through. > > I don't believe Resume-Client-NoResume fails for me. Perhaps something was > fixed between master and 1.1.0-pre2. > > > Openssl doesn't gives any error. For Resume-Client-NoResume-SSL3-TLS11 > test case, we expect the new session's handshake to be done with TLS11. But > with Openssl handshake is done using SSL3. As in ssl3_clear, we set back > s->version to s->method->version. > Oh, sorry, I keep forgetting our runner doesn't make it clear when a -test option fails to match anything. (I should fix that...) I looked for Resume-Client-NoResume without noticing it had suffixes. :-) I would expect most things addResumptionVersionTests to fail. See https://github.com/openssl/openssl/pull/603 David > Thank you > Durga. > > On Wed, Mar 9, 2016 at 10:38 PM, David Benjamin > wrote: > >> On Wed, Mar 9, 2016 at 5:07 AM Kanaka Kotamarthy >> wrote: >> >>> Hi >>> >>> I am even testing OpenSSL with BoringSSL's test cases using >>> Openssl-1.1.0-pre2. Trying to find out reasons of OpenSSL's failures >>> for particular cases. >>> >>> DTLS 1.0 session resumption has some thing wrong. If s_server started >>> with -dtls and s_client -dtls1 -reconnect , session resumption is not >>> being done. The reason for this may be, version negotiation for DTLS >>> is done after loading previous session and check for s->version and >>> s->session->version fails in tls_process_client_hello. >>> >> >> See RT #4392. >> https://rt.openssl.org/Ticket/Display.html?id=4392 >> >> >>> And also Openssl fails with Resume-Client-NoResume cases. Do you have >>> any report on which test cases do fail and reasons for the failure? >>> >> >> RT tickets 4387 through 4395 were the failures I've triaged. I'm sure >> there's more things in there to look through. >> >> I don't believe Resume-Client-NoResume fails for me. Perhaps something >> was fixed between master and 1.1.0-pre2. >> >> David >> >> >>> Thank you >>> Durga. >>> >>> On Tue, Mar 8, 2016 at 3:19 AM, David Benjamin >>> wrote: >>> > Hi folks, >>> > >>> > So, we've by now built up a decent-sized SSL test suite in BoringSSL. >>> I was >>> > bored and ran it against OpenSSL master. It revealed a number of bugs. >>> One >>> > is https://github.com/openssl/openssl/pull/603. I'll be filing tickets >>> > shortly for the remaining ones I've triaged, but I thought I'd send >>> this >>> > separately rather than duplicate it everywhere. >>> > >>> > Emilia also suggested there may be room to collaborate on testing. If >>> > nothing else, just borrowing ideas or porting tests to/from your >>> TLSProxy >>> > setup. (Like, say, the ones that caught the bugs I'll be reporting. >>> :-) ) >>> > So, here's an introduction on how it all works: >>> > >>> > To run the tests on OpenSSL, clone BoringSSL: >>> > https://boringssl.googlesource.com/boringssl/ >>> > Then patch in this change. (Click the "Download" in the upper-right for >>> > options.) >>> > https://boringssl-review.googlesource.com/#/c/7332/ >>> > Then follow the instructions in the commit message. >>> > >>> > The tests themselves and the runner logic live in >>> ssl/test/runner/runner.go: >>> > >>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 >>> > >>> > They work by running an unmodified TLS stack in a shim binary against >>> a copy >>> > of Go's. We patch our copy with options for weird behavior to test >>> against: >>> > >>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 >>> > >>> > Go and shim communicate entirely with sockets and (tons of) >>> command-line >>> > flags, though it is slightly overfit to BoringSSL's behavior and checks >>> > error strings a lot. The shim also has options like -async mode which >>> we use >>> > on a subset of tests to stress state machine resumption. (This has >>> saved me >>> > from state machine bugs so many times.) >>> > >>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 >>> > >>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 >>> > >>> > I hope this is useful! Bugs and patches will follow this mail, as I >>> write >>> > them up. >>> > >>> > David >>> > >>> > -- >>> > openssl-dev mailing list >>> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >>> > >>> -- >>> openssl-dev mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >>> >> >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> >> > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From davidben at google.com Thu Mar 10 15:51:19 2016 From: davidben at google.com (David Benjamin) Date: Thu, 10 Mar 2016 15:51:19 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <201603090530.u295UQFo006193@d23av03.au.ibm.com> <736752c414df43f9b5e6ca34ac79e592@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: By the way, returning the original subject, I don't believe there is a leak here. If EC_GROUP_copy fails, dest still exists and is owned by the caller. It's the caller's obligation to call EC_GROUP_free and that will release the partially-copied EC_GROUP. (Which will, with this patch, cause a double-free because the unnecessarily freed pointers aren't nulled.) David On Wed, Mar 9, 2016 at 1:00 PM Bill Parker via RT wrote: > Geez, > > What did I start here (egad) :) > > Bill > > On Wed, Mar 9, 2016 at 5:03 AM, Salz, Rich via RT wrote: > > > > No, you got that right, NULL being 'safe' to free varies with OS. > > > > Except we mandate ANSI C which means it's portable :) > > > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > > Please log in as guest with password guest if prompted > > > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Thu Mar 10 15:51:36 2016 From: rt at openssl.org (David Benjamin via RT) Date: Thu, 10 Mar 2016 15:51:36 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: <201603090530.u295UQFo006193@d23av03.au.ibm.com> <736752c414df43f9b5e6ca34ac79e592@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: By the way, returning the original subject, I don't believe there is a leak here. If EC_GROUP_copy fails, dest still exists and is owned by the caller. It's the caller's obligation to call EC_GROUP_free and that will release the partially-copied EC_GROUP. (Which will, with this patch, cause a double-free because the unnecessarily freed pointers aren't nulled.) David On Wed, Mar 9, 2016 at 1:00 PM Bill Parker via RT wrote: > Geez, > > What did I start here (egad) :) > > Bill > > On Wed, Mar 9, 2016 at 5:03 AM, Salz, Rich via RT wrote: > > > > No, you got that right, NULL being 'safe' to free varies with OS. > > > > Except we mandate ANSI C which means it's portable :) > > > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > > Please log in as guest with password guest if prompted > > > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 16:42:06 2016 From: rt at openssl.org (David Benjamin via RT) Date: Thu, 10 Mar 2016 16:42:06 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: <56D975ED.4080300@openssl.org> <56D97E79.4050206@openssl.org> Message-ID: The current state is that, as far as I can tell, overlapping requirements are undocumented (or is it somewhere and I missed it?) and, for ChaCha, architecture-specific. I think something certainly needs to be done. Either changing chacha-x86.pl and allowing any out <= in overlap, or declaring that you want out == in (or something else) with, at minimum, a documentation change. I would actually suggest going further and updating EVP_CipherUpdate to enforce the rule and raise an error if the caller doesn't honor it. Otherwise we'll continue to be in the situation where callers may write code that works on some architectures but not others. (BoringSSL's EVP_AEAD API will fail with OUTPUT_ALIASES_INPUT if aliasing requirements aren't honored.) Actually, I'm not sure how to best translate an out == in rule to streaming EVP_CipherUpdate for block ciphers. Imagine feeding one byte at a time to EVP_CipherUpdate, in will naturally get ahead of out and then synchronize at block boundaries, so the rule can't be as straight forward as "out == in". (Whereas out <= in naturally covers this behavior.) Given the numbers in https://mta.openssl.org/pipermail/openssl-dev/2016-March/005625.html the cost seems fairly modest and this is only for 32-bit, not 64-bit. Based on that, and that other implementations I've tested handle the case fine, I think this is a reasonable requirement to impose. Of course, I am also biased here because out == in will cause me some nuisance. :-) One can certainly argue that out == in is perhaps easier to handle than out <= in and it is not worth allowing it. Either way, I'm not an OpenSSL team member and can't make a decision on behalf of you all. This is something you all have to pick from. David On Fri, Mar 4, 2016 at 7:24 AM Andy Polyakov via RT wrote: > >>> If the other EVP ciphers universally allow this then I think we must > >> treat this > >>> as a bug, because people may be relying on this behaviour. There is > also > >>> sporadic documentation in lower-level APIs (AES source and des.pod) > that > >> the > >>> buffers may overlap. > >>> > >>> If it's inconsistent then, at the very least, we must document that it > >> is not > >>> allowed. > >> > >> I'd like to argue that EVP is not place to provide any guarantees about > >> partially overlapping buffers. Even though all current ciphers process > >> data in ascending address order, we shouldn't make assumption that there > >> won't be one that processes data in reverse order. > > > > > > I'm afraid that, since we haven't documented it, the world may already > have > > made that assumption. > > Fear is irrational and destructive feeling. Having faith that world is > better than that it nothing but healthy :-) What I'm saying is that > let's put a little bit more substance into discourse. Would anybody > consider it *sane* programming practice to rely on partially overlapping > buffers in *general* case? I.e. without actually *knowing* (as opposite > to *assuming*) what's gong on? [Control question: does compiler > guarantee order of references to memory?] As said in last message I > don't consider it sane and even consider it natural [which means that > I'd expect majority to not consider it sane too]. > > Once again, I'm not saying that nothing would be done, I simply want to > figure out where does line go. From my personal view point I'd say that > nothing *has to* be done, but it's just me. You seem to say that we're > obliged to support partially overlapping buffers. My question then is > *any* overlap, *any* cost? Shall we settle for simply writing down that > application developer may not rely on partially overlapping buffers? If > so, do we fix the modules in question arguing that this quality might be > desirable in different context [where modules in question can be used]? > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 Please log in as guest with password guest if prompted From davidben at google.com Thu Mar 10 16:41:50 2016 From: davidben at google.com (David Benjamin) Date: Thu, 10 Mar 2016 16:41:50 +0000 Subject: [openssl-dev] [openssl.org #4362] chacha-x86.pl has stricter aliasing requirements than other files In-Reply-To: References: <56D975ED.4080300@openssl.org> <56D97E79.4050206@openssl.org> Message-ID: The current state is that, as far as I can tell, overlapping requirements are undocumented (or is it somewhere and I missed it?) and, for ChaCha, architecture-specific. I think something certainly needs to be done. Either changing chacha-x86.pl and allowing any out <= in overlap, or declaring that you want out == in (or something else) with, at minimum, a documentation change. I would actually suggest going further and updating EVP_CipherUpdate to enforce the rule and raise an error if the caller doesn't honor it. Otherwise we'll continue to be in the situation where callers may write code that works on some architectures but not others. (BoringSSL's EVP_AEAD API will fail with OUTPUT_ALIASES_INPUT if aliasing requirements aren't honored.) Actually, I'm not sure how to best translate an out == in rule to streaming EVP_CipherUpdate for block ciphers. Imagine feeding one byte at a time to EVP_CipherUpdate, in will naturally get ahead of out and then synchronize at block boundaries, so the rule can't be as straight forward as "out == in". (Whereas out <= in naturally covers this behavior.) Given the numbers in https://mta.openssl.org/pipermail/openssl-dev/2016-March/005625.html the cost seems fairly modest and this is only for 32-bit, not 64-bit. Based on that, and that other implementations I've tested handle the case fine, I think this is a reasonable requirement to impose. Of course, I am also biased here because out == in will cause me some nuisance. :-) One can certainly argue that out == in is perhaps easier to handle than out <= in and it is not worth allowing it. Either way, I'm not an OpenSSL team member and can't make a decision on behalf of you all. This is something you all have to pick from. David On Fri, Mar 4, 2016 at 7:24 AM Andy Polyakov via RT wrote: > >>> If the other EVP ciphers universally allow this then I think we must > >> treat this > >>> as a bug, because people may be relying on this behaviour. There is > also > >>> sporadic documentation in lower-level APIs (AES source and des.pod) > that > >> the > >>> buffers may overlap. > >>> > >>> If it's inconsistent then, at the very least, we must document that it > >> is not > >>> allowed. > >> > >> I'd like to argue that EVP is not place to provide any guarantees about > >> partially overlapping buffers. Even though all current ciphers process > >> data in ascending address order, we shouldn't make assumption that there > >> won't be one that processes data in reverse order. > > > > > > I'm afraid that, since we haven't documented it, the world may already > have > > made that assumption. > > Fear is irrational and destructive feeling. Having faith that world is > better than that it nothing but healthy :-) What I'm saying is that > let's put a little bit more substance into discourse. Would anybody > consider it *sane* programming practice to rely on partially overlapping > buffers in *general* case? I.e. without actually *knowing* (as opposite > to *assuming*) what's gong on? [Control question: does compiler > guarantee order of references to memory?] As said in last message I > don't consider it sane and even consider it natural [which means that > I'd expect majority to not consider it sane too]. > > Once again, I'm not saying that nothing would be done, I simply want to > figure out where does line go. From my personal view point I'd say that > nothing *has to* be done, but it's just me. You seem to say that we're > obliged to support partially overlapping buffers. My question then is > *any* overlap, *any* cost? Shall we settle for simply writing down that > application developer may not rely on partially overlapping buffers? If > so, do we fix the modules in question arguing that this quality might be > desirable in different context [where modules in question can be used]? > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4362 > Please log in as guest with password guest if prompted > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Thu Mar 10 17:14:02 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 10 Mar 2016 17:14:02 +0000 Subject: [openssl-dev] [openssl.org #4409] bug OpenSSL 1.0.1p 9 Jul 2015 In-Reply-To: References: Message-ID: <20160310171402.GB10917@mournblade.imrryr.org> On Thu, Mar 10, 2016 at 12:58:34PM +0000, Irena Johnson via RT wrote: > Our clients are having trouble connecting to our GRAM server, which has a > sha256 host certificate. The reason for the connection failures may be unrelated to the certificate signature algorithm. What specific symptoms lead to the conclusion that this is the problem? In OpenSSL 1.0.1 sha256 is enabled by default (via SSL_library_init() also known as OpenSSL_add_ssl_algorithms()). > and it appears it's not compatible with sha256 encryption: This is simply not the case. > The command "openssl ciphers -v | grep 256" returns nothing. Not even "AES256" ciphers? That's rather odd, those have been around since 0.9.8 IIRC. And, in any case, this is the wrong test for support for SHA256 in certificates. Your problem is with the server certificate, not the MAC algorithm used in TLS ciphers. > What version of openssl should they install? Thank you for your help, The problem is almost certainly elsewhere. It is of course possible to build OpenSSL with various algorithms disabled, including "no-sha256", ... so please report the output of $ openssl version -v -p -o -f and "ldd" output showing the library dependencies of both the "openssl" command, and your application. $ ldd /usr/bin/openssl | egrep 'lib(ssl|crypto)' $ ldd /some/executable | egrep 'lib(ssl|crypto)' -- Viktor. From noloader at gmail.com Thu Mar 10 17:48:33 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 10 Mar 2016 12:48:33 -0500 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 4:05 AM, Richard Levitte via RT wrote: > Sometimes, things happen fast. > > The diff I posted got into master just moments ago, commit > d46057277f3b805e5f198e31fc81a892bf5c9141 > > Still, please try it and report back so I can (hopefully) close this ticket. OK, so I'm clear.... there's nothing to patch because the commit already occurred. Is that correct? If so: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/ec/ecp_nistputil.o crypto/ec/ecp_nistputil.c gcc -E crypto/ec/ecp_nistz256-armv8.S > crypto/ec/ecp_nistz256-armv8.s crypto/ec/ecp_nistz256-armv8.S:1:22: fatal error: arm_arch.h: No such file or directory #include "arm_arch.h" Jeff From rt at openssl.org Thu Mar 10 17:48:44 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 10 Mar 2016 17:48:44 +0000 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 4:05 AM, Richard Levitte via RT wrote: > Sometimes, things happen fast. > > The diff I posted got into master just moments ago, commit > d46057277f3b805e5f198e31fc81a892bf5c9141 > > Still, please try it and report back so I can (hopefully) close this ticket. OK, so I'm clear.... there's nothing to patch because the commit already occurred. Is that correct? If so: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/ec/ecp_nistputil.o crypto/ec/ecp_nistputil.c gcc -E crypto/ec/ecp_nistz256-armv8.S > crypto/ec/ecp_nistz256-armv8.s crypto/ec/ecp_nistz256-armv8.S:1:22: fatal error: arm_arch.h: No such file or directory #include "arm_arch.h" Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4406 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 19:29:21 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 10 Mar 2016 19:29:21 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: Working from Master: $ git reset --hard HEAD && git pull HEAD is now at fb04434 In the recipe using "makedepend", make sure the object file extension is there Already up-to-date. $ ./config ... $ make depend && make clean && make ... $ make test ... ( cd test; \ SRCTOP=../. \ BLDTOP=../. \ EXE_EXT= \ /usr/bin/perl .././test/run_tests.pl ) ../test/recipes/01-test_ordinals.t ........ ok ../test/recipes/05-test_bf.t .............. ok ... ../test/recipes/25-test_x509.t ............ ok ../test/recipes/30-test_afalg.t ........... ^C (after about 20 minutes) ********** Machine is Lubuntu: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 15.10 Release: 15.10 Codename: wily $ uname -a Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux ********** $ ./config Operating system: i686-whatever-linux2 Configuring for linux-elf Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-elf IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -DL_ENDIAN -fomit-frame-pointer -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_PART_WORDS OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM RMD160_ASM AES_ASM VPAES_ASM WHIRLPOOL_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86cpuid.o UPLINK_OBJ = BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86.o DES_ENC =des-586.o crypt586.o AES_ENC =aes-586.o vpaes-x86.o aesni-x86.o BF_ENC =bf-586.o CAST_ENC =c_enc.o RC4_ENC =rc4-586.o RC5_ENC =rc5-586.o MD5_OBJ_ASM =md5-586.o SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o RMD160_OBJ_ASM=rmd-586.o CMLL_ENC =cmll-x86.o MODES_OBJ =ghash-x86.o PADLOCK_OBJ =e_padlock-x86.o CHACHA_ENC =chacha-x86.o POLY1305_OBJ =poly1305-x86.o PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl THIRTY_TWO_BIT mode BN_LLONG mode Configured for linux-elf. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 19:48:42 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 10 Mar 2016 19:48:42 +0000 Subject: [openssl-dev] [openssl.org #4406] Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: A new commit was just added to master, f0667b1430bac3b8c9c5b76985ad24cf9b13a0a9 It should solve this particular ticket and all future similar ones, I hope. Please try a fresh pull of master and tell me how it goes. Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4406 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 20:41:11 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 10 Mar 2016 20:41:11 +0000 Subject: [openssl-dev] [openssl.org #4412] Debian and ARM32 (armv7l): fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: Working from Master on a BeagleBone Black... $ git reset --hard HEAD && git pull HEAD is now at 0d4d5ab check reviewer --reviewer=emilia Already up-to-date. $ ./config ... $ make depend && make clean && make ... gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -march=armv7-a -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -Icrypto -MMD -MF crypto/aes/aesv8-armx.d.tmp -MT crypto/aes/aesv8-armx.o -c -o crypto/aes/aesv8-armx.o crypto/aes/aesv8-armx.s gcc -E crypto/aes/bsaes-armv7.S > crypto/aes/bsaes-armv7.s crypto/aes/bsaes-armv7.S:50:23: fatal error: arm_arch.h: No such file or directory # include "arm_arch.h" ^ compilation terminated. : recipe for target 'crypto/aes/bsaes-armv7.s' failed make: *** [crypto/aes/bsaes-armv7.s] Error 1 ********** $ ./config Operating system: armv7l-whatever-linux2 Configuring for linux-armv4 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-armv4 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -march=armv7-a -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =armcap.o armv4cpuid.o UPLINK_OBJ = BN_ASM =bn_asm.o armv4-mont.o armv4-gf2m.o EC_ASM =ecp_nistz256.o ecp_nistz256-armv4.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-armv4-large.o sha256-armv4.o sha512-armv4.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghash-armv4.o ghashv8-armx.o PADLOCK_OBJ = CHACHA_ENC =chacha-armv4.o POLY1305_OBJ =poly1305-armv4.o PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl THIRTY_TWO_BIT mode BN_LLONG mode Configured for linux-armv4. ********** I think this was a Debian console image from http://elinux.org/BeagleBoardDebian. $ uname -a Linux beaglebone 4.1.15-ti-rt-r40 #1 SMP PREEMPT RT Thu Jan 7 23:32:08 UTC 2016 armv7l GNU/Linux $ lsb_release -a -bash: lsb_release: command not found -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4412 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 20:53:25 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 10 Mar 2016 20:53:25 +0000 Subject: [openssl-dev] [openssl.org #4412] Debian and ARM32 (armv7l): fatal error: arm_arch.h: No such file or directory In-Reply-To: <20160310.215320.1390473486822971435.levitte@openssl.org> References: <20160310.215320.1390473486822971435.levitte@openssl.org> Message-ID: Ah, it seems I didn't think of looking for '# *include', only for '#include'... Fix coming up. In message on Thu, 10 Mar 2016 20:41:11 +0000, "noloader at gmail.com via RT" said: rt> Working from Master on a BeagleBone Black... rt> rt> $ git reset --hard HEAD && git pull rt> HEAD is now at 0d4d5ab check reviewer --reviewer=emilia rt> Already up-to-date. rt> rt> $ ./config rt> ... rt> $ make depend && make clean && make rt> ... rt> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS rt> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT rt> -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM rt> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM rt> -DOPENSSLDIR="\"/usr/local/ssl\"" rt> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread rt> -march=armv7-a -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include rt> -Icrypto -MMD -MF crypto/aes/aesv8-armx.d.tmp -MT rt> crypto/aes/aesv8-armx.o -c -o crypto/aes/aesv8-armx.o rt> crypto/aes/aesv8-armx.s rt> gcc -E crypto/aes/bsaes-armv7.S > crypto/aes/bsaes-armv7.s rt> crypto/aes/bsaes-armv7.S:50:23: fatal error: arm_arch.h: No such file rt> or directory rt> # include "arm_arch.h" rt> ^ rt> compilation terminated. rt> : recipe for target 'crypto/aes/bsaes-armv7.s' failed rt> make: *** [crypto/aes/bsaes-armv7.s] Error 1 rt> rt> ********** rt> rt> $ ./config rt> Operating system: armv7l-whatever-linux2 rt> Configuring for linux-armv4 rt> Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) rt> no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) rt> no-crypto-mdebug-backtrace [forced] rt> OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) rt> no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) rt> no-egd [default] OPENSSL_NO_EGD (skip dir) rt> no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) rt> no-md2 [default] OPENSSL_NO_MD2 (skip dir) rt> no-rc5 [default] OPENSSL_NO_RC5 (skip dir) rt> no-sctp [default] OPENSSL_NO_SCTP (skip dir) rt> no-shared [default] rt> no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) rt> no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) rt> no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) rt> no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) rt> no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) rt> no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) rt> no-zlib [default] rt> no-zlib-dynamic [default] rt> Configuring for linux-armv4 rt> IsMK1MF =no rt> CC =gcc rt> CFLAG =-Wall -O3 -pthread -march=armv7-a -Wa,--noexecstack rt> SHARED_CFLAG =-fPIC rt> DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS rt> OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT rt> OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM BSAES_ASM rt> GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM rt> LFLAG = rt> PLIB_LFLAG = rt> EX_LIBS =-ldl rt> APPS_OBJ = rt> CPUID_OBJ =armcap.o armv4cpuid.o rt> UPLINK_OBJ = rt> BN_ASM =bn_asm.o armv4-mont.o armv4-gf2m.o rt> EC_ASM =ecp_nistz256.o ecp_nistz256-armv4.o rt> DES_ENC =des_enc.o fcrypt_b.o rt> AES_ENC =aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o rt> BF_ENC =bf_enc.o rt> CAST_ENC =c_enc.o rt> RC4_ENC =rc4_enc.o rc4_skey.o rt> RC5_ENC =rc5_enc.o rt> MD5_OBJ_ASM = rt> SHA1_OBJ_ASM =sha1-armv4-large.o sha256-armv4.o sha512-armv4.o rt> RMD160_OBJ_ASM= rt> CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o rt> MODES_OBJ =ghash-armv4.o ghashv8-armx.o rt> PADLOCK_OBJ = rt> CHACHA_ENC =chacha-armv4.o rt> POLY1305_OBJ =poly1305-armv4.o rt> PROCESSOR = rt> RANLIB =/usr/bin/ranlib rt> ARFLAGS = rt> PERL =/usr/bin/perl rt> rt> THIRTY_TWO_BIT mode rt> BN_LLONG mode rt> rt> Configured for linux-armv4. rt> rt> ********** rt> rt> I think this was a Debian console image from rt> http://elinux.org/BeagleBoardDebian. rt> rt> $ uname -a rt> Linux beaglebone 4.1.15-ti-rt-r40 #1 SMP PREEMPT RT Thu Jan 7 23:32:08 rt> UTC 2016 armv7l GNU/Linux rt> rt> $ lsb_release -a rt> -bash: lsb_release: command not found rt> rt> rt> -- rt> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4412 rt> Please log in as guest with password guest if prompted rt> rt> -- rt> openssl-dev mailing list rt> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev rt> -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4412 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 10 21:07:27 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 10 Mar 2016 21:07:27 +0000 Subject: [openssl-dev] [openssl.org #4412] Debian and ARM32 (armv7l): fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: Should be resolved now, commit 603358de576217812cb3d752e97c78e476cdc879 Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4412 Please log in as guest with password guest if prompted From openssl at roumenpetrov.info Thu Mar 10 21:56:42 2016 From: openssl at roumenpetrov.info (Roumen Petrov) Date: Thu, 10 Mar 2016 23:56:42 +0200 Subject: [openssl-dev] unified build dependencies Message-ID: <56E1ED9A.6010209@roumenpetrov.info> Hello , It seems to me unified build system work quite well with simultaneous build jobs. I would like to report a minor issue - I have to run make 3 times until all decencies are resolved. Second make rebuild about 450 items. Third time only speed is rebuild. The build is in a clean source tree. After build into tree left a number of temporary dependency files (*.d.tmp). Regards, Roumen From openssl at roumenpetrov.info Thu Mar 10 22:21:28 2016 From: openssl at roumenpetrov.info (Roumen Petrov) Date: Fri, 11 Mar 2016 00:21:28 +0200 Subject: [openssl-dev] OPENSSL_cleanup new issue In-Reply-To: <56CCC037.5040403@roumenpetrov.info> References: <56CCC037.5040403@roumenpetrov.info> Message-ID: <56E1F368.5090308@roumenpetrov.info> Hello, With new thread model in some configurations openssl hands on unload of engine. Steps to reproduce: 1) after installation add following lines to openssl.cnf before section [ new_oids ] #begin openssl_conf = config [ config ] engines = engine_section [ engine_section ] engine1 = engine1_config [ engine1_config ] #engine_id = dasync dynamic_path = ${ENV::OPENSSL_ENGINES}/dasync.so #end 2) check for dasync engine $ OPENSSL_ENGINES=/usr/local/openssl64/master/lib/engines /usr/local/openssl64/master/bin/openssl engine -c dasync (dasync) Dummy Async engine support [RSA, AES-128-CBC, AES-128-CBC-HMAC-SHA1, SHA1] Program hang on library cleanup: (gdb) bt #0 0x00007f6b6ba7f4bc in __lll_lock_wait () from /lib64/libpthread.so.0 #1 0x00007f6b6ba7c5e1 in pthread_rwlock_wrlock () from /lib64/libpthread.so.0 #2 0x00007f6b6c03ace9 in CRYPTO_THREAD_write_lock (lock=) at crypto/threads_pthread.c:79 #3 0x00007f6b6bfbd813 in ENGINE_finish (e=0x1071ba0) at crypto/engine/eng_init.c:142 #4 0x00007f6b6bfbb9d8 in int_engine_module_finish (md=) at crypto/engine/eng_cnf.c:232 #5 0x00007f6b6bf627c6 in module_finish (imod=0x1071e80) at crypto/conf/conf_mod.c:445 #6 CONF_modules_finish () at crypto/conf/conf_mod.c:432 #7 0x00007f6b6bf62a39 in CONF_modules_free () at crypto/conf/conf_mod.c:465 #8 0x00007f6b6bfe047a in OPENSSL_cleanup () at crypto/init.c:477 #9 0x00007f6b6b6e1209 in __run_exit_handlers () from /lib64/libc.so.6 #10 0x00007f6b6b6e1255 in exit () from /lib64/libc.so.6 #11 0x000000000041cf5d in main (argc=, argv=) at apps/openssl.c:361 (gdb) My build is based on commit 603358de576217812cb3d752e97c78e476cdc879 -plus remaining modifications from issue "#4207 engine key format in 1.1" Regards, Roumen Petrov Roumen Petrov wrote: > Hello, > > I just finish tests with new initialization methods. Memory detection > tool report a number of memory leaks. > > Startup code is: > OPENSSL_init_crypto( > OPENSSL_INIT_ENGINE_ALL_BUILTIN | > OPENSSL_INIT_ADD_ALL_CIPHERS | > OPENSSL_INIT_ADD_ALL_DIGESTS | > OPENSSL_INIT_LOAD_CONFIG, NULL); > > Default configuration describes a cryptographic module : > ------------------ > #[ default ] > openssl_conf = config > > [ config ] > engines = engine_section > > [ engine_section ] > engine1 = engine_conf1 > > [ engine_conf1 ] > engine_id = foo > ... > ------------------ > > At exit OPENSSL_cleanup is not enough. > It seems to me call of ENGINE_cleanup() and CONF_modules_unload(1) > before cleanup suppress memory warnings. > > > Another point - why OPENSSL_config duplicate name of configuration file? > > > Regards, > Roumen From doctor at doctor.nl2k.ab.ca Thu Mar 10 22:40:38 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Thu, 10 Mar 2016 15:40:38 -0700 Subject: [openssl-dev] openssl-SNAP-20160310 issues Message-ID: <20160310224038.GA5331@doctor.nl2k.ab.ca> Here is your latest gaffe gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/ec/ec_asn1.o crypto/ec/ec_asn1.c crypto/ec/ec_asn1.c:183: redefinition of `ECPARAMETERS' include/openssl/ec.h:121: `ECPARAMETERS' previously declared here Please fix! -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From levitte at openssl.org Thu Mar 10 22:55:13 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 10 Mar 2016 23:55:13 +0100 (CET) Subject: [openssl-dev] openssl-SNAP-20160310 issues In-Reply-To: <20160310224038.GA5331@doctor.nl2k.ab.ca> References: <20160310224038.GA5331@doctor.nl2k.ab.ca> Message-ID: <20160310.235513.695504951328403585.levitte@openssl.org> In message <20160310224038.GA5331 at doctor.nl2k.ab.ca> on Thu, 10 Mar 2016 15:40:38 -0700, The Doctor said: doctor> Here is your latest gaffe doctor> doctor> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/ec/ec_asn1.o crypto/ec/ec_asn1.c doctor> crypto/ec/ec_asn1.c:183: redefinition of `ECPARAMETERS' doctor> include/openssl/ec.h:121: `ECPARAMETERS' previously declared here doctor> doctor> Please fix! Done hours ago commit 03f880e4fc5f4235006abdc152664c22aef6a506 Author: Richard Levitte Date: Thu Mar 10 11:29:08 2016 +0100 The typedef ECPARAMETERS is already defined, don't define it anew Reviewed-by: Matt Caswell Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Fri Mar 11 01:03:11 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 10 Mar 2016 20:03:11 -0500 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two Message-ID: Hi Everyone, Testing master on real hardware is showing some minor issues on a few platforms, including ARM32, ARM64, PowerPC and i686. In addition, there seems to be one-off issues on other combinations, like VIA's C7 processor on Linux. In addition to the base issues, there are other minor issues like failing to configure and compile with 'no-comp'. Other configuration dependent issues include failed self tests under PowerPC in a shared configuration. Please consider delaying the freeze for a week or two while the issues are being ironed out. Jeff From rt at openssl.org Fri Mar 11 01:36:55 2016 From: rt at openssl.org (taochen via RT) Date: Fri, 11 Mar 2016 01:36:55 +0000 Subject: [openssl-dev] [openssl.org #4410] [PATCH] add calculation of M1, M2 in srp, based on 1_0_2g(Internet mail) In-Reply-To: References: , , , , Message-ID: Sorry for no documentation. In SRP6a, after the client and server calculate a common session key, they must prove to each other that their keys are idential to finish authentication. That is client send the M1, and server verifies M1 and responses with M2, then client verifies M2. I notice that both the 1.0.2 and the master are not provide the method of calculate M1, M2, that is what the patch does. Hopefully, the patch will be added to the next release. Thank you. From: Salz, Rich via RT Date: 2016-03-10 23:01 To: taochen(??) CC: openssl-dev at openssl.org Subject: RE: [openssl-dev] [openssl.org #4410] [PATCH] add calculation of M1, M2 in srp, based on 1_0_2g(Internet mail) We need a little more explanation. Is this a new feature? Being added to 1.0.2? (That won't be accepted, only fixes go into released branches.) Or is this something that was dropped and should be restored? Unfortunately, the 1.1 freeze deadline is in 24 hours. This won't make it into 1.1 unless it is a bug-fix. I also noticed that there is no documentation of these new functions. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4410 Please log in as guest with password guest if prompted ???? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4410 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 11 02:06:16 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Fri, 11 Mar 2016 02:06:16 +0000 Subject: [openssl-dev] [openssl.org #4410] [PATCH] add calculation of M1, M2 in srp, based on 1_0_2g(Internet mail) In-Reply-To: <11b3f70edbc04b5a9ec516792030ba54@usma1ex-dag1mb1.msg.corp.akamai.com> References: , , , , <11b3f70edbc04b5a9ec516792030ba54@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: Sorry, no, it's too late to get this into 1.1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4410 Please log in as guest with password guest if prompted From levitte at openssl.org Fri Mar 11 07:56:11 2016 From: levitte at openssl.org (Richard Levitte) Date: Fri, 11 Mar 2016 08:56:11 +0100 (CET) Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: Message-ID: <20160311.085611.2233385219209923204.levitte@openssl.org> In message on Thu, 10 Mar 2016 20:03:11 -0500, Jeffrey Walton said: noloader> Hi Everyone, noloader> noloader> Testing master on real hardware is showing some minor issues on a few noloader> platforms, including ARM32, ARM64, PowerPC and i686. In addition, noloader> there seems to be one-off issues on other combinations, like VIA's C7 noloader> processor on Linux. noloader> noloader> In addition to the base issues, there are other minor issues like noloader> failing to configure and compile with 'no-comp'. Other configuration noloader> dependent issues include failed self tests under PowerPC in a shared noloader> configuration. noloader> noloader> Please consider delaying the freeze for a week or two while the issues noloader> are being ironed out. The upcoming release is the first beta of two planned, and we've already delayed the first for a few extra days. It is not a final release, so there's still time to fix things like these. Please see the bottom of the release strategy for the planned dates: http://openssl.org/policies/releasestrat.html Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Fri Mar 11 08:07:17 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 11 Mar 2016 08:07:17 +0000 Subject: [openssl-dev] [openssl.org #4413] Cygwin x86_64: make: *** No rule to make target '/openssl/Configurations/unix-Makefile.tmpl', needed by 'configdata.pm'. In-Reply-To: References: Message-ID: Working from master: $ git reset --hard HEAD && git pull HEAD is now at 603358d Add include directory options for assembler files that include from crypto/ Already up-to-date. $ ./config ... $ make depend $ make make: *** No rule to make target 'Walton/openssl/Configurations/unix-Makefile.tmpl', needed by 'configdata.pm'. Stop. And: $ echo $PWD /home/Jeffrey Walton/openssl HOME for Cygwin-x64 on the Windows filesystem is: "C:\cygwin-x86_64\home\Jeffrey Walton". Two weeks ago I was able to complete the exercise. ********** $ ./config Operating system: x86_64-pc-cygwin Configuring for Cygwin-x86_64 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for Cygwin-x86_64 IsMK1MF =no CC =gcc CFLAG =-DTERMIOS -DL_ENDIAN -Wall -O3 SHARED_CFLAG =-D_WINDLL DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS = APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o PROCESSOR = RANLIB =/usr/bin/ranlib.exe ARFLAGS = PERL =/usr/bin/perl.exe SIXTY_FOUR_BIT_LONG mode Configured for Cygwin-x86_64. The library could not be configured for supporting multi-threaded applications as the compiler options required on this system are not known. See file INSTALL for details if you need multi-threading. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4413 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 11 08:36:21 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 11 Mar 2016 08:36:21 +0000 Subject: [openssl-dev] [openssl.org #4413] Cygwin x86_64: make: *** No rule to make target '/openssl/Configurations/unix-Makefile.tmpl', needed by 'configdata.pm'. In-Reply-To: <20160311.093611.565145502733215850.levitte@openssl.org> References: <20160311.093611.565145502733215850.levitte@openssl.org> Message-ID: In message on Fri, 11 Mar 2016 08:07:17 +0000, "noloader at gmail.com via RT" said: rt> Working from master: rt> rt> $ git reset --hard HEAD && git pull rt> HEAD is now at 603358d Add include directory options for assembler rt> files that include from crypto/ rt> Already up-to-date. rt> rt> $ ./config rt> ... rt> $ make depend rt> rt> rt> $ make rt> make: *** No rule to make target rt> 'Walton/openssl/Configurations/unix-Makefile.tmpl', needed by rt> 'configdata.pm'. Stop. rt> rt> And: rt> rt> $ echo $PWD rt> /home/Jeffrey Walton/openssl rt> rt> HOME for Cygwin-x64 on the Windows filesystem is: rt> "C:\cygwin-x86_64\home\Jeffrey Walton". Spaces in paths, the usual nemesis. Will be fixed, of course. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4413 Please log in as guest with password guest if prompted From matt at openssl.org Fri Mar 11 09:21:40 2016 From: matt at openssl.org (Matt Caswell) Date: Fri, 11 Mar 2016 09:21:40 +0000 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: Message-ID: <56E28E24.1030808@openssl.org> On 11/03/16 01:03, Jeffrey Walton wrote: > Hi Everyone, > > Testing master on real hardware is showing some minor issues on a few > platforms, including ARM32, ARM64, PowerPC and i686. In addition, > there seems to be one-off issues on other combinations, like VIA's C7 > processor on Linux. > > In addition to the base issues, there are other minor issues like > failing to configure and compile with 'no-comp'. Other configuration > dependent issues include failed self tests under PowerPC in a shared > configuration. > > Please consider delaying the freeze for a week or two while the issues > are being ironed out. I'd argue that a freeze helps us to iron the issues out. Problems tend to get introduced when new features are added. By declaring a freeze we no longer accept new features and can instead divert our attention to stability and bug fixing. Matt From noloader at gmail.com Fri Mar 11 09:24:00 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 11 Mar 2016 04:24:00 -0500 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: <20160311.085611.2233385219209923204.levitte@openssl.org> References: <20160311.085611.2233385219209923204.levitte@openssl.org> Message-ID: > noloader> Testing master on real hardware is showing some minor issues on a few > noloader> platforms, including ARM32, ARM64, PowerPC and i686. In addition, > noloader> there seems to be one-off issues on other combinations, like VIA's C7 > noloader> processor on Linux. > noloader> > noloader> In addition to the base issues, there are other minor issues like > noloader> failing to configure and compile with 'no-comp'. Other configuration > noloader> dependent issues include failed self tests under PowerPC in a shared > noloader> configuration. > noloader> > noloader> Please consider delaying the freeze for a week or two while the issues > noloader> are being ironed out. > > The upcoming release is the first beta of two planned, and we've > already delayed the first for a few extra days. It is not a final > release, so there's still time to fix things like these. > > Please see the bottom of the release strategy for the planned dates: > > http://openssl.org/policies/releasestrat.html Well, would it be possible to survey supported platforms and see if it makes sense to move forward at this point? Does the library maintain a matrix of test platforms and results? Releasing a Beta-1 seems like its missing the point if the the point of the beta is to test it. There are issues in {configure|build|test} on ARM32, ARM64, OpenBSD, Windows and some Linux i686 and x86_64 targets/configurations. I'm also wondering about MIPS, NetBSD, FreeBSD and Gentoo. Maybe something else to ponder in the big picture of release engineering... Why are the breaks occurring and not being caught? Why is the engineering process not catching them? (I think its OK to break things on occasion. You can't make an omelet without breaking eggs. But the idea is you have to catch them quickly and early before the user experiences the pain point. If the break is fixed before the user experiences the pain, then it "no blood, no foul" in my book). There's no need to rush the process. OpenSSL does not answer to anyone except its own quality standards. It seems like stepping back, coming up for some air, catching your breath and then diving back in will produce better results in the end. Jeff From rt at openssl.org Fri Mar 11 10:11:43 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 11 Mar 2016 10:11:43 +0000 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" In-Reply-To: References: Message-ID: Working from Master. $ make test make: don't know how to make usr/include/stddef.h. Stop make: stopped in /root/openssl -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4414 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 11 10:14:33 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 11 Mar 2016 10:14:33 +0000 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" In-Reply-To: <20160311.111429.725843299902991786.levitte@openssl.org> References: <20160311.111429.725843299902991786.levitte@openssl.org> Message-ID: In message on Fri, 11 Mar 2016 10:11:43 +0000, "noloader at gmail.com via RT" said: rt> Working from Master. rt> rt> $ make test rt> make: don't know how to make usr/include/stddef.h. Stop rt> rt> make: stopped in /root/openssl Is there a /usr/include/stddef.h? -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4414 Please log in as guest with password guest if prompted From ashwini.vpatil at siemens.com Fri Mar 11 09:54:53 2016 From: ashwini.vpatil at siemens.com (Patil, Ashwini IN BLR SHC) Date: Fri, 11 Mar 2016 15:24:53 +0530 Subject: [openssl-dev] Patent Issues for openssl version Message-ID: Hello Team, The following procedure is used to Integrate compiled openssl-fips2.0 in openssl-1.0.1e : a. Extract the contents of openssl-1.0.1e.tar.gz to C:\openssl-1.0.1e-fips-compliant\ b. Open Visual Studio 2008 Command Prompt. c. cd C:\openssl-1.0.1e-fips-compliant\ d. Copy all the contents of "C:\Program Files\NASM" in this source folder e. perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0 perl Configure debug-VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0 f. ms\do_nasm g. nmake -f ms\nt.mak h. For Testing, use the following command: nmake -f ms\nt.mak test i. nmake -f ms\nt.mak install j. (If you want to create DLL files then Use the following commands nmake -f ms\ntdll.mak && nmake -f ms\ntdll.mak install) To avoid patent issues: I have used the below compiler switches mentioned to Disable known patented or outdated algorithms . > 1) perl Configure VC-WIN32 fips > --with-fipslibdir=C:\usr\local\ssl\fips-2.0 no-ec2m no-idea no-mdc2 > no-rc5 Hope , this will take care of disabling the algorithms. But please let me know how to cross verify the algorithms are disabled. Any script files are generated mentioned that patents are disabled.. Please help. Regards Ashwini V Patil With best regards, Ashwini V Patil Siemens Healthcare Private Limited HC SI DC IN H1-FH STD IBP 6 84, Hosur Road Bengaluru 560100, Indien Mobil: +91 9008132565 mailto:ashwini.vpatil at siemens.com Registered Office: 130, Pandurang Budhkar Marg, Worli, Mumbai 400 018. Telephone +91 22 39677000. Fax +91 22 39677075. Other Offices: Bengaluru. Corporate Identity number: U74999MH2015PTC264859 -------------- next part -------------- An HTML attachment was scrubbed... URL: From noloader at gmail.com Fri Mar 11 10:25:29 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 11 Mar 2016 05:25:29 -0500 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" In-Reply-To: References: <20160311.111429.725843299902991786.levitte@openssl.org> Message-ID: On Fri, Mar 11, 2016 at 5:14 AM, Richard Levitte via RT wrote: > In message on Fri, 11 Mar 2016 10:11:43 +0000, "noloader at gmail.com via RT" said: > > rt> Working from Master. > rt> > rt> $ make test > rt> make: don't know how to make usr/include/stddef.h. Stop > rt> > rt> make: stopped in /root/openssl > > Is there a /usr/include/stddef.h? Yes, but test appears to be using "usr/include/stddef.h", and not "/usr/include/stddef.h" Jeff From rt at openssl.org Fri Mar 11 10:25:32 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 11 Mar 2016 10:25:32 +0000 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" In-Reply-To: References: <20160311.111429.725843299902991786.levitte@openssl.org> Message-ID: On Fri, Mar 11, 2016 at 5:14 AM, Richard Levitte via RT wrote: > In message on Fri, 11 Mar 2016 10:11:43 +0000, "noloader at gmail.com via RT" said: > > rt> Working from Master. > rt> > rt> $ make test > rt> make: don't know how to make usr/include/stddef.h. Stop > rt> > rt> make: stopped in /root/openssl > > Is there a /usr/include/stddef.h? Yes, but test appears to be using "usr/include/stddef.h", and not "/usr/include/stddef.h" Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4414 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 11 10:31:38 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 11 Mar 2016 10:31:38 +0000 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" In-Reply-To: <20160311.113136.314561962751792832.levitte@openssl.org> References: <20160311.111429.725843299902991786.levitte@openssl.org> <20160311.113136.314561962751792832.levitte@openssl.org> Message-ID: In message on Fri, 11 Mar 2016 05:25:29 -0500, Jeffrey Walton said: noloader> On Fri, Mar 11, 2016 at 5:14 AM, Richard Levitte via RT wrote: noloader> > In message on Fri, 11 Mar 2016 10:11:43 +0000, "noloader at gmail.com via RT" said: noloader> > noloader> > rt> Working from Master. noloader> > rt> noloader> > rt> $ make test noloader> > rt> make: don't know how to make usr/include/stddef.h. Stop noloader> > rt> noloader> > rt> make: stopped in /root/openssl noloader> > noloader> > Is there a /usr/include/stddef.h? noloader> noloader> Yes, but test appears to be using "usr/include/stddef.h", and not noloader> "/usr/include/stddef.h" "appears" being the point, methinks. I can't recall that we have "usr/include" specified as an include directory anywhere, and that this is the result of the dependency generation parts in Makefile. What do you get if you grep for 'makedepprog' in configdata.pm? If it's makedepend (probably full path to it), it may be faulty. It may also be the sed script that's used to clean up the result (have a look in Makefile, look for any use of $(MAKEDEPEND) and the sed script following it) Can you help figuring it out? -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4414 Please log in as guest with password guest if prompted From ben at links.org Fri Mar 11 11:11:27 2016 From: ben at links.org (Ben Laurie) Date: Fri, 11 Mar 2016 11:11:27 +0000 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: <20160311.085611.2233385219209923204.levitte@openssl.org> Message-ID: On 11 March 2016 at 09:24, Jeffrey Walton wrote: >> noloader> Testing master on real hardware is showing some minor issues on a few >> noloader> platforms, including ARM32, ARM64, PowerPC and i686. In addition, >> noloader> there seems to be one-off issues on other combinations, like VIA's C7 >> noloader> processor on Linux. >> noloader> >> noloader> In addition to the base issues, there are other minor issues like >> noloader> failing to configure and compile with 'no-comp'. Other configuration >> noloader> dependent issues include failed self tests under PowerPC in a shared >> noloader> configuration. >> noloader> >> noloader> Please consider delaying the freeze for a week or two while the issues >> noloader> are being ironed out. >> >> The upcoming release is the first beta of two planned, and we've >> already delayed the first for a few extra days. It is not a final >> release, so there's still time to fix things like these. >> >> Please see the bottom of the release strategy for the planned dates: >> >> http://openssl.org/policies/releasestrat.html > > Well, would it be possible to survey supported platforms and see if it > makes sense to move forward at this point? Does the library maintain a > matrix of test platforms and results? > > Releasing a Beta-1 seems like its missing the point if the the point > of the beta is to test it. There are issues in {configure|build|test} > on ARM32, ARM64, OpenBSD, Windows and some Linux i686 and x86_64 > targets/configurations. I'm also wondering about MIPS, NetBSD, FreeBSD > and Gentoo. FreeBSD hangs in the networking tests (70-*) currently. From rt at openssl.org Fri Mar 11 12:05:32 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 11 Mar 2016 12:05:32 +0000 Subject: [openssl-dev] [openssl.org #4415] test/certs/mkcert.sh uses "#! /binbash" In-Reply-To: References: Message-ID: test/certs/mkcert.sh uses: #! /binbash" It does not work as expected on some platforms, like OpenBSD and FreeBSD where Bash is located in, say, /usr/local/bin or /usr/pkg/bin/bash. Instead, I believe you should use: #! /usr/bin/env bash Another potential pain point is PERL: grep -iIR perl * | grep '#' | grep -v 'env' | wc -l 232 It looks like most uses of PERL are expected to be at /usr/local/bin/perl. 160 of them use /usr/bin/env, but 230 or so use the potentially incorrect path. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4415 Please log in as guest with password guest if prompted From jaroslav.imrich at gmail.com Fri Mar 11 12:17:50 2016 From: jaroslav.imrich at gmail.com (Jaroslav Imrich) Date: Fri, 11 Mar 2016 13:17:50 +0100 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: <56E28E24.1030808@openssl.org> References: <56E28E24.1030808@openssl.org> Message-ID: On 11 March 2016 at 10:21, Matt Caswell wrote: > I'd argue that a freeze helps us to iron the issues out. Problems tend > to get introduced when new features are added. By declaring a freeze we > no longer accept new features and can instead divert our attention to > stability and bug fixing. > I would like to point out that there are several already reviewed pull requests with new features - e.g. [0] and [1] - waiting to be merged. Do openssl devs plan to address these before 1.1 freeze? [0] https://github.com/openssl/openssl/pull/576 [1] https://github.com/openssl/openssl/pull/771 Regards, Jaroslav -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Fri Mar 11 12:24:54 2016 From: rt at openssl.org (=?UTF-8?B?RW1pbGlhIEvDpHNwZXI=?= via RT) Date: Fri, 11 Mar 2016 12:24:54 +0000 Subject: [openssl-dev] [openssl.org #4401] [PATCH] plug potential memory leak(s) in OpenSSL 1.1 pre 4 in 'ec_lib.c' In-Reply-To: References: Message-ID: Yep, there is no need to clean up early here (we don't guarantee that errored calls leave everything in a pristine unmodified state). Plus this does indeed forget to zero the pointer. Closing. Thanks for submitting, though, and thanks David for the review! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4401 Please log in as guest with password guest if prompted From matt at openssl.org Fri Mar 11 13:40:46 2016 From: matt at openssl.org (Matt Caswell) Date: Fri, 11 Mar 2016 13:40:46 +0000 Subject: [openssl-dev] OPENSSL_cleanup new issue In-Reply-To: <56E1F368.5090308@roumenpetrov.info> References: <56CCC037.5040403@roumenpetrov.info> <56E1F368.5090308@roumenpetrov.info> Message-ID: <56E2CADE.2090208@openssl.org> Hi Roumen On 10/03/16 22:21, Roumen Petrov wrote: > Hello, > > With new thread model in some configurations openssl hands on unload of > engine. I just pushed commit 773fd0bad4 to master which should hopefully resolve this issue. Matt From rt at openssl.org Fri Mar 11 13:43:23 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Fri, 11 Mar 2016 13:43:23 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: Hi Jeff On Thu Mar 10 19:29:21 2016, noloader at gmail.com wrote: > Working from Master: > > $ git reset --hard HEAD && git pull > HEAD is now at fb04434 In the recipe using "makedepend", make sure the > object file extension is there > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > $ make test > ... > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ... > ../test/recipes/25-test_x509.t ............ ok > ../test/recipes/30-test_afalg.t ........... > ^C (after about 20 minutes) > > ********** I've not been able to reproduce this issue. However it is plausible that it is the same problem that Roumen recently reported on openssl-dev. Please can you try again with the latest master (including commit 773fd0bad4). Thanks Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From rsalz at akamai.com Fri Mar 11 14:22:03 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 11 Mar 2016 14:22:03 +0000 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: <56E28E24.1030808@openssl.org> Message-ID: > I would like to point out that there are several already reviewed pull requests with new features - e.g. [0] and [1] - waiting to be merged. Do openssl devs plan to address these before 1.1 freeze? >[0] https://github.com/openssl/openssl/pull/576 > [1] https://github.com/openssl/openssl/pull/771 Some yes, and some no. In these particular cases 576 is a bugfix and can make it after. 771, sadly, seems unlikely. Both of these have commentary in the text that indicates their status. We've tried to be upfront about the state of everything. Sometimes responses get delayed. If there are any PR's that you (or anyone) are particularly interested in, please post a comment there. Freeze is in a few hours. Anything that is not already in progress (dual review going on, for example) will probably not make it, unless it's a bugfix. From rt at openssl.org Fri Mar 11 14:25:38 2016 From: rt at openssl.org (H.Merijn Brand via RT) Date: Fri, 11 Mar 2016 14:25:38 +0000 Subject: [openssl-dev] [openssl.org #4416] 1.0.1s makes porting to HP-UX much harder than before In-Reply-To: <20160311151614.125857bc@pc09.procura.nl> References: <20160311151614.125857bc@pc09.procura.nl> Message-ID: https://github.com/openssl/openssl/issues/806 Let me take HP-UX 11.11/PA2 as an example. Up to and including 1.0.1r, I just unpacked from the distributes .tar.gz and ran $ ./Configure zlib zlib-dynamic no-asm hpux64-parisc2-cc $ perl -pi -e's/\+O3/+O2 +Z -AC99/' Makefile $ make $ make test $ make install And all went well. As of 1.0.1s, a new tool is required that is not available in HP-UX land: makedepend $ ./Configure zlib zlib-dynamic no-asm hpux64-parisc2-cc ? make[1]: Leaving directory `/pro/3gl/openssl-1.0.1s/test' Configured for hpux64-parisc2-cc. *** Because of configuration changes, you MUST do the following before *** building: make depend $ make depend making depend in crypto... make[1]: Entering directory `/pro/3gl/openssl-1.0.1s/crypto' ../util/domd[30]: makedepend: not found. mv: Makefile.new: cannot access: No such file or directory make[1]: *** [local_depend] Error 127 make[1]: Leaving directory `/pro/3gl/openssl-1.0.1s/crypto' make: *** [depend] Error 1 The makedepend tool is very hard to build from scratch on HP-UX, as it depends on a plethora of (recent) GNU tools that are obviously also not available on HP-UX. I build a lot of OpenSource projects on HP-UX, and this is the first that needs makedepend. Building makedepend requires pkg-config, which also fails to build. For 11.11, makedepend is available in HP's imake package (imake-6.00 from 2002), if I install that, I do have makedepend, but it might not do what is expected: I have no way to tell. $ perl -pi -e's/\+O3/+O2 +Z -AC99/' Makefile $ make depend ? $ make ? $ make test ? rc4-40 rc4-40 base64 seed seed base64 seed-cbc seed-cbc base64 seed-cfb seed-cfb base64 seed-ecb seed-ecb base64 seed-ofb seed-ofb base64 zlib 9223376434892769432:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libz.so): Unable to find library 'libz.so'. 9223376434892769432:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:232: 9223376434892769432:error:29064065:lib(41):BIO_ZLIB_NEW:zlib not supported:c_zlib.c:463: 9223376434892769432:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libz.so): Unable to find library 'libz.so'. 9223376434892769432:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:232: 9223376434892769432:error:29064065:lib(41):BIO_ZLIB_NEW:zlib not supported:c_zlib.c:463: cmp: EOF on ./p.zlib.clear make[1]: *** [test_enc] Error 1 make[1]: Leaving directory `/pro/3gl/openssl-1.0.1s/test' make: *** [tests] Error 2 That used to pass. The problem in above fail is that something is told to look for libz.so, where on HP-UX/PA the naming convention for shared libraries is libz.sl I did not spot an obvious location in the build procedure to fix that So Where does the sudden need for makedepend come from and can it please be removed? (as there are no packages available anywhere that make makedepend available for HP-UX 11.00 and older, they are ruled out forgood by this change) Where should I look for having PA-RISC search for .sl instead of .so (Note that AIX only has .a, and it is shared by default) -- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.23 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4416 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 490 bytes Desc: not available URL: From thomas.francis.jr at pobox.com Fri Mar 11 14:55:05 2016 From: thomas.francis.jr at pobox.com (Thomas Francis, Jr.) Date: Fri, 11 Mar 2016 09:55:05 -0500 Subject: [openssl-dev] [openssl.org #4416] 1.0.1s makes porting to HP-UX much harder than before In-Reply-To: References: <20160311151614.125857bc@pc09.procura.nl> Message-ID: > On Mar 11, 2016, at 9:25 AM, H.Merijn Brand via RT wrote: > > https://github.com/openssl/openssl/issues/806 > > Let me take HP-UX 11.11/PA2 as an example. > Up to and including 1.0.1r, I just unpacked from the > distributes .tar.gz and ran > > $ ./Configure zlib zlib-dynamic no-asm hpux64-parisc2-cc > $ perl -pi -e's/\+O3/+O2 +Z -AC99/? Makefile Yeah, don?t do this. Instead, install HP?s ANSI C/C++ compiler (or whatever they?re calling it these days). You can often (but not always) obtain it for free. HP also makes pre-compiled binaries for GCC available (and if not ? sometimes they disappear), you can find a GCC package for your version of HP-UX at http://hpux.connect.org.uk/ I think they only have packages for HP-UX 11.11 and newer, though. Likewise, HP is unlikely to be providing binaries for anything older than that. > $ make > $ make test > $ make install > > And all went well. > As of 1.0.1s, a new tool is required that is not available in HP-UX > land: makedepend > > $ ./Configure zlib zlib-dynamic no-asm hpux64-parisc2-cc > ? > make[1]: Leaving directory `/pro/3gl/openssl-1.0.1s/test' > > Configured for hpux64-parisc2-cc. > > *** Because of configuration changes, you MUST do the following before > *** building: > > make depend > $ make depend > making depend in crypto... > make[1]: Entering directory `/pro/3gl/openssl-1.0.1s/crypto' > ../util/domd[30]: makedepend: not found. > mv: Makefile.new: cannot access: No such file or directory > make[1]: *** [local_depend] Error 127 > make[1]: Leaving directory `/pro/3gl/openssl-1.0.1s/crypto' > make: *** [depend] Error 1 > > The makedepend tool is very hard to build from scratch on HP-UX, as it > depends on a plethora of (recent) GNU tools that are obviously also not > available on HP-UX. I build a lot of OpenSource projects on HP-UX, and > this is the first that needs makedepend. Building makedepend requires > pkg-config, which also fails to build. > > For 11.11, makedepend is available in HP's imake package (imake-6.00 > from 2002), if I install that, I do have makedepend, but it might not > do what is expected: I have no way to tell. That is _exactly_ what you want, if you really want to use makedepend, which you probably don't. Don?t try to build the GNU makedepend; it?ll work, but it has a lot of dependencies, as you?ve noticed. > $ perl -pi -e's/\+O3/+O2 +Z -AC99/' Makefile > $ make depend > ? > $ make > ? > $ make test > ? > rc4-40 > rc4-40 base64 > seed > seed base64 > seed-cbc > seed-cbc base64 > seed-cfb > seed-cfb base64 > seed-ecb > seed-ecb base64 > seed-ofb > seed-ofb base64 > zlib > 9223376434892769432:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libz.so): Unable to find library 'libz.so'. > 9223376434892769432:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:232: > 9223376434892769432:error:29064065:lib(41):BIO_ZLIB_NEW:zlib not supported:c_zlib.c:463: > 9223376434892769432:error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library:dso_dlfcn.c:187:filename(libz.so): Unable to find library 'libz.so'. > 9223376434892769432:error:25070067:DSO support routines:DSO_load:could not load the shared library:dso_lib.c:232: > 9223376434892769432:error:29064065:lib(41):BIO_ZLIB_NEW:zlib not supported:c_zlib.c:463: > cmp: EOF on ./p.zlib.clear > make[1]: *** [test_enc] Error 1 > make[1]: Leaving directory `/pro/3gl/openssl-1.0.1s/test' > make: *** [tests] Error 2 > > That used to pass. The problem in above fail is that something is told > to look for libz.so, where on HP-UX/PA the naming convention for shared > libraries is libz.sl I did not spot an obvious location in the build > procedure to fix that > > So > > Where does the sudden need for makedepend come from and can it please > be removed? (as there are no packages available anywhere that make > makedepend available for HP-UX 11.00 and older, they are ruled out > forgood by this change) If you use HP?s ANSI C compiler, or GCC, you won?t need makedepend. If you?re using HP-UX prior to 11.11 (well, I?m not sure about prior to 9.0), the imake package (and makedepend) are part of the base install; just run swinstall and point it to the original HP-UX media, and you should be able to install it. For HP-UX 11.23, IIRC, the imake package will work, but I might be mis-remembering (it?s been a long time). > Where should I look for having PA-RISC search for .sl instead of .so > > (Note that AIX only has .a, and it is shared by default) > > -- > H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ > using perl5.00307 .. 5.23 porting perl5 on HP-UX, AIX, and openSUSE > http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ > http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/ > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4416 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From jaroslav.imrich at gmail.com Fri Mar 11 14:55:29 2016 From: jaroslav.imrich at gmail.com (Jaroslav Imrich) Date: Fri, 11 Mar 2016 15:55:29 +0100 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: <56E28E24.1030808@openssl.org> Message-ID: On 11 March 2016 at 15:22, Salz, Rich wrote: > > I would like to point out that there are several already reviewed pull > requests with new features - e.g. [0] and [1] - waiting to be merged. Do > openssl devs plan to address these before 1.1 freeze? > > >[0] https://github.com/openssl/openssl/pull/576 > > [1] https://github.com/openssl/openssl/pull/771 > > Some yes, and some no. In these particular cases 576 is a bugfix and can > make it after. 771, sadly, seems unlikely. Both of these have commentary > in the text that indicates their status. We've tried to be upfront about > the state of everything. Sometimes responses get delayed. If there are > any PR's that you (or anyone) are particularly interested in, please post a > comment there. > > Freeze is in a few hours. Anything that is not already in progress (dual > review going on, for example) will probably not make it, unless it's a > bugfix. > Rich, you are my personal hero for all the work you do on OpenSSL (active in discussions, a lot of PR reviews, RT cleanup ...) but from my point of view it is really hard to contribute code to OpenSSL. I have already mentioned in comments [2][3] that I am particularly interested in getting PR#576 and PR#771 into 1.1 but IMO it is too hard to attract the attention of the rest of core devs - reviewed PR is waiting on GitHub, bug is opened in RT, message was posted to openssl-dev mailinglist. I feel really sorry for the authors of PR's that got first review but their code won't get into 1.1 because of missing second review. I know their pain since I've been waiting 5 years for the inclusion of my last patch [4] but let's hope it will get better for 1.2 :) [2] https://github.com/openssl/openssl/pull/576#issuecomment-189364178 [3] https://github.com/openssl/openssl/pull/771#issuecomment-193145172 [4] https://rt.openssl.org/Ticket/Display.html?id=2145&user=guest&pass=guest -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Fri Mar 11 15:17:28 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 11 Mar 2016 15:17:28 +0000 Subject: [openssl-dev] [openssl.org #4415] test/certs/mkcert.sh uses "#! /binbash" In-Reply-To: References: Message-ID: <20160311151728.GT10917@mournblade.imrryr.org> On Fri, Mar 11, 2016 at 12:05:32PM +0000, noloader at gmail.com via RT wrote: > test/certs/mkcert.sh uses: > > #! /bin/bash" This shell script is only used in test development, it is not used during either compilation or testing of OpenSSL. It need not be especially portable. -- Viktor. From uri at ll.mit.edu Fri Mar 11 15:29:34 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Fri, 11 Mar 2016 15:29:34 +0000 Subject: [openssl-dev] CRYPTO_lock definition gone? Message-ID: In a commit done in the last two days, definition of CRYPTO_lock() seems to have disappeared or moved. As a result, libp11 cannot compile on openssl-1.1-pre4: p11_cert.c:50:3: warning: implicit declaration of function 'CRYPTO_lock' is invalid in C99 [-Wimplicit-function-declaration] pkcs11_w_lock(cpriv->lockid); ^ ./libp11-int.h:142:11: note: expanded from macro 'pkcs11_w_lock' if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:50:3: error: use of undeclared identifier 'CRYPTO_LOCK' ./libp11-int.h:142:23: note: expanded from macro 'pkcs11_w_lock' if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:50:3: error: use of undeclared identifier 'CRYPTO_WRITE' ./libp11-int.h:142:35: note: expanded from macro 'pkcs11_w_lock' if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:52:3: error: use of undeclared identifier 'CRYPTO_UNLOCK' pkcs11_w_unlock(cpriv->lockid); ^ ./libp11-int.h:144:23: note: expanded from macro 'pkcs11_w_unlock' if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:52:3: error: use of undeclared identifier 'CRYPTO_WRITE' ./libp11-int.h:144:37: note: expanded from macro 'pkcs11_w_unlock' if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ 1 warning and 4 errors generated. make[2]: *** [libp11_la-p11_cert.lo] Error 1 -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From rsalz at akamai.com Fri Mar 11 16:32:24 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 11 Mar 2016 16:32:24 +0000 Subject: [openssl-dev] CRYPTO_lock definition gone? In-Reply-To: References: Message-ID: Yes, the old locking ?stuff? is gone now. Look in threads.pod for information about CRYPTO_THREAD_lock_new, etc. Its cross-platform and better-integrated with the native OS -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From: Blumenthal, Uri - 0553 - MITLL [mailto:uri at ll.mit.edu] Sent: Friday, March 11, 2016 10:30 AM To: openssl-dev Subject: [openssl-dev] CRYPTO_lock definition gone? In a commit done in the last two days, definition of CRYPTO_lock() seems to have disappeared or moved. As a result, libp11 cannot compile on openssl-1.1-pre4: p11_cert.c:50:3: warning: implicit declaration of function 'CRYPTO_lock' is invalid in C99 [-Wimplicit-function-declaration] pkcs11_w_lock(cpriv->lockid); ^ ./libp11-int.h:142:11: note: expanded from macro 'pkcs11_w_lock' if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:50:3: error: use of undeclared identifier 'CRYPTO_LOCK' ./libp11-int.h:142:23: note: expanded from macro 'pkcs11_w_lock' if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:50:3: error: use of undeclared identifier 'CRYPTO_WRITE' ./libp11-int.h:142:35: note: expanded from macro 'pkcs11_w_lock' if(type) CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:52:3: error: use of undeclared identifier 'CRYPTO_UNLOCK' pkcs11_w_unlock(cpriv->lockid); ^ ./libp11-int.h:144:23: note: expanded from macro 'pkcs11_w_unlock' if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ p11_cert.c:52:3: error: use of undeclared identifier 'CRYPTO_WRITE' ./libp11-int.h:144:37: note: expanded from macro 'pkcs11_w_unlock' if(type) CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE,type,__FILE__,__LINE__) ^ 1 warning and 4 errors generated. make[2]: *** [libp11_la-p11_cert.lo] Error 1 -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Fri Mar 11 16:36:22 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 11 Mar 2016 16:36:22 +0000 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: <56E28E24.1030808@openssl.org> Message-ID: <388d7be43d9d4d76b63eb3e5bcb4141a@usma1ex-dag1mb1.msg.corp.akamai.com> > but from my point of view it is really hard to contribute code to OpenSSL. Things are much better, but it is still harder than we'd like. Hopefully it will continue to improve. > I feel really sorry for the authors of PR's that got first review but their code won't get into 1.1 because of missing second review. Yes, it's a particularly bad kind of limbo to be stuck in. Again, thanks for sticking with us, and keep pushing to get better. /r$ From erik at efca.com Fri Mar 11 18:24:13 2016 From: erik at efca.com (Erik Forsberg) Date: Fri, 11 Mar 2016 10:24:13 -0800 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: Message-ID: add Solaris to the platforms that are not at beta-level yet. Richard Levitte and myself are helping each other out though, so we should be close >-- Original Message -- > >> noloader> Testing master on real hardware is showing some minor issues on a few >> noloader> platforms, including ARM32, ARM64, PowerPC and i686. In addition, >> noloader> there seems to be one-off issues on other combinations, like VIA's C7 >> noloader> processor on Linux. >> noloader> >> noloader> In addition to the base issues, there are other minor issues like >> noloader> failing to configure and compile with 'no-comp'. Other configuration >> noloader> dependent issues include failed self tests under PowerPC in a shared >> noloader> configuration. >> noloader> >> noloader> Please consider delaying the freeze for a week or two while the issues >> noloader> are being ironed out. >> >> The upcoming release is the first beta of two planned, and we've >> already delayed the first for a few extra days. It is not a final >> release, so there's still time to fix things like these. >> >> Please see the bottom of the release strategy for the planned dates: >> >> http://openssl.org/policies/releasestrat.html > >Well, would it be possible to survey supported platforms and see if it >makes sense to move forward at this point? Does the library maintain a >matrix of test platforms and results? > >Releasing a Beta-1 seems like its missing the point if the the point >of the beta is to test it. There are issues in {configure|build|test} >on ARM32, ARM64, OpenBSD, Windows and some Linux i686 and x86_64 >targets/configurations. I'm also wondering about MIPS, NetBSD, FreeBSD >and Gentoo. > >Maybe something else to ponder in the big picture of release >engineering... Why are the breaks occurring and not being caught? Why >is the engineering process not catching them? > >(I think its OK to break things on occasion. You can't make an omelet >without breaking eggs. But the idea is you have to catch them quickly >and early before the user experiences the pain point. If the break is >fixed before the user experiences the pain, then it "no blood, no >foul" in my book). > >There's no need to rush the process. OpenSSL does not answer to anyone >except its own quality standards. It seems like stepping back, coming >up for some air, catching your breath and then diving back in will >produce better results in the end. > >Jeff >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From noloader at gmail.com Fri Mar 11 19:38:18 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 11 Mar 2016 14:38:18 -0500 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 2:29 PM, noloader at gmail.com via RT wrote: > Working from Master: > It looks like the hang is still present as of 603358d. When the following runs: ../test/recipes/30-test_afalg.t What is actually running? How can I get it under a debugger? Jeff From rt at openssl.org Fri Mar 11 19:38:26 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 11 Mar 2016 19:38:26 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 2:29 PM, noloader at gmail.com via RT wrote: > Working from Master: > It looks like the hang is still present as of 603358d. When the following runs: ../test/recipes/30-test_afalg.t What is actually running? How can I get it under a debugger? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From emilia at openssl.org Fri Mar 11 20:19:39 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Fri, 11 Mar 2016 20:19:39 +0000 Subject: [openssl-dev] Please consider delaying the Beta-1 freeze for a week or two In-Reply-To: References: Message-ID: Returning to the issue at hand: https://github.com/openssl/openssl/pull/851 On Fri, Mar 11, 2016 at 7:24 PM Erik Forsberg wrote: > add Solaris to the platforms that are not at beta-level yet. > Richard Levitte and myself are helping each other out though, so we should > be close > > >-- Original Message -- > > > >> noloader> Testing master on real hardware is showing some minor issues > on a few > >> noloader> platforms, including ARM32, ARM64, PowerPC and i686. In > addition, > >> noloader> there seems to be one-off issues on other combinations, like > VIA's C7 > >> noloader> processor on Linux. > >> noloader> > >> noloader> In addition to the base issues, there are other minor issues > like > >> noloader> failing to configure and compile with 'no-comp'. Other > configuration > >> noloader> dependent issues include failed self tests under PowerPC in a > shared > >> noloader> configuration. > >> noloader> > >> noloader> Please consider delaying the freeze for a week or two while > the issues > >> noloader> are being ironed out. > >> > >> The upcoming release is the first beta of two planned, and we've > >> already delayed the first for a few extra days. It is not a final > >> release, so there's still time to fix things like these. > >> > >> Please see the bottom of the release strategy for the planned dates: > >> > >> http://openssl.org/policies/releasestrat.html > > > >Well, would it be possible to survey supported platforms and see if it > >makes sense to move forward at this point? Does the library maintain a > >matrix of test platforms and results? > > > >Releasing a Beta-1 seems like its missing the point if the the point > >of the beta is to test it. There are issues in {configure|build|test} > >on ARM32, ARM64, OpenBSD, Windows and some Linux i686 and x86_64 > >targets/configurations. I'm also wondering about MIPS, NetBSD, FreeBSD > >and Gentoo. > > > >Maybe something else to ponder in the big picture of release > >engineering... Why are the breaks occurring and not being caught? Why > >is the engineering process not catching them? > > > >(I think its OK to break things on occasion. You can't make an omelet > >without breaking eggs. But the idea is you have to catch them quickly > >and early before the user experiences the pain point. If the break is > >fixed before the user experiences the pain, then it "no blood, no > >foul" in my book). > > > >There's no need to rush the process. OpenSSL does not answer to anyone > >except its own quality standards. It seems like stepping back, coming > >up for some air, catching your breath and then diving back in will > >produce better results in the end. > > > >Jeff > >-- > >openssl-dev mailing list > >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Fri Mar 11 21:15:53 2016 From: matt at openssl.org (Matt Caswell) Date: Fri, 11 Mar 2016 21:15:53 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: <56E33589.1020404@openssl.org> On 11/03/16 19:38, noloader at gmail.com via RT wrote: > On Thu, Mar 10, 2016 at 2:29 PM, noloader at gmail.com via RT > wrote: >> Working from Master: >> > > It looks like the hang is still present as of 603358d. > > When the following runs: > > ../test/recipes/30-test_afalg.t > > What is actually running? How can I get it under a debugger? $ ./config -d $ make $ make test/afalgtest $ cd test $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest Matt From rt at openssl.org Fri Mar 11 21:16:03 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Fri, 11 Mar 2016 21:16:03 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <56E33589.1020404@openssl.org> References: <56E33589.1020404@openssl.org> Message-ID: On 11/03/16 19:38, noloader at gmail.com via RT wrote: > On Thu, Mar 10, 2016 at 2:29 PM, noloader at gmail.com via RT > wrote: >> Working from Master: >> > > It looks like the hang is still present as of 603358d. > > When the following runs: > > ../test/recipes/30-test_afalg.t > > What is actually running? How can I get it under a debugger? $ ./config -d $ make $ make test/afalgtest $ cd test $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From michel.sales at free.fr Fri Mar 11 21:21:33 2016 From: michel.sales at free.fr (Michel) Date: Fri, 11 Mar 2016 22:21:33 +0100 Subject: [openssl-dev] libcryto 1.1 leaks since old locks are removed Message-ID: <000001d17bdb$fd248ba0$f76da2e0$@sales@free.fr> Hi, I have just removed the old locking "stuff" from my Windows 7 tests programs, and now they leak again. :'( If someone have time to look at this issue, here under is the call stack : Detected memory leaks! Dumping objects -> {3750} normal block at 0x002F34B8, 24 bytes long. Data: < 4/ > F0 34 2F 00 FF FF FF FF 00 00 00 00 00 00 00 00 {3744} normal block at 0x002F3168, 24 bytes long. Data: < . > 00 04 2E 00 FF FF FF FF 00 00 00 00 00 00 00 00 Object dump complete. WARNING: Visual Leak Detector detected memory leaks! ---------- Block 3744 at 0x002F3168: 24 bytes ---------- Leak Hash: 0x95C9B33F, Count: 1, Total 24 bytes Call Stack (TID 6060): ntdll.dll!RtlAllocateHeap() f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): TestsCrypto-11.exe!malloc() + 0x15 bytes e:\openssl-1.1.git\crypto\mem.c (140): TestsCrypto-11.exe!CRYPTO_malloc() + 0x9 bytes e:\openssl-1.1.git\crypto\mem.c (148): TestsCrypto-11.exe!CRYPTO_zalloc() + 0x11 bytes e:\openssl-1.1.git\crypto\threads_win.c (57): TestsCrypto-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes e:\openssl-1.1.git\crypto\ex_data.c (143): TestsCrypto-11.exe!do_ex_data_init() + 0x5 bytes e:\openssl-1.1.git\crypto\threads_win.c (117): TestsCrypto-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.git\crypto\ex_data.c (160): TestsCrypto-11.exe!get_and_lock() + 0xF bytes e:\openssl-1.1.git\crypto\ex_data.c (295): TestsCrypto-11.exe!CRYPTO_new_ex_data() + 0x9 bytes e:\openssl-1.1.git\crypto\bio\bio_lib.c (96): TestsCrypto-11.exe!BIO_set() + 0x12 bytes e:\openssl-1.1.git\crypto\bio\bio_lib.c (73): TestsCrypto-11.exe!BIO_new() + 0xD bytes e:\openssl-1.1.git\crypto\bio\bss_file.c (181): TestsCrypto-11.exe!BIO_new_file() + 0xB bytes p:\mes programmes\shared\ocrypto-11\pkcs12.cpp (29): TestsCrypto-11.exe!OCrypto::PKCS12Load() + 0xE bytes p:\mes programmes\tests\_testsshared\testscrypto-11\testscrypto.cpp (392): TestsCrypto-11.exe!main() + 0x17 bytes f:\dd\vctools\crt\crtw32\startup\crt0.c (165): TestsCrypto-11.exe!mainCRTStartup() ---------- Block 3750 at 0x002F34B8: 24 bytes ---------- Leak Hash: 0x6A94EEB4, Count: 1, Total 24 bytes Call Stack (TID 6060): ntdll.dll!RtlAllocateHeap() f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): TestsCrypto-11.exe!malloc() + 0x15 bytes e:\openssl-1.1.git\crypto\mem.c (140): TestsCrypto-11.exe!CRYPTO_malloc() + 0x9 bytes e:\openssl-1.1.git\crypto\mem.c (148): TestsCrypto-11.exe!CRYPTO_zalloc() + 0x11 bytes e:\openssl-1.1.git\crypto\threads_win.c (57): TestsCrypto-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes e:\openssl-1.1.git\crypto\err\err.c (393): TestsCrypto-11.exe!do_err_strings_init() + 0x5 bytes e:\openssl-1.1.git\crypto\threads_win.c (117): TestsCrypto-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.git\crypto\err\err.c (400): TestsCrypto-11.exe!ERR_load_ERR_strings() + 0xF bytes e:\openssl-1.1.git\crypto\err\err_all.c (114): TestsCrypto-11.exe!err_load_crypto_strings_intern() e:\openssl-1.1.git\crypto\init.c (151): TestsCrypto-11.exe!ossl_init_load_crypto_strings() e:\openssl-1.1.git\crypto\threads_win.c (117): TestsCrypto-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.git\crypto\init.c (514): TestsCrypto-11.exe!OPENSSL_init_crypto() + 0x29 bytes e:\openssl-1.1.git\crypto\err\err.c (779): TestsCrypto-11.exe!ERR_get_state() + 0xB bytes e:\openssl-1.1.git\crypto\err\err.c (502): TestsCrypto-11.exe!ERR_clear_error() + 0x5 bytes e:\openssl-1.1.git\crypto\asn1\a_d2i_fp.c (163): TestsCrypto-11.exe!asn1_d2i_read_bio() e:\openssl-1.1.git\crypto\asn1\a_d2i_fp.c (112): TestsCrypto-11.exe!ASN1_item_d2i_bio() + 0xD bytes e:\openssl-1.1.git\crypto\pkcs12\p12_utl.c (122): TestsCrypto-11.exe!d2i_PKCS12_bio() + 0x13 bytes p:\mes programmes\shared\ocrypto-11\pkcs12.cpp (31): TestsCrypto-11.exe!OCrypto::PKCS12Load() + 0xB bytes p:\mes programmes\tests\_testsshared\testscrypto-11\testscrypto.cpp (392): TestsCrypto-11.exe!main() + 0x17 bytes f:\dd\vctools\crt\crtw32\startup\crt0.c (165): TestsCrypto-11.exe!mainCRTStartup() Michel. -------------- next part -------------- An HTML attachment was scrubbed... URL: From noloader at gmail.com Fri Mar 11 22:30:16 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 11 Mar 2016 17:30:16 -0500 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" Message-ID: Close it; it was cleared around bb26842d1c8f99c1267b45361a2fc76822c0f913. On Fri, Mar 11, 2016 at 5:11 AM, noloader at gmail.com via RT wrote: > Working from Master. > > $ make test > make: don't know how to make usr/include/stddef.h. Stop > > make: stopped in /root/openssl From rt at openssl.org Fri Mar 11 22:30:37 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 11 Mar 2016 22:30:37 +0000 Subject: [openssl-dev] [openssl.org #4414] NetBSD 7.0: make test fails with "don't know how to make usr/include/stddef.h" In-Reply-To: References: Message-ID: Close it; it was cleared around bb26842d1c8f99c1267b45361a2fc76822c0f913. On Fri, Mar 11, 2016 at 5:11 AM, noloader at gmail.com via RT wrote: > Working from Master. > > $ make test > make: don't know how to make usr/include/stddef.h. Stop > > make: stopped in /root/openssl -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4414 Please log in as guest with password guest if prompted From noloader at gmail.com Sat Mar 12 00:12:27 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 11 Mar 2016 19:12:27 -0500 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: >> What is actually running? How can I get it under a debugger? > > > $ ./config -d > $ make > $ make test/afalgtest > $ cd test > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest > Ooh, -d looks like a new option. Would that be for Debug builds? Jeff From rt at openssl.org Sat Mar 12 00:12:41 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 12 Mar 2016 00:12:41 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: >> What is actually running? How can I get it under a debugger? > > > $ ./config -d > $ make > $ make test/afalgtest > $ cd test > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest > Ooh, -d looks like a new option. Would that be for Debug builds? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From matt at openssl.org Sat Mar 12 00:14:24 2016 From: matt at openssl.org (Matt Caswell) Date: Sat, 12 Mar 2016 00:14:24 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: <56E35F60.8090800@openssl.org> On 12/03/16 00:12, noloader at gmail.com via RT wrote: >>> What is actually running? How can I get it under a debugger? >> >> >> $ ./config -d >> $ make >> $ make test/afalgtest >> $ cd test >> $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest >> > > Ooh, -d looks like a new option. Would that be for Debug builds? Yes...but its not new. Matt From rt at openssl.org Sat Mar 12 00:26:25 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 12 Mar 2016 00:26:25 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <20160312.012617.626718740990919000.levitte@openssl.org> References: <56E33589.1020404@openssl.org> <20160312.012617.626718740990919000.levitte@openssl.org> Message-ID: In message on Fri, 11 Mar 2016 19:12:27 -0500, Jeffrey Walton said: noloader> >> What is actually running? How can I get it under a debugger? noloader> > noloader> > noloader> > $ ./config -d noloader> > $ make noloader> > $ make test/afalgtest noloader> > $ cd test noloader> > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest noloader> > noloader> noloader> Ooh, -d looks like a new option. Would that be for Debug builds? New? No, sorry, it's been around for ages. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From noloader at gmail.com Sat Mar 12 00:48:50 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 11 Mar 2016 19:48:50 -0500 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> <20160312.012617.626718740990919000.levitte@openssl.org> Message-ID: On Fri, Mar 11, 2016 at 7:26 PM, Richard Levitte via RT wrote: > In message on Fri, 11 Mar 2016 19:12:27 -0500, Jeffrey Walton said: > > noloader> >> What is actually running? How can I get it under a debugger? > noloader> > > noloader> > > noloader> > $ ./config -d > noloader> > $ make > noloader> > $ make test/afalgtest > noloader> > $ cd test > noloader> > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest > noloader> > > noloader> > noloader> Ooh, -d looks like a new option. Would that be for Debug builds? > > New? No, sorry, it's been around for ages. Man, I don't think I have ever used it because I don't recall reading about it. I took the long road and used sed on Makefile.org. Jeff From rt at openssl.org Sat Mar 12 00:49:00 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 12 Mar 2016 00:49:00 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> <20160312.012617.626718740990919000.levitte@openssl.org> Message-ID: On Fri, Mar 11, 2016 at 7:26 PM, Richard Levitte via RT wrote: > In message on Fri, 11 Mar 2016 19:12:27 -0500, Jeffrey Walton said: > > noloader> >> What is actually running? How can I get it under a debugger? > noloader> > > noloader> > > noloader> > $ ./config -d > noloader> > $ make > noloader> > $ make test/afalgtest > noloader> > $ cd test > noloader> > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest > noloader> > > noloader> > noloader> Ooh, -d looks like a new option. Would that be for Debug builds? > > New? No, sorry, it's been around for ages. Man, I don't think I have ever used it because I don't recall reading about it. I took the long road and used sed on Makefile.org. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From doctor at doctor.nl2k.ab.ca Sat Mar 12 03:56:11 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Fri, 11 Mar 2016 20:56:11 -0700 Subject: [openssl-dev] AI_ADDRCONFIG test from configure Message-ID: <20160312035611.GA13862@doctor.nl2k.ab.ca> Here is a segment that should work { $as_echo "$as_me:${as_lineno-$LINENO}: checking for working AI_ADDRCONFIG fla g" >&5 $as_echo_n "checking for working AI_ADDRCONFIG flag... " >&6; } if ${inn_cv_func_getaddrinfo_addrconfig_works+:} false; then : $as_echo_n "(cached) " >&6 else if test "$cross_compiling" = yes; then : inn_cv_func_getaddrinfo_addrconfig_works=no else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include int main(void) { struct addrinfo hints, *ai; memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_ADDRCONFIG; return (getaddrinfo("localhost", NULL, &hints, &ai) != 0); } _ACEOF if ac_fn_c_try_run "$LINENO"; then : inn_cv_func_getaddrinfo_addrconfig_works=yes else inn_cv_func_getaddrinfo_addrconfig_works=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $inn_cv_func_getaddrinfo_addrc onfig_works" >&5 $as_echo "$inn_cv_func_getaddrinfo_addrconfig_works" >&6; } if test x"$inn_cv_func_getaddrinfo_addrconfig_works" = xyes; then : $as_echo "#define HAVE_GETADDRINFO_ADDRCONFIG 1" >>confdefs.h -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From openssl-users at dukhovni.org Sat Mar 12 19:20:37 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sat, 12 Mar 2016 19:20:37 +0000 Subject: [openssl-dev] Question: Make X509_V_FLAG_TRUSTED_FIRST default in 1.0.2? In-Reply-To: <20160311055457.GO10917@mournblade.imrryr.org> References: <56E1F538.5000400@wisemo.com> <20160310224132.GI10917@mournblade.imrryr.org> <56E20994.1080000@wisemo.com> <20160311001827.GK10917@mournblade.imrryr.org> <56E21694.10202@wisemo.com> <20160311012325.GL10917@mournblade.imrryr.org> <56E2231B.7080103@wisemo.com> <20160311022757.GM10917@mournblade.imrryr.org> <56E254BD.5040000@wisemo.com> <20160311055457.GO10917@mournblade.imrryr.org> Message-ID: <20160312192037.GH10917@mournblade.imrryr.org> On Fri, Mar 11, 2016 at 05:54:57AM +0000, Viktor Dukhovni wrote: > Absent augmentation as a "trusted certificate" for a given purpose, > and with the application not enabling "partial chain" semantics, > intermediate certs from the store just augment missing certificates > from the wire, and should be verified in the same manner. The > changes I want to backport from 1.1.0 ensure identical treatment > of untrusted intermediates regardless of provenance. I have an important question for the list. At present the pending patches to backport from 1.1.0 to 1.0.2 do not change the default chain construction strategy to X509_V_FLAG_TRUSTED_FIRST commit ca9051b136284a96ea6c10ac4efd355cfc4716a0 Author: Viktor Dukhovni Date: Thu Feb 4 01:04:02 2016 -0500 Check chain extensions also for trusted certificates This includes basic constraints, key usages, issuer EKUs and auxiliary trust OIDs (given a trust suitably related to the intended purpose). Note, for this to work consistently, the X509_V_FLAG_TRUSTED_FIRST flag must be set. This is the default in 1.1.0-dev, but is likely too big a change for the 1.0.2 stable release. (Backport from 1.1.0-dev) What this means is that treatment of auxiliary trust "decorations" for intermediate CAs is not predictable unless that flag is explicitly set by the application. IIRC some people have been asking for this flag to become the default (or at least requested its creation). So I'd like to hear whether the above mentioned (pending) commit is the right judgement call, or whether I should go ahead and update X509_V_FLAG_TRUSTED_FIRST to be the default also in the next 1.0.2 release. -- Viktor. From doctor at doctor.nl2k.ab.ca Sat Mar 12 20:14:03 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Sat, 12 Mar 2016 13:14:03 -0700 Subject: [openssl-dev] OPenSSL SNAP 20160312 issue Message-ID: <20160312201402.GA13400@doctor.nl2k.ab.ca> make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop This was working yesterday. -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From rsalz at akamai.com Sat Mar 12 20:22:47 2016 From: rsalz at akamai.com (Salz, Rich) Date: Sat, 12 Mar 2016 20:22:47 +0000 Subject: [openssl-dev] OPenSSL SNAP 20160312 issue In-Reply-To: <20160312201402.GA13400@doctor.nl2k.ab.ca> References: <20160312201402.GA13400@doctor.nl2k.ab.ca> Message-ID: > make: don't know how to make > crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > > This was working yesterday. And it will probably work again by tomorrow :) Please include your config/setup command when you report things. Please don't be surprised if a daily snapshot is broken for a day, consider waiting a day or two to see if the problem is fixed. This is not the first time we've asked for this. From rt at openssl.org Sun Mar 13 04:21:21 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 04:21:21 +0000 Subject: [openssl-dev] [openssl.org #4417] Re: Linaro and ARM/64/AARCH64: fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: I think this was closed earlier... retesting at 4c1cf7e confirmed the issue was cleared. On Wed, Mar 9, 2016 at 5:39 PM, Jeffrey Walton wrote: > Working from Master: > > $ git reset --hard HEAD > HEAD is now at 64b9d84 When grepping something starting with a > dash, remember to use -e > $ git pull > Already up-to-date. > > And then: > > $ ./config > ... > $ make depend && make clean && make > ... > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DECP_NISTZ256_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread > -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o > crypto/cast/c_skey.o crypto/cast/c_skey.c > gcc -E crypto/chacha/chacha-armv8.S > crypto/chacha/chacha-armv8.s > crypto/chacha/chacha-armv8.S:1:22: fatal error: arm_arch.h: No such > file or directory > #include "arm_arch.h" > ^ > compilation terminated. > : recipe for target 'crypto/chacha/chacha-armv8.s' failed ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4417 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 04:27:07 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 04:27:07 +0000 Subject: [openssl-dev] [openssl.org #4418] Apple configuration delay does not respond to Ctrl-C, proceeds with configuration In-Reply-To: References: Message-ID: When running a naked "./config" on Apple platforms (both Intel and PowerPC), the following message is displayed: PowerMac:openssl$ ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC WARNING! If you wish to build 64-bit library, then you have to invoke './Configure darwin64-ppc-cc' *manually*. You have about 5 seconds to press Ctrl-C to abort. The problem is, the script does _not_ respond to Ctrl-C. It waits and then configures itself. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4418 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 04:33:52 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 04:33:52 +0000 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: Working from Master at 4c1cf7e. $ KERNEL_BITS=32 ./config ... $ make depend && make clean && make ... cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/poly1305/poly1305.d.tmp -MT crypto/poly1305/poly1305.o -c -o crypto/poly1305/poly1305.o crypto/poly1305/poly1305.c cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/ppccap.d.tmp -MT crypto/ppccap.o -c -o crypto/ppccap.o crypto/ppccap.c Makefile:4398: *** unterminated variable reference. Stop. ********** $ KERNEL_BITS=32 ./config Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin-ppc-cc Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for darwin-ppc-cc IsMK1MF =no CC =cc CFLAG =-O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_MONT SHA1_ASM SHA256_ASM SHA512_ASM AES_ASM VPAES_ASM POLY1305_ASM LFLAG = PLIB_LFLAG =-Wl,-search_paths_first EX_LIBS = APPS_OBJ = CPUID_OBJ =ppccpuid.o ppccap.o UPLINK_OBJ = BN_ASM =bn-ppc.o ppc-mont.o ppc64-mont.o EC_ASM = DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4_enc.o rc4_skey.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM = SHA1_OBJ_ASM =sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o RMD160_OBJ_ASM= CMLL_ENC =camellia.o cmll_misc.o cmll_cbc.o MODES_OBJ =ghashp8-ppc.o PADLOCK_OBJ = CHACHA_ENC =chacha-ppc.o POLY1305_OBJ =poly1305-ppc.o poly1305-ppcfp.o BLAKE2_OBJ = PROCESSOR = RANLIB =ranlib -c ARFLAGS = PERL =/opt/local/bin//perl5 THIRTY_TWO_BIT mode BN_LLONG mode Configured for darwin-ppc-cc. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4419 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 04:37:39 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 12 Mar 2016 23:37:39 -0500 Subject: [openssl-dev] [openssl.org #4379] "arch/async_posix.h:67:24: error: ucontext.h: No such file or directory" under OpenBSD 5.7/64-bit In-Reply-To: References: Message-ID: Bump... Still present in Master at 4c1cf7e. On Fri, Mar 4, 2016 at 9:22 PM, noloader at gmail.com via RT wrote: > cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN > -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM > -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 > -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -c > async.c -o async.o > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h:67:24: error: ucontext.h: No such file or directory > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h: In function 'async_fibre_swapcontext': > arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' > *** Error 1 in crypto/async (Makefile:65 'async.o') > *** Error 1 in crypto (Makefile:91 'subdirs') > *** Error 1 in /home/jwalton/openssl (Makefile:291 'build_crypto') From rt at openssl.org Sun Mar 13 04:37:47 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 04:37:47 +0000 Subject: [openssl-dev] [openssl.org #4379] "arch/async_posix.h:67:24: error: ucontext.h: No such file or directory" under OpenBSD 5.7/64-bit In-Reply-To: References: Message-ID: Bump... Still present in Master at 4c1cf7e. On Fri, Mar 4, 2016 at 9:22 PM, noloader at gmail.com via RT wrote: > cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN > -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM > -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 > -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -c > async.c -o async.o > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h:67:24: error: ucontext.h: No such file or directory > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h: In function 'async_fibre_swapcontext': > arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' > *** Error 1 in crypto/async (Makefile:65 'async.o') > *** Error 1 in crypto (Makefile:91 'subdirs') > *** Error 1 in /home/jwalton/openssl (Makefile:291 'build_crypto') -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4379 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 04:41:11 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 12 Mar 2016 23:41:11 -0500 Subject: [openssl-dev] [openssl.org #4412] Debian and ARM32 (armv7l): fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: I think this was closed earlier... retesting at 4c1cf7e confirmed the issue was cleared. On Thu, Mar 10, 2016 at 3:41 PM, noloader at gmail.com via RT wrote: > Working from Master on a BeagleBone Black... > > $ git reset --hard HEAD && git pull > HEAD is now at 0d4d5ab check reviewer --reviewer=emilia > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread > -march=armv7-a -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include > -Icrypto -MMD -MF crypto/aes/aesv8-armx.d.tmp -MT > crypto/aes/aesv8-armx.o -c -o crypto/aes/aesv8-armx.o > crypto/aes/aesv8-armx.s > gcc -E crypto/aes/bsaes-armv7.S > crypto/aes/bsaes-armv7.s > crypto/aes/bsaes-armv7.S:50:23: fatal error: arm_arch.h: No such file > or directory > # include "arm_arch.h" > ^ > compilation terminated. > : recipe for target 'crypto/aes/bsaes-armv7.s' failed > make: *** [crypto/aes/bsaes-armv7.s] Error 1 > > ... From rt at openssl.org Sun Mar 13 04:41:20 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 04:41:20 +0000 Subject: [openssl-dev] [openssl.org #4412] Debian and ARM32 (armv7l): fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: I think this was closed earlier... retesting at 4c1cf7e confirmed the issue was cleared. On Thu, Mar 10, 2016 at 3:41 PM, noloader at gmail.com via RT wrote: > Working from Master on a BeagleBone Black... > > $ git reset --hard HEAD && git pull > HEAD is now at 0d4d5ab check reviewer --reviewer=emilia > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread > -march=armv7-a -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include > -Icrypto -MMD -MF crypto/aes/aesv8-armx.d.tmp -MT > crypto/aes/aesv8-armx.o -c -o crypto/aes/aesv8-armx.o > crypto/aes/aesv8-armx.s > gcc -E crypto/aes/bsaes-armv7.S > crypto/aes/bsaes-armv7.s > crypto/aes/bsaes-armv7.S:50:23: fatal error: arm_arch.h: No such file > or directory > # include "arm_arch.h" > ^ > compilation terminated. > : recipe for target 'crypto/aes/bsaes-armv7.s' failed > make: *** [crypto/aes/bsaes-armv7.s] Error 1 > > ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4412 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 04:46:56 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 12 Mar 2016 23:46:56 -0500 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: The issue is present under 64-bit OS X PowerPC builds, also. On Sat, Mar 12, 2016 at 11:33 PM, noloader at gmail.com via RT wrote: > Working from Master at 4c1cf7e. > > $ KERNEL_BITS=32 ./config > ... > $ make depend && make clean && make > ... > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. > -Icrypto/include -MMD -MF crypto/poly1305/poly1305.d.tmp -MT > crypto/poly1305/poly1305.o -c -o crypto/poly1305/poly1305.o > crypto/poly1305/poly1305.c > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. > -Icrypto/include -MMD -MF crypto/ppccap.d.tmp -MT crypto/ppccap.o -c > -o crypto/ppccap.o crypto/ppccap.c > Makefile:4398: *** unterminated variable reference. Stop. From rt at openssl.org Sun Mar 13 04:47:04 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 04:47:04 +0000 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: The issue is present under 64-bit OS X PowerPC builds, also. On Sat, Mar 12, 2016 at 11:33 PM, noloader at gmail.com via RT wrote: > Working from Master at 4c1cf7e. > > $ KERNEL_BITS=32 ./config > ... > $ make depend && make clean && make > ... > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. > -Icrypto/include -MMD -MF crypto/poly1305/poly1305.d.tmp -MT > crypto/poly1305/poly1305.o -c -o crypto/poly1305/poly1305.o > crypto/poly1305/poly1305.c > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. > -Icrypto/include -MMD -MF crypto/ppccap.d.tmp -MT crypto/ppccap.o -c > -o crypto/ppccap.o crypto/ppccap.c > Makefile:4398: *** unterminated variable reference. Stop. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4419 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:03:11 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 05:03:11 +0000 Subject: [openssl-dev] [openssl.org #4420] Re: OS X 10.8: Make clean is leaving build artifacts In-Reply-To: References: Message-ID: This issue is no longer present as of 4c1cf7e. 2016-03-08 12:41 GMT-05:00 Jeffrey Walton : > $ KERNEL_BITS=64 ./config shared > ... > $ make depend && make clean && make > ... > > $ make clean > rm -f libcrypto.1.1.dylib > rm -f libcrypto.dylib > rm -f libssl.1.1.dylib > rm -f libssl.dylib > rm -f libcrypto.a libssl.a > rm -f apps/openssl test/afalgtest test/asynctest test/bftest > test/bntest test/casttest test/clienthellotest test/constant_time_test > test/ct_test test/danetest test/destest test/dhtest test/dsatest > test/dtlsv1listentest test/ecdhtest test/ecdsatest test/ectest > test/enginetest test/evp_extra_test test/evp_test test/exptest > test/gmdifftest test/heartbeat_test test/hmactest test/ideatest > test/igetest test/md2test test/md4test test/md5test test/mdc2test > test/memleaktest test/nptest test/p5_crpt2_test test/packettest > test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test > test/rmdtest test/rsa_test test/secmemtest test/sha1test test/sha256t > test/sha512t test/srptest test/ssltest test/threadstest > test/v3nametest test/verify_extra_test test/wp_test > rm -f `find . -name '*.d'` > rm -f `find . -name '*.o'` > rm -f ./core > rm -f ./tags ./TAGS > rm -f ./openssl.pc ./libcrypto.pc ./libssl.pc > rm -f `find . -type l` > rm -f ../openssl-1.1.0-pre4-dev.tar > > $ find . -name *.dylib > ./engines/capi.dylib > ./engines/dasync.dylib > ./engines/ossltest.dylib > ./engines/padlock.dylib > > $ make distclean > make: *** No rule to make target 'distclean'. Stop. > $ make dclean > make: *** No rule to make target 'dclean'. Stop. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4420 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:07:01 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:07:01 +0000 Subject: [openssl-dev] [openssl.org #4420] Re: OS X 10.8: Make clean is leaving build artifacts In-Reply-To: References: Message-ID: thanks for the update, closing. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4420 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:09:01 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:09:01 +0000 Subject: [openssl-dev] [openssl.org #4220] Simple BIO demo make memory leak In-Reply-To: <001101d14853$4522d090$cf6871b0$@haitaichina.com> References: <001101d14853$4522d090$cf6871b0$@haitaichina.com> Message-ID: In 1.1 you don't need to do anything, openssl will free its internal resources. before 1.1 you have to call various free/release routines to remove internal state. see what is done in the apps, for example. closing this ticket. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4220 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:09:53 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:09:53 +0000 Subject: [openssl-dev] [openssl.org #3331] [PATCH] respect LDFLAGS during build In-Reply-To: <1398564613-9254-1-git-send-email-vapier@gentoo.org> References: <1398564613-9254-1-git-send-email-vapier@gentoo.org> Message-ID: fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3331 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:10:55 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:10:55 +0000 Subject: [openssl-dev] [openssl.org #3447] Build environment updates In-Reply-To: References: Message-ID: PR closed. Fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3447 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:11:36 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:11:36 +0000 Subject: [openssl-dev] [openssl.org #3989] Bug report - clang fails to build openssl-1.0.2d In-Reply-To: References: Message-ID: fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3989 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:12:16 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:12:16 +0000 Subject: [openssl-dev] [openssl.org #4150] bug: Makefile.shared has race condition with SYMLINK_SO when building in parallel In-Reply-To: References: Message-ID: fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4150 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:12:48 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:12:48 +0000 Subject: [openssl-dev] [openssl.org #4203] OpenSSL 1.0.2e. Failed build due to (possibly) wrong include of dummytest.c In-Reply-To: <567E7056.2050005@prytkov.com> References: <567E7056.2050005@prytkov.com> Message-ID: fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4203 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:13:21 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:13:21 +0000 Subject: [openssl-dev] [openssl.org #4253] [PATCH] Build system fixes for GCC In-Reply-To: <20160118001706.GB974@kronk.local> References: <20160118001706.GB974@kronk.local> Message-ID: fixed in 1.1. thanks for your help :) -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4253 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:14:24 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:14:24 +0000 Subject: [openssl-dev] [openssl.org #4408] [PATCH] Remove last traces of CRYPTO_dynlock for non-compatibility build In-Reply-To: <1457601311.118898.294.camel@infradead.org> References: <1457601311.118898.294.camel@infradead.org> Message-ID: fied; matt removed the dynlock reference. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4408 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:15:03 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:15:03 +0000 Subject: [openssl-dev] [openssl.org #3814] make dclean breaks build and tests In-Reply-To: References: Message-ID: believed to be fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3814 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:15:51 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:15:51 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <566478DD.4030105@gmail.com> References: <566478DD.4030105@gmail.com> Message-ID: fixed in 1.1 -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:20:14 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:20:14 +0000 Subject: [openssl-dev] [openssl.org #1747] capi engine and mingw In-Reply-To: <48D94EAA.9090807@roumenpetrov.info> References: <48D94EAA.9090807@roumenpetrov.info> Message-ID: does this work in 1.1? (CAPI engine and MingW)? -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=1747 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:21:58 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:21:58 +0000 Subject: [openssl-dev] [openssl.org #1634] [PATCH] FIPS186 PRNG for OpenSSL In-Reply-To: <270A8A26F088AE4DA76B5B7EC6B1CD1A32CE3697B9@aclmailbox.corp.audiocodes.com> References: <270A8A26F088AE4DA76B5B7EC6B1CD1A32CE3697B9@aclmailbox.corp.audiocodes.com> Message-ID: Nobody's looked at this, and when I did I see that the patch got truncated :( Closing ticket. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=1634 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:23:14 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:23:14 +0000 Subject: [openssl-dev] [openssl.org #1401] Proxy module In-Reply-To: <006301c6e725$bee3e390$17c55a99@mcs.anl.gov> References: <6b9359640609291240r3991c6ay9a4e87244fcc7e5b@mail.gmail.com> <006301c6e725$bee3e390$17c55a99@mcs.anl.gov> Message-ID: Proxy cert support is already enabled. -- Rich Salz, OpenSSL dev team; rsalz at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=1401 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 05:51:46 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sun, 13 Mar 2016 05:51:46 +0000 Subject: [openssl-dev] [openssl.org #2019] [PATCH] Optimize handling of TLS SNI extension when resuming a session (server side) In-Reply-To: <4A91836F.7080608@velox.ch> References: <4A91836F.7080608@velox.ch> Message-ID: Fxied in master. Fixes pending for 1.0.02; closing. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2019 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 06:10:32 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 01:10:32 -0500 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <56E33589.1020404@openssl.org> References: <56E33589.1020404@openssl.org> Message-ID: >> It looks like the hang is still present as of 603358d. >> >> When the following runs: >> >> ../test/recipes/30-test_afalg.t >> >> What is actually running? How can I get it under a debugger? > > > $ ./config -d > $ make > $ make test/afalgtest > $ cd test > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest Thanks Matt. I'm having trouble attaching to afalgtest when its running under 'make test'. I'm also having trouble starting afalgtest when using the procedure above: it loads OK in GDB, but nothing happens after 'r'. 'top' is not showing anything out of the ordinary. I'm guessing its a problem with afalgtest startup code. I want to isolate this a little more. How can I remove electric fence but keep the debugging configuration? Can I configure with something like './config -d no-electric-fence' Jeff From rt at openssl.org Sun Mar 13 06:10:43 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 06:10:43 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: >> It looks like the hang is still present as of 603358d. >> >> When the following runs: >> >> ../test/recipes/30-test_afalg.t >> >> What is actually running? How can I get it under a debugger? > > > $ ./config -d > $ make > $ make test/afalgtest > $ cd test > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest Thanks Matt. I'm having trouble attaching to afalgtest when its running under 'make test'. I'm also having trouble starting afalgtest when using the procedure above: it loads OK in GDB, but nothing happens after 'r'. 'top' is not showing anything out of the ordinary. I'm guessing its a problem with afalgtest startup code. I want to isolate this a little more. How can I remove electric fence but keep the debugging configuration? Can I configure with something like './config -d no-electric-fence' Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 06:29:05 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 01:29:05 -0500 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <56E33589.1020404@openssl.org> References: <56E33589.1020404@openssl.org> Message-ID: >> It looks like the hang is still present as of 603358d. >> >> When the following runs: >> >> ../test/recipes/30-test_afalg.t >> >> What is actually running? How can I get it under a debugger? > > > $ ./config -d > $ make > $ make test/afalgtest > $ cd test > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest OK, I've got two hung processes from two attempts to debug this: $ ps -A | grep afalgtest 1030 pts/0 00:00:00 afalgtest 1196 pts/0 00:00:00 afalgtest Both appear to be hanging in syscall 248: via:test$ sudo cat /proc/1030/syscall 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8 $ sudo cat /proc/1196/syscall 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8 According to: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 15.10 Release: 15.10 Codename: wily And: $ uname -a Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux So I have a Lubuntu 15 machine (it supports the VIA PM400 graphics chipset) with a 4.2.0 kernel. According to http://lxr.free-electrons.com/source/include/linux/syscalls.h?v=4.2, its hanging in `sys_acct`. Any ideas why this would be hanging in sys_acct? Jeff From rt at openssl.org Sun Mar 13 06:29:14 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 06:29:14 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: >> It looks like the hang is still present as of 603358d. >> >> When the following runs: >> >> ../test/recipes/30-test_afalg.t >> >> What is actually running? How can I get it under a debugger? > > > $ ./config -d > $ make > $ make test/afalgtest > $ cd test > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest OK, I've got two hung processes from two attempts to debug this: $ ps -A | grep afalgtest 1030 pts/0 00:00:00 afalgtest 1196 pts/0 00:00:00 afalgtest Both appear to be hanging in syscall 248: via:test$ sudo cat /proc/1030/syscall 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8 $ sudo cat /proc/1196/syscall 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 0xbfff986c 0xb7fdbbe8 According to: $ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 15.10 Release: 15.10 Codename: wily And: $ uname -a Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux So I have a Lubuntu 15 machine (it supports the VIA PM400 graphics chipset) with a 4.2.0 kernel. According to http://lxr.free-electrons.com/source/include/linux/syscalls.h?v=4.2, its hanging in `sys_acct`. Any ideas why this would be hanging in sys_acct? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 06:55:10 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 01:55:10 -0500 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: > OK, I've got two hung processes from two attempts to debug this: > > $ ps -A | grep afalgtest > 1030 pts/0 00:00:00 afalgtest > 1196 pts/0 00:00:00 afalgtest > > Both appear to be hanging in syscall 248: > > via:test$ sudo cat /proc/1030/syscall > 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 > 0xbfff986c 0xb7fdbbe8 > $ sudo cat /proc/1196/syscall > 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 > 0xbfff986c 0xb7fdbbe8 > I found this in dmesg/syslog. I'm guessing this is a kernel bug? [ 671.209915] BUG: unable to handle kernel NULL pointer dereference at 00000008 [ 671.209931] IP: [] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] [ 671.209945] *pdpt = 000000003363b001 *pde = 0000000000000000 [ 671.209952] Oops: 0000 [#2] SMP [ 671.209959] Modules linked in: jitterentropy_rng drbg ansi_cprng algif_skcipher af_alg snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi padlock_sha snd_seq padlock_aes snd_seq_device via_cputemp snd_timer hwmon_vid via_rng snd input_leds serio_raw soundcore i2c_viapro shpchp 8250_fintek mac_hid parport_pc ppdev lp parport autofs4 pata_acpi hid_generic usbhid hid psmouse r8169 pata_via sata_via mii [ 671.210026] CPU: 0 PID: 1196 Comm: afalgtest Tainted: G D 4.2.0-30-generic #36-Ubuntu [ 671.210033] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Weibu, BIOS 080014 11/17/2011 [ 671.210038] task: f4e0cec0 ti: f3fa8000 task.ti: f3fa8000 [ 671.210043] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 [ 671.210050] EIP is at skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] [ 671.210055] EAX: f3f99400 EBX: f3f63c00 ECX: f3f99400 EDX: 00000000 [ 671.210059] ESI: f3f63c00 EDI: 00000ff0 EBP: f3fa9dc8 ESP: f3fa9d70 [ 671.210064] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 671.210069] CR0: 80050033 CR2: 00000008 CR3: 32fd0de0 CR4: 000006b0 [ 671.210073] Stack: [ 671.210076] f3f995f4 f3f99400 f3f995e0 00000000 f3f99404 00000020 f3fa9d00 00000018 [ 671.210088] 00001ff0 f3f98c00 f3f99404 00000ff0 f3fa9e40 f3f995e8 f3fa9e38 f3f99000 [ 671.210099] 00000002 00000002 f3f99400 f1f58480 c1210510 f3fa9e38 f3fa9df4 f8a6cd6b [ 671.210110] Call Trace: [ 671.210125] [] ? free_ioctx_users+0xa0/0xa0 [ 671.210133] [] skcipher_recvmsg+0x2b/0x1f0 [algif_skcipher] [ 671.210140] [] ? skcipher_check_key.isra.8+0x2a/0xb0 [algif_skcipher] [ 671.210148] [] skcipher_recvmsg_nokey+0x31/0x40 [algif_skcipher] [ 671.210157] [] sock_recvmsg+0x3d/0x50 [ 671.210164] [] sock_read_iter+0x84/0xd0 [ 671.210171] [] ? sock_recvmsg+0x50/0x50 [ 671.210177] [] aio_run_iocb+0x110/0x2c0 [ 671.210183] [] ? sock_recvmsg+0x50/0x50 [ 671.210192] [] ? error_code+0x67/0x6c [ 671.210203] [] ? kmem_cache_alloc+0x1b4/0x1e0 [ 671.210212] [] ? __fdget+0x12/0x20 [ 671.210219] [] do_io_submit+0x1ef/0x4a0 [ 671.210230] [] ? security_file_alloc+0x2f/0x50 [ 671.210238] [] SyS_io_submit+0x20/0x30 [ 671.210249] [] sysenter_do_call+0x12/0x12 [ 671.210252] Code: 00 00 00 75 24 8b 45 ac ff 52 0c 89 c7 83 ff 8d 75 8f 8b 45 e4 3e ff 80 fc 01 00 00 bf ef fd ff ff e9 62 fc ff ff 8d 76 00 89 c8 52 08 89 c7 eb db 8b 45 e4 31 d2 8b 80 20 02 00 00 8b 58 1c [ 671.210319] EIP: [] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] SS:ESP 0068:f3fa9d70 [ 671.210328] CR2: 0000000000000008 [ 671.210334] ---[ end trace 3cce7cc6be0ad95f ]--- From rt at openssl.org Sun Mar 13 06:55:24 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 06:55:24 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <56E33589.1020404@openssl.org> Message-ID: > OK, I've got two hung processes from two attempts to debug this: > > $ ps -A | grep afalgtest > 1030 pts/0 00:00:00 afalgtest > 1196 pts/0 00:00:00 afalgtest > > Both appear to be hanging in syscall 248: > > via:test$ sudo cat /proc/1030/syscall > 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 > 0xbfff986c 0xb7fdbbe8 > $ sudo cat /proc/1196/syscall > 248 0xb7fd6000 0x1 0xbfff98d4 0xb7fb9270 0xbfff98e0 0xb7ec45f7 > 0xbfff986c 0xb7fdbbe8 > I found this in dmesg/syslog. I'm guessing this is a kernel bug? [ 671.209915] BUG: unable to handle kernel NULL pointer dereference at 00000008 [ 671.209931] IP: [] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] [ 671.209945] *pdpt = 000000003363b001 *pde = 0000000000000000 [ 671.209952] Oops: 0000 [#2] SMP [ 671.209959] Modules linked in: jitterentropy_rng drbg ansi_cprng algif_skcipher af_alg snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi padlock_sha snd_seq padlock_aes snd_seq_device via_cputemp snd_timer hwmon_vid via_rng snd input_leds serio_raw soundcore i2c_viapro shpchp 8250_fintek mac_hid parport_pc ppdev lp parport autofs4 pata_acpi hid_generic usbhid hid psmouse r8169 pata_via sata_via mii [ 671.210026] CPU: 0 PID: 1196 Comm: afalgtest Tainted: G D 4.2.0-30-generic #36-Ubuntu [ 671.210033] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Weibu, BIOS 080014 11/17/2011 [ 671.210038] task: f4e0cec0 ti: f3fa8000 task.ti: f3fa8000 [ 671.210043] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 [ 671.210050] EIP is at skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] [ 671.210055] EAX: f3f99400 EBX: f3f63c00 ECX: f3f99400 EDX: 00000000 [ 671.210059] ESI: f3f63c00 EDI: 00000ff0 EBP: f3fa9dc8 ESP: f3fa9d70 [ 671.210064] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 671.210069] CR0: 80050033 CR2: 00000008 CR3: 32fd0de0 CR4: 000006b0 [ 671.210073] Stack: [ 671.210076] f3f995f4 f3f99400 f3f995e0 00000000 f3f99404 00000020 f3fa9d00 00000018 [ 671.210088] 00001ff0 f3f98c00 f3f99404 00000ff0 f3fa9e40 f3f995e8 f3fa9e38 f3f99000 [ 671.210099] 00000002 00000002 f3f99400 f1f58480 c1210510 f3fa9e38 f3fa9df4 f8a6cd6b [ 671.210110] Call Trace: [ 671.210125] [] ? free_ioctx_users+0xa0/0xa0 [ 671.210133] [] skcipher_recvmsg+0x2b/0x1f0 [algif_skcipher] [ 671.210140] [] ? skcipher_check_key.isra.8+0x2a/0xb0 [algif_skcipher] [ 671.210148] [] skcipher_recvmsg_nokey+0x31/0x40 [algif_skcipher] [ 671.210157] [] sock_recvmsg+0x3d/0x50 [ 671.210164] [] sock_read_iter+0x84/0xd0 [ 671.210171] [] ? sock_recvmsg+0x50/0x50 [ 671.210177] [] aio_run_iocb+0x110/0x2c0 [ 671.210183] [] ? sock_recvmsg+0x50/0x50 [ 671.210192] [] ? error_code+0x67/0x6c [ 671.210203] [] ? kmem_cache_alloc+0x1b4/0x1e0 [ 671.210212] [] ? __fdget+0x12/0x20 [ 671.210219] [] do_io_submit+0x1ef/0x4a0 [ 671.210230] [] ? security_file_alloc+0x2f/0x50 [ 671.210238] [] SyS_io_submit+0x20/0x30 [ 671.210249] [] sysenter_do_call+0x12/0x12 [ 671.210252] Code: 00 00 00 75 24 8b 45 ac ff 52 0c 89 c7 83 ff 8d 75 8f 8b 45 e4 3e ff 80 fc 01 00 00 bf ef fd ff ff e9 62 fc ff ff 8d 76 00 89 c8 52 08 89 c7 eb db 8b 45 e4 31 d2 8b 80 20 02 00 00 8b 58 1c [ 671.210319] EIP: [] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] SS:ESP 0068:f3fa9d70 [ 671.210328] CR2: 0000000000000008 [ 671.210334] ---[ end trace 3cce7cc6be0ad95f ]--- -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 07:47:12 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 03:47:12 -0400 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 2:29 PM, noloader at gmail.com via RT wrote: > Working from Master: > > $ git reset --hard HEAD && git pull > HEAD is now at fb04434 In the recipe using "makedepend", make sure the > object file extension is there > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > $ make test > ... > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ... > ../test/recipes/25-test_x509.t ............ ok > ../test/recipes/30-test_afalg.t ........... > ^C (after about 20 minutes) > Now open on Launchpad: https://bugs.launchpad.net/linux-kernel-no-pae/+bug/1556562. From rt at openssl.org Sun Mar 13 07:47:15 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 07:47:15 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: On Thu, Mar 10, 2016 at 2:29 PM, noloader at gmail.com via RT wrote: > Working from Master: > > $ git reset --hard HEAD && git pull > HEAD is now at fb04434 In the recipe using "makedepend", make sure the > object file extension is there > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > $ make test > ... > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ... > ../test/recipes/25-test_x509.t ............ ok > ../test/recipes/30-test_afalg.t ........... > ^C (after about 20 minutes) > Now open on Launchpad: https://bugs.launchpad.net/linux-kernel-no-pae/+bug/1556562. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 10:04:28 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Sun, 13 Mar 2016 10:04:28 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <20160313100421.GA23910@roeckx.be> References: <56E33589.1020404@openssl.org> <20160313100421.GA23910@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 06:29:14AM +0000, noloader at gmail.com via RT wrote: > >> It looks like the hang is still present as of 603358d. > >> > >> When the following runs: > >> > >> ../test/recipes/30-test_afalg.t > >> > >> What is actually running? How can I get it under a debugger? > > > > > > $ ./config -d > > $ make > > $ make test/afalgtest > > $ cd test > > $ OPENSSL_ENGINES=../engines/afalg gdb ./afalgtest > > OK, I've got two hung processes from two attempts to debug this: > > $ ps -A | grep afalgtest > 1030 pts/0 00:00:00 afalgtest > 1196 pts/0 00:00:00 afalgtest > > Both appear to be hanging in syscall 248: So that appears to be: ./engines/afalg/e_afalg.c: return syscall(__NR_io_submit, ctx, n, iocb); Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 10:14:08 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 10:14:08 +0000 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: Identified and corrected, waiting to pass internal review. I've attached the fix for your viewing and application before it lands in master. Cheers, Richard Vid Sun, 13 Mar 2016 kl. 04.47.04, skrev noloader at gmail.com: > The issue is present under 64-bit OS X PowerPC builds, also. > > On Sat, Mar 12, 2016 at 11:33 PM, noloader at gmail.com via RT > wrote: > > Working from Master at 4c1cf7e. > > > > $ KERNEL_BITS=32 ./config > > ... > > $ make depend && make clean && make > > ... > > > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc > > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. > > -Icrypto/include -MMD -MF crypto/poly1305/poly1305.d.tmp -MT > > crypto/poly1305/poly1305.o -c -o crypto/poly1305/poly1305.o > > crypto/poly1305/poly1305.c > > > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM > > -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc > > -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. > > -Icrypto/include -MMD -MF crypto/ppccap.d.tmp -MT crypto/ppccap.o -c > > -o crypto/ppccap.o crypto/ppccap.c > > Makefile:4398: *** unterminated variable reference. Stop. > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4419 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: build.info.patch Type: text/x-patch Size: 602 bytes Desc: not available URL: From rt at openssl.org Sun Mar 13 10:22:15 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 10:22:15 +0000 Subject: [openssl-dev] [openssl.org #4421] Make clean leaving tmp.bak artifacts In-Reply-To: References: Message-ID: $ make clean && find . -name '*tmp.bak' | wc -l rm -f rm -f rm -f libcrypto.a libssl.a ... rm -f `find . -name '*.d'` rm -f `find . -name '*.o'` rm -f core rm -f tags TAGS rm -f openssl.pc libcrypto.pc libssl.pc rm -f `find . -type l` rm -f ../openssl-1.1.0-pre4-dev.tar 755 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4421 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 10:30:54 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 10:30:54 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: Message-ID: cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/blake2/blake2b.d.tmp -MT crypto/blake2/blake2b.o -c -o crypto/blake2/blake2b.o crypto/blake2/blake2b.c crypto/blake2/blake2b.c:27: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:27: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:28: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:28: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:29: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:29: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:30: warning: integer constant is too large for 'unsigned long' type crypto/blake2/blake2b.c:30: warning: integer constant is too large for 'unsigned long' type -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 10:41:43 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 10:41:43 +0000 Subject: [openssl-dev] [openssl.org #4418] Apple configuration delay does not respond to Ctrl-C, proceeds with configuration In-Reply-To: References: Message-ID: I just witnessed it freeze when pressing ^C, never getting out of read. That fix seems to be to add `exit 0` in the trap string. That fix is currently in review. Vid Sun, 13 Mar 2016 kl. 04.27.06, skrev noloader at gmail.com: > When running a naked "./config" on Apple platforms (both Intel and > PowerPC), the following message is displayed: > > PowerMac:openssl$ ./config > Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul > 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC > WARNING! If you wish to build 64-bit library, then you have to > invoke './Configure darwin64-ppc-cc' *manually*. > You have about 5 seconds to press Ctrl-C to abort. > > The problem is, the script does _not_ respond to Ctrl-C. It waits and > then configures itself. > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4418 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 10:44:13 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 06:44:13 -0400 Subject: [openssl-dev] [openssl.org #4415] test/certs/mkcert.sh uses "#! /binbash" In-Reply-To: References: Message-ID: > ... > Another potential pain point is PERL: > > grep -iIR perl * | grep '#' | grep -v 'env' | wc -l > 232 > > It looks like most uses of PERL are expected to be at > /usr/local/bin/perl. 160 of them use /usr/bin/env, but 230 or so use > the potentially incorrect path. This is testing OK if the change is acceptable: $ cd openssl $ find $PWD -name '*.pl' -exec sed -i 's|#!/usr/bin/perl|#!/usr/bin/env perl|g' {} \; $ find $PWD -name '*.pl' -exec sed -i 's|#!/usr/local/bin/perl|#!/usr/bin/env perl|g' {} \; $ find $PWD -name '*.pl' -exec sed -i 's|#! /usr/bin/perl|#!/usr/bin/env perl|g' {} \; $ find $PWD -name '*.pl' -exec sed -i 's|#! /usr/local/bin/perl|#!/usr/bin/env perl|g' {} \; -------------- next part -------------- diff --git a/VMS/VMSify-conf.pl b/VMS/VMSify-conf.pl index 9890362..a726c26 100644 --- a/VMS/VMSify-conf.pl +++ b/VMS/VMSify-conf.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/VMS/translatesyms.pl b/VMS/translatesyms.pl index de3db6c..fec735c 100644 --- a/VMS/translatesyms.pl +++ b/VMS/translatesyms.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl # This script will translate any SYMBOL_VECTOR item that has a translation # in CXX$DEMANGLER_DB. The latter is generated by and CC/DECC command that diff --git a/apps/progs.pl b/apps/progs.pl index f24b91b..219bd2c 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl # Generate progs.h file by looking for command mains in list of C files # passed on the command line. diff --git a/crypto/asn1/charmap.pl b/crypto/asn1/charmap.pl index 878504f..cdfd80c 100644 --- a/crypto/asn1/charmap.pl +++ b/crypto/asn1/charmap.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w # Written by Dr Stephen N Henson (steve at openssl.org). # Licensed under the terms of the OpenSSL license. diff --git a/crypto/bf/asm/bf-586.pl b/crypto/bf/asm/bf-586.pl index 319a638..271e842 100644 --- a/crypto/bf/asm/bf-586.pl +++ b/crypto/bf/asm/bf-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/bn/asm/bn-586.pl b/crypto/bn/asm/bn-586.pl index 3f34abe..096bb9c 100644 --- a/crypto/bn/asm/bn-586.pl +++ b/crypto/bn/asm/bn-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/bn/asm/co-586.pl b/crypto/bn/asm/co-586.pl index ec3ea34..d0fe8ce 100644 --- a/crypto/bn/asm/co-586.pl +++ b/crypto/bn/asm/co-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/bn/asm/x86.pl b/crypto/bn/asm/x86.pl index c1cab72..a4441cf 100644 --- a/crypto/bn/asm/x86.pl +++ b/crypto/bn/asm/x86.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl push(@INC,"perlasm","../../perlasm"); require "x86asm.pl"; diff --git a/crypto/cast/asm/cast-586.pl b/crypto/cast/asm/cast-586.pl index 267d699..ce9a06c 100644 --- a/crypto/cast/asm/cast-586.pl +++ b/crypto/cast/asm/cast-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # This flag makes the inner loop one cycle longer, but generates # code that runs %30 faster on the pentium pro/II, 44% faster diff --git a/crypto/conf/keysets.pl b/crypto/conf/keysets.pl index a9baca4..bd14872 100644 --- a/crypto/conf/keysets.pl +++ b/crypto/conf/keysets.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $NUMBER=0x01; $UPPER=0x02; diff --git a/crypto/des/asm/crypt586.pl b/crypto/des/asm/crypt586.pl index d94528f..4affa39 100644 --- a/crypto/des/asm/crypt586.pl +++ b/crypto/des/asm/crypt586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # The inner loop instruction sequence and the IP/FP modifications are from # Svend Olaf Mikkelsen diff --git a/crypto/des/asm/des-586.pl b/crypto/des/asm/des-586.pl index e56eae4..236af07 100644 --- a/crypto/des/asm/des-586.pl +++ b/crypto/des/asm/des-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # The inner loop instruction sequence and the IP/FP modifications are from # Svend Olaf Mikkelsen diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl index eec0088..aa5e9fe 100644 --- a/crypto/des/asm/desboth.pl +++ b/crypto/des/asm/desboth.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $L="edi"; $R="esi"; diff --git a/crypto/lhash/num.pl b/crypto/lhash/num.pl index 4440a99..3dad9b1 100644 --- a/crypto/lhash/num.pl +++ b/crypto/lhash/num.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl #node 10 -> 4 diff --git a/crypto/md5/asm/md5-586.pl b/crypto/md5/asm/md5-586.pl index b3b756c..3dfbdb7 100644 --- a/crypto/md5/asm/md5-586.pl +++ b/crypto/md5/asm/md5-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Normal is the # md5_block_x86(MD5_CTX *c, ULONG *X); diff --git a/crypto/md5/asm/md5-x86_64.pl b/crypto/md5/asm/md5-x86_64.pl index 8d820e1..1009711 100755 --- a/crypto/md5/asm/md5-x86_64.pl +++ b/crypto/md5/asm/md5-x86_64.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/env perl -w # # MD5 optimized for AMD64. # diff --git a/crypto/objects/obj_dat.pl b/crypto/objects/obj_dat.pl index 0bf1e48..34ecf78 100644 --- a/crypto/objects/obj_dat.pl +++ b/crypto/objects/obj_dat.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # fixes bug in floating point emulation on sparc64 when # this script produces off-by-one output on sparc64 diff --git a/crypto/objects/objects.pl b/crypto/objects/objects.pl index 107647a..a58e7c6 100644 --- a/crypto/objects/objects.pl +++ b/crypto/objects/objects.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]"; $max_nid=0; diff --git a/crypto/objects/objxref.pl b/crypto/objects/objxref.pl index 7ebd74c..666b71e 100644 --- a/crypto/objects/objxref.pl +++ b/crypto/objects/objxref.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use strict; diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl index 24561e7..4612638 100644 --- a/crypto/perlasm/cbc.pl +++ b/crypto/perlasm/cbc.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # void des_ncbc_encrypt(input, output, length, schedule, ivec, enc) # des_cblock (*input); diff --git a/crypto/rc5/asm/rc5-586.pl b/crypto/rc5/asm/rc5-586.pl index a0d85f2..3958bc1 100644 --- a/crypto/rc5/asm/rc5-586.pl +++ b/crypto/rc5/asm/rc5-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/ripemd/asm/rmd-586.pl b/crypto/ripemd/asm/rmd-586.pl index fd32a73..924cf11 100644 --- a/crypto/ripemd/asm/rmd-586.pl +++ b/crypto/ripemd/asm/rmd-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Normal is the # ripemd160_block_asm_data_order(RIPEMD160_CTX *c, ULONG *X,int blocks); diff --git a/ms/cmp.pl b/ms/cmp.pl index 95b257f..7e03fae 100644 --- a/ms/cmp.pl +++ b/ms/cmp.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl ($#ARGV == 1) || die "usage: cmp.pl \n"; diff --git a/os2/backwardify.pl b/os2/backwardify.pl index 272423c..55c2dec 100644 --- a/os2/backwardify.pl +++ b/os2/backwardify.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/env perl -w use strict; # Use as $0 diff --git a/test/recipes/bc.pl b/test/recipes/bc.pl index 29a4a8a..6de2e8b 100644 --- a/test/recipes/bc.pl +++ b/test/recipes/bc.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl index eeb25d0..3a2fd87 100644 --- a/test/recipes/tconversion.pl +++ b/test/recipes/tconversion.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/test/run_tests.pl b/test/run_tests.pl index f7bd623..fd5819c 100644 --- a/test/run_tests.pl +++ b/test/run_tests.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/util/add_cr.pl b/util/add_cr.pl index c7b62c1..825c238 100755 --- a/util/add_cr.pl +++ b/util/add_cr.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This adds a copyright message to a souce code file. # It also gets the file name correct. diff --git a/util/check-buildinfo.pl b/util/check-buildinfo.pl index f7d3baa..5e7e518 100644 --- a/util/check-buildinfo.pl +++ b/util/check-buildinfo.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl my %MINFO_source = (); diff --git a/util/ck_errf.pl b/util/ck_errf.pl index 922e5f6..8835e12 100755 --- a/util/ck_errf.pl +++ b/util/ck_errf.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This is just a quick script to scan for cases where the 'error' # function name in a XXXerr() macro is wrong. diff --git a/util/copy-if-different.pl b/util/copy-if-different.pl index ec99e08..2ab65ef 100755 --- a/util/copy-if-different.pl +++ b/util/copy-if-different.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use strict; diff --git a/util/copy.pl b/util/copy.pl index eba6d58..134503d 100644 --- a/util/copy.pl +++ b/util/copy.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use Fcntl; diff --git a/util/dirname.pl b/util/dirname.pl index d7a66d9..2995cb9 100644 --- a/util/dirname.pl +++ b/util/dirname.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl if ($#ARGV < 0) { die "dirname.pl: too few arguments\n"; diff --git a/util/dofile.pl b/util/dofile.pl index 983778f..703d639 100644 --- a/util/dofile.pl +++ b/util/dofile.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl # # Reads one or more template files and runs it through Text::Template # diff --git a/util/extract-names.pl b/util/extract-names.pl index 0f69335..5f1f2c4 100644 --- a/util/extract-names.pl +++ b/util/extract-names.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl $/ = ""; # Eat a paragraph at once. while() { diff --git a/util/extract-section.pl b/util/extract-section.pl index 7a0ba4f..2649e72 100644 --- a/util/extract-section.pl +++ b/util/extract-section.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl while() { if (/=for\s+comment\s+openssl_manual_section:(\S+)/) diff --git a/util/files.pl b/util/files.pl index 32e7125..3b46442 100755 --- a/util/files.pl +++ b/util/files.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # used to generate the file MINFO for use by util/mk1mf.pl # It is basically a list of all variables from the passed makefile diff --git a/util/fipslink.pl b/util/fipslink.pl index 7b16e04..a0720db 100644 --- a/util/fipslink.pl +++ b/util/fipslink.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl sub check_env { diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl index a809f71..21b86f6 100755 --- a/util/mkbuildinf.pl +++ b/util/mkbuildinf.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl my ($cflags, $platform) = @ARGV; diff --git a/util/mkdef.pl b/util/mkdef.pl index 4578c9a..ac3f962 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w # # generate a .def file # diff --git a/util/mkdir-p.pl b/util/mkdir-p.pl index e73d02b..bf054bd 100755 --- a/util/mkdir-p.pl +++ b/util/mkdir-p.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # mkdir-p.pl diff --git a/util/mkerr.pl b/util/mkerr.pl index 4fd5520..f0dca2c 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w my $config = "crypto/err/openssl.ec"; my $hprefix = "openssl/"; diff --git a/util/mkfiles.pl b/util/mkfiles.pl index 0e4f71e..e8c2d01 100755 --- a/util/mkfiles.pl +++ b/util/mkfiles.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This is a hacked version of files.pl for systems that can't do a 'make files'. # Do a perl util/mkminfo.pl >MINFO to build MINFO diff --git a/util/perlpath.pl b/util/perlpath.pl index a1f236b..517f326 100755 --- a/util/perlpath.pl +++ b/util/perlpath.pl @@ -1,6 +1,6 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # -# modify the '#!/usr/local/bin/perl' +# modify the '#!/usr/bin/env perl' # line in all scripts that rely on perl. # diff --git a/util/pl/BC-32.pl b/util/pl/BC-32.pl index ef21b58..a21da2f 100644 --- a/util/pl/BC-32.pl +++ b/util/pl/BC-32.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Borland C++ builder 3 and 4 -- Janez Jere # diff --git a/util/pl/Mingw32.pl b/util/pl/Mingw32.pl index 55c85f6..feab3e2 100644 --- a/util/pl/Mingw32.pl +++ b/util/pl/Mingw32.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # Mingw32.pl -- Mingw # diff --git a/util/pl/OS2-EMX.pl b/util/pl/OS2-EMX.pl index 92a332e..5f54d36 100644 --- a/util/pl/OS2-EMX.pl +++ b/util/pl/OS2-EMX.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # OS2-EMX.pl - for EMX GCC on OS/2 # diff --git a/util/pl/VC-32.pl b/util/pl/VC-32.pl index 8ed6508..7750644 100644 --- a/util/pl/VC-32.pl +++ b/util/pl/VC-32.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # VC-32.pl - unified script for Microsoft Visual C++, covering Win32, # Win64 and WinCE [follow $FLAVOR variable to trace the differences]. # diff --git a/util/pl/linux.pl b/util/pl/linux.pl index cb5dd59..054b825 100644 --- a/util/pl/linux.pl +++ b/util/pl/linux.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # linux.pl - the standard unix makefile stuff. # diff --git a/util/pl/ultrix.pl b/util/pl/ultrix.pl index 2cccd11..d5b14d1 100644 --- a/util/pl/ultrix.pl +++ b/util/pl/ultrix.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # linux.pl - the standard unix makefile stuff. # diff --git a/util/pl/unix.pl b/util/pl/unix.pl index 6add39a..2693287 100644 --- a/util/pl/unix.pl +++ b/util/pl/unix.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # unix.pl - the standard unix makefile stuff. # diff --git a/util/selftest.pl b/util/selftest.pl index 06d494a..803115e 100644 --- a/util/selftest.pl +++ b/util/selftest.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w # # Run the test suite and generate a report # diff --git a/util/sp-diff.pl b/util/sp-diff.pl index 57e635b..8997110 100755 --- a/util/sp-diff.pl +++ b/util/sp-diff.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This file takes as input, the files that have been output from # ssleay speed. From rt at openssl.org Sun Mar 13 10:44:19 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 10:44:19 +0000 Subject: [openssl-dev] [openssl.org #4415] test/certs/mkcert.sh uses "#! /binbash" In-Reply-To: References: Message-ID: > ... > Another potential pain point is PERL: > > grep -iIR perl * | grep '#' | grep -v 'env' | wc -l > 232 > > It looks like most uses of PERL are expected to be at > /usr/local/bin/perl. 160 of them use /usr/bin/env, but 230 or so use > the potentially incorrect path. This is testing OK if the change is acceptable: $ cd openssl $ find $PWD -name '*.pl' -exec sed -i 's|#!/usr/bin/perl|#!/usr/bin/env perl|g' {} \; $ find $PWD -name '*.pl' -exec sed -i 's|#!/usr/local/bin/perl|#!/usr/bin/env perl|g' {} \; $ find $PWD -name '*.pl' -exec sed -i 's|#! /usr/bin/perl|#!/usr/bin/env perl|g' {} \; $ find $PWD -name '*.pl' -exec sed -i 's|#! /usr/local/bin/perl|#!/usr/bin/env perl|g' {} \; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4415 Please log in as guest with password guest if prompted -------------- next part -------------- diff --git a/VMS/VMSify-conf.pl b/VMS/VMSify-conf.pl index 9890362..a726c26 100644 --- a/VMS/VMSify-conf.pl +++ b/VMS/VMSify-conf.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/VMS/translatesyms.pl b/VMS/translatesyms.pl index de3db6c..fec735c 100644 --- a/VMS/translatesyms.pl +++ b/VMS/translatesyms.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl # This script will translate any SYMBOL_VECTOR item that has a translation # in CXX$DEMANGLER_DB. The latter is generated by and CC/DECC command that diff --git a/apps/progs.pl b/apps/progs.pl index f24b91b..219bd2c 100644 --- a/apps/progs.pl +++ b/apps/progs.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl # Generate progs.h file by looking for command mains in list of C files # passed on the command line. diff --git a/crypto/asn1/charmap.pl b/crypto/asn1/charmap.pl index 878504f..cdfd80c 100644 --- a/crypto/asn1/charmap.pl +++ b/crypto/asn1/charmap.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w # Written by Dr Stephen N Henson (steve at openssl.org). # Licensed under the terms of the OpenSSL license. diff --git a/crypto/bf/asm/bf-586.pl b/crypto/bf/asm/bf-586.pl index 319a638..271e842 100644 --- a/crypto/bf/asm/bf-586.pl +++ b/crypto/bf/asm/bf-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/bn/asm/bn-586.pl b/crypto/bn/asm/bn-586.pl index 3f34abe..096bb9c 100644 --- a/crypto/bn/asm/bn-586.pl +++ b/crypto/bn/asm/bn-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/bn/asm/co-586.pl b/crypto/bn/asm/co-586.pl index ec3ea34..d0fe8ce 100644 --- a/crypto/bn/asm/co-586.pl +++ b/crypto/bn/asm/co-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/bn/asm/x86.pl b/crypto/bn/asm/x86.pl index c1cab72..a4441cf 100644 --- a/crypto/bn/asm/x86.pl +++ b/crypto/bn/asm/x86.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl push(@INC,"perlasm","../../perlasm"); require "x86asm.pl"; diff --git a/crypto/cast/asm/cast-586.pl b/crypto/cast/asm/cast-586.pl index 267d699..ce9a06c 100644 --- a/crypto/cast/asm/cast-586.pl +++ b/crypto/cast/asm/cast-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # This flag makes the inner loop one cycle longer, but generates # code that runs %30 faster on the pentium pro/II, 44% faster diff --git a/crypto/conf/keysets.pl b/crypto/conf/keysets.pl index a9baca4..bd14872 100644 --- a/crypto/conf/keysets.pl +++ b/crypto/conf/keysets.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $NUMBER=0x01; $UPPER=0x02; diff --git a/crypto/des/asm/crypt586.pl b/crypto/des/asm/crypt586.pl index d94528f..4affa39 100644 --- a/crypto/des/asm/crypt586.pl +++ b/crypto/des/asm/crypt586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # The inner loop instruction sequence and the IP/FP modifications are from # Svend Olaf Mikkelsen diff --git a/crypto/des/asm/des-586.pl b/crypto/des/asm/des-586.pl index e56eae4..236af07 100644 --- a/crypto/des/asm/des-586.pl +++ b/crypto/des/asm/des-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # The inner loop instruction sequence and the IP/FP modifications are from # Svend Olaf Mikkelsen diff --git a/crypto/des/asm/desboth.pl b/crypto/des/asm/desboth.pl index eec0088..aa5e9fe 100644 --- a/crypto/des/asm/desboth.pl +++ b/crypto/des/asm/desboth.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $L="edi"; $R="esi"; diff --git a/crypto/lhash/num.pl b/crypto/lhash/num.pl index 4440a99..3dad9b1 100644 --- a/crypto/lhash/num.pl +++ b/crypto/lhash/num.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl #node 10 -> 4 diff --git a/crypto/md5/asm/md5-586.pl b/crypto/md5/asm/md5-586.pl index b3b756c..3dfbdb7 100644 --- a/crypto/md5/asm/md5-586.pl +++ b/crypto/md5/asm/md5-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Normal is the # md5_block_x86(MD5_CTX *c, ULONG *X); diff --git a/crypto/md5/asm/md5-x86_64.pl b/crypto/md5/asm/md5-x86_64.pl index 8d820e1..1009711 100755 --- a/crypto/md5/asm/md5-x86_64.pl +++ b/crypto/md5/asm/md5-x86_64.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/env perl -w # # MD5 optimized for AMD64. # diff --git a/crypto/objects/obj_dat.pl b/crypto/objects/obj_dat.pl index 0bf1e48..34ecf78 100644 --- a/crypto/objects/obj_dat.pl +++ b/crypto/objects/obj_dat.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # fixes bug in floating point emulation on sparc64 when # this script produces off-by-one output on sparc64 diff --git a/crypto/objects/objects.pl b/crypto/objects/objects.pl index 107647a..a58e7c6 100644 --- a/crypto/objects/objects.pl +++ b/crypto/objects/objects.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl open (NUMIN,"$ARGV[1]") || die "Can't open number file $ARGV[1]"; $max_nid=0; diff --git a/crypto/objects/objxref.pl b/crypto/objects/objxref.pl index 7ebd74c..666b71e 100644 --- a/crypto/objects/objxref.pl +++ b/crypto/objects/objxref.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use strict; diff --git a/crypto/perlasm/cbc.pl b/crypto/perlasm/cbc.pl index 24561e7..4612638 100644 --- a/crypto/perlasm/cbc.pl +++ b/crypto/perlasm/cbc.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # void des_ncbc_encrypt(input, output, length, schedule, ivec, enc) # des_cblock (*input); diff --git a/crypto/rc5/asm/rc5-586.pl b/crypto/rc5/asm/rc5-586.pl index a0d85f2..3958bc1 100644 --- a/crypto/rc5/asm/rc5-586.pl +++ b/crypto/rc5/asm/rc5-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; push(@INC,"${dir}","${dir}../../perlasm"); diff --git a/crypto/ripemd/asm/rmd-586.pl b/crypto/ripemd/asm/rmd-586.pl index fd32a73..924cf11 100644 --- a/crypto/ripemd/asm/rmd-586.pl +++ b/crypto/ripemd/asm/rmd-586.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Normal is the # ripemd160_block_asm_data_order(RIPEMD160_CTX *c, ULONG *X,int blocks); diff --git a/ms/cmp.pl b/ms/cmp.pl index 95b257f..7e03fae 100644 --- a/ms/cmp.pl +++ b/ms/cmp.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl ($#ARGV == 1) || die "usage: cmp.pl \n"; diff --git a/os2/backwardify.pl b/os2/backwardify.pl index 272423c..55c2dec 100644 --- a/os2/backwardify.pl +++ b/os2/backwardify.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!/usr/bin/env perl -w use strict; # Use as $0 diff --git a/test/recipes/bc.pl b/test/recipes/bc.pl index 29a4a8a..6de2e8b 100644 --- a/test/recipes/bc.pl +++ b/test/recipes/bc.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/test/recipes/tconversion.pl b/test/recipes/tconversion.pl index eeb25d0..3a2fd87 100644 --- a/test/recipes/tconversion.pl +++ b/test/recipes/tconversion.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/test/run_tests.pl b/test/run_tests.pl index f7bd623..fd5819c 100644 --- a/test/run_tests.pl +++ b/test/run_tests.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl use strict; use warnings; diff --git a/util/add_cr.pl b/util/add_cr.pl index c7b62c1..825c238 100755 --- a/util/add_cr.pl +++ b/util/add_cr.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This adds a copyright message to a souce code file. # It also gets the file name correct. diff --git a/util/check-buildinfo.pl b/util/check-buildinfo.pl index f7d3baa..5e7e518 100644 --- a/util/check-buildinfo.pl +++ b/util/check-buildinfo.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl my %MINFO_source = (); diff --git a/util/ck_errf.pl b/util/ck_errf.pl index 922e5f6..8835e12 100755 --- a/util/ck_errf.pl +++ b/util/ck_errf.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This is just a quick script to scan for cases where the 'error' # function name in a XXXerr() macro is wrong. diff --git a/util/copy-if-different.pl b/util/copy-if-different.pl index ec99e08..2ab65ef 100755 --- a/util/copy-if-different.pl +++ b/util/copy-if-different.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use strict; diff --git a/util/copy.pl b/util/copy.pl index eba6d58..134503d 100644 --- a/util/copy.pl +++ b/util/copy.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl use Fcntl; diff --git a/util/dirname.pl b/util/dirname.pl index d7a66d9..2995cb9 100644 --- a/util/dirname.pl +++ b/util/dirname.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl if ($#ARGV < 0) { die "dirname.pl: too few arguments\n"; diff --git a/util/dofile.pl b/util/dofile.pl index 983778f..703d639 100644 --- a/util/dofile.pl +++ b/util/dofile.pl @@ -1,4 +1,4 @@ -#! /usr/bin/perl +#!/usr/bin/env perl # # Reads one or more template files and runs it through Text::Template # diff --git a/util/extract-names.pl b/util/extract-names.pl index 0f69335..5f1f2c4 100644 --- a/util/extract-names.pl +++ b/util/extract-names.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl $/ = ""; # Eat a paragraph at once. while() { diff --git a/util/extract-section.pl b/util/extract-section.pl index 7a0ba4f..2649e72 100644 --- a/util/extract-section.pl +++ b/util/extract-section.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl while() { if (/=for\s+comment\s+openssl_manual_section:(\S+)/) diff --git a/util/files.pl b/util/files.pl index 32e7125..3b46442 100755 --- a/util/files.pl +++ b/util/files.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # used to generate the file MINFO for use by util/mk1mf.pl # It is basically a list of all variables from the passed makefile diff --git a/util/fipslink.pl b/util/fipslink.pl index 7b16e04..a0720db 100644 --- a/util/fipslink.pl +++ b/util/fipslink.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/env perl sub check_env { diff --git a/util/mkbuildinf.pl b/util/mkbuildinf.pl index a809f71..21b86f6 100755 --- a/util/mkbuildinf.pl +++ b/util/mkbuildinf.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl my ($cflags, $platform) = @ARGV; diff --git a/util/mkdef.pl b/util/mkdef.pl index 4578c9a..ac3f962 100755 --- a/util/mkdef.pl +++ b/util/mkdef.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w # # generate a .def file # diff --git a/util/mkdir-p.pl b/util/mkdir-p.pl index e73d02b..bf054bd 100755 --- a/util/mkdir-p.pl +++ b/util/mkdir-p.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # mkdir-p.pl diff --git a/util/mkerr.pl b/util/mkerr.pl index 4fd5520..f0dca2c 100644 --- a/util/mkerr.pl +++ b/util/mkerr.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w my $config = "crypto/err/openssl.ec"; my $hprefix = "openssl/"; diff --git a/util/mkfiles.pl b/util/mkfiles.pl index 0e4f71e..e8c2d01 100755 --- a/util/mkfiles.pl +++ b/util/mkfiles.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This is a hacked version of files.pl for systems that can't do a 'make files'. # Do a perl util/mkminfo.pl >MINFO to build MINFO diff --git a/util/perlpath.pl b/util/perlpath.pl index a1f236b..517f326 100755 --- a/util/perlpath.pl +++ b/util/perlpath.pl @@ -1,6 +1,6 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # -# modify the '#!/usr/local/bin/perl' +# modify the '#!/usr/bin/env perl' # line in all scripts that rely on perl. # diff --git a/util/pl/BC-32.pl b/util/pl/BC-32.pl index ef21b58..a21da2f 100644 --- a/util/pl/BC-32.pl +++ b/util/pl/BC-32.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # Borland C++ builder 3 and 4 -- Janez Jere # diff --git a/util/pl/Mingw32.pl b/util/pl/Mingw32.pl index 55c85f6..feab3e2 100644 --- a/util/pl/Mingw32.pl +++ b/util/pl/Mingw32.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # Mingw32.pl -- Mingw # diff --git a/util/pl/OS2-EMX.pl b/util/pl/OS2-EMX.pl index 92a332e..5f54d36 100644 --- a/util/pl/OS2-EMX.pl +++ b/util/pl/OS2-EMX.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # OS2-EMX.pl - for EMX GCC on OS/2 # diff --git a/util/pl/VC-32.pl b/util/pl/VC-32.pl index 8ed6508..7750644 100644 --- a/util/pl/VC-32.pl +++ b/util/pl/VC-32.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # VC-32.pl - unified script for Microsoft Visual C++, covering Win32, # Win64 and WinCE [follow $FLAVOR variable to trace the differences]. # diff --git a/util/pl/linux.pl b/util/pl/linux.pl index cb5dd59..054b825 100644 --- a/util/pl/linux.pl +++ b/util/pl/linux.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # linux.pl - the standard unix makefile stuff. # diff --git a/util/pl/ultrix.pl b/util/pl/ultrix.pl index 2cccd11..d5b14d1 100644 --- a/util/pl/ultrix.pl +++ b/util/pl/ultrix.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # linux.pl - the standard unix makefile stuff. # diff --git a/util/pl/unix.pl b/util/pl/unix.pl index 6add39a..2693287 100644 --- a/util/pl/unix.pl +++ b/util/pl/unix.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # unix.pl - the standard unix makefile stuff. # diff --git a/util/selftest.pl b/util/selftest.pl index 06d494a..803115e 100644 --- a/util/selftest.pl +++ b/util/selftest.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl -w +#!/usr/bin/env perl -w # # Run the test suite and generate a report # diff --git a/util/sp-diff.pl b/util/sp-diff.pl index 57e635b..8997110 100755 --- a/util/sp-diff.pl +++ b/util/sp-diff.pl @@ -1,4 +1,4 @@ -#!/usr/local/bin/perl +#!/usr/bin/env perl # # This file takes as input, the files that have been output from # ssleay speed. From rt at openssl.org Sun Mar 13 10:45:36 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 10:45:36 +0000 Subject: [openssl-dev] [openssl.org #4412] Debian and ARM32 (armv7l): fatal error: arm_arch.h: No such file or directory In-Reply-To: References: Message-ID: Great, thank you. Closing ticket. Vid Sun, 13 Mar 2016 kl. 04.41.20, skrev noloader at gmail.com: > I think this was closed earlier... retesting at 4c1cf7e confirmed the > issue was cleared. > > On Thu, Mar 10, 2016 at 3:41 PM, noloader at gmail.com via RT > wrote: > > Working from Master on a BeagleBone Black... > > > > $ git reset --hard HEAD && git pull > > HEAD is now at 0d4d5ab check reviewer --reviewer=emilia > > Already up-to-date. > > > > $ ./config > > ... > > $ make depend && make clean && make > > ... > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT > > -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM > > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > > -DOPENSSLDIR="\"/usr/local/ssl\"" > > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread > > -march=armv7-a -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include > > -Icrypto -MMD -MF crypto/aes/aesv8-armx.d.tmp -MT > > crypto/aes/aesv8-armx.o -c -o crypto/aes/aesv8-armx.o > > crypto/aes/aesv8-armx.s > > gcc -E crypto/aes/bsaes-armv7.S > crypto/aes/bsaes-armv7.s > > crypto/aes/bsaes-armv7.S:50:23: fatal error: arm_arch.h: No such file > > or directory > > # include "arm_arch.h" > > ^ > > compilation terminated. > > : recipe for target 'crypto/aes/bsaes-armv7.s' failed > > make: *** [crypto/aes/bsaes-armv7.s] Error 1 > > > > ... > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4412 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 10:48:46 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 10:48:46 +0000 Subject: [openssl-dev] [openssl.org #4421] Make clean leaving tmp.bak artifacts In-Reply-To: References: Message-ID: Could you check again? I believe it should have been fixed when I did away with `sed` for dependency post-processing. Vid Sun, 13 Mar 2016 kl. 10.22.15, skrev noloader at gmail.com: > $ make clean && find . -name '*tmp.bak' | wc -l > rm -f > rm -f > rm -f libcrypto.a libssl.a > ... > rm -f `find . -name '*.d'` > rm -f `find . -name '*.o'` > rm -f core > rm -f tags TAGS > rm -f openssl.pc libcrypto.pc libssl.pc > rm -f `find . -type l` > rm -f ../openssl-1.1.0-pre4-dev.tar > > 755 > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4421 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 10:57:22 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Sun, 13 Mar 2016 10:57:22 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: <20160313105718.GA26936@roeckx.be> References: <20160313105718.GA26936@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 10:30:54AM +0000, noloader at gmail.com via RT wrote: > crypto/blake2/blake2b.c:27: warning: integer constant is too large for > 'unsigned long' type That's a uint64_t. Why do you have an "unsigned long" as 64 bit uint64_t? Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 10:58:10 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 06:58:10 -0400 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 6:14 AM, Richard Levitte via RT wrote: > Identified and corrected, waiting to pass internal review. I've attached the > fix for your viewing and application before it lands in master. > It looks like the change was pushed with 6d505f2. It tested OK under both 32-bit and 64-bit PoweMac. From rt at openssl.org Sun Mar 13 10:58:12 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 10:58:12 +0000 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 6:14 AM, Richard Levitte via RT wrote: > Identified and corrected, waiting to pass internal review. I've attached the > fix for your viewing and application before it lands in master. > It looks like the change was pushed with 6d505f2. It tested OK under both 32-bit and 64-bit PoweMac. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4419 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 11:06:38 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 11:06:38 +0000 Subject: [openssl-dev] [openssl.org #4419] OS X, 32-bit PowerPC: Makefile:4398: *** unterminated variable reference. Stop. In-Reply-To: References: Message-ID: Thank you. Closing Vid Sun, 13 Mar 2016 kl. 10.58.12, skrev noloader at gmail.com: > On Sun, Mar 13, 2016 at 6:14 AM, Richard Levitte via RT > wrote: > > Identified and corrected, waiting to pass internal review. I've > > attached the > > fix for your viewing and application before it lands in master. > > > > It looks like the change was pushed with 6d505f2. > > It tested OK under both 32-bit and 64-bit PoweMac. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4419 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 11:15:52 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 07:15:52 -0400 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: <20160313105718.GA26936@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 6:57 AM, Kurt Roeckx via RT wrote: > On Sun, Mar 13, 2016 at 10:30:54AM +0000, noloader at gmail.com via RT wrote: >> crypto/blake2/blake2b.c:27: warning: integer constant is too large for >> 'unsigned long' type > > That's a uint64_t. Why do you have an "unsigned long" as 64 bit > uint64_t? > Hmmm... Not sure. Looking at the declaration: static const uint64_t blake2b_IV[8] = { 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U }; I've run into this before, but in C++. I think you need ULL, and not U. But I don't know if it will adversely affect other compilers and platforms. $ diff --git a/crypto/blake2/blake2b.c b/crypto/blake2/blake2b.c index 6219490..aa0e814 100644 --- a/crypto/blake2/blake2b.c +++ b/crypto/blake2/blake2b.c @@ -24,10 +24,10 @@ static const uint64_t blake2b_IV[8] = { - 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, - 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, - 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, - 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL }; $ make crypto/blake2/blake2b.o cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/blake2/blake2b.d.tmp -MT crypto/blake2/blake2b.o -c -o crypto/blake2/blake2b.o crypto/blake2/blake2b.c $ ********** For completeness... I configured with 'KERNEL_BITS=32 ./config', but that should not affect uint64_t. Maybe its a GCC 4.0.1 issue? $ find /usr/include -name stdint.h /usr/include/gcc/darwin/4.0/stdint.h /usr/include/gcc/darwin/4.2/stdint.h /usr/include/stdint.h Then: $ grep -B 2 -A2 uint64_t /usr/include/gcc/darwin/4.0/stdint.h #ifndef _UINT64_T #define _UINT64_T typedef unsigned long long uint64_t; #endif /* _UINT64_T */ ... $ grep -B 2 -A2 uint64_t /usr/include/gcc/darwin/4.2/stdint.h #ifndef _UINT64_T #define _UINT64_T typedef unsigned long long uint64_t; #endif /* _UINT64_T */ $ grep -B 2 -A2 uint64_t /usr/include/stdint.h #ifndef _UINT64_T #define _UINT64_T typedef unsigned long long uint64_t; #endif /* _UINT64_T */ From rt at openssl.org Sun Mar 13 11:16:02 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 11:16:02 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: <20160313105718.GA26936@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 6:57 AM, Kurt Roeckx via RT wrote: > On Sun, Mar 13, 2016 at 10:30:54AM +0000, noloader at gmail.com via RT wrote: >> crypto/blake2/blake2b.c:27: warning: integer constant is too large for >> 'unsigned long' type > > That's a uint64_t. Why do you have an "unsigned long" as 64 bit > uint64_t? > Hmmm... Not sure. Looking at the declaration: static const uint64_t blake2b_IV[8] = { 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U }; I've run into this before, but in C++. I think you need ULL, and not U. But I don't know if it will adversely affect other compilers and platforms. $ diff --git a/crypto/blake2/blake2b.c b/crypto/blake2/blake2b.c index 6219490..aa0e814 100644 --- a/crypto/blake2/blake2b.c +++ b/crypto/blake2/blake2b.c @@ -24,10 +24,10 @@ static const uint64_t blake2b_IV[8] = { - 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, - 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, - 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, - 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL }; $ make crypto/blake2/blake2b.o cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/blake2/blake2b.d.tmp -MT crypto/blake2/blake2b.o -c -o crypto/blake2/blake2b.o crypto/blake2/blake2b.c $ ********** For completeness... I configured with 'KERNEL_BITS=32 ./config', but that should not affect uint64_t. Maybe its a GCC 4.0.1 issue? $ find /usr/include -name stdint.h /usr/include/gcc/darwin/4.0/stdint.h /usr/include/gcc/darwin/4.2/stdint.h /usr/include/stdint.h Then: $ grep -B 2 -A2 uint64_t /usr/include/gcc/darwin/4.0/stdint.h #ifndef _UINT64_T #define _UINT64_T typedef unsigned long long uint64_t; #endif /* _UINT64_T */ ... $ grep -B 2 -A2 uint64_t /usr/include/gcc/darwin/4.2/stdint.h #ifndef _UINT64_T #define _UINT64_T typedef unsigned long long uint64_t; #endif /* _UINT64_T */ $ grep -B 2 -A2 uint64_t /usr/include/stdint.h #ifndef _UINT64_T #define _UINT64_T typedef unsigned long long uint64_t; #endif /* _UINT64_T */ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 11:19:37 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 07:19:37 -0400 Subject: [openssl-dev] [openssl.org #4421] Make clean leaving tmp.bak artifacts In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 6:48 AM, Richard Levitte via RT wrote: > Could you check again? I believe it should have been fixed when I did away with > `sed` for dependency post-processing. > Yes, you're right. My bad. Close it. From rt at openssl.org Sun Mar 13 11:19:46 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 11:19:46 +0000 Subject: [openssl-dev] [openssl.org #4421] Make clean leaving tmp.bak artifacts In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 6:48 AM, Richard Levitte via RT wrote: > Could you check again? I believe it should have been fixed when I did away with > `sed` for dependency post-processing. > Yes, you're right. My bad. Close it. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4421 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 11:23:54 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 07:23:54 -0400 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: <20160313105718.GA26936@roeckx.be> Message-ID: > static const uint64_t blake2b_IV[8] = > { > 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > }; > > I've run into this before, but in C++. I think you need ULL, and not > U. But I don't know if it will adversely affect other compilers and > platforms. > > $ diff --git a/crypto/blake2/blake2b.c b/crypto/blake2/blake2b.c > index 6219490..aa0e814 100644 > --- a/crypto/blake2/blake2b.c > +++ b/crypto/blake2/blake2b.c > @@ -24,10 +24,10 @@ > > static const uint64_t blake2b_IV[8] = > { > - 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > - 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > - 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > - 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, > + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, > + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, > + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL > }; It looks like the ULL suffix should be safe today; cf, http://stackoverflow.com/q/9606455. It looks like its safe in c89 mode, too: $ KERNEL_BITS=32 ./config -std=c89 && make crypto/blake2/blake2b.o Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin-ppc-cc ... cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -std=c89 -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/blake2/blake2b.d.tmp -MT crypto/blake2/blake2b.o -c -o crypto/blake2/blake2b.o crypto/blake2/blake2b.c $ From rt at openssl.org Sun Mar 13 11:24:03 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 11:24:03 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: <20160313105718.GA26936@roeckx.be> Message-ID: > static const uint64_t blake2b_IV[8] = > { > 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > }; > > I've run into this before, but in C++. I think you need ULL, and not > U. But I don't know if it will adversely affect other compilers and > platforms. > > $ diff --git a/crypto/blake2/blake2b.c b/crypto/blake2/blake2b.c > index 6219490..aa0e814 100644 > --- a/crypto/blake2/blake2b.c > +++ b/crypto/blake2/blake2b.c > @@ -24,10 +24,10 @@ > > static const uint64_t blake2b_IV[8] = > { > - 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > - 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > - 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > - 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, > + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, > + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, > + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL > }; It looks like the ULL suffix should be safe today; cf, http://stackoverflow.com/q/9606455. It looks like its safe in c89 mode, too: $ KERNEL_BITS=32 ./config -std=c89 && make crypto/blake2/blake2b.o Operating system: ppc-apple-darwinDarwin Kernel Version 9.8.0: Wed Jul 15 16:57:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_PPC Configuring for darwin-ppc-cc ... cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DVPAES_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL -std=c89 -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/blake2/blake2b.d.tmp -MT crypto/blake2/blake2b.o -c -o crypto/blake2/blake2b.o crypto/blake2/blake2b.c $ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From kurt at roeckx.be Sun Mar 13 11:24:06 2016 From: kurt at roeckx.be (Kurt Roeckx) Date: Sun, 13 Mar 2016 12:24:06 +0100 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: <20160313105718.GA26936@roeckx.be> Message-ID: <20160313112406.GA32632@roeckx.be> On Sun, Mar 13, 2016 at 07:15:52AM -0400, Jeffrey Walton wrote: > On Sun, Mar 13, 2016 at 6:57 AM, Kurt Roeckx via RT wrote: > > On Sun, Mar 13, 2016 at 10:30:54AM +0000, noloader at gmail.com via RT wrote: > >> crypto/blake2/blake2b.c:27: warning: integer constant is too large for > >> 'unsigned long' type > > > > That's a uint64_t. Why do you have an "unsigned long" as 64 bit > > uint64_t? > > > > Hmmm... Not sure. > > Looking at the declaration: > > static const uint64_t blake2b_IV[8] = > { > 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > }; > > I've run into this before, but in C++. I think you need ULL, and not > U. But I don't know if it will adversely affect other compilers and > platforms. So I guess where in the situation where "U" is not supported by some compilers and "ULL" not by others, where both should be valid. Kurt From rt at openssl.org Sun Mar 13 11:24:10 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Sun, 13 Mar 2016 11:24:10 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: <20160313112406.GA32632@roeckx.be> References: <20160313105718.GA26936@roeckx.be> <20160313112406.GA32632@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 07:15:52AM -0400, Jeffrey Walton wrote: > On Sun, Mar 13, 2016 at 6:57 AM, Kurt Roeckx via RT wrote: > > On Sun, Mar 13, 2016 at 10:30:54AM +0000, noloader at gmail.com via RT wrote: > >> crypto/blake2/blake2b.c:27: warning: integer constant is too large for > >> 'unsigned long' type > > > > That's a uint64_t. Why do you have an "unsigned long" as 64 bit > > uint64_t? > > > > Hmmm... Not sure. > > Looking at the declaration: > > static const uint64_t blake2b_IV[8] = > { > 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > }; > > I've run into this before, but in C++. I think you need ULL, and not > U. But I don't know if it will adversely affect other compilers and > platforms. So I guess where in the situation where "U" is not supported by some compilers and "ULL" not by others, where both should be valid. Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 11:27:19 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 07:27:19 -0400 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: <20160313112406.GA32632@roeckx.be> References: <20160313105718.GA26936@roeckx.be> <20160313112406.GA32632@roeckx.be> Message-ID: >> static const uint64_t blake2b_IV[8] = >> { >> 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, >> 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, >> 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, >> 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U >> }; >> >> I've run into this before, but in C++. I think you need ULL, and not >> U. But I don't know if it will adversely affect other compilers and >> platforms. > > So I guess where in the situation where "U" is not supported by > some compilers and "ULL" not by others, where both should be > valid. I'm guessing GCC 4.0.1 is using an intermediate 32-bit value when it encounters the U. Its triggering a warning, but its not causing a failure of the self test (presuming there's good code coverage). Also see http://gcc.gnu.org/onlinedocs/gcc/Long-Long.html. Jeff From rt at openssl.org Sun Mar 13 11:27:23 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 11:27:23 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: References: <20160313105718.GA26936@roeckx.be> <20160313112406.GA32632@roeckx.be> Message-ID: >> static const uint64_t blake2b_IV[8] = >> { >> 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, >> 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, >> 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, >> 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U >> }; >> >> I've run into this before, but in C++. I think you need ULL, and not >> U. But I don't know if it will adversely affect other compilers and >> platforms. > > So I guess where in the situation where "U" is not supported by > some compilers and "ULL" not by others, where both should be > valid. I'm guessing GCC 4.0.1 is using an intermediate 32-bit value when it encounters the U. Its triggering a warning, but its not causing a failure of the self test (presuming there's good code coverage). Also see http://gcc.gnu.org/onlinedocs/gcc/Long-Long.html. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 11:40:22 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Sun, 13 Mar 2016 11:40:22 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: <20160313114019.GA446@roeckx.be> References: <20160313105718.GA26936@roeckx.be> <20160313112406.GA32632@roeckx.be> <20160313114019.GA446@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 11:27:23AM +0000, noloader at gmail.com via RT wrote: > >> static const uint64_t blake2b_IV[8] = > >> { > >> 0x6a09e667f3bcc908U, 0xbb67ae8584caa73bU, > >> 0x3c6ef372fe94f82bU, 0xa54ff53a5f1d36f1U, > >> 0x510e527fade682d1U, 0x9b05688c2b3e6c1fU, > >> 0x1f83d9abfb41bd6bU, 0x5be0cd19137e2179U > >> }; > >> > >> I've run into this before, but in C++. I think you need ULL, and not > >> U. But I don't know if it will adversely affect other compilers and > >> platforms. > > > > So I guess where in the situation where "U" is not supported by > > some compilers and "ULL" not by others, where both should be > > valid. > > I'm guessing GCC 4.0.1 is using an intermediate 32-bit value when it > encounters the U. Its triggering a warning, but its not causing a > failure of the self test (presuming there's good code coverage). > > Also see http://gcc.gnu.org/onlinedocs/gcc/Long-Long.html. If you look at: http://en.cppreference.com/w/c/language/integer_constant You'll see that "U" can be "unsigned int", "unsigned long int" or "unsigned long long int". "ULL" just forces it to an unsigned long long. It might be that in C89/C90 mode it gives a warning about it and that in C99 it should work, don't know enough about this. But since this compiles and passes the test suite for you I think I'll ignore it. Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 11:56:30 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 11:56:30 +0000 Subject: [openssl-dev] [openssl.org #4421] Make clean leaving tmp.bak artifacts In-Reply-To: References: Message-ID: Vid Sun, 13 Mar 2016 kl. 11.19.45, skrev noloader at gmail.com: > On Sun, Mar 13, 2016 at 6:48 AM, Richard Levitte via RT > wrote: > > Could you check again? I believe it should have been fixed when I did > > away with > > `sed` for dependency post-processing. > > > > Yes, you're right. My bad. No problem, just making sure. > Close it. Yup. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4421 Please log in as guest with password guest if prompted From doctor at doctor.nl2k.ab.ca Sun Mar 13 12:32:11 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Sun, 13 Mar 2016 06:32:11 -0600 Subject: [openssl-dev] Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: References: <20160312201402.GA13400@doctor.nl2k.ab.ca> Message-ID: <20160313123211.GA24618@doctor.nl2k.ab.ca> On Sat, Mar 12, 2016 at 08:22:47PM +0000, Salz, Rich wrote: > > > make: don't know how to make > > crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > > > > This was working yesterday. > > And it will probably work again by tomorrow :) > > Please include your config/setup command when you report things. > > Please don't be surprised if a daily snapshot is broken for a day, consider waiting a day or two to see if the problem is fixed. > > This is not the first time we've asked for this. Now add Openssl-SNAP-20160313 issues /bin/sh ../configopenssl11 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug-backtrace [option] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-sctp [option] OPENSSL_NO_SCTP (skip dir) no-sse2 [option] no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) Configuring for debug-bsdi-x86-elf IsMK1MF =no CC =gcc CFLAG =-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_PART_WORDS OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM RMD160_ASM AES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG =-ldl -lgmp -lm -lc -lz PLIB_LFLAG = EX_LIBS = APPS_OBJ = CPUID_OBJ =mem_clr.o UPLINK_OBJ = BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86.o DES_ENC =des-586.o crypt586.o AES_ENC =aes-586.o BF_ENC =bf-586.o CAST_ENC =c_enc.o RC4_ENC =rc4-586.o RC5_ENC =rc5-586.o MD5_OBJ_ASM =md5-586.o SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o RMD160_OBJ_ASM=rmd-586.o CMLL_ENC =cmll-x86.o MODES_OBJ =ghash-x86.o PADLOCK_OBJ =e_padlock-x86.o CHACHA_ENC =chacha-x86.o POLY1305_OBJ =poly1305-x86.o BLAKE2_OBJ = PROCESSOR =386 RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl5 THIRTY_TWO_BIT mode BN_LLONG mode Configured for debug-bsdi-x86-elf. ( cd .; /usr/bin/perl5 util/ck_errf.pl -strict */*.c */*/*.c ) crypto/ex_data.c:254:crypto_get_ex_new_index:get_and_lock FATAL: error discrepancy *** Error code 1 Stop. ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160313$ less ../configopenssl11 ./Configure \ 386 \ threads \ shared \ no-sse2 \ enable-srtp \ no-sctp \ no-crypto-mdebug-backtrace \ enable-capieng \ enable-crypto-mdebug \ enable-seed \ enable-ssl-trace \ enable-camellia \ enable-rfc3779 enable-mdc2 enable-md5 \ enable-rc5 \ enable-unit-test \ enable-dh \ enable-bf \ enable-cast \ enable-chacha \ enable-cmac \ enable-cms \ enable-ct \ enable-des \ enable-dsa \ enable-dso \ enable-ec \ enable-engine \ enable-err\ enable-hmac \ enable-poly1305 \ enable-rsa \ enable-sha \ enable-srp \ enable-aes \ enable-egd \ enable-zlib \ zlib-dynamic \ --prefix=/usr/contrib \ --openssldir=/usr/contrib debug-bsdi-x86-elf ; make update; make depend and what is debug-bsdi-x86-elf? "debug-bsdi-x86-elf" => { inherit_from => [ asm("x86_elf_asm") ], cc => "gcc", cflags => "-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g", thread_cflag => "-pthread -D_THREAD_SAFE -D_REENTRANT", lflags => "-ldl -lgmp -lm -lc -lz", bn_ops => "THIRTY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ", dso_scheme => "dlfcn", shared_target => "bsd-gcc-shared", shared_cflag => "-fPIC", shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", }, I have to drop this each day in Configurations/10-main.conf > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From rich at kde.org Sun Mar 13 13:34:45 2016 From: rich at kde.org (Richard Moore) Date: Sun, 13 Mar 2016 13:34:45 +0000 Subject: [openssl-dev] API Problems in current master Message-ID: I'm currently testing the new release by trying to port Qt to use it (with the compatibility stuff disabled). Here are the first problems I've hit: How do we get the certificate serial number? We were doing x509->cert_info->serialNumber to get it as an ASN1_INTEGER. https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_type.html says: "EVP_PKEY_type() returns the type of key corresponding to the value type. The type of a key can be obtained with EVP_PKEY_type(pkey->type)." except it can't because the structure is now opaque. Cheers Rich. -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Sun Mar 13 13:53:17 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 13 Mar 2016 14:53:17 +0100 (CET) Subject: [openssl-dev] Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160313123211.GA24618@doctor.nl2k.ab.ca> References: <20160312201402.GA13400@doctor.nl2k.ab.ca> <20160313123211.GA24618@doctor.nl2k.ab.ca> Message-ID: <20160313.145317.1352296580688800557.levitte@openssl.org> In message <20160313123211.GA24618 at doctor.nl2k.ab.ca> on Sun, 13 Mar 2016 06:32:11 -0600, The Doctor said: doctor> On Sat, Mar 12, 2016 at 08:22:47PM +0000, Salz, Rich wrote: doctor> > doctor> > > make: don't know how to make doctor> > > crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop doctor> > > doctor> > > This was working yesterday. doctor> > doctor> > And it will probably work again by tomorrow :) doctor> > doctor> > Please include your config/setup command when you report things. doctor> > doctor> > Please don't be surprised if a daily snapshot is broken for a day, consider waiting a day or two to see if the problem is fixed. doctor> > doctor> > This is not the first time we've asked for this. doctor> doctor> Now add Openssl-SNAP-20160313 issues doctor> doctor> /bin/sh ../configopenssl11 doctor> Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) doctor> no-crypto-mdebug-backtrace [option] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) doctor> no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) doctor> no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) doctor> no-md2 [default] OPENSSL_NO_MD2 (skip dir) doctor> no-sctp [option] OPENSSL_NO_SCTP (skip dir) doctor> no-sse2 [option] doctor> no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) doctor> no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) doctor> no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) doctor> no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) doctor> Configuring for debug-bsdi-x86-elf doctor> IsMK1MF =no doctor> CC =gcc doctor> CFLAG =-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g doctor> SHARED_CFLAG =-fPIC doctor> DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_PART_WORDS OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM RMD160_ASM AES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM doctor> LFLAG =-ldl -lgmp -lm -lc -lz doctor> PLIB_LFLAG = doctor> EX_LIBS = doctor> APPS_OBJ = doctor> CPUID_OBJ =mem_clr.o doctor> UPLINK_OBJ = doctor> BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o doctor> EC_ASM =ecp_nistz256.o ecp_nistz256-x86.o doctor> DES_ENC =des-586.o crypt586.o doctor> AES_ENC =aes-586.o doctor> BF_ENC =bf-586.o doctor> CAST_ENC =c_enc.o doctor> RC4_ENC =rc4-586.o doctor> RC5_ENC =rc5-586.o doctor> MD5_OBJ_ASM =md5-586.o doctor> SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o doctor> RMD160_OBJ_ASM=rmd-586.o doctor> CMLL_ENC =cmll-x86.o doctor> MODES_OBJ =ghash-x86.o doctor> PADLOCK_OBJ =e_padlock-x86.o doctor> CHACHA_ENC =chacha-x86.o doctor> POLY1305_OBJ =poly1305-x86.o doctor> BLAKE2_OBJ = doctor> PROCESSOR =386 doctor> RANLIB =/usr/bin/ranlib doctor> ARFLAGS = doctor> PERL =/usr/bin/perl5 doctor> doctor> THIRTY_TWO_BIT mode doctor> BN_LLONG mode doctor> doctor> Configured for debug-bsdi-x86-elf. doctor> ( cd .; /usr/bin/perl5 util/ck_errf.pl -strict */*.c */*/*.c ) doctor> crypto/ex_data.c:254:crypto_get_ex_new_index:get_and_lock doctor> FATAL: error discrepancy doctor> *** Error code 1 Thank you, that is indeed something still lingering. Will be fixed. doctor> Stop. doctor> ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160313$ less ../configopenssl11 doctor> ./Configure \ doctor> 386 \ doctor> threads \ doctor> shared \ doctor> no-sse2 \ doctor> enable-srtp \ doctor> no-sctp \ doctor> no-crypto-mdebug-backtrace \ doctor> enable-capieng \ doctor> enable-crypto-mdebug \ doctor> enable-seed \ doctor> enable-ssl-trace \ doctor> enable-camellia \ doctor> enable-rfc3779 enable-mdc2 enable-md5 \ doctor> enable-rc5 \ doctor> enable-unit-test \ doctor> enable-dh \ doctor> enable-bf \ doctor> enable-cast \ doctor> enable-chacha \ doctor> enable-cmac \ doctor> enable-cms \ doctor> enable-ct \ doctor> enable-des \ doctor> enable-dsa \ doctor> enable-dso \ doctor> enable-ec \ doctor> enable-engine \ doctor> enable-err\ doctor> enable-hmac \ doctor> enable-poly1305 \ doctor> enable-rsa \ doctor> enable-sha \ doctor> enable-srp \ doctor> enable-aes \ doctor> enable-egd \ doctor> enable-zlib \ doctor> zlib-dynamic \ doctor> --prefix=/usr/contrib \ doctor> --openssldir=/usr/contrib debug-bsdi-x86-elf ; make update; make depend doctor> doctor> and what is debug-bsdi-x86-elf? doctor> doctor> "debug-bsdi-x86-elf" => { doctor> inherit_from => [ asm("x86_elf_asm") ], doctor> cc => "gcc", doctor> cflags => "-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer doctor> -O2 -march=i486 -Wall -g", doctor> thread_cflag => "-pthread -D_THREAD_SAFE -D_REENTRANT", doctor> lflags => "-ldl -lgmp -lm -lc -lz", doctor> bn_ops => "THIRTY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ", doctor> dso_scheme => "dlfcn", doctor> shared_target => "bsd-gcc-shared", doctor> shared_cflag => "-fPIC", doctor> shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", doctor> }, doctor> doctor> doctor> I have to drop this each day in doctor> doctor> Configurations/10-main.conf Why do you have to drop in that file? I suggest you make your own, for example Configurations/20-doctor.conf. That one will be picked up along with the rest. Also, if I may suggest, the "debug-" prefix is antiquated and has been replaced with the '-d' option to 'config', which will use additional debug flags where appropriate. Unfortunately, the "bsdi-elf-gcc" config has never had any debug variant to my knowledge, so I fully understand your need there. The config you have put together has a lot of similarities with the "BSD-x86-elf" one, with just a few additions, so it could be made much simpler like this: "bsdi-x86-elf" => { inherit_from => [ "BSD-x86-elf" ], cflags => add(picker(default => "-DPERL5 -DTERMIOS -march=i486", debug => "-O2")), lflags => add("-ldl -lgmp -lm -lc"), }, Note the 'debug => ...' line... which flags will be added to the cflags when you run './config' with the option '-d'. All that I have removed is there in BSD-x86-elf, or default in the case of the bn_ops (except for THIRTY_TWO_BIT_LONG that simply doesn't exist and is silently ignored). Note that '-lz' is added automatically when you enable zlib, which your script does. You may have copy copy the function 'picker' from that start of 10-main.conf. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Sun Mar 13 14:09:34 2016 From: rt at openssl.org (Olaf Kirfel via RT) Date: Sun, 13 Mar 2016 14:09:34 +0000 Subject: [openssl-dev] [openssl.org #4424] openssl 1.0.2.g and Indy-Procjet In-Reply-To: <56E522F8.6090409@web.de> References: <56E522F8.6090409@web.de> Message-ID: Hallo I am using Embarcadero/Borland C++-Builder for my personal interest and I have the problem, that after the update to openssl 1.0.2g the indy-components are not working. They are delivering an error message like "ssl-security library could not be loaded" (I tried to translate it, sorry). I read, that the reason might be, that you turn off the support for SSL2. I guess, the problem seems to be, that you removed some functions from the library, so older software seems not to be able to load the dll, even though one is trying to use SSL3. Is there a way that you just add the old function-bodies and let them return an error-code? By that one would be able to use the old indy-components with SSL3. If my assumption is wrong, sorry. With best regards Olaf Kirfel -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4424 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Sun Mar 13 14:41:21 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Sun, 13 Mar 2016 15:41:21 +0100 Subject: [openssl-dev] API Problems in current master In-Reply-To: References: Message-ID: <56E57C11.1090202@kippdata.de> Am 13.03.2016 um 14:34 schrieb Richard Moore: > I'm currently testing the new release by trying to port Qt to use it > (with the compatibility stuff disabled). Here are the first problems > I've hit: > > How do we get the certificate serial number? We were doing > x509->cert_info->serialNumber to get it as an ASN1_INTEGER. ASN1_INTEGER *X509_get_serialNumber(X509 *x); implemented in crypto/x509/x509_cmp.c: ASN1_INTEGER *X509_get_serialNumber(X509 *a) { return &a->cert_info.serialNumber; } > https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_type.html says: > "EVP_PKEY_type() returns the type of key corresponding to the value > type. The type of a key can be obtained with EVP_PKEY_type(pkey->type)." > except it can't > because the structure is now opaque. The docs should be fixed, but there's: int EVP_PKEY_id(const EVP_PKEY *pkey); int EVP_PKEY_base_id(const EVP_PKEY *pkey); implemented in crypto/evp/p_lib.c: int EVP_PKEY_id(const EVP_PKEY *pkey) { return pkey->type; } int EVP_PKEY_base_id(const EVP_PKEY *pkey) { return EVP_PKEY_type(pkey->type); } HTH Regards, Rainer From rt at openssl.org Sun Mar 13 15:22:19 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Sun, 13 Mar 2016 15:22:19 +0000 Subject: [openssl-dev] [openssl.org #4424] openssl 1.0.2.g and Indy-Procjet In-Reply-To: <20160313152213.GA31183@roeckx.be> References: <56E522F8.6090409@web.de> <20160313152213.GA31183@roeckx.be> Message-ID: On Sun, Mar 13, 2016 at 02:09:34PM +0000, Olaf Kirfel via RT wrote: > Hallo > I am using Embarcadero/Borland C++-Builder for my personal interest and > I have the problem, that after the update to openssl 1.0.2g the > indy-components are not working. > They are delivering an error message like "ssl-security library could > not be loaded" (I tried to translate it, sorry). > > I read, that the reason might be, that you turn off the support for SSL2. > I guess, the problem seems to be, that you removed some functions from > the library, so older software seems not to be able to load the dll, > even though one is trying to use SSL3. > > Is there a way that you just add the old function-bodies and let them > return an error-code? > By that one would be able to use the old indy-components with SSL3. The SSLv2 functions were removed, but they should come back in the next version. You could use a current git snapshot for this. Also, you should stop using SSLv3. You want to use TLS 1.2. Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4424 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Sun Mar 13 21:34:23 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sun, 13 Mar 2016 17:34:23 -0400 Subject: [openssl-dev] API Problems in current master In-Reply-To: <56E57C11.1090202@kippdata.de> References: <56E57C11.1090202@kippdata.de> Message-ID: <79923FBC-CED6-43EF-ACF6-B8ED11DEF82D@dukhovni.org> > On Mar 13, 2016, at 10:41 AM, Rainer Jung wrote: > > The docs should be fixed, but there's: > > int EVP_PKEY_id(const EVP_PKEY *pkey); > int EVP_PKEY_base_id(const EVP_PKEY *pkey); Thanks for the nudge: https://github.com/openssl/openssl/commit/b36a2efd55078a5fff32b2755046b23cb3c5d8a3 -- Viktor. From rt at openssl.org Sun Mar 13 21:44:18 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 21:44:18 +0000 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: This is kind of odd... Working from Master at b36a2ef. It appears Configure is trying to create the directory "/include" rather than "$PWD/include". $ git clone ... $ ls -Al | grep openssl drwxrwxr-x 19 jwalton jwalton 4096 Mar 13 17:37 openssl $ cd openssl $ ./config Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 mkdir /include: Permission denied at ./Configure line 1248 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4425 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 22:05:21 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 22:05:21 +0000 Subject: [openssl-dev] [openssl.org #4426] Re: CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: Line 1248 is the 'mkpath' below. sub cleandir { my $base = shift; my $dir = shift; my $relativeto = shift || "."; $dir = catdir($base,$dir) unless isabsolute($dir); # Make sure the directories we're building in exists mkpath($dir); my $res = abs2rel(absolutedir($dir), rel2abs($relativeto)); #print STDERR "DEBUG[cleandir]: $dir , $base => $res\n"; return $res; } $ perl --version This is perl, v5.8.8 built for x86_64-linux-thread-multi $ sed --version GNU sed version 4.1.5 $ awk --version GNU Awk 3.1.5 On Sun, Mar 13, 2016 at 5:44 PM, Jeffrey Walton wrote: > This is kind of odd... Working from Master at b36a2ef. > > It appears Configure is trying to create the directory "/include" > rather than "$PWD/include". > > $ git clone ... > $ ls -Al | grep openssl > drwxrwxr-x 19 jwalton jwalton 4096 Mar 13 17:37 openssl > > $ cd openssl > $ ./config > Operating system: x86_64-whatever-linux2 > Configuring for linux-x86_64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-x86_64 > mkdir /include: Permission denied at ./Configure line 1248 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4426 Please log in as guest with password guest if prompted From richmoore44 at gmail.com Sun Mar 13 22:29:25 2016 From: richmoore44 at gmail.com (Richard Moore) Date: Sun, 13 Mar 2016 22:29:25 +0000 Subject: [openssl-dev] API Problems in current master In-Reply-To: <56E57C11.1090202@kippdata.de> References: <56E57C11.1090202@kippdata.de> Message-ID: That's great, thanks Rainer. I'll give those a try. Rich. On 13 March 2016 at 14:41, Rainer Jung wrote: > Am 13.03.2016 um 14:34 schrieb Richard Moore: > >> I'm currently testing the new release by trying to port Qt to use it >> (with the compatibility stuff disabled). Here are the first problems >> I've hit: >> >> How do we get the certificate serial number? We were doing >> x509->cert_info->serialNumber to get it as an ASN1_INTEGER. >> > > ASN1_INTEGER *X509_get_serialNumber(X509 *x); > > implemented in crypto/x509/x509_cmp.c: > > ASN1_INTEGER *X509_get_serialNumber(X509 *a) > { > return &a->cert_info.serialNumber; > } > > https://www.openssl.org/docs/manmaster/crypto/EVP_PKEY_type.html says: >> "EVP_PKEY_type() returns the type of key corresponding to the value >> type. The type of a key can be obtained with EVP_PKEY_type(pkey->type)." >> except it can't >> because the structure is now opaque. >> > > The docs should be fixed, but there's: > > int EVP_PKEY_id(const EVP_PKEY *pkey); > int EVP_PKEY_base_id(const EVP_PKEY *pkey); > > implemented in crypto/evp/p_lib.c: > > int EVP_PKEY_id(const EVP_PKEY *pkey) > { > return pkey->type; > } > > int EVP_PKEY_base_id(const EVP_PKEY *pkey) > { > return EVP_PKEY_type(pkey->type); > } > > HTH > > Regards, > > Rainer > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From richmoore44 at gmail.com Sun Mar 13 22:30:08 2016 From: richmoore44 at gmail.com (Richard Moore) Date: Sun, 13 Mar 2016 22:30:08 +0000 Subject: [openssl-dev] API Problems in current master In-Reply-To: <79923FBC-CED6-43EF-ACF6-B8ED11DEF82D@dukhovni.org> References: <56E57C11.1090202@kippdata.de> <79923FBC-CED6-43EF-ACF6-B8ED11DEF82D@dukhovni.org> Message-ID: On 13 March 2016 at 21:34, Viktor Dukhovni wrote: > > > On Mar 13, 2016, at 10:41 AM, Rainer Jung > wrote: > > > > The docs should be fixed, but there's: > > > > int EVP_PKEY_id(const EVP_PKEY *pkey); > > int EVP_PKEY_base_id(const EVP_PKEY *pkey); > > Thanks for the nudge: > > > https://github.com/openssl/openssl/commit/b36a2efd55078a5fff32b2755046b23cb3c5d8a3 ?Nice one! Rich.? -------------- next part -------------- An HTML attachment was scrubbed... URL: From richmoore44 at gmail.com Sun Mar 13 22:42:19 2016 From: richmoore44 at gmail.com (Richard Moore) Date: Sun, 13 Mar 2016 22:42:19 +0000 Subject: [openssl-dev] API Problems in current master In-Reply-To: References: <56E57C11.1090202@kippdata.de> <79923FBC-CED6-43EF-ACF6-B8ED11DEF82D@dukhovni.org> Message-ID: By the way, the serial number accessors are missing from the docs too or is that just a problem with the website? Cheers Rich. On 13 March 2016 at 22:30, Richard Moore wrote: > On 13 March 2016 at 21:34, Viktor Dukhovni > wrote: > >> >> > On Mar 13, 2016, at 10:41 AM, Rainer Jung >> wrote: >> > >> > The docs should be fixed, but there's: >> > >> > int EVP_PKEY_id(const EVP_PKEY *pkey); >> > int EVP_PKEY_base_id(const EVP_PKEY *pkey); >> >> Thanks for the nudge: >> >> >> https://github.com/openssl/openssl/commit/b36a2efd55078a5fff32b2755046b23cb3c5d8a3 > > > ?Nice one! > > Rich.? > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Sun Mar 13 23:09:00 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 23:09:00 +0000 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: Vid Sun, 13 Mar 2016 kl. 22.05.21, skrev noloader at gmail.com: > $ perl --version > This is perl, v5.8.8 built for x86_64-linux-thread-multi This is a problem. We don't really support perl older than 5.10, so 5.8.x is potentially challenging. It's quite possible you found a problem area. As far as I understand the issue, it seems that the File::Spec perl module might be a bit dicy and could use an upgrade. If it was me, I'd upgrade Perl. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4425 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 13 23:16:38 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 19:16:38 -0400 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 7:09 PM, Richard Levitte via RT wrote: > Vid Sun, 13 Mar 2016 kl. 22.05.21, skrev noloader at gmail.com: >> $ perl --version >> This is perl, v5.8.8 built for x86_64-linux-thread-multi > > This is a problem. We don't really support perl older than 5.10, so 5.8.x is > potentially challenging. It's quite possible you found a problem area. > > As far as I understand the issue, it seems that the File::Spec perl module > might be a bit dicy and could use an upgrade. If it was me, I'd upgrade Perl. > I don't have any PERL-fu, so forgive my ignorance here... At the moment, I only see that one failure, so it may not be as bad as it appears. Before this executes: $dir = catdir($base,$dir) unless isabsolute($dir); It seems $base is . Would it be possible to fallback to $PWD if $base is ? Does it make sense for $base to be empty? Jeff From rt at openssl.org Sun Mar 13 23:16:45 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 23:16:45 +0000 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 7:09 PM, Richard Levitte via RT wrote: > Vid Sun, 13 Mar 2016 kl. 22.05.21, skrev noloader at gmail.com: >> $ perl --version >> This is perl, v5.8.8 built for x86_64-linux-thread-multi > > This is a problem. We don't really support perl older than 5.10, so 5.8.x is > potentially challenging. It's quite possible you found a problem area. > > As far as I understand the issue, it seems that the File::Spec perl module > might be a bit dicy and could use an upgrade. If it was me, I'd upgrade Perl. > I don't have any PERL-fu, so forgive my ignorance here... At the moment, I only see that one failure, so it may not be as bad as it appears. Before this executes: $dir = catdir($base,$dir) unless isabsolute($dir); It seems $base is . Would it be possible to fallback to $PWD if $base is ? Does it make sense for $base to be empty? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4425 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 13 23:56:21 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 13 Mar 2016 23:56:21 +0000 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: Vid Sun, 13 Mar 2016 kl. 23.16.45, skrev noloader at gmail.com: > On Sun, Mar 13, 2016 at 7:09 PM, Richard Levitte via RT > wrote: > > Vid Sun, 13 Mar 2016 kl. 22.05.21, skrev noloader at gmail.com: > >> $ perl --version > >> This is perl, v5.8.8 built for x86_64-linux-thread-multi > > > > This is a problem. We don't really support perl older than 5.10, so > > 5.8.x is > > potentially challenging. It's quite possible you found a problem > > area. > > > > As far as I understand the issue, it seems that the File::Spec perl > > module > > might be a bit dicy and could use an upgrade. If it was me, I'd > > upgrade Perl. > > > > I don't have any PERL-fu, so forgive my ignorance here... At the > moment, I only see that one failure, so it may not be as bad as it > appears. > > Before this executes: > > $dir = catdir($base,$dir) unless isabsolute($dir); > > It seems $base is . Would it be possible to fallback to $PWD if > $base is ? Does it make sense for $base to be empty? Kinda sorta makes sense. That would be if 'dirname' misbehaves, i.e. gives back '' in some cases. Would you please test the attached patch, see if that makes a difference? -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4425 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: Configure.patch Type: text/x-patch Size: 558 bytes Desc: not available URL: From noloader at gmail.com Mon Mar 14 00:38:21 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 20:38:21 -0400 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 7:56 PM, Richard Levitte via RT wrote: > Vid Sun, 13 Mar 2016 kl. 23.16.45, skrev noloader at gmail.com: >> On Sun, Mar 13, 2016 at 7:09 PM, Richard Levitte via RT >> wrote: >> > Vid Sun, 13 Mar 2016 kl. 22.05.21, skrev noloader at gmail.com: >> >> $ perl --version >> >> This is perl, v5.8.8 built for x86_64-linux-thread-multi >> > >> > This is a problem. We don't really support perl older than 5.10, so >> > 5.8.x is >> > potentially challenging. It's quite possible you found a problem >> > area. >> > >> > As far as I understand the issue, it seems that the File::Spec perl >> > module >> > might be a bit dicy and could use an upgrade. If it was me, I'd >> > upgrade Perl. >> > >> >> I don't have any PERL-fu, so forgive my ignorance here... At the >> moment, I only see that one failure, so it may not be as bad as it >> appears. >> >> Before this executes: >> >> $dir = catdir($base,$dir) unless isabsolute($dir); >> >> It seems $base is . Would it be possible to fallback to $PWD if >> $base is ? Does it make sense for $base to be empty? > > Kinda sorta makes sense. That would be if 'dirname' misbehaves, i.e. gives back > '' in some cases. > > Would you please test the attached patch, see if that makes a difference? OK, so I got to dig a little further... The problem appears to be the "unless isabsolute($dir)". First, instrument with print's (my apologies; I no almost no PERL): sub cleandir { my $base = shift; print "base directory: ", "$base", "\n"; my $dir = shift; print "dir directory: ", "$dir", "\n"; my $relativeto = shift || "."; my $this_catdir = catdir($base,$dir); print "this_catdir: ", "$this_catdir", "\n"; my $is_absolute = isabsolute($dir); print "is_absolute: ", "$is_absolute", "\n"; $dir = catdir($base,$dir) unless isabsolute($dir); print "catdir directory: ", "$dir", "\n"; # Make sure the directories we're building in exists mkpath($dir); my $res = abs2rel(absolutedir($dir), rel2abs($relativeto)); #print STDERR "DEBUG[cleandir]: $dir , $base => $res\n"; return $res; } It produces: base directory: /home/jwalton/Desktop/openssl dir directory: /include this_catdir: /home/jwalton/Desktop/openssl/include is_absolute: 1 catdir directory: /include It seems like I should be able to drop the "unless isabsolute($dir)", but it causes problems in later invocations when using "../". Maybe it needs some like "not isrelative($dir)", too. Would you like access to the VM? You should be able to jump to it from the PowerMac to 172.16.4.16 . Jeff From rt at openssl.org Mon Mar 14 00:38:26 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 14 Mar 2016 00:38:26 +0000 Subject: [openssl-dev] [openssl.org #4425] CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: On Sun, Mar 13, 2016 at 7:56 PM, Richard Levitte via RT wrote: > Vid Sun, 13 Mar 2016 kl. 23.16.45, skrev noloader at gmail.com: >> On Sun, Mar 13, 2016 at 7:09 PM, Richard Levitte via RT >> wrote: >> > Vid Sun, 13 Mar 2016 kl. 22.05.21, skrev noloader at gmail.com: >> >> $ perl --version >> >> This is perl, v5.8.8 built for x86_64-linux-thread-multi >> > >> > This is a problem. We don't really support perl older than 5.10, so >> > 5.8.x is >> > potentially challenging. It's quite possible you found a problem >> > area. >> > >> > As far as I understand the issue, it seems that the File::Spec perl >> > module >> > might be a bit dicy and could use an upgrade. If it was me, I'd >> > upgrade Perl. >> > >> >> I don't have any PERL-fu, so forgive my ignorance here... At the >> moment, I only see that one failure, so it may not be as bad as it >> appears. >> >> Before this executes: >> >> $dir = catdir($base,$dir) unless isabsolute($dir); >> >> It seems $base is . Would it be possible to fallback to $PWD if >> $base is ? Does it make sense for $base to be empty? > > Kinda sorta makes sense. That would be if 'dirname' misbehaves, i.e. gives back > '' in some cases. > > Would you please test the attached patch, see if that makes a difference? OK, so I got to dig a little further... The problem appears to be the "unless isabsolute($dir)". First, instrument with print's (my apologies; I no almost no PERL): sub cleandir { my $base = shift; print "base directory: ", "$base", "\n"; my $dir = shift; print "dir directory: ", "$dir", "\n"; my $relativeto = shift || "."; my $this_catdir = catdir($base,$dir); print "this_catdir: ", "$this_catdir", "\n"; my $is_absolute = isabsolute($dir); print "is_absolute: ", "$is_absolute", "\n"; $dir = catdir($base,$dir) unless isabsolute($dir); print "catdir directory: ", "$dir", "\n"; # Make sure the directories we're building in exists mkpath($dir); my $res = abs2rel(absolutedir($dir), rel2abs($relativeto)); #print STDERR "DEBUG[cleandir]: $dir , $base => $res\n"; return $res; } It produces: base directory: /home/jwalton/Desktop/openssl dir directory: /include this_catdir: /home/jwalton/Desktop/openssl/include is_absolute: 1 catdir directory: /include It seems like I should be able to drop the "unless isabsolute($dir)", but it causes problems in later invocations when using "../". Maybe it needs some like "not isrelative($dir)", too. Would you like access to the VM? You should be able to jump to it from the PowerMac to 172.16.4.16 . Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4425 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 01:59:19 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 14 Mar 2016 01:59:19 +0000 Subject: [openssl-dev] [openssl.org #4427] PERL requirements disconnect In-Reply-To: References: Message-ID: The README.PERL states: You MUST have at least Perl version 5.10.0 installed. This minimum requirement is due to... However, the Configure source files use: #! /usr/bin/env perl # -*- mode: perl; -*- ## ## Configure -- OpenSSL source tree configuration script ## If editing this file, run this command before committing ## make -f Makefile.in TABLE ## require 5.000; ... Other hits: $ grep -R 'require 5' * Configure:require 5.000; external/perl/Text-Template-1.46/lib/Text/Template.pm:require 5.004; And: $ find $PWD -name '*.pl' -exec grep 'require [0-9]' {} \; $ It seems like there's a disconnect between the sources and the documentation. 1.1.0 seems like a perfect time to consolidate and align the requirements. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4427 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 14 02:00:45 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 13 Mar 2016 22:00:45 -0400 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: Message-ID: Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. 32-bit tests OK. The relevant snippets are: $ make test ... ../test/recipes/90-test_async.t ........... 1/1 # Failed test 'running asynctest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. ../test/recipes/90-test_async.t ........... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ... Test Summary Report ------------------- ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=71, Tests=366, 164 wallclock secs ( 1.28 usr 0.73 sys + 124.36 cusr 36.66 csys = 163.03 CPU) Result: FAIL Failed 1/71 test programs. 1/366 subtests failed. On Tue, Mar 1, 2016 at 9:54 PM, noloader at gmail.com via RT wrote: > $ make depend && make clean && make > ... > > $ make test > ... > > ../test/recipes/80-test_tsa.t ............. ok > ../test/recipes/90-test_async.t ........... 1/1 > # Failed test 'running asynctest' > # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_async.t ........... Dubious, test returned 1 > (wstat 256, 0x100) > Failed 1/1 subtests > ... > Test Summary Report > ------------------- > ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 > cusr 45.51 csys = 214.67 CPU) > Result: FAIL > Failed 1/70 test programs. 1/389 subtests failed. > make[1]: *** [tests] Error 255 > > ... From rt at openssl.org Mon Mar 14 02:00:48 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 14 Mar 2016 02:00:48 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: Message-ID: Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. 32-bit tests OK. The relevant snippets are: $ make test ... ../test/recipes/90-test_async.t ........... 1/1 # Failed test 'running asynctest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. ../test/recipes/90-test_async.t ........... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ... Test Summary Report ------------------- ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 Files=71, Tests=366, 164 wallclock secs ( 1.28 usr 0.73 sys + 124.36 cusr 36.66 csys = 163.03 CPU) Result: FAIL Failed 1/71 test programs. 1/366 subtests failed. On Tue, Mar 1, 2016 at 9:54 PM, noloader at gmail.com via RT wrote: > $ make depend && make clean && make > ... > > $ make test > ... > > ../test/recipes/80-test_tsa.t ............. ok > ../test/recipes/90-test_async.t ........... 1/1 > # Failed test 'running asynctest' > # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_async.t ........... Dubious, test returned 1 > (wstat 256, 0x100) > Failed 1/1 subtests > ... > Test Summary Report > ------------------- > ../test/recipes/90-test_async.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > Files=70, Tests=389, 213 wallclock secs ( 1.44 usr 0.75 sys + 166.97 > cusr 45.51 csys = 214.67 CPU) > Result: FAIL > Failed 1/70 test programs. 1/389 subtests failed. > make[1]: *** [tests] Error 255 > > ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 02:58:36 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 14 Mar 2016 02:58:36 +0000 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: References: Message-ID: Working from Master... gentoo at Gentoo-2012 ~/openssl $ ./config Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. gentoo at Gentoo-2012 ~/openssl $ make depend && make clean && make rm -f rm -f rm -f libcrypto.a libssl.a rm -f apps/openssl test/afalgtest test/asynctest test/bftest test/bntest test/casttest test/clienthellotest test/constant_time_test test/ct_test test/danetest test/destest test/dhtest test/dsatest test/dtlsv1listentest test/ecdhtest test/ecdsatest test/ectest test/enginetest test/evp_extra_test test/evp_test test/exptest test/gmdifftest test/heartbeat_test test/hmactest test/ideatest test/igetest test/md2test test/md4test test/md5test test/mdc2test test/memleaktest test/nptest test/p5_crpt2_test test/packettest test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest test/ssltest test/threadstest test/v3nametest test/verify_extra_test test/wp_test apps/CA.pl tools/c_rehash rm -f crypto/sha/sha512-sparcv9.s crypto/chacha/chacha-ppc.s crypto/sha/sha256-mips.s crypto/sha/sha256-armv8.s crypto/rc4/rc4-586.s crypto/bn/ia64-mont.s crypto/x86cpuid.s crypto/aes/bsaes-x86_64.s crypto/sha/sha512-ppc.s crypto/sha/sha512-mips.s crypto/sha/sha1-mips.s crypto/ec/ecp_nistz256-armv4.s crypto/sha/sha1-mb-x86_64.s crypto/chacha/chacha-x86.s crypto/bn/alpha-mont.s engines/e_padlock-x86.s crypto/sha/sha512-586.s crypto/bn/sparcv9-gf2m.s crypto/aes/aes-armv4.s crypto/sha/sha256p8-ppc.s crypto/modes/ghash-x86.s crypto/modes/ghash-ia64.s crypto/sha/sha256-586.s crypto/aes/bsaes-armv7.s crypto/bn/sparct4-mont.s crypto/ia64cpuid.s crypto/camellia/cmll-x86.s crypto/x86_64cpuid.s crypto/poly1305/poly1305-armv4.s crypto/bn/rsaz-avx2.s crypto/bn/x86-mont.s crypto/modes/ghash-parisc.s crypto/aes/aest4-sparcv9.s crypto/bn/sparcv9-mont.s crypto/bf/bf-586.s crypto/des/crypt586.s crypto/bn/ppc-mont.s crypto/ec/ecp_nistz256-avx2.s crypto/aes/aesp8-ppc.s crypto/bn/parisc-mont.s crypto/sha/sha256-ppc.s crypto/sha/sha512-parisc.s crypto/aes/aesv8-armx.s crypto/bn/sparcv9a-mont.s crypto/aes/aes-sparcv9.s crypto/bn/x86-gf2m.s crypto/bn/bn-mips.s crypto/ec/ecp_nistz256-armv8.s crypto/sha/sha256-ia64.s crypto/chacha/chacha-armv4.s crypto/sha/sha512-x86_64.s crypto/camellia/cmll-x86_64.s crypto/sha/sha256-armv4.s crypto/poly1305/poly1305-x86.s crypto/bn/ppc64-mont.s crypto/modes/aesni-gcm-x86_64.s crypto/aes/vpaes-x86_64.s crypto/modes/ghash-alpha.s crypto/ec/ecp_nistz256-x86.s crypto/armv4cpuid.s crypto/bn/armv4-mont.s crypto/aes/aes-parisc.s crypto/buildinf.h crypto/aes/aes-ppc.s crypto/bn/bn-586.s crypto/bn/x86_64-mont5.s engines/e_padlock-x86_64.s crypto/aes/vpaes-x86.s crypto/sha/sha512-armv8.s crypto/bn/x86_64-mont.s crypto/camellia/cmllt4-sparcv9.s crypto/modes/ghash-sparcv9.s crypto/chacha/chacha-x86_64.s crypto/modes/ghashv8-armx.s crypto/bn/x86_64-gf2m.s crypto/des/dest4-sparcv9.s crypto/aes/aesni-sha1-x86_64.s crypto/aes/aesni-x86_64.s crypto/sha/sha256-mb-x86_64.s crypto/bn/armv8-mont.s crypto/sha/sha1-ppc.s crypto/whrlpool/wp-mmx.s crypto/modes/ghash-armv4.s crypto/bn/armv4-gf2m.s crypto/ec/ecp_nistz256-x86_64.s crypto/md5/md5-586.s crypto/sha/sha256-sparcv9.s crypto/aes/aes-586.s crypto/ppccpuid.s crypto/uplink-x86.s crypto/sha/sha256-x86_64.s crypto/poly1305/poly1305-x86_64.s crypto/bn/s390x-mont.s crypto/aes/aesni-x86.s crypto/sha/sha1-sparcv9.s crypto/poly1305/poly1305-armv8.s crypto/sha/sha1-armv8.s crypto/des/des_enc-sparc.s crypto/pariscid.s crypto/ripemd/rmd-586.s crypto/poly1305/poly1305-ppc.s crypto/aes/aes-mips.s crypto/sha/sha1-parisc.s crypto/aes/vpaes-ppc.s crypto/cast/cast-586.s crypto/aes/aesni-sha256-x86_64.s crypto/sha/sha512-ia64.s crypto/bn/bn-ppc.s crypto/poly1305/poly1305-sparcv9.s crypto/sha/sha512-armv4.s crypto/bn/rsaz-x86_64.s crypto/modes/ghashp8-ppc.s crypto/rc4/rc4-parisc.s crypto/bn/mips-mont.s crypto/des/des-586.s crypto/sha/sha1-armv4-large.s crypto/sha/sha1-586.s crypto/bn/s390x-gf2m.s crypto/aes/aes-ia64.s crypto/arm64cpuid.s crypto/sha/sha1-x86_64.s crypto/md5/md5-sparcv9.s crypto/whrlpool/wp-x86_64.s crypto/rc4/rc4-x86_64.s crypto/rc4/rc4-ia64.s crypto/sha/sha256-parisc.s crypto/aes/aesni-mb-x86_64.s crypto/bn/bn-ia64.s crypto/alphacpuid.s crypto/md5/md5-x86_64.s crypto/aes/vpaes-armv8.s crypto/rc4/rc4-md5-x86_64.s crypto/sha/sha512p8-ppc.s crypto/ec/ecp_nistz256-sparcv9.s crypto/chacha/chacha-armv8.s crypto/bn/vis3-mont.s crypto/modes/ghash-x86_64.s crypto/aes/aes-x86_64.s crypto/bn/co-586.s crypto/poly1305/poly1305-ppcfp.s crypto/sha/sha1-alpha.s crypto/sha/sha1-ia64.s rm -f `find . -name '*.d'` rm -f `find . -name '*.o'` rm -f core rm -f tags TAGS rm -f openssl.pc libcrypto.pc libssl.pc rm -f `find . -type l` rm -f ../openssl-1.1.0-pre4-dev.tar CC="gcc" /usr/bin/perl crypto/aes/asm/aes-x86_64.pl elf crypto/aes/aes-x86_64.s gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o crypto/aes/aes-x86_64.s gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/aes/aes_cfb.d.tmp -MT crypto/aes/aes_cfb.o -c -o crypto/aes/aes_cfb.o crypto/aes/aes_cfb.c crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set make: *** [crypto/aes/aes_cfb.o] Error 1 gentoo at Gentoo-2012 ~/openssl $ qotom:~$ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4428 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Mon Mar 14 11:45:35 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Mon, 14 Mar 2016 12:45:35 +0100 Subject: [openssl-dev] API Problems in current master In-Reply-To: References: <56E57C11.1090202@kippdata.de> <79923FBC-CED6-43EF-ACF6-B8ED11DEF82D@dukhovni.org> Message-ID: <56E6A45F.1070500@kippdata.de> Am 13.03.2016 um 23:42 schrieb Richard Moore: > By the way, the serial number accessors are missing from the docs too or > is that just a problem with the website? Fixed by Steve today as https://github.com/openssl/openssl/commit/bae26b582e6cbff4bce5edc46907e6f331bc19e5. Regards, Rainer From rt at openssl.org Mon Mar 14 14:35:49 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Mon, 14 Mar 2016 14:35:49 +0000 Subject: [openssl-dev] [openssl.org #4427] PERL requirements disconnect In-Reply-To: References: Message-ID: Vid Mon, 14 Mar 2016 kl. 01.59.19, skrev noloader at gmail.com: > The README.PERL states: > > You MUST have at least Perl version 5.10.0 installed. This > minimum requirement is due to... > > However, the Configure source files use: ... > require 5.000; Fixed. > $ grep -R 'require 5' * ... > external/perl/Text-Template-1.46/lib/Text/Template.pm:require 5.004; That's an external module that we've bundled because it's not part of the core perl modules. > And: > > $ find $PWD -name '*.pl' -exec grep 'require [0-9]' {} \; > $ > > It seems like there's a disconnect between the sources and the > documentation. 1.1.0 seems like a perfect time to consolidate and > align the requirements. The other perl scripts don't necessarely have the same demands. The primary ones that we do comment on in README.PERL are configuration stuff and testing stuff. Closing this ticket, as it seems the goal is reached re Configure, where the version check was lacking Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4427 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 14:52:24 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 14:52:24 +0000 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: <56E6D020.5020906@openssl.org> References: <56E6D020.5020906@openssl.org> Message-ID: On 03/14/16 03:58, noloader at gmail.com via RT wrote: > Working from Master... > > gentoo at Gentoo-2012 ~/openssl $ ./config > Operating system: x86_64-whatever-linux2 > Configuring for linux-x86_64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-x86_64 > IsMK1MF =no > CC =gcc > CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 > OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM > SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM > ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-ldl > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o > x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o > aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o > aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o > sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > BLAKE2_OBJ = > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/usr/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for linux-x86_64. > gentoo at Gentoo-2012 ~/openssl $ make depend && make clean && make > rm -f > rm -f > rm -f libcrypto.a libssl.a > rm -f apps/openssl test/afalgtest test/asynctest test/bftest > test/bntest test/casttest test/clienthellotest test/constant_time_test > test/ct_test test/danetest test/destest test/dhtest test/dsatest > test/dtlsv1listentest test/ecdhtest test/ecdsatest test/ectest > test/enginetest test/evp_extra_test test/evp_test test/exptest > test/gmdifftest test/heartbeat_test test/hmactest test/ideatest > test/igetest test/md2test test/md4test test/md5test test/mdc2test > test/memleaktest test/nptest test/p5_crpt2_test test/packettest > test/pbelutest test/randtest test/rc2test test/rc4test test/rc5test > test/rmdtest test/rsa_test test/secmemtest test/sha1test test/sha256t > test/sha512t test/srptest test/ssltest test/threadstest > test/v3nametest test/verify_extra_test test/wp_test apps/CA.pl > tools/c_rehash > rm -f crypto/sha/sha512-sparcv9.s crypto/chacha/chacha-ppc.s > crypto/sha/sha256-mips.s crypto/sha/sha256-armv8.s > crypto/rc4/rc4-586.s crypto/bn/ia64-mont.s crypto/x86cpuid.s > crypto/aes/bsaes-x86_64.s crypto/sha/sha512-ppc.s > crypto/sha/sha512-mips.s crypto/sha/sha1-mips.s > crypto/ec/ecp_nistz256-armv4.s crypto/sha/sha1-mb-x86_64.s > crypto/chacha/chacha-x86.s crypto/bn/alpha-mont.s > engines/e_padlock-x86.s crypto/sha/sha512-586.s > crypto/bn/sparcv9-gf2m.s crypto/aes/aes-armv4.s > crypto/sha/sha256p8-ppc.s crypto/modes/ghash-x86.s > crypto/modes/ghash-ia64.s crypto/sha/sha256-586.s > crypto/aes/bsaes-armv7.s crypto/bn/sparct4-mont.s crypto/ia64cpuid.s > crypto/camellia/cmll-x86.s crypto/x86_64cpuid.s > crypto/poly1305/poly1305-armv4.s crypto/bn/rsaz-avx2.s > crypto/bn/x86-mont.s crypto/modes/ghash-parisc.s > crypto/aes/aest4-sparcv9.s crypto/bn/sparcv9-mont.s crypto/bf/bf-586.s > crypto/des/crypt586.s crypto/bn/ppc-mont.s > crypto/ec/ecp_nistz256-avx2.s crypto/aes/aesp8-ppc.s > crypto/bn/parisc-mont.s crypto/sha/sha256-ppc.s > crypto/sha/sha512-parisc.s crypto/aes/aesv8-armx.s > crypto/bn/sparcv9a-mont.s crypto/aes/aes-sparcv9.s > crypto/bn/x86-gf2m.s crypto/bn/bn-mips.s > crypto/ec/ecp_nistz256-armv8.s crypto/sha/sha256-ia64.s > crypto/chacha/chacha-armv4.s crypto/sha/sha512-x86_64.s > crypto/camellia/cmll-x86_64.s crypto/sha/sha256-armv4.s > crypto/poly1305/poly1305-x86.s crypto/bn/ppc64-mont.s > crypto/modes/aesni-gcm-x86_64.s crypto/aes/vpaes-x86_64.s > crypto/modes/ghash-alpha.s crypto/ec/ecp_nistz256-x86.s > crypto/armv4cpuid.s crypto/bn/armv4-mont.s crypto/aes/aes-parisc.s > crypto/buildinf.h crypto/aes/aes-ppc.s crypto/bn/bn-586.s > crypto/bn/x86_64-mont5.s engines/e_padlock-x86_64.s > crypto/aes/vpaes-x86.s crypto/sha/sha512-armv8.s > crypto/bn/x86_64-mont.s crypto/camellia/cmllt4-sparcv9.s > crypto/modes/ghash-sparcv9.s crypto/chacha/chacha-x86_64.s > crypto/modes/ghashv8-armx.s crypto/bn/x86_64-gf2m.s > crypto/des/dest4-sparcv9.s crypto/aes/aesni-sha1-x86_64.s > crypto/aes/aesni-x86_64.s crypto/sha/sha256-mb-x86_64.s > crypto/bn/armv8-mont.s crypto/sha/sha1-ppc.s crypto/whrlpool/wp-mmx.s > crypto/modes/ghash-armv4.s crypto/bn/armv4-gf2m.s > crypto/ec/ecp_nistz256-x86_64.s crypto/md5/md5-586.s > crypto/sha/sha256-sparcv9.s crypto/aes/aes-586.s crypto/ppccpuid.s > crypto/uplink-x86.s crypto/sha/sha256-x86_64.s > crypto/poly1305/poly1305-x86_64.s crypto/bn/s390x-mont.s > crypto/aes/aesni-x86.s crypto/sha/sha1-sparcv9.s > crypto/poly1305/poly1305-armv8.s crypto/sha/sha1-armv8.s > crypto/des/des_enc-sparc.s crypto/pariscid.s crypto/ripemd/rmd-586.s > crypto/poly1305/poly1305-ppc.s crypto/aes/aes-mips.s > crypto/sha/sha1-parisc.s crypto/aes/vpaes-ppc.s crypto/cast/cast-586.s > crypto/aes/aesni-sha256-x86_64.s crypto/sha/sha512-ia64.s > crypto/bn/bn-ppc.s crypto/poly1305/poly1305-sparcv9.s > crypto/sha/sha512-armv4.s crypto/bn/rsaz-x86_64.s > crypto/modes/ghashp8-ppc.s crypto/rc4/rc4-parisc.s > crypto/bn/mips-mont.s crypto/des/des-586.s > crypto/sha/sha1-armv4-large.s crypto/sha/sha1-586.s > crypto/bn/s390x-gf2m.s crypto/aes/aes-ia64.s crypto/arm64cpuid.s > crypto/sha/sha1-x86_64.s crypto/md5/md5-sparcv9.s > crypto/whrlpool/wp-x86_64.s crypto/rc4/rc4-x86_64.s > crypto/rc4/rc4-ia64.s crypto/sha/sha256-parisc.s > crypto/aes/aesni-mb-x86_64.s crypto/bn/bn-ia64.s crypto/alphacpuid.s > crypto/md5/md5-x86_64.s crypto/aes/vpaes-armv8.s > crypto/rc4/rc4-md5-x86_64.s crypto/sha/sha512p8-ppc.s > crypto/ec/ecp_nistz256-sparcv9.s crypto/chacha/chacha-armv8.s > crypto/bn/vis3-mont.s crypto/modes/ghash-x86_64.s > crypto/aes/aes-x86_64.s crypto/bn/co-586.s > crypto/poly1305/poly1305-ppcfp.s crypto/sha/sha1-alpha.s > crypto/sha/sha1-ia64.s > rm -f `find . -name '*.d'` > rm -f `find . -name '*.o'` > rm -f core > rm -f tags TAGS > rm -f openssl.pc libcrypto.pc libssl.pc > rm -f `find . -type l` > rm -f ../openssl-1.1.0-pre4-dev.tar > CC="gcc" /usr/bin/perl crypto/aes/asm/aes-x86_64.pl elf crypto/aes/aes-x86_64.s > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o > crypto/aes/aes-x86_64.o crypto/aes/aes-x86_64.s > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/aes/aes_cfb.d.tmp -MT crypto/aes/aes_cfb.o -c -o > crypto/aes/aes_cfb.o crypto/aes/aes_cfb.c > crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support > x86-64 instruction set > make: *** [crypto/aes/aes_cfb.o] Error 1 > gentoo at Gentoo-2012 ~/openssl $ Can you confirm that it's not a problem to compile "hello, world" with above flags? Because if you can't, then it can't be OpenSSL problem. Is it possible that real target is so called x32, i.e. x86_64 with 32-bit address space limitation? In such case linux-x32 would be the right target... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4428 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 14:57:52 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 14:57:52 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56E6D16F.8010604@openssl.org> References: <56E6D16F.8010604@openssl.org> Message-ID: > Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. > 32-bit tests OK. > > The relevant snippets are: > > $ make test > ... > ../test/recipes/90-test_async.t ........... 1/1 > # Failed test 'running asynctest' > # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > # Looks like you failed 1 test of 1. > ../test/recipes/90-test_async.t ........... Dubious, test returned 1 > (wstat 256, 0x100) > Failed 1/1 subtests Once again, "it boils down to the fact that getcontext always returns failure to ppc64 program. There is nothing we can do about it, you just have to accept that this particular thing doesn't work on MacOS X/ppc64." getcontext is part of libc equivalent, which is why there is nothing that can be done about it. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From matt at openssl.org Mon Mar 14 15:03:17 2016 From: matt at openssl.org (Matt Caswell) Date: Mon, 14 Mar 2016 15:03:17 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: <56E6D16F.8010604@openssl.org> Message-ID: <56E6D2B5.3030807@openssl.org> On 14/03/16 14:57, Andy Polyakov via RT wrote: >> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >> 32-bit tests OK. >> >> The relevant snippets are: >> >> $ make test >> ... >> ../test/recipes/90-test_async.t ........... 1/1 >> # Failed test 'running asynctest' >> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >> # Looks like you failed 1 test of 1. >> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >> (wstat 256, 0x100) >> Failed 1/1 subtests > > Once again, "it boils down to the fact that getcontext always returns > failure to ppc64 program. There is nothing we can do about it, you just > have to accept that this particular thing doesn't work on MacOS > X/ppc64." getcontext is part of libc equivalent, which is why there is > nothing that can be done about it. > > Can we detect the platform in async_posix.h so that if we work out we're on ppc64 then we default to ASYNC_NULL? Matt From rt at openssl.org Mon Mar 14 15:03:19 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Mon, 14 Mar 2016 15:03:19 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56E6D2B5.3030807@openssl.org> References: <56E6D16F.8010604@openssl.org> <56E6D2B5.3030807@openssl.org> Message-ID: On 14/03/16 14:57, Andy Polyakov via RT wrote: >> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >> 32-bit tests OK. >> >> The relevant snippets are: >> >> $ make test >> ... >> ../test/recipes/90-test_async.t ........... 1/1 >> # Failed test 'running asynctest' >> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >> # Looks like you failed 1 test of 1. >> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >> (wstat 256, 0x100) >> Failed 1/1 subtests > > Once again, "it boils down to the fact that getcontext always returns > failure to ppc64 program. There is nothing we can do about it, you just > have to accept that this particular thing doesn't work on MacOS > X/ppc64." getcontext is part of libc equivalent, which is why there is > nothing that can be done about it. > > Can we detect the platform in async_posix.h so that if we work out we're on ppc64 then we default to ASYNC_NULL? Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 15:05:58 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 15:05:58 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56E6D355.6090908@openssl.org> References: <56E6D16F.8010604@openssl.org> <56E6D2B5.3030807@openssl.org> <56E6D355.6090908@openssl.org> Message-ID: >>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>> 32-bit tests OK. >>> >>> The relevant snippets are: >>> >>> $ make test >>> ... >>> ../test/recipes/90-test_async.t ........... 1/1 >>> # Failed test 'running asynctest' >>> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >>> # Looks like you failed 1 test of 1. >>> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >>> (wstat 256, 0x100) >>> Failed 1/1 subtests >> >> Once again, "it boils down to the fact that getcontext always returns >> failure to ppc64 program. There is nothing we can do about it, you just >> have to accept that this particular thing doesn't work on MacOS >> X/ppc64." getcontext is part of libc equivalent, which is why there is >> nothing that can be done about it. >> >> > Can we detect the platform in async_posix.h so that if we work out we're > on ppc64 then we default to ASYNC_NULL? #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 15:08:03 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 15:08:03 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56E6D3D3.50709@openssl.org> References: <56E6D2B5.3030807@openssl.org> <56E6D355.6090908@openssl.org> <56E6D3D3.50709@openssl.org> Message-ID: >>>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>>> 32-bit tests OK. >>>> >>>> The relevant snippets are: >>>> >>>> $ make test >>>> ... >>>> ../test/recipes/90-test_async.t ........... 1/1 >>>> # Failed test 'running asynctest' >>>> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >>>> # Looks like you failed 1 test of 1. >>>> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >>>> (wstat 256, 0x100) >>>> Failed 1/1 subtests >>> >>> Once again, "it boils down to the fact that getcontext always returns >>> failure to ppc64 program. There is nothing we can do about it, you just >>> have to accept that this particular thing doesn't work on MacOS >>> X/ppc64." getcontext is part of libc equivalent, which is why there is >>> nothing that can be done about it. >>> >>> >> Can we detect the platform in async_posix.h so that if we work out we're >> on ppc64 then we default to ASYNC_NULL? > > #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) add even && defined(__MACH__) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From doctor at doctor.nl2k.ab.ca Mon Mar 14 15:02:56 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Mon, 14 Mar 2016 09:02:56 -0600 Subject: [openssl-dev] Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160313.145317.1352296580688800557.levitte@openssl.org> References: <20160312201402.GA13400@doctor.nl2k.ab.ca> <20160313123211.GA24618@doctor.nl2k.ab.ca> <20160313.145317.1352296580688800557.levitte@openssl.org> Message-ID: <20160314150256.GA18839@doctor.nl2k.ab.ca> On Sun, Mar 13, 2016 at 02:53:17PM +0100, Richard Levitte wrote: > In message <20160313123211.GA24618 at doctor.nl2k.ab.ca> on Sun, 13 Mar 2016 06:32:11 -0600, The Doctor said: > > doctor> On Sat, Mar 12, 2016 at 08:22:47PM +0000, Salz, Rich wrote: > doctor> > > doctor> > > make: don't know how to make > doctor> > > crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > doctor> > > > doctor> > > This was working yesterday. > doctor> > > doctor> > And it will probably work again by tomorrow :) > doctor> > > doctor> > Please include your config/setup command when you report things. > doctor> > > doctor> > Please don't be surprised if a daily snapshot is broken for a day, consider waiting a day or two to see if the problem is fixed. > doctor> > > doctor> > This is not the first time we've asked for this. > doctor> > doctor> Now add Openssl-SNAP-20160313 issues > doctor> > doctor> /bin/sh ../configopenssl11 > doctor> Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > doctor> no-crypto-mdebug-backtrace [option] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > doctor> no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > doctor> no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > doctor> no-md2 [default] OPENSSL_NO_MD2 (skip dir) > doctor> no-sctp [option] OPENSSL_NO_SCTP (skip dir) > doctor> no-sse2 [option] > doctor> no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > doctor> no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > doctor> no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > doctor> no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > doctor> Configuring for debug-bsdi-x86-elf > doctor> IsMK1MF =no > doctor> CC =gcc > doctor> CFLAG =-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g > doctor> SHARED_CFLAG =-fPIC > doctor> DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_PART_WORDS OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM RMD160_ASM AES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM > doctor> LFLAG =-ldl -lgmp -lm -lc -lz > doctor> PLIB_LFLAG = > doctor> EX_LIBS = > doctor> APPS_OBJ = > doctor> CPUID_OBJ =mem_clr.o > doctor> UPLINK_OBJ = > doctor> BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o > doctor> EC_ASM =ecp_nistz256.o ecp_nistz256-x86.o > doctor> DES_ENC =des-586.o crypt586.o > doctor> AES_ENC =aes-586.o > doctor> BF_ENC =bf-586.o > doctor> CAST_ENC =c_enc.o > doctor> RC4_ENC =rc4-586.o > doctor> RC5_ENC =rc5-586.o > doctor> MD5_OBJ_ASM =md5-586.o > doctor> SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o > doctor> RMD160_OBJ_ASM=rmd-586.o > doctor> CMLL_ENC =cmll-x86.o > doctor> MODES_OBJ =ghash-x86.o > doctor> PADLOCK_OBJ =e_padlock-x86.o > doctor> CHACHA_ENC =chacha-x86.o > doctor> POLY1305_OBJ =poly1305-x86.o > doctor> BLAKE2_OBJ = > doctor> PROCESSOR =386 > doctor> RANLIB =/usr/bin/ranlib > doctor> ARFLAGS = > doctor> PERL =/usr/bin/perl5 > doctor> > doctor> THIRTY_TWO_BIT mode > doctor> BN_LLONG mode > doctor> > doctor> Configured for debug-bsdi-x86-elf. > doctor> ( cd .; /usr/bin/perl5 util/ck_errf.pl -strict */*.c */*/*.c ) > doctor> crypto/ex_data.c:254:crypto_get_ex_new_index:get_and_lock > doctor> FATAL: error discrepancy > doctor> *** Error code 1 > > Thank you, that is indeed something still lingering. Will be fixed. > > doctor> Stop. > doctor> ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160313$ less ../configopenssl11 > doctor> ./Configure \ > doctor> 386 \ > doctor> threads \ > doctor> shared \ > doctor> no-sse2 \ > doctor> enable-srtp \ > doctor> no-sctp \ > doctor> no-crypto-mdebug-backtrace \ > doctor> enable-capieng \ > doctor> enable-crypto-mdebug \ > doctor> enable-seed \ > doctor> enable-ssl-trace \ > doctor> enable-camellia \ > doctor> enable-rfc3779 enable-mdc2 enable-md5 \ > doctor> enable-rc5 \ > doctor> enable-unit-test \ > doctor> enable-dh \ > doctor> enable-bf \ > doctor> enable-cast \ > doctor> enable-chacha \ > doctor> enable-cmac \ > doctor> enable-cms \ > doctor> enable-ct \ > doctor> enable-des \ > doctor> enable-dsa \ > doctor> enable-dso \ > doctor> enable-ec \ > doctor> enable-engine \ > doctor> enable-err\ > doctor> enable-hmac \ > doctor> enable-poly1305 \ > doctor> enable-rsa \ > doctor> enable-sha \ > doctor> enable-srp \ > doctor> enable-aes \ > doctor> enable-egd \ > doctor> enable-zlib \ > doctor> zlib-dynamic \ > doctor> --prefix=/usr/contrib \ > doctor> --openssldir=/usr/contrib debug-bsdi-x86-elf ; make update; make depend > doctor> > doctor> and what is debug-bsdi-x86-elf? > doctor> > doctor> "debug-bsdi-x86-elf" => { > doctor> inherit_from => [ asm("x86_elf_asm") ], > doctor> cc => "gcc", > doctor> cflags => "-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer > doctor> -O2 -march=i486 -Wall -g", > doctor> thread_cflag => "-pthread -D_THREAD_SAFE -D_REENTRANT", > doctor> lflags => "-ldl -lgmp -lm -lc -lz", > doctor> bn_ops => "THIRTY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ", > doctor> dso_scheme => "dlfcn", > doctor> shared_target => "bsd-gcc-shared", > doctor> shared_cflag => "-fPIC", > doctor> shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", > doctor> }, > doctor> > doctor> > doctor> I have to drop this each day in > doctor> > doctor> Configurations/10-main.conf > > Why do you have to drop in that file? I suggest you make your own, > for example Configurations/20-doctor.conf. That one will be picked up > along with the rest. > > Also, if I may suggest, the "debug-" prefix is antiquated and has been > replaced with the '-d' option to 'config', which will use additional > debug flags where appropriate. Unfortunately, the "bsdi-elf-gcc" > config has never had any debug variant to my knowledge, so I fully > understand your need there. > > The config you have put together has a lot of similarities with the > "BSD-x86-elf" one, with just a few additions, so it could be made much > simpler like this: > > "bsdi-x86-elf" => { > inherit_from => [ "BSD-x86-elf" ], > cflags => add(picker(default => "-DPERL5 -DTERMIOS -march=i486", > debug => "-O2")), > lflags => add("-ldl -lgmp -lm -lc"), > }, > > Note the 'debug => ...' line... which flags will be added to the > cflags when you run './config' with the option '-d'. > > All that I have removed is there in BSD-x86-elf, or default in the > case of the bn_ops (except for THIRTY_TWO_BIT_LONG that simply doesn't > exist and is silently ignored). Note that '-lz' is added > automatically when you enable zlib, which your script does. > > You may have copy copy the function 'picker' from that start of > 10-main.conf. > I will stick with what works. Also this showed up on openssl-SNAP-20160314 //usr/source/openssl-SNAP-20160314$ make make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop I got a bit compiled until this happened. Last working package was openssl-SNAP-20160311 . > -- > Richard Levitte levitte at openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From matt at openssl.org Mon Mar 14 15:21:21 2016 From: matt at openssl.org (Matt Caswell) Date: Mon, 14 Mar 2016 15:21:21 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: <56E6D16F.8010604@openssl.org> <56E6D2B5.3030807@openssl.org> <56E6D355.6090908@openssl.org> Message-ID: <56E6D6F1.2080402@openssl.org> On 14/03/16 15:05, Andy Polyakov via RT wrote: >>>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>>> 32-bit tests OK. >>>> >>>> The relevant snippets are: >>>> >>>> $ make test >>>> ... >>>> ../test/recipes/90-test_async.t ........... 1/1 >>>> # Failed test 'running asynctest' >>>> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >>>> # Looks like you failed 1 test of 1. >>>> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >>>> (wstat 256, 0x100) >>>> Failed 1/1 subtests >>> >>> Once again, "it boils down to the fact that getcontext always returns >>> failure to ppc64 program. There is nothing we can do about it, you just >>> have to accept that this particular thing doesn't work on MacOS >>> X/ppc64." getcontext is part of libc equivalent, which is why there is >>> nothing that can be done about it. >>> >>> >> Can we detect the platform in async_posix.h so that if we work out we're >> on ppc64 then we default to ASYNC_NULL? > > #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) > > So something like the attached? Jeff, can you test this? Matt -------------- next part -------------- A non-text attachment was scrubbed... Name: async-ppc64.patch Type: text/x-patch Size: 1985 bytes Desc: not available URL: From rt at openssl.org Mon Mar 14 15:21:24 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Mon, 14 Mar 2016 15:21:24 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56E6D6F1.2080402@openssl.org> References: <56E6D2B5.3030807@openssl.org> <56E6D355.6090908@openssl.org> <56E6D6F1.2080402@openssl.org> Message-ID: On 14/03/16 15:05, Andy Polyakov via RT wrote: >>>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>>> 32-bit tests OK. >>>> >>>> The relevant snippets are: >>>> >>>> $ make test >>>> ... >>>> ../test/recipes/90-test_async.t ........... 1/1 >>>> # Failed test 'running asynctest' >>>> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >>>> # Looks like you failed 1 test of 1. >>>> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >>>> (wstat 256, 0x100) >>>> Failed 1/1 subtests >>> >>> Once again, "it boils down to the fact that getcontext always returns >>> failure to ppc64 program. There is nothing we can do about it, you just >>> have to accept that this particular thing doesn't work on MacOS >>> X/ppc64." getcontext is part of libc equivalent, which is why there is >>> nothing that can be done about it. >>> >>> >> Can we detect the platform in async_posix.h so that if we work out we're >> on ppc64 then we default to ASYNC_NULL? > > #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) > > So something like the attached? Jeff, can you test this? Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: async-ppc64.patch Type: text/x-patch Size: 1985 bytes Desc: not available URL: From uri at ll.mit.edu Mon Mar 14 15:28:13 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 15:28:13 +0000 Subject: [openssl-dev] 1.1-pre4 documentation fails to install Message-ID: Current Github version: EVP_PKEY_print_public.3 => EVP_PKEY_print_private.3 link /Users/ur20980/share/man/man3/EVP_PKEY_print_params.3 -> /Users/ur20980/share/man/man3/EVP_PKEY_print_private.3 EVP_PKEY_print_params.3 => EVP_PKEY_print_private.3 install ./doc/crypto/EVP_PKEY_set1_RSA.pod -> /Users/ur20980/share/man/man3/EVP_PKEY_set1_RSA.3 IO::File=IO(0x7feb8c8029c0) around line 62: Unterminated B<...> sequence POD document had syntax errors at /opt/local/bin/pod2man line 68. make: *** [install_man_docs] Error 1 -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Mon Mar 14 15:45:53 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 14 Mar 2016 15:45:53 +0000 Subject: [openssl-dev] 1.1-pre4 documentation fails to install In-Reply-To: References: Message-ID: <20160314154553.GK10917@mournblade.imrryr.org> On Mon, Mar 14, 2016 at 03:28:13PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > install ./doc/crypto/EVP_PKEY_set1_RSA.pod -> /Users/ur20980/share/man/man3/EVP_PKEY_set1_RSA.3 > > IO::File=IO(0x7feb8c8029c0) around line 62: Unterminated B<...> sequence > POD document had syntax errors at /opt/local/bin/pod2man line 68. Try: diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod b/doc/crypto/EVP_PKEY_set1_RSA.pod index de31bc1..c7fd8e9 100644 --- a/doc/crypto/EVP_PKEY_set1_RSA.pod +++ b/doc/crypto/EVP_PKEY_set1_RSA.pod @@ -62,7 +62,7 @@ an RSA key will return B. EVP_PKEY_id() returns the actual OID associated with B. Historically keys using the same algorithm could use different OIDs. For example an RSA key could use the OIDs corresponding to the NIDs B (equivalent to -B (equivalent to B). The use of +B) or B (equivalent to B). The use of alternative non-standard OIDs is now rare so B et al are not often seen in practice. -- Viktor. From rt at openssl.org Mon Mar 14 16:12:58 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 16:12:58 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: <56E6E307.8050707@openssl.org> References: <20160313105718.GA26936@roeckx.be> <56E6E307.8050707@openssl.org> Message-ID: > It looks like the ULL suffix should be safe today; This is misleading statement. *Today* U suffix should be safe, because standard specifies that compiler should pick type automatically depending on value of the constant. In order words suffices beyond U are required only if you need constant to be of wider type, wider than its value, e.g. 13ULL. Well, even then it might be superfluous, because type promotion rules might do it for you. Going back to beginning, to "today U suffix should be safe". Thing is that we kind of live between today and yesterday, making it work not only with contemporary platforms, but even older ones. So real question is if there is compiler supporting 64-bit integer (which is OpenSSL minimum requirement) which would *truncate* constants in question, i.e. with U alone? I'm not aware of any. Next question is if there is compiler that would *fail* to parse ULL? Yes, older Microsoft 32-bit compilers would. Do you see where is it going? It's going toward leaving U alone. One can wonder if warning is actually justified. I'd argue that this would be a trick question. Compiler in question obviously accepts long long, but it's an *extension* to c89 [which we require and rely on]. Now if compiler already accepts extensions, why would it have to complain about extended constant values? I mean you either process extensions and don't complain, or reject extension and complain. Anyway, the U is here to stay. If warnings sting the eye that much, then the only appropriate action would be to bump standard compliance by passing -std=c9x as additional argument to config/Configure. One can argue that it should be in Configuration/10-main.conf, or be automatically added by ./config. Yes, I suppose it's appropriate assuming that compilers shipped with MacOS X all recognize the option. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 16:24:50 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 16:24:50 +0000 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: <56E6E5D1.8000204@openssl.org> References: <56E6D020.5020906@openssl.org> <56E6E5D1.8000204@openssl.org> Message-ID: > Is it possible that real target is so called x32, i.e. x86_64 with > 32-bit address space limitation? In such case linux-x32 would be the > right target... On side note, I'm getting make test failures for linux-x32 target. I mean if it turns out that it's the right target for you, and you see make test failure, there is no need to report it for now, it's being looked into. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4428 Please log in as guest with password guest if prompted From uri at ll.mit.edu Mon Mar 14 16:34:19 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 16:34:19 +0000 Subject: [openssl-dev] 1.1-pre4 documentation fails to install In-Reply-To: <20160314154553.GK10917@mournblade.imrryr.org> References: <20160314154553.GK10917@mournblade.imrryr.org> Message-ID: Yes, that diff fixes the problem, thank you! (Hope to see it in Github :) On 3/14/16, 11:45, "openssl-dev on behalf of Viktor Dukhovni" wrote: >On Mon, Mar 14, 2016 at 03:28:13PM +0000, Blumenthal, Uri - 0553 - MITLL >wrote: >> install ./doc/crypto/EVP_PKEY_set1_RSA.pod -> >>/Users/ur20980/share/man/man3/EVP_PKEY_set1_RSA.3 >> >> IO::File=IO(0x7feb8c8029c0) around line 62: Unterminated B<...> sequence >> POD document had syntax errors at /opt/local/bin/pod2man line 68. > >Try: > >diff --git a/doc/crypto/EVP_PKEY_set1_RSA.pod >b/doc/crypto/EVP_PKEY_set1_RSA.pod >index de31bc1..c7fd8e9 100644 >--- a/doc/crypto/EVP_PKEY_set1_RSA.pod >+++ b/doc/crypto/EVP_PKEY_set1_RSA.pod >@@ -62,7 +62,7 @@ an RSA key will return B. > EVP_PKEY_id() returns the actual OID associated with B. >Historically keys > using the same algorithm could use different OIDs. For example an RSA >key could > use the OIDs corresponding to the NIDs B (equivalent >to >-B (equivalent to B). The use >of >+B) or B (equivalent to B). The use >of > alternative non-standard OIDs is now rare so B et al are >not > often seen in practice. From rt at openssl.org Mon Mar 14 17:45:34 2016 From: rt at openssl.org (Nicholas Prowse via RT) Date: Mon, 14 Mar 2016 17:45:34 +0000 Subject: [openssl-dev] [openssl.org #4430] #1852: [BUG] Invalid Proxy Certificates Pass Validation In-Reply-To: <630646519.2108403.1457973490945.JavaMail.yahoo@mail.yahoo.com> References: <630646519.2108403.1457973490945.JavaMail.yahoo.ref@mail.yahoo.com> <630646519.2108403.1457973490945.JavaMail.yahoo@mail.yahoo.com> Message-ID: My view is that code should follow the RFC (in this case RFC3820) where possible, and hence this should be put in the queue as higher priority - especially since it could have potential security implications. Regards,Nick Prowse ------------------- Wed?Feb?03?13:53:45?2016 Rich Salz - Correspondence added Download (untitled) / with headers text/html 149bRe-opening it.? It would be good to decide soon if we should do this. --? Rich Salz, OpenSSL dev team; rsalz at openssl.org -------------------- Date: ??? Tue, 2 Feb 2016 01:44:36 +0000 Subject: ??? Re: [openssl-dev] [openssl.org #1852] [BUG] Invalid Proxy Certificates Pass Validation From: ??? Viktor Dukhovni CC: ??? chad.lajoie at switch.ch To: ??? rt at openssl.org, openssl-dev at openssl.org On Mon, Feb 01, 2016 at 07:18:04PM +0000, Rich Salz via RT wrote: Hide quoted text > This is reported against 0.9.x; please open a new ticket if still a problem > with current releases. The same behaviour is present in all releases including master. I don't see any code in OpenSSL that imposes any constraints on the subject names of proxy certificates. If strict adherence to the rules in RFC3820 is important for security (I don't where proxy certs are used and what real semantics applications expect), then this issue remains to be addressed. Perhaps reopen this one. -- Viktor. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4430 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 17:45:34 2016 From: rt at openssl.org (=?UTF-8?B?U3RlcGhhbiBNw7xobHN0cmFzc2Vy?= via RT) Date: Mon, 14 Mar 2016 17:45:34 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <56E67126.5040706@pdflib.com> References: <56E67126.5040706@pdflib.com> Message-ID: I had written a message about this issue to openssl-users, but received no reaction. As OpenSSL cannot decrypt data encrypted by itself, this looks like a defect. It is also not possible to decrypt RC4-encrypted CMS objects created by third-party software. This was reproduced with the current HEAD revision from the OpenSSL_1_0_2-stable branch, namely with Git revision e76f48539109829819aabc03953cf2cfd4612961. How to reproduce: Create a self-signed certificate, encrypt some data as a CMS message with "-rc4" using the certificate as a recipient, and try to decrypt it again. This fails with an error message: $ echo "abcdefg" >data.txt $ openssl req -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100 -subj "/CN=RC4 CMS Test" Generating a 2048 bit RSA private key ............................................................+++ ...+++ writing new private key to 'key.pem' ----- $ openssl cms -rc4 -encrypt -binary -in data.txt -out data.txt.cms -outform DER cert.pem $ openssl cms -decrypt -in data.txt.cms -inform DER -out data2.txt -inkey key.pem -recip cert.pem Error decrypting CMS structure 140735291474768:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:cms_enc.c:128: With other encryption algorithms, this works as expected. The same problem is also reproducible with the "openssl smime" command. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 17:48:58 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Mon, 14 Mar 2016 17:48:58 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <7085de166ddf47309f3bb988856c9979@usma1ex-dag1mb1.msg.corp.akamai.com> References: <56E67126.5040706@pdflib.com> <7085de166ddf47309f3bb988856c9979@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: Did you enable RC4 when you built openssl? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 18:15:55 2016 From: rt at openssl.org (=?UTF-8?B?U3RlcGhhbiBNw7xobHN0cmFzc2Vy?= via RT) Date: Mon, 14 Mar 2016 18:15:55 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <56E6FE94.6020602@pdflib.com> References: <56E67126.5040706@pdflib.com> <7085de166ddf47309f3bb988856c9979@usma1ex-dag1mb1.msg.corp.akamai.com> <56E6FE94.6020602@pdflib.com> Message-ID: Am 14.03.2016 um 18:48 schrieb Salz, Rich via RT: > Did you enable RC4 when you built openssl? Yes, more specifically I did not disable it. Otherwise it would not have been possible to encrypt with RC4 with "openssl cms -rc4 -encrypt", would it? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 18:24:11 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Mon, 14 Mar 2016 18:24:11 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <7085de166ddf47309f3bb988856c9979@usma1ex-dag1mb1.msg.corp.akamai.com> <56E6FE94.6020602@pdflib.com> Message-ID: > Otherwise it would not have been possible to encrypt with RC4 with "openssl > cms -rc4 -encrypt", would it? It wasn't clear that it was the same version of openssl :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4429 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 18:25:58 2016 From: rt at openssl.org (Rich Salz via RT) Date: Mon, 14 Mar 2016 18:25:58 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <566478DD.4030105@gmail.com> References: <566478DD.4030105@gmail.com> Message-ID: Okay, the focus on this ticket is now to update the configure script output. :) As previously described here, you can ignore the recommendation to run make depend. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Mon Mar 14 18:45:37 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 14 Mar 2016 18:45:37 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> Message-ID: <20160314184536.GA6602@mournblade.imrryr.org> On Mon, Mar 14, 2016 at 05:45:34PM +0000, Stephan M?hlstrasser via RT wrote: > I had written a message about this issue to openssl-users, but received > no reaction. IIRC RC4 (more generally all stream ciphers) are not supported with CMS, and the bug is that OpenSSL allowed you to use RC4, not that the result failed to decrypt. -- Viktor. From uri at ll.mit.edu Mon Mar 14 19:03:04 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 19:03:04 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160314184536.GA6602@mournblade.imrryr.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> Message-ID: On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni" wrote: >On Mon, Mar 14, 2016 at 05:45:34PM +0000, Stephan M?hlstrasser via RT >wrote: >> I had written a message about this issue to openssl-users, but received >> no reaction. > >IIRC RC4 (more generally all stream ciphers) are not supported with >CMS, and the bug is that OpenSSL allowed you to use RC4, not that >the result failed to decrypt. Is there any reason why stream ciphers are not supported with CMS? Along the same line, is there any reason why AE(AD) ciphers are not supported with ?openssl enc?? From rsalz at akamai.com Mon Mar 14 19:09:56 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 14 Mar 2016 19:09:56 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> Message-ID: <6e2d228cf7494d8899890cf779b8af26@usma1ex-dag1mb1.msg.corp.akamai.com> > Is there any reason why stream ciphers are not supported with CMS? Go ask CMS folks? :) > Along the same line, is there any reason why AE(AD) ciphers are not > supported with ?openssl enc?? A known bug. https://rt.openssl.org/Ticket/Display.html?id=4228 user guess / pass guest if needed. From uri at ll.mit.edu Mon Mar 14 19:24:49 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 19:24:49 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <6e2d228cf7494d8899890cf779b8af26@usma1ex-dag1mb1.msg.corp.akamai.com> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <6e2d228cf7494d8899890cf779b8af26@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: In that bug description I see a reference to code in ?enc.c? that aborts if the cipher is AEAD or XTS (and an offer to submit PR that hasn?t materialized so far). Would you be able to elaborate why those checks that forbid AEAD were put in? -- Regards, Uri Blumenthal On 3/14/16, 15:09, "openssl-dev on behalf of Salz, Rich" wrote: >> Is there any reason why stream ciphers are not supported with CMS? > >Go ask CMS folks? :) > >> Along the same line, is there any reason why AE(AD) ciphers are not >> supported with ?openssl enc?? > >A known bug. https://rt.openssl.org/Ticket/Display.html?id=4228 user >guess / pass guest if needed. > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From rsalz at akamai.com Mon Mar 14 19:27:18 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 14 Mar 2016 19:27:18 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <6e2d228cf7494d8899890cf779b8af26@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <50ea360db5b84f7aaa3ab5b414a8ed86@usma1ex-dag1mb1.msg.corp.akamai.com> > Would you be able to elaborate why those checks that forbid AEAD were put > in? Because it doesn't work. I don't know the details why; probably around setting the IV or such. But before that the program would just crash. From uri at ll.mit.edu Mon Mar 14 19:27:41 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 19:27:41 +0000 Subject: [openssl-dev] openssl cms unable to access keys on token? Message-ID: $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt -outform engine "pkcs11:object=KEY%20MAN%20pubkey;object-type=public" engine "pkcs11" set. Error opening recipient certificate file pkcs11:object=KEY%20MAN%20pubkey;object-type=public 140735201178448:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=KEY%20MAN%20pubkey;object-type=public','r') 140735201178448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt -outform engine "pkcs11:object=Certificate%20for%20Key%20Management;object-type=certificate" engine "pkcs11" set. Error opening recipient certificate file pkcs11:object=Certificate%20for%20Key%20Management;object-type=certificate 140735201178448:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=Certificate%20for%20Key%20Management;object-type=certificate','r') 140735201178448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt -outform engine "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert" engine "pkcs11" set. Error opening recipient certificate file pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert 140735201178448:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert','r') 140735201178448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate $ -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Mon Mar 14 19:32:37 2016 From: rt at openssl.org (PGNet Dev via RT) Date: Mon, 14 Mar 2016 19:32:37 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> Message-ID: On 03/14/2016 11:25 AM, Rich Salz via RT wrote: > Okay, the focus on this ticket is now to update the configure script output. :) > As previously described here, you can ignore the recommendation to run make > depend. Not quite ... currently, without `make depend` make clean ./config ... make -j$CORES ... making all in crypto/err... make[2]: Entering directory '/usr/local/src/openssl/openssl-1.0.2g/crypto/err' /usr/bin/gcc-5 -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -D_GNU_SOURCE -DOPENSSL_NO_BUF_FREELISTS -DOPENSSL_NO_HEARTBEAT -DPURIFY -DSSL_FORBID_ENULL -DTERMIO -Wa,--noexecstack -Wall -fno-common -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -O3 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -fmessage-length=0 -grecord-gcc-switches -march=x86-64 -mtune=nocona -c -o err.o err.c make[2]: *** No rule to make target '../../include/openssl/comp.h', needed by 'err_all.o'. Stop. make[2]: Leaving directory '/usr/local/src/openssl/openssl-1.0.2g/crypto/err' Makefile:88: recipe for target 'subdirs' failed make[1]: *** [subdirs] Error 1 make[1]: Leaving directory '/usr/local/src/openssl/openssl-1.0.2g/crypto' Makefile:284: recipe for target 'build_crypto' failed make: *** [build_crypto] Error 1 whereas make clean ./config ... (same) make depend ( ... lots of warnings, unable to find include files ... ) make builds OK. So the choice is NO `make depend` -> fail to build. or WITH buggy `make depend` -> builds, but is it reliable? Here, atm, I've no working path to a 'clean' (warning/error-free) build. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From rsalz at akamai.com Mon Mar 14 19:34:47 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 14 Mar 2016 19:34:47 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> Message-ID: <05c3798d1d9e4aacab3b404a7955b3d2@usma1ex-dag1mb1.msg.corp.akamai.com> > Here, atm, I've no working path to a 'clean' (warning/error-free) build. Yes, 'make clean' is just as good as 'make depend' From rt at openssl.org Mon Mar 14 19:34:50 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Mon, 14 Mar 2016 19:34:50 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <05c3798d1d9e4aacab3b404a7955b3d2@usma1ex-dag1mb1.msg.corp.akamai.com> References: <566478DD.4030105@gmail.com> <05c3798d1d9e4aacab3b404a7955b3d2@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > Here, atm, I've no working path to a 'clean' (warning/error-free) build. Yes, 'make clean' is just as good as 'make depend' -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 19:37:53 2016 From: rt at openssl.org (PGNet Dev via RT) Date: Mon, 14 Mar 2016 19:37:53 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <05c3798d1d9e4aacab3b404a7955b3d2@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On 03/14/2016 12:34 PM, Salz, Rich via RT wrote: > >> Here, atm, I've no working path to a 'clean' (warning/error-free) build. > > Yes, 'make clean' is just as good as 'make depend' > We're obviously not communicating. 'make clean', without 'make depend' does NOT build. using 'make depend' BUILDS, but not without 1000's of lines of 'warnings'. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From rsalz at akamai.com Mon Mar 14 19:41:20 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 14 Mar 2016 19:41:20 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <05c3798d1d9e4aacab3b404a7955b3d2@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > We're obviously not communicating. No, sorry. > 'make clean', without 'make depend' does NOT build. > > using 'make depend' BUILDS, but not without 1000's of lines of 'warnings'. Ignore them. 'make depend' attempts to optimize dependencies so that only what's needed is built. In this particular case it's more trouble than it's worth. A future update to 1.0.2 might just remove that. From rt at openssl.org Mon Mar 14 19:41:24 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Mon, 14 Mar 2016 19:41:24 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <05c3798d1d9e4aacab3b404a7955b3d2@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > We're obviously not communicating. No, sorry. > 'make clean', without 'make depend' does NOT build. > > using 'make depend' BUILDS, but not without 1000's of lines of 'warnings'. Ignore them. 'make depend' attempts to optimize dependencies so that only what's needed is built. In this particular case it's more trouble than it's worth. A future update to 1.0.2 might just remove that. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 19:47:00 2016 From: rt at openssl.org (PGNet Dev via RT) Date: Mon, 14 Mar 2016 19:47:00 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> Message-ID: On 03/14/2016 12:41 PM, Salz, Rich via RT wrote: >> 'make clean', without 'make depend' does NOT build. >> >> using 'make depend' BUILDS, but not without 1000's of lines of 'warnings'. > > Ignore them. 'make depend' attempts to optimize dependencies so that only what's needed is built. In this particular case it's more trouble than it's worth. So we're back to -- In order build openssl 1.0.2g use `make depend` when prompted -- i.e., do NOT ignore the advice but DO ignore the 1000's of lines of output, and just proceed to subsequent `make` And that resultant build is considered a reliable build. Is that correct? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 14 19:53:38 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Mon, 14 Mar 2016 19:53:38 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > In order build openssl 1.0.2g > > use `make depend` when prompted -- i.e., do NOT ignore the advice > but DO ignore the 1000's of lines of output, and just proceed to > subsequent `make` > > And that resultant build is considered a reliable build. > > Is that correct? Yes. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From ssx at av8n.com Mon Mar 14 20:23:08 2016 From: ssx at av8n.com (John Denker) Date: Mon, 14 Mar 2016 13:23:08 -0700 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <56E71DAC.8050402@av8n.com> On 03/14/2016 12:53 PM, Salz, Rich via RT wrote: >> In order build openssl 1.0.2g >> >> use `make depend` when prompted -- i.e., do NOT ignore the advice >> but DO ignore the 1000's of lines of output, and just proceed to >> subsequent `make` >> >> And that resultant build is considered a reliable build. >> >> Is that correct? > Yes. How do you know it's reliable? In particular, how do you know there is not one important warning hiding among the thousands of others? To assume that "any warning must be a false warning" seems tantamount to assuming there cannot possibly be any bugs in openssl. When I'm writing code, for many many years I have treated all warnings as fatal errors. That applies to all my code, not just mission-critical and security-critical code. It's very trendy these days to use "formal methods" to increase reliability and security. Getting the code to compile without warnings seems like 0.01% of a baby step in the right direction. Conversely, training users to ignore warnings seems antisocial. It is the opposite of good security practice. > In this particular case it's more trouble than it's worth. > > A future update to 1.0.2 might just remove that. If it's not supported it should be stricken from the list of supported features. Conversely, if it's a supported feature it should do the right thing. Code that generates thousands of warnings is not doing the right thing. From rsalz at akamai.com Mon Mar 14 20:31:25 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 14 Mar 2016 20:31:25 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <56E71DAC.8050402@av8n.com> References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> <56E71DAC.8050402@av8n.com> Message-ID: > In particular, how do you know there is not one important warning hiding > among the thousands of others? We're talking "make depend" Not compiling. From rt at openssl.org Mon Mar 14 20:37:27 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 14 Mar 2016 20:37:27 +0000 Subject: [openssl-dev] [openssl.org #4367] FEATURE: Please add -headerpad_max_install_names to LDFLAGS for dynamic libraries on OS X builds In-Reply-To: <56E72103.8050907@openssl.org> References: <56DDB680.9060505@openssl.org> <56E72103.8050907@openssl.org> Message-ID: >> OS X side steps the problems with selecting the wrong runtime library >> and RPATHs by using something called an install name. Effectively, the >> install name should be placed in libcrypto.dylib and libssl.dylib, and >> it calls out the fully qualified path name. Programs linked to a >> library with an install name will record the library, and dyld(1) will >> link to the proper library at runtime. There's no need for tricks like >> LD_LIBRARY_PATH on Linux (its called DYLD_LIBRARY_PATH on OS X). > > Well, formally speaking the feature was always there, all you needed to > do is to pass -Wl,-headerpad_max_install_names at config time ;-) One > can argue that it would be appropriate to run `which install_name_tool` > in ./config and add the option automatically. Would it be acceptable? I > mean would presence of install_name_tool be reliable indicator that > linker supports -headerpad_max_install_names? > >> To make room for an install name that may change (for example, from >> PWD to /usr/local/ssl/lib, you need to use the flag >> -headerpad_max_install_names on libcrypto.dylib and libssl.dylib. >> >> To add the icing to the cake, 'make install' should add the following >> to its recipe for OS X: >> >> cp libcrypto.dylib $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib >> install_name_tool -id $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib >> $(DESTDIR)$(OPENSSLDIR)/lib/libcrypto.dylib > > Does it really copy libcrypto.dylib and not libcrypto.1.1.dylib? For me > it copies the latter... Anyway, the suggested additional step should not > be required, because we do pass -install_name when linking .dylib. > install_name_tool step would be required if you install it at > alternative location, but it doesn't belong in our Makefile. I mean > because our Makefile would install in same location as -install_name anyway. This was discussed a little bit off-list. It was confirmed that build procedure writes correct install path in right places, so that default install procedure doesn't require any adjustments, and therefore -headerpad_max_install_names is not normally required. Or in other words it's required only in *special* cases. And it's argued that special cases can and should be treated by special means, e.g. by adding -Wl,-headerpad_max_install_names at config time as mentioned above. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4367 Please log in as guest with password guest if prompted From ben at links.org Mon Mar 14 21:03:17 2016 From: ben at links.org (Ben Laurie) Date: Mon, 14 Mar 2016 21:03:17 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> <56E71DAC.8050402@av8n.com> Message-ID: On 14 March 2016 at 20:31, Salz, Rich wrote: >> In particular, how do you know there is not one important warning hiding >> among the thousands of others? > > We're talking "make depend" Is there some good reason to not fix make depend? It should also be warning free. > Not compiling. > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From rsalz at akamai.com Mon Mar 14 21:04:24 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 14 Mar 2016 21:04:24 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> <56E71DAC.8050402@av8n.com> Message-ID: > Is there some good reason to not fix make depend? It should also be warning > free. No, it should be fixed. Especially since 1.0.2 is an LTS release (for TLS, henh). But ignoring it's errors is okay until then. From ben at links.org Mon Mar 14 21:04:46 2016 From: ben at links.org (Ben Laurie) Date: Mon, 14 Mar 2016 21:04:46 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: References: <566478DD.4030105@gmail.com> <9143f3c6-787c-c044-158d-bc8b5733cd2e@gmail.com> <408f84a070db4db98b5114c1bda56929@usma1ex-dag1mb1.msg.corp.akamai.com> <56E71DAC.8050402@av8n.com> Message-ID: BTW, there's something very suspicious about make clean; make _not_ working, when (presumably) make clean; make depend; make does work. On 14 March 2016 at 21:03, Ben Laurie wrote: > On 14 March 2016 at 20:31, Salz, Rich wrote: >>> In particular, how do you know there is not one important warning hiding >>> among the thousands of others? >> >> We're talking "make depend" > > Is there some good reason to not fix make depend? It should also be > warning free. > >> Not compiling. >> >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From dwmw2 at infradead.org Mon Mar 14 21:08:28 2016 From: dwmw2 at infradead.org (David Woodhouse) Date: Mon, 14 Mar 2016 21:08:28 +0000 Subject: [openssl-dev] openssl cms unable to access keys on token? In-Reply-To: References: Message-ID: <1457989708.78634.46.camel@infradead.org> On Mon, 2016-03-14 at 19:27 +0000, Blumenthal, Uri - 0553 - MITLL wrote: > $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt > -outform engine "pkcs11:object=KEY%20MAN%20pubkey;object-type=public" That isn't what -outform does. It controls the output format of the encrypted result: $ openssl cms?-aes256 -encrypt -binary -in data.txt -outform PEM cert.pem -----BEGIN CMS----- MIICIgYJKoZIhvcNAQcDoIICEzCCAg8CAQAxggHKMIIBxgIBADCBrTCBpzELMAkG ... There is no option which makes it obtain the *certificate* (to which it is encrypting the CMS message) from an engine. There isn't even a standard way for an engine to provide such functionality ? the PKCS#11 engine currently exposes it only with a custom "LOAD_CERT_CTRL" command. This is just one of many reasons why libp11/engine_pkcs11 needs to die as a separate project, and we need to incorporate proper PKCS#11 support into OpenSSL natively. -- David Woodhouse Open Source Technology Centre David.Woodhouse at intel.com Intel Corporation -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: From rt at openssl.org Mon Mar 14 21:13:22 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Mon, 14 Mar 2016 21:13:22 +0000 Subject: [openssl-dev] [openssl.org #4169] openssl-1.0.2e build still recommends deprecated (unnecessary?) `make depend`, returns numerous warnings abt not finding stddef.h In-Reply-To: <566478DD.4030105@gmail.com> References: <566478DD.4030105@gmail.com> Message-ID: Hi, I'll answer to the original report... there's a lot of confusion going on here... Vid Sun, 06 Dec 2015 kl. 22.48.57, skrev pgnet.dev at gmail.com: > Building openssl-1.0.2e from src > > wget http://www.openssl.org/source/openssl-1.0.2e.tar.gz > tar zxvf openssl-1.0.2e.tar.gz > cd openssl-1.0.2e > > on > > lsb_release -rd > Description: openSUSE Leap 42.1 (x86_64) > Release: 42.1 > gcc -v > Using built-in specs. > COLLECT_GCC=gcc > COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/5/lto- > wrapper > Target: x86_64-suse-linux > Configured with: ../configure --prefix=/usr > --infodir=/usr/share/info > --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 > --enable-languages=c,c++,objc,fortran,obj-c++,java,ada,go > --enable-checking=release --with-gxx-include-dir=/usr/include/c++/5 > --enable-ssp --disable-libssp --disable-libvtv --enable-libmpx > --disable-plugin --with-bugurl=http://bugs.opensuse.org/ > --with-pkgversion='SUSE Linux' --disable-libgcj --with-slibdir=/lib64 > --with-system-zlib --enable-__cxa_atexit > --enable-libstdcxx-allocator=new --disable-libstdcxx-pch > --with-default-libstdcxx-abi=gcc4-compatible > --enable-version-specific-runtime-libs --enable-linker-build-id > --enable-linux-futex --program-suffix=-5 --without-system-libunwind > --enable-multilib --with-arch-32=x86-64 --with-tune=generic > --build=x86_64-suse-linux --host=x86_64-suse-linux > Thread model: posix > gcc version 5.2.1 20151130 [gcc-5-branch revision 231058] > (SUSE Linux) > gcc -print-search-dirs > install: /usr/lib64/gcc/x86_64-suse-linux/5/ > programs: > =/usr/lib64/gcc/x86_64-suse-linux/5/:/usr/lib64/gcc/x86_64-suse- > linux/5/:/usr/lib64/gcc/x86_64-suse-linux/:/usr/lib64/gcc/x86_64-suse- > linux/5/:/usr/lib64/gcc/x86_64-suse-linux/:/usr/lib64/gcc/x86_64-suse- > linux/5/../../../../x86_64-suse-linux/bin/x86_64-suse- > linux/5/:/usr/lib64/gcc/x86_64-suse-linux/5/../../../../x86_64-suse- > linux/bin/ > libraries: > =/usr/lib64/gcc/x86_64-suse-linux/5/:/usr/lib64/gcc/x86_64-suse- > linux/5/../../../../x86_64-suse-linux/lib/x86_64-suse- > linux/5/:/usr/lib64/gcc/x86_64-suse-linux/5/../../../../x86_64-suse- > linux/lib/../lib64/:/usr/lib64/gcc/x86_64-suse- > linux/5/../../../x86_64-suse-linux/5/:/usr/lib64/gcc/x86_64-suse- > linux/5/../../../../lib64/:/lib/x86_64-suse- > linux/5/:/lib/../lib64/:/usr/lib/x86_64-suse- > linux/5/:/usr/lib/../lib64/:/usr/lib64/gcc/x86_64-suse- > linux/5/../../../../x86_64-suse-linux/lib/:/usr/lib64/gcc/x86_64-suse- > linux/5/../../../:/lib/:/usr/lib/ > > with following config > > ./config ... \ > enable-ec_nistp_64_gcc_128 \ > enable-rfc3779 \ > enable-ecdsa \ > no-idea \ > no-ssl2 \ > no-rc5 \ > no-rc2 \ > no-mdc2 > > invokes need for subsequent `make depend` > > ... > Since you've disabled or enabled at least one algorithm, you need to > do > the following before building: > > make depend This is correct, 'make depend' *is* needed here. It is for all disabled features that have a corresponding directory in crypto/. The reason is that the default dependencies in the various Makefile are made for a default configuration, and header files from each crypto/ subdirectory are symlinked into include/openssl/, only for those directories that haven't been disabled. So, for example, because of 'no-idea', crypto/idea/idea.h wouldn't get symlinked into include/openssl/, and if there's *any* target in *any* Makefile that has include/openssl/idea.h as a dependency, make will fail since it wants to try to rebuild it. That's why there are cases when 'make depend' is mandatory, to correct the faulty dependencies However, there are also options that do not affect what is being built, or symlinked for that matter, and in those cases, configuration might tell you to 'make depend' although it might sometimes not be necessary. I'm sorry, all this was not explained too well before, and considering there's also and entirely different building scheme with upcoming 1.1 where 'make depend' truly isn't necessary, it's no wonder if things are a bit confusing for everyone. > > Configured for linux-x86_64. > > which completes, but reports many instances of 'stddef.h' not found, > > make depend > making depend in crypto... > make[1]: Entering directory > '/usr/local/src/openssl-TEST/openssl-1.0.2e/crypto' > makedepend: warning: cryptlib.c (reading > /usr/include/stdlib.h, line > 32): cannot find include file "stddef.h" > not in ./stddef.h > not in ../stddef.h > not in ../include/stddef.h > not in /usr/include/stddef.h > makedepend: warning: /usr/include/time.h includes > /usr/include/bits/types.h more than once! > Already have > /usr/include/bits/types.h > makedepend: warning: /usr/include/time.h includes > /usr/include/bits/types.h more than once! > Already have > /usr/include/bits/types.h > makedepend: warning: /usr/include/time.h includes > /usr/include/bits/types.h more than once! > Already have > /usr/include/bits/types.h > makedepend: warning: cryptlib.c (reading > /usr/include/sys/types.h, > line 146): cannot find include file "stddef.h" > not in ./stddef.h > not in ../stddef.h > not in ../include/stddef.h > not in /usr/include/stddef.h > ... This is makedepend (the program, thus no space) not being quite in tune with the system, so it seems to be missing the presence of stdddef.h in the place you find it in. However, that isn't a problem per se, as this is system headers, and there's no need for them whatsoever in the dependencies of the various OpenSSL Makefiles. makedepend will still keep searching for all header files, and it will find those that belong to the OpenSSL source, which are the only ones important to build OpenSSL. That's why can be safely ignored, even though the thousands of warning lines are annoying indeed. Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4169 Please log in as guest with password guest if prompted From uri at ll.mit.edu Mon Mar 14 21:28:45 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 21:28:45 +0000 Subject: [openssl-dev] openssl cms unable to access keys on token? In-Reply-To: <1457989708.78634.46.camel@infradead.org> References: <1457989708.78634.46.camel@infradead.org> Message-ID: You are right - the command line was wrong. Here?s the correct line, which should work, but doesn?t: $ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary -outform PEM -out data.txt.enc "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert" engine "pkcs11" set. Error opening recipient certificate file pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert 140735201178448:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('pkcs11:object=Certificate%20for%20Key%20Man agement;object-type=cert','r') 140735201178448:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400: unable to load certificate $ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary -outform PEM -out data.txt.enc token.cert.pem engine "pkcs11" set. $ And yes, it?s about time for OpenSSL to incorporate proper support for PKCS#11. -- Regards, Uri Blumenthal On 3/14/16, 17:08, "David Woodhouse" wrote: >On Mon, 2016-03-14 at 19:27 +0000, Blumenthal, Uri - 0553 - MITLL >wrote: >> $ openssl cms -engine pkcs11 -aes256 -encrypt -binary -in data.txt >> -outform engine "pkcs11:object=KEY%20MAN%20pubkey;object-type=public" > >That isn't what -outform does. It controls the output format of the >encrypted result: > >$ openssl cms -aes256 -encrypt -binary -in data.txt -outform PEM cert.pem >-----BEGIN CMS----- >MIICIgYJKoZIhvcNAQcDoIICEzCCAg8CAQAxggHKMIIBxgIBADCBrTCBpzELMAkG >... > >There is no option which makes it obtain the *certificate* (to which it >is encrypting the CMS message) from an engine. There isn't even a >standard way for an engine to provide such functionality ? the PKCS#11 >engine currently exposes it only with a custom "LOAD_CERT_CTRL" >command. > >This is just one of many reasons why libp11/engine_pkcs11 needs to die >as a separate project, and we need to incorporate proper PKCS#11 >support into OpenSSL natively. > >-- >David Woodhouse Open Source Technology Centre >David.Woodhouse at intel.com Intel Corporation > -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5211 bytes Desc: not available URL: From dwmw2 at infradead.org Mon Mar 14 21:33:52 2016 From: dwmw2 at infradead.org (David Woodhouse) Date: Mon, 14 Mar 2016 21:33:52 +0000 Subject: [openssl-dev] openssl cms unable to access keys on token? In-Reply-To: References: <1457989708.78634.46.camel@infradead.org> Message-ID: <1457991232.78634.49.camel@infradead.org> On Mon, 2016-03-14 at 21:28 +0000, Blumenthal, Uri - 0553 - MITLL wrote: > You are right - the command line was wrong. Here?s the correct line, > which > should work, but doesn?t: > > $ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary > -outform PEM -out data.txt.enc > "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert" Yeah, that won't work either.? Perhaps you need the "-certform engine" option. Which doesn't exist. :) (My mailer doesn't seem to trust your signing cert, btw. Should you be including an intermediate certificate in your messages? For that matter, should I? :) -- David Woodhouse Open Source Technology Centre David.Woodhouse at intel.com Intel Corporation -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: From openssl-users at dukhovni.org Mon Mar 14 21:39:13 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 14 Mar 2016 21:39:13 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> Message-ID: <20160314213912.GC6602@mournblade.imrryr.org> On Mon, Mar 14, 2016 at 07:03:04PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > >IIRC RC4 (more generally all stream ciphers) are not supported with > >CMS, and the bug is that OpenSSL allowed you to use RC4, not that > >the result failed to decrypt. > > Is there any reason why stream ciphers are not supported with CMS? At least in part because code does not write itself, and support was never implemented. The main issue seems to be related to handling of "parameters", such as the IV for CBC ciphers. With RC4 there is no IV, nor any other parameters, but the CMS decoder expects parameters to be present. Would it work if the requirement were relaxed? Perhaps, but that requires someone to implement said change. As for GCM/CCM ciphers with CMS that's described in https://tools.ietf.org/html/rfc5084 and someone would have to implement that. -- Viktor. From noloader at gmail.com Mon Mar 14 21:48:44 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 14 Mar 2016 17:48:44 -0400 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <6e2d228cf7494d8899890cf779b8af26@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Mon, Mar 14, 2016 at 3:24 PM, Blumenthal, Uri - 0553 - MITLL wrote: > In that bug description I see a reference to code in ?enc.c? that aborts > if the cipher is AEAD or XTS (and an offer to submit PR that hasn?t > materialized so far). > > Would you be able to elaborate why those checks that forbid AEAD were put > in? Also see "v1.0.1g command line gcm error", https://groups.google.com/forum/#!topic/mailing.openssl.users/hGggWxfrZbA. Its a bit dated, but its the first time I remember it being discussed in detail with a canonical answer from Dr. Henson. Jeff From steve at openssl.org Mon Mar 14 22:34:17 2016 From: steve at openssl.org (Dr. Stephen Henson) Date: Mon, 14 Mar 2016 22:34:17 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> Message-ID: <20160314223417.GA12921@openssl.org> On Mon, Mar 14, 2016, Blumenthal, Uri - 0553 - MITLL wrote: > On 3/14/16, 14:45, "openssl-dev on behalf of Viktor Dukhovni" > > wrote: > > >On Mon, Mar 14, 2016 at 05:45:34PM +0000, Stephan M?hlstrasser via RT > >wrote: > >> I had written a message about this issue to openssl-users, but received > >> no reaction. > > > >IIRC RC4 (more generally all stream ciphers) are not supported with > >CMS, and the bug is that OpenSSL allowed you to use RC4, not that > >the result failed to decrypt. > > Is there any reason why stream ciphers are not supported with CMS? > Well one reason is that I'm not aware of any standard which defines how to use stream ciphers with CMS. OpenSSL should really reject these with an appropriate error. > Along the same line, is there any reason why AE(AD) ciphers are not > supported with ???openssl enc???? > The require additional handling such setting parameters and how to handle the tag. That functionality is not currently present in the enc utility. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org From uri at ll.mit.edu Mon Mar 14 22:34:10 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 14 Mar 2016 22:34:10 +0000 Subject: [openssl-dev] openssl cms unable to access keys on token? In-Reply-To: <1457991232.78634.49.camel@infradead.org> References: <1457989708.78634.46.camel@infradead.org> <1457991232.78634.49.camel@infradead.org> Message-ID: On 3/14/16, 17:33, "David Woodhouse" wrote: >On Mon, 2016-03-14 at 21:28 +0000, Blumenthal, Uri - 0553 - MITLL >wrote: >> You are right - the command line was wrong. Here?s the correct line, >> which >> should work, but doesn?t: >> >> $ openssl cms -engine pkcs11 -aes256 -encrypt -in data.txt -binary >> -outform PEM -out data.txt.enc >> "pkcs11:object=Certificate%20for%20Key%20Management;object-type=cert" > >Yeah, that won't work either. Yep? >Perhaps you need the "-certform engine" option. > >Which doesn't exist. :) I?d personally prefer the cms app to have internal logic ?if -engine is specified and the cert name starts with ?pksc11:? then load it via engine?. It?s been suggested in another forum that perhaps openssl should automatically load the appropriate engine if the resource (key || pubkey || cert) is specified via URI that starts with the engine name (like ?pkcs11:?). Does it mean I need to come up with a PR? :-) >(My mailer doesn't seem to trust your signing cert, btw. Should you be >including an intermediate certificate in your messages? For that >matter, should I? :) Yours appear OK. Perhaps because I know StartCom. ;) I?ll send you mine. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 5211 bytes Desc: not available URL: From dwmw2 at infradead.org Mon Mar 14 22:56:25 2016 From: dwmw2 at infradead.org (David Woodhouse) Date: Mon, 14 Mar 2016 22:56:25 +0000 Subject: [openssl-dev] openssl cms unable to access keys on token? In-Reply-To: References: <1457989708.78634.46.camel@infradead.org> <1457991232.78634.49.camel@infradead.org> Message-ID: <1457996185.78634.75.camel@infradead.org> On Mon, 2016-03-14 at 22:34 +0000, Blumenthal, Uri - 0553 - MITLL wrote: > I?d personally prefer the cms app to have internal logic ?if -engine is > specified and the cert name starts with ?pksc11:? then load it via > engine?. So you don't want the -keyform argument to exist either? That would also be redundant, by the same logic. And I'm not sure it's true. > It?s been suggested in another forum that perhaps openssl should > automatically load the appropriate engine if the resource (key || pubkey > || cert) is specified via URI that starts with the engine name (like > ?pkcs11:?). I dislike this, because it could be used to provoke OpenSSL into loading arbitrary engines. It also dramatically increases the chance of accidental collision with real filenames. But I suppose if it was restricted to explicitly-configured prefixes, that would be tolerable. But seriously, I was mostly planning to ditch the engine completely for PKCS#11, and add code to crypto/pkcs11/ to do things directly. -- David Woodhouse Open Source Technology Centre David.Woodhouse at intel.com Intel Corporation -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: From rt at openssl.org Mon Mar 14 23:58:25 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 14 Mar 2016 23:58:25 +0000 Subject: [openssl-dev] [openssl.org #4425] AutoReply: CentOS 5: mkdir /include: Permission denied at ./Configure line 1248 In-Reply-To: References: Message-ID: Close it, cleared as of 580b557. Under original PERL (5.8), there's a clear and succinct error message. Under new PERL (5.22.1), self tests are OK. On Sun, Mar 13, 2016 at 5:44 PM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "CentOS 5: mkdir /include: Permission denied at ./Configure line 1248", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4425]. > > Please include the string: > > [openssl.org #4425] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > > ------------------------------------------------------------------------- > This is kind of odd... Working from Master at b36a2ef. > > It appears Configure is trying to create the directory "/include" > rather than "$PWD/include". > > $ git clone ... > $ ls -Al | grep openssl > drwxrwxr-x 19 jwalton jwalton 4096 Mar 13 17:37 openssl > > $ cd openssl > $ ./config > Operating system: x86_64-whatever-linux2 > Configuring for linux-x86_64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-x86_64 > mkdir /include: Permission denied at ./Configure line 1248 > > > > ------------------------------------------------------------------------- > http://rt.openssl.org/Ticket/Display.html?id=4425&user=guest&pass=guest -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4425 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 15 00:28:08 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 15 Mar 2016 00:28:08 +0000 Subject: [openssl-dev] [openssl.org #4431] Fedroa 23, x86_64: Can't locate Test/Harness.pm in @INC (you may need to install the Test::Harness module) ... In-Reply-To: References: Message-ID: $ perl --version This is perl 5, version 22, subversion 1 (v5.22.1) built for x86_64-linux-thread-multi (with 14 registered patches, see perl -V for more detail) Is this PERL module supposed to be in external? ********** LD_LIBRARY_PATH=.: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib64/engines" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -o apps/openssl apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o -L. -lssl -L. -lcrypto -ldl make[1]: Leaving directory '/home/jwalton/Desktop/openssl' ( cd test; \ SRCTOP=../. \ BLDTOP=../. \ EXE_EXT= \ /usr/bin/perl .././test/run_tests.pl ) Can't locate Test/Harness.pm in @INC (you may need to install the Test::Harness module) (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at .././test/run_tests.pl line 8. BEGIN failed--compilation aborted at .././test/run_tests.pl line 8. Makefile:122: recipe for target 'test' failed make: *** [test] Error 2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4431 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Tue Mar 15 06:33:32 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 15 Mar 2016 06:33:32 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160314223417.GA12921@openssl.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> Message-ID: <20160315063332.GD6602@mournblade.imrryr.org> On Mon, Mar 14, 2016 at 10:34:17PM +0000, Dr. Stephen Henson wrote: > > Is there any reason why stream ciphers are not supported with CMS? > > Well one reason is that I'm not aware of any standard which defines how to use > stream ciphers with CMS. > > OpenSSL should really reject these with an appropriate error. Mind you, it seems that e.g. BouncyCastle supports CMS EnvelopedData with RC4 (1.2.840.113549.3.4) as the AlgorithmIdentifier, and that OpenSSL likely produces a compatible encoding (RC4 OID and no parameters). In which case it may suffice to handle absent parameters for ciphers that don't need any, and RC4 might then "just work". In crypto/cms/cms_enc.c we have: unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; ... if (enc) { int ivlen; calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); /* Generate a random IV if we need one */ ivlen = EVP_CIPHER_CTX_iv_length(ctx); if (ivlen > 0) { if (RAND_bytes(iv, ivlen) <= 0) goto err; piv = iv; } } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) { CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; } ... if (piv) { calg->parameter = ASN1_TYPE_new(); if (calg->parameter == NULL) { CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, ERR_R_MALLOC_FAILURE); goto err; } if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) { CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); goto err; } } which omits encoding parameters for ciphers with ivlen <= 0 when encrypting (e.g. with RC4), but the first "else" clause insists on valid parameters when decrypting. So stream cipher support basically boils down to what makes for valid parameters in EVP_CIPHER_asn1_param(). To that end, the below patch might make RC4 "work" (in master). The semantic diff is quite small just return 1 when type == NULL and we have a stream cipher with no get_asn1_parameters method. The patch is larger because I took the opportunity to reorganize the code a bit: int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { if (c->cipher->get_asn1_parameters != NULL) return c->cipher->get_asn1_parameters(c, type); if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)) { if (type == NULL && EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER) return 1; return -1; } switch (EVP_CIPHER_CTX_mode(c)) { default: return EVP_CIPHER_get_asn1_iv(c, type); case EVP_CIPH_WRAP_MODE: return 1; case EVP_CIPH_GCM_MODE: case EVP_CIPH_CCM_MODE: case EVP_CIPH_XTS_MODE: case EVP_CIPH_OCB_MODE: return -1; } } This is completely untested, may not even compile! Enjoy. -- Viktor. diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index bc24d5a..8957de2 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -93,31 +93,29 @@ int EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type) int EVP_CIPHER_asn1_to_param(EVP_CIPHER_CTX *c, ASN1_TYPE *type) { - int ret; - if (c->cipher->get_asn1_parameters != NULL) - ret = c->cipher->get_asn1_parameters(c, type); - else if (c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1) { - switch (EVP_CIPHER_CTX_mode(c)) { + return c->cipher->get_asn1_parameters(c, type); - case EVP_CIPH_WRAP_MODE: - ret = 1; - break; + if (!(c->cipher->flags & EVP_CIPH_FLAG_DEFAULT_ASN1)) { + if (type == NULL && + EVP_CIPHER_CTX_mode(c) == EVP_CIPH_STREAM_CIPHER) + return 1; + return -1; + } - case EVP_CIPH_GCM_MODE: - case EVP_CIPH_CCM_MODE: - case EVP_CIPH_XTS_MODE: - case EVP_CIPH_OCB_MODE: - ret = -1; - break; + switch (EVP_CIPHER_CTX_mode(c)) { + default: + return EVP_CIPHER_get_asn1_iv(c, type); - default: - ret = EVP_CIPHER_get_asn1_iv(c, type); - break; - } - } else - ret = -1; - return (ret); + case EVP_CIPH_WRAP_MODE: + return 1; + + case EVP_CIPH_GCM_MODE: + case EVP_CIPH_CCM_MODE: + case EVP_CIPH_XTS_MODE: + case EVP_CIPH_OCB_MODE: + return -1; + } } int EVP_CIPHER_get_asn1_iv(EVP_CIPHER_CTX *c, ASN1_TYPE *type) From rt at openssl.org Tue Mar 15 07:14:38 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Tue, 15 Mar 2016 07:14:38 +0000 Subject: [openssl-dev] [openssl.org #4431] Fedroa 23, x86_64: Can't locate Test/Harness.pm in @INC (you may need to install the Test::Harness module) ... In-Reply-To: References: Message-ID: This means that you need to install the package 'perl-core', as explained in README.PERL -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4431 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Tue Mar 15 07:47:17 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 15 Mar 2016 07:47:17 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160315063332.GD6602@mournblade.imrryr.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> <20160315063332.GD6602@mournblade.imrryr.org> Message-ID: <20160315074717.GF6602@mournblade.imrryr.org> On Tue, Mar 15, 2016 at 06:33:32AM +0000, Viktor Dukhovni wrote: > This is completely untested, may not even compile! Enjoy. It does seem to work, so one key remaining questions is whether it is interoperable: $ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100 -subj "/CN=RC4 CMS Test" $ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial serial=ACD5DEDE758B9AA6 $ echo sesame > data.txt $ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in data.txt -out data.txt.cms -outform DER cert.pem $ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms -inform DER -out data2.txt -inkey key.pem -recip cert.pem $ diff -u data.txt data2.txt $ openssl asn1parse -inform DER -in data.txt.cms 0:d=0 hl=4 l= 380 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData 15:d=1 hl=4 l= 365 cons: cont [ 0 ] 19:d=2 hl=4 l= 361 cons: SEQUENCE 23:d=3 hl=2 l= 1 prim: INTEGER :00 26:d=3 hl=4 l= 320 cons: SET 30:d=4 hl=4 l= 316 cons: SEQUENCE 34:d=5 hl=2 l= 1 prim: INTEGER :00 37:d=5 hl=2 l= 36 cons: SEQUENCE 39:d=6 hl=2 l= 23 cons: SEQUENCE 41:d=7 hl=2 l= 21 cons: SET 43:d=8 hl=2 l= 19 cons: SEQUENCE 45:d=9 hl=2 l= 3 prim: OBJECT :commonName 50:d=9 hl=2 l= 12 prim: UTF8STRING :RC4 CMS Test 64:d=6 hl=2 l= 9 prim: INTEGER :ACD5DEDE758B9AA6 75:d=5 hl=2 l= 13 cons: SEQUENCE 77:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption 88:d=6 hl=2 l= 0 prim: NULL 90:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:70BD8B31ACD24F8184A54AF52446D10898DC09E4636456B8E14B3073701CAD5226C0AA03C0AD45B7056DB0A10F01487DC4DE0D35FDE7291875D665DEBB76049C6D660C885A011949A051874DF0CCEA181F9D60BC6BB8BD989B69900E917CCE170F60A34DC77A0EEFB935E13578F3AC9703AE02D972F853DBB3302BEB28F1F8E54964E7528E9E24EEA6950535EF2D1027C31CCAEB1FAB8F454ADBEB1DB9FD2A0F61F276498E64931483FDD40E90DD956BF991C3524C9EDA70211A256BEEFED941474B26ED7A4516873A12240C505813B6BD6EDFE6ED367FEAC86AEC2602A8E1C0C5ACE9C2745FA1B6702F1550FD1ECE322CD7F165DA621E984F1186CA981829AE 350:d=3 hl=2 l= 32 cons: SEQUENCE 352:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 363:d=4 hl=2 l= 10 cons: SEQUENCE 365:d=5 hl=2 l= 8 prim: OBJECT :rc4 375:d=4 hl=2 l= 7 prim: cont [ 0 ] $ tail -c8 data.txt.cms | od -tx1 0000000 07 c3 e2 69 a0 ab 3b ec 0000010 That said, stream ciphers with unsigned CMS are especially unsafe. Since the payload has no MAC or padding of any kind, it is trivial to XOR any desired mask into the received plaintext: $ < data.txt.cms perl -e ' ($a, $b) = map { unpack("Q", "0$_\n") } qw(sesame unsafe); $/ = undef; $cms = ; substr($cms, -8) = pack("Q", unpack("Q", substr($cms, -8)) ^ $a ^ $b); print $cms' > data.txt.cms2 $ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms2 -inform DER -out data3.txt -inkey key.pem -recip cert.pem $ cat data3.txt unsafe In the above example, a ciphertext-only transformation changes 'sesame' to 'unsafe'. That, plus RC4's biases, make it unwise in this context. At the very least the CMS message MUST be signed, and the first 256 bytes should not contain sensitive and yet frequently transmitted content. Don't let your children play with RC4 in CMS. Of course, unsigned CMS payloads are also vulnerable to silent corruption even with block ciphers in CBC mode, XOR of a mask into a ciphertext block randomizes the plaintext of that block, but makes a predictable change in the plaintext of the next block. So, don't expect data integrity from unsigned CMS. -- Viktor. From michel.sales at free.fr Tue Mar 15 14:33:50 2016 From: michel.sales at free.fr (Michel) Date: Tue, 15 Mar 2016 15:33:50 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL Message-ID: <002601d17ec7$b1861080$14923180$@sales@free.fr> Hi, Just to let you know that conflicting CRT switches are produced when configure for Windows DLL : cl : Command line warning D9025 : overriding '/MD' with '/MT' (and ct_test.exe can't be linked) Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Tue Mar 15 14:41:23 2016 From: rt at openssl.org (Tuyen Tran via RT) Date: Tue, 15 Mar 2016 14:41:23 +0000 Subject: [openssl-dev] [openssl.org #4432] [BUG] Building with "no-des" fails at crypto/cms/cms_kari.c In-Reply-To: References: Message-ID: ../libcrypto.a(cms_kari.o): In function `cms_RecipientInfo_kari_encrypt': cms_kari.c:(.text+0x647): undefined reference to `EVP_des_ede3_wrap' Using: $ uname -s -r -v -m -p -i -o Linux 2.6.32-573.18.1.el6.x86_64 #1 SMP Wed Jan 6 11:20:49 EST 2016 x86_64 x86_64 x86_64 GNU/Linux ~/sandbox/openssl-1.0.2g Please see https://github.com/openssl/openssl/pull/872 -- Tuyen Tran -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4432 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 15 15:17:12 2016 From: rt at openssl.org (Ramunas Jurgilas via RT) Date: Tue, 15 Mar 2016 15:17:12 +0000 Subject: [openssl-dev] [openssl.org #4433] Memory leak in X509_REQ_to_X509 In-Reply-To: References: Message-ID: Hello OpenSSL Team, During memory leak hunting on iOS platform I noticed, that function X509_REQ_to_X509 generates memory. Bellow you can found code snapshot. As well I would like to know do you plan to fix this memory leak? If yes, then when? Best regards, Ramunas X509_REQ *req = NULL; EVP_PKEY *key = EVP_PKEY_new(); // Setup key ... X509_REQ_set_pubkey(req,key); X509_REQ_sign(req,key,EVP_sha256()) X509 *cert = X509_REQ_to_X509(req, 365, key); // Memory leak here!!! // Free the memory. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4433 Please log in as guest with password guest if prompted From doctor at doctor.nl2k.ab.ca Tue Mar 15 15:32:42 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Tue, 15 Mar 2016 09:32:42 -0600 Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160314150256.GA18839@doctor.nl2k.ab.ca> References: <20160312201402.GA13400@doctor.nl2k.ab.ca> <20160313123211.GA24618@doctor.nl2k.ab.ca> <20160313.145317.1352296580688800557.levitte@openssl.org> <20160314150256.GA18839@doctor.nl2k.ab.ca> Message-ID: <20160315153241.GA3975@doctor.nl2k.ab.ca> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: > On Sun, Mar 13, 2016 at 02:53:17PM +0100, Richard Levitte wrote: > > In message <20160313123211.GA24618 at doctor.nl2k.ab.ca> on Sun, 13 Mar 2016 06:32:11 -0600, The Doctor said: > > > > doctor> On Sat, Mar 12, 2016 at 08:22:47PM +0000, Salz, Rich wrote: > > doctor> > > > doctor> > > make: don't know how to make > > doctor> > > crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > > doctor> > > > > doctor> > > This was working yesterday. > > doctor> > > > doctor> > And it will probably work again by tomorrow :) > > doctor> > > > doctor> > Please include your config/setup command when you report things. > > doctor> > > > doctor> > Please don't be surprised if a daily snapshot is broken for a day, consider waiting a day or two to see if the problem is fixed. > > doctor> > > > doctor> > This is not the first time we've asked for this. > > doctor> > > doctor> Now add Openssl-SNAP-20160313 issues > > doctor> > > doctor> /bin/sh ../configopenssl11 > > doctor> Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > > doctor> no-crypto-mdebug-backtrace [option] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > > doctor> no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > > doctor> no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > > doctor> no-md2 [default] OPENSSL_NO_MD2 (skip dir) > > doctor> no-sctp [option] OPENSSL_NO_SCTP (skip dir) > > doctor> no-sse2 [option] > > doctor> no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > > doctor> no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > > doctor> no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > > doctor> no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > > doctor> Configuring for debug-bsdi-x86-elf > > doctor> IsMK1MF =no > > doctor> CC =gcc > > doctor> CFLAG =-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g > > doctor> SHARED_CFLAG =-fPIC > > doctor> DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_PART_WORDS OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM RMD160_ASM AES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM > > doctor> LFLAG =-ldl -lgmp -lm -lc -lz > > doctor> PLIB_LFLAG = > > doctor> EX_LIBS = > > doctor> APPS_OBJ = > > doctor> CPUID_OBJ =mem_clr.o > > doctor> UPLINK_OBJ = > > doctor> BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o > > doctor> EC_ASM =ecp_nistz256.o ecp_nistz256-x86.o > > doctor> DES_ENC =des-586.o crypt586.o > > doctor> AES_ENC =aes-586.o > > doctor> BF_ENC =bf-586.o > > doctor> CAST_ENC =c_enc.o > > doctor> RC4_ENC =rc4-586.o > > doctor> RC5_ENC =rc5-586.o > > doctor> MD5_OBJ_ASM =md5-586.o > > doctor> SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o > > doctor> RMD160_OBJ_ASM=rmd-586.o > > doctor> CMLL_ENC =cmll-x86.o > > doctor> MODES_OBJ =ghash-x86.o > > doctor> PADLOCK_OBJ =e_padlock-x86.o > > doctor> CHACHA_ENC =chacha-x86.o > > doctor> POLY1305_OBJ =poly1305-x86.o > > doctor> BLAKE2_OBJ = > > doctor> PROCESSOR =386 > > doctor> RANLIB =/usr/bin/ranlib > > doctor> ARFLAGS = > > doctor> PERL =/usr/bin/perl5 > > doctor> > > doctor> THIRTY_TWO_BIT mode > > doctor> BN_LLONG mode > > doctor> > > doctor> Configured for debug-bsdi-x86-elf. > > doctor> ( cd .; /usr/bin/perl5 util/ck_errf.pl -strict */*.c */*/*.c ) > > doctor> crypto/ex_data.c:254:crypto_get_ex_new_index:get_and_lock > > doctor> FATAL: error discrepancy > > doctor> *** Error code 1 > > > > Thank you, that is indeed something still lingering. Will be fixed. > > > > doctor> Stop. > > doctor> ns2.nl2k.ab.ca//usr/source/openssl-SNAP-20160313$ less ../configopenssl11 > > doctor> ./Configure \ > > doctor> 386 \ > > doctor> threads \ > > doctor> shared \ > > doctor> no-sse2 \ > > doctor> enable-srtp \ > > doctor> no-sctp \ > > doctor> no-crypto-mdebug-backtrace \ > > doctor> enable-capieng \ > > doctor> enable-crypto-mdebug \ > > doctor> enable-seed \ > > doctor> enable-ssl-trace \ > > doctor> enable-camellia \ > > doctor> enable-rfc3779 enable-mdc2 enable-md5 \ > > doctor> enable-rc5 \ > > doctor> enable-unit-test \ > > doctor> enable-dh \ > > doctor> enable-bf \ > > doctor> enable-cast \ > > doctor> enable-chacha \ > > doctor> enable-cmac \ > > doctor> enable-cms \ > > doctor> enable-ct \ > > doctor> enable-des \ > > doctor> enable-dsa \ > > doctor> enable-dso \ > > doctor> enable-ec \ > > doctor> enable-engine \ > > doctor> enable-err\ > > doctor> enable-hmac \ > > doctor> enable-poly1305 \ > > doctor> enable-rsa \ > > doctor> enable-sha \ > > doctor> enable-srp \ > > doctor> enable-aes \ > > doctor> enable-egd \ > > doctor> enable-zlib \ > > doctor> zlib-dynamic \ > > doctor> --prefix=/usr/contrib \ > > doctor> --openssldir=/usr/contrib debug-bsdi-x86-elf ; make update; make depend > > doctor> > > doctor> and what is debug-bsdi-x86-elf? > > doctor> > > doctor> "debug-bsdi-x86-elf" => { > > doctor> inherit_from => [ asm("x86_elf_asm") ], > > doctor> cc => "gcc", > > doctor> cflags => "-DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer > > doctor> -O2 -march=i486 -Wall -g", > > doctor> thread_cflag => "-pthread -D_THREAD_SAFE -D_REENTRANT", > > doctor> lflags => "-ldl -lgmp -lm -lc -lz", > > doctor> bn_ops => "THIRTY_TWO_BIT_LONG RC4_CHUNK BN_LLONG ", > > doctor> dso_scheme => "dlfcn", > > doctor> shared_target => "bsd-gcc-shared", > > doctor> shared_cflag => "-fPIC", > > doctor> shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", > > doctor> }, > > doctor> > > doctor> > > doctor> I have to drop this each day in > > doctor> > > doctor> Configurations/10-main.conf > > > > Why do you have to drop in that file? I suggest you make your own, > > for example Configurations/20-doctor.conf. That one will be picked up > > along with the rest. > > > > Also, if I may suggest, the "debug-" prefix is antiquated and has been > > replaced with the '-d' option to 'config', which will use additional > > debug flags where appropriate. Unfortunately, the "bsdi-elf-gcc" > > config has never had any debug variant to my knowledge, so I fully > > understand your need there. > > > > The config you have put together has a lot of similarities with the > > "BSD-x86-elf" one, with just a few additions, so it could be made much > > simpler like this: > > > > "bsdi-x86-elf" => { > > inherit_from => [ "BSD-x86-elf" ], > > cflags => add(picker(default => "-DPERL5 -DTERMIOS -march=i486", > > debug => "-O2")), > > lflags => add("-ldl -lgmp -lm -lc"), > > }, > > > > Note the 'debug => ...' line... which flags will be added to the > > cflags when you run './config' with the option '-d'. > > > > All that I have removed is there in BSD-x86-elf, or default in the > > case of the bn_ops (except for THIRTY_TWO_BIT_LONG that simply doesn't > > exist and is silently ignored). Note that '-lz' is added > > automatically when you enable zlib, which your script does. > > > > You may have copy copy the function 'picker' from that start of > > 10-main.conf. > > > > I will stick with what works. > > Also this showed up on > > openssl-SNAP-20160314 > > //usr/source/openssl-SNAP-20160314$ make > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > > I got a bit compiled until this happened. > > Last working package was > > openssl-SNAP-20160311 . > Still the same issue with openssl-SNAP-20160315 . What is the problem with crypto/aes/aes_cfb.o ?? > > -- > > Richard Levitte levitte at openssl.org > > OpenSSL Project http://www.openssl.org/~levitte/ > > -- > > openssl-dev mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > -- > Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca > God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! > http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism > Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From rt at openssl.org Sun Mar 13 14:09:34 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 13 Mar 2016 14:09:34 +0000 Subject: [openssl-dev] [openssl.org #4423] CentOS 7 x86_64, multiple self test failures In-Reply-To: References: Message-ID: Working form Master at 4c1cf7e. $ which perl /usr/bin/perl $ perl --version This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi ********** $ make test ... make[1]: Leaving directory `/home/jwalton/Desktop/openssl' ( cd test; \ SRCTOP=../. \ BLDTOP=../. \ EXE_EXT= \ /usr/bin/perl .././test/run_tests.pl ) ../test/recipes/01-test_ordinals.t ........ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/01-test_ordinals.t line 56. BEGIN failed--compilation aborted at ../test/recipes/01-test_ordinals.t line 56. ../test/recipes/01-test_ordinals.t ........ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_bf.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_bf.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_bf.t line 3. ../test/recipes/05-test_bf.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_cast.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_cast.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_cast.t line 3. ../test/recipes/05-test_cast.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_des.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_des.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_des.t line 3. ../test/recipes/05-test_des.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_hmac.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_hmac.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_hmac.t line 3. ../test/recipes/05-test_hmac.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_idea.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_idea.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_idea.t line 3. ../test/recipes/05-test_idea.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_md2.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_md2.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_md2.t line 3. ../test/recipes/05-test_md2.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_md4.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_md4.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_md4.t line 3. ../test/recipes/05-test_md4.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_md5.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_md5.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_md5.t line 3. ../test/recipes/05-test_md5.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_mdc2.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_mdc2.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_mdc2.t line 3. ../test/recipes/05-test_mdc2.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_rand.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_rand.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_rand.t line 3. ../test/recipes/05-test_rand.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_rc2.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_rc2.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_rc2.t line 3. ../test/recipes/05-test_rc2.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_rc4.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_rc4.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_rc4.t line 3. ../test/recipes/05-test_rc4.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_rc5.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_rc5.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_rc5.t line 3. ../test/recipes/05-test_rc5.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_rmd.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_rmd.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_rmd.t line 3. ../test/recipes/05-test_rmd.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_sha1.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_sha1.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_sha1.t line 3. ../test/recipes/05-test_sha1.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_sha256.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_sha256.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_sha256.t line 3. ../test/recipes/05-test_sha256.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_sha512.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_sha512.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_sha512.t line 3. ../test/recipes/05-test_sha512.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/05-test_wp.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/05-test_wp.t line 3. BEGIN failed--compilation aborted at ../test/recipes/05-test_wp.t line 3. ../test/recipes/05-test_wp.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/10-test_bn.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/10-test_bn.t line 8. BEGIN failed--compilation aborted at ../test/recipes/10-test_bn.t line 8. ../test/recipes/10-test_bn.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/10-test_exp.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/10-test_exp.t line 3. BEGIN failed--compilation aborted at ../test/recipes/10-test_exp.t line 3. ../test/recipes/10-test_exp.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/15-test_dh.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/15-test_dh.t line 3. BEGIN failed--compilation aborted at ../test/recipes/15-test_dh.t line 3. ../test/recipes/15-test_dh.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/15-test_dsa.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/15-test_dsa.t line 7. BEGIN failed--compilation aborted at ../test/recipes/15-test_dsa.t line 7. ../test/recipes/15-test_dsa.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/15-test_ec.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/15-test_ec.t line 7. BEGIN failed--compilation aborted at ../test/recipes/15-test_ec.t line 7. ../test/recipes/15-test_ec.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/15-test_ecdh.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/15-test_ecdh.t line 3. BEGIN failed--compilation aborted at ../test/recipes/15-test_ecdh.t line 3. ../test/recipes/15-test_ecdh.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/15-test_ecdsa.t ........... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/15-test_ecdsa.t line 3. BEGIN failed--compilation aborted at ../test/recipes/15-test_ecdsa.t line 3. ../test/recipes/15-test_ecdsa.t ........... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/15-test_rsa.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/15-test_rsa.t line 7. BEGIN failed--compilation aborted at ../test/recipes/15-test_rsa.t line 7. ../test/recipes/15-test_rsa.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/20-test_enc.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/20-test_enc.t line 10. BEGIN failed--compilation aborted at ../test/recipes/20-test_enc.t line 10. ../test/recipes/20-test_enc.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_crl.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_crl.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_crl.t line 7. ../test/recipes/25-test_crl.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_gen.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_gen.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_gen.t line 7. ../test/recipes/25-test_gen.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_pkcs7.t ........... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_pkcs7.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_pkcs7.t line 7. ../test/recipes/25-test_pkcs7.t ........... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_req.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_req.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_req.t line 7. ../test/recipes/25-test_req.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_sid.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_sid.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_sid.t line 7. ../test/recipes/25-test_sid.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_verify.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_verify.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_verify.t line 7. ../test/recipes/25-test_verify.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/25-test_x509.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/25-test_x509.t line 7. BEGIN failed--compilation aborted at ../test/recipes/25-test_x509.t line 7. ../test/recipes/25-test_x509.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/30-test_afalg.t ........... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/30-test_afalg.t line 55. BEGIN failed--compilation aborted at ../test/recipes/30-test_afalg.t line 55. ../test/recipes/30-test_afalg.t ........... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/30-test_engine.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/30-test_engine.t line 6. BEGIN failed--compilation aborted at ../test/recipes/30-test_engine.t line 6. ../test/recipes/30-test_engine.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/30-test_evp.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/30-test_evp.t line 6. BEGIN failed--compilation aborted at ../test/recipes/30-test_evp.t line 6. ../test/recipes/30-test_evp.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/30-test_evp_extra.t ....... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/30-test_evp_extra.t line 6. BEGIN failed--compilation aborted at ../test/recipes/30-test_evp_extra.t line 6. ../test/recipes/30-test_evp_extra.t ....... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/30-test_pbelu.t ........... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/30-test_pbelu.t line 3. BEGIN failed--compilation aborted at ../test/recipes/30-test_pbelu.t line 3. ../test/recipes/30-test_pbelu.t ........... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/40-test_rehash.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/40-test_rehash.t line 9. BEGIN failed--compilation aborted at ../test/recipes/40-test_rehash.t line 9. ../test/recipes/40-test_rehash.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_clienthello.t ..... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_clienthello.t line 3. BEGIN failed--compilation aborted at ../test/recipes/70-test_clienthello.t line 3. ../test/recipes/70-test_clienthello.t ..... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_packet.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/70-test_packet.t line 3. BEGIN failed--compilation aborted at ../test/recipes/70-test_packet.t line 3. ../test/recipes/70-test_packet.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_sslcertstatus.t ... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_sslcertstatus.t line 56. BEGIN failed--compilation aborted at ../test/recipes/70-test_sslcertstatus.t line 56. ../test/recipes/70-test_sslcertstatus.t ... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_sslextension.t .... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_sslextension.t line 56. BEGIN failed--compilation aborted at ../test/recipes/70-test_sslextension.t line 56. ../test/recipes/70-test_sslextension.t .... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_sslsessiontick.t .. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_sslsessiontick.t line 56. BEGIN failed--compilation aborted at ../test/recipes/70-test_sslsessiontick.t line 56. ../test/recipes/70-test_sslsessiontick.t .. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_sslskewith0p.t .... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_sslskewith0p.t line 56. BEGIN failed--compilation aborted at ../test/recipes/70-test_sslskewith0p.t line 56. ../test/recipes/70-test_sslskewith0p.t .... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_sslvertol.t ....... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_sslvertol.t line 56. BEGIN failed--compilation aborted at ../test/recipes/70-test_sslvertol.t line 56. ../test/recipes/70-test_sslvertol.t ....... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_tlsextms.t ........ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_tlsextms.t line 56. BEGIN failed--compilation aborted at ../test/recipes/70-test_tlsextms.t line 56. ../test/recipes/70-test_tlsextms.t ........ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/70-test_verify_extra.t .... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/70-test_verify_extra.t line 3. BEGIN failed--compilation aborted at ../test/recipes/70-test_verify_extra.t line 3. ../test/recipes/70-test_verify_extra.t .... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_ca.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_ca.t line 8. BEGIN failed--compilation aborted at ../test/recipes/80-test_ca.t line 8. ../test/recipes/80-test_ca.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_cms.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_cms.t line 9. BEGIN failed--compilation aborted at ../test/recipes/80-test_cms.t line 9. ../test/recipes/80-test_cms.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_ct.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_ct.t line 3. BEGIN failed--compilation aborted at ../test/recipes/80-test_ct.t line 3. ../test/recipes/80-test_ct.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_dane.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_dane.t line 5. BEGIN failed--compilation aborted at ../test/recipes/80-test_dane.t line 5. ../test/recipes/80-test_dane.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_dtlsv1listen.t .... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/80-test_dtlsv1listen.t line 3. BEGIN failed--compilation aborted at ../test/recipes/80-test_dtlsv1listen.t line 3. ../test/recipes/80-test_dtlsv1listen.t .... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_ocsp.t ............ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_ocsp.t line 9. BEGIN failed--compilation aborted at ../test/recipes/80-test_ocsp.t line 9. ../test/recipes/80-test_ocsp.t ............ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_ssl.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_ssl.t line 9. BEGIN failed--compilation aborted at ../test/recipes/80-test_ssl.t line 9. ../test/recipes/80-test_ssl.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/80-test_tsa.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/80-test_tsa.t line 9. BEGIN failed--compilation aborted at ../test/recipes/80-test_tsa.t line 9. ../test/recipes/80-test_tsa.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_async.t ........... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_async.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_async.t line 3. ../test/recipes/90-test_async.t ........... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_constant_time.t ... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_constant_time.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_constant_time.t line 3. ../test/recipes/90-test_constant_time.t ... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_gmdiff.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_gmdiff.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_gmdiff.t line 3. ../test/recipes/90-test_gmdiff.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_heartbeat.t ....... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_heartbeat.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_heartbeat.t line 3. ../test/recipes/90-test_heartbeat.t ....... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_ige.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_ige.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_ige.t line 3. ../test/recipes/90-test_ige.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_memleak.t ......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/90-test_memleak.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_memleak.t line 3. ../test/recipes/90-test_memleak.t ......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_networking.t ...... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/recipes/90-test_networking.t line 56. BEGIN failed--compilation aborted at ../test/recipes/90-test_networking.t line 56. ../test/recipes/90-test_networking.t ...... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_np.t .............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_np.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_np.t line 3. ../test/recipes/90-test_np.t .............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_p5_crpt2.t ........ Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_p5_crpt2.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_p5_crpt2.t line 3. ../test/recipes/90-test_p5_crpt2.t ........ Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_secmem.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_secmem.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_secmem.t line 3. ../test/recipes/90-test_secmem.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_srp.t ............. Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_srp.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_srp.t line 3. ../test/recipes/90-test_srp.t ............. Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_threads.t ......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_threads.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_threads.t line 3. ../test/recipes/90-test_threads.t ......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run ../test/recipes/90-test_v3name.t .......... Can't locate Test/More.pm in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ../test/testlib/OpenSSL/Test.pm line 6. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm line 6. Compilation failed in require at ../test/testlib/OpenSSL/Test/Simple.pm line 30. BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test/Simple.pm line 30. Compilation failed in require at ../test/recipes/90-test_v3name.t line 3. BEGIN failed--compilation aborted at ../test/recipes/90-test_v3name.t line 3. ../test/recipes/90-test_v3name.t .......... Dubious, test returned 2 (wstat 512, 0x200) No subtests run Test Summary Report ------------------- ../test/recipes/01-test_ordinals.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_bf.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_cast.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_des.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_hmac.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_idea.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_md2.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_md4.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_md5.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_mdc2.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_rand.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_rc2.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_rc4.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_rc5.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_rmd.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_sha1.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_sha256.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_sha512.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/05-test_wp.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/10-test_bn.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/10-test_exp.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/15-test_dh.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/15-test_dsa.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/15-test_ec.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/15-test_ecdh.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/15-test_ecdsa.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/15-test_rsa.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/20-test_enc.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_crl.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_gen.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_pkcs7.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_req.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_sid.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_verify.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/25-test_x509.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/30-test_afalg.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/30-test_engine.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/30-test_evp.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/30-test_evp_extra.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/30-test_pbelu.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/40-test_rehash.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_clienthello.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_packet.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_sslcertstatus.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_sslextension.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_sslsessiontick.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_sslskewith0p.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_sslvertol.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_tlsextms.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/70-test_verify_extra.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_ca.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_cms.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_ct.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_dane.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_dtlsv1listen.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_ocsp.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_ssl.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/80-test_tsa.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_async.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_constant_time.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_gmdiff.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_heartbeat.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_ige.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_memleak.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_networking.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_np.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_p5_crpt2.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_secmem.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_srp.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_threads.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output ../test/recipes/90-test_v3name.t (Wstat: 512 Tests: 0 Failed: 0) Non-zero exit status: 2 Parse errors: No plan found in TAP output Files=71, Tests=0, 0 wallclock secs ( 0.13 usr 0.10 sys + 0.37 cusr 0.18 csys = 0.78 CPU) Result: FAIL Failed 71/71 test programs. 0/0 subtests failed. make: *** [test] Error 2 [jwalton at localhost openssl]$ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4423 Please log in as guest with password guest if prompted From levitte at openssl.org Tue Mar 15 17:09:08 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 15 Mar 2016 18:09:08 +0100 (CET) Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160315153241.GA3975@doctor.nl2k.ab.ca> References: <20160313.145317.1352296580688800557.levitte@openssl.org> <20160314150256.GA18839@doctor.nl2k.ab.ca> <20160315153241.GA3975@doctor.nl2k.ab.ca> Message-ID: <20160315.180908.1144685507025336281.levitte@openssl.org> In message <20160315153241.GA3975 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 09:32:42 -0600, The Doctor said: doctor> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: doctor> > //usr/source/openssl-SNAP-20160314$ make doctor> > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop doctor> > doctor> > I got a bit compiled until this happened. doctor> > doctor> > Last working package was doctor> > doctor> > openssl-SNAP-20160311 . doctor> > doctor> doctor> Still the same issue with openssl-SNAP-20160315 . doctor> doctor> What is the problem with crypto/aes/aes_cfb.o doctor> ?? Hmmm, the seems like an issue with dependency making, somehow. could you run this command and send me the result (I hope your grep understands -A and -B, which is used to display a number of lines After and Before a match)? $ grep -A5 -B5 aes_cfb.o:crypto Makefile -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Tue Mar 15 17:28:21 2016 From: rt at openssl.org (Jeremy Farrell via RT) Date: Tue, 15 Mar 2016 17:28:21 +0000 Subject: [openssl-dev] [openssl.org #4432] [BUG] Building with "no-des" fails at crypto/cms/cms_kari.c In-Reply-To: <56E84618.7080301@oracle.com> References: <56E84618.7080301@oracle.com> Message-ID: On 15/03/2016 14:41, Tuyen Tran via RT wrote: > ../libcrypto.a(cms_kari.o): In function `cms_RecipientInfo_kari_encrypt': > cms_kari.c:(.text+0x647): undefined reference to `EVP_des_ede3_wrap' > > Using: > > $ uname -s -r -v -m -p -i -o > Linux 2.6.32-573.18.1.el6.x86_64 #1 SMP Wed Jan 6 11:20:49 EST 2016 x86_64 > x86_64 x86_64 GNU/Linux > ~/sandbox/openssl-1.0.2g > > Please see https://github.com/openssl/openssl/pull/872 Duplicate of https://rt.openssl.org/Ticket/Display.html?id=3893, https://rt.openssl.org/Ticket/Display.html?id=3910, and https://rt.openssl.org/Ticket/Display.html?id=4316. 4316 offers an alternative approach to the fix (don't know which is more appropriate) and also handles the no-aes case. -- J. J. Farrell Not speaking for Oracle. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4432 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 15 18:40:38 2016 From: rt at openssl.org (Tuyen Tran via RT) Date: Tue, 15 Mar 2016 18:40:38 +0000 Subject: [openssl-dev] [openssl.org #4432] [BUG] Building with "no-des" fails at crypto/cms/cms_kari.c In-Reply-To: References: Message-ID: Thank you Jeremy. I have add a commit to handle no-aes as well. -- Tuyen Tran -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4432 Please log in as guest with password guest if prompted From uri at ll.mit.edu Tue Mar 15 19:09:36 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 15 Mar 2016 19:09:36 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160315074717.GF6602@mournblade.imrryr.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> <20160315063332.GD6602@mournblade.imrryr.org> <20160315074717.GF6602@mournblade.imrryr.org> Message-ID: First of all - thank you! It is great to see useful capabilities added (I consider stream ciphers and AEAD modes very useful :). I fully agree that unsigned CMS is an invitation to trouble. If I understand correctly, the intended openssl use is ?openssl cms -encrypt ? | openssl cms -sign ?? (or the other way around :). $ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf -new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days 100 -subj "/CN=RC4 CMS Test" Generating a 2048 bit RSA private key ..........................................+++ .....+++ writing new private key to 'key.pem' ----- $ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial serial=B83C7468CCE8930E $ echo sesame > data.txt $ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in data.txt -out data.txt.cms -outform DER cert.pem $ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms -inform DER -out data2.txt -inkey key.pem -recip cert.pem $ diff -u data.txt data2.txt $ openssl asn1parse -inform DER -in data.txt.cms 0:d=0 hl=4 l= 380 cons: SEQUENCE 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData 15:d=1 hl=4 l= 365 cons: cont [ 0 ] . . . . . . . 90:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:362DC32CD6520D3765255D9549BEC058766499C0581430E84929419730B08C31C6E78 D22CB8D8C026EEB75203D19148C97F8F73C7066D158E6E85FEA41972B50EB245ACB15C23209 7DD3046901882B95C9AD102F8E34E0E049B4A374F1EF61C48E1F90F95A3F8E2306161AF0882 99F7A4949D706FBF6A92DB8BB5DF293E1B3BA135BAA8E63FE94C0BBD7A29D31AD28E9137D66 41CF7490257BEE23161A478B6FCBDEE05B1578592272335713196C3F26139A41B76A3EA1371 FA875A4DD09C150D4674AF7A399F886A09D245EE1A81AEC8A96B4647C712D366A0FBC7964FE C6EF69A076CB58A81ED8DBD466FAA1E9CD072C8242B5D68F3CDB95C5CF04AFE71795 350:d=3 hl=2 l= 32 cons: SEQUENCE 352:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data 363:d=4 hl=2 l= 10 cons: SEQUENCE 365:d=5 hl=2 l= 8 prim: OBJECT :rc4 375:d=4 hl=2 l= 7 prim: cont [ 0 ] $ The only problem - now I have one test failing: ../test/recipes/80-test_ca.t .............. ok ../test/recipes/80-test_cms.t ............. 2/4 # Failed test 'encrypted content test streaming PEM format, 128 bit RC2 key' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'encrypted content test streaming PEM format, 40 bit RC2 key' # at ../test/recipes/80-test_cms.t line 418. # Looks like you failed 2 tests of 27. ../test/recipes/80-test_cms.t ............. 3/4 # Failed test 'CMS <=> CMS consistency tests # ' # at ../test/recipes/80-test_cms.t line 423. ../test/recipes/80-test_cms.t ............. 4/4 # Looks like you failed 1 test of 4. ../test/recipes/80-test_cms.t ............. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests ../test/recipes/80-test_ct.t .............. Ok I wonder how difficult would it be to add AEAD support, considering that they (usually) can take 96-bit nonce (treated as IV), and the authentication tag often is just appended to the ciphertext (and expected at the end of the ciphertext during decryption). -- Regards, Uri Blumenthal On 3/15/16, 3:47 , "openssl-dev on behalf of Viktor Dukhovni" wrote: >On Tue, Mar 15, 2016 at 06:33:32AM +0000, Viktor Dukhovni wrote: > >> This is completely untested, may not even compile! Enjoy. > >It does seem to work, so one key remaining questions is whether it >is interoperable: > > $ ./util/shlib_wrap.sh ./apps/openssl req -config apps/openssl.cnf >-new -x509 -newkey rsa:2048 -keyout key.pem -nodes -out cert.pem -days >100 -subj "/CN=RC4 CMS Test" > > $ ./util/shlib_wrap.sh ./apps/openssl x509 -in cert.pem -noout -serial > serial=ACD5DEDE758B9AA6 > $ echo sesame > data.txt > $ ./util/shlib_wrap.sh ./apps/openssl cms -rc4 -encrypt -binary -in >data.txt -out data.txt.cms -outform DER cert.pem > $ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms >-inform DER -out data2.txt -inkey key.pem -recip cert.pem > $ diff -u data.txt data2.txt > > $ openssl asn1parse -inform DER -in data.txt.cms > 0:d=0 hl=4 l= 380 cons: SEQUENCE > 4:d=1 hl=2 l= 9 prim: OBJECT :pkcs7-envelopedData > 15:d=1 hl=4 l= 365 cons: cont [ 0 ] > 19:d=2 hl=4 l= 361 cons: SEQUENCE > 23:d=3 hl=2 l= 1 prim: INTEGER :00 > 26:d=3 hl=4 l= 320 cons: SET > 30:d=4 hl=4 l= 316 cons: SEQUENCE > 34:d=5 hl=2 l= 1 prim: INTEGER :00 > 37:d=5 hl=2 l= 36 cons: SEQUENCE > 39:d=6 hl=2 l= 23 cons: SEQUENCE > 41:d=7 hl=2 l= 21 cons: SET > 43:d=8 hl=2 l= 19 cons: SEQUENCE > 45:d=9 hl=2 l= 3 prim: OBJECT :commonName > 50:d=9 hl=2 l= 12 prim: UTF8STRING :RC4 CMS Test > 64:d=6 hl=2 l= 9 prim: INTEGER :ACD5DEDE758B9AA6 > 75:d=5 hl=2 l= 13 cons: SEQUENCE > 77:d=6 hl=2 l= 9 prim: OBJECT :rsaEncryption > 88:d=6 hl=2 l= 0 prim: NULL > 90:d=5 hl=4 l= 256 prim: OCTET STRING [HEX >DUMP]:70BD8B31ACD24F8184A54AF52446D10898DC09E4636456B8E14B3073701CAD5226C0 >AA03C0AD45B7056DB0A10F01487DC4DE0D35FDE7291875D665DEBB76049C6D660C885A0119 >49A051874DF0CCEA181F9D60BC6BB8BD989B69900E917CCE170F60A34DC77A0EEFB935E135 >78F3AC9703AE02D972F853DBB3302BEB28F1F8E54964E7528E9E24EEA6950535EF2D1027C3 >1CCAEB1FAB8F454ADBEB1DB9FD2A0F61F276498E64931483FDD40E90DD956BF991C3524C9E >DA70211A256BEEFED941474B26ED7A4516873A12240C505813B6BD6EDFE6ED367FEAC86AEC >2602A8E1C0C5ACE9C2745FA1B6702F1550FD1ECE322CD7F165DA621E984F1186CA981829AE > 350:d=3 hl=2 l= 32 cons: SEQUENCE > 352:d=4 hl=2 l= 9 prim: OBJECT :pkcs7-data > 363:d=4 hl=2 l= 10 cons: SEQUENCE > 365:d=5 hl=2 l= 8 prim: OBJECT :rc4 > 375:d=4 hl=2 l= 7 prim: cont [ 0 ] > $ tail -c8 data.txt.cms | od -tx1 > 0000000 07 c3 e2 69 a0 ab 3b ec > 0000010 > >That said, stream ciphers with unsigned CMS are especially unsafe. >Since the payload has no MAC or padding of any kind, it is trivial >to XOR any desired mask into the received plaintext: > > $ < data.txt.cms perl -e ' > ($a, $b) = map { unpack("Q", "0$_\n") } qw(sesame unsafe); > $/ = undef; $cms = ; > substr($cms, -8) = pack("Q", unpack("Q", substr($cms, -8)) ^ $a ^ $b); > print $cms' > data.txt.cms2 > $ ./util/shlib_wrap.sh ./apps/openssl cms -decrypt -in data.txt.cms2 >-inform DER -out data3.txt -inkey key.pem -recip cert.pem > $ cat data3.txt > unsafe > >In the above example, a ciphertext-only transformation changes >'sesame' to 'unsafe'. That, plus RC4's biases, make it unwise in >this context. At the very least the CMS message MUST be signed, >and the first 256 bytes should not contain sensitive and yet >frequently transmitted content. > >Don't let your children play with RC4 in CMS. > >Of course, unsigned CMS payloads are also vulnerable to silent >corruption even with block ciphers in CBC mode, XOR of a mask into >a ciphertext block randomizes the plaintext of that block, but >makes a predictable change in the plaintext of the next block. > >So, don't expect data integrity from unsigned CMS. > >-- > Viktor. >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From openssl-users at dukhovni.org Tue Mar 15 19:29:04 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 15 Mar 2016 19:29:04 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> <20160315063332.GD6602@mournblade.imrryr.org> <20160315074717.GF6602@mournblade.imrryr.org> Message-ID: <20160315192904.GK6602@mournblade.imrryr.org> On Tue, Mar 15, 2016 at 07:09:36PM +0000, Blumenthal, Uri - 0553 - MITLL wrote: > First of all - thank you! It is great to see useful capabilities added (I > consider stream ciphers and AEAD modes very useful :). I fully agree that > unsigned CMS is an invitation to trouble. If I understand correctly, the > intended openssl use is ?openssl cms -encrypt ? | openssl cms -sign ?? (or > the other way around :). These days, most people recommend encrypt then sign. CMS and S/MIME natively support sign-then-encrypt, but encapsulating encrypted content as signed content as above also works. > The only problem - now I have one test failing: > > ../test/recipes/80-test_ca.t .............. ok > ../test/recipes/80-test_cms.t ............. 2/4 The CMS tests pass when I run them: $ HARNESS_VERBOSE=yes make TESTS=test_cms test ( cd test; SRCTOP=../. BLDTOP=../. EXE_EXT= /usr/pkg/bin/perl .././test/run_tests.pl test_cms ) ../test/recipes/80-test_cms.t .. 1..4 # Subtest: CMS => PKCS#7 compatibility tests 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 1 - CMS => PKCS\#7 compatibility tests # # Subtest: CMS <= PKCS#7 compatibility tests 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 2 - CMS <= PKCS\#7 compatibility tests # # Subtest: CMS <=> CMS consistency tests 1..27 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients Verification successful ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid Verification successful ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys Verification successful ok 18 - signed content MIME format, RSA key, signed receipt request Verification successful ok 19 - signed receipt MIME format, RSA key ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid ok 21 - enveloped content test streaming PEM format, KEK ok 22 - enveloped content test streaming PEM format, KEK, key only ok 23 - data content test streaming PEM format ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key ok 26 - encrypted content test streaming PEM format, triple DES key ok 27 - encrypted content test streaming PEM format, 128 bit AES key ok 3 - CMS <=> CMS consistency tests # # Subtest: CMS <=> CMS consistency tests, modified key parameters 1..11 Verification successful ok 1 - signed content test streaming PEM format, RSA keys, PSS signature Verification successful ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes Verification successful ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 ok 6 - enveloped content test streaming S/MIME format, ECDH ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH ok 10 - enveloped content test streaming S/MIME format, X9.42 DH ok 11 # skip Zlib not supported: compression tests skipped ok 4 - CMS <=> CMS consistency tests, modified key parameters # ok All tests successful. Files=1, Tests=4, 6 wallclock secs ( 0.05 usr 0.01 sys + 2.68 cusr 4.76 csys = 7.50 CPU) Result: PASS > I wonder how difficult would it be to add AEAD support, considering that > they (usually) can take 96-bit nonce (treated as IV), and the > authentication tag often is just appended to the ciphertext (and expected > at the end of the ciphertext during decryption). Take a look at the RFC and the code... -- Viktor. From openssl-users at dukhovni.org Tue Mar 15 19:54:02 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Tue, 15 Mar 2016 19:54:02 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160315192904.GK6602@mournblade.imrryr.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> <20160315063332.GD6602@mournblade.imrryr.org> <20160315074717.GF6602@mournblade.imrryr.org> <20160315192904.GK6602@mournblade.imrryr.org> Message-ID: <20160315195402.GL6602@mournblade.imrryr.org> On Tue, Mar 15, 2016 at 07:29:04PM +0000, Viktor Dukhovni wrote: > ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key > ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key The underlying test commands amount to: $ cd test $ openssl cms -EncryptedData_encrypt -in smcont.txt -outform PEM -rc2 -secretkey 000102030405060708090A0B0C0D0E0F -stream -out test.cms $ openssl cms -EncryptedData_decrypt -in test.cms -inform PEM -secretkey 000102030405060708090A0B0C0D0E0F -out smtst.txt For me these succeed and result in smtst.txt identical to smcont.txt. -- Viktor. From uri at ll.mit.edu Tue Mar 15 19:56:12 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 15 Mar 2016 19:56:12 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160315192904.GK6602@mournblade.imrryr.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> <20160315063332.GD6602@mournblade.imrryr.org> <20160315074717.GF6602@mournblade.imrryr.org> <20160315192904.GK6602@mournblade.imrryr.org> Message-ID: On 3/15/16, 15:29 , "openssl-dev on behalf of Viktor Dukhovni" wrote: >These days, most people recommend encrypt then sign. CMS and S/MIME >natively support sign-then-encrypt, but encapsulating encrypted >content as signed content as above also works. Please excuse my ignorance - how do you invoke ?openssl cms? to accomplish native ?sign-then-encrypt? (which in some cases is still OK)? >>The only problem - now I have one test failing: >> >> ../test/recipes/80-test_ca.t .............. ok >> ../test/recipes/80-test_cms.t ............. 2/4 > >The CMS tests pass when I run them: > >$ HARNESS_VERBOSE=yes make TESTS=test_cms test >( cd test; SRCTOP=../. BLDTOP=../. EXE_EXT= /usr/pkg/bin/perl >.././test/run_tests.pl test_cms ) >../test/recipes/80-test_cms.t .. Alas, for some reason does not work here: ../test/recipes/80-test_ca.t .............. ok ../test/recipes/80-test_cms.t ............. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients' # at ../test/recipes/80-test_cms.t line 376. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used' # at ../test/recipes/80-test_cms.t line 376. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used' # at ../test/recipes/80-test_cms.t line 376. # Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients' # at ../test/recipes/80-test_cms.t line 376. # Looks like you failed 4 tests of 15. ../test/recipes/80-test_cms.t ............. 1/4 # Failed test 'CMS => PKCS\#7 compatibility tests # ' # at ../test/recipes/80-test_cms.t line 381. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients' # at ../test/recipes/80-test_cms.t line 391. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used' # at ../test/recipes/80-test_cms.t line 391. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used' # at ../test/recipes/80-test_cms.t line 391. # Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients' # at ../test/recipes/80-test_cms.t line 391. # Looks like you failed 4 tests of 15. ../test/recipes/80-test_cms.t ............. 2/4 # Failed test 'CMS <= PKCS\#7 compatibility tests # ' # at ../test/recipes/80-test_cms.t line 396. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients' # at ../test/recipes/80-test_cms.t line 407. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used' # at ../test/recipes/80-test_cms.t line 407. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used' # at ../test/recipes/80-test_cms.t line 407. # Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients' # at ../test/recipes/80-test_cms.t line 407. # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, keyid' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'enveloped content test streaming PEM format, KEK' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'enveloped content test streaming PEM format, KEK, key only' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'encrypted content test streaming PEM format, 128 bit RC2 key' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'encrypted content test streaming PEM format, 40 bit RC2 key' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'encrypted content test streaming PEM format, triple DES key' # at ../test/recipes/80-test_cms.t line 418. # Failed test 'encrypted content test streaming PEM format, 128 bit AES key' # at ../test/recipes/80-test_cms.t line 418. # Looks like you failed 11 tests of 27. ../test/recipes/80-test_cms.t ............. 3/4 # Failed test 'CMS <=> CMS consistency tests # ' # at ../test/recipes/80-test_cms.t line 423. # Failed test 'enveloped content test streaming S/MIME format, OAEP default parameters' # at ../test/recipes/80-test_cms.t line 435. # Failed test 'enveloped content test streaming S/MIME format, OAEP SHA256' # at ../test/recipes/80-test_cms.t line 435. # Failed test 'enveloped content test streaming S/MIME format, ECDH' # at ../test/recipes/80-test_cms.t line 435. # Failed test 'enveloped content test streaming S/MIME format, ECDH, key identifier' # at ../test/recipes/80-test_cms.t line 435. # Failed test 'enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF' # at ../test/recipes/80-test_cms.t line 435. # Failed test 'enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH' # at ../test/recipes/80-test_cms.t line 435. # Failed test 'enveloped content test streaming S/MIME format, X9.42 DH' # at ../test/recipes/80-test_cms.t line 435. # Looks like you failed 7 tests of 11. # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 4 tests of 4. ../test/recipes/80-test_cms.t ............. Dubious, test returned 4 (wstat 1024, 0x400) Failed 4/4 subtests ../test/recipes/80-test_ct.t .............. ok ../test/recipes/80-test_dane.t ............ ok ../test/recipes/80-test_dtlsv1listen.t .... ok ../test/recipes/80-test_ocsp.t ............ ok ../test/recipes/80-test_ssl.t ............. ok ../test/recipes/80-test_tsa.t ............. ok ../test/recipes/90-test_async.t ........... ok ../test/recipes/90-test_constant_time.t ... ok ../test/recipes/90-test_gmdiff.t .......... ok ../test/recipes/90-test_heartbeat.t ....... skipped: heartbeats is not supported by this OpenSSL build ../test/recipes/90-test_ige.t ............. ok ../test/recipes/90-test_memleak.t ......... ok ../test/recipes/90-test_networking.t ...... ok ../test/recipes/90-test_np.t .............. ok ../test/recipes/90-test_p5_crpt2.t ........ ok ../test/recipes/90-test_secmem.t .......... ok ../test/recipes/90-test_srp.t ............. ok ../test/recipes/90-test_threads.t ......... ok ../test/recipes/90-test_v3name.t .......... ok Test Summary Report ------------------- ../test/recipes/80-test_cms.t (Wstat: 1024 Tests: 4 Failed: 4) Failed tests: 1-4 Non-zero exit status: 4 Files=71, Tests=394, 51 wallclock secs ( 0.50 usr 0.16 sys + 32.64 cusr 14.65 csys = 47.95 CPU) Result: FAIL Failed 1/71 test programs. 4/394 subtests failed. make: *** [test] Error 255 And here?s the detailed output: $ HARNESS_VERBOSE=yes make TESTS=test_cms test ( cd test; \ SRCTOP=../. \ BLDTOP=../. \ EXE_EXT= \ /opt/local/bin/perl5 .././test/run_tests.pl test_cms ) ../test/recipes/80-test_cms.t .. 1..4 # Subtest: CMS => PKCS#7 compatibility tests 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 12 - enveloped content test streaming S/MIME format, 3 recipients # Failed test 'enveloped content test streaming S/MIME format, 3 recipients' # at ../test/recipes/80-test_cms.t line 376. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used' # at ../test/recipes/80-test_cms.t line 376. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used' # at ../test/recipes/80-test_cms.t line 376. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients # Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients' # at ../test/recipes/80-test_cms.t line 376. # Looks like you failed 4 tests of 15. not ok 1 - CMS => PKCS\#7 compatibility tests # # Failed test 'CMS => PKCS\#7 compatibility tests # ' # at ../test/recipes/80-test_cms.t line 381. # Subtest: CMS <= PKCS#7 compatibility tests 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys Error writing output 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 12 - enveloped content test streaming S/MIME format, 3 recipients # Failed test 'enveloped content test streaming S/MIME format, 3 recipients' # at ../test/recipes/80-test_cms.t line 391. Error writing output 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used' # at ../test/recipes/80-test_cms.t line 391. Error writing output 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used' # at ../test/recipes/80-test_cms.t line 391. Error writing output 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients # Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients' # at ../test/recipes/80-test_cms.t line 391. # Looks like you failed 4 tests of 15. not ok 2 - CMS <= PKCS\#7 compatibility tests # # Failed test 'CMS <= PKCS\#7 compatibility tests # ' # at ../test/recipes/80-test_cms.t line 396. # Subtest: CMS <=> CMS consistency tests 1..27 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 12 - enveloped content test streaming S/MIME format, 3 recipients # Failed test 'enveloped content test streaming S/MIME format, 3 recipients' # at ../test/recipes/80-test_cms.t line 407. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, 3rd used' # at ../test/recipes/80-test_cms.t line 407. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, key only used' # at ../test/recipes/80-test_cms.t line 407. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients # Failed test 'enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients' # at ../test/recipes/80-test_cms.t line 407. Verification successful ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid Verification successful ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys Verification successful ok 18 - signed content MIME format, RSA key, signed receipt request Verification successful ok 19 - signed receipt MIME format, RSA key 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid # Failed test 'enveloped content test streaming S/MIME format, 3 recipients, keyid' # at ../test/recipes/80-test_cms.t line 418. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 21 - enveloped content test streaming PEM format, KEK # Failed test 'enveloped content test streaming PEM format, KEK' # at ../test/recipes/80-test_cms.t line 418. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 22 - enveloped content test streaming PEM format, KEK, key only # Failed test 'enveloped content test streaming PEM format, KEK, key only' # at ../test/recipes/80-test_cms.t line 418. ok 23 - data content test streaming PEM format 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key # Failed test 'encrypted content test streaming PEM format, 128 bit RC2 key' # at ../test/recipes/80-test_cms.t line 418. 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key # Failed test 'encrypted content test streaming PEM format, 40 bit RC2 key' # at ../test/recipes/80-test_cms.t line 418. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 26 - encrypted content test streaming PEM format, triple DES key # Failed test 'encrypted content test streaming PEM format, triple DES key' # at ../test/recipes/80-test_cms.t line 418. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 27 - encrypted content test streaming PEM format, 128 bit AES key # Failed test 'encrypted content test streaming PEM format, 128 bit AES key' # at ../test/recipes/80-test_cms.t line 418. # Looks like you failed 11 tests of 27. not ok 3 - CMS <=> CMS consistency tests # # Failed test 'CMS <=> CMS consistency tests # ' # at ../test/recipes/80-test_cms.t line 423. # Subtest: CMS <=> CMS consistency tests, modified key parameters 1..11 Verification successful ok 1 - signed content test streaming PEM format, RSA keys, PSS signature Verification successful ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes Verification successful ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters # Failed test 'enveloped content test streaming S/MIME format, OAEP default parameters' # at ../test/recipes/80-test_cms.t line 435. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 # Failed test 'enveloped content test streaming S/MIME format, OAEP SHA256' # at ../test/recipes/80-test_cms.t line 435. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 6 - enveloped content test streaming S/MIME format, ECDH # Failed test 'enveloped content test streaming S/MIME format, ECDH' # at ../test/recipes/80-test_cms.t line 435. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier # Failed test 'enveloped content test streaming S/MIME format, ECDH, key identifier' # at ../test/recipes/80-test_cms.t line 435. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF # Failed test 'enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF' # at ../test/recipes/80-test_cms.t line 435. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH # Failed test 'enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH' # at ../test/recipes/80-test_cms.t line 435. 140735094448896:error:0D08706D:asn1 encoding routines:ASN1_TYPE_get_octetstring:data is wrong:crypto/asn1/evp_asn1.c:84: 140735094448896:error:2E078066:CMS routines:cms_EncryptedContent_init_bio:cipher parameter initialisation error:crypto/cms/cms_enc.c:187: 140735094448896:error:0D0D3041:asn1 encoding routines:i2d_ASN1_bio_stream:malloc failure:crypto/asn1/asn_mime.c:119: not ok 10 - enveloped content test streaming S/MIME format, X9.42 DH # Failed test 'enveloped content test streaming S/MIME format, X9.42 DH' # at ../test/recipes/80-test_cms.t line 435. ok 11 - compressed content test streaming PEM format # Looks like you failed 7 tests of 11. not ok 4 - CMS <=> CMS consistency tests, modified key parameters # # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 4 tests of 4. Dubious, test returned 4 (wstat 1024, 0x400) Failed 4/4 subtests Test Summary Report ------------------- ../test/recipes/80-test_cms.t (Wstat: 1024 Tests: 4 Failed: 4) Failed tests: 1-4 Non-zero exit status: 4 Files=1, Tests=4, 3 wallclock secs ( 0.04 usr 0.01 sys + 1.02 cusr 1.07 csys = 2.14 CPU) Result: FAIL Failed 1/1 test programs. 4/4 subtests failed. make: *** [test] Error 4 In case it matters, the configuration: ./Configure darwin64-x86_64-cc threads shared zlib enable-ec_nistp_64_gcc_128 enable-rfc3779 --prefix=/Users/ur20980/src/openssl-1.1 --openssldir=/Users/ur20980/src/openssl-1.1/etc >>I wonder how difficult would it be to add AEAD support, considering that >> they (usually) can take 96-bit nonce (treated as IV), and the >> authentication tag often is just appended to the ciphertext (and >>expected >> at the end of the ciphertext during decryption). > >Take a look at the RFC and the code... :-) Did you mean https://tools.ietf.org/html/rfc5652, or https://tools.ietf.org/html/rfc5116, or both? P.S. You might like to know that (a) I retrofitted that patch to 1.0.2h-dev, and (b) it works fine with the private key on the token: $ pkcs15-tool -r 03 -o token.cert.pem Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID $ openssl cms -rc4 -encrypt -binary -in data.txt -out data3.txt.cms -outform DER rsa-token.cert.pem $ openssl cms -engine pkcs11 -decrypt -in data3.txt.cms -inform DER -out data3.txt -keyform engine -inkey id_03 -recip rsa-token.cert.pem engine "pkcs11" set. PKCS#11 token PIN: $ diff -u data.txt data3.txt $ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From doctor at doctor.nl2k.ab.ca Tue Mar 15 20:01:07 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Tue, 15 Mar 2016 14:01:07 -0600 Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160315.180908.1144685507025336281.levitte@openssl.org> References: <20160313.145317.1352296580688800557.levitte@openssl.org> <20160314150256.GA18839@doctor.nl2k.ab.ca> <20160315153241.GA3975@doctor.nl2k.ab.ca> <20160315.180908.1144685507025336281.levitte@openssl.org> Message-ID: <20160315200107.GA12050@doctor.nl2k.ab.ca> On Tue, Mar 15, 2016 at 06:09:08PM +0100, Richard Levitte wrote: > In message <20160315153241.GA3975 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 09:32:42 -0600, The Doctor said: > > doctor> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: > doctor> > //usr/source/openssl-SNAP-20160314$ make > doctor> > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > doctor> > > doctor> > I got a bit compiled until this happened. > doctor> > > doctor> > Last working package was > doctor> > > doctor> > openssl-SNAP-20160311 . > doctor> > > doctor> > doctor> Still the same issue with openssl-SNAP-20160315 . > doctor> > doctor> What is the problem with crypto/aes/aes_cfb.o > doctor> ?? > > Hmmm, the seems like an issue with dependency making, somehow. > > could you run this command and send me the result (I hope your grep > understands -A and -B, which is used to display a number of lines > After and Before a match)? > > $ grep -A5 -B5 aes_cfb.o:crypto Makefile > The result is crypto/comp/c_zlib.o:crypto/comp/c_zlib.o: crypto/comp/comp_lcl.h # DO NOT DELETE crypto/aes/aes_cfb.o: include/openssl/aes.h crypto/aes/aes_cfb.o: include/openssl/opensslconf.h crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o: include/openssl/modes.h # DO NOT DELETE crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/crypto.h crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/e_os2.h crypto/asn1/asn_mstbl.o: include/openssl/opensslconf.h > -- > Richard Levitte levitte at openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From levitte at openssl.org Tue Mar 15 20:22:49 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 15 Mar 2016 21:22:49 +0100 (CET) Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160315200107.GA12050@doctor.nl2k.ab.ca> References: <20160315153241.GA3975@doctor.nl2k.ab.ca> <20160315.180908.1144685507025336281.levitte@openssl.org> <20160315200107.GA12050@doctor.nl2k.ab.ca> Message-ID: <20160315.212249.2292198922030225804.levitte@openssl.org> In message <20160315200107.GA12050 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:01:07 -0600, The Doctor said: doctor> On Tue, Mar 15, 2016 at 06:09:08PM +0100, Richard Levitte wrote: doctor> > In message <20160315153241.GA3975 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 09:32:42 -0600, The Doctor said: doctor> > doctor> > doctor> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: doctor> > doctor> > //usr/source/openssl-SNAP-20160314$ make doctor> > doctor> > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop doctor> > doctor> > doctor> > doctor> > I got a bit compiled until this happened. doctor> > doctor> > doctor> > doctor> > Last working package was doctor> > doctor> > doctor> > doctor> > openssl-SNAP-20160311 . doctor> > doctor> > doctor> > doctor> doctor> > doctor> Still the same issue with openssl-SNAP-20160315 . doctor> > doctor> doctor> > doctor> What is the problem with crypto/aes/aes_cfb.o doctor> > doctor> ?? doctor> > doctor> > Hmmm, the seems like an issue with dependency making, somehow. doctor> > doctor> > could you run this command and send me the result (I hope your grep doctor> > understands -A and -B, which is used to display a number of lines doctor> > After and Before a match)? doctor> > doctor> > $ grep -A5 -B5 aes_cfb.o:crypto Makefile doctor> > doctor> doctor> The result is doctor> doctor> crypto/comp/c_zlib.o:crypto/comp/c_zlib.o: crypto/comp/comp_lcl.h doctor> # DO NOT DELETE doctor> doctor> crypto/aes/aes_cfb.o: include/openssl/aes.h doctor> crypto/aes/aes_cfb.o: include/openssl/opensslconf.h doctor> crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o: include/openssl/modes.h doctor> # DO NOT DELETE doctor> doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/crypto.h doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/e_os2.h doctor> crypto/asn1/asn_mstbl.o: include/openssl/opensslconf.h Ok, that's what I expected. So there seems to be some odd interaction between the makedepend and the post-processing perl snippet. Could you do the following for me? $ rm crypto/aes/aes_cfb.d $ make crypto/aes/aes_cfb.d And then, copy-n-paste only the makedepend command and execute it, and send me the resulting crypto/aes/aes_cfb.d.tmp as an attachment. I want to see its exact content to see what perl does wrong. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From doctor at doctor.nl2k.ab.ca Tue Mar 15 20:50:22 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Tue, 15 Mar 2016 14:50:22 -0600 Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160315.212249.2292198922030225804.levitte@openssl.org> References: <20160315153241.GA3975@doctor.nl2k.ab.ca> <20160315.180908.1144685507025336281.levitte@openssl.org> <20160315200107.GA12050@doctor.nl2k.ab.ca> <20160315.212249.2292198922030225804.levitte@openssl.org> Message-ID: <20160315205022.GA26917@doctor.nl2k.ab.ca> On Tue, Mar 15, 2016 at 09:22:49PM +0100, Richard Levitte wrote: > In message <20160315200107.GA12050 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:01:07 -0600, The Doctor said: > > doctor> On Tue, Mar 15, 2016 at 06:09:08PM +0100, Richard Levitte wrote: > doctor> > In message <20160315153241.GA3975 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 09:32:42 -0600, The Doctor said: > doctor> > > doctor> > doctor> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: > doctor> > doctor> > //usr/source/openssl-SNAP-20160314$ make > doctor> > doctor> > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > doctor> > doctor> > > doctor> > doctor> > I got a bit compiled until this happened. > doctor> > doctor> > > doctor> > doctor> > Last working package was > doctor> > doctor> > > doctor> > doctor> > openssl-SNAP-20160311 . > doctor> > doctor> > > doctor> > doctor> > doctor> > doctor> Still the same issue with openssl-SNAP-20160315 . > doctor> > doctor> > doctor> > doctor> What is the problem with crypto/aes/aes_cfb.o > doctor> > doctor> ?? > doctor> > > doctor> > Hmmm, the seems like an issue with dependency making, somehow. > doctor> > > doctor> > could you run this command and send me the result (I hope your grep > doctor> > understands -A and -B, which is used to display a number of lines > doctor> > After and Before a match)? > doctor> > > doctor> > $ grep -A5 -B5 aes_cfb.o:crypto Makefile > doctor> > > doctor> > doctor> The result is > doctor> > doctor> crypto/comp/c_zlib.o:crypto/comp/c_zlib.o: crypto/comp/comp_lcl.h > doctor> # DO NOT DELETE > doctor> > doctor> crypto/aes/aes_cfb.o: include/openssl/aes.h > doctor> crypto/aes/aes_cfb.o: include/openssl/opensslconf.h > doctor> crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o: include/openssl/modes.h > doctor> # DO NOT DELETE > doctor> > doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/crypto.h > doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/e_os2.h > doctor> crypto/asn1/asn_mstbl.o: include/openssl/opensslconf.h > > Ok, that's what I expected. So there seems to be some odd interaction > between the makedepend and the post-processing perl snippet. > > Could you do the following for me? > > $ rm crypto/aes/aes_cfb.d > $ make crypto/aes/aes_cfb.d We get /usr/X11/bin/makedepend -fcrypto/aes/aes_cfb.d.tmp -o"|crypto/aes/aes_cfb.o" -- -DZLIB_SHARED -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. -Icrypto/include -- crypto/aes/aes_cfb.c 2>/dev/null perl -i -pe 's/^.*\|//; s/ \/(\\.|[^ ])*//; # $_ = undef if (/: *$/ || /^(#.*| *)$/); # $_.="\n" unless !defined($_) or /\R$/g;' crypto/aes/aes_cfb.d.tmp > > And then, copy-n-paste only the makedepend command and execute it, and > send me the resulting crypto/aes/aes_cfb.d.tmp as an attachment. I > want to see its exact content to see what perl does wrong. > The crypto/aes/aes_cfb.d.tmp is just a blank file cat crypto/aes/aes_cfb.d.tmp cat: crypto/aes/aes_cfb.d.tmp: No such file or directory Next? > Cheers, > Richard > > -- > Richard Levitte levitte at openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From uri at ll.mit.edu Tue Mar 15 21:10:43 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 15 Mar 2016 21:10:43 +0000 Subject: [openssl-dev] [openssl.org #4429] Cannot decrypt RC4-encrypted CMS object In-Reply-To: <20160315195402.GL6602@mournblade.imrryr.org> References: <56E67126.5040706@pdflib.com> <20160314184536.GA6602@mournblade.imrryr.org> <20160314223417.GA12921@openssl.org> <20160315063332.GD6602@mournblade.imrryr.org> <20160315074717.GF6602@mournblade.imrryr.org> <20160315192904.GK6602@mournblade.imrryr.org> <20160315195402.GL6602@mournblade.imrryr.org> Message-ID: My apologies - it appears that the patch was screwed up on my system. When I just replaced the EVP_CIPHER_asn1_to_param() with your new code, the tests passed OK. . . . . . . ../test/recipes/70-test_verify_extra.t .... ok ../test/recipes/80-test_ca.t .............. ok ../test/recipes/80-test_cms.t ............. ok ../test/recipes/80-test_ct.t .............. ok ../test/recipes/80-test_dane.t ............ ok ../test/recipes/80-test_dtlsv1listen.t .... ok ../test/recipes/80-test_ocsp.t ............ ok ../test/recipes/80-test_ssl.t ............. ok ../test/recipes/80-test_tsa.t ............. ok ../test/recipes/90-test_async.t ........... ok ../test/recipes/90-test_constant_time.t ... ok ../test/recipes/90-test_gmdiff.t .......... ok ../test/recipes/90-test_heartbeat.t ....... skipped: heartbeats is not supported by this OpenSSL build ../test/recipes/90-test_ige.t ............. ok ../test/recipes/90-test_memleak.t ......... ok ../test/recipes/90-test_networking.t ...... ok ../test/recipes/90-test_np.t .............. ok ../test/recipes/90-test_p5_crpt2.t ........ ok ../test/recipes/90-test_secmem.t .......... ok ../test/recipes/90-test_srp.t ............. ok ../test/recipes/90-test_threads.t ......... ok ../test/recipes/90-test_v3name.t .......... ok All tests successful. Files=71, Tests=394, 53 wallclock secs ( 0.51 usr 0.17 sys + 32.96 cusr 15.10 csys = 48.74 CPU) Result: PASS $ -- Regards, Uri Blumenthal On 3/15/16, 15:54 , "openssl-dev on behalf of Viktor Dukhovni" wrote: >On Tue, Mar 15, 2016 at 07:29:04PM +0000, Viktor Dukhovni wrote: > >> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key >> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key > >The underlying test commands amount to: > > $ cd test > $ openssl cms -EncryptedData_encrypt -in smcont.txt -outform PEM -rc2 >-secretkey 000102030405060708090A0B0C0D0E0F -stream -out test.cms > $ openssl cms -EncryptedData_decrypt -in test.cms -inform PEM -secretkey >000102030405060708090A0B0C0D0E0F -out smtst.txt > >For me these succeed and result in smtst.txt identical to smcont.txt. > >-- > Viktor. >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From levitte at openssl.org Tue Mar 15 21:13:50 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 15 Mar 2016 22:13:50 +0100 (CET) Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160315205022.GA26917@doctor.nl2k.ab.ca> References: <20160315200107.GA12050@doctor.nl2k.ab.ca> <20160315.212249.2292198922030225804.levitte@openssl.org> <20160315205022.GA26917@doctor.nl2k.ab.ca> Message-ID: <20160315.221350.1725521770011152083.levitte@openssl.org> In message <20160315205022.GA26917 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:50:22 -0600, The Doctor said: doctor> On Tue, Mar 15, 2016 at 09:22:49PM +0100, Richard Levitte wrote: doctor> > In message <20160315200107.GA12050 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:01:07 -0600, The Doctor said: doctor> > doctor> > doctor> On Tue, Mar 15, 2016 at 06:09:08PM +0100, Richard Levitte wrote: doctor> > doctor> > In message <20160315153241.GA3975 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 09:32:42 -0600, The Doctor said: doctor> > doctor> > doctor> > doctor> > doctor> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: doctor> > doctor> > doctor> > //usr/source/openssl-SNAP-20160314$ make doctor> > doctor> > doctor> > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop doctor> > doctor> > doctor> > doctor> > doctor> > doctor> > I got a bit compiled until this happened. doctor> > doctor> > doctor> > doctor> > doctor> > doctor> > Last working package was doctor> > doctor> > doctor> > doctor> > doctor> > doctor> > openssl-SNAP-20160311 . doctor> > doctor> > doctor> > doctor> > doctor> > doctor> doctor> > doctor> > doctor> Still the same issue with openssl-SNAP-20160315 . doctor> > doctor> > doctor> doctor> > doctor> > doctor> What is the problem with crypto/aes/aes_cfb.o doctor> > doctor> > doctor> ?? doctor> > doctor> > doctor> > doctor> > Hmmm, the seems like an issue with dependency making, somehow. doctor> > doctor> > doctor> > doctor> > could you run this command and send me the result (I hope your grep doctor> > doctor> > understands -A and -B, which is used to display a number of lines doctor> > doctor> > After and Before a match)? doctor> > doctor> > doctor> > doctor> > $ grep -A5 -B5 aes_cfb.o:crypto Makefile doctor> > doctor> > doctor> > doctor> doctor> > doctor> The result is doctor> > doctor> doctor> > doctor> crypto/comp/c_zlib.o:crypto/comp/c_zlib.o: crypto/comp/comp_lcl.h doctor> > doctor> # DO NOT DELETE doctor> > doctor> doctor> > doctor> crypto/aes/aes_cfb.o: include/openssl/aes.h doctor> > doctor> crypto/aes/aes_cfb.o: include/openssl/opensslconf.h doctor> > doctor> crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o: include/openssl/modes.h doctor> > doctor> # DO NOT DELETE doctor> > doctor> doctor> > doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/crypto.h doctor> > doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/e_os2.h doctor> > doctor> crypto/asn1/asn_mstbl.o: include/openssl/opensslconf.h doctor> > doctor> > Ok, that's what I expected. So there seems to be some odd interaction doctor> > between the makedepend and the post-processing perl snippet. doctor> > doctor> > Could you do the following for me? doctor> > doctor> > $ rm crypto/aes/aes_cfb.d doctor> > $ make crypto/aes/aes_cfb.d doctor> doctor> We get doctor> doctor> /usr/X11/bin/makedepend -fcrypto/aes/aes_cfb.d.tmp -o"|crypto/aes/aes_cfb.o" -- -DZLIB_SHARED -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. -Icrypto/include -- crypto/aes/aes_cfb.c 2>/dev/null doctor> perl -i -pe 's/^.*\|//; s/ \/(\\.|[^ ])*//; # $_ = undef if (/: *$/ || /^(#.*| *)$/); # $_.="\n" unless !defined($_) or /\R$/g;' crypto/aes/aes_cfb.d.tmp Actually, that perl line explained the issue just fine. Thanks, I know how to resolve this. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From openssl at roumenpetrov.info Tue Mar 15 21:22:20 2016 From: openssl at roumenpetrov.info (Roumen Petrov) Date: Tue, 15 Mar 2016 23:22:20 +0200 Subject: [openssl-dev] OPENSSL_cleanup new issue In-Reply-To: <56E2CADE.2090208@openssl.org> References: <56CCC037.5040403@roumenpetrov.info> <56E1F368.5090308@roumenpetrov.info> <56E2CADE.2090208@openssl.org> Message-ID: <56E87D0C.1060209@roumenpetrov.info> Hi Matt, Matt Caswell wrote: > Hi Roumen > > On 10/03/16 22:21, Roumen Petrov wrote: >> Hello, >> >> With new thread model in some configurations openssl hands on unload of >> engine. > I just pushed commit 773fd0bad4 to master which should hopefully resolve > this issue. It seems to me hang is resolved after recent changes in init.c - commit "Fix the init cleanup order" ( 58a8fc25d73d8558df25d998f85d4714fbbe74ac) . May be cleanup function could free error list after all other clean-up code. I would like to test engine "reference counters but build fail - please apply patch 0003-build-with-defined-ENGINE_REF_COUNT_DEBUG.patch. I'm not sure that memory leaks are resolved - valgrind report that err_string_lock and ex_data_lock are not freed. Now some regression tests of an engine fail with "corrupted double-linked list" .Tests call openssl dgst command with key from file or engine. Keys are rsa, dsa and ec. Digest verify command fail only if key format is from engine , key is EC key with prime256v1 or secp521r1. Tests pass with EC secp384r1. Also all test pass if engine code print debug messages to stderr. Stack trace *** Error in '/apps/openssl': corrupted double-linked list: 0x00000000006de730 *** ^C Program received signal SIGINT, Interrupt. 0x00007ffff6fb338b in __lll_lock_wait_private () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff6fb338b in __lll_lock_wait_private () from /lib64/libc.so.6 #1 0x00007ffff6f3024a in _L_lock_12669 () from /lib64/libc.so.6 #2 0x00007ffff6f2d975 in malloc () from /lib64/libc.so.6 #3 0x00007ffff7de1b26 in _dl_map_object () from /lib64/ld-linux-x86-64.so.2 #4 0x00007ffff7ded387 in dl_open_worker () from /lib64/ld-linux-x86-64.so.2 #5 0x00007ffff7de8924 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2 #6 0x00007ffff7decc7b in _dl_open () from /lib64/ld-linux-x86-64.so.2 #7 0x00007ffff6fe0752 in do_dlopen () from /lib64/libc.so.6 #8 0x00007ffff7de8924 in _dl_catch_error () from /lib64/ld-linux-x86-64.so.2 #9 0x00007ffff6fe0812 in __libc_dlopen_mode () from /lib64/libc.so.6 #10 0x00007ffff6fb9825 in init () from /lib64/libc.so.6 #11 0x00007ffff7282120 in pthread_once () from /lib64/libpthread.so.0 #12 0x00007ffff6fb993c in backtrace () from /lib64/libc.so.6 #13 0x00007ffff6f232a4 in __libc_message () from /lib64/libc.so.6 #14 0x00007ffff6f293d7 in malloc_printerr () from /lib64/libc.so.6 #15 0x00007ffff6f2ab0c in _int_free () from /lib64/libc.so.6 #16 0x00007ffff781b962 in CRYPTO_free (str=0x6de850, file=0x7ffff78eb3e6 "crypto/threads_pthread.c", line=99) at crypto/mem.c:226 #17 0x00007ffff787e7f5 in CRYPTO_THREAD_lock_free (lock=0x6de850) at crypto/threads_pthread.c:99 #18 0x00007ffff780eda5 in EVP_PKEY_free_it (x=0x6e9310) at crypto/evp/p_lib.c:447 #19 0x00007ffff780ecf4 in EVP_PKEY_free (x=0x6e9310) at crypto/evp/p_lib.c:431 #20 0x00007ffff7811307 in EVP_PKEY_CTX_free (ctx=0x6de3a0) at crypto/evp/pmeth_lib.c:331 #21 0x00007ffff77f7cd3 in EVP_MD_CTX_reset (ctx=0x6be5d0) at crypto/evp/digest.c:138 #22 0x00007ffff77f7d34 in EVP_MD_CTX_free (ctx=0x6be5d0) at crypto/evp/digest.c:154 #23 0x00007ffff77f59a3 in md_free (a=0x6be510) at crypto/evp/bio_md.c:116 #24 0x00007ffff77359b8 in BIO_free (a=0x6be510) at crypto/bio/bio_lib.c:138 #25 0x000000000042d54a in dgst_main (argc=1, argv=0x7fffffffd950) at apps/dgst.c:444 #26 0x0000000000438844 in do_cmd (prog=0x6b5f20, argc=11, argv=0x7fffffffd900) at apps/openssl.c:570 #27 0x0000000000437ff3 in main (argc=11, argv=0x7fffffffd900) at apps/openssl.c:274 (gdb) I use "0004-avoid-corrupted-double-linked-list-in-EVP_PKEY.patch" as work-around. Roumen -------------- next part -------------- A non-text attachment was scrubbed... Name: 0003-build-with-defined-ENGINE_REF_COUNT_DEBUG.patch Type: text/x-diff Size: 775 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 0004-avoid-corrupted-double-linked-list-in-EVP_PKEY.patch Type: text/x-diff Size: 660 bytes Desc: not available URL: From noloader at gmail.com Wed Mar 16 05:52:35 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Wed, 16 Mar 2016 01:52:35 -0400 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: References: <56E6D020.5020906@openssl.org> Message-ID: On Mon, Mar 14, 2016 at 10:52 AM, Andy Polyakov via RT wrote: > On 03/14/16 03:58, noloader at gmail.com via RT wrote: >> Working from Master... >> >> gentoo at Gentoo-2012 ~/openssl $ ./config >> Operating system: x86_64-whatever-linux2 >> ... > > Can you confirm that it's not a problem to compile "hello, world" with > above flags? Because if you can't, then it can't be OpenSSL problem. Using those flags should produce the same error. > Is it possible that real target is so called x32, i.e. x86_64 with > 32-bit address space limitation? In such case linux-x32 would be the > right target... I don't believe this is x32 since {x86_64|amd64} and __ILP32__ are not defined; see preprocessor output below. The compiler reports its i686: # gcc -dumpmachine i686-pc-linux-gnu The machine appears to be i686: # readelf -h /bin/ls | grep -i 'class\|machine' Class: ELF32 Machine: Intel 80386 The machine reports that its x86_64 through uname, though: # uname -m x86_64 Maybe uname cannot be trusted for Gentoo? # cat /etc/gentoo-release Gentoo Base System release 2.2 ---------- # gcc -march=native -dM -E - 0) ? 2 : 0) #define __FXSR__ 1 #define __GCC_ATOMIC_BOOL_LOCK_FREE 2 #define __GCC_ATOMIC_CHAR16_T_LOCK_FREE 2 #define __GCC_ATOMIC_CHAR32_T_LOCK_FREE 2 #define __GCC_ATOMIC_CHAR_LOCK_FREE 2 #define __GCC_ATOMIC_INT_LOCK_FREE 2 #define __GCC_ATOMIC_LLONG_LOCK_FREE 2 #define __GCC_ATOMIC_LONG_LOCK_FREE 2 #define __GCC_ATOMIC_POINTER_LOCK_FREE 2 #define __GCC_ATOMIC_SHORT_LOCK_FREE 2 #define __GCC_ATOMIC_TEST_AND_SET_TRUEVAL 1 #define __GCC_ATOMIC_WCHAR_T_LOCK_FREE 2 #define __GCC_HAVE_DWARF2_CFI_ASM 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8 1 #define __GNUC__ 4 #define __GNUC_GNU_INLINE__ 1 #define __GNUC_MINOR__ 8 #define __GNUC_PATCHLEVEL__ 3 #define __gnu_linux__ 1 #define __GXX_ABI_VERSION 1002 #define __i386 1 #define __i386__ 1 #define i386 1 #define __INT16_C(c) c #define __INT16_MAX__ 32767 #define __INT16_TYPE__ short int #define __INT32_C(c) c #define __INT32_MAX__ 2147483647 #define __INT32_TYPE__ int #define __INT64_C(c) c ## LL #define __INT64_MAX__ 9223372036854775807LL #define __INT64_TYPE__ long long int #define __INT8_C(c) c #define __INT8_MAX__ 127 #define __INT8_TYPE__ signed char #define __INT_FAST16_MAX__ 2147483647 #define __INT_FAST16_TYPE__ int #define __INT_FAST32_MAX__ 2147483647 #define __INT_FAST32_TYPE__ int #define __INT_FAST64_MAX__ 9223372036854775807LL #define __INT_FAST64_TYPE__ long long int #define __INT_FAST8_MAX__ 127 #define __INT_FAST8_TYPE__ signed char #define __INT_LEAST16_MAX__ 32767 #define __INT_LEAST16_TYPE__ short int #define __INT_LEAST32_MAX__ 2147483647 #define __INT_LEAST32_TYPE__ int #define __INT_LEAST64_MAX__ 9223372036854775807LL #define __INT_LEAST64_TYPE__ long long int #define __INT_LEAST8_MAX__ 127 #define __INT_LEAST8_TYPE__ signed char #define __INT_MAX__ 2147483647 #define __INTMAX_C(c) c ## LL #define __INTMAX_MAX__ 9223372036854775807LL #define __INTMAX_TYPE__ long long int #define __INTPTR_MAX__ 2147483647 #define __INTPTR_TYPE__ int #define __LDBL_DENORM_MIN__ 3.64519953188247460253e-4951L #define __LDBL_DIG__ 18 #define __LDBL_EPSILON__ 1.08420217248550443401e-19L #define __LDBL_HAS_DENORM__ 1 #define __LDBL_HAS_INFINITY__ 1 #define __LDBL_HAS_QUIET_NAN__ 1 #define __LDBL_MANT_DIG__ 64 #define __LDBL_MAX_10_EXP__ 4932 #define __LDBL_MAX__ 1.18973149535723176502e+4932L #define __LDBL_MAX_EXP__ 16384 #define __LDBL_MIN_10_EXP__ (-4931) #define __LDBL_MIN__ 3.36210314311209350626e-4932L #define __LDBL_MIN_EXP__ (-16381) #define __linux 1 #define __linux__ 1 #define linux 1 #define __LONG_LONG_MAX__ 9223372036854775807LL #define __LONG_MAX__ 2147483647L #define __MMX__ 1 #define __NO_INLINE__ 1 #define __ORDER_BIG_ENDIAN__ 4321 #define __ORDER_LITTLE_ENDIAN__ 1234 #define __ORDER_PDP_ENDIAN__ 3412 #define __PCLMUL__ 1 #define __POPCNT__ 1 #define __PRAGMA_REDEFINE_EXTNAME 1 #define __PTRDIFF_MAX__ 2147483647 #define __PTRDIFF_TYPE__ int #define __REGISTER_PREFIX__ #define __SCHAR_MAX__ 127 #define __SHRT_MAX__ 32767 #define __SIG_ATOMIC_MAX__ 2147483647 #define __SIG_ATOMIC_MIN__ (-__SIG_ATOMIC_MAX__ - 1) #define __SIG_ATOMIC_TYPE__ int #define __SIZE_MAX__ 4294967295U #define __SIZEOF_DOUBLE__ 8 #define __SIZEOF_FLOAT__ 4 #define __SIZEOF_INT__ 4 #define __SIZEOF_LONG__ 4 #define __SIZEOF_LONG_DOUBLE__ 12 #define __SIZEOF_LONG_LONG__ 8 #define __SIZEOF_POINTER__ 4 #define __SIZEOF_PTRDIFF_T__ 4 #define __SIZEOF_SHORT__ 2 #define __SIZEOF_SIZE_T__ 4 #define __SIZEOF_WCHAR_T__ 4 #define __SIZEOF_WINT_T__ 4 #define __SIZE_TYPE__ unsigned int #define __SSE__ 1 #define __SSE2__ 1 #define __SSE3__ 1 #define __SSE4_1__ 1 #define __SSE4_2__ 1 #define __SSP__ 1 #define __SSSE3__ 1 #define __STDC__ 1 #define __STDC_HOSTED__ 1 #define __STDC_IEC_559__ 1 #define __STDC_IEC_559_COMPLEX__ 1 #define __STDC_ISO_10646__ 201103L #define __STDC_NO_THREADS__ 1 #define _STDC_PREDEF_H 1 #define __tune_corei7__ 1 #define __UINT16_C(c) c #define __UINT16_MAX__ 65535 #define __UINT16_TYPE__ short unsigned int #define __UINT32_C(c) c ## U #define __UINT32_MAX__ 4294967295U #define __UINT32_TYPE__ unsigned int #define __UINT64_C(c) c ## ULL #define __UINT64_MAX__ 18446744073709551615ULL #define __UINT64_TYPE__ long long unsigned int #define __UINT8_C(c) c #define __UINT8_MAX__ 255 #define __UINT8_TYPE__ unsigned char #define __UINT_FAST16_MAX__ 4294967295U #define __UINT_FAST16_TYPE__ unsigned int #define __UINT_FAST32_MAX__ 4294967295U #define __UINT_FAST32_TYPE__ unsigned int #define __UINT_FAST64_MAX__ 18446744073709551615ULL #define __UINT_FAST64_TYPE__ long long unsigned int #define __UINT_FAST8_MAX__ 255 #define __UINT_FAST8_TYPE__ unsigned char #define __UINT_LEAST16_MAX__ 65535 #define __UINT_LEAST16_TYPE__ short unsigned int #define __UINT_LEAST32_MAX__ 4294967295U #define __UINT_LEAST32_TYPE__ unsigned int #define __UINT_LEAST64_MAX__ 18446744073709551615ULL #define __UINT_LEAST64_TYPE__ long long unsigned int #define __UINT_LEAST8_MAX__ 255 #define __UINT_LEAST8_TYPE__ unsigned char #define __UINTMAX_C(c) c ## ULL #define __UINTMAX_MAX__ 18446744073709551615ULL #define __UINTMAX_TYPE__ long long unsigned int #define __UINTPTR_MAX__ 4294967295U #define __UINTPTR_TYPE__ unsigned int #define __unix 1 #define __unix__ 1 #define unix 1 #define __USER_LABEL_PREFIX__ #define __VERSION__ "4.8.3" #define __WCHAR_MAX__ 2147483647L #define __WCHAR_MIN__ (-__WCHAR_MAX__ - 1) #define __WCHAR_TYPE__ long int #define __WINT_MAX__ 4294967295U #define __WINT_MIN__ 0U #define __WINT_TYPE__ unsigned int #define __XSAVE__ 1 #define __XSAVEOPT__ 1 From rt at openssl.org Wed Mar 16 05:52:49 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 16 Mar 2016 05:52:49 +0000 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: References: <56E6D020.5020906@openssl.org> Message-ID: On Mon, Mar 14, 2016 at 10:52 AM, Andy Polyakov via RT wrote: > On 03/14/16 03:58, noloader at gmail.com via RT wrote: >> Working from Master... >> >> gentoo at Gentoo-2012 ~/openssl $ ./config >> Operating system: x86_64-whatever-linux2 >> ... > > Can you confirm that it's not a problem to compile "hello, world" with > above flags? Because if you can't, then it can't be OpenSSL problem. Using those flags should produce the same error. > Is it possible that real target is so called x32, i.e. x86_64 with > 32-bit address space limitation? In such case linux-x32 would be the > right target... I don't believe this is x32 since {x86_64|amd64} and __ILP32__ are not defined; see preprocessor output below. The compiler reports its i686: # gcc -dumpmachine i686-pc-linux-gnu The machine appears to be i686: # readelf -h /bin/ls | grep -i 'class\|machine' Class: ELF32 Machine: Intel 80386 The machine reports that its x86_64 through uname, though: # uname -m x86_64 Maybe uname cannot be trusted for Gentoo? # cat /etc/gentoo-release Gentoo Base System release 2.2 ---------- # gcc -march=native -dM -E - 0) ? 2 : 0) #define __FXSR__ 1 #define __GCC_ATOMIC_BOOL_LOCK_FREE 2 #define __GCC_ATOMIC_CHAR16_T_LOCK_FREE 2 #define __GCC_ATOMIC_CHAR32_T_LOCK_FREE 2 #define __GCC_ATOMIC_CHAR_LOCK_FREE 2 #define __GCC_ATOMIC_INT_LOCK_FREE 2 #define __GCC_ATOMIC_LLONG_LOCK_FREE 2 #define __GCC_ATOMIC_LONG_LOCK_FREE 2 #define __GCC_ATOMIC_POINTER_LOCK_FREE 2 #define __GCC_ATOMIC_SHORT_LOCK_FREE 2 #define __GCC_ATOMIC_TEST_AND_SET_TRUEVAL 1 #define __GCC_ATOMIC_WCHAR_T_LOCK_FREE 2 #define __GCC_HAVE_DWARF2_CFI_ASM 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_1 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_2 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_4 1 #define __GCC_HAVE_SYNC_COMPARE_AND_SWAP_8 1 #define __GNUC__ 4 #define __GNUC_GNU_INLINE__ 1 #define __GNUC_MINOR__ 8 #define __GNUC_PATCHLEVEL__ 3 #define __gnu_linux__ 1 #define __GXX_ABI_VERSION 1002 #define __i386 1 #define __i386__ 1 #define i386 1 #define __INT16_C(c) c #define __INT16_MAX__ 32767 #define __INT16_TYPE__ short int #define __INT32_C(c) c #define __INT32_MAX__ 2147483647 #define __INT32_TYPE__ int #define __INT64_C(c) c ## LL #define __INT64_MAX__ 9223372036854775807LL #define __INT64_TYPE__ long long int #define __INT8_C(c) c #define __INT8_MAX__ 127 #define __INT8_TYPE__ signed char #define __INT_FAST16_MAX__ 2147483647 #define __INT_FAST16_TYPE__ int #define __INT_FAST32_MAX__ 2147483647 #define __INT_FAST32_TYPE__ int #define __INT_FAST64_MAX__ 9223372036854775807LL #define __INT_FAST64_TYPE__ long long int #define __INT_FAST8_MAX__ 127 #define __INT_FAST8_TYPE__ signed char #define __INT_LEAST16_MAX__ 32767 #define __INT_LEAST16_TYPE__ short int #define __INT_LEAST32_MAX__ 2147483647 #define __INT_LEAST32_TYPE__ int #define __INT_LEAST64_MAX__ 9223372036854775807LL #define __INT_LEAST64_TYPE__ long long int #define __INT_LEAST8_MAX__ 127 #define __INT_LEAST8_TYPE__ signed char #define __INT_MAX__ 2147483647 #define __INTMAX_C(c) c ## LL #define __INTMAX_MAX__ 9223372036854775807LL #define __INTMAX_TYPE__ long long int #define __INTPTR_MAX__ 2147483647 #define __INTPTR_TYPE__ int #define __LDBL_DENORM_MIN__ 3.64519953188247460253e-4951L #define __LDBL_DIG__ 18 #define __LDBL_EPSILON__ 1.08420217248550443401e-19L #define __LDBL_HAS_DENORM__ 1 #define __LDBL_HAS_INFINITY__ 1 #define __LDBL_HAS_QUIET_NAN__ 1 #define __LDBL_MANT_DIG__ 64 #define __LDBL_MAX_10_EXP__ 4932 #define __LDBL_MAX__ 1.18973149535723176502e+4932L #define __LDBL_MAX_EXP__ 16384 #define __LDBL_MIN_10_EXP__ (-4931) #define __LDBL_MIN__ 3.36210314311209350626e-4932L #define __LDBL_MIN_EXP__ (-16381) #define __linux 1 #define __linux__ 1 #define linux 1 #define __LONG_LONG_MAX__ 9223372036854775807LL #define __LONG_MAX__ 2147483647L #define __MMX__ 1 #define __NO_INLINE__ 1 #define __ORDER_BIG_ENDIAN__ 4321 #define __ORDER_LITTLE_ENDIAN__ 1234 #define __ORDER_PDP_ENDIAN__ 3412 #define __PCLMUL__ 1 #define __POPCNT__ 1 #define __PRAGMA_REDEFINE_EXTNAME 1 #define __PTRDIFF_MAX__ 2147483647 #define __PTRDIFF_TYPE__ int #define __REGISTER_PREFIX__ #define __SCHAR_MAX__ 127 #define __SHRT_MAX__ 32767 #define __SIG_ATOMIC_MAX__ 2147483647 #define __SIG_ATOMIC_MIN__ (-__SIG_ATOMIC_MAX__ - 1) #define __SIG_ATOMIC_TYPE__ int #define __SIZE_MAX__ 4294967295U #define __SIZEOF_DOUBLE__ 8 #define __SIZEOF_FLOAT__ 4 #define __SIZEOF_INT__ 4 #define __SIZEOF_LONG__ 4 #define __SIZEOF_LONG_DOUBLE__ 12 #define __SIZEOF_LONG_LONG__ 8 #define __SIZEOF_POINTER__ 4 #define __SIZEOF_PTRDIFF_T__ 4 #define __SIZEOF_SHORT__ 2 #define __SIZEOF_SIZE_T__ 4 #define __SIZEOF_WCHAR_T__ 4 #define __SIZEOF_WINT_T__ 4 #define __SIZE_TYPE__ unsigned int #define __SSE__ 1 #define __SSE2__ 1 #define __SSE3__ 1 #define __SSE4_1__ 1 #define __SSE4_2__ 1 #define __SSP__ 1 #define __SSSE3__ 1 #define __STDC__ 1 #define __STDC_HOSTED__ 1 #define __STDC_IEC_559__ 1 #define __STDC_IEC_559_COMPLEX__ 1 #define __STDC_ISO_10646__ 201103L #define __STDC_NO_THREADS__ 1 #define _STDC_PREDEF_H 1 #define __tune_corei7__ 1 #define __UINT16_C(c) c #define __UINT16_MAX__ 65535 #define __UINT16_TYPE__ short unsigned int #define __UINT32_C(c) c ## U #define __UINT32_MAX__ 4294967295U #define __UINT32_TYPE__ unsigned int #define __UINT64_C(c) c ## ULL #define __UINT64_MAX__ 18446744073709551615ULL #define __UINT64_TYPE__ long long unsigned int #define __UINT8_C(c) c #define __UINT8_MAX__ 255 #define __UINT8_TYPE__ unsigned char #define __UINT_FAST16_MAX__ 4294967295U #define __UINT_FAST16_TYPE__ unsigned int #define __UINT_FAST32_MAX__ 4294967295U #define __UINT_FAST32_TYPE__ unsigned int #define __UINT_FAST64_MAX__ 18446744073709551615ULL #define __UINT_FAST64_TYPE__ long long unsigned int #define __UINT_FAST8_MAX__ 255 #define __UINT_FAST8_TYPE__ unsigned char #define __UINT_LEAST16_MAX__ 65535 #define __UINT_LEAST16_TYPE__ short unsigned int #define __UINT_LEAST32_MAX__ 4294967295U #define __UINT_LEAST32_TYPE__ unsigned int #define __UINT_LEAST64_MAX__ 18446744073709551615ULL #define __UINT_LEAST64_TYPE__ long long unsigned int #define __UINT_LEAST8_MAX__ 255 #define __UINT_LEAST8_TYPE__ unsigned char #define __UINTMAX_C(c) c ## ULL #define __UINTMAX_MAX__ 18446744073709551615ULL #define __UINTMAX_TYPE__ long long unsigned int #define __UINTPTR_MAX__ 4294967295U #define __UINTPTR_TYPE__ unsigned int #define __unix 1 #define __unix__ 1 #define unix 1 #define __USER_LABEL_PREFIX__ #define __VERSION__ "4.8.3" #define __WCHAR_MAX__ 2147483647L #define __WCHAR_MIN__ (-__WCHAR_MAX__ - 1) #define __WCHAR_TYPE__ long int #define __WINT_MAX__ 4294967295U #define __WINT_MIN__ 0U #define __WINT_TYPE__ unsigned int #define __XSAVE__ 1 #define __XSAVEOPT__ 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4428 Please log in as guest with password guest if prompted From matt at openssl.org Wed Mar 16 11:11:27 2016 From: matt at openssl.org (Matt Caswell) Date: Wed, 16 Mar 2016 11:11:27 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: <56E6D2B5.3030807@openssl.org> <56E6D355.6090908@openssl.org> <56E6D6F1.2080402@openssl.org> Message-ID: <56E93F5F.30202@openssl.org> On 14/03/16 15:21, Matt Caswell via RT wrote: > > > On 14/03/16 15:05, Andy Polyakov via RT wrote: >>>>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>>>> 32-bit tests OK. >>>>> >>>>> The relevant snippets are: >>>>> >>>>> $ make test >>>>> ... >>>>> ../test/recipes/90-test_async.t ........... 1/1 >>>>> # Failed test 'running asynctest' >>>>> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >>>>> # Looks like you failed 1 test of 1. >>>>> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >>>>> (wstat 256, 0x100) >>>>> Failed 1/1 subtests >>>> >>>> Once again, "it boils down to the fact that getcontext always returns >>>> failure to ppc64 program. There is nothing we can do about it, you just >>>> have to accept that this particular thing doesn't work on MacOS >>>> X/ppc64." getcontext is part of libc equivalent, which is why there is >>>> nothing that can be done about it. >>>> >>>> >>> Can we detect the platform in async_posix.h so that if we work out we're >>> on ppc64 then we default to ASYNC_NULL? >> >> #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) >> >> > So something like the attached? > > Jeff, can you test this? Jeff reported to me off list that this did not work. Jeff - please can you try the attached alternative patch? Thanks Matt -------------- next part -------------- A non-text attachment was scrubbed... Name: bad-getcontext.patch Type: text/x-patch Size: 2749 bytes Desc: not available URL: From rt at openssl.org Wed Mar 16 11:11:34 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Wed, 16 Mar 2016 11:11:34 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: <56E93F5F.30202@openssl.org> References: <56E6D355.6090908@openssl.org> <56E6D6F1.2080402@openssl.org> <56E93F5F.30202@openssl.org> Message-ID: On 14/03/16 15:21, Matt Caswell via RT wrote: > > > On 14/03/16 15:05, Andy Polyakov via RT wrote: >>>>> Bump... The issue is still present as of b36a2ef for OS X 10.6 64-bit. >>>>> 32-bit tests OK. >>>>> >>>>> The relevant snippets are: >>>>> >>>>> $ make test >>>>> ... >>>>> ../test/recipes/90-test_async.t ........... 1/1 >>>>> # Failed test 'running asynctest' >>>>> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. >>>>> # Looks like you failed 1 test of 1. >>>>> ../test/recipes/90-test_async.t ........... Dubious, test returned 1 >>>>> (wstat 256, 0x100) >>>>> Failed 1/1 subtests >>>> >>>> Once again, "it boils down to the fact that getcontext always returns >>>> failure to ppc64 program. There is nothing we can do about it, you just >>>> have to accept that this particular thing doesn't work on MacOS >>>> X/ppc64." getcontext is part of libc equivalent, which is why there is >>>> nothing that can be done about it. >>>> >>>> >>> Can we detect the platform in async_posix.h so that if we work out we're >>> on ppc64 then we default to ASYNC_NULL? >> >> #if defined(__APPLE__) && (defined(__ppc64__) || defined(_ARCH_PPC64)) >> >> > So something like the attached? > > Jeff, can you test this? Jeff reported to me off list that this did not work. Jeff - please can you try the attached alternative patch? Thanks Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: bad-getcontext.patch Type: text/x-patch Size: 2749 bytes Desc: not available URL: From rt at openssl.org Wed Mar 16 12:05:53 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 16 Mar 2016 12:05:53 +0000 Subject: [openssl-dev] [openssl.org #4366] OS X 10.5, 64-bit PPC, no-asm, and "Failed test 'running asynctest'" In-Reply-To: References: <56E6D6F1.2080402@openssl.org> <56E93F5F.30202@openssl.org> Message-ID: > Jeff - please can you try the attached alternative patch? > It tested OK under both 'KERNEL_BITS=32' and 'KERNEL_BITS=64': ... ../test/recipes/25-test_verify.t .......... ok ../test/recipes/25-test_x509.t ............ ok ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not supported for this build ../test/recipes/30-test_engine.t .......... ok ... Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4366 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 16 13:52:11 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 16 Mar 2016 13:52:11 +0000 Subject: [openssl-dev] [openssl.org #4434] Gentoo 13, x86_64: 4 failed self tests In-Reply-To: References: Message-ID: Working from Master on a Gentoo 13 machine, x86_64. The test was run as root which explains one of the failures (I don't have users or SSH set up yet). Kernel is 4.1.15, GCC is 4.9.3. $ make test ... ( cd test; \ SRCTOP=../. \ BLDTOP=../. \ EXE_EXT= \ /usr/bin/perl .././test/run_tests.pl ) ../test/recipes/01-test_ordinals.t ........ ok ../test/recipes/05-test_bf.t .............. ok ../test/recipes/05-test_cast.t ............ ok ../test/recipes/05-test_des.t ............. ok ../test/recipes/05-test_hmac.t ............ ok ../test/recipes/05-test_idea.t ............ ok ../test/recipes/05-test_md2.t ............. skipped: md2 is not supported by this OpenSSL build ../test/recipes/05-test_md4.t ............. ok ../test/recipes/05-test_md5.t ............. ok ../test/recipes/05-test_mdc2.t ............ ok ../test/recipes/05-test_rand.t ............ ok ../test/recipes/05-test_rc2.t ............. ok ../test/recipes/05-test_rc4.t ............. ok ../test/recipes/05-test_rc5.t ............. skipped: rc5 is not supported by this OpenSSL build ../test/recipes/05-test_rmd.t ............. ok ../test/recipes/05-test_sha1.t ............ ok ../test/recipes/05-test_sha256.t .......... ok ../test/recipes/05-test_sha512.t .......... ok ../test/recipes/05-test_wp.t .............. ok ../test/recipes/10-test_bn.t .............. ok ../test/recipes/10-test_exp.t ............. ok ../test/recipes/15-test_dh.t .............. ok ../test/recipes/15-test_dsa.t ............. ok ../test/recipes/15-test_ec.t .............. ok ../test/recipes/15-test_ecdh.t ............ ok ../test/recipes/15-test_ecdsa.t ........... ok ../test/recipes/15-test_rsa.t ............. ok ../test/recipes/20-test_enc.t ............. ok ../test/recipes/25-test_crl.t ............. ok ../test/recipes/25-test_gen.t ............. ok ../test/recipes/25-test_pkcs7.t ........... ok ../test/recipes/25-test_req.t ............. ok ../test/recipes/25-test_sid.t ............. ok ../test/recipes/25-test_verify.t .......... ok ../test/recipes/25-test_x509.t ............ ok # Failed test 'running afalgtest' # at ../test/recipes/30-test_afalg.t line 68. # Looks like you failed 1 test of 1. ../test/recipes/30-test_afalg.t ........... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/30-test_engine.t .......... ok ../test/recipes/30-test_evp.t ............. ok ../test/recipes/30-test_evp_extra.t ....... ok ../test/recipes/30-test_pbelu.t ........... ok # Failed test 'Testing that we aren't running as a privileged user, such as root' # at ../test/recipes/40-test_rehash.t line 41. # Looks like you failed 1 test of 5. ../test/recipes/40-test_rehash.t .......... Dubious, test returned 1 (wstat 256, 0x100) Failed 1/5 subtests (less 1 skipped subtest: 3 okay) ../test/recipes/70-test_clienthello.t ..... ok ../test/recipes/70-test_packet.t .......... ok ../test/recipes/70-test_sslcertstatus.t ... skipped: test_sslcertstatus needs the dynamic engine feature enabled ../test/recipes/70-test_sslextension.t .... skipped: test_sslextension needs the dynamic engine feature enabled ../test/recipes/70-test_sslsessiontick.t .. skipped: test_sslsessiontick needs the dynamic engine feature enabled ../test/recipes/70-test_sslskewith0p.t .... skipped: test_sslskewith0p needs the dynamic engine feature enabled ../test/recipes/70-test_sslvertol.t ....... skipped: test_sslextension needs the dynamic engine feature enabled ../test/recipes/70-test_tlsextms.t ........ skipped: test_tlsextms needs the dynamic engine feature enabled ../test/recipes/70-test_verify_extra.t .... ok ../test/recipes/80-test_ca.t .............. ok ../test/recipes/80-test_cms.t ............. ok ../test/recipes/80-test_ct.t .............. ok ../test/recipes/80-test_dane.t ............ ok ../test/recipes/80-test_dtlsv1listen.t .... ok ../test/recipes/80-test_ocsp.t ............ ok ../test/recipes/80-test_ssl.t ............. ok ../test/recipes/80-test_tsa.t ............. ok ../test/recipes/90-test_async.t ........... ok ../test/recipes/90-test_constant_time.t ... ok ../test/recipes/90-test_gmdiff.t .......... ok ../test/recipes/90-test_heartbeat.t ....... skipped: heartbeats is not supported by this OpenSSL build ../test/recipes/90-test_ige.t ............. ok ../test/recipes/90-test_memleak.t ......... ok ../test/recipes/90-test_networking.t ...... skipped: test_networking needs the dynamic engine feature enabled ../test/recipes/90-test_np.t .............. ok ../test/recipes/90-test_p5_crpt2.t ........ ok ../test/recipes/90-test_secmem.t .......... ok ../test/recipes/90-test_srp.t ............. ok ../test/recipes/90-test_threads.t ......... ok ../test/recipes/90-test_v3name.t .......... ok Test Summary Report ------------------- ../test/recipes/30-test_afalg.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/40-test_rehash.t (Wstat: 256 Tests: 5 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=71, Tests=367, 31 wallclock secs ( 0.41 usr 0.10 sys + 22.79 cusr 4.20 csys = 27.50 CPU) Result: FAIL Failed 2/71 test programs. 2/367 subtests failed. Makefile:122: recipe for target 'test' failed make: *** [test] Error 255 ----- $ ./config Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4434 Please log in as guest with password guest if prompted From rt at openssl.org Wed Mar 16 13:53:24 2016 From: rt at openssl.org (Thomas Brunnthaler via RT) Date: Wed, 16 Mar 2016 13:53:24 +0000 Subject: [openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension In-Reply-To: References: Message-ID: Hello ! I build a release package with the suggested fix in github but php wont load curl anyway. Any other suggestions ? I used MS VC2013 with NASM when using 1.0.2 branch. PHP Warning: PHP Startup: Unable to load dynamic library '\php5\php_curl.dll' - Das Betriebssystem kann php[1912] nicht ausf?hren. in Unknown on line 0. 2016-03-09 23:33 GMT+01:00 noloader at gmail.com via RT : > On Tue, Mar 8, 2016 at 8:43 AM, Thomas Brunnthaler via RT > wrote: > > CURL not working since upgrade to 1.0.2g on windows. I use PHP 5.2.17 VC6 > > x86 TS. Error Message: OS cannot load %1 or so. > > > > Is it possible to release an out-of-band update for this fix? > > Many folks are experiencing pain points because of it. See, for example: > > * http://stackoverflow.com/q/35895377/608639 > * http://stackoverflow.com/q/35880228/608639 > > Jeff > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 > Please log in as guest with password guest if prompted > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 Please log in as guest with password guest if prompted From matt at openssl.org Wed Mar 16 14:02:55 2016 From: matt at openssl.org (Matt Caswell) Date: Wed, 16 Mar 2016 14:02:55 +0000 Subject: [openssl-dev] [openssl.org #4434] Gentoo 13, x86_64: 4 failed self tests In-Reply-To: References: Message-ID: <56E9678F.6060004@openssl.org> What happens if you run the afalgtest directly? $ cd test $ ./afalgtest Matt On 16/03/16 13:52, noloader at gmail.com via RT wrote: > Working from Master on a Gentoo 13 machine, x86_64. The test was run > as root which explains one of the failures (I don't have users or SSH > set up yet). > > Kernel is 4.1.15, GCC is 4.9.3. > > $ make test > ... > > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ../test/recipes/05-test_cast.t ............ ok > ../test/recipes/05-test_des.t ............. ok > ../test/recipes/05-test_hmac.t ............ ok > ../test/recipes/05-test_idea.t ............ ok > ../test/recipes/05-test_md2.t ............. skipped: md2 is not > supported by this OpenSSL build > ../test/recipes/05-test_md4.t ............. ok > ../test/recipes/05-test_md5.t ............. ok > ../test/recipes/05-test_mdc2.t ............ ok > ../test/recipes/05-test_rand.t ............ ok > ../test/recipes/05-test_rc2.t ............. ok > ../test/recipes/05-test_rc4.t ............. ok > ../test/recipes/05-test_rc5.t ............. skipped: rc5 is not > supported by this OpenSSL build > ../test/recipes/05-test_rmd.t ............. ok > ../test/recipes/05-test_sha1.t ............ ok > ../test/recipes/05-test_sha256.t .......... ok > ../test/recipes/05-test_sha512.t .......... ok > ../test/recipes/05-test_wp.t .............. ok > ../test/recipes/10-test_bn.t .............. ok > ../test/recipes/10-test_exp.t ............. ok > ../test/recipes/15-test_dh.t .............. ok > ../test/recipes/15-test_dsa.t ............. ok > ../test/recipes/15-test_ec.t .............. ok > ../test/recipes/15-test_ecdh.t ............ ok > ../test/recipes/15-test_ecdsa.t ........... ok > ../test/recipes/15-test_rsa.t ............. ok > ../test/recipes/20-test_enc.t ............. ok > ../test/recipes/25-test_crl.t ............. ok > ../test/recipes/25-test_gen.t ............. ok > ../test/recipes/25-test_pkcs7.t ........... ok > ../test/recipes/25-test_req.t ............. ok > ../test/recipes/25-test_sid.t ............. ok > ../test/recipes/25-test_verify.t .......... ok > ../test/recipes/25-test_x509.t ............ ok > > # Failed test 'running afalgtest' > # at ../test/recipes/30-test_afalg.t line 68. > # Looks like you failed 1 test of 1. > ../test/recipes/30-test_afalg.t ........... > Dubious, test returned 1 (wstat 256, 0x100) > Failed 1/1 subtests > ../test/recipes/30-test_engine.t .......... ok > ../test/recipes/30-test_evp.t ............. ok > ../test/recipes/30-test_evp_extra.t ....... ok > ../test/recipes/30-test_pbelu.t ........... ok > > # Failed test 'Testing that we aren't running as a privileged user, > such as root' > # at ../test/recipes/40-test_rehash.t line 41. > # Looks like you failed 1 test of 5. > ../test/recipes/40-test_rehash.t .......... > Dubious, test returned 1 (wstat 256, 0x100) > Failed 1/5 subtests > (less 1 skipped subtest: 3 okay) > ../test/recipes/70-test_clienthello.t ..... ok > ../test/recipes/70-test_packet.t .......... ok > ../test/recipes/70-test_sslcertstatus.t ... skipped: > test_sslcertstatus needs the dynamic engine feature enabled > ../test/recipes/70-test_sslextension.t .... skipped: test_sslextension > needs the dynamic engine feature enabled > ../test/recipes/70-test_sslsessiontick.t .. skipped: > test_sslsessiontick needs the dynamic engine feature enabled > ../test/recipes/70-test_sslskewith0p.t .... skipped: test_sslskewith0p > needs the dynamic engine feature enabled > ../test/recipes/70-test_sslvertol.t ....... skipped: test_sslextension > needs the dynamic engine feature enabled > ../test/recipes/70-test_tlsextms.t ........ skipped: test_tlsextms > needs the dynamic engine feature enabled > ../test/recipes/70-test_verify_extra.t .... ok > ../test/recipes/80-test_ca.t .............. ok > ../test/recipes/80-test_cms.t ............. ok > ../test/recipes/80-test_ct.t .............. ok > ../test/recipes/80-test_dane.t ............ ok > ../test/recipes/80-test_dtlsv1listen.t .... ok > ../test/recipes/80-test_ocsp.t ............ ok > ../test/recipes/80-test_ssl.t ............. ok > ../test/recipes/80-test_tsa.t ............. ok > ../test/recipes/90-test_async.t ........... ok > ../test/recipes/90-test_constant_time.t ... ok > ../test/recipes/90-test_gmdiff.t .......... ok > ../test/recipes/90-test_heartbeat.t ....... skipped: heartbeats is not > supported by this OpenSSL build > ../test/recipes/90-test_ige.t ............. ok > ../test/recipes/90-test_memleak.t ......... ok > ../test/recipes/90-test_networking.t ...... skipped: test_networking > needs the dynamic engine feature enabled > ../test/recipes/90-test_np.t .............. ok > ../test/recipes/90-test_p5_crpt2.t ........ ok > ../test/recipes/90-test_secmem.t .......... ok > ../test/recipes/90-test_srp.t ............. ok > ../test/recipes/90-test_threads.t ......... ok > ../test/recipes/90-test_v3name.t .......... ok > > Test Summary Report > ------------------- > ../test/recipes/30-test_afalg.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > ../test/recipes/40-test_rehash.t (Wstat: 256 Tests: 5 Failed: 1) > Failed test: 4 > Non-zero exit status: 1 > Files=71, Tests=367, 31 wallclock secs ( 0.41 usr 0.10 sys + 22.79 > cusr 4.20 csys = 27.50 CPU) > Result: FAIL > Failed 2/71 test programs. 2/367 subtests failed. > Makefile:122: recipe for target 'test' failed > make: *** [test] Error 255 > > ----- > > $ ./config > Operating system: x86_64-whatever-linux2 > Configuring for linux-x86_64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-x86_64 > IsMK1MF =no > CC =gcc > CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 > OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM > SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM > ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-ldl > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o > x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o > aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o > aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o > sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > BLAKE2_OBJ = > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/usr/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for linux-x86_64. > > From rt at openssl.org Wed Mar 16 14:02:57 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Wed, 16 Mar 2016 14:02:57 +0000 Subject: [openssl-dev] [openssl.org #4434] Gentoo 13, x86_64: 4 failed self tests In-Reply-To: <56E9678F.6060004@openssl.org> References: <56E9678F.6060004@openssl.org> Message-ID: What happens if you run the afalgtest directly? $ cd test $ ./afalgtest Matt On 16/03/16 13:52, noloader at gmail.com via RT wrote: > Working from Master on a Gentoo 13 machine, x86_64. The test was run > as root which explains one of the failures (I don't have users or SSH > set up yet). > > Kernel is 4.1.15, GCC is 4.9.3. > > $ make test > ... > > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ../test/recipes/05-test_cast.t ............ ok > ../test/recipes/05-test_des.t ............. ok > ../test/recipes/05-test_hmac.t ............ ok > ../test/recipes/05-test_idea.t ............ ok > ../test/recipes/05-test_md2.t ............. skipped: md2 is not > supported by this OpenSSL build > ../test/recipes/05-test_md4.t ............. ok > ../test/recipes/05-test_md5.t ............. ok > ../test/recipes/05-test_mdc2.t ............ ok > ../test/recipes/05-test_rand.t ............ ok > ../test/recipes/05-test_rc2.t ............. ok > ../test/recipes/05-test_rc4.t ............. ok > ../test/recipes/05-test_rc5.t ............. skipped: rc5 is not > supported by this OpenSSL build > ../test/recipes/05-test_rmd.t ............. ok > ../test/recipes/05-test_sha1.t ............ ok > ../test/recipes/05-test_sha256.t .......... ok > ../test/recipes/05-test_sha512.t .......... ok > ../test/recipes/05-test_wp.t .............. ok > ../test/recipes/10-test_bn.t .............. ok > ../test/recipes/10-test_exp.t ............. ok > ../test/recipes/15-test_dh.t .............. ok > ../test/recipes/15-test_dsa.t ............. ok > ../test/recipes/15-test_ec.t .............. ok > ../test/recipes/15-test_ecdh.t ............ ok > ../test/recipes/15-test_ecdsa.t ........... ok > ../test/recipes/15-test_rsa.t ............. ok > ../test/recipes/20-test_enc.t ............. ok > ../test/recipes/25-test_crl.t ............. ok > ../test/recipes/25-test_gen.t ............. ok > ../test/recipes/25-test_pkcs7.t ........... ok > ../test/recipes/25-test_req.t ............. ok > ../test/recipes/25-test_sid.t ............. ok > ../test/recipes/25-test_verify.t .......... ok > ../test/recipes/25-test_x509.t ............ ok > > # Failed test 'running afalgtest' > # at ../test/recipes/30-test_afalg.t line 68. > # Looks like you failed 1 test of 1. > ../test/recipes/30-test_afalg.t ........... > Dubious, test returned 1 (wstat 256, 0x100) > Failed 1/1 subtests > ../test/recipes/30-test_engine.t .......... ok > ../test/recipes/30-test_evp.t ............. ok > ../test/recipes/30-test_evp_extra.t ....... ok > ../test/recipes/30-test_pbelu.t ........... ok > > # Failed test 'Testing that we aren't running as a privileged user, > such as root' > # at ../test/recipes/40-test_rehash.t line 41. > # Looks like you failed 1 test of 5. > ../test/recipes/40-test_rehash.t .......... > Dubious, test returned 1 (wstat 256, 0x100) > Failed 1/5 subtests > (less 1 skipped subtest: 3 okay) > ../test/recipes/70-test_clienthello.t ..... ok > ../test/recipes/70-test_packet.t .......... ok > ../test/recipes/70-test_sslcertstatus.t ... skipped: > test_sslcertstatus needs the dynamic engine feature enabled > ../test/recipes/70-test_sslextension.t .... skipped: test_sslextension > needs the dynamic engine feature enabled > ../test/recipes/70-test_sslsessiontick.t .. skipped: > test_sslsessiontick needs the dynamic engine feature enabled > ../test/recipes/70-test_sslskewith0p.t .... skipped: test_sslskewith0p > needs the dynamic engine feature enabled > ../test/recipes/70-test_sslvertol.t ....... skipped: test_sslextension > needs the dynamic engine feature enabled > ../test/recipes/70-test_tlsextms.t ........ skipped: test_tlsextms > needs the dynamic engine feature enabled > ../test/recipes/70-test_verify_extra.t .... ok > ../test/recipes/80-test_ca.t .............. ok > ../test/recipes/80-test_cms.t ............. ok > ../test/recipes/80-test_ct.t .............. ok > ../test/recipes/80-test_dane.t ............ ok > ../test/recipes/80-test_dtlsv1listen.t .... ok > ../test/recipes/80-test_ocsp.t ............ ok > ../test/recipes/80-test_ssl.t ............. ok > ../test/recipes/80-test_tsa.t ............. ok > ../test/recipes/90-test_async.t ........... ok > ../test/recipes/90-test_constant_time.t ... ok > ../test/recipes/90-test_gmdiff.t .......... ok > ../test/recipes/90-test_heartbeat.t ....... skipped: heartbeats is not > supported by this OpenSSL build > ../test/recipes/90-test_ige.t ............. ok > ../test/recipes/90-test_memleak.t ......... ok > ../test/recipes/90-test_networking.t ...... skipped: test_networking > needs the dynamic engine feature enabled > ../test/recipes/90-test_np.t .............. ok > ../test/recipes/90-test_p5_crpt2.t ........ ok > ../test/recipes/90-test_secmem.t .......... ok > ../test/recipes/90-test_srp.t ............. ok > ../test/recipes/90-test_threads.t ......... ok > ../test/recipes/90-test_v3name.t .......... ok > > Test Summary Report > ------------------- > ../test/recipes/30-test_afalg.t (Wstat: 256 Tests: 1 Failed: 1) > Failed test: 1 > Non-zero exit status: 1 > ../test/recipes/40-test_rehash.t (Wstat: 256 Tests: 5 Failed: 1) > Failed test: 4 > Non-zero exit status: 1 > Files=71, Tests=367, 31 wallclock secs ( 0.41 usr 0.10 sys + 22.79 > cusr 4.20 csys = 27.50 CPU) > Result: FAIL > Failed 2/71 test programs. 2/367 subtests failed. > Makefile:122: recipe for target 'test' failed > make: *** [test] Error 255 > > ----- > > $ ./config > Operating system: x86_64-whatever-linux2 > Configuring for linux-x86_64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-x86_64 > IsMK1MF =no > CC =gcc > CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 > OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM > SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM > ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-ldl > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o > x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o > aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o > aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o > sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > BLAKE2_OBJ = > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/usr/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for linux-x86_64. > > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4434 Please log in as guest with password guest if prompted From appro at openssl.org Wed Mar 16 14:35:39 2016 From: appro at openssl.org (Andy Polyakov) Date: Wed, 16 Mar 2016 15:35:39 +0100 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: References: <56E6D020.5020906@openssl.org> Message-ID: <56E96F3B.5060107@openssl.org> >> Is it possible that real target is so called x32, i.e. x86_64 with >> 32-bit address space limitation? In such case linux-x32 would be the >> right target... > > I don't believe this is x32 since {x86_64|amd64} and __ILP32__ are not > defined; see preprocessor output below. Got it. But just in case x32 was fixed anyway :-) > The compiler reports its i686: > > # gcc -dumpmachine > i686-pc-linux-gnu > > The machine appears to be i686: > > # readelf -h /bin/ls | grep -i 'class\|machine' > Class: ELF32 > Machine: Intel 80386 > > The machine reports that its x86_64 through uname, though: > > # uname -m > x86_64 > > Maybe uname cannot be trusted for Gentoo? Well, x86_64 is a string kernel returns to a user-land program, right? And the thing is that it doesn't care if the program is 32- or 64-bit one (unless you've changed "personality" for the said program). So that above simply means that you have ended up with so to say 32-bit /, i.e. with 32-bit /bin/ls, 32-bit compiler, the whole thing, but booted 64-bit kernel. There is no reason why it wouldn't work. I mean such mix of kernel and user-land. It's not common, but it works. Question is if it's really the way all Gentoos get installed. On certain level it makes sense to have all the system programs to be 32-bit, because they are not performance-critical, so you can afford to trade a bit worse performance to minimize memory and disk space consumption (latter can be surely appropriate for a LiveCD). But they ought to provide compiler capable of generating 64-bit code. So that user can compiler performance-critical applications. Yes, 32-bit compiler can actually be configured to generate code of either bitness, but it's not common nowadays. Very much like 64-bit compiler can be configured to generate code of either bitness, which is commonplace. The fact that it managed to compile first assembly module simply means that assembler was configured to assemble code of either bitness. As they are configured separately, binutils and compiler, it's not impossible combination. > # cat /etc/gentoo-release > Gentoo Base System release 2.2 Once again, is it really average Gentoo installation? If it's not, then I'd say that it's not OpenSSL problem. If you still have to compile for this installation, then just invoke './Configure linux-elf ...' manually. On side note, this is also the way to test 32-bit builds on 64-bit OS, though it normally takes extra option, './Configure linux-elf -m32 ...' From rt at openssl.org Wed Mar 16 14:38:32 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Wed, 16 Mar 2016 14:38:32 +0000 Subject: [openssl-dev] [openssl.org #4428] Gentoo 12.1, x86_64: crypto/aes/aes_cfb.c:1:0: error: CPU you selected does not support x86-64 instruction set In-Reply-To: <56E96FE7.4090605@openssl.org> References: <56E6D020.5020906@openssl.org> <56E96FE7.4090605@openssl.org> Message-ID: >> Is it possible that real target is so called x32, i.e. x86_64 with >> 32-bit address space limitation? In such case linux-x32 would be the >> right target... > > I don't believe this is x32 since {x86_64|amd64} and __ILP32__ are not > defined; see preprocessor output below. Got it. But just in case x32 was fixed anyway :-) > The compiler reports its i686: > > # gcc -dumpmachine > i686-pc-linux-gnu > > The machine appears to be i686: > > # readelf -h /bin/ls | grep -i 'class\|machine' > Class: ELF32 > Machine: Intel 80386 > > The machine reports that its x86_64 through uname, though: > > # uname -m > x86_64 > > Maybe uname cannot be trusted for Gentoo? Well, x86_64 is a string kernel returns to a user-land program, right? And the thing is that it doesn't care if the program is 32- or 64-bit one (unless you've changed "personality" for the said program). So that above simply means that you have ended up with so to say 32-bit /, i.e. with 32-bit /bin/ls, 32-bit compiler, the whole thing, but booted 64-bit kernel. There is no reason why it wouldn't work. I mean such mix of kernel and user-land. It's not common, but it works. Question is if it's really the way all Gentoos get installed. On certain level it makes sense to have all the system programs to be 32-bit, because they are not performance-critical, so you can afford to trade a bit worse performance to minimize memory and disk space consumption (latter can be surely appropriate for a LiveCD). But they ought to provide compiler capable of generating 64-bit code. So that user can compiler performance-critical applications. Yes, 32-bit compiler can actually be configured to generate code of either bitness, but it's not common nowadays. Very much like 64-bit compiler can be configured to generate code of either bitness, which is commonplace. The fact that it managed to compile first assembly module simply means that assembler was configured to assemble code of either bitness. As they are configured separately, binutils and compiler, it's not impossible combination. > # cat /etc/gentoo-release > Gentoo Base System release 2.2 Once again, is it really average Gentoo installation? If it's not, then I'd say that it's not OpenSSL problem. If you still have to compile for this installation, then just invoke './Configure linux-elf ...' manually. On side note, this is also the way to test 32-bit builds on 64-bit OS, though it normally takes extra option, './Configure linux-elf -m32 ...' -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4428 Please log in as guest with password guest if prompted From openssldev at gmail.com Wed Mar 16 16:36:15 2016 From: openssldev at gmail.com (Nonce Word) Date: Wed, 16 Mar 2016 17:36:15 +0100 Subject: [openssl-dev] EVP possibly leaking bytes Message-ID: Using the guide posted here: https://wiki.openssl.org/index.php/EVP_Symmetric_Encryption_and_Decryption I was getting a fairly large amount of bytes "still reachable", so I decided to throw in all of the options to free up whatever was left over. Originally, all that was suggested in the wiki was to EVP_cleanup() and ERR_free_strings(). But by adding in CRYPTO_cleanup_all_ex_data(), ERR_remove_thread_state(0), ENGINE_cleanup(), and CONF_modules_unload(0), I was able to significantly cut down on the bytes still reachable. Full leak check below. The code is the exact same as in the wiki, but with the additions mentioned above. root at openssl:~# valgrind ./test --leak-check=full --tool=memcheck -v ==31040== Memcheck, a memory error detector ==31040== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al. ==31040== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info ==31040== Command: ./test --leak-check=full --tool=memcheck -v ==31040== --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.21.so: --31040-- Ignoring non-Dwarf2/3/4 block in .debug_info --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.21.so: --31040-- Last block truncated in .debug_info; ignoring --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.21.so: --31040-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4 --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.21.so: --31040-- Ignoring non-Dwarf2/3/4 block in .debug_info --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.21.so: --31040-- Last block truncated in .debug_info; ignoring --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.21.so: --31040-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4 --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.21.so: --31040-- Ignoring non-Dwarf2/3/4 block in .debug_info --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.21.so: --31040-- Last block truncated in .debug_info; ignoring --31040-- WARNING: Serious error when reading debug info --31040-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.21.so: --31040-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4 Ciphertext is: 0000 - e0 6f 63 a7 11 e8 b7 aa-9f 94 40 10 7d 46 80 a1 .oc....... at .}F.. 0010 - 17 99 43 80 ea 31 d2 a2-99 b9 53 02 d4 39 b9 70 ..C..1....S..9.p 0020 - 2c 8e 65 a9 92 36 ec 92-07 04 91 5c f1 a9 8a 44 ,.e..6.....\...D Decrypted text is: The quick brown fox jumps over the lazy dog ==31040== ==31040== HEAP SUMMARY: ==31040== in use at exit: 240 bytes in 8 blocks ==31040== total heap usage: 3,295 allocs, 3,287 frees, 121,451 bytes allocated ==31040== ==31040== LEAK SUMMARY: ==31040== definitely lost: 0 bytes in 0 blocks ==31040== indirectly lost: 0 bytes in 0 blocks ==31040== possibly lost: 0 bytes in 0 blocks ==31040== still reachable: 240 bytes in 8 blocks ==31040== suppressed: 0 bytes in 0 blocks ==31040== Rerun with --leak-check=full to see details of leaked memory ==31040== ==31040== For counts of detected and suppressed errors, rerun with: -v ==31040== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0) Code: #include #include #include #include #include void handleErrors(void) { ERR_print_errors_fp(stderr); abort(); } int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key, unsigned char *iv, unsigned char *plaintext) { EVP_CIPHER_CTX *ctx; int len; int plaintext_len; /* Create and initialise the context */ if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); /* Initialise the decryption operation. IMPORTANT - ensure you use a key * and IV size appropriate for your cipher * In this example we are using 256 bit AES (i.e. a 256 bit key). The * IV size for *most* modes is the same as the block size. For AES this * is 128 bits */ if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) handleErrors(); /* Provide the message to be decrypted, and obtain the plaintext output. * EVP_DecryptUpdate can be called multiple times if necessary */ if(1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len)) handleErrors(); plaintext_len = len; /* Finalise the decryption. Further plaintext bytes may be written at * this stage. */ if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) handleErrors(); plaintext_len += len; /* Clean up */ EVP_CIPHER_CTX_free(ctx); return plaintext_len; } int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key, unsigned char *iv, unsigned char *ciphertext) { EVP_CIPHER_CTX *ctx; int len; int ciphertext_len; /* Create and initialise the context */ if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); /* Initialise the encryption operation. IMPORTANT - ensure you use a key * and IV size appropriate for your cipher * In this example we are using 256 bit AES (i.e. a 256 bit key). The * IV size for *most* modes is the same as the block size. For AES this * is 128 bits */ if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) handleErrors(); /* Provide the message to be encrypted, and obtain the encrypted output. * EVP_EncryptUpdate can be called multiple times if necessary */ if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len)) handleErrors(); ciphertext_len = len; /* Finalise the encryption. Further ciphertext bytes may be written at * this stage. */ if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors(); ciphertext_len += len; /* Clean up */ EVP_CIPHER_CTX_free(ctx); return ciphertext_len; } int main (void) { /* Set up the key and iv. Do I need to say to not hard code these in a * real application? :-) */ /* A 256 bit key */ unsigned char *key = (unsigned char *)"01234567890123456789012345678901"; /* A 128 bit IV */ unsigned char *iv = (unsigned char *)"01234567890123456"; /* Message to be encrypted */ unsigned char *plaintext = (unsigned char *)"The quick brown fox jumps over the lazy dog"; /* Buffer for ciphertext. Ensure the buffer is long enough for the * ciphertext which may be longer than the plaintext, dependant on the * algorithm and mode */ unsigned char ciphertext[128]; /* Buffer for the decrypted text */ unsigned char decryptedtext[128]; int decryptedtext_len, ciphertext_len; /* Initialise the library */ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); OPENSSL_config(NULL); /* Encrypt the plaintext */ ciphertext_len = encrypt (plaintext, strlen ((char *)plaintext), key, iv, ciphertext); /* Do something useful with the ciphertext here */ printf("Ciphertext is:\n"); BIO_dump_fp (stdout, (const char *)ciphertext, ciphertext_len); /* Decrypt the ciphertext */ decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv, decryptedtext); /* Add a NULL terminator. We are expecting printable text */ decryptedtext[decryptedtext_len] = '\0'; /* Show the decrypted text */ printf("Decrypted text is:\n"); printf("%s\n", decryptedtext); /* Clean up */ EVP_cleanup(); ERR_free_strings(); ENGINE_cleanup(); CONF_modules_unload(0); CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(0); return 0; } -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl at openssl.org Wed Mar 16 17:50:15 2016 From: openssl at openssl.org (OpenSSL) Date: Wed, 16 Mar 2016 17:50:15 +0000 Subject: [openssl-dev] OpenSSL version 1.1.0 pre release 4 published Message-ID: <20160316175015.GA18842@openssl.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.1.0 pre release 4 (beta) =========================================== OpenSSL - The Open Source toolkit for SSL/TLS http://www.openssl.org/ OpenSSL 1.1.0 is currently in beta. OpenSSL 1.1.0 pre release 4 has now been made available. For details of changes and known issues see the release notes at: http://www.openssl.org/news/openssl-1.1.0-notes.html Note: This OpenSSL pre-release has been provided for testing ONLY. It should NOT be used for security critical purposes. The beta release is available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html): * http://www.openssl.org/source/ * ftp://ftp.openssl.org/source/ The distribution file name is: o openssl-1.1.0-pre4.tar.gz Size: 5325012 SHA1 checksum: 58119f6c784055a50622afc75b5b817eeae2a365 SHA256 checksum: a2fe0bd293cdedde193ff0377cab75cbd042a9c20c11622d6b350890855a0a69 The checksums were calculated using the following commands: openssl sha1 openssl-1.1.0-pre4.tar.gz openssl sha256 openssl-1.1.0-pre4.tar.gz Please download and check this beta release as soon as possible. Bug reports should go to rt at openssl.org. Please check the release notes and mailing lists to avoid duplicate reports of known issues. Yours, The OpenSSL Project Team. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJW6ZYnAAoJENXp5D99+e6MLLEP/jqfZLP8ziXZ/LwOCvtIwe7x aCyYmRff8lsNfFbgb6IWFoUqA5oEwq2nAUSeJ5FWX4hhsIdvLrBskT5o47cDo+fA 8CQBXYfEcEq9Qvdezw20242TPpCpBDFBFh7L972yVElbvwGgsV0OaiJ5oGss7u1A ZWXhrnpiYBr04Ovx5CtN5QedtV4U5ZEhQOumKpM+BgWD3lt2AlYGRrc9f3DytdQ/ cIVW5p2NlixQkKp2qqcsa5tXMtPoPz1IwJi3BpBR5ViBWCqzlSWAUqxuHL8t0piH AQZr1dN+ABiSoM9B7wa1PHUZWNlUlK4aF8t6o4sg0deaaHOZbi/skitKgPhbuYtW Zs4/et2SA7lctNODKPjwYL80KVCrvx+Hk3rUf6tLWhcCyfcAIIR0Bg8o86nD9SNU fJ5fEoe6HpADWdF/RcoWVsWkLJbqq33VouXYuOlOrQTJ+11bxVyraMdwoC0NmnBm 4PdHkjVcfH3t1GwKp02aRw33VL/xa6x6gTT3OtTkVhwXXF0q5nDtxbUf421lVPvo ZMB2UHnhnaNZhDO9X6m2ZBkizzjLMooqeMuAIiAXdwQZ4+Tee/Gcrf4wMP34pa6j FvDqEBTa19BC6joLhC+mmfHgmQTTQWg7GiZ0a9VAjmnom9CxUNBzYVAdL4SYrk4z jf78Hj1qn1w+4dVLo/o1 =O2sR -----END PGP SIGNATURE----- From doctor at doctor.nl2k.ab.ca Wed Mar 16 18:26:29 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Wed, 16 Mar 2016 12:26:29 -0600 Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160315.221350.1725521770011152083.levitte@openssl.org> References: <20160315200107.GA12050@doctor.nl2k.ab.ca> <20160315.212249.2292198922030225804.levitte@openssl.org> <20160315205022.GA26917@doctor.nl2k.ab.ca> <20160315.221350.1725521770011152083.levitte@openssl.org> Message-ID: <20160316182629.GA10733@doctor.nl2k.ab.ca> On Tue, Mar 15, 2016 at 10:13:50PM +0100, Richard Levitte wrote: > In message <20160315205022.GA26917 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:50:22 -0600, The Doctor said: > > doctor> On Tue, Mar 15, 2016 at 09:22:49PM +0100, Richard Levitte wrote: > doctor> > In message <20160315200107.GA12050 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:01:07 -0600, The Doctor said: > doctor> > > doctor> > doctor> On Tue, Mar 15, 2016 at 06:09:08PM +0100, Richard Levitte wrote: > doctor> > doctor> > In message <20160315153241.GA3975 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 09:32:42 -0600, The Doctor said: > doctor> > doctor> > > doctor> > doctor> > doctor> On Mon, Mar 14, 2016 at 09:02:56AM -0600, The Doctor wrote: > doctor> > doctor> > doctor> > //usr/source/openssl-SNAP-20160314$ make > doctor> > doctor> > doctor> > make: don't know how to make crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:. Stop > doctor> > doctor> > doctor> > > doctor> > doctor> > doctor> > I got a bit compiled until this happened. > doctor> > doctor> > doctor> > > doctor> > doctor> > doctor> > Last working package was > doctor> > doctor> > doctor> > > doctor> > doctor> > doctor> > openssl-SNAP-20160311 . > doctor> > doctor> > doctor> > > doctor> > doctor> > doctor> > doctor> > doctor> > doctor> Still the same issue with openssl-SNAP-20160315 . > doctor> > doctor> > doctor> > doctor> > doctor> > doctor> What is the problem with crypto/aes/aes_cfb.o > doctor> > doctor> > doctor> ?? > doctor> > doctor> > > doctor> > doctor> > Hmmm, the seems like an issue with dependency making, somehow. > doctor> > doctor> > > doctor> > doctor> > could you run this command and send me the result (I hope your grep > doctor> > doctor> > understands -A and -B, which is used to display a number of lines > doctor> > doctor> > After and Before a match)? > doctor> > doctor> > > doctor> > doctor> > $ grep -A5 -B5 aes_cfb.o:crypto Makefile > doctor> > doctor> > > doctor> > doctor> > doctor> > doctor> The result is > doctor> > doctor> > doctor> > doctor> crypto/comp/c_zlib.o:crypto/comp/c_zlib.o: crypto/comp/comp_lcl.h > doctor> > doctor> # DO NOT DELETE > doctor> > doctor> > doctor> > doctor> crypto/aes/aes_cfb.o: include/openssl/aes.h > doctor> > doctor> crypto/aes/aes_cfb.o: include/openssl/opensslconf.h > doctor> > doctor> crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o:crypto/aes/aes_cfb.o: include/openssl/modes.h > doctor> > doctor> # DO NOT DELETE > doctor> > doctor> > doctor> > doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/crypto.h > doctor> > doctor> crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o:crypto/asn1/asn_mstbl.o: include/openssl/e_os2.h > doctor> > doctor> crypto/asn1/asn_mstbl.o: include/openssl/opensslconf.h > doctor> > > doctor> > Ok, that's what I expected. So there seems to be some odd interaction > doctor> > between the makedepend and the post-processing perl snippet. > doctor> > > doctor> > Could you do the following for me? > doctor> > > doctor> > $ rm crypto/aes/aes_cfb.d > doctor> > $ make crypto/aes/aes_cfb.d > doctor> > doctor> We get > doctor> > doctor> /usr/X11/bin/makedepend -fcrypto/aes/aes_cfb.d.tmp -o"|crypto/aes/aes_cfb.o" -- -DZLIB_SHARED -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" -DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. -Icrypto/include -- crypto/aes/aes_cfb.c 2>/dev/null > doctor> perl -i -pe 's/^.*\|//; s/ \/(\\.|[^ ])*//; # $_ = undef if (/: *$/ || /^(#.*| *)$/); # $_.="\n" unless !defined($_) or /\R$/g;' crypto/aes/aes_cfb.d.tmp > > Actually, that perl line explained the issue just fine. Thanks, I > know how to resolve this. > Just looked atthe Makefile. May I suggest instead of using perl, use -${PERL} instead. When I did a symbolic like to perl, that worked Also from my non-root account HARNESS_VERBOSE=yes make tests TESTS='test_evp test_packet test_cms' yielded ../test/recipes/30-test_evp.t ..... 1..1 Test line 2548: unexpected error KEY_MISMATCH Expected: 77D6576238657B203B19CA42C18A0497F16B4844E3074AE8DFDFFA3FEDE21442FCD0069DED0948F8326A753A0FC81F17E8D3E0FB2E0D3628CF35E20C38D18906 Got: 1E206D019AE5CD5575A1CD9BD56AF7AF094ACC8A903E163BF22A417CC7073B7B864FE17944690473DBED7E2FAA5A42069150BE9FF727AC1A251E04E52537B961 Test line 2556: unexpected error KEY_MISMATCH Expected: FDBABE1C9D3472007856E7190D01E9FE7C6AD7CBC8237830E77376634B3731622EAF30D92E22A3886FF109279D9830DAC727AFB94A83EE6D8360CBDFA2CC0640 Got: 4D0B8D57109EF588586B7812B70CD2FBD4DDE5F9AD1E45A17C565E24FE247DE986CA22CFDFF6C64346C62436F301EAE987A0E424B080EACB04E70830C3B9ACE0 Test line 2564: unexpected error KEY_MISMATCH Expected: 7023BDCB3AFD7348461C06CD81FD38EBFDA8FBBA904F8E3EA9B543F6545DA1F2D5432955613F0FCF62D49705242A9AF9E61E85DC0D651E40DFCF017B45575887 Got: BF7268686B9059DAA738213780F8EEE8BC2FDD65D50DE1298B5ED2142040DB72E0CC5C6649C682EB8BC998A70D1CA8BCB73FF7367C1027403201F663239520D6 480 tests completed with 3 errors, 0 skipped not ok 1 - running evp_test evptests.txt # Failed test 'running evp_test evptests.txt' # at ../test/recipes/30-test_evp.t line 11. # Looks like you failed 1 test of 1. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/70-test_packet.t .. 1..1 test_PACKET_buf_init() failed not ok 1 - running packettest # Failed test 'running packettest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/80-test_cms.t ..... 1..4 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 1 - CMS => PKCS\#7 compatibility tests # 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 2 - CMS <= PKCS\#7 compatibility tests # 1..27 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients Verification successful ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid Verification successful ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys Verification successful ok 18 - signed content MIME format, RSA key, signed receipt request Verification successful ok 19 - signed receipt MIME format, RSA key ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid ok 21 - enveloped content test streaming PEM format, KEK ok 22 - enveloped content test streaming PEM format, KEK, key only ok 23 - data content test streaming PEM format ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key ok 26 - encrypted content test streaming PEM format, triple DES key ok 27 - encrypted content test streaming PEM format, 128 bit AES key ok 3 - CMS <=> CMS consistency tests # 1..11 Verification successful ok 1 - signed content test streaming PEM format, RSA keys, PSS signature Verification successful ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes Verification successful ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 ok 6 - enveloped content test streaming S/MIME format, ECDH ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH ok 10 - enveloped content test streaming S/MIME format, X9.42 DH Error creating CMS structure 135045376:error:2E068097:CMS routines:CMS_compress:unsupported compression algorithm:crypto/cms/cms_smime.c:879: not ok 11 - compressed content test streaming PEM format # Failed test 'compressed content test streaming PEM format' # at ../test/recipes/80-test_cms.t line 452. # Looks like you failed 1 test of 11. not ok 4 - CMS <=> CMS consistency tests, modified key parameters # # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 1 test of 4. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests Test Summary Report ------------------- ../test/recipes/30-test_evp.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/70-test_packet.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=3, Tests=6, 24 wallclock secs ( 0.15 usr 0.08 sys + 12.15 cusr 15.10 csys = 27.48 CPU) Result: FAIL Failed 3/3 test programs. 3/6 subtests failed. *** Error code 1 Stop. The rest was fine. > -- > Richard Levitte levitte at openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From levitte at openssl.org Wed Mar 16 19:09:15 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 16 Mar 2016 20:09:15 +0100 (CET) Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160316182629.GA10733@doctor.nl2k.ab.ca> References: <20160315205022.GA26917@doctor.nl2k.ab.ca> <20160315.221350.1725521770011152083.levitte@openssl.org> <20160316182629.GA10733@doctor.nl2k.ab.ca> Message-ID: <20160316.200915.964875523300370144.levitte@openssl.org> In message <20160316182629.GA10733 at doctor.nl2k.ab.ca> on Wed, 16 Mar 2016 12:26:29 -0600, The Doctor said: doctor> On Tue, Mar 15, 2016 at 10:13:50PM +0100, Richard Levitte wrote: doctor> > In message <20160315205022.GA26917 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:50:22 -0600, The Doctor said: doctor> > doctor> perl -i -pe 's/^.*\|//; s/ \/(\\.|[^ ])*//; # $_ = undef if (/: *$/ || /^(#.*| *)$/); # $_.="\n" unless !defined($_) or /\R$/g;' crypto/aes/aes_cfb.d.tmp doctor> > doctor> > Actually, that perl line explained the issue just fine. Thanks, I doctor> > know how to resolve this. doctor> > doctor> Just looked atthe Makefile. doctor> doctor> May I suggest instead of using perl, use -${PERL} instead. Good idea, I'll fix that. doctor> When I did a symbolic like to perl, that worked doctor> doctor> Also from my non-root account doctor> doctor> HARNESS_VERBOSE=yes make tests TESTS='test_evp test_packet test_cms' doctor> doctor> yielded doctor> doctor> ../test/recipes/30-test_evp.t ..... doctor> 1..1 doctor> Test line 2548: unexpected error KEY_MISMATCH doctor> Expected: 77D6576238657B203B19CA42C18A0497F16B4844E3074AE8DFDFFA3FEDE21442FCD0069DED0948F8326A753A0FC81F17E8D3E0FB2E0D3628CF35E20C38D18906 doctor> Got: 1E206D019AE5CD5575A1CD9BD56AF7AF094ACC8A903E163BF22A417CC7073B7B864FE17944690473DBED7E2FAA5A42069150BE9FF727AC1A251E04E52537B961 doctor> Test line 2556: unexpected error KEY_MISMATCH doctor> Expected: FDBABE1C9D3472007856E7190D01E9FE7C6AD7CBC8237830E77376634B3731622EAF30D92E22A3886FF109279D9830DAC727AFB94A83EE6D8360CBDFA2CC0640 doctor> Got: 4D0B8D57109EF588586B7812B70CD2FBD4DDE5F9AD1E45A17C565E24FE247DE986CA22CFDFF6C64346C62436F301EAE987A0E424B080EACB04E70830C3B9ACE0 doctor> Test line 2564: unexpected error KEY_MISMATCH doctor> Expected: 7023BDCB3AFD7348461C06CD81FD38EBFDA8FBBA904F8E3EA9B543F6545DA1F2D5432955613F0FCF62D49705242A9AF9E61E85DC0D651E40DFCF017B45575887 doctor> Got: BF7268686B9059DAA738213780F8EEE8BC2FDD65D50DE1298B5ED2142040DB72E0CC5C6649C682EB8BC998A70D1CA8BCB73FF7367C1027403201F663239520D6 doctor> 480 tests completed with 3 errors, 0 skipped doctor> not ok 1 - running evp_test evptests.txt doctor> doctor> # Failed test 'running evp_test evptests.txt' doctor> # at ../test/recipes/30-test_evp.t line 11. doctor> # Looks like you failed 1 test of 1. doctor> Dubious, test returned 1 (wstat 256, 0x100) doctor> Failed 1/1 subtests doctor> ../test/recipes/70-test_packet.t .. doctor> 1..1 doctor> test_PACKET_buf_init() failed doctor> not ok 1 - running packettest doctor> doctor> # Failed test 'running packettest' doctor> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. doctor> # Looks like you failed 1 test of 1. doctor> Dubious, test returned 1 (wstat 256, 0x100) doctor> Failed 1/1 subtests doctor> ../test/recipes/80-test_cms.t ..... doctor> 1..4 doctor> 1..15 doctor> Verification successful doctor> ok 1 - signed content DER format, RSA key doctor> Verification successful doctor> ok 2 - signed detached content DER format, RSA key doctor> Verification successful doctor> ok 3 - signed content test streaming BER format, RSA doctor> Verification successful doctor> ok 4 - signed content DER format, DSA key doctor> Verification successful doctor> ok 5 - signed detached content DER format, DSA key doctor> Verification successful doctor> ok 6 - signed detached content DER format, add RSA signer doctor> Verification successful doctor> ok 7 - signed content test streaming BER format, DSA key doctor> Verification successful doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes doctor> Verification successful doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients doctor> ok 1 - CMS => PKCS\#7 compatibility tests doctor> # doctor> 1..15 doctor> Verification successful doctor> ok 1 - signed content DER format, RSA key doctor> Verification successful doctor> ok 2 - signed detached content DER format, RSA key doctor> Verification successful doctor> ok 3 - signed content test streaming BER format, RSA doctor> Verification successful doctor> ok 4 - signed content DER format, DSA key doctor> Verification successful doctor> ok 5 - signed detached content DER format, DSA key doctor> Verification successful doctor> ok 6 - signed detached content DER format, add RSA signer doctor> Verification successful doctor> ok 7 - signed content test streaming BER format, DSA key doctor> Verification successful doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes doctor> Verification successful doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients doctor> ok 2 - CMS <= PKCS\#7 compatibility tests doctor> # doctor> 1..27 doctor> Verification successful doctor> ok 1 - signed content DER format, RSA key doctor> Verification successful doctor> ok 2 - signed detached content DER format, RSA key doctor> Verification successful doctor> ok 3 - signed content test streaming BER format, RSA doctor> Verification successful doctor> ok 4 - signed content DER format, DSA key doctor> Verification successful doctor> ok 5 - signed detached content DER format, DSA key doctor> Verification successful doctor> ok 6 - signed detached content DER format, add RSA signer doctor> Verification successful doctor> ok 7 - signed content test streaming BER format, DSA key doctor> Verification successful doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes doctor> Verification successful doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients doctor> Verification successful doctor> ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid doctor> Verification successful doctor> ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys doctor> Verification successful doctor> ok 18 - signed content MIME format, RSA key, signed receipt request doctor> Verification successful doctor> ok 19 - signed receipt MIME format, RSA key doctor> ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid doctor> ok 21 - enveloped content test streaming PEM format, KEK doctor> ok 22 - enveloped content test streaming PEM format, KEK, key only doctor> ok 23 - data content test streaming PEM format doctor> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key doctor> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key doctor> ok 26 - encrypted content test streaming PEM format, triple DES key doctor> ok 27 - encrypted content test streaming PEM format, 128 bit AES key doctor> ok 3 - CMS <=> CMS consistency tests doctor> # doctor> 1..11 doctor> Verification successful doctor> ok 1 - signed content test streaming PEM format, RSA keys, PSS signature doctor> Verification successful doctor> ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes doctor> Verification successful doctor> ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 doctor> ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters doctor> ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 doctor> ok 6 - enveloped content test streaming S/MIME format, ECDH doctor> ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier doctor> ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF doctor> ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH doctor> ok 10 - enveloped content test streaming S/MIME format, X9.42 DH doctor> Error creating CMS structure doctor> 135045376:error:2E068097:CMS routines:CMS_compress:unsupported compression algorithm:crypto/cms/cms_smime.c:879: doctor> not ok 11 - compressed content test streaming PEM format doctor> doctor> # Failed test 'compressed content test streaming PEM format' doctor> # at ../test/recipes/80-test_cms.t line 452. doctor> # Looks like you failed 1 test of 11. doctor> not ok 4 - CMS <=> CMS consistency tests, modified key parameters doctor> # doctor> doctor> # Failed test 'CMS <=> CMS consistency tests, modified key parameters doctor> # ' doctor> # at ../test/recipes/80-test_cms.t line 458. doctor> # Looks like you failed 1 test of 4. doctor> Dubious, test returned 1 (wstat 256, 0x100) doctor> Failed 1/4 subtests doctor> doctor> Test Summary Report doctor> ------------------- doctor> ../test/recipes/30-test_evp.t (Wstat: 256 Tests: 1 Failed: 1) doctor> Failed test: 1 doctor> Non-zero exit status: 1 doctor> ../test/recipes/70-test_packet.t (Wstat: 256 Tests: 1 Failed: 1) doctor> Failed test: 1 doctor> Non-zero exit status: 1 doctor> ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) doctor> Failed test: 4 doctor> Non-zero exit status: 1 doctor> Files=3, Tests=6, 24 wallclock secs ( 0.15 usr 0.08 sys + 12.15 cusr 15.10 csys = 27.48 CPU) doctor> Result: FAIL doctor> Failed 3/3 test programs. 3/6 subtests failed. doctor> *** Error code 1 doctor> doctor> Stop. doctor> doctor> The rest was fine. Would you mind submitting an email about these failures to rt at openssl.org? -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From moti.ms at gmail.com Wed Mar 16 21:41:49 2016 From: moti.ms at gmail.com (Moti Saroka) Date: Wed, 16 Mar 2016 23:41:49 +0200 Subject: [openssl-dev] OpenSSL 1.0.2 - Compile to Windows Universal Platform Message-ID: Hi, What is the best method to compile OpenSSL library 1.0.2.x to Windows Universal Platform 32, 64 and ARM ? Does OpenSSL should be running on Windows Universal Platform ? Best Regards, Moti Saroka. -------------- next part -------------- An HTML attachment was scrubbed... URL: From michel.sales at free.fr Wed Mar 16 21:44:48 2016 From: michel.sales at free.fr (Michel) Date: Wed, 16 Mar 2016 22:44:48 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <002601d17ec7$b1861080$14923180$@sales@free.fr> References: <002601d17ec7$b1861080$14923180$@sales@free.fr> Message-ID: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> Hi, As per my previous post, this is still the case with OpenSSL version 1.1.0 pre release 4. The configure script generate the ntdll.mak file containing CFLAG* with conflicting CRT switches. De : openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Michel Envoy? : mardi 15 mars 2016 15:34 ? : openssl-dev at openssl.org Objet : [openssl-dev] configure results in conflicting CRT switches for win DLL Hi, Just to let you know that conflicting CRT switches are produced when configure for Windows DLL : cl : Command line warning D9025 : overriding '/MD' with '/MT' (and ct_test.exe can't be linked) Regards. -------------- next part -------------- An HTML attachment was scrubbed... URL: From michel.sales at free.fr Wed Mar 16 22:11:31 2016 From: michel.sales at free.fr (Michel) Date: Wed, 16 Mar 2016 23:11:31 +0100 Subject: [openssl-dev] libcryto 1.1 leaks since old locks are removed In-Reply-To: <000001d17bdb$fd248ba0$f76da2e0$@sales@free.fr> References: <000001d17bdb$fd248ba0$f76da2e0$@sales@free.fr> Message-ID: <002c01d17fd0$cbb5cef0$63216cd0$@sales@free.fr> Hi, As in my previous post, libcrypto still leaks with OpenSSL version 1.1.0 pre release 4. Here is an example with the same test program that was running fine before I removed the old locking "stuff". Detected memory leaks! Dumping objects -> {1418} normal block at 0x0064EF98, 24 bytes long. Data: < d > 98 1F 64 00 FF FF FF FF 00 00 00 00 00 00 00 00 {703} normal block at 0x00641E40, 24 bytes long. Data: 78 1E 64 00 FF FF FF FF 00 00 00 00 00 00 00 00 Object dump complete. Debug Error! ---------- Block 703 at 0x00641E40: 24 bytes ---------- Leak Hash: 0x95EDDA21, Count: 1, Total 24 bytes Call Stack (TID 7140): ntdll.dll!RtlAllocateHeap() f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): TestsTLS-11.exe!malloc() + 0x15 bytes e:\openssl-1.1.0-pre4\crypto\mem.c (140): TestsTLS-11.exe!CRYPTO_malloc() + 0x9 bytes e:\openssl-1.1.0-pre4\crypto\mem.c (148): TestsTLS-11.exe!CRYPTO_zalloc() + 0x11 bytes e:\openssl-1.1.0-pre4\crypto\threads_win.c (57): TestsTLS-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes e:\openssl-1.1.0-pre4\crypto\err\err.c (393): TestsTLS-11.exe!do_err_strings_init() + 0x5 bytes e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): TestsTLS-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.0-pre4\crypto\err\err.c (711): TestsTLS-11.exe!ERR_func_error_string() + 0xF bytes e:\openssl-1.1.0-pre4\ssl\ssl_err.c (716): TestsTLS-11.exe!ERR_load_SSL_strings() + 0x14 bytes e:\openssl-1.1.0-pre4\ssl\ssl_init.c (180): TestsTLS-11.exe!ossl_init_load_ssl_strings() e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): TestsTLS-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.0-pre4\ssl\ssl_init.c (258): TestsTLS-11.exe!OPENSSL_init_ssl() + 0x2B bytes e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2359): TestsTLS-11.exe!SSL_CTX_new() + 0xE bytes p:\mes programmes\shared\ocrypto-11\tls.cpp (95): TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes p:\mes programmes\tests\_testsshared\teststls-11\testtls.cpp (63): TestsTLS-11.exe!main() + 0xC bytes f:\dd\vctools\crt\crtw32\startup\crt0.c (165): TestsTLS-11.exe!mainCRTStartup() ---------- Block 1418 at 0x0064EF98: 24 bytes ---------- Leak Hash: 0x9FBB4D3C, Count: 1, Total 24 bytes Call Stack (TID 7140): ntdll.dll!RtlAllocateHeap() f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): TestsTLS-11.exe!malloc() + 0x15 bytes e:\openssl-1.1.0-pre4\crypto\mem.c (140): TestsTLS-11.exe!CRYPTO_malloc() + 0x9 bytes e:\openssl-1.1.0-pre4\crypto\mem.c (148): TestsTLS-11.exe!CRYPTO_zalloc() + 0x11 bytes e:\openssl-1.1.0-pre4\crypto\threads_win.c (57): TestsTLS-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes e:\openssl-1.1.0-pre4\crypto\ex_data.c (143): TestsTLS-11.exe!do_ex_data_init() + 0x5 bytes e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): TestsTLS-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.0-pre4\crypto\ex_data.c (160): TestsTLS-11.exe!get_and_lock() + 0xF bytes e:\openssl-1.1.0-pre4\crypto\ex_data.c (243): TestsTLS-11.exe!CRYPTO_get_ex_new_index() + 0x9 bytes e:\openssl-1.1.0-pre4\ssl\ssl_cert.c (146): TestsTLS-11.exe!ssl_x509_store_ctx_init() + 0x14 bytes e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): TestsTLS-11.exe!CRYPTO_THREAD_run_once() e:\openssl-1.1.0-pre4\ssl\ssl_cert.c (152): TestsTLS-11.exe!SSL_get_ex_data_X509_STORE_CTX_idx() + 0xF bytes e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2367): TestsTLS-11.exe!SSL_CTX_new() + 0x5 bytes p:\mes programmes\shared\ocrypto-11\tls.cpp (95): TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes p:\mes programmes\tests\_testsshared\teststls-11\testtls.cpp (63): TestsTLS-11.exe!main() + 0xC bytes f:\dd\vctools\crt\crtw32\startup\crt0.c (165): TestsTLS-11.exe!mainCRTStartup() Regards, Michel -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 16 22:11:58 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 16 Mar 2016 22:11:58 +0000 Subject: [openssl-dev] [openssl.org #4434] Gentoo 13, x86_64: 4 failed self tests In-Reply-To: References: <56E9678F.6060004@openssl.org> Message-ID: On Wed, Mar 16, 2016 at 10:02 AM, Matt Caswell wrote: > What happens if you run the afalgtest directly? > > $ cd test > $ ./afalgtest > ./afalgtest ALG_PERR: afalg_create_sk: Failed to open socket : Address family not supported by protocol test_afalg_aes_128_cbc() failed encryption And: $ git reset --hard HEAD && git pull HEAD is now at 43c1fd6 Deal with DSA_SIG opaqueness. Already up-to-date. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4434 Please log in as guest with password guest if prompted From dbrownhill256 at gmail.com Wed Mar 16 22:26:44 2016 From: dbrownhill256 at gmail.com (David Brownhill) Date: Wed, 16 Mar 2016 18:26:44 -0400 Subject: [openssl-dev] OpenSSL 1.0.2 - Compile to Windows Universal Platform Message-ID: Check Microsoft's work here: https://github.com/Microsoft/openssl/ I used the scripts here to build OpenSSL for Universal Apps (ARM, x86 and x64). I had to make small changes due to my build environment but it works. Regards, David -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Wed Mar 16 22:37:26 2016 From: levitte at openssl.org (Richard Levitte) Date: Wed, 16 Mar 2016 23:37:26 +0100 (CET) Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> References: <002601d17ec7$b1861080$14923180$@sales@free.fr> <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> Message-ID: <20160316.233726.1350815458305070246.levitte@openssl.org> The Configure script generates 'makefile', not 'ntdll.mak'. Are you sure you haven't confused things? Could you please show us the exact commands you used from configuration to making? Cheers, Richard In message <001b01d17fcd$109d9100$31d8b300$@sales at free.fr> on Wed, 16 Mar 2016 22:44:48 +0100, "Michel" said: michel.sales> Hi, michel.sales> michel.sales> As per my previous post, this is still the case with OpenSSL version michel.sales> 1.1.0 pre release 4. michel.sales> michel.sales> The configure script generate the ntdll.mak file containing CFLAG* michel.sales> with conflicting CRT switches. michel.sales> michel.sales> De : openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part michel.sales> de Michel michel.sales> Envoy? : mardi 15 mars 2016 15:34 michel.sales> ? : openssl-dev at openssl.org michel.sales> Objet : [openssl-dev] configure results in conflicting CRT switches michel.sales> for win DLL michel.sales> michel.sales> Hi, michel.sales> michel.sales> Just to let you know that conflicting CRT switches are produced when michel.sales> configure for Windows DLL : michel.sales> michel.sales> cl : Command line warning D9025 : overriding '/MD' with '/MT' michel.sales> michel.sales> (and ct_test.exe can't be linked) michel.sales> michel.sales> Regards. michel.sales> From j at w1.fi Wed Mar 16 22:37:41 2016 From: j at w1.fi (Jouni Malinen) Date: Thu, 17 Mar 2016 00:37:41 +0200 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value Message-ID: <20160316223741.GA13900@w1.fi> Was the SSL_get_version() behavior changed on purpose in the Beta 1 release? This function used to return "TLSv1" when TLS v1.0 was used while it is now in Beta 1 returning "TLSv1.0" for that case. This type of unexpected change in the API can break existing users of the function. As an example, wpa_supplicant exposes this string to external components to allow them to do things based on which TLS version is used. It is unknown to me whether there are any such component that could fail due to this change, but at least this broke one of the regression test cases due to the unexpected value. The commit 7d65007238e86e59fcf31d23fcefa01e3b30cc37 ('Make function to convert version to string') seems to claim to be more or less cleanup to use a shared function for doing the conversion. However, it changes the return value for TLS1_VERSION for both SSL_get_version() and SSL_SESSION_print(). In addition to that, it seems to be changing DTL1_BAD_VER value for SSL_SESSION_print(). It should also be noted that the new implementation does not match the man page for SSL_get_version(): https://www.openssl.org/docs/manmaster/ssl/SSL_get_version.html -- Jouni Malinen PGP id EFC895FA From openssl-users at dukhovni.org Wed Mar 16 22:44:23 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 16 Mar 2016 22:44:23 +0000 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value In-Reply-To: <20160316223741.GA13900@w1.fi> References: <20160316223741.GA13900@w1.fi> Message-ID: <20160316224423.GQ6602@mournblade.imrryr.org> On Thu, Mar 17, 2016 at 12:37:41AM +0200, Jouni Malinen wrote: > Was the SSL_get_version() behavior changed on purpose in the Beta 1 > release? This function used to return "TLSv1" when TLS v1.0 was used > while it is now in Beta 1 returning "TLSv1.0" for that case. I missed this change in the review. Sorry about that. It should perhaps be reverted for beta2. The reported version string for TLS 1.0 has been "TLSv1" since support for "TLS 1.0" was introduced. It should likely stay that way. -- Viktor. From michel.sales at free.fr Wed Mar 16 23:27:03 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 00:27:03 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <20160316.233726.1350815458305070246.levitte@openssl.org> References: <002601d17ec7$b1861080$14923180$@sales@free.fr> <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> Message-ID: <005501d17fdb$58d73800$0a85a800$@sales@free.fr> Hi Richard, I believe I am just doing what I read in the 'NOTES.WIN' file : PERL Configure ... VC-WIN32 --classic --prefix=... CALL ms\do_nasm nmake -f ms\ntdll.mak nmake -f ms\ntdll.mak install And each time I got a new nt[dll].mak file. I first missed the '--classic' option, but not since I reported this. Did I miss something else ? Regards, Michel. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Richard Levitte Envoy??: mercredi 16 mars 2016 23:37 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for win DLL The Configure script generates 'makefile', not 'ntdll.mak'. Are you sure you haven't confused things? Could you please show us the exact commands you used from configuration to making? Cheers, Richard From levitte at openssl.org Wed Mar 16 23:43:41 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 17 Mar 2016 00:43:41 +0100 (CET) Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <005501d17fdb$58d73800$0a85a800$@sales@free.fr> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005501d17fdb$58d73800$0a85a800$@sales@free.fr> Message-ID: <20160317.004341.876693309005882017.levitte@openssl.org> I can't reproduce what you're getting, but tell you what, if you send me these two files, I can try to figure out what's going on: configdata.pm ms\ntdll.mak In message <005501d17fdb$58d73800$0a85a800$@sales at free.fr> on Thu, 17 Mar 2016 00:27:03 +0100, "Michel" said: michel.sales> Hi Richard, michel.sales> michel.sales> I believe I am just doing what I read in the 'NOTES.WIN' file : michel.sales> michel.sales> PERL Configure ... VC-WIN32 --classic --prefix=... michel.sales> CALL ms\do_nasm michel.sales> nmake -f ms\ntdll.mak michel.sales> nmake -f ms\ntdll.mak install michel.sales> michel.sales> And each time I got a new nt[dll].mak file. michel.sales> michel.sales> I first missed the '--classic' option, but not since I reported this. michel.sales> Did I miss something else ? michel.sales> michel.sales> Regards, michel.sales> michel.sales> Michel. michel.sales> michel.sales> -----Message d'origine----- michel.sales> De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de michel.sales> Richard Levitte michel.sales> Envoy??: mercredi 16 mars 2016 23:37 michel.sales> ??: openssl-dev at openssl.org michel.sales> Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for michel.sales> win DLL michel.sales> michel.sales> The Configure script generates 'makefile', not 'ntdll.mak'. Are you sure michel.sales> you haven't confused things? Could you please show us the exact commands michel.sales> you used from configuration to making? michel.sales> michel.sales> Cheers, michel.sales> Richard michel.sales> michel.sales> michel.sales> -- michel.sales> openssl-dev mailing list michel.sales> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev michel.sales> From michel.sales at free.fr Wed Mar 16 23:49:32 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 00:49:32 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <20160316.233726.1350815458305070246.levitte@openssl.org> References: <002601d17ec7$b1861080$14923180$@sales@free.fr> <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> Message-ID: <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> I just would like to add that, for me, 'CALL ms\do_nasm' is part of the 'configure scripts'. Please excuse my poor english, Michel -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Richard Levitte Envoy??: mercredi 16 mars 2016 23:37 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for win DLL The Configure script generates 'makefile', not 'ntdll.mak'. Are you sure you haven't confused things? Cheers, Richard From michel.sales at free.fr Thu Mar 17 00:07:29 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 01:07:29 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005501d17fdb$58d73800$0a85a800$@sales@free.fr> <20160317.004341.876693309005882017.levitte@openssl.org> Message-ID: <006101d17fe0$ffef74e0$ffce5ea0$@sales@free.fr> Hi Richard, Looks like my answer, with the files attached, is waiting for approval. Regards. -----Message d'origine----- De?: Michel [mailto:michel.sales at free.fr] Envoy??: jeudi 17 mars 2016 01:03 ??: 'openssl-dev at openssl.org' Objet?: RE: [openssl-dev] configure results in conflicting CRT switches for win DLL Yes sure ! Here they are, with the output of the 'PERL Configure' script. As it is quite late (in France), or rather early now ;-), if you don't mind I will answer you next time in a few hours. Thanks for your help, Michel. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Richard Levitte Envoy??: jeudi 17 mars 2016 00:44 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for win DLL I can't reproduce what you're getting, but tell you what, if you send me these two files, I can try to figure out what's going on: configdata.pm ms\ntdll.mak From rt at openssl.org Thu Mar 17 00:39:45 2016 From: rt at openssl.org (=?UTF-8?B?Q29ucmFkbyBQLiBMLiBHb3V2w6ph?= via RT) Date: Thu, 17 Mar 2016 00:39:45 +0000 Subject: [openssl-dev] [openssl.org #4435] Pull request: Update EVP_CIPHER_CTX_set_padding documentation. In-Reply-To: References: Message-ID: https://github.com/openssl/openssl/pull/876 Add note about when EVP_CIPHER_CTX_set_padding should be called. Conrado -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4435 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Thu Mar 17 00:40:42 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 16 Mar 2016 20:40:42 -0400 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value In-Reply-To: <20160316224423.GQ6602@mournblade.imrryr.org> References: <20160316223741.GA13900@w1.fi> <20160316224423.GQ6602@mournblade.imrryr.org> Message-ID: <9A91E7CF-E3EE-4A12-932D-D9082F39AD91@dukhovni.org> > On Mar 16, 2016, at 6:44 PM, Viktor Dukhovni wrote: > >> Was the SSL_get_version() behavior changed on purpose in the Beta 1 >> release? This function used to return "TLSv1" when TLS v1.0 was used >> while it is now in Beta 1 returning "TLSv1.0" for that case. > > I missed this change in the review. Sorry about that. It should > perhaps be reverted for beta2. The reported version string for > TLS 1.0 has been "TLSv1" since support for "TLS 1.0" was introduced. > It should likely stay that way. The commit in question consolidated disparate functions that all converted TLS protocol versions to strings, alas not entirely consistently. The "TLSv1.0" style was used in "ciphers -v" to report the protocol version that introduced the cipher, while "TLSv1" was used in most other contexts. I think it is reasonable to preserve the backwards compatible "TLSv1" for the string protocol version, but do we also need to preserve the "TLSv1.0" in ciphers(1) output? If so, the code needs an exception that can otherwise be avoided. Is it OK to change the protocol version string reported by ciphers(1) via SSL_CIPHER_get_version() by way of SSL_CIPHER_description()? If absolutely necessary, we can retain the legacy nomenclature, but I'm inclined to go with a change to the cipher variant, I don't think that compatibility there is nearly as important. -- Viktor. From ranjithdrp at gmail.com Thu Mar 17 06:32:16 2016 From: ranjithdrp at gmail.com (Ranjith Kumar A.) Date: Thu, 17 Mar 2016 12:02:16 +0530 Subject: [openssl-dev] openssl 1.0.1p PEM_write_bio_RSAPrivateKey fail. error: ASN1_get_object:too long Message-ID: Hi Folks, Need help. I?m not able to encrypt a key using passphrase, below is the error message. **"error:0D07209B:asn1 encoding routines:ASN1_get_object:too long"** Have already googled for error but couldn't got much info Snippet of my code: unsigned char pass[] = "123456"; BIO *priv_bio = BIO_new( BIO_s_mem() ); RSA *rsa = RSA_generate_key( 2048, 65537, NULL, NULL ) ret = PEM_write_bio_RSAPrivateKey( priv_bio, rsa, EVP_aes_256_cbc(), pass, 64, NULL, NULL ); if(!ret) { ERR_error_string(ERR_get_error(), buffer); printf(buffer); } The same piece of code is working on openssl-0.9.8zg. Can I know what?s missing or any further debug steps to check this issue? Thanks, Ranjith -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Thu Mar 17 07:37:55 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 17 Mar 2016 08:37:55 +0100 (CET) Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> Message-ID: <20160317.083755.242387829071286576.levitte@openssl.org> After having looked an extra time, I'd like to recommend using the new style build scheme, or in other words: perl Configure no-rc2 no-rc5 no-md2 no-md4 no-ssl3 no-comp no-hw no-heartbeats no-deprecated VC-WIN32 shared --prefix=c:\OpenSSL_DLL nmake I know that "install" is missing, I plan on adding it today. Cheers, Richard In message <005c01d17fde$7d8bb470$78a31d50$@sales at free.fr> on Thu, 17 Mar 2016 00:49:32 +0100, "Michel" said: michel.sales> I just would like to add that, for me, michel.sales> 'CALL ms\do_nasm' michel.sales> is part of the 'configure scripts'. michel.sales> michel.sales> Please excuse my poor english, michel.sales> michel.sales> Michel michel.sales> michel.sales> michel.sales> -----Message d'origine----- michel.sales> De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de michel.sales> Richard Levitte michel.sales> Envoy??: mercredi 16 mars 2016 23:37 michel.sales> ??: openssl-dev at openssl.org michel.sales> Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for michel.sales> win DLL michel.sales> michel.sales> The Configure script generates 'makefile', not 'ntdll.mak'. Are you michel.sales> sure you haven't confused things? michel.sales> michel.sales> Cheers, michel.sales> Richard michel.sales> michel.sales> -- michel.sales> openssl-dev mailing list michel.sales> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev michel.sales> From michel.sales at free.fr Thu Mar 17 09:04:43 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 10:04:43 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <20160317.083755.242387829071286576.levitte@openssl.org> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> <20160317.083755.242387829071286576.levitte@openssl.org> Message-ID: <000601d1802c$0c6f4470$254dcd50$@sales@free.fr> Well, I am not lucky ! For once that documentation exists and was recently updated, it is not accurate :-( I saw that '--classic' was temporary, but I did not realize that an alternative build scheme was already there for Windows. You cannot imagine how many times I have manually modified the ms\*.mak files in order to achieve a successfull build process... Thanks Richard. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Richard Levitte Envoy??: jeudi 17 mars 2016 08:38 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for win DLL After having looked an extra time, I'd like to recommend using the new style build scheme, or in other words: perl Configure no-rc2 no-rc5 no-md2 no-md4 no-ssl3 no-comp no-hw no-heartbeats no-deprecated VC-WIN32 shared --prefix=c:\OpenSSL_DLL nmake I know that "install" is missing, I plan on adding it today. Cheers, Richard https://mta.openssl.org/mailman/listinfo/openssl-dev From levitte at openssl.org Thu Mar 17 09:17:46 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 17 Mar 2016 10:17:46 +0100 (CET) Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <000601d1802c$0c6f4470$254dcd50$@sales@free.fr> References: <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> <20160317.083755.242387829071286576.levitte@openssl.org> <000601d1802c$0c6f4470$254dcd50$@sales@free.fr> Message-ID: <20160317.101746.1117689060278582474.levitte@openssl.org> In message <000601d1802c$0c6f4470$254dcd50$@sales at free.fr> on Thu, 17 Mar 2016 10:04:43 +0100, "Michel" said: michel.sales> Well, I am not lucky ! michel.sales> michel.sales> For once that documentation exists and was recently updated, it is not michel.sales> accurate :-( Uhmmmm... the most up to date and accurate is in INSTALL. michel.sales> I saw that '--classic' was temporary, but I did not realize that an michel.sales> alternative build scheme was already there for Windows. Ah, well, it is and has been for some time now. Sorry that got past you. As a matter of fact, '--classic' is the "alternative" build scheme, or rather a fallback to the old (and obviously rotting in the Windows case). michel.sales> You cannot imagine how many times I have manually modified the ms\*.mak michel.sales> files in order to achieve a successfull build process... Sorry about that. The places to look nowadays are Configurations\*.conf and Configurations\windows-makefile.tmpl... oh, and all the build.info files. michel.sales> Thanks Richard. michel.sales> michel.sales> -----Message d'origine----- michel.sales> De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de michel.sales> Richard Levitte michel.sales> Envoy??: jeudi 17 mars 2016 08:38 michel.sales> ??: openssl-dev at openssl.org michel.sales> Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for michel.sales> win DLL michel.sales> michel.sales> After having looked an extra time, I'd like to recommend using the new style michel.sales> build scheme, or in other words: michel.sales> michel.sales> perl Configure no-rc2 no-rc5 no-md2 no-md4 no-ssl3 no-comp no-hw michel.sales> no-heartbeats no-deprecated VC-WIN32 shared --prefix=c:\OpenSSL_DLL michel.sales> nmake michel.sales> michel.sales> I know that "install" is missing, I plan on adding it today. michel.sales> michel.sales> Cheers, michel.sales> Richard michel.sales> https://mta.openssl.org/mailman/listinfo/openssl-dev michel.sales> michel.sales> -- michel.sales> openssl-dev mailing list michel.sales> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev michel.sales> From rt at openssl.org Thu Mar 17 09:18:34 2016 From: rt at openssl.org (=?UTF-8?B?U2Now7xsbGVyIEZlbGl4?= via RT) Date: Thu, 17 Mar 2016 09:18:34 +0000 Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * In-Reply-To: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> References: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> Message-ID: Hallo, since the struct ECDSA_SIG ( -> ECDSA_SIG_st) is now opaque, one has to use ECDSA_SIG_get0() to access the values 'r' and 's'. This works fine for non-const variables. But if one has a 'const ECDSA_SIG *' (e.g. in verify_sig() of an ec_key-engine), this produces an error during compilation. So an additional version of ECDSA_SIG_get0() (taking a 'const ECDSA_SIG *' and setting pointer to (const BIGNUM)) would be nice. Kind regards Felix Sch?ller -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4436 Please log in as guest with password guest if prompted From matt at openssl.org Thu Mar 17 09:37:07 2016 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Mar 2016 09:37:07 +0000 Subject: [openssl-dev] libcryto 1.1 leaks since old locks are removed In-Reply-To: <002c01d17fd0$cbb5cef0$63216cd0$@sales@free.fr> References: <000001d17bdb$fd248ba0$f76da2e0$@sales@free.fr> <002c01d17fd0$cbb5cef0$63216cd0$@sales@free.fr> Message-ID: <56EA7AC3.6080008@openssl.org> FYI, I have a fix for this but it is currently stalled in review due to another related issue. Interim patch attached. Matt On 16/03/16 22:11, Michel wrote: > Hi, > > > > As in my previous post, libcrypto still leaks with OpenSSL version 1.1.0 > pre release 4. > > Here is an example with the same test program that was running fine > before I removed the old locking ?stuff?. > > > > Detected memory leaks! > > Dumping objects -> > > {1418} normal block at 0x0064EF98, 24 bytes long. > > Data: < d > 98 1F 64 00 FF FF FF FF 00 00 00 00 00 00 00 00 > > {703} normal block at 0x00641E40, 24 bytes long. > > Data: 78 1E 64 00 FF FF FF FF 00 00 00 00 00 00 00 00 > > Object dump complete. > > Debug Error! > > > > ---------- Block 703 at 0x00641E40: 24 bytes ---------- > > Leak Hash: 0x95EDDA21, Count: 1, Total 24 bytes > > Call Stack (TID 7140): > > ntdll.dll!RtlAllocateHeap() > > f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): > TestsTLS-11.exe!malloc() + 0x15 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (140): > TestsTLS-11.exe!CRYPTO_malloc() + 0x9 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (148): > TestsTLS-11.exe!CRYPTO_zalloc() + 0x11 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (57): > TestsTLS-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes > > e:\openssl-1.1.0-pre4\crypto\err\err.c (393): > TestsTLS-11.exe!do_err_strings_init() + 0x5 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\crypto\err\err.c (711): > TestsTLS-11.exe!ERR_func_error_string() + 0xF bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_err.c (716): > TestsTLS-11.exe!ERR_load_SSL_strings() + 0x14 bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_init.c (180): > TestsTLS-11.exe!ossl_init_load_ssl_strings() > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\ssl\ssl_init.c (258): > TestsTLS-11.exe!OPENSSL_init_ssl() + 0x2B bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2359): > TestsTLS-11.exe!SSL_CTX_new() + 0xE bytes > > p:\mes programmes\shared\ocrypto-11\tls.cpp (95): > TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes > > p:\mes programmes\tests\_testsshared\teststls-11\testtls.cpp (63): > TestsTLS-11.exe!main() + 0xC bytes > > f:\dd\vctools\crt\crtw32\startup\crt0.c (165): > TestsTLS-11.exe!mainCRTStartup() > > > > ---------- Block 1418 at 0x0064EF98: 24 bytes ---------- > > Leak Hash: 0x9FBB4D3C, Count: 1, Total 24 bytes > > Call Stack (TID 7140): > > ntdll.dll!RtlAllocateHeap() > > f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): > TestsTLS-11.exe!malloc() + 0x15 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (140): > TestsTLS-11.exe!CRYPTO_malloc() + 0x9 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (148): > TestsTLS-11.exe!CRYPTO_zalloc() + 0x11 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (57): > TestsTLS-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes > > e:\openssl-1.1.0-pre4\crypto\ex_data.c (143): > TestsTLS-11.exe!do_ex_data_init() + 0x5 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\crypto\ex_data.c (160): > TestsTLS-11.exe!get_and_lock() + 0xF bytes > > e:\openssl-1.1.0-pre4\crypto\ex_data.c (243): > TestsTLS-11.exe!CRYPTO_get_ex_new_index() + 0x9 bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_cert.c (146): > TestsTLS-11.exe!ssl_x509_store_ctx_init() + 0x14 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\ssl\ssl_cert.c (152): > TestsTLS-11.exe!SSL_get_ex_data_X509_STORE_CTX_idx() + 0xF bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2367): > TestsTLS-11.exe!SSL_CTX_new() + 0x5 bytes > > p:\mes programmes\shared\ocrypto-11\tls.cpp (95): > TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes > > p:\mes programmes\tests\_testsshared\teststls-11\testtls.cpp (63): > TestsTLS-11.exe!main() + 0xC bytes > > f:\dd\vctools\crt\crtw32\startup\crt0.c (165): > TestsTLS-11.exe!mainCRTStartup() > > > > Regards, > > > > Michel > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: lock-leaks-fix.patch Type: text/x-patch Size: 6930 bytes Desc: not available URL: From michel.sales at free.fr Thu Mar 17 09:48:14 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 10:48:14 +0100 Subject: [openssl-dev] libcryto 1.1 leaks since old locks are removed In-Reply-To: <56EA7AC3.6080008@openssl.org> References: <000001d17bdb$fd248ba0$f76da2e0$@sales@free.fr> <002c01d17fd0$cbb5cef0$63216cd0$@sales@free.fr> <56EA7AC3.6080008@openssl.org> Message-ID: <000c01d18032$2066e770$6134b650$@sales@free.fr> Hi Matt, Thank you very much for keeping me informed ! Regards, Michel. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Matt Caswell Envoy??: jeudi 17 mars 2016 10:37 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] libcryto 1.1 leaks since old locks are removed FYI, I have a fix for this but it is currently stalled in review due to another related issue. Interim patch attached. Matt On 16/03/16 22:11, Michel wrote: > Hi, > > > > As in my previous post, libcrypto still leaks with OpenSSL version > 1.1.0 pre release 4. > > Here is an example with the same test program that was running fine > before I removed the old locking ?stuff?. > > > > Detected memory leaks! > > Dumping objects -> > > {1418} normal block at 0x0064EF98, 24 bytes long. > > Data: < d > 98 1F 64 00 FF FF FF FF 00 00 00 00 00 00 00 00 > > {703} normal block at 0x00641E40, 24 bytes long. > > Data: 78 1E 64 00 FF FF FF FF 00 00 00 00 00 00 00 00 > > Object dump complete. > > Debug Error! > > > > ---------- Block 703 at 0x00641E40: 24 bytes ---------- > > Leak Hash: 0x95EDDA21, Count: 1, Total 24 bytes > > Call Stack (TID 7140): > > ntdll.dll!RtlAllocateHeap() > > f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): > TestsTLS-11.exe!malloc() + 0x15 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (140): > TestsTLS-11.exe!CRYPTO_malloc() + 0x9 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (148): > TestsTLS-11.exe!CRYPTO_zalloc() + 0x11 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (57): > TestsTLS-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes > > e:\openssl-1.1.0-pre4\crypto\err\err.c (393): > TestsTLS-11.exe!do_err_strings_init() + 0x5 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\crypto\err\err.c (711): > TestsTLS-11.exe!ERR_func_error_string() + 0xF bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_err.c (716): > TestsTLS-11.exe!ERR_load_SSL_strings() + 0x14 bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_init.c (180): > TestsTLS-11.exe!ossl_init_load_ssl_strings() > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\ssl\ssl_init.c (258): > TestsTLS-11.exe!OPENSSL_init_ssl() + 0x2B bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2359): > TestsTLS-11.exe!SSL_CTX_new() + 0xE bytes > > p:\mes programmes\shared\ocrypto-11\tls.cpp (95): > TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes > > p:\mes programmes\tests\_testsshared\teststls-11\testtls.cpp (63): > TestsTLS-11.exe!main() + 0xC bytes > > f:\dd\vctools\crt\crtw32\startup\crt0.c (165): > TestsTLS-11.exe!mainCRTStartup() > > > > ---------- Block 1418 at 0x0064EF98: 24 bytes ---------- > > Leak Hash: 0x9FBB4D3C, Count: 1, Total 24 bytes > > Call Stack (TID 7140): > > ntdll.dll!RtlAllocateHeap() > > f:\dd\vctools\crt\crtw32\misc\dbgmalloc.c (56): > TestsTLS-11.exe!malloc() + 0x15 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (140): > TestsTLS-11.exe!CRYPTO_malloc() + 0x9 bytes > > e:\openssl-1.1.0-pre4\crypto\mem.c (148): > TestsTLS-11.exe!CRYPTO_zalloc() + 0x11 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (57): > TestsTLS-11.exe!CRYPTO_THREAD_lock_new() + 0xE bytes > > e:\openssl-1.1.0-pre4\crypto\ex_data.c (143): > TestsTLS-11.exe!do_ex_data_init() + 0x5 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\crypto\ex_data.c (160): > TestsTLS-11.exe!get_and_lock() + 0xF bytes > > e:\openssl-1.1.0-pre4\crypto\ex_data.c (243): > TestsTLS-11.exe!CRYPTO_get_ex_new_index() + 0x9 bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_cert.c (146): > TestsTLS-11.exe!ssl_x509_store_ctx_init() + 0x14 bytes > > e:\openssl-1.1.0-pre4\crypto\threads_win.c (117): > TestsTLS-11.exe!CRYPTO_THREAD_run_once() > > e:\openssl-1.1.0-pre4\ssl\ssl_cert.c (152): > TestsTLS-11.exe!SSL_get_ex_data_X509_STORE_CTX_idx() + 0xF bytes > > e:\openssl-1.1.0-pre4\ssl\ssl_lib.c (2367): > TestsTLS-11.exe!SSL_CTX_new() + 0x5 bytes > > p:\mes programmes\shared\ocrypto-11\tls.cpp (95): > TestsTLS-11.exe!OTLS::TLSCtx::SetMinTLSVer() + 0x9 bytes > > p:\mes programmes\tests\_testsshared\teststls-11\testtls.cpp (63): > TestsTLS-11.exe!main() + 0xC bytes > > f:\dd\vctools\crt\crtw32\startup\crt0.c (165): > TestsTLS-11.exe!mainCRTStartup() > > > > Regards, > > > > Michel > > > > > From michel.sales at free.fr Thu Mar 17 09:56:41 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 10:56:41 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <20160317.083755.242387829071286576.levitte@openssl.org> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> <20160317.083755.242387829071286576.levitte@openssl.org> Message-ID: <000d01d18033$4eafda50$ec0f8ef0$@sales@free.fr> Hello again Richard, And thanks for your help and answers. but as I said, I am not lucky at all :-( Hope I am not again missing something, I would not be particularly proud to win the trophy of the dumbest user on this list ;-) Doing : PERL Configure no-rc2 no-rc5 no-md2 no-md4 no-ssl3 no-comp no-hw no-heartbeats no-deprecated VC-WIN32 shared --prefix=c:\OpenSSL_DLL nmake I get : perl util\mkdef.pl "crypto" 32 > libcrypto-1_1.def perl -i.tmp -pe "s|^LIBRARY\s+crypto32|LIBRARY libcrypto-1_1|;" libcrypto-1_1.def DEL libcrypto-1_1.def.tmp link /nologo /debug /dll /implib:libcrypto.lib /out:libcrypto-1_1.dll /def:libcrypto-1_1.def @C:\Users\Papou\AppData\Local\Temp\nm4B1D.tmp libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_CTX_free libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_CTX_get_method libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_CTX_get_type libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_CTX_new libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_compress_block libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_expand_block libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_get_name libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_get_type libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_zlib libcrypto-1_1.def : error LNK2001: unresolved external symbol COMP_zlib_cleanup libcrypto-1_1.def : error LNK2001: unresolved external symbol ERR_load_COMP_strings libcrypto.lib : fatal error LNK1120: 11 unresolved externals NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\BIN\link.EXE"' : return code '0x460' Stop. And removing no-comp, I get (after nmake clean) : link /nologo /debug /dll /out:engines\padlock.dll /def:C:\Users\Papou\AppData\Local\Temp\nm5FB9.tmp @C:\Users\Papou\AppData\Local\Temp\nm5FBA.tmp nm5FB9.tmp : error LNK2001: unresolved external symbol bind_engine nm5FB9.tmp : error LNK2001: unresolved external symbol v_check engines\padlock.lib : fatal error LNK1120: 2 unresolved externals NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual Studio 12.0 \VC\BIN\link.EXE"' : return code '0x460' Stop. From christian at python.org Thu Mar 17 10:08:36 2016 From: christian at python.org (Christian Heimes) Date: Thu, 17 Mar 2016 11:08:36 +0100 Subject: [openssl-dev] 1.1.0-pre4: ALPN mismatch terminates connection Message-ID: Hi, I think I found a regression in 1.1.0-pre4's ALPN code. I'm currently porting Python's ssl module to OpenSSL 1.1.0-pre4. One of Python's unit tests for ALPN is failing. In the test case both client and server advertise ALPN but have no overlapping protocols. In OpenSSL 1.1.0-pre3 and all earlier versions of OpenSSL, the client was still able to establish a connection. With pre4, the server terminates the connection during handshake: 140348419344128:error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext:ssl/statem/statem_srvr.c:1520: I tried all four possible combinations of client and server with 1.0.2g and 1.1.0-pre4. Test cases with 1.1.0-pre4 on the server side always fail. A 1.0.2g server works like expected. The problem can be reproduced easily. I have attached output of the commands, too. 1st screen: $ curl -o server.pem https://raw.githubusercontent.com/python/cpython/master/Lib/test/keycert.pem $ openssl s_server -alpn egg 2nd screen: $ openssl s_client -connect localhost:4433 -alpn foo,bar The regression was most likely introduced in 817cd0d52f0462039d1fe60462150be7f59d2002. It looks like tls1_alpn_handle_client_hello_late() doesn't handle SSL_TLSEXT_ERR_NOACK as success. Christian -------------- next part -------------- $ ../openssl/1.1.0-pre4/bin/openssl s_server -alpn egg Using default temp DH parameters ACCEPT ALPN protocols advertised by the client: foo, bar ERROR 140080267302656:error:1417A0E2:SSL routines:tls_post_process_client_hello:clienthello tlsext:ssl/statem/statem_srvr.c:1520: shutting down SSL CONNECTION CLOSED ACCEPT $ ../openssl/1.1.0-pre4/bin/openssl s_client -connect localhost:4433 -alpn foo,bar CONNECTED(00000003) 139674129954560:error:14094460:SSL routines:ssl3_read_bytes:reason(1120):ssl/record/rec_layer_s3.c:1481:SSL alert number 120 --- no peer certificate available --- No client certificate CA names sent --- SCTs present (0) Warning: CT validation is disabled, so not all SCTs may be displayed. Re-run with "-requestct". --- SSL handshake has read 7 bytes and written 0 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: PSK identity: None PSK identity hint: None SRP username: None Start Time: 1458207817 Timeout : 7200 (sec) Verify return code: 0 (ok) Extended master secret: no --- ---------------------------------------------------------------- $ openssl s_server -alpn egg Using default temp DH parameters ACCEPT ALPN protocols advertised by the client: foo, bar -----BEGIN SSL SESSION PARAMETERS----- MFUCAQECAgMDBALAMAQABDDf9sxOUQCanqlzesEMnCHaJGwQgo5fpYghA8O5rA8Z cFvuL7xFeZ+dvDI72xvEqb6hBgIEVup74aIEAgIBLKQGBAQBAAAA -----END SSL SESSION PARAMETERS----- Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2 Supported Elliptic Curves: P-256:P-521:P-384:secp256k1 Shared Elliptic curves: P-256:P-521:P-384:secp256k1 CIPHER is ECDHE-RSA-AES256-GCM-SHA384 Secure Renegotiation IS supported $ openssl s_client -connect localhost:4433 -alpn foo,bar CONNECTED(00000003) depth=0 C = XY, L = Castle Anthrax, O = Python Software Foundation, CN = localhost verify error:num=18:self signed certificate verify return:1 depth=0 C = XY, L = Castle Anthrax, O = Python Software Foundation, CN = localhost verify return:1 --- Certificate chain 0 s:/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost i:/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost --- Server certificate -----BEGIN CERTIFICATE----- MIICVDCCAb2gAwIBAgIJANfHOBkZr8JOMA0GCSqGSIb3DQEBBQUAMF8xCzAJBgNV BAYTAlhZMRcwFQYDVQQHEw5DYXN0bGUgQW50aHJheDEjMCEGA1UEChMaUHl0aG9u IFNvZnR3YXJlIEZvdW5kYXRpb24xEjAQBgNVBAMTCWxvY2FsaG9zdDAeFw0xMDEw MDgyMzAxNTZaFw0yMDEwMDUyMzAxNTZaMF8xCzAJBgNVBAYTAlhZMRcwFQYDVQQH Ew5DYXN0bGUgQW50aHJheDEjMCEGA1UEChMaUHl0aG9uIFNvZnR3YXJlIEZvdW5k YXRpb24xEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAw gYkCgYEA21vT5isq7F68amYuuNpSFlKDPrMUCa4YWYqZRt2OZ+/3NKaZ2xAiSwr7 6MrQF70t5nLbSPpqE5+5VrS58SY+g/sXLiFd6AplH1wJZwh78DofbFYXUggktFMt pTyiX8jtP66bkcPkDADA089RI1TQR6Ca+n7HFa7c1fabVV6i3zkCAwEAAaMYMBYw FAYDVR0RBA0wC4IJbG9jYWxob3N0MA0GCSqGSIb3DQEBBQUAA4GBAHPctQBEQ4wd BJ6+JcpIraopLn8BGhbjNWj40mmRqWB/NAWF6M5ne7KpGAu7tLeG4hb1zLaldK8G lxy2GPSRF6LFS48dpEj2HbMv2nvv6xxalDMJ9+DicWgAKTQ6bcX2j3GUkCR0g/T1 CRlNBAAlvhKzO7Clpf9l0YKBEfraJByX -----END CERTIFICATE----- subject=/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost issuer=/C=XY/L=Castle Anthrax/O=Python Software Foundation/CN=localhost --- No client certificate CA names sent Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 1131 bytes and written 341 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 5E7C2E42414AA123E2EC1F703033F4C84D4C00DC90BE5AD61358E687F556A7BE Session-ID-ctx: Master-Key: DFF6CC4E51009A9EA9737AC10C9C21DA246C10828E5FA5882103C3B9AC0F19705BEE2FBC45799F9DBC323BDB1BC4A9BE Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - ca ef 0a c5 71 44 90 a6-3b ee 68 7f db 9d 3c 8d ....qD..;.h...<. 0010 - 2f 9f 42 0f cf b7 5e c0-48 11 6b 54 19 f4 1a 9f /.B...^.H.kT.... 0020 - 02 a1 42 83 03 ed e2 1f-00 cd 7c b0 ef c5 f5 b6 ..B.......|..... 0030 - a4 87 f6 98 af 06 d9 67-39 4d 8e 1f ad e8 53 6a .......g9M....Sj 0040 - c5 18 91 07 ff 01 33 96-a4 0f f9 99 0f 4d 72 23 ......3......Mr# 0050 - cd 32 3f 48 e8 9b cb dc-6c 4a 6a 2f 04 c7 95 78 .2?H....lJj/...x 0060 - 6f fb 85 26 32 a2 b5 b5-4d 56 6b 05 b5 77 0c 29 o..&2...MVk..w.) 0070 - e1 32 30 fa 19 ee 50 e6-7a d6 57 92 07 51 1a 52 .20...P.z.W..Q.R 0080 - d9 2f a8 44 59 7f 99 01-e9 eb bc 6d 71 17 11 07 ./.DY......mq... 0090 - 01 74 7f 74 08 58 16 c1-2f b9 af 10 16 50 bf 32 .t.t.X../....P.2 Start Time: 1458207713 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- From christian at python.org Thu Mar 17 10:28:13 2016 From: christian at python.org (Christian Heimes) Date: Thu, 17 Mar 2016 11:28:13 +0100 Subject: [openssl-dev] 1.1.0-pre4: ALPN mismatch terminates connection In-Reply-To: References: Message-ID: On 2016-03-17 11:08, Christian Heimes wrote: > Hi, > > I think I found a regression in 1.1.0-pre4's ALPN code. And here is a fix: https://github.com/openssl/openssl/pull/891 From rt at openssl.org Thu Mar 17 10:49:16 2016 From: rt at openssl.org (Daniel Stenberg via RT) Date: Thu, 17 Mar 2016 10:49:16 +0000 Subject: [openssl-dev] [openssl.org #4437] invalid free() by ENGINE_cleanup() In-Reply-To: References: Message-ID: Hey, In curl we call ENGINE_cleanup() as part of our OpenSSL specific cleanup function. When I do this with OpenSSL from git master as of right now (OpenSSL_1_1_0-pre4-7-ga717738) valgrind catches an illegal free: ==20314== Invalid free() / delete / delete[] / realloc() ==20314== at 0x4C2AE6B: free (vg_replace_malloc.c:530) ==20314== by 0x53AC11: OPENSSL_cleanup (in /home/daniel/src/curl/src/curl) ==20314== by 0x6D53E07: __run_exit_handlers (in /lib/x86_64-linux-gnu/libc-2.22.so) ==20314== by 0x6D53E54: exit (in /lib/x86_64-linux-gnu/libc-2.22.so) ==20314== by 0x6D3E616: (below main) (in /lib/x86_64-linux-gnu/libc-2.22.so) ==20314== Address 0xb5bb990 is 0 bytes inside a block of size 56 free'd ==20314== at 0x4C2AE6B: free (vg_replace_malloc.c:530) ==20314== by 0x4861A2: Curl_ossl_cleanup (openssl.c:726) ==20314== by 0x4381C4: Curl_ssl_cleanup (vtls.c:274) ==20314== by 0x425D5D: curl_global_cleanup (easy.c:349) ==20314== by 0x411C50: main_free (tool_main.c:210) ==20314== by 0x411D05: main (tool_main.c:260) ==20314== Block was alloc'd at ==20314== at 0x4C29C0F: malloc (vg_replace_malloc.c:299) ==20314== by 0x53D97D: CRYPTO_zalloc (in /home/daniel/src/curl/src/curl) ==20314== by 0x5806E6: CRYPTO_THREAD_lock_new (in /home/daniel/src/curl/src/curl) ==20314== by 0x51EC18: do_engine_lock_init (in /home/daniel/src/curl/src/curl) ==20314== by 0x6B0F4E8: __pthread_once_slow (pthread_once.c:116) ==20314== by 0x5807C8: CRYPTO_THREAD_run_once (in /home/daniel/src/curl/src/curl) ==20314== by 0x51EC63: ENGINE_new (in /home/daniel/src/curl/src/curl) ==20314== by 0x611DE5: engine_load_dynamic_internal (in /home/daniel/src/curl/src/curl) ==20314== by 0x6B0F4E8: __pthread_once_slow (pthread_once.c:116) ==20314== by 0x5807C8: CRYPTO_THREAD_run_once (in /home/daniel/src/curl/src/curl) ==20314== by 0x53B0E2: OPENSSL_init_crypto (in /home/daniel/src/curl/src/curl) ==20314== by 0x486141: Curl_ossl_init (openssl.c:687) This is fully reproducable and it goes away if I remove the call to ENGINE_cleanup(). The corresponding curl bug to track this is at https://github.com/curl/curl/issues/717 -- / daniel.haxx.se -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4437 Please log in as guest with password guest if prompted From matt at openssl.org Thu Mar 17 11:12:17 2016 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Mar 2016 11:12:17 +0000 Subject: [openssl-dev] [openssl.org #4437] invalid free() by ENGINE_cleanup() In-Reply-To: References: Message-ID: <56EA9111.9040507@openssl.org> On 17/03/16 10:49, Daniel Stenberg via RT wrote: > Hey, > > In curl we call ENGINE_cleanup() as part of our OpenSSL specific cleanup > function. When I do this with OpenSSL from git master as of right now > (OpenSSL_1_1_0-pre4-7-ga717738) valgrind catches an illegal free: Auto deinit automatically calls ENGINE_cleanup() so there is no need to call it explicitly. The bug here is that ENGINE_cleanup() should really be a no-op and deprecated in 1.1.0 to prevent double frees occuring. Matt From rt at openssl.org Thu Mar 17 11:12:19 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Thu, 17 Mar 2016 11:12:19 +0000 Subject: [openssl-dev] [openssl.org #4437] invalid free() by ENGINE_cleanup() In-Reply-To: <56EA9111.9040507@openssl.org> References: <56EA9111.9040507@openssl.org> Message-ID: On 17/03/16 10:49, Daniel Stenberg via RT wrote: > Hey, > > In curl we call ENGINE_cleanup() as part of our OpenSSL specific cleanup > function. When I do this with OpenSSL from git master as of right now > (OpenSSL_1_1_0-pre4-7-ga717738) valgrind catches an illegal free: Auto deinit automatically calls ENGINE_cleanup() so there is no need to call it explicitly. The bug here is that ENGINE_cleanup() should really be a no-op and deprecated in 1.1.0 to prevent double frees occuring. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4437 Please log in as guest with password guest if prompted From matt at openssl.org Thu Mar 17 12:43:18 2016 From: matt at openssl.org (Matt Caswell) Date: Thu, 17 Mar 2016 12:43:18 +0000 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <000d01d18033$4eafda50$ec0f8ef0$@sales@free.fr> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> <20160317.083755.242387829071286576.levitte@openssl.org> <000d01d18033$4eafda50$ec0f8ef0$@sales@free.fr> Message-ID: <56EAA666.3040907@openssl.org> On 17/03/16 09:56, Michel wrote: > Hello again Richard, > > And thanks for your help and answers. > but as I said, I am not lucky at all :-( > > Hope I am not again missing something, I would not be particularly proud to > win the trophy of the dumbest user on this list ;-) > > Doing : > PERL Configure no-rc2 no-rc5 no-md2 no-md4 no-ssl3 no-comp no-hw > no-heartbeats no-deprecated VC-WIN32 shared --prefix=c:\OpenSSL_DLL > nmake Looks like some of these options are broken on Windows. Try the attached patch. Matt -------------- next part -------------- A non-text attachment was scrubbed... Name: fix-config-opts.patch Type: text/x-patch Size: 13001 bytes Desc: not available URL: From rt at openssl.org Thu Mar 17 13:28:25 2016 From: rt at openssl.org (Dmitry Belyavsky via RT) Date: Thu, 17 Mar 2016 13:28:25 +0000 Subject: [openssl-dev] [openssl.org #4438] GOST ciphersuites and DTLS In-Reply-To: References: Message-ID: Hello OpenSSL team, The GOST ciphersuites currently defined are not DTLS-capable. So it should be fixed in the ssl/s3_lib.c file. Thank you! -- SY, Dmitry Belyavsky -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4438 Please log in as guest with password guest if prompted From michel.sales at free.fr Thu Mar 17 16:39:04 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 17:39:04 +0100 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <56EAA666.3040907@openssl.org> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005c01d17fde$7d8bb470$78a31d50$@sales@free.fr> <20160317.083755.242387829071286576.levitte@openssl.org> <000d01d18033$4eafda50$ec0f8ef0$@sales@free.fr> <56EAA666.3040907@openssl.org> Message-ID: <001301d1806b$8530f810$8f92e830$@sales@free.fr> > Looks like some of these options are broken on Windows. Ouf, In some ways, that's good to hear. :-) I tried the patch and I was able to build the shared, debug and release version of OpenSSL 1.1. I was able to fully appreciate the new build system. Thanks Matt, merci bien Richard, Michel. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Matt Caswell Envoy??: jeudi 17 mars 2016 13:43 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for win DLL On 17/03/16 09:56, Michel wrote: > Hello again Richard, > > And thanks for your help and answers. > but as I said, I am not lucky at all :-( > > Hope I am not again missing something, I would not be particularly > proud to win the trophy of the dumbest user on this list ;-) > > Doing : > PERL Configure no-rc2 no-rc5 no-md2 no-md4 no-ssl3 no-comp no-hw > no-heartbeats no-deprecated VC-WIN32 shared --prefix=c:\OpenSSL_DLL > nmake Looks like some of these options are broken on Windows. Try the attached patch. Matt From rsalz at akamai.com Thu Mar 17 18:36:08 2016 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 17 Mar 2016 18:36:08 +0000 Subject: [openssl-dev] Removing some systems Message-ID: <8f77f2d4452446c8825cc70057624690@usma1ex-dag1mb1.msg.corp.akamai.com> We are planning on removing the following systems from OpenSSL 1.1: Netware OS/2 There are a few reasons for this. In no particular order they include: these platforms are no longer supported by the vendor; the configurations and builds have not been testable by the team for years and might not even work; nobody on the team has access to any of these. As a hopefully mediating factor, please note that they are still part of 1.0.2, which we have said is an LTS release with support until 2019. People interested in supporting any of these systems should look at building their own configuration with the template system; post on the openssl-dev list for help. Reducing the footprint and tangle of #ifdef's is also very important. We are also looking at others that are in a similar (although perhaps not identical) reason and will post here about them. -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Thu Mar 17 19:44:22 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 17 Mar 2016 15:44:22 -0400 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value In-Reply-To: <20160316224423.GQ6602@mournblade.imrryr.org> References: <20160316223741.GA13900@w1.fi> <20160316224423.GQ6602@mournblade.imrryr.org> Message-ID: > On Mar 16, 2016, at 6:44 PM, Viktor Dukhovni wrote: > >> Was the SSL_get_version() behavior changed on purpose in the Beta 1 >> release? This function used to return "TLSv1" when TLS v1.0 was used >> while it is now in Beta 1 returning "TLSv1.0" for that case. > > I missed this change in the review. Sorry about that. It should > perhaps be reverted for beta2. The reported version string for > TLS 1.0 has been "TLSv1" since support for "TLS 1.0" was introduced. > It should likely stay that way. Please test ee3a6c646ff8ea6b9ada5a58f4a0e7c9b7be944b, it should restore the status quo ante. -- Viktor. From jeremy.farrell at oracle.com Thu Mar 17 19:55:13 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Thu, 17 Mar 2016 19:55:13 +0000 Subject: [openssl-dev] openssl 1.0.1p PEM_write_bio_RSAPrivateKey fail. error: ASN1_get_object:too long In-Reply-To: References: Message-ID: <56EB0BA1.1030901@oracle.com> On 17/03/2016 06:32, Ranjith Kumar A. wrote: > > Need help. This is a question about using the OpenSSL libraries, further discussion should be on openssl-users; I've set 'reply-to' appropriately, but I don't know what the mailing list will do with it. > I?m not able to encrypt a key using passphrase, below is the error > message. > > **"error:0D07209B:asn1 encoding routines:ASN1_get_object:too long"** > > Have already googled for error but couldn't got much info > > unsigned char pass[] = "123456"; > > BIO *priv_bio = BIO_new( BIO_s_mem() ); > > RSA *rsa = RSA_generate_key( 2048, 65537, NULL, NULL ) ret = > PEM_write_bio_RSAPrivateKey( priv_bio, rsa, EVP_aes_256_cbc(), pass, 64, NULL, NULL ); I don't know if or how it's related to your problem, but you have defined a 7 byte array as the passphrase then told the function to use 64 bytes at that location. There's no saying what values the other 57 bytes of the passphrase will have, assuming they're accessible at all. > ... > The same piece of code is working on openssl-0.9.8zg. More luck than good judgement I suspect. > ... -- J. J. Farrell Not speaking for Oracle. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Thu Mar 17 21:22:26 2016 From: rt at openssl.org (David Benjamin via RT) Date: Thu, 17 Mar 2016 21:22:26 +0000 Subject: [openssl-dev] [openssl.org #4439] poly1305-x86.pl produces incorrect output In-Reply-To: References: Message-ID: Hi folks, You know the drill. See the attached poly1305_test2.c. $ OPENSSL_ia32cap=0 ./poly1305_test2 PASS $ ./poly1305_test2 Poly1305 test failed. got: 2637408fe03086ea73f971e3425e2820 expected: 2637408fe13086ea73f971e3425e2820 I believe this affects both the SSE2 and AVX2 code. It does seem to be dependent on this input pattern. This was found because a run of our SSL tests happened to find a problematic input. I've trimmed it down to the first block where they disagree. I'm probably going to write something to generate random inputs and stress all your other poly1305 codepaths against a reference implementation. I recommend doing the same in your own test harness, to make sure there aren't others of these bugs lurking around. David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4439 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: poly1305_test2.c Type: text/x-csrc Size: 5436 bytes Desc: not available URL: From doctor at doctor.nl2k.ab.ca Thu Mar 17 22:07:42 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Thu, 17 Mar 2016 16:07:42 -0600 Subject: [openssl-dev] Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160316.200915.964875523300370144.levitte@openssl.org> References: <20160315205022.GA26917@doctor.nl2k.ab.ca> <20160315.221350.1725521770011152083.levitte@openssl.org> <20160316182629.GA10733@doctor.nl2k.ab.ca> <20160316.200915.964875523300370144.levitte@openssl.org> Message-ID: <20160317220742.GA24175@doctor.nl2k.ab.ca> On Wed, Mar 16, 2016 at 08:09:15PM +0100, Richard Levitte wrote: > In message <20160316182629.GA10733 at doctor.nl2k.ab.ca> on Wed, 16 Mar 2016 12:26:29 -0600, The Doctor said: > > doctor> On Tue, Mar 15, 2016 at 10:13:50PM +0100, Richard Levitte wrote: > doctor> > In message <20160315205022.GA26917 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:50:22 -0600, The Doctor said: > doctor> > doctor> perl -i -pe 's/^.*\|//; s/ \/(\\.|[^ ])*//; # $_ = undef if (/: *$/ || /^(#.*| *)$/); # $_.="\n" unless !defined($_) or /\R$/g;' crypto/aes/aes_cfb.d.tmp > doctor> > > doctor> > Actually, that perl line explained the issue just fine. Thanks, I > doctor> > know how to resolve this. > doctor> > > doctor> Just looked atthe Makefile. > doctor> > doctor> May I suggest instead of using perl, use -${PERL} instead. > > Good idea, I'll fix that. > And it works! > doctor> When I did a symbolic like to perl, that worked > doctor> > doctor> Also from my non-root account > doctor> > doctor> HARNESS_VERBOSE=yes make tests TESTS='test_evp test_packet test_cms' > doctor> > doctor> yielded > doctor> > doctor> ../test/recipes/30-test_evp.t ..... > doctor> 1..1 > doctor> Test line 2548: unexpected error KEY_MISMATCH > doctor> Expected: 77D6576238657B203B19CA42C18A0497F16B4844E3074AE8DFDFFA3FEDE21442FCD0069DED0948F8326A753A0FC81F17E8D3E0FB2E0D3628CF35E20C38D18906 > doctor> Got: 1E206D019AE5CD5575A1CD9BD56AF7AF094ACC8A903E163BF22A417CC7073B7B864FE17944690473DBED7E2FAA5A42069150BE9FF727AC1A251E04E52537B961 > doctor> Test line 2556: unexpected error KEY_MISMATCH > doctor> Expected: FDBABE1C9D3472007856E7190D01E9FE7C6AD7CBC8237830E77376634B3731622EAF30D92E22A3886FF109279D9830DAC727AFB94A83EE6D8360CBDFA2CC0640 > doctor> Got: 4D0B8D57109EF588586B7812B70CD2FBD4DDE5F9AD1E45A17C565E24FE247DE986CA22CFDFF6C64346C62436F301EAE987A0E424B080EACB04E70830C3B9ACE0 > doctor> Test line 2564: unexpected error KEY_MISMATCH > doctor> Expected: 7023BDCB3AFD7348461C06CD81FD38EBFDA8FBBA904F8E3EA9B543F6545DA1F2D5432955613F0FCF62D49705242A9AF9E61E85DC0D651E40DFCF017B45575887 > doctor> Got: BF7268686B9059DAA738213780F8EEE8BC2FDD65D50DE1298B5ED2142040DB72E0CC5C6649C682EB8BC998A70D1CA8BCB73FF7367C1027403201F663239520D6 > doctor> 480 tests completed with 3 errors, 0 skipped > doctor> not ok 1 - running evp_test evptests.txt > doctor> > doctor> # Failed test 'running evp_test evptests.txt' > doctor> # at ../test/recipes/30-test_evp.t line 11. > doctor> # Looks like you failed 1 test of 1. > doctor> Dubious, test returned 1 (wstat 256, 0x100) > doctor> Failed 1/1 subtests > doctor> ../test/recipes/70-test_packet.t .. > doctor> 1..1 > doctor> test_PACKET_buf_init() failed > doctor> not ok 1 - running packettest > doctor> > doctor> # Failed test 'running packettest' > doctor> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > doctor> # Looks like you failed 1 test of 1. > doctor> Dubious, test returned 1 (wstat 256, 0x100) > doctor> Failed 1/1 subtests > doctor> ../test/recipes/80-test_cms.t ..... > doctor> 1..4 > doctor> 1..15 > doctor> Verification successful > doctor> ok 1 - signed content DER format, RSA key > doctor> Verification successful > doctor> ok 2 - signed detached content DER format, RSA key > doctor> Verification successful > doctor> ok 3 - signed content test streaming BER format, RSA > doctor> Verification successful > doctor> ok 4 - signed content DER format, DSA key > doctor> Verification successful > doctor> ok 5 - signed detached content DER format, DSA key > doctor> Verification successful > doctor> ok 6 - signed detached content DER format, add RSA signer > doctor> Verification successful > doctor> ok 7 - signed content test streaming BER format, DSA key > doctor> Verification successful > doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes > doctor> Verification successful > doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys > doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients > doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used > doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used > doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients > doctor> ok 1 - CMS => PKCS\#7 compatibility tests > doctor> # > doctor> 1..15 > doctor> Verification successful > doctor> ok 1 - signed content DER format, RSA key > doctor> Verification successful > doctor> ok 2 - signed detached content DER format, RSA key > doctor> Verification successful > doctor> ok 3 - signed content test streaming BER format, RSA > doctor> Verification successful > doctor> ok 4 - signed content DER format, DSA key > doctor> Verification successful > doctor> ok 5 - signed detached content DER format, DSA key > doctor> Verification successful > doctor> ok 6 - signed detached content DER format, add RSA signer > doctor> Verification successful > doctor> ok 7 - signed content test streaming BER format, DSA key > doctor> Verification successful > doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes > doctor> Verification successful > doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys > doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients > doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used > doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used > doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients > doctor> ok 2 - CMS <= PKCS\#7 compatibility tests > doctor> # > doctor> 1..27 > doctor> Verification successful > doctor> ok 1 - signed content DER format, RSA key > doctor> Verification successful > doctor> ok 2 - signed detached content DER format, RSA key > doctor> Verification successful > doctor> ok 3 - signed content test streaming BER format, RSA > doctor> Verification successful > doctor> ok 4 - signed content DER format, DSA key > doctor> Verification successful > doctor> ok 5 - signed detached content DER format, DSA key > doctor> Verification successful > doctor> ok 6 - signed detached content DER format, add RSA signer > doctor> Verification successful > doctor> ok 7 - signed content test streaming BER format, DSA key > doctor> Verification successful > doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes > doctor> Verification successful > doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys > doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients > doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used > doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used > doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients > doctor> Verification successful > doctor> ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid > doctor> Verification successful > doctor> ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 18 - signed content MIME format, RSA key, signed receipt request > doctor> Verification successful > doctor> ok 19 - signed receipt MIME format, RSA key > doctor> ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid > doctor> ok 21 - enveloped content test streaming PEM format, KEK > doctor> ok 22 - enveloped content test streaming PEM format, KEK, key only > doctor> ok 23 - data content test streaming PEM format > doctor> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key > doctor> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key > doctor> ok 26 - encrypted content test streaming PEM format, triple DES key > doctor> ok 27 - encrypted content test streaming PEM format, 128 bit AES key > doctor> ok 3 - CMS <=> CMS consistency tests > doctor> # > doctor> 1..11 > doctor> Verification successful > doctor> ok 1 - signed content test streaming PEM format, RSA keys, PSS signature > doctor> Verification successful > doctor> ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes > doctor> Verification successful > doctor> ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 > doctor> ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters > doctor> ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 > doctor> ok 6 - enveloped content test streaming S/MIME format, ECDH > doctor> ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier > doctor> ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF > doctor> ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH > doctor> ok 10 - enveloped content test streaming S/MIME format, X9.42 DH > doctor> Error creating CMS structure > doctor> 135045376:error:2E068097:CMS routines:CMS_compress:unsupported compression algorithm:crypto/cms/cms_smime.c:879: > doctor> not ok 11 - compressed content test streaming PEM format > doctor> > doctor> # Failed test 'compressed content test streaming PEM format' > doctor> # at ../test/recipes/80-test_cms.t line 452. > doctor> # Looks like you failed 1 test of 11. > doctor> not ok 4 - CMS <=> CMS consistency tests, modified key parameters > doctor> # > doctor> > doctor> # Failed test 'CMS <=> CMS consistency tests, modified key parameters > doctor> # ' > doctor> # at ../test/recipes/80-test_cms.t line 458. > doctor> # Looks like you failed 1 test of 4. > doctor> Dubious, test returned 1 (wstat 256, 0x100) > doctor> Failed 1/4 subtests > doctor> > doctor> Test Summary Report > doctor> ------------------- > doctor> ../test/recipes/30-test_evp.t (Wstat: 256 Tests: 1 Failed: 1) > doctor> Failed test: 1 > doctor> Non-zero exit status: 1 > doctor> ../test/recipes/70-test_packet.t (Wstat: 256 Tests: 1 Failed: 1) > doctor> Failed test: 1 > doctor> Non-zero exit status: 1 > doctor> ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) > doctor> Failed test: 4 > doctor> Non-zero exit status: 1 > doctor> Files=3, Tests=6, 24 wallclock secs ( 0.15 usr 0.08 sys + 12.15 cusr 15.10 csys = 27.48 CPU) > doctor> Result: FAIL > doctor> Failed 3/3 test programs. 3/6 subtests failed. > doctor> *** Error code 1 > doctor> > doctor> Stop. > doctor> > doctor> The rest was fine. > > Would you mind submitting an email about these failures to > rt at openssl.org? > I will CC openssl-SNAP-20160317 results ../test/recipes/30-test_evp.t ..... 1..1 Test line 2548: unexpected error KEY_MISMATCH Expected: 77D6576238657B203B19CA42C18A0497F16B4844E3074AE8DFDFFA3FEDE21442FCD0069DED0948F8326A753A0FC81F17E8D3E0FB2E0D3628CF35E20C38D18906 Got: 1E206D019AE5CD5575A1CD9BD56AF7AF094ACC8A903E163BF22A417CC7073B7B864FE17944690473DBED7E2FAA5A42069150BE9FF727AC1A251E04E52537B961 Test line 2556: unexpected error KEY_MISMATCH Expected: FDBABE1C9D3472007856E7190D01E9FE7C6AD7CBC8237830E77376634B3731622EAF30D92E22A3886FF109279D9830DAC727AFB94A83EE6D8360CBDFA2CC0640 Got: 4D0B8D57109EF588586B7812B70CD2FBD4DDE5F9AD1E45A17C565E24FE247DE986CA22CFDFF6C64346C62436F301EAE987A0E424B080EACB04E70830C3B9ACE0 Test line 2564: unexpected error KEY_MISMATCH Expected: 7023BDCB3AFD7348461C06CD81FD38EBFDA8FBBA904F8E3EA9B543F6545DA1F2D5432955613F0FCF62D49705242A9AF9E61E85DC0D651E40DFCF017B45575887 Got: BF7268686B9059DAA738213780F8EEE8BC2FDD65D50DE1298B5ED2142040DB72E0CC5C6649C682EB8BC998A70D1CA8BCB73FF7367C1027403201F663239520D6 480 tests completed with 3 errors, 0 skipped not ok 1 - running evp_test evptests.txt # Failed test 'running evp_test evptests.txt' # at ../test/recipes/30-test_evp.t line 11. # Looks like you failed 1 test of 1. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/70-test_packet.t .. 1..1 test_PACKET_buf_init() failed not ok 1 - running packettest # Failed test 'running packettest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/80-test_cms.t ..... 1..4 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 1 - CMS => PKCS\#7 compatibility tests # 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 2 - CMS <= PKCS\#7 compatibility tests # 1..27 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients Verification successful ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid Verification successful ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys Verification successful ok 18 - signed content MIME format, RSA key, signed receipt request Verification successful ok 19 - signed receipt MIME format, RSA key ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid ok 21 - enveloped content test streaming PEM format, KEK ok 22 - enveloped content test streaming PEM format, KEK, key only ok 23 - data content test streaming PEM format ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key ok 26 - encrypted content test streaming PEM format, triple DES key ok 27 - encrypted content test streaming PEM format, 128 bit AES key ok 3 - CMS <=> CMS consistency tests # 1..11 Verification successful ok 1 - signed content test streaming PEM format, RSA keys, PSS signature Verification successful ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes Verification successful ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 ok 6 - enveloped content test streaming S/MIME format, ECDH ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH ok 10 - enveloped content test streaming S/MIME format, X9.42 DH Error creating CMS structure 135045376:error:2E068097:CMS routines:CMS_compress:unsupported compression algorithm:crypto/cms/cms_smime.c:879: not ok 11 - compressed content test streaming PEM format # Failed test 'compressed content test streaming PEM format' # at ../test/recipes/80-test_cms.t line 452. # Looks like you failed 1 test of 11. not ok 4 - CMS <=> CMS consistency tests, modified key parameters # # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 1 test of 4. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests Test Summary Report ------------------- ../test/recipes/30-test_evp.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/70-test_packet.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=3, Tests=6, 25 wallclock secs ( 0.17 usr 0.07 sys + 12.65 cusr 14.40 csys = 27.28 CPU) Result: FAIL Failed 3/3 test programs. 3/6 subtests failed. *** Error code 1 Stop. > -- > Richard Levitte levitte at openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From rt at openssl.org Thu Mar 17 22:31:01 2016 From: rt at openssl.org (The Doctor via RT) Date: Thu, 17 Mar 2016 22:31:01 +0000 Subject: [openssl-dev] [openssl.org #4440] Re: Openssl-SNAP-20160315 issue Re: Openssl-SNAP-20160314 Re: Openssl SNAP 20160313 issue Re: OPenSSL SNAP 20160312 issue In-Reply-To: <20160317220742.GA24175@doctor.nl2k.ab.ca> References: <20160315205022.GA26917@doctor.nl2k.ab.ca> <20160315.221350.1725521770011152083.levitte@openssl.org> <20160316182629.GA10733@doctor.nl2k.ab.ca> <20160316.200915.964875523300370144.levitte@openssl.org> <20160317220742.GA24175@doctor.nl2k.ab.ca> Message-ID: On Wed, Mar 16, 2016 at 08:09:15PM +0100, Richard Levitte wrote: > In message <20160316182629.GA10733 at doctor.nl2k.ab.ca> on Wed, 16 Mar 2016 12:26:29 -0600, The Doctor said: > > doctor> On Tue, Mar 15, 2016 at 10:13:50PM +0100, Richard Levitte wrote: > doctor> > In message <20160315205022.GA26917 at doctor.nl2k.ab.ca> on Tue, 15 Mar 2016 14:50:22 -0600, The Doctor said: > doctor> > doctor> perl -i -pe 's/^.*\|//; s/ \/(\\.|[^ ])*//; # $_ = undef if (/: *$/ || /^(#.*| *)$/); # $_.="\n" unless !defined($_) or /\R$/g;' crypto/aes/aes_cfb.d.tmp > doctor> > > doctor> > Actually, that perl line explained the issue just fine. Thanks, I > doctor> > know how to resolve this. > doctor> > > doctor> Just looked atthe Makefile. > doctor> > doctor> May I suggest instead of using perl, use -${PERL} instead. > > Good idea, I'll fix that. > And it works! > doctor> When I did a symbolic like to perl, that worked > doctor> > doctor> Also from my non-root account > doctor> > doctor> HARNESS_VERBOSE=yes make tests TESTS='test_evp test_packet test_cms' > doctor> > doctor> yielded > doctor> > doctor> ../test/recipes/30-test_evp.t ..... > doctor> 1..1 > doctor> Test line 2548: unexpected error KEY_MISMATCH > doctor> Expected: 77D6576238657B203B19CA42C18A0497F16B4844E3074AE8DFDFFA3FEDE21442FCD0069DED0948F8326A753A0FC81F17E8D3E0FB2E0D3628CF35E20C38D18906 > doctor> Got: 1E206D019AE5CD5575A1CD9BD56AF7AF094ACC8A903E163BF22A417CC7073B7B864FE17944690473DBED7E2FAA5A42069150BE9FF727AC1A251E04E52537B961 > doctor> Test line 2556: unexpected error KEY_MISMATCH > doctor> Expected: FDBABE1C9D3472007856E7190D01E9FE7C6AD7CBC8237830E77376634B3731622EAF30D92E22A3886FF109279D9830DAC727AFB94A83EE6D8360CBDFA2CC0640 > doctor> Got: 4D0B8D57109EF588586B7812B70CD2FBD4DDE5F9AD1E45A17C565E24FE247DE986CA22CFDFF6C64346C62436F301EAE987A0E424B080EACB04E70830C3B9ACE0 > doctor> Test line 2564: unexpected error KEY_MISMATCH > doctor> Expected: 7023BDCB3AFD7348461C06CD81FD38EBFDA8FBBA904F8E3EA9B543F6545DA1F2D5432955613F0FCF62D49705242A9AF9E61E85DC0D651E40DFCF017B45575887 > doctor> Got: BF7268686B9059DAA738213780F8EEE8BC2FDD65D50DE1298B5ED2142040DB72E0CC5C6649C682EB8BC998A70D1CA8BCB73FF7367C1027403201F663239520D6 > doctor> 480 tests completed with 3 errors, 0 skipped > doctor> not ok 1 - running evp_test evptests.txt > doctor> > doctor> # Failed test 'running evp_test evptests.txt' > doctor> # at ../test/recipes/30-test_evp.t line 11. > doctor> # Looks like you failed 1 test of 1. > doctor> Dubious, test returned 1 (wstat 256, 0x100) > doctor> Failed 1/1 subtests > doctor> ../test/recipes/70-test_packet.t .. > doctor> 1..1 > doctor> test_PACKET_buf_init() failed > doctor> not ok 1 - running packettest > doctor> > doctor> # Failed test 'running packettest' > doctor> # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. > doctor> # Looks like you failed 1 test of 1. > doctor> Dubious, test returned 1 (wstat 256, 0x100) > doctor> Failed 1/1 subtests > doctor> ../test/recipes/80-test_cms.t ..... > doctor> 1..4 > doctor> 1..15 > doctor> Verification successful > doctor> ok 1 - signed content DER format, RSA key > doctor> Verification successful > doctor> ok 2 - signed detached content DER format, RSA key > doctor> Verification successful > doctor> ok 3 - signed content test streaming BER format, RSA > doctor> Verification successful > doctor> ok 4 - signed content DER format, DSA key > doctor> Verification successful > doctor> ok 5 - signed detached content DER format, DSA key > doctor> Verification successful > doctor> ok 6 - signed detached content DER format, add RSA signer > doctor> Verification successful > doctor> ok 7 - signed content test streaming BER format, DSA key > doctor> Verification successful > doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes > doctor> Verification successful > doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys > doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients > doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used > doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used > doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients > doctor> ok 1 - CMS => PKCS\#7 compatibility tests > doctor> # > doctor> 1..15 > doctor> Verification successful > doctor> ok 1 - signed content DER format, RSA key > doctor> Verification successful > doctor> ok 2 - signed detached content DER format, RSA key > doctor> Verification successful > doctor> ok 3 - signed content test streaming BER format, RSA > doctor> Verification successful > doctor> ok 4 - signed content DER format, DSA key > doctor> Verification successful > doctor> ok 5 - signed detached content DER format, DSA key > doctor> Verification successful > doctor> ok 6 - signed detached content DER format, add RSA signer > doctor> Verification successful > doctor> ok 7 - signed content test streaming BER format, DSA key > doctor> Verification successful > doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes > doctor> Verification successful > doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys > doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients > doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used > doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used > doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients > doctor> ok 2 - CMS <= PKCS\#7 compatibility tests > doctor> # > doctor> 1..27 > doctor> Verification successful > doctor> ok 1 - signed content DER format, RSA key > doctor> Verification successful > doctor> ok 2 - signed detached content DER format, RSA key > doctor> Verification successful > doctor> ok 3 - signed content test streaming BER format, RSA > doctor> Verification successful > doctor> ok 4 - signed content DER format, DSA key > doctor> Verification successful > doctor> ok 5 - signed detached content DER format, DSA key > doctor> Verification successful > doctor> ok 6 - signed detached content DER format, add RSA signer > doctor> Verification successful > doctor> ok 7 - signed content test streaming BER format, DSA key > doctor> Verification successful > doctor> ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes > doctor> Verification successful > doctor> ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys > doctor> ok 12 - enveloped content test streaming S/MIME format, 3 recipients > doctor> ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used > doctor> ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used > doctor> ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients > doctor> Verification successful > doctor> ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid > doctor> Verification successful > doctor> ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys > doctor> Verification successful > doctor> ok 18 - signed content MIME format, RSA key, signed receipt request > doctor> Verification successful > doctor> ok 19 - signed receipt MIME format, RSA key > doctor> ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid > doctor> ok 21 - enveloped content test streaming PEM format, KEK > doctor> ok 22 - enveloped content test streaming PEM format, KEK, key only > doctor> ok 23 - data content test streaming PEM format > doctor> ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key > doctor> ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key > doctor> ok 26 - encrypted content test streaming PEM format, triple DES key > doctor> ok 27 - encrypted content test streaming PEM format, 128 bit AES key > doctor> ok 3 - CMS <=> CMS consistency tests > doctor> # > doctor> 1..11 > doctor> Verification successful > doctor> ok 1 - signed content test streaming PEM format, RSA keys, PSS signature > doctor> Verification successful > doctor> ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes > doctor> Verification successful > doctor> ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 > doctor> ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters > doctor> ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 > doctor> ok 6 - enveloped content test streaming S/MIME format, ECDH > doctor> ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier > doctor> ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF > doctor> ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH > doctor> ok 10 - enveloped content test streaming S/MIME format, X9.42 DH > doctor> Error creating CMS structure > doctor> 135045376:error:2E068097:CMS routines:CMS_compress:unsupported compression algorithm:crypto/cms/cms_smime.c:879: > doctor> not ok 11 - compressed content test streaming PEM format > doctor> > doctor> # Failed test 'compressed content test streaming PEM format' > doctor> # at ../test/recipes/80-test_cms.t line 452. > doctor> # Looks like you failed 1 test of 11. > doctor> not ok 4 - CMS <=> CMS consistency tests, modified key parameters > doctor> # > doctor> > doctor> # Failed test 'CMS <=> CMS consistency tests, modified key parameters > doctor> # ' > doctor> # at ../test/recipes/80-test_cms.t line 458. > doctor> # Looks like you failed 1 test of 4. > doctor> Dubious, test returned 1 (wstat 256, 0x100) > doctor> Failed 1/4 subtests > doctor> > doctor> Test Summary Report > doctor> ------------------- > doctor> ../test/recipes/30-test_evp.t (Wstat: 256 Tests: 1 Failed: 1) > doctor> Failed test: 1 > doctor> Non-zero exit status: 1 > doctor> ../test/recipes/70-test_packet.t (Wstat: 256 Tests: 1 Failed: 1) > doctor> Failed test: 1 > doctor> Non-zero exit status: 1 > doctor> ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) > doctor> Failed test: 4 > doctor> Non-zero exit status: 1 > doctor> Files=3, Tests=6, 24 wallclock secs ( 0.15 usr 0.08 sys + 12.15 cusr 15.10 csys = 27.48 CPU) > doctor> Result: FAIL > doctor> Failed 3/3 test programs. 3/6 subtests failed. > doctor> *** Error code 1 > doctor> > doctor> Stop. > doctor> > doctor> The rest was fine. > > Would you mind submitting an email about these failures to > rt at openssl.org? > I will CC openssl-SNAP-20160317 results ../test/recipes/30-test_evp.t ..... 1..1 Test line 2548: unexpected error KEY_MISMATCH Expected: 77D6576238657B203B19CA42C18A0497F16B4844E3074AE8DFDFFA3FEDE21442FCD0069DED0948F8326A753A0FC81F17E8D3E0FB2E0D3628CF35E20C38D18906 Got: 1E206D019AE5CD5575A1CD9BD56AF7AF094ACC8A903E163BF22A417CC7073B7B864FE17944690473DBED7E2FAA5A42069150BE9FF727AC1A251E04E52537B961 Test line 2556: unexpected error KEY_MISMATCH Expected: FDBABE1C9D3472007856E7190D01E9FE7C6AD7CBC8237830E77376634B3731622EAF30D92E22A3886FF109279D9830DAC727AFB94A83EE6D8360CBDFA2CC0640 Got: 4D0B8D57109EF588586B7812B70CD2FBD4DDE5F9AD1E45A17C565E24FE247DE986CA22CFDFF6C64346C62436F301EAE987A0E424B080EACB04E70830C3B9ACE0 Test line 2564: unexpected error KEY_MISMATCH Expected: 7023BDCB3AFD7348461C06CD81FD38EBFDA8FBBA904F8E3EA9B543F6545DA1F2D5432955613F0FCF62D49705242A9AF9E61E85DC0D651E40DFCF017B45575887 Got: BF7268686B9059DAA738213780F8EEE8BC2FDD65D50DE1298B5ED2142040DB72E0CC5C6649C682EB8BC998A70D1CA8BCB73FF7367C1027403201F663239520D6 480 tests completed with 3 errors, 0 skipped not ok 1 - running evp_test evptests.txt # Failed test 'running evp_test evptests.txt' # at ../test/recipes/30-test_evp.t line 11. # Looks like you failed 1 test of 1. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/70-test_packet.t .. 1..1 test_PACKET_buf_init() failed not ok 1 - running packettest # Failed test 'running packettest' # at ../test/testlib/OpenSSL/Test/Simple.pm line 70. # Looks like you failed 1 test of 1. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/1 subtests ../test/recipes/80-test_cms.t ..... 1..4 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 1 - CMS => PKCS\#7 compatibility tests # 1..15 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients ok 2 - CMS <= PKCS\#7 compatibility tests # 1..27 Verification successful ok 1 - signed content DER format, RSA key Verification successful ok 2 - signed detached content DER format, RSA key Verification successful ok 3 - signed content test streaming BER format, RSA Verification successful ok 4 - signed content DER format, DSA key Verification successful ok 5 - signed detached content DER format, DSA key Verification successful ok 6 - signed detached content DER format, add RSA signer Verification successful ok 7 - signed content test streaming BER format, DSA key Verification successful ok 8 - signed content test streaming BER format, 2 DSA and 2 RSA keys Verification successful ok 9 - signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes Verification successful ok 10 - signed content test streaming S/MIME format, 2 DSA and 2 RSA keys Verification successful ok 11 - signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys ok 12 - enveloped content test streaming S/MIME format, 3 recipients ok 13 - enveloped content test streaming S/MIME format, 3 recipients, 3rd used ok 14 - enveloped content test streaming S/MIME format, 3 recipients, key only used ok 15 - enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients Verification successful ok 16 - signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid Verification successful ok 17 - signed content test streaming PEM format, 2 DSA and 2 RSA keys Verification successful ok 18 - signed content MIME format, RSA key, signed receipt request Verification successful ok 19 - signed receipt MIME format, RSA key ok 20 - enveloped content test streaming S/MIME format, 3 recipients, keyid ok 21 - enveloped content test streaming PEM format, KEK ok 22 - enveloped content test streaming PEM format, KEK, key only ok 23 - data content test streaming PEM format ok 24 - encrypted content test streaming PEM format, 128 bit RC2 key ok 25 - encrypted content test streaming PEM format, 40 bit RC2 key ok 26 - encrypted content test streaming PEM format, triple DES key ok 27 - encrypted content test streaming PEM format, 128 bit AES key ok 3 - CMS <=> CMS consistency tests # 1..11 Verification successful ok 1 - signed content test streaming PEM format, RSA keys, PSS signature Verification successful ok 2 - signed content test streaming PEM format, RSA keys, PSS signature, no attributes Verification successful ok 3 - signed content test streaming PEM format, RSA keys, PSS signature, SHA384 MGF1 ok 4 - enveloped content test streaming S/MIME format, OAEP default parameters ok 5 - enveloped content test streaming S/MIME format, OAEP SHA256 ok 6 - enveloped content test streaming S/MIME format, ECDH ok 7 - enveloped content test streaming S/MIME format, ECDH, key identifier ok 8 - enveloped content test streaming S/MIME format, ECDH, AES128, SHA256 KDF ok 9 - enveloped content test streaming S/MIME format, ECDH, K-283, cofactor DH ok 10 - enveloped content test streaming S/MIME format, X9.42 DH Error creating CMS structure 135045376:error:2E068097:CMS routines:CMS_compress:unsupported compression algorithm:crypto/cms/cms_smime.c:879: not ok 11 - compressed content test streaming PEM format # Failed test 'compressed content test streaming PEM format' # at ../test/recipes/80-test_cms.t line 452. # Looks like you failed 1 test of 11. not ok 4 - CMS <=> CMS consistency tests, modified key parameters # # Failed test 'CMS <=> CMS consistency tests, modified key parameters # ' # at ../test/recipes/80-test_cms.t line 458. # Looks like you failed 1 test of 4. Dubious, test returned 1 (wstat 256, 0x100) Failed 1/4 subtests Test Summary Report ------------------- ../test/recipes/30-test_evp.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/70-test_packet.t (Wstat: 256 Tests: 1 Failed: 1) Failed test: 1 Non-zero exit status: 1 ../test/recipes/80-test_cms.t (Wstat: 256 Tests: 4 Failed: 1) Failed test: 4 Non-zero exit status: 1 Files=3, Tests=6, 25 wallclock secs ( 0.17 usr 0.07 sys + 12.65 cusr 14.40 csys = 27.28 CPU) Result: FAIL Failed 3/3 test programs. 3/6 subtests failed. *** Error code 1 Stop. > -- > Richard Levitte levitte at openssl.org > OpenSSL Project http://www.openssl.org/~levitte/ > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4440 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 17 23:47:37 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 17 Mar 2016 23:47:37 +0000 Subject: [openssl-dev] [openssl.org #4441] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: I was looking at the code for afalg_fin_cipher_aio in engines/afalg/e_afalg.c: int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, size_t len) { int r; int retry = 0; unsigned int done = 0; struct iocb *cb; struct timespec timeout; struct io_event events[MAX_INFLIGHTS]; u_int64_t eval = 0; timeout.tv_sec = 0; timeout.tv_nsec = 0; cb = &(aio->cbt[0 % MAX_INFLIGHTS]); memset(cb, '\0', sizeof(*cb)); cb->aio_fildes = sfd; cb->aio_lio_opcode = IOCB_CMD_PREAD; cb->aio_buf = (unsigned long)buf; cb->aio_offset = 0; cb->aio_data = 0; cb->aio_nbytes = len; cb->aio_flags = IOCB_FLAG_RESFD; cb->aio_resfd = aio->efd; ... That cast of 'buf' from 'unsigned char*' to 'unsigned long' does not quite look right. I think the [mostly] portable way to turn a pointer into an integral is a uintptr_t or size_t. I'm not sure about uintptr_t availability because of std=c89/90. size_t will work for most platforms; but the one I am aware it will fail is older hardware like i386/i486 with 16-bit segments and 32-bit registers. Can anyone confirm that's supposed to be happening? On Thu, Mar 10, 2016 at 2:29 PM, Jeffrey Walton wrote: > Working from Master: > > $ git reset --hard HEAD && git pull > HEAD is now at fb04434 In the recipe using "makedepend", make sure the > object file extension is there > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > $ make test > ... > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ... > ../test/recipes/25-test_x509.t ............ ok > ../test/recipes/30-test_afalg.t ........... > ^C (after about 20 minutes) > ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4441 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 00:00:48 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 18 Mar 2016 00:00:48 +0000 Subject: [openssl-dev] [openssl.org #4442] PATCH: fix typo in AF_ALG engine name In-Reply-To: References: Message-ID: $ git diff engines/afalg/e_afalg.c > e_afalg.patch $ cat e_afalg.patch diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c index 90d7602..4674bcf 100644 --- a/engines/afalg/e_afalg.c +++ b/engines/afalg/e_afalg.c @@ -127,7 +127,7 @@ static int afalg_chk_platform(void); /* Engine Id and Name */ static const char *engine_afalg_id = "afalg"; -static const char *engine_afalg_name = "AFLAG engine support"; +static const char *engine_afalg_name = "AFALG engine support"; static int afalg_cipher_nids[] = { NID_aes_128_cbc -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4442 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: e_afalg.patch Type: text/x-diff Size: 472 bytes Desc: not available URL: From rt at openssl.org Fri Mar 18 00:25:00 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 18 Mar 2016 00:25:00 +0000 Subject: [openssl-dev] [openssl.org #4443] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: > I think the [mostly] portable way to turn a pointer into an integral > is a uintptr_t or size_t. I'm not sure about uintptr_t availability > because of std=c89/90. size_t will work for most platforms; but the > one I am aware it will fail is older hardware like i386/i486 with > 16-bit segments and 32-bit registers. Yeah, this looks fishy... According to the libc manual, 13.10 Perform I/O Operations in Parallel (https://www.gnu.org/software/libc/manual/html_node/Asynchronous-I_002fO.html): volatile void *aio_buf This is a pointer to the buffer with the data to be written or the place where the read data is stored. That cast should be to a void*, not an unsigned long. Jeff On Thu, Mar 17, 2016 at 7:47 PM, Jeffrey Walton wrote: > I was looking at the code for afalg_fin_cipher_aio in engines/afalg/e_afalg.c: > > int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, > size_t len) > { > int r; > int retry = 0; > unsigned int done = 0; > struct iocb *cb; > struct timespec timeout; > struct io_event events[MAX_INFLIGHTS]; > u_int64_t eval = 0; > > timeout.tv_sec = 0; > timeout.tv_nsec = 0; > > cb = &(aio->cbt[0 % MAX_INFLIGHTS]); > memset(cb, '\0', sizeof(*cb)); > cb->aio_fildes = sfd; > cb->aio_lio_opcode = IOCB_CMD_PREAD; > cb->aio_buf = (unsigned long)buf; > cb->aio_offset = 0; > cb->aio_data = 0; > cb->aio_nbytes = len; > cb->aio_flags = IOCB_FLAG_RESFD; > cb->aio_resfd = aio->efd; > > ... > > That cast of 'buf' from 'unsigned char*' to 'unsigned long' does not > quite look right. > > I think the [mostly] portable way to turn a pointer into an integral > is a uintptr_t or size_t. I'm not sure about uintptr_t availability > because of std=c89/90. size_t will work for most platforms; but the > one I am aware it will fail is older hardware like i386/i486 with > 16-bit segments and 32-bit registers. > > Can anyone confirm that's supposed to be happening? > > On Thu, Mar 10, 2016 at 2:29 PM, Jeffrey Walton wrote: >> Working from Master: >> >> $ git reset --hard HEAD && git pull >> HEAD is now at fb04434 In the recipe using "makedepend", make sure the >> object file extension is there >> Already up-to-date. >> >> $ ./config >> ... >> $ make depend && make clean && make >> ... >> $ make test >> ... >> ( cd test; \ >> SRCTOP=../. \ >> BLDTOP=../. \ >> EXE_EXT= \ >> /usr/bin/perl .././test/run_tests.pl ) >> ../test/recipes/01-test_ordinals.t ........ ok >> ../test/recipes/05-test_bf.t .............. ok >> ... >> ../test/recipes/25-test_x509.t ............ ok >> ../test/recipes/30-test_afalg.t ........... >> ^C (after about 20 minutes) >> ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4443 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Fri Mar 18 00:43:40 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 17 Mar 2016 20:43:40 -0400 Subject: [openssl-dev] [openssl.org #4443] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> > On Mar 17, 2016, at 8:25 PM, noloader at gmail.com via RT wrote: > > Yeah, this looks fishy... According to the libc manual, 13.10 Perform > I/O Operations in Parallel > (https://www.gnu.org/software/libc/manual/html_node/Asynchronous-I_002fO.html): > > volatile void *aio_buf > > This is a pointer to the buffer with the data to > be written or the place where the read data is > stored. > > That cast should be to a void*, not an unsigned long. Wrong interface. Here, OpenSSL is using "struct iocb" from the kernel ABI via , not glibc's "struct aiocb". In the kernel structure, the definition is: __u64 aio_buf; Since OpenSSL master has "uint64_t", that would perhaps be more appropriate than (unsigned long). -- Viktor. From noloader at gmail.com Fri Mar 18 00:57:05 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 17 Mar 2016 20:57:05 -0400 Subject: [openssl-dev] [openssl.org #4443] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> References: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> Message-ID: On Thu, Mar 17, 2016 at 8:43 PM, Viktor Dukhovni wrote: > >> On Mar 17, 2016, at 8:25 PM, noloader at gmail.com via RT wrote: >> >> Yeah, this looks fishy... According to the libc manual, 13.10 Perform >> I/O Operations in Parallel >> (https://www.gnu.org/software/libc/manual/html_node/Asynchronous-I_002fO.html): >> >> volatile void *aio_buf >> >> This is a pointer to the buffer with the data to >> be written or the place where the read data is >> stored. >> >> That cast should be to a void*, not an unsigned long. > > Wrong interface. Here, OpenSSL is using "struct iocb" from the kernel ABI via > , not glibc's "struct aiocb". In the kernel structure, the > definition is: > > __u64 aio_buf; > OK, thanks. I just tested with void*, and it tested OK. The hang is no longer present and the self test simply failed. Let me test with uint64_t to see if the self test will pass. From rt at openssl.org Fri Mar 18 01:20:52 2016 From: rt at openssl.org (Hejian via RT) Date: Fri, 18 Mar 2016 01:20:52 +0000 Subject: [openssl-dev] =?utf-8?b?562U5aSNOiAg562U5aSNOiDnrZTlpI06IFtvcGVu?= =?utf-8?q?ssl=2Eorg_=234360=5D_=5BBUG=5D_OpenSSL-1=2E0=2E1_crash_o?= =?utf-8?q?n_sha1=5Fblock=5Fdata=5Forder=5Fssse3_asm?= In-Reply-To: References: <56D59088.2070006@openssl.org> Message-ID: Hello Do you have any progress or suggestion about this ticket? If more information is needed ,tell me please. Ths! -----????----- ???: Hejian (E) ????: 2016?3?7? 11:24 ???: 'noloader at gmail.com' ??: openssl-dev at openssl.org; Liubo (Liubo, OSS); 'rt at openssl.org' ??: ??: [openssl-dev] ??: ??: [openssl.org #4360] [BUG] OpenSSL-1.0.1 crash on sha1_block_data_order_ssse3 asm Hi Jeff Thanks for your reply, this are registers info: (gdb) info all-registers rax 0x745dd1f0 1952305648 rbx 0xf92ba6dd 4180387549 rcx 0x7b69e2f6 2070536950 rdx 0x86dab00c 2262478860 rsi 0x6436d580 1681315200 rdi 0x4763c5a8 1197721000 rbp 0x72856ca1 0x72856ca1 rsp 0x50a7e100 0x50a7e100 r8 0x55555a419c60 93825074830432 r9 0x2b4174415ff8 47560123310072 r10 0x2b417433acb8 47560122412216 r11 0x2b41740e9080 47560119980160 r12 0xffffffffffffffe7 -25 r13 0x2b417433acf8 47560122412280 r14 0x55555a419c7c 93825074830460 r15 0x3ff 1023 rip 0x2b41740e8db8 0x2b41740e8db8 eflags 0x10202 [ IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x63 99 gs 0x0 0 st0 0 (raw 0x00000000000000000000) st1 0 (raw 0x00000000000000000000) st2 0 (raw 0x00000000000000000000) st3 0 (raw 0x00000000000000000000) st4 0 (raw 0x00000000000000000000) st5 0 (raw 0x00000000000000000000) st6 0 (raw 0x00000000000000000000) st7 0 (raw 0x00000000000000000000) fctrl 0x37f 895 fstat 0x0 0 ftag 0xffff 65535 fiseg 0x0 0 fioff 0x0 0 foseg 0x0 0 fooff 0x0 0 fop 0x0 0 xmm0 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0xd3, 0x54, 0x10, 0xaa, 0xa1, 0x94, 0x90, 0x33, 0x41, 0xcc, 0x30, 0x31, 0x73, 0x5c, 0x80, 0xac}, v8_int16 = {0x54d3, 0xaa10, 0x94a1, 0x3390, 0xcc41, 0x3130, 0x5c73, 0xac80}, v4_int32 = {0xaa1054d3, 0x339094a1, 0x3130cc41, 0xac805c73}, v2_int64 = {0x339094a1aa1054d3, 0xac805c733130cc41}, uint128 = 0xac805c733130cc41339094a1aa1054d3} ---Type to continue, or q to quit--- xmm1 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x32, 0x47, 0xe5, 0x7e, 0x72, 0x80, 0xf1, 0xf, 0x66, 0x60, 0x37, 0xf, 0x99, 0x44, 0x6, 0xb7}, v8_int16 = {0x4732, 0x7ee5, 0x8072, 0xff1, 0x6066, 0xf37, 0x4499, 0xb706}, v4_int32 = {0x7ee54732, 0xff18072, 0xf376066, 0xb7064499}, v2_int64 = {0xff180727ee54732, 0xb70644990f376066}, uint128 = 0xb70644990f3760660ff180727ee54732} xmm2 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x7d, 0xcc, 0xbf, 0xf8, 0xc3, 0xd1, 0x32, 0x9, 0x33, 0x61, 0xb0, 0xba, 0x6d, 0x9, 0xde, 0x80}, v8_int16 = {0xcc7d, 0xf8bf, 0xd1c3, 0x932, 0x6133, 0xbab0, 0x96d, 0x80de}, v4_int32 = {0xf8bfcc7d, 0x932d1c3, 0xbab06133, 0x80de096d}, v2_int64 = {0x932d1c3f8bfcc7d, 0x80de096dbab06133}, uint128 = 0x80de096dbab061330932d1c3f8bfcc7d} xmm3 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x8000000000000000}, v16_int8 = {0x7b, 0x59, 0xd6, 0x82, 0x4, 0xd2, 0x31, 0x1e, 0xf, 0x72, 0x86, 0x7e, 0x13, 0x23, 0x2d, 0x5b}, v8_int16 = {0x597b, 0x82d6, 0xd204, 0x1e31, 0x720f, 0x7e86, 0x2313, 0x5b2d}, v4_int32 = {0x82d6597b, 0x1e31d204, 0x7e86720f, 0x5b2d2313}, v2_int64 = {0x1e31d20482d6597b, 0x5b2d23137e86720f}, uint128 = 0x5b2d23137e86720f1e31d20482d6597b} xmm4 {v4_float = {0x0, 0x2eef0000, 0x0, 0x0}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0xec, 0x23, 0xe4, 0x91, 0x11, 0xd1, 0xa, 0xd3, 0x41, 0x2d, 0xb5, 0x7b, 0x89, 0x87, 0x99, 0xed}, v8_int16 = {0x23ec, 0x91e4, 0xd111, 0xd30a, 0x2d41, 0x7bb5, 0x8789, 0xed99}, v4_int32 = {0x91e423ec, 0xd30ad111, 0x7bb52d41, 0xed998789}, v2_int64 = {0xd30ad11191e423ec, 0xed9987897bb52d41}, uint128 = 0xed9987897bb52d41d30ad11191e423ec} xmm5 {v4_float = {0x1, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x79, 0x55, 0x93, 0x3f, 0x52, 0x79, 0x16, 0x14, 0xd2, 0xdc, 0x77, 0x1f, 0xa3, 0x65, 0x51, 0x33}, v8_int16 = {0x5579, 0x3f93, 0x7952, 0x1416, 0xdcd2, 0x1f77, 0x65a3, 0x3351}, v4_int32 = {0x3f935579, 0x14167952, 0x1f77dcd2, 0x335165a3}, v2_int64 = {0x141679523f935579, 0x335165a31f77dcd2}, uint128 = 0x335165a31f77dcd2141679523f935579} xmm6 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x3, 0x2, 0x1, 0x0, 0x7, 0x6, 0x5, 0x4, 0xb, 0xa, 0x9, 0x8, 0xf, 0xe, 0xd, 0xc}, v8_int16 = {0x203, 0x1, 0x607, 0x405, 0xa0b, 0x809, 0xe0f, 0xc0d}, v4_int32 = {0x10203, 0x4050607, 0x8090a0b, 0xc0d0e0f}, v2_int64 = {0x405060700010203, 0xc0d0e0f08090a0b}, uint128 = 0x0c0d0e0f08090a0b0405060700010203} xmm7 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x93, 0xbe, 0x6, 0x2c, 0x89, 0x10, 0x8f, 0x11, 0xdf, 0x4, 0xba, 0x9a, 0xca, 0x18, 0xd6, 0xab}, v8_int16 = {0xbe93, 0x2c06, 0x1089, 0x118f, 0x4df, 0x9aba, 0x18ca, 0xabd6}, v4_int32 = {0x2c06be93, 0x118f1089, 0x9aba04df, 0xabd618ca}, v2_int64 = {0x118f10892c06be93, 0xabd618ca9aba04df}, uint128 = 0xabd618ca9aba04df118f10892c06be93} xmm8 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x3, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x0, 0x0}, v8_int16 = {0x3, 0x0, 0x0, 0x0, 0x3, 0x0, 0x3, 0x0}, v4_int32 = {0x3, 0x0, 0x3, 0x3}, v2_int64 = {0x3, 0x300000003}, uint128 = 0x00000003000000030000000000000003} xmm9 {v4_float = {0x80000000, 0x80000000, 0x80000000, 0x80000000}, v2_double = {0x8000000000000000, 0x8000000000000000}, v16_int8 = {0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a, 0x99, 0x79, 0x82, 0x5a}, v8_int16 = {0x7999, 0x5a82, 0x7999, 0x5a82, 0x7999, 0x5a82, 0x7999, 0x5a82}, v4_int32 = {0x5a827999, 0x5a827999, 0x5a827999, 0x5a827999}, v2_int64 = {0x5a8279995a827999, 0x5a8279995a827999}, uint128 = 0x5a8279995a8279995a8279995a827999} xmm10 {v4_float = {0xb91b510, 0x0, 0x7499f, 0x0}, v2_double = {0x8000000000000000, 0x0}, v16_int8 = {0x51, 0x1b, 0x39, 0x4d, 0xda, 0x93, 0x94, 0xe8, 0xe5, 0x33, 0xe9, 0x48, 0xe9, 0xe4, 0x8f, 0x25}, v8_int16 = {0x1b51, 0x4d39, 0x93da, 0xe894, 0x33e5, 0x48e9, 0xe4e9, 0x258f}, v4_int32 = {0x4d391b51, 0xe89493da, 0x48e933e5, 0x258fe4e9}, v2_int64 = {0xe89493da4d391b51, 0x258fe4e948e933e5}, uint128 = 0x258fe4e948e933e5e89493da4d391b51} xmm11 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm12 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm13 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm14 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} xmm15 {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 }, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000} mxcsr 0x1fa0 [ PE IM DM ZM OM UM PM ] (gdb) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4360 Please log in as guest with password guest if prompted From noloader at gmail.com Fri Mar 18 02:52:30 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 17 Mar 2016 22:52:30 -0400 Subject: [openssl-dev] [openssl.org #4443] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> References: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> Message-ID: >> Yeah, this looks fishy... According to the libc manual, 13.10 Perform >> I/O Operations in Parallel >> (https://www.gnu.org/software/libc/manual/html_node/Asynchronous-I_002fO.html): >> >> volatile void *aio_buf >> >> This is a pointer to the buffer with the data to >> be written or the place where the read data is >> stored. >> >> That cast should be to a void*, not an unsigned long. > > Wrong interface. Here, OpenSSL is using "struct iocb" from the kernel ABI via > , not glibc's "struct aiocb". In the kernel structure, the > definition is: > > __u64 aio_buf; > This is bad news... A 32-bit pointer's sign extension is implementation defined, which means it may as well be undefined behavior... GCC sign extends. I think you can get around it with an intermediate cast to uintptr_t: cb->aio_buf = (uint64_t)(uintptr_t)buf; But that's C99, and I'm not sure what happens under C89/90. I guess a compile error if uintptr_t is not available in stdint.h? ***** Testing with a cast to just uint64_t: cb->aio_buf = (uint64_t)buf; Produces a warning: engines/afalg/e_afalg.c: In function ?afalg_fin_cipher_aio?: engines/afalg/e_afalg.c:274:19: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] cb->aio_buf = (uint64_t)buf; And results in: test$ ./afalgtest ALG_PERR: afalg_fin_cipher_aio: io_read failed : Invalid argument test_afalg_aes_128_cbc() failed encryption ***** Testing with an intermediate cast to uintptr_t: cb->aio_buf = (uint64_t)(uintptr_t)buf; Produces the same hang. From dmesg: [145719.753869] BUG: unable to handle kernel NULL pointer dereference at 00000008 [145719.753884] IP: [] skcipher_recvmsg_async.isra.13+0x4b2/0x500 [algif_skcipher] [145719.753899] *pdpt = 0000000032f1d001 *pde = 0000000000000000 [145719.753906] Oops: 0000 [#1] SMP ... ***** For completeness, aio_abi.h is below. $ find /usr -name aio_abi.h /usr/include/linux/aio_abi.h $ cat /usr/include/linux/aio_abi.h /* include/linux/aio_abi.h * * Copyright 2000,2001,2002 Red Hat. * * Written by Benjamin LaHaise * * Distribute under the terms of the GPLv2 (see ../../COPYING) or under * the following terms. * * Permission to use, copy, modify, and distribute this software and its * documentation is hereby granted, provided that the above copyright * notice appears in all copies. This software is provided without any * warranty, express or implied. Red Hat makes no representations about * the suitability of this software for any purpose. * * IN NO EVENT SHALL RED HAT BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, * SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF * THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF RED HAT HAS BEEN ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * * RED HAT DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND * RED HAT HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, * ENHANCEMENTS, OR MODIFICATIONS. */ #ifndef __LINUX__AIO_ABI_H #define __LINUX__AIO_ABI_H #include #include typedef __kernel_ulong_t aio_context_t; enum { IOCB_CMD_PREAD = 0, IOCB_CMD_PWRITE = 1, IOCB_CMD_FSYNC = 2, IOCB_CMD_FDSYNC = 3, /* These two are experimental. * IOCB_CMD_PREADX = 4, * IOCB_CMD_POLL = 5, */ IOCB_CMD_NOOP = 6, IOCB_CMD_PREADV = 7, IOCB_CMD_PWRITEV = 8, }; /* * Valid flags for the "aio_flags" member of the "struct iocb". * * IOCB_FLAG_RESFD - Set if the "aio_resfd" member of the "struct iocb" * is valid. */ #define IOCB_FLAG_RESFD (1 << 0) /* read() from /dev/aio returns these structures. */ struct io_event { __u64 data; /* the data field from the iocb */ __u64 obj; /* what iocb this event came from */ __s64 res; /* result code for this event */ __s64 res2; /* secondary result */ }; #if defined(__BYTE_ORDER) ? __BYTE_ORDER == __LITTLE_ENDIAN : defined(__LITTLE_ENDIAN) #define PADDED(x,y) x, y #elif defined(__BYTE_ORDER) ? __BYTE_ORDER == __BIG_ENDIAN : defined(__BIG_ENDIAN) #define PADDED(x,y) y, x #else #error edit for your odd byteorder. #endif /* * we always use a 64bit off_t when communicating * with userland. its up to libraries to do the * proper padding and aio_error abstraction */ struct iocb { /* these are internal to the kernel/libc. */ __u64 aio_data; /* data to be returned in event's data */ __u32 PADDED(aio_key, aio_reserved1); /* the kernel sets aio_key to the req # */ /* common fields */ __u16 aio_lio_opcode; /* see IOCB_CMD_ above */ __s16 aio_reqprio; __u32 aio_fildes; __u64 aio_buf; __u64 aio_nbytes; __s64 aio_offset; /* extra parameters */ __u64 aio_reserved2; /* TODO: use this for a (struct sigevent *) */ /* flags for the "struct iocb" */ __u32 aio_flags; /* * if the IOCB_FLAG_RESFD flag of "aio_flags" is set, this is an * eventfd to signal AIO readiness to */ __u32 aio_resfd; }; /* 64 bytes */ #undef IFBIG #undef IFLITTLE #endif /* __LINUX__AIO_ABI_H */ From noloader at gmail.com Fri Mar 18 03:38:26 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 17 Mar 2016 23:38:26 -0400 Subject: [openssl-dev] AF_ALG engine support and kernel versions Message-ID: Hi Everyone, Looking at the code in engines/afalg/e_afalg.c, there is the following: ... #define K_MAJ 4 #define K_MIN1 1 #define K_MIN2 0 #if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0" # warning "Skipping Compilation of AFALG engine" #else ... It appears AF_ALG was added to the kernel at 2.6.38. Asynchronous I/O support appears to have surfaced in the kernel at 2.5.23. Where is the requirement for 4.1 coming from? Also, "Fixing asynchronous I/O, again", dated January 2016 (http://lwn.net/Articles/671649/) could explain why later 4.x kernels are having problems with the afalgtest. Jeff From openssl-users at dukhovni.org Fri Mar 18 03:52:30 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 17 Mar 2016 23:52:30 -0400 Subject: [openssl-dev] [openssl.org #4443] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> Message-ID: <4866B79B-ACE9-452C-96CD-F1CDE8DB7BC0@dukhovni.org> > On Mar 17, 2016, at 10:52 PM, Jeffrey Walton wrote: > > This is bad news... A 32-bit pointer's sign extension is > implementation defined, which means it may as well be undefined > behavior... > > GCC sign extends. I think you can get around it with an intermediate > cast to uintptr_t: > > cb->aio_buf = (uint64_t)(uintptr_t)buf; The kernel sources seem to use a cast to (unsigned long) in the system call definitions... Someone else will have to figure out how this is supposed to work... -- Viktor. From rt at openssl.org Fri Mar 18 05:08:50 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 18 Mar 2016 05:08:50 +0000 Subject: [openssl-dev] [openssl.org #4434] Gentoo 13, x86_64: 4 failed self tests In-Reply-To: References: <56E9678F.6060004@openssl.org> Message-ID: On Wed, Mar 16, 2016 at 6:11 PM, Jeffrey Walton wrote: > On Wed, Mar 16, 2016 at 10:02 AM, Matt Caswell wrote: >> What happens if you run the afalgtest directly? >> >> $ cd test >> $ ./afalgtest >> > > ./afalgtest > ALG_PERR: afalg_create_sk: Failed to open socket : Address family not > supported by protocol > test_afalg_aes_128_cbc() failed encryption It appears I missed the following kernel configuration parameters when building the kernel: * CONFIG_CRYPTO_USER_API=m * CONFIG_CRYPTO_USER_API_HASH=m * CONFIG_CRYPTO_USER_API_SKCIPHER=m Maybe what should be done for the engine is to determine if the kernel supports AF_ALG, and latch the result at startup. Perhaps something like the following in afalg_chk_platform(): $ git diff engines/afalg/e_afalg.c diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c index 90d7602..e2b5896 100644 --- a/engines/afalg/e_afalg.c +++ b/engines/afalg/e_afalg.c @@ -799,7 +799,11 @@ static int afalg_chk_platform(void) return 0; } - return 1; + ret = socket(AF_ALG, SOCK_SEQPACKET, 0); + if(ret != -1) + close(ret); + + return !!(ret != -1); } # ifdef OPENSSL_NO_DYNAMIC_ENGINE When runtime testing for AF_ALG is added to afalg_chk_platform(), then the test fails with: $ ./test/afalgtest AFALG Test: Failed to load AFALG Engine Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4434 Please log in as guest with password guest if prompted From sharad.tekale at zebra.com Fri Mar 18 06:14:17 2016 From: sharad.tekale at zebra.com (Tekale, Sharad) Date: Fri, 18 Mar 2016 06:14:17 +0000 Subject: [openssl-dev] openssl 1.0.1p PEM_write_bio_RSAPrivateKey fail. error: ASN1_get_object:too long In-Reply-To: <56EB0BA1.1030901@oracle.com> References: <56EB0BA1.1030901@oracle.com> Message-ID: Hi Farrell, Thanks a lot for your reply. I've actually used password of 64 characters in my program, for simplicity I've showcased as 6 byte password in below example. Looks like there is some other issue or some stringent check that is added in 1.0.1p as the same code works fine in 0.9.8zg version. Can you please give us pointers to debug this issue. Thanks, Sharad. From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Jeremy Farrell Sent: Friday, March 18, 2016 1:25 AM To: openssl-users at openssl.org Cc: openssl-dev at openssl.org Subject: Re: [openssl-dev] openssl 1.0.1p PEM_write_bio_RSAPrivateKey fail. error: ASN1_get_object:too long On 17/03/2016 06:32, Ranjith Kumar A. wrote: > > Need help. This is a question about using the OpenSSL libraries, further discussion should be on openssl-users; I've set 'reply-to' appropriately, but I don't know what the mailing list will do with it. > I'm not able to encrypt a key using passphrase, below is the error > message. > > **"error:0D07209B:asn1 encoding routines:ASN1_get_object:too long"** > > Have already googled for error but couldn't got much info > > unsigned char pass[] = "123456"; > > BIO *priv_bio = BIO_new( BIO_s_mem() ); > > RSA *rsa = RSA_generate_key( 2048, 65537, NULL, NULL ) ret = > PEM_write_bio_RSAPrivateKey( priv_bio, rsa, EVP_aes_256_cbc(), pass, 64, NULL, NULL ); I don't know if or how it's related to your problem, but you have defined a 7 byte array as the passphrase then told the function to use 64 bytes at that location. There's no saying what values the other 57 bytes of the passphrase will have, assuming they're accessible at all. > ... > The same piece of code is working on openssl-0.9.8zg. More luck than good judgement I suspect. > ... -- J. J. Farrell Not speaking for Oracle. ________________________________ - CONFIDENTIAL- This email and any files transmitted with it are confidential, and may also be legally privileged. If you are not the intended recipient, you may not review, use, copy, or distribute this message. If you receive this email in error, please notify the sender immediately by reply email and then delete this email. -------------- next part -------------- An HTML attachment was scrubbed... URL: From noloader at gmail.com Fri Mar 18 07:50:37 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 18 Mar 2016 03:50:37 -0400 Subject: [openssl-dev] [openssl.org #4443] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: <4866B79B-ACE9-452C-96CD-F1CDE8DB7BC0@dukhovni.org> References: <544207B9-E685-49D0-B54C-62B1545B7AA0@dukhovni.org> <4866B79B-ACE9-452C-96CD-F1CDE8DB7BC0@dukhovni.org> Message-ID: >> This is bad news... A 32-bit pointer's sign extension is >> implementation defined, which means it may as well be undefined >> behavior... >> >> GCC sign extends. I think you can get around it with an intermediate >> cast to uintptr_t: >> >> cb->aio_buf = (uint64_t)(uintptr_t)buf; > > The kernel sources seem to use a cast to (unsigned long) in the system > call definitions... Someone else will have to figure out how this is > supposed to work... Yeah, maybe Andy can jump in. I known what the kernel is doing is just plain wrong because the C language does not make the size guarantees they are depending on. For some reason, they feel the C language rules don't apply to them. The language rules are important because that's what the compiler authors follow. Q.v... From rt at openssl.org Fri Mar 18 07:51:18 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Fri, 18 Mar 2016 07:51:18 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> Message-ID: % ./config --prefix=/opt/openssl Operating system: i86pc-whatever-solaris2 Configuring for solaris64-x86_64-gcc Configuring OpenSSL version 1.1.0-pre4 (0x0x10100004L) ??? no-crypto-mdebug [default]? OPENSSL_NO_CRYPTO_MDEBUG (skip dir) ??? no-crypto-mdebug-backtrace [forced]?? OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) ??? no-dynamic-engine [forced]? ??? no-ec_nistp_64_gcc_128 [default]? OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) ??? no-egd????????? [default]? OPENSSL_NO_EGD (skip dir) ??? no-heartbeats?? [default]? OPENSSL_NO_HEARTBEATS (skip dir) ??? no-md2????????? [default]? OPENSSL_NO_MD2 (skip dir) ??? no-rc5????????? [default]? OPENSSL_NO_RC5 (skip dir) ??? no-sctp???????? [default]? OPENSSL_NO_SCTP (skip dir) ??? no-shared?????? [default] ??? no-ssl-trace??? [default]? OPENSSL_NO_SSL_TRACE (skip dir) ??? no-ssl3???????? [default]? OPENSSL_NO_SSL3 (skip dir) ??? no-ssl3-method? [default]? OPENSSL_NO_SSL3_METHOD (skip dir) ??? no-unit-test??? [default]? OPENSSL_NO_UNIT_TEST (skip dir) ??? no-weak-ssl-ciphers [default]? OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) ??? no-zlib???????? [default] ??? no-zlib-dynamic [default] Configuring for solaris64-x86_64-gcc IsMK1MF?????? =no CC??????????? =gcc CFLAG???????? =-m64 -Wall -DL_ENDIAN -O3 -pthread -DFILIO_H? -Wa,--noexecstack SHARED_CFLAG? =-fPIC DEFINES?????? =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG???????? = PLIB_LFLAG??? = EX_LIBS?????? =-lresolv -lsocket -lnsl -ldl APPS_OBJ????? = CPUID_OBJ???? =x86_64cpuid.o UPLINK_OBJ??? = BN_ASM??????? =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM??????? =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC?????? =des_enc.o fcrypt_b.o AES_ENC?????? =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC??????? =bf_enc.o CAST_ENC????? =c_enc.o RC4_ENC?????? =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC?????? =rc5_enc.o MD5_OBJ_ASM?? =md5-x86_64.o SHA1_OBJ_ASM? =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC????? =cmll-x86_64.o cmll_misc.o MODES_OBJ???? =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ?? =e_padlock-x86_64.o CHACHA_ENC??? =chacha-x86_64.o POLY1305_OBJ? =poly1305-x86_64.o BLAKE2_OBJ??? = PROCESSOR???? = RANLIB??????? =/usr/ccs/bin/ranlib ARFLAGS?????? = PERL????????? =/opt/perl5/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for solaris64-x86_64-gcc. % make ? : make[1]: Leaving directory '/tmp/openssl-1.1.0-pre4' /opt/perl5/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ ??? "-oMakefile" apps/CA.pl.in > "apps/CA.pl" chmod a+x apps/CA.pl /opt/perl5/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ ??? "-oMakefile" tools/c_rehash.in > "tools/c_rehash" chmod a+x tools/c_rehash Makefile:170: recipe for target 'depend' failed make: *** [depend] Error 1 Other information OS: Solaris10 x86/64 perl version:v5.22.1 gcc version: 4.8.5 ld: /usr/ccs/bin/ld Best Regards, --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From emilia at openssl.org Fri Mar 18 10:57:41 2016 From: emilia at openssl.org (=?UTF-8?Q?Emilia_K=C3=A4sper?=) Date: Fri, 18 Mar 2016 10:57:41 +0000 Subject: [openssl-dev] Running against BoringSSL's SSL test suite In-Reply-To: References: Message-ID: FYI for easier use, this patch now lives at https://github.com/google/openssl-tests, rebased against BoringSSL latest (thanks David!) and OpenSSL-1.1.0-pre4 (Beta 1). I've also checked in a log from Beta 1. Cheers, Emilia On Thu, Mar 10, 2016 at 4:33 PM David Benjamin wrote: > On Thu, Mar 10, 2016 at 1:30 AM Kanaka Kotamarthy > wrote: > >> And also Openssl fails with Resume-Client-NoResume cases. Do you have >> any report on which test cases do fail and reasons for the failure? >> >> >> RT tickets 4387 through 4395 were the failures I've triaged. I'm sure >> there's more things in there to look through. >> >> I don't believe Resume-Client-NoResume fails for me. Perhaps something >> was fixed between master and 1.1.0-pre2. >> >> >> Openssl doesn't gives any error. For Resume-Client-NoResume-SSL3-TLS11 >> test case, we expect the new session's handshake to be done with TLS11. But >> with Openssl handshake is done using SSL3. As in ssl3_clear, we set back >> s->version to s->method->version. >> > > Oh, sorry, I keep forgetting our runner doesn't make it clear when a -test > option fails to match anything. (I should fix that...) I looked > for Resume-Client-NoResume without noticing it had suffixes. :-) > > I would expect most things addResumptionVersionTests to fail. See > https://github.com/openssl/openssl/pull/603 > > David > > >> Thank you >> Durga. >> >> On Wed, Mar 9, 2016 at 10:38 PM, David Benjamin >> wrote: >> >>> On Wed, Mar 9, 2016 at 5:07 AM Kanaka Kotamarthy >>> wrote: >>> >>>> Hi >>>> >>>> I am even testing OpenSSL with BoringSSL's test cases using >>>> Openssl-1.1.0-pre2. Trying to find out reasons of OpenSSL's failures >>>> for particular cases. >>>> >>>> DTLS 1.0 session resumption has some thing wrong. If s_server started >>>> with -dtls and s_client -dtls1 -reconnect , session resumption is not >>>> being done. The reason for this may be, version negotiation for DTLS >>>> is done after loading previous session and check for s->version and >>>> s->session->version fails in tls_process_client_hello. >>>> >>> >>> See RT #4392. >>> https://rt.openssl.org/Ticket/Display.html?id=4392 >>> >>> >>>> And also Openssl fails with Resume-Client-NoResume cases. Do you have >>>> any report on which test cases do fail and reasons for the failure? >>>> >>> >>> RT tickets 4387 through 4395 were the failures I've triaged. I'm sure >>> there's more things in there to look through. >>> >>> I don't believe Resume-Client-NoResume fails for me. Perhaps something >>> was fixed between master and 1.1.0-pre2. >>> >>> David >>> >>> >>>> Thank you >>>> Durga. >>>> >>>> On Tue, Mar 8, 2016 at 3:19 AM, David Benjamin >>>> wrote: >>>> > Hi folks, >>>> > >>>> > So, we've by now built up a decent-sized SSL test suite in BoringSSL. >>>> I was >>>> > bored and ran it against OpenSSL master. It revealed a number of >>>> bugs. One >>>> > is https://github.com/openssl/openssl/pull/603. I'll be filing >>>> tickets >>>> > shortly for the remaining ones I've triaged, but I thought I'd send >>>> this >>>> > separately rather than duplicate it everywhere. >>>> > >>>> > Emilia also suggested there may be room to collaborate on testing. If >>>> > nothing else, just borrowing ideas or porting tests to/from your >>>> TLSProxy >>>> > setup. (Like, say, the ones that caught the bugs I'll be reporting. >>>> :-) ) >>>> > So, here's an introduction on how it all works: >>>> > >>>> > To run the tests on OpenSSL, clone BoringSSL: >>>> > https://boringssl.googlesource.com/boringssl/ >>>> > Then patch in this change. (Click the "Download" in the upper-right >>>> for >>>> > options.) >>>> > https://boringssl-review.googlesource.com/#/c/7332/ >>>> > Then follow the instructions in the commit message. >>>> > >>>> > The tests themselves and the runner logic live in >>>> ssl/test/runner/runner.go: >>>> > >>>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#922 >>>> > >>>> > They work by running an unmodified TLS stack in a shim binary against >>>> a copy >>>> > of Go's. We patch our copy with options for weird behavior to test >>>> against: >>>> > >>>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/common.go#414 >>>> > >>>> > Go and shim communicate entirely with sockets and (tons of) >>>> command-line >>>> > flags, though it is slightly overfit to BoringSSL's behavior and >>>> checks >>>> > error strings a lot. The shim also has options like -async mode which >>>> we use >>>> > on a subset of tests to stress state machine resumption. (This has >>>> saved me >>>> > from state machine bugs so many times.) >>>> > >>>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/runner/runner.go#2770 >>>> > >>>> https://boringssl.googlesource.com/boringssl/+/22ce9b2d08a52e399bf2ab86851952d727be034d/ssl/test/bssl_shim.cc#826 >>>> > >>>> > I hope this is useful! Bugs and patches will follow this mail, as I >>>> write >>>> > them up. >>>> > >>>> > David >>>> > >>>> > -- >>>> > openssl-dev mailing list >>>> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >>>> > >>>> -- >>>> openssl-dev mailing list >>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >>>> >>> >>> -- >>> openssl-dev mailing list >>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >>> >>> >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrea.grandi at intel.com Fri Mar 18 08:57:04 2016 From: andrea.grandi at intel.com (Grandi, Andrea) Date: Fri, 18 Mar 2016 08:57:04 +0000 Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * In-Reply-To: References: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> Message-ID: <02DF9A39E1EE92419A8C5BBE62973A231A4AAA9C@IRSMSX108.ger.corp.intel.com> Hi Felix, I have seen the same warning during the compilation and I agree with you that it would be nice to have an API that takes const variable. Regards, Andrea -----Original Message----- From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Sch?ller Felix via RT Sent: Thursday, March 17, 2016 9:19 AM Cc: openssl-dev at openssl.org Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * Hallo, since the struct ECDSA_SIG ( -> ECDSA_SIG_st) is now opaque, one has to use ECDSA_SIG_get0() to access the values 'r' and 's'. This works fine for non-const variables. But if one has a 'const ECDSA_SIG *' (e.g. in verify_sig() of an ec_key-engine), this produces an error during compilation. So an additional version of ECDSA_SIG_get0() (taking a 'const ECDSA_SIG *' and setting pointer to (const BIGNUM)) would be nice. Kind regards Felix Sch?ller -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4436 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------------------------------------------------------- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. From rt at openssl.org Fri Mar 18 11:07:12 2016 From: rt at openssl.org (Grandi, Andrea via RT) Date: Fri, 18 Mar 2016 11:07:12 +0000 Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * In-Reply-To: <02DF9A39E1EE92419A8C5BBE62973A231A4AAA9C@IRSMSX108.ger.corp.intel.com> References: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> <02DF9A39E1EE92419A8C5BBE62973A231A4AAA9C@IRSMSX108.ger.corp.intel.com> Message-ID: Hi Felix, I have seen the same warning during the compilation and I agree with you that it would be nice to have an API that takes const variable. Regards, Andrea -----Original Message----- From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Sch?ller Felix via RT Sent: Thursday, March 17, 2016 9:19 AM Cc: openssl-dev at openssl.org Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * Hallo, since the struct ECDSA_SIG ( -> ECDSA_SIG_st) is now opaque, one has to use ECDSA_SIG_get0() to access the values 'r' and 's'. This works fine for non-const variables. But if one has a 'const ECDSA_SIG *' (e.g. in verify_sig() of an ec_key-engine), this produces an error during compilation. So an additional version of ECDSA_SIG_get0() (taking a 'const ECDSA_SIG *' and setting pointer to (const BIGNUM)) would be nice. Kind regards Felix Sch?ller -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4436 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------------------------------------------------------- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4436 Please log in as guest with password guest if prompted From ramunas.jurgilas at gmail.com Fri Mar 18 11:52:26 2016 From: ramunas.jurgilas at gmail.com (=?utf-8?Q?Ram=C5=ABnas_Jurgilas?=) Date: Fri, 18 Mar 2016 13:52:26 +0200 Subject: [openssl-dev] Memory leak in PKCS12_newpass function Message-ID: <43B1F3FC-F31A-4F5E-958D-604B402CA2AE@gmail.com> Hello OpenSSL Team, I did write function which changes PKCS12 passphrase. I noticed that PKCS12_newpass function leaks memory. Memory leak disappears when commenting out line where is PKCS12_newpass func. Below I posted this code which I am using. I am using OpneSSL 1.0.2g version. Could you please give me information what I am doing wrong? Or it is known issue? Bets regards, Ramunas - (NSData*)changePKCS12:(NSData*)p12Data oldPassphrase:(NSString*)oldPassphrase newPassphrase:(NSString*)newPassphrase { OpenSSL_add_all_algorithms(); BIO *bp = NULL; PKCS12 *p12 = NULL; int status = 0; do { bp = BIO_new_mem_buf((void *)[p12Data bytes], (int)[p12Data length]); p12 = d2i_PKCS12_bio(bp, NULL); // MEMORY LEAK in PKCS12_newpass status = PKCS12_newpass(p12, (char *)[oldPassphrase UTF8String], (char *)[newPassphrase UTF8String]); } while (false); if (p12) { PKCS12_free(p12); p12 = NULL; } if (bp) { BIO_free_all(bp); bp = NULL; } EVP_cleanup(); return NULL; } -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Fri Mar 18 12:52:34 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 18 Mar 2016 12:52:34 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: References: Message-ID: I've configured with: ./config enable-afalgeng When I run the self tests, I see: ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not supported for this build That's coming from test/afalgtest.c and this block: #ifndef OPENSSL_NO_AFALGENG ... #else int main(int argc, char **argv) { fprintf(stderr, "AFALG not supported - skipping AFALG tests\n"); printf("PASS\n"); return 0; } #endif When I cat openssl/include/openssl/opensslconf.h, I see: #ifndef OPENSSL_NO_AFALGENG # define OPENSSL_NO_AFALGENG #endif It appears enable-afalgeng is not being honored. (I also tweaked engines/afalg/e_afalg.c, but I'm not getting that far). ********** $ ./config enable-afalgeng Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4445 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 12:59:23 2016 From: rt at openssl.org (=?UTF-8?B?U2Now7xsbGVyIEZlbGl4?= via RT) Date: Fri, 18 Mar 2016 12:59:23 +0000 Subject: [openssl-dev] [openssl.org #4446] [openssl 1.1.0] Memory handling inside ASN1_item_sign_ctx() In-Reply-To: <9A2D7FB40390D144BE9C16563F849C86045CC091@AS000EX.ifd.infodas.de> References: <9A2D7FB40390D144BE9C16563F849C86045CC091@AS000EX.ifd.infodas.de> Message-ID: Hallo, I discovered an unexpected behavior of ASN1_item_sign_ctx(). This function frees the given EVP_MD_CTX, which is not documented (expect in apps/req.c ...). This behavior induces high risks of double-freeing the EVP_MD_CTX or memory leaks (you have to check the return value of 'X509.*_sign_ctx()' and decide whether to free the EVP_MD_CTX or not.) The attached diff (created for 1.1.0-pre4) changes the behavior of ASN1_item_sign_ctx() into the expected and applies the needed simplifications in apps/req.c. Kind regards Felix Sch?ller -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4446 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl-asn1.diff Type: application/octet-stream Size: 2845 bytes Desc: not available URL: From matt at openssl.org Fri Mar 18 13:18:04 2016 From: matt at openssl.org (Matt Caswell) Date: Fri, 18 Mar 2016 13:18:04 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: References: Message-ID: <56EC000C.1080801@openssl.org> On 18/03/16 12:52, noloader at gmail.com via RT wrote: > I've configured with: > > ./config enable-afalgeng > > When I run the self tests, I see: > > ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not > supported for this build You should not need to use enable-afalgeng at all. It is enabled by default unless for some reason it is not supported by your system. Reasons that it might not be supported: - You are not running Linux - You are not building "shared" or have otherwise disabled dynamic-engines - uname reports a kernel version less than 4.1.0 - Your linux headers are less than 4.1.0 Matt From rt at openssl.org Fri Mar 18 13:18:06 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Fri, 18 Mar 2016 13:18:06 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: <56EC000C.1080801@openssl.org> References: <56EC000C.1080801@openssl.org> Message-ID: On 18/03/16 12:52, noloader at gmail.com via RT wrote: > I've configured with: > > ./config enable-afalgeng > > When I run the self tests, I see: > > ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not > supported for this build You should not need to use enable-afalgeng at all. It is enabled by default unless for some reason it is not supported by your system. Reasons that it might not be supported: - You are not running Linux - You are not building "shared" or have otherwise disabled dynamic-engines - uname reports a kernel version less than 4.1.0 - Your linux headers are less than 4.1.0 Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4445 Please log in as guest with password guest if prompted From noloader at gmail.com Fri Mar 18 13:26:31 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 18 Mar 2016 09:26:31 -0400 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: References: <56EC000C.1080801@openssl.org> Message-ID: On Fri, Mar 18, 2016 at 9:18 AM, Matt Caswell via RT wrote: > > > On 18/03/16 12:52, noloader at gmail.com via RT wrote: >> I've configured with: >> >> ./config enable-afalgeng >> >> When I run the self tests, I see: >> >> ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not >> supported for this build > > You should not need to use enable-afalgeng at all. It is enabled by > default unless for some reason it is not supported by your system. > Reasons that it might not be supported: > > - You are not running Linux > - You are not building "shared" or have otherwise disabled dynamic-engines None of these work to enable it. I tried them incrementally, but did not list them because I don't care about them. $ ./config shared enable-pic enable-dso enable-engine enable-afalgeng This is what I am trying to test... Kernel version greater than 2.6 and less than 4.1. > - uname reports a kernel version less than 4.1.0 > - Your linux headers are less than 4.1.0 If the library is going to reject an option, then maybe it should produce an info, warning or error. Better, honor the configuration and these problems go away :) From rt at openssl.org Fri Mar 18 13:26:34 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 18 Mar 2016 13:26:34 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: References: <56EC000C.1080801@openssl.org> Message-ID: On Fri, Mar 18, 2016 at 9:18 AM, Matt Caswell via RT wrote: > > > On 18/03/16 12:52, noloader at gmail.com via RT wrote: >> I've configured with: >> >> ./config enable-afalgeng >> >> When I run the self tests, I see: >> >> ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not >> supported for this build > > You should not need to use enable-afalgeng at all. It is enabled by > default unless for some reason it is not supported by your system. > Reasons that it might not be supported: > > - You are not running Linux > - You are not building "shared" or have otherwise disabled dynamic-engines None of these work to enable it. I tried them incrementally, but did not list them because I don't care about them. $ ./config shared enable-pic enable-dso enable-engine enable-afalgeng This is what I am trying to test... Kernel version greater than 2.6 and less than 4.1. > - uname reports a kernel version less than 4.1.0 > - Your linux headers are less than 4.1.0 If the library is going to reject an option, then maybe it should produce an info, warning or error. Better, honor the configuration and these problems go away :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4445 Please log in as guest with password guest if prompted From tshort at akamai.com Fri Mar 18 14:43:34 2016 From: tshort at akamai.com (Short, Todd) Date: Fri, 18 Mar 2016 14:43:34 +0000 Subject: [openssl-dev] 1.1.0-pre4: ALPN mismatch terminates connection In-Reply-To: References: Message-ID: The change was actually introduced earlier (see: https://github.com/openssl/openssl/commit/0621786). GH891 (https://github.com/openssl/openssl/commit/817cd0d52f0462039d1fe60462150be7f59d2002) moved the ALPN processing later so that the SSL_CTX determined from SNI can be used, rather than the original SSL_CTX. -- -Todd Short // tshort at akamai.com // "One if by land, two if by sea, three if by the Internet." On Mar 17, 2016, at 6:28 AM, Christian Heimes > wrote: On 2016-03-17 11:08, Christian Heimes wrote: Hi, I think I found a regression in 1.1.0-pre4's ALPN code. And here is a fix: https://github.com/openssl/openssl/pull/891 -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: From hkario at redhat.com Fri Mar 18 16:20:26 2016 From: hkario at redhat.com (Hubert Kario) Date: Fri, 18 Mar 2016 17:20:26 +0100 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value In-Reply-To: <9A91E7CF-E3EE-4A12-932D-D9082F39AD91@dukhovni.org> References: <20160316223741.GA13900@w1.fi> <20160316224423.GQ6602@mournblade.imrryr.org> <9A91E7CF-E3EE-4A12-932D-D9082F39AD91@dukhovni.org> Message-ID: <1823170.px1zMknNl8@pintsize.usersys.redhat.com> On Wednesday 16 March 2016 20:40:42 Viktor Dukhovni wrote: > > On Mar 16, 2016, at 6:44 PM, Viktor Dukhovni wrote: > >> Was the SSL_get_version() behavior changed on purpose in the Beta 1 > >> release? This function used to return "TLSv1" when TLS v1.0 was > >> used > >> while it is now in Beta 1 returning "TLSv1.0" for that case. > > > > I missed this change in the review. Sorry about that. It should > > perhaps be reverted for beta2. The reported version string for > > TLS 1.0 has been "TLSv1" since support for "TLS 1.0" was introduced. > > It should likely stay that way. > > I think it is reasonable to preserve the backwards compatible "TLSv1" > for the string protocol version, but do we also need to preserve the > "TLSv1.0" in ciphers(1) output? If so, the code needs an exception > that can otherwise be avoided. I'd say that ciphers(1) is directed more at human users than on applications, I don't think changing it there would be a problem. -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purky?ova 99/71, 612 45, Brno, Czech Republic -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: From rainer.jung at kippdata.de Fri Mar 18 16:33:49 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Fri, 18 Mar 2016 17:33:49 +0100 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> Message-ID: <56EC2DED.4070503@kippdata.de> I had the same problem. /bin/sh on Solaris does not understand the "-nt" operator used in the definition of the "depend" target in the top-level Makefile, e.g. in line if [ Makefile -nt Makefile ] ... and elsewhere. From "man test" on Solaris: ... file1 -nt file2 True if file1 exists and is newer than file2. (Not available in sh.) ... Also normative standards documents as http://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html indicate, that "-nt" can't be expected. Quoting: "Some additional primaries newly invented or from the KornShell appeared in an early proposal as part of the conditional command ([[]]): s1 > s2, s1 < s2, str = pattern, str != pattern, f1 -nt f2, f1 -ot f2, and f1 -ef f2. They were not carried forward into the test utility when the conditional command was removed from the shell because they have not been included in the test utility built into historical implementations of the sh utility." I added a line SHELL=/bin/ksh to the Makefile on Solaris, because I was afraid that more non-standard shell stuff might be in the Makefile now or in the future. It would be better though to replace the non-standard stuff, but I didn't have the time to work on a full patch. Using the SHELL=/bin/ksh workaround should allow you to proceed building on Solaris. "make" then uses the Korn Shell for shell constructs contained in the Makefile. Regards, Rainer Am 18.03.2016 um 08:51 schrieb Kiyoshi KANAZAWA via RT: > % ./config --prefix=/opt/openssl > Operating system: i86pc-whatever-solaris2 > Configuring for solaris64-x86_64-gcc > Configuring OpenSSL version 1.1.0-pre4 (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for solaris64-x86_64-gcc > IsMK1MF =no > CC =gcc > CFLAG =-m64 -Wall -DL_ENDIAN -O3 -pthread -DFILIO_H -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-lresolv -lsocket -lnsl -ldl > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > BLAKE2_OBJ = > PROCESSOR = > RANLIB =/usr/ccs/bin/ranlib > ARFLAGS = > PERL =/opt/perl5/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for solaris64-x86_64-gcc. > > > % make > : > make[1]: Leaving directory '/tmp/openssl-1.1.0-pre4' > /opt/perl5/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ > "-oMakefile" apps/CA.pl.in > "apps/CA.pl" > chmod a+x apps/CA.pl > /opt/perl5/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ > "-oMakefile" tools/c_rehash.in > "tools/c_rehash" > chmod a+x tools/c_rehash > Makefile:170: recipe for target 'depend' failed > make: *** [depend] Error 1 > > > > Other information > OS: Solaris10 x86/64 > > perl version:v5.22.1 > gcc version: 4.8.5 > ld: /usr/ccs/bin/ld > > > Best Regards, > > > --- Kiyoshi From rt at openssl.org Fri Mar 18 16:34:06 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Fri, 18 Mar 2016 16:34:06 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: <56EC2DED.4070503@kippdata.de> References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> Message-ID: I had the same problem. /bin/sh on Solaris does not understand the "-nt" operator used in the definition of the "depend" target in the top-level Makefile, e.g. in line if [ Makefile -nt Makefile ] ... and elsewhere. From "man test" on Solaris: ... file1 -nt file2 True if file1 exists and is newer than file2. (Not available in sh.) ... Also normative standards documents as http://pubs.opengroup.org/onlinepubs/9699919799/utilities/test.html indicate, that "-nt" can't be expected. Quoting: "Some additional primaries newly invented or from the KornShell appeared in an early proposal as part of the conditional command ([[]]): s1 > s2, s1 < s2, str = pattern, str != pattern, f1 -nt f2, f1 -ot f2, and f1 -ef f2. They were not carried forward into the test utility when the conditional command was removed from the shell because they have not been included in the test utility built into historical implementations of the sh utility." I added a line SHELL=/bin/ksh to the Makefile on Solaris, because I was afraid that more non-standard shell stuff might be in the Makefile now or in the future. It would be better though to replace the non-standard stuff, but I didn't have the time to work on a full patch. Using the SHELL=/bin/ksh workaround should allow you to proceed building on Solaris. "make" then uses the Korn Shell for shell constructs contained in the Makefile. Regards, Rainer Am 18.03.2016 um 08:51 schrieb Kiyoshi KANAZAWA via RT: > % ./config --prefix=/opt/openssl > Operating system: i86pc-whatever-solaris2 > Configuring for solaris64-x86_64-gcc > Configuring OpenSSL version 1.1.0-pre4 (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for solaris64-x86_64-gcc > IsMK1MF =no > CC =gcc > CFLAG =-m64 -Wall -DL_ENDIAN -O3 -pthread -DFILIO_H -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-lresolv -lsocket -lnsl -ldl > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > BLAKE2_OBJ = > PROCESSOR = > RANLIB =/usr/ccs/bin/ranlib > ARFLAGS = > PERL =/opt/perl5/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for solaris64-x86_64-gcc. > > > % make > : > make[1]: Leaving directory '/tmp/openssl-1.1.0-pre4' > /opt/perl5/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ > "-oMakefile" apps/CA.pl.in > "apps/CA.pl" > chmod a+x apps/CA.pl > /opt/perl5/bin/perl "-I." -Mconfigdata "util/dofile.pl" \ > "-oMakefile" tools/c_rehash.in > "tools/c_rehash" > chmod a+x tools/c_rehash > Makefile:170: recipe for target 'depend' failed > make: *** [depend] Error 1 > > > > Other information > OS: Solaris10 x86/64 > > perl version:v5.22.1 > gcc version: 4.8.5 > ld: /usr/ccs/bin/ld > > > Best Regards, > > > --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 16:49:13 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 18 Mar 2016 16:49:13 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> Message-ID: Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: > I had the same problem. /bin/sh on Solaris does not understand the "- > nt" > operator used in the definition of the "depend" target in the top- > level > Makefile, e.g. in line > > if [ Makefile -nt Makefile ] ... That can't be the cause, because whatever the exit code from the test is, it's "swallowed" by 'if'. A little like this is: $ if (exit 1); then :; fi; echo $? 0 I cannot tell you what's going wrong, and the only suggestion I currently have is to apply the attached patch and then reconfigure and make and see what the output is. Can I assume you know what 'set -ex' does? Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 16:50:01 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 18 Mar 2016 16:50:01 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> Message-ID: Perhaps with said attachment this time... Vid Fre, 18 Mar 2016 kl. 16.49.13, skrev levitte: > Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: > > I had the same problem. /bin/sh on Solaris does not understand the "- > > nt" > > operator used in the definition of the "depend" target in the top- > > level > > Makefile, e.g. in line > > > > if [ Makefile -nt Makefile ] ... > > That can't be the cause, because whatever the exit code from the test > is, it's > "swallowed" by 'if'. A little like this is: > > $ if (exit 1); then :; fi; echo $? 0 I cannot tell you what's going > wrong, and > the only suggestion I currently have is to apply the attached patch > and then > reconfigure and make and see what the output is. Can I assume you know > what > 'set -ex' does? > > Cheers, > Richard > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: unix-Makefile.tmpl.patch Type: text/x-patch Size: 504 bytes Desc: not available URL: From rainer.jung at kippdata.de Fri Mar 18 18:07:20 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Fri, 18 Mar 2016 19:07:20 +0100 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> Message-ID: <56EC43D8.50007@kippdata.de> Am 18.03.2016 um 17:49 schrieb Richard Levitte via RT: > Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: >> I had the same problem. /bin/sh on Solaris does not understand the "- >> nt" >> operator used in the definition of the "depend" target in the top- >> level >> Makefile, e.g. in line >> >> if [ Makefile -nt Makefile ] ... > > That can't be the cause, because whatever the exit code from the test is, it's > "swallowed" by 'if'. A little like this is: If it were syntactically correct, but it isn't. I added the "set -ex" and: % make depend catdepends=false + [ Makefile -nt Makefile ] Makefile:172: recipe for target 'depend' failed make: *** [depend] Error 1 Line numbers are: 167 # To check if test has the file age comparison operator, we 168 # simply try, and rely test to exit with 0 if the comparison 169 # was true, 1 if false, and most importantly, 2 if it doesn't 170 # recognise the operator. 171 depend: 172 @: 173 @set -ex; catdepends=false; \ 174 if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ ... > $ if (exit 1); then :; fi; echo $? 0 I cannot tell you what's going wrong, and > the only suggestion I currently have is to apply the attached patch and then > reconfigure and make and see what the output is. Can I assume you know what > 'set -ex' does? You can and "man sh" would tell me otherwise ;) I tried a couple of other approaches. One could simulate the "-nt" using perl and stat() but my current favorite is using "find" with "-newer": 171 depend: 172 @: 173 @catdepends=false; \ 174 if [ "X`find $(DEPS) -newer Makefile`" != "X" ]; then \ 175 catdepends=true; \ 176 fi; \ 177 if [ $$catdepends = true ]; then \ ... rest unchanged or - since there's no more real need for the catdepends variable shorter and more direct: 171 depend: 172 @: 173 @( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ 174 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ 175 echo; \ 176 for d in `find $(DEPS) -newer Makefile`; do \ 177 if [ -f $$d ]; then cat $$d; fi; \ 178 done ) > Makefile.new; \ 179 if cmp Makefile.new Makefile >/dev/null 2>&1; then \ 180 rm -f Makefile.new; \ 181 else \ 182 mv -f Makefile.new Makefile; \ 183 fi 184 @: I don't know which length restrictions for $(DEPS) as find arguments we have, but at least for current OpenSSL 1.1.0 pre 4 on Solaris - which is typically more limited than Linux - it works. One could also iterate over "find" using one DEPS file for each iteration, but that would be much slower due to the overhead of forking "find" lots of times (on my slow system the above takes less than one second, but 6 seconds after switching to a loop over $(DEPS) with find inside the loop. Regards, Rainer From rt at openssl.org Fri Mar 18 18:07:31 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Fri, 18 Mar 2016 18:07:31 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: <56EC43D8.50007@kippdata.de> References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> <56EC43D8.50007@kippdata.de> Message-ID: Am 18.03.2016 um 17:49 schrieb Richard Levitte via RT: > Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: >> I had the same problem. /bin/sh on Solaris does not understand the "- >> nt" >> operator used in the definition of the "depend" target in the top- >> level >> Makefile, e.g. in line >> >> if [ Makefile -nt Makefile ] ... > > That can't be the cause, because whatever the exit code from the test is, it's > "swallowed" by 'if'. A little like this is: If it were syntactically correct, but it isn't. I added the "set -ex" and: % make depend catdepends=false + [ Makefile -nt Makefile ] Makefile:172: recipe for target 'depend' failed make: *** [depend] Error 1 Line numbers are: 167 # To check if test has the file age comparison operator, we 168 # simply try, and rely test to exit with 0 if the comparison 169 # was true, 1 if false, and most importantly, 2 if it doesn't 170 # recognise the operator. 171 depend: 172 @: 173 @set -ex; catdepends=false; \ 174 if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ ... > $ if (exit 1); then :; fi; echo $? 0 I cannot tell you what's going wrong, and > the only suggestion I currently have is to apply the attached patch and then > reconfigure and make and see what the output is. Can I assume you know what > 'set -ex' does? You can and "man sh" would tell me otherwise ;) I tried a couple of other approaches. One could simulate the "-nt" using perl and stat() but my current favorite is using "find" with "-newer": 171 depend: 172 @: 173 @catdepends=false; \ 174 if [ "X`find $(DEPS) -newer Makefile`" != "X" ]; then \ 175 catdepends=true; \ 176 fi; \ 177 if [ $$catdepends = true ]; then \ ... rest unchanged or - since there's no more real need for the catdepends variable shorter and more direct: 171 depend: 172 @: 173 @( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ 174 echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ 175 echo; \ 176 for d in `find $(DEPS) -newer Makefile`; do \ 177 if [ -f $$d ]; then cat $$d; fi; \ 178 done ) > Makefile.new; \ 179 if cmp Makefile.new Makefile >/dev/null 2>&1; then \ 180 rm -f Makefile.new; \ 181 else \ 182 mv -f Makefile.new Makefile; \ 183 fi 184 @: I don't know which length restrictions for $(DEPS) as find arguments we have, but at least for current OpenSSL 1.1.0 pre 4 on Solaris - which is typically more limited than Linux - it works. One could also iterate over "find" using one DEPS file for each iteration, but that would be much slower due to the overhead of forking "find" lots of times (on my slow system the above takes less than one second, but 6 seconds after switching to a loop over $(DEPS) with find inside the loop. Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 18:33:45 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 18 Mar 2016 18:33:45 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> <56EC43D8.50007@kippdata.de> Message-ID: Vid Fre, 18 Mar 2016 kl. 18.07.31, skrev rainer.jung at kippdata.de: > Am 18.03.2016 um 17:49 schrieb Richard Levitte via RT: > > Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: > >> I had the same problem. /bin/sh on Solaris does not understand the > >> "- > >> nt" > >> operator used in the definition of the "depend" target in the top- > >> level > >> Makefile, e.g. in line > >> > >> if [ Makefile -nt Makefile ] ... > > > > That can't be the cause, because whatever the exit code from the test > > is, it's > > "swallowed" by 'if'. A little like this is: > > If it were syntactically correct, but it isn't. You'll have to explain that to me. I just had a look here: https://docs.oracle.com/cd/E26502_01/html/E29030/sh-1.html: >>> if list ; then list elif list ; then list ; ] . . . [ else list ; ] fi >>> The list following if is executed and, if it returns a zero exit status, the list following the first then is executed. Otherwise, the list following elif is executed and, if its value is zero, the list following the next then is executed. Failing that, the else list is executed. If no else list or then list is executed, then the if command returns a zero exit status. > I added the "set -ex" and: > > % make depend > catdepends=false > + [ Makefile -nt Makefile ] > Makefile:172: recipe for target 'depend' failed > make: *** [depend] Error 1 Would the following make a difference? if ( [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ] ); then or perhaps using 'test' instead of '[' (and removing the ']' in that case, of course)? > or - since there's no more real need for the catdepends variable That's an incorrect assumption. 'depend' is run as part of the larger targets, and on some slower systems, having the same file copying happening every time is quite time consuming. Checking if there's a need for all the data copying at all first takes down the time for the cases when the .d files haven't been updated since last time. Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Fri Mar 18 19:10:31 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Fri, 18 Mar 2016 20:10:31 +0100 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> <56EC43D8.50007@kippdata.de> Message-ID: <56EC52A7.9010705@kippdata.de> Am 18.03.2016 um 19:33 schrieb Richard Levitte via RT: > Vid Fre, 18 Mar 2016 kl. 18.07.31, skrev rainer.jung at kippdata.de: >> Am 18.03.2016 um 17:49 schrieb Richard Levitte via RT: >>> Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: >>>> I had the same problem. /bin/sh on Solaris does not understand the >>>> "- >>>> nt" >>>> operator used in the definition of the "depend" target in the top- >>>> level >>>> Makefile, e.g. in line >>>> >>>> if [ Makefile -nt Makefile ] ... >>> >>> That can't be the cause, because whatever the exit code from the test >>> is, it's >>> "swallowed" by 'if'. A little like this is: >> >> If it were syntactically correct, but it isn't. > > You'll have to explain that to me. I just had a look here: > https://docs.oracle.com/cd/E26502_01/html/E29030/sh-1.html: > > >>>> if list ; then list elif list ; then list ; ] . . . [ else list ; ] fi > >>>> The list following if is executed and, if it returns a zero exit status, > the list following the first then is executed. Otherwise, the list following > elif is executed and, if its value is zero, the list following the next then is > executed. Failing that, the else list is executed. If no else list or then list > is executed, then the if command returns a zero exit status. > >> I added the "set -ex" and: >> >> % make depend >> catdepends=false >> + [ Makefile -nt Makefile ] >> Makefile:172: recipe for target 'depend' failed >> make: *** [depend] Error 1 > > Would the following make a difference? > > if ( [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ] ); then Yes, that works. Works means: it correctly detects, that Solaris doesn't support "-nt" and adds all dependencies to the end of the Makefile. > or perhaps using 'test' instead of '[' (and removing the ']' in that case, of > course)? Also works. >> or - since there's no more real need for the catdepends variable > > That's an incorrect assumption. 'depend' is run as part of the larger targets, > and on some slower systems, having the same file copying happening every time > is quite time consuming. Checking if there's a need for all the data copying at > all first takes down the time for the cases when the .d files haven't been > updated since last time. I think the variant I suggested still does that, at least in my tests. If there's no newer dependency, then it will not add anything to the Makefile, since the result of the "find" command is empty. depend: @: @( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ echo; \ for d in `find $(DEPS) -newer Makefile`; do \ if [ -f $$d ]; then cat $$d; fi; \ done ) > Makefile.new; \ if cmp Makefile.new Makefile >/dev/null 2>&1; then \ rm -f Makefile.new; \ else \ mv -f Makefile.new Makefile; \ fi @: With "no need for catdepends" I only wanted to say there's no need any more for first checking, then remembering the check result in the variable and then executing on the check result. Instead one can move the dependency change detection directly into the latter part as shown in my previous mail. It has also the benefit of only adding the dependency snippets that are newer than the Makefile, not all of them. Is that a logically correct aim, or do we need to add all dependencies even if only some of the files are newer than Makefile? Your suggested fix would mean on platforms without "-nt" we would always rebuild and that's in fact what I observed (make test rebuilds a lot of object files) whereas the "find" variant should work on all platforms and only adds the dependencies that are newer than the Makefile. If you want to add all dependencies even if only one is newer than the Makefile, a "find" based solution would be: depend: @: @if [ "X`find $(DEPS) -newer Makefile`" != "X" ]; then \ ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ echo; \ for d in $(DEPS); do \ if [ -f $$d ]; then cat $$d; fi; \ done ) > Makefile.new; \ if cmp Makefile.new Makefile >/dev/null 2>&1; then \ rm -f Makefile.new; \ else \ mv -f Makefile.new Makefile; \ fi; \ fi @: One final suggestion: if the final solution will still contain a "for d in ..." loop, you might want to rename the loop variable from d to something else, like e.g. "f". Why? It took me quite some time to understand why sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; works although the variable "d" was only defined below that line. Only later I noticed, that here the "$$d" has a totally different meaning than $$d in the loop (",$$" resolves to ",$" meaning until end of file and "d" is the sed delete command). So my confusion was triggered by seeing "$$d" in two places close to each other but having totally different meaning. If there were no variable "d" IMHO it might become a bit more understandable. BTW: I do like the new build system :) Regards, Rainer From rt at openssl.org Fri Mar 18 19:10:42 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Fri, 18 Mar 2016 19:10:42 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: <56EC52A7.9010705@kippdata.de> References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> <56EC2DED.4070503@kippdata.de> <56EC43D8.50007@kippdata.de> <56EC52A7.9010705@kippdata.de> Message-ID: Am 18.03.2016 um 19:33 schrieb Richard Levitte via RT: > Vid Fre, 18 Mar 2016 kl. 18.07.31, skrev rainer.jung at kippdata.de: >> Am 18.03.2016 um 17:49 schrieb Richard Levitte via RT: >>> Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: >>>> I had the same problem. /bin/sh on Solaris does not understand the >>>> "- >>>> nt" >>>> operator used in the definition of the "depend" target in the top- >>>> level >>>> Makefile, e.g. in line >>>> >>>> if [ Makefile -nt Makefile ] ... >>> >>> That can't be the cause, because whatever the exit code from the test >>> is, it's >>> "swallowed" by 'if'. A little like this is: >> >> If it were syntactically correct, but it isn't. > > You'll have to explain that to me. I just had a look here: > https://docs.oracle.com/cd/E26502_01/html/E29030/sh-1.html: > > >>>> if list ; then list elif list ; then list ; ] . . . [ else list ; ] fi > >>>> The list following if is executed and, if it returns a zero exit status, > the list following the first then is executed. Otherwise, the list following > elif is executed and, if its value is zero, the list following the next then is > executed. Failing that, the else list is executed. If no else list or then list > is executed, then the if command returns a zero exit status. > >> I added the "set -ex" and: >> >> % make depend >> catdepends=false >> + [ Makefile -nt Makefile ] >> Makefile:172: recipe for target 'depend' failed >> make: *** [depend] Error 1 > > Would the following make a difference? > > if ( [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ] ); then Yes, that works. Works means: it correctly detects, that Solaris doesn't support "-nt" and adds all dependencies to the end of the Makefile. > or perhaps using 'test' instead of '[' (and removing the ']' in that case, of > course)? Also works. >> or - since there's no more real need for the catdepends variable > > That's an incorrect assumption. 'depend' is run as part of the larger targets, > and on some slower systems, having the same file copying happening every time > is quite time consuming. Checking if there's a need for all the data copying at > all first takes down the time for the cases when the .d files haven't been > updated since last time. I think the variant I suggested still does that, at least in my tests. If there's no newer dependency, then it will not add anything to the Makefile, since the result of the "find" command is empty. depend: @: @( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ echo; \ for d in `find $(DEPS) -newer Makefile`; do \ if [ -f $$d ]; then cat $$d; fi; \ done ) > Makefile.new; \ if cmp Makefile.new Makefile >/dev/null 2>&1; then \ rm -f Makefile.new; \ else \ mv -f Makefile.new Makefile; \ fi @: With "no need for catdepends" I only wanted to say there's no need any more for first checking, then remembering the check result in the variable and then executing on the check result. Instead one can move the dependency change detection directly into the latter part as shown in my previous mail. It has also the benefit of only adding the dependency snippets that are newer than the Makefile, not all of them. Is that a logically correct aim, or do we need to add all dependencies even if only some of the files are newer than Makefile? Your suggested fix would mean on platforms without "-nt" we would always rebuild and that's in fact what I observed (make test rebuilds a lot of object files) whereas the "find" variant should work on all platforms and only adds the dependencies that are newer than the Makefile. If you want to add all dependencies even if only one is newer than the Makefile, a "find" based solution would be: depend: @: @if [ "X`find $(DEPS) -newer Makefile`" != "X" ]; then \ ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \ echo; \ for d in $(DEPS); do \ if [ -f $$d ]; then cat $$d; fi; \ done ) > Makefile.new; \ if cmp Makefile.new Makefile >/dev/null 2>&1; then \ rm -f Makefile.new; \ else \ mv -f Makefile.new Makefile; \ fi; \ fi @: One final suggestion: if the final solution will still contain a "for d in ..." loop, you might want to rename the loop variable from d to something else, like e.g. "f". Why? It took me quite some time to understand why sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; works although the variable "d" was only defined below that line. Only later I noticed, that here the "$$d" has a totally different meaning than $$d in the loop (",$$" resolves to ",$" meaning until end of file and "d" is the sed delete command). So my confusion was triggered by seeing "$$d" in two places close to each other but having totally different meaning. If there were no variable "d" IMHO it might become a bit more understandable. BTW: I do like the new build system :) Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 19:44:02 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 18 Mar 2016 19:44:02 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: Vid Fre, 18 Mar 2016 kl. 19.10.42, skrev rainer.jung at kippdata.de: > Your suggested fix would mean on platforms without "-nt" we would > always > rebuild and that's in fact what I observed (make test rebuilds a lot > of > object files) whereas the "find" variant should work on all platforms > and only adds the dependencies that are newer than the Makefile. If > you > want to add all dependencies even if only one is newer than the > Makefile, a "find" based solution would be: > > depend: > @: > @if [ "X`find $(DEPS) -newer Makefile`" != "X" ]; then \ > ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \ > echo '# DO NOT DELETE THIS LINE -- make depend depends > on > it.'; \ > echo; \ > for d in $(DEPS); do \ > if [ -f $$d ]; then cat $$d; fi; \ > done ) > Makefile.new; \ > if cmp Makefile.new Makefile >/dev/null 2>&1; then \ > rm -f Makefile.new; \ > else \ > mv -f Makefile.new Makefile; \ > fi; \ > fi > @: This, I like. Makes total sense. Thank you. > One final suggestion: if the final solution will still contain a "for > d > in ..." loop, you might want to rename the loop variable from d to > something else, like e.g. "f". Why? It took me quite some time to > understand why > > sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; > > works although the variable "d" was only defined below that line. Only > later I noticed, that here the "$$d" has a totally different meaning > than $$d in the loop (",$$" resolves to ",$" meaning until end of file > and "d" is the sed delete command). So my confusion was triggered by > seeing "$$d" in two places close to each other but having totally > different meaning. If there were no variable "d" IMHO it might become > a > bit more understandable. Yeah, ok, I can see that confusion. Will do. > BTW: I do like the new build system :) Thank you :-) -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 19:57:13 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 18 Mar 2016 19:57:13 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: Patch for anyone interested in trying. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: unix-Makefile.tmpl.patch Type: text/x-patch Size: 1549 bytes Desc: not available URL: From rt at openssl.org Fri Mar 18 20:23:42 2016 From: rt at openssl.org (David Benjamin via RT) Date: Fri, 18 Mar 2016 20:23:42 +0000 Subject: [openssl-dev] [openssl.org #4439] poly1305-x86.pl produces incorrect output In-Reply-To: References: Message-ID: On Thu, Mar 17, 2016 at 5:22 PM David Benjamin via RT wrote: > I'm probably going to write something to generate random inputs and stress > all your other poly1305 codepaths against a reference implementation. I > recommend doing the same in your own test harness, to make sure there > aren't others of these bugs lurking around. > That gave a much shorter test case (or a different bug altogether?): Key = 2d773be37adb1e4d683bf0075e79c4ee037918535a7f99ccb7040fb5f5f43aea Input = 89dab80b7717c1db5db437860a3f70218e93e1b8f461fb677f16f35f6f87e2a91c99bc3a47ace47640cc95c345be5ecca5a3523c35cc01893af0b64a620334270372ec12482d1b1e363561698a578b359803495bb4e2ef1930b17a5190b580f141300df30adbeca28f6427a8bc1a999fd51c554a017d095d8c3e3127daf9f595 MAC = c85d15ed44c378d6b00e23064c7bcd51 This time there's no need for the funny update pattern. Feed it all into poly1305 in one call. $ OPENSSL_ia32cap=0 ./poly1305_test3 PASS $ ./poly1305_test3 Poly1305 test failed. got: c85d15ed43c378d6b00e23064c7bcd51 expected: c85d15ed44c378d6b00e23064c7bcd51 David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4439 Please log in as guest with password guest if prompted From richmoore44 at gmail.com Fri Mar 18 20:40:59 2016 From: richmoore44 at gmail.com (Richard Moore) Date: Fri, 18 Mar 2016 20:40:59 +0000 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value In-Reply-To: <1823170.px1zMknNl8@pintsize.usersys.redhat.com> References: <20160316223741.GA13900@w1.fi> <20160316224423.GQ6602@mournblade.imrryr.org> <9A91E7CF-E3EE-4A12-932D-D9082F39AD91@dukhovni.org> <1823170.px1zMknNl8@pintsize.usersys.redhat.com> Message-ID: On 18 March 2016 at 16:20, Hubert Kario wrote: > On Wednesday 16 March 2016 20:40:42 Viktor Dukhovni wrote: > > > On Mar 16, 2016, at 6:44 PM, Viktor Dukhovni users at dukhovni.org> wrote: > > >> Was the SSL_get_version() behavior changed on purpose in the Beta 1 > > >> release? This function used to return "TLSv1" when TLS v1.0 was > > >> used > > >> while it is now in Beta 1 returning "TLSv1.0" for that case. > > > > > > I missed this change in the review. Sorry about that. It should > > > perhaps be reverted for beta2. The reported version string for > > > TLS 1.0 has been "TLSv1" since support for "TLS 1.0" was introduced. > > > It should likely stay that way. > > > > I think it is reasonable to preserve the backwards compatible "TLSv1" > > for the string protocol version, but do we also need to preserve the > > "TLSv1.0" in ciphers(1) output? If so, the code needs an exception > > that can otherwise be avoided. > > I'd say that ciphers(1) is directed more at human users than on > applications, I don't think changing it there would be a problem. > ?Well, the same underlying API change would cause breakage in Qt?. As it happens I've started a new backend that is openssl 1.1 specific that means it probably won't matter in this case, but I doubt Qt is the only thing using this string. Cheers Rich. -------------- next part -------------- An HTML attachment was scrubbed... URL: From openssl-users at dukhovni.org Fri Mar 18 20:44:37 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Fri, 18 Mar 2016 16:44:37 -0400 Subject: [openssl-dev] OpenSSL 1.1.0-pre4 change in SSL_get_version() return value In-Reply-To: References: <20160316223741.GA13900@w1.fi> <20160316224423.GQ6602@mournblade.imrryr.org> <9A91E7CF-E3EE-4A12-932D-D9082F39AD91@dukhovni.org> <1823170.px1zMknNl8@pintsize.usersys.redhat.com> Message-ID: <22851D1B-7D96-4C39-9012-7E72823D4BBC@dukhovni.org> > On Mar 18, 2016, at 4:40 PM, Richard Moore wrote: > > I think it is reasonable to preserve the backwards compatible "TLSv1" > > for the string protocol version, but do we also need to preserve the > > "TLSv1.0" in ciphers(1) output? If so, the code needs an exception > > that can otherwise be avoided. > > I'd say that ciphers(1) is directed more at human users than on > applications, I don't think changing it there would be a problem. > > ?Well, the same underlying API change would cause breakage in Qt?. As it happens I've started a new backend that is openssl 1.1 specific that means it probably won't matter in this case, but I doubt Qt is the only thing using this string. The git version has reverted to fully backwards-compatible behaviour. The protocol version is "TLSv1" and the cipher protocol versions for the handful of PSK ciphers added with TLS 1.0 are "TLSv1.0". -- Viktor. From rt at openssl.org Fri Mar 18 21:56:38 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Fri, 18 Mar 2016 21:56:38 +0000 Subject: [openssl-dev] [openssl.org #4447] Missing generators for sparcv8plus.s, sparcv8.s and sparccpuid.s (OpenSSL 1.1.0 pre4) In-Reply-To: <56EC798B.7070502@kippdata.de> References: <56EC798B.7070502@kippdata.de> Message-ID: When building OpenSSL 1.1.0 pre4 on Solaris Sparc for 64 Bits I get an error, because before building crypto/bn/sparcv8plus.o first generates crypto/bn/asm/sparcv8plus.s from crypto/bn/asm/sparcv8plus.S with the following command gcc -E crypto/bn/asm/sparcv8plus.S > crypto/bn/asm/sparcv8plus.s This command is missing CFLAGS. As a consequence, the generated .s file does not work for 64 bit compilation and compiling it fails with lots of errors of type: /usr/ccs/bin/as: "crypto/bn/asm/sparcv8plus.s", line ...: error: detect global register use not covered .register pseudo-op The pre3 version compiled crypto/bn/asm/sparcv8plus.o directly from crypto/bn/asm/sparcv8plus.S (upper case ".S") using "gcc -c" and all CFLAGS, include flags etc. So either one does the same for pre4 or one adds a Makefile rule for crypto/bn/asm/sparcv8plus.s generating it from crypto/bn/asm/sparcv8plus.S respecting CFLAGS, include dirs etc. or simply copying it from the .S file. I think the switch from .S to .s happens in src2obj() inside Configurations/unix-Makefile.tmpl. So if it is intentional, you need to define and use a generator from .S to .s. The following patch worked for me, but I don't know whether it is how it should work: --- Configurations/00-base-templates.conf Wed Mar 16 19:18:09 2016 +++ Configurations/00-base-templates.conf Fri Mar 18 22:31:59 2016 @@ -198,8 +198,8 @@ }, sparcv9_asm => { template => 1, - cpuid_asm_src => "sparcv9cap.c sparccpuid.S", - bn_asm_src => "asm/sparcv8plus.S sparcv9-mont.S sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", + cpuid_asm_src => "sparcv9cap.c sparccpuid.s", + bn_asm_src => "sparcv8plus.s sparcv9-mont.S sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", ec_asm_src => "ecp_nistz256.c ecp_nistz256-sparcv9.S", des_asm_src => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S", aes_asm_src => "aes_core.c aes_cbc.c aes-sparcv9.S aest4-sparcv9.S", @@ -213,7 +213,7 @@ sparcv8_asm => { template => 1, cpuid_asm_src => "", - bn_asm_src => "asm/sparcv8.S", + bn_asm_src => "sparcv8.s", des_asm_src => "des_enc-sparc.S fcrypt_b.c", perlasm_scheme => "void" }, (upper case ".S" to lower case ".s" and removal of "asm/"). and two build.info changes: --- crypto/build.info Wed Mar 16 19:18:08 2016 +++ crypto/build.info Fri Mar 18 22:11:43 2016 @@ -21,6 +21,8 @@ GENERATE[x86_64cpuid.s]=x86_64cpuid.pl $(PERLASM_SCHEME) +GENERATE[sparccpuid.s]=sparccpuid.S + GENERATE[ia64cpuid.s]=ia64cpuid.S GENERATE[ppccpuid.s]=ppccpuid.pl $(PERLASM_SCHEME) GENERATE[pariscid.s]=pariscid.pl $(PERLASM_SCHEME) --- crypto/bn/build.info Wed Mar 16 19:18:09 2016 +++ crypto/bn/build.info Fri Mar 18 22:11:43 2016 @@ -24,6 +24,9 @@ $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR) DEPEND[x86-gf2m.s]=../perlasm/x86asm.pl +GENERATE[sparcv8.s]=asm/sparcv8.S +GENERATE[sparcv8plus.s]=asm/sparcv8plus.S + GENERATE[sparcv9a-mont.S]=asm/sparcv9a-mont.pl $(PERLASM_SCHEME) INCLUDE[sparcv9a-mont.o]=.. GENERATE[sparcv9-mont.S]=asm/sparcv9-mont.pl $(PERLASM_SCHEME) This seems to be consistent with how it is done for crypto/ia64cpuid.S crypto/aes/asm/aes-ia64.S crypto/bn/asm/ia64.S The same changes probably need to be done for crypto/s390xcpuid.S crypto/bn/asm/s390x.S Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4447 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 22:03:22 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Fri, 18 Mar 2016 22:03:22 +0000 Subject: [openssl-dev] [openssl.org #4448] Solaris pod install "sed" problem for OpenSSL 1.1.0 pre4 In-Reply-To: <56EC7B22.4040603@kippdata.de> References: <56EC7B22.4040603@kippdata.de> Message-ID: The following line in Configurations/unix-Makefile.tmpl is non standards-conforming and breaks using Solaris sed: ... sed -e ':a;{N;s/\n/ /;ba}' | \ ... The man page tells me, Solaris sed mandatory needs a newline before the closing "}". The above construct throws errors when executing PROCESS_PODS during the make target install_man_docs: Label too long: :a;{N;s/\n/ /;ba} Since I didn't find a way to include a verbatim newline in Configurations/unix-Makefile.tmpl that survives to the generated Makefile, I instead applied the following patch: --- unix-Makefile.tmpl Wed Mar 16 19:18:09 2016 +++ unix-Makefile.tmpl Fri Mar 18 22:23:57 2016 @@ -512,7 +512,7 @@ # The third sed removes the description and turns all commas into spaces # Voil?, you have a space separated list of names! EXTRACT_NAMES=sed -e '1,/^=head1 *NAME *$$/d;/^=head1/,$$d' | \ - sed -e ':a;{N;s/\n/ /;ba}' | \ + $(PERL) -p -0 -e 's/\n/ /g; END {print "\n"}' | \ sed -e 's/ - .*$$//;s/,/ /g' PROCESS_PODS=\ set -e; \ The perl based solution should work everywhere. Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4448 Please log in as guest with password guest if prompted From erik at efca.com Fri Mar 18 22:10:27 2016 From: erik at efca.com (Erik Forsberg) Date: Fri, 18 Mar 2016 15:10:27 -0700 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: It is the -nt that breaks Solaris 10 (dev0) 22$ make test catdepends=false + [ Makefile -nt Makefile ] *** Error code 1 it stops executing on that line. I like the suggestion of using /bin/ksh on Solaris 10, that is generally needed also for many GNU autoconfig scripts, so why not OpenSSL too ? It would be nice if that could be specified in the 10-main.conf snippets ? >-- Original Message -- > > >Perhaps with said attachment this time... > >Vid Fre, 18 Mar 2016 kl. 16.49.13, skrev levitte: >> Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: >> > I had the same problem. /bin/sh on Solaris does not understand the "- >> > nt" >> > operator used in the definition of the "depend" target in the top- >> > level >> > Makefile, e.g. in line >> > >> > if [ Makefile -nt Makefile ] ... >> >> That can't be the cause, because whatever the exit code from the test >> is, it's >> "swallowed" by 'if'. A little like this is: >> >> $ if (exit 1); then :; fi; echo $? 0 I cannot tell you what's going >> wrong, and >> the only suggestion I currently have is to apply the attached patch >> and then >> reconfigure and make and see what the output is. Can I assume you know >> what >> 'set -ex' does? >> >> Cheers, >> Richard >> >> -- >> Richard Levitte >> levitte at openssl.org > > >-- >Richard Levitte >levitte at openssl.org > >-- >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >Please log in as guest with password guest if prompted > > >diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl >index 3a1ade7..d13ab5e 100644 >--- a/Configurations/unix-Makefile.tmpl >+++ b/Configurations/unix-Makefile.tmpl >@@ -266,7 +266,7 @@ clean: libclean > # recognise the operator. > depend: > @: {- output_off() if $disabled{makedepend}; "" -} >- @catdepends=false; \ >+ @set -ex; catdepends=false; \ > if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ > for d in $(DEPS); do \ > if [ $$d -nt Makefile ]; then \ > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From rt at openssl.org Fri Mar 18 22:30:42 2016 From: rt at openssl.org (Erik Forsberg via RT) Date: Fri, 18 Mar 2016 22:30:42 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: It is the -nt that breaks Solaris 10 (dev0) 22$ make test catdepends=false + [ Makefile -nt Makefile ] *** Error code 1 it stops executing on that line. I like the suggestion of using /bin/ksh on Solaris 10, that is generally needed also for many GNU autoconfig scripts, so why not OpenSSL too ? It would be nice if that could be specified in the 10-main.conf snippets ? >-- Original Message -- > > >Perhaps with said attachment this time... > >Vid Fre, 18 Mar 2016 kl. 16.49.13, skrev levitte: >> Vid Fre, 18 Mar 2016 kl. 16.34.05, skrev rainer.jung at kippdata.de: >> > I had the same problem. /bin/sh on Solaris does not understand the "- >> > nt" >> > operator used in the definition of the "depend" target in the top- >> > level >> > Makefile, e.g. in line >> > >> > if [ Makefile -nt Makefile ] ... >> >> That can't be the cause, because whatever the exit code from the test >> is, it's >> "swallowed" by 'if'. A little like this is: >> >> $ if (exit 1); then :; fi; echo $? 0 I cannot tell you what's going >> wrong, and >> the only suggestion I currently have is to apply the attached patch >> and then >> reconfigure and make and see what the output is. Can I assume you know >> what >> 'set -ex' does? >> >> Cheers, >> Richard >> >> -- >> Richard Levitte >> levitte at openssl.org > > >-- >Richard Levitte >levitte at openssl.org > >-- >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >Please log in as guest with password guest if prompted > > >diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl >index 3a1ade7..d13ab5e 100644 >--- a/Configurations/unix-Makefile.tmpl >+++ b/Configurations/unix-Makefile.tmpl >@@ -266,7 +266,7 @@ clean: libclean > # recognise the operator. > depend: > @: {- output_off() if $disabled{makedepend}; "" -} >- @catdepends=false; \ >+ @set -ex; catdepends=false; \ > if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \ > for d in $(DEPS); do \ > if [ $$d -nt Makefile ]; then \ > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 22:42:42 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 18 Mar 2016 22:42:42 +0000 Subject: [openssl-dev] [openssl.org #4449] PATCH: fix PKCS12_newpass does not take a cont char[] In-Reply-To: References: Message-ID: A call to PKCS12_newpass: static const char super_secret[] = "password"; status = PKCS12_newpass(p12, super_secret, super_secret); ... Results in: test.cc:17:57: error: invalid conversion from ?const char*? to ?char*? [-fpermissive] In file included from test.cc:1:0: ./include/openssl/pkcs12.h:256:5: error: initializing argument 2 of ?int PKCS12_newpass(PKCS12*, char*, char*)? [-fpermissive] int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass); ********** The following tests OK with Master at b4ae8861214b5d73. $ git diff > PKCS12_newpass.patch $ cat PKCS12_newpass.patch diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index e23d035..601c047 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -76,7 +76,7 @@ static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); * Change the password on a PKCS#12 structure. */ -int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) +int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass) { /* Check for NULL PKCS12 structure */ diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h index 655655a..8589c2b 100644 --- a/include/openssl/pkcs12.h +++ b/include/openssl/pkcs12.h @@ -253,7 +253,7 @@ int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12); int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12); PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12); PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12); -int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass); +int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass); /* BEGIN ERROR CODES */ /* -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4449 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 18 22:59:20 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Fri, 18 Mar 2016 22:59:20 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: <20160318225910.GA12293@roeckx.be> References: <56EC000C.1080801@openssl.org> <20160318225910.GA12293@roeckx.be> Message-ID: On Fri, Mar 18, 2016 at 01:18:04PM +0000, Matt Caswell wrote: > > > On 18/03/16 12:52, noloader at gmail.com via RT wrote: > > I've configured with: > > > > ./config enable-afalgeng > > > > When I run the self tests, I see: > > > > ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not > > supported for this build > > You should not need to use enable-afalgeng at all. It is enabled by > default unless for some reason it is not supported by your system. > Reasons that it might not be supported: > > - You are not running Linux > - You are not building "shared" or have otherwise disabled dynamic-engines > - uname reports a kernel version less than 4.1.0 > - Your linux headers are less than 4.1.0 Please note that the kernel something is build on might not be the same as it's going to run on, so checking the current running kernel version doesn't make sense for compiling it. Is there some runtime detection of support in the kernel? Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4445 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 00:07:53 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 00:07:53 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> References: <587146.78445.qm@web101211.mail.kks.yahoo.co.jp> Message-ID: Fixup show in last message has now been merged with master, commit a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 00:28:21 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Sat, 19 Mar 2016 00:28:21 +0000 Subject: [openssl-dev] [openssl.org #4450] OpenSSL 1.1.0 pre4 podpath: cannot find suitable replacement path, cannot resolve link In-Reply-To: <56EC9D1B.7010002@kippdata.de> References: <56EC9D1B.7010002@kippdata.de> Message-ID: Errors during make install: Cannot find "EXAMPLES" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "X509_STORE_set_default_paths" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "SSL_pending()" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "EVP_MAX_IV_LENGTH" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "EVP_EncryptInit_ex" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "HMAC_Init_ex" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "EVP_DecryptInit_ex" in podpath: cannot find suitable replacement path, cannot resolve link Cannot find "HMAC_Init_ex" in podpath: cannot find suitable replacement path, cannot resolve link Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4450 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 00:47:40 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 19 Mar 2016 00:47:40 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: Working from Master at a6adf099cbd7c3bc... $ KERNEL_BITS=64 ./config && make depend && make clean && make -j 4 ... $ make test ... LD_LIBRARY_PATH=.: cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib/engines" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -o test/wp_test test/wp_test.o -Wl,-search_paths_first -L. -lcrypto make[1]: Leaving directory '/Users/jwalton/openssl' ( cd test; \ SRCTOP=../. \ BLDTOP=../. \ EXE_EXT= \ OPENSSL_ENGINES=.././engines \ /opt/local/bin//perl5 .././test/run_tests.pl ) ../test/recipes/01-test_abort.t ........... sh: line 1: 71522 Abort trap: 6 ../util/shlib_wrap.sh ./aborttest 2> /dev/null ../test/recipes/01-test_abort.t ........... ok ../test/recipes/01-test_ordinals.t ........ ok ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 00:56:36 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 00:56:36 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: This is a non issue, the test comes through ok as expected. The printout is a bit ugly, sure, but... And I'd love if someone could figure out a good way not to have that output. My attempts failed miserably... Vid Sat, 19 Mar 2016 kl. 00.47.40, skrev noloader at gmail.com: > Working from Master at a6adf099cbd7c3bc... > > $ KERNEL_BITS=64 ./config && make depend && make clean && make -j 4 > ... > > $ make test > ... > LD_LIBRARY_PATH=.: cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib/engines" > -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -o test/wp_test > test/wp_test.o -Wl,-search_paths_first -L. -lcrypto > make[1]: Leaving directory '/Users/jwalton/openssl' > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > OPENSSL_ENGINES=.././engines \ > /opt/local/bin//perl5 .././test/run_tests.pl ) > ../test/recipes/01-test_abort.t ........... sh: line 1: 71522 Abort > trap: 6 ../util/shlib_wrap.sh ./aborttest 2> /dev/null > ../test/recipes/01-test_abort.t ........... ok > ../test/recipes/01-test_ordinals.t ........ ok > ... > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From noloader at gmail.com Sat Mar 19 01:00:12 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 18 Mar 2016 21:00:12 -0400 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: On Fri, Mar 18, 2016 at 8:56 PM, Richard Levitte via RT wrote: > This is a non issue, the test comes through ok as expected. The printout is a > bit ugly, sure, but... > > And I'd love if someone could figure out a good way not to have that output. My > attempts failed miserably... Oh, sorry about that. Jeff From rt at openssl.org Sat Mar 19 01:00:22 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 19 Mar 2016 01:00:22 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: On Fri, Mar 18, 2016 at 8:56 PM, Richard Levitte via RT wrote: > This is a non issue, the test comes through ok as expected. The printout is a > bit ugly, sure, but... > > And I'd love if someone could figure out a good way not to have that output. My > attempts failed miserably... Oh, sorry about that. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 01:13:33 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Sat, 19 Mar 2016 01:13:33 +0000 Subject: [openssl-dev] [openssl.org #4446] [openssl 1.1.0] Memory handling inside ASN1_item_sign_ctx() In-Reply-To: <9A2D7FB40390D144BE9C16563F849C86045CC091@AS000EX.ifd.infodas.de> References: <9A2D7FB40390D144BE9C16563F849C86045CC091@AS000EX.ifd.infodas.de> Message-ID: Your fix has now been applied to the master branch. Thanks for the report. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4446 Please log in as guest with password guest if prompted From erik at efca.com Sat Mar 19 01:31:48 2016 From: erik at efca.com (Erik Forsberg) Date: Fri, 18 Mar 2016 18:31:48 -0700 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: still not working right. Attached a longish log file extract. But root cause seems to be that we try to process test dependencies while doing depend in crypto, way before we had done any work in the test subdir. That causes the find to exit with failed status aborting the depend. >-- Original Message -- > >Fixup show in last message has now been merged with master, commit >a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 > >-- >Richard Levitte >levitte at openssl.org > >-- >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >Please log in as guest with password guest if prompted > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: depend.log Type: application/octet-stream Size: 34335 bytes Desc: not available URL: From noloader at gmail.com Sat Mar 19 01:41:15 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 18 Mar 2016 21:41:15 -0400 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: This might be a philosophical difference, but: $ test/aborttest test/aborttest.c:15: OpenSSL internal error: Voluntary abort Abort trap I don't believe its the library's place to shutdown an application. Libraries don't make policy decisions for applications. I think in this case, the library should refuse to process data and always return a failure. Similar to latching a power-up self test failure for the FIPS gear. Crashing the application will make OpenSSL powered apps no better than BIND, which constantly DoS'es itself. Cf., http://www.google.com/search?q=bind+assert+cve. Jeff On Fri, Mar 18, 2016 at 8:56 PM, Richard Levitte via RT wrote: > This is a non issue, the test comes through ok as expected. The printout is a > bit ugly, sure, but... > > And I'd love if someone could figure out a good way not to have that output. My > attempts failed miserably... > > Vid Sat, 19 Mar 2016 kl. 00.47.40, skrev noloader at gmail.com: >> Working from Master at a6adf099cbd7c3bc... >> >> $ KERNEL_BITS=64 ./config && make depend && make clean && make -j 4 >> ... >> ... >> OPENSSL_ENGINES=.././engines \ >> /opt/local/bin//perl5 .././test/run_tests.pl ) >> ../test/recipes/01-test_abort.t ........... sh: line 1: 71522 Abort >> trap: 6 ../util/shlib_wrap.sh ./aborttest 2> /dev/null >> ../test/recipes/01-test_abort.t ........... ok >> ../test/recipes/01-test_ordinals.t ........ ok >> ... From rt at openssl.org Sat Mar 19 01:41:18 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 19 Mar 2016 01:41:18 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: This might be a philosophical difference, but: $ test/aborttest test/aborttest.c:15: OpenSSL internal error: Voluntary abort Abort trap I don't believe its the library's place to shutdown an application. Libraries don't make policy decisions for applications. I think in this case, the library should refuse to process data and always return a failure. Similar to latching a power-up self test failure for the FIPS gear. Crashing the application will make OpenSSL powered apps no better than BIND, which constantly DoS'es itself. Cf., http://www.google.com/search?q=bind+assert+cve. Jeff On Fri, Mar 18, 2016 at 8:56 PM, Richard Levitte via RT wrote: > This is a non issue, the test comes through ok as expected. The printout is a > bit ugly, sure, but... > > And I'd love if someone could figure out a good way not to have that output. My > attempts failed miserably... > > Vid Sat, 19 Mar 2016 kl. 00.47.40, skrev noloader at gmail.com: >> Working from Master at a6adf099cbd7c3bc... >> >> $ KERNEL_BITS=64 ./config && make depend && make clean && make -j 4 >> ... >> ... >> OPENSSL_ENGINES=.././engines \ >> /opt/local/bin//perl5 .././test/run_tests.pl ) >> ../test/recipes/01-test_abort.t ........... sh: line 1: 71522 Abort >> trap: 6 ../util/shlib_wrap.sh ./aborttest 2> /dev/null >> ../test/recipes/01-test_abort.t ........... ok >> ../test/recipes/01-test_ordinals.t ........ ok >> ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 01:46:13 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 01:46:13 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: <20160319.024609.1263116961995387193.levitte@openssl.org> References: <20160319.024609.1263116961995387193.levitte@openssl.org> Message-ID: In this case, though, it's an application that explicitely calls an aborting function. No subterfuge at all there, so if you wanted to complain, this is a particularly bad example. We do use OPENSSL_assert() in some places, to check *internal* state. When internal state is incorrect, it's not something that should keep running. The aim is, of course, that such errors will be caught by our tests. Cheers, Richard In message on Sat, 19 Mar 2016 01:41:18 +0000, "noloader at gmail.com via RT" said: rt> This might be a philosophical difference, but: rt> rt> $ test/aborttest rt> test/aborttest.c:15: OpenSSL internal error: Voluntary abort rt> Abort trap rt> rt> I don't believe its the library's place to shutdown an application. rt> Libraries don't make policy decisions for applications. rt> rt> I think in this case, the library should refuse to process data and rt> always return a failure. Similar to latching a power-up self test rt> failure for the FIPS gear. rt> rt> Crashing the application will make OpenSSL powered apps no better than rt> BIND, which constantly DoS'es itself. Cf., rt> http://www.google.com/search?q=bind+assert+cve. rt> rt> Jeff rt> rt> On Fri, Mar 18, 2016 at 8:56 PM, Richard Levitte via RT wrote: rt> > This is a non issue, the test comes through ok as expected. The printout is a rt> > bit ugly, sure, but... rt> > rt> > And I'd love if someone could figure out a good way not to have that output. My rt> > attempts failed miserably... rt> > rt> > Vid Sat, 19 Mar 2016 kl. 00.47.40, skrev noloader at gmail.com: rt> >> Working from Master at a6adf099cbd7c3bc... rt> >> rt> >> $ KERNEL_BITS=64 ./config && make depend && make clean && make -j 4 rt> >> ... rt> >> ... rt> >> OPENSSL_ENGINES=.././engines \ rt> >> /opt/local/bin//perl5 .././test/run_tests.pl ) rt> >> ../test/recipes/01-test_abort.t ........... sh: line 1: 71522 Abort rt> >> trap: 6 ../util/shlib_wrap.sh ./aborttest 2> /dev/null rt> >> ../test/recipes/01-test_abort.t ........... ok rt> >> ../test/recipes/01-test_ordinals.t ........ ok rt> >> ... rt> rt> rt> -- rt> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 rt> Please log in as guest with password guest if prompted rt> rt> -- rt> openssl-dev mailing list rt> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev rt> -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From noloader at gmail.com Sat Mar 19 01:49:05 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 18 Mar 2016 21:49:05 -0400 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160319.024609.1263116961995387193.levitte@openssl.org> Message-ID: On Fri, Mar 18, 2016 at 9:46 PM, Richard Levitte via RT wrote: > In this case, though, it's an application that explicitely calls an > aborting function. No subterfuge at all there, so if you wanted to > complain, this is a particularly bad example. > > We do use OPENSSL_assert() in some places, to check *internal* state. > When internal state is incorrect, it's not something that should keep > running. The aim is, of course, that such errors will be caught by > our tests. When the library aborts, what keeps sensitive information from being written to disk and then sent to Apple, Microsoft, in a crash report? Jeff From rt at openssl.org Sat Mar 19 01:49:13 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 19 Mar 2016 01:49:13 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160319.024609.1263116961995387193.levitte@openssl.org> Message-ID: On Fri, Mar 18, 2016 at 9:46 PM, Richard Levitte via RT wrote: > In this case, though, it's an application that explicitely calls an > aborting function. No subterfuge at all there, so if you wanted to > complain, this is a particularly bad example. > > We do use OPENSSL_assert() in some places, to check *internal* state. > When internal state is incorrect, it's not something that should keep > running. The aim is, of course, that such errors will be caught by > our tests. When the library aborts, what keeps sensitive information from being written to disk and then sent to Apple, Microsoft, in a crash report? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From erik at efca.com Sat Mar 19 02:33:06 2016 From: erik at efca.com (Erik Forsberg) Date: Fri, 18 Mar 2016 19:33:06 -0700 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: commit ac89799c3e78e9af1031226eb2fd389a70ce3c1b @levitte levitte committed an hour ago tried to fix this but it still dont work. Even on Solaris 11 I get (srv) 22# find foo -print find: stat() error foo: No such file or directory (srv) 23# echo $? 1 (srv) 24# find . -name foo -print (srv) 25# echo $? 0 if you pass a non-existent file to find, it exits with non-zero status which stops the make in progress. >-- Original Message -- > > >still not working right. >Attached a longish log file extract. >But root cause seems to be that we try to process test dependencies >while doing depend in crypto, way before we had done any work in >the test subdir. That causes the find to exit with failed status aborting >the depend. > > >>-- Original Message -- >> >>Fixup show in last message has now been merged with master, commit >>a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 >> >>-- >>Richard Levitte >>levitte at openssl.org >> >>-- >>Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >>Please log in as guest with password guest if prompted >> >>-- >>openssl-dev mailing list >>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > >Attachment: depend.log (33.7 KB) > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From matt at openssl.org Sat Mar 19 10:09:51 2016 From: matt at openssl.org (Matt Caswell) Date: Sat, 19 Mar 2016 10:09:51 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: References: <56EC000C.1080801@openssl.org> <20160318225910.GA12293@roeckx.be> Message-ID: <56ED256F.7070006@openssl.org> On 18/03/16 22:59, Kurt Roeckx via RT wrote: > On Fri, Mar 18, 2016 at 01:18:04PM +0000, Matt Caswell wrote: >> >> >> On 18/03/16 12:52, noloader at gmail.com via RT wrote: >>> I've configured with: >>> >>> ./config enable-afalgeng >>> >>> When I run the self tests, I see: >>> >>> ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not >>> supported for this build >> >> You should not need to use enable-afalgeng at all. It is enabled by >> default unless for some reason it is not supported by your system. >> Reasons that it might not be supported: >> >> - You are not running Linux >> - You are not building "shared" or have otherwise disabled dynamic-engines >> - uname reports a kernel version less than 4.1.0 >> - Your linux headers are less than 4.1.0 > > Please note that the kernel something is build on might not be the > same as it's going to run on, so checking the current running > kernel version doesn't make sense for compiling it. Is there some > runtime detection of support in the kernel? Yes. There is runtime detection too. Matt From rt at openssl.org Sat Mar 19 10:09:59 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Sat, 19 Mar 2016 10:09:59 +0000 Subject: [openssl-dev] [openssl.org #4445] Configure does not honor enable-afalgeng In-Reply-To: <56ED256F.7070006@openssl.org> References: <56EC000C.1080801@openssl.org> <20160318225910.GA12293@roeckx.be> <56ED256F.7070006@openssl.org> Message-ID: On 18/03/16 22:59, Kurt Roeckx via RT wrote: > On Fri, Mar 18, 2016 at 01:18:04PM +0000, Matt Caswell wrote: >> >> >> On 18/03/16 12:52, noloader at gmail.com via RT wrote: >>> I've configured with: >>> >>> ./config enable-afalgeng >>> >>> When I run the self tests, I see: >>> >>> ../test/recipes/30-test_afalg.t ........... skipped: test_afalg not >>> supported for this build >> >> You should not need to use enable-afalgeng at all. It is enabled by >> default unless for some reason it is not supported by your system. >> Reasons that it might not be supported: >> >> - You are not running Linux >> - You are not building "shared" or have otherwise disabled dynamic-engines >> - uname reports a kernel version less than 4.1.0 >> - Your linux headers are less than 4.1.0 > > Please note that the kernel something is build on might not be the > same as it's going to run on, so checking the current running > kernel version doesn't make sense for compiling it. Is there some > runtime detection of support in the kernel? Yes. There is runtime detection too. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4445 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 10:14:25 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 10:14:25 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: Right. A little 'exit 0' in the right spot should fix that. It's true that the dependencies that are generated depend quite a lot on what you've built so far, I hope that's not an enormous bother. Cheers, Richard Vid Sat, 19 Mar 2016 kl. 01.31.53, skrev erik at efca.com: > still not working right. > Attached a longish log file extract. > But root cause seems to be that we try to process test dependencies > while doing depend in crypto, way before we had done any work in > the test subdir. That causes the find to exit with failed status aborting > the depend. > > > >-- Original Message -- > > > >Fixup show in last message has now been merged with master, commit > >a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 > > > >-- > >Richard Levitte > >levitte at openssl.org > > > >-- > >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 > >Please log in as guest with password guest if prompted > > > >-- > >openssl-dev mailing list > >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 10:23:09 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 10:23:09 +0000 Subject: [openssl-dev] [openssl.org #4448] Solaris pod install "sed" problem for OpenSSL 1.1.0 pre4 In-Reply-To: <56EC7B22.4040603@kippdata.de> References: <56EC7B22.4040603@kippdata.de> Message-ID: Right. Thanks! Will apply. Cheers, Richard Vid Fre, 18 Mar 2016 kl. 22.03.22, skrev rainer.jung at kippdata.de: > The following line in Configurations/unix-Makefile.tmpl is non > standards-conforming and breaks using Solaris sed: > > ... > sed -e ':a;{N;s/\n/ /;ba}' | \ > ... > > The man page tells me, Solaris sed mandatory needs a newline before the > closing "}". The above construct throws errors when executing > PROCESS_PODS during the make target install_man_docs: > > Label too long: :a;{N;s/\n/ /;ba} > > Since I didn't find a way to include a verbatim newline in > Configurations/unix-Makefile.tmpl that survives to the generated > Makefile, I instead applied the following patch: > > --- unix-Makefile.tmpl Wed Mar 16 19:18:09 2016 > +++ unix-Makefile.tmpl Fri Mar 18 22:23:57 2016 > @@ -512,7 +512,7 @@ > # The third sed removes the description and turns all commas into spaces > # Voil?, you have a space separated list of names! > EXTRACT_NAMES=sed -e '1,/^=head1 *NAME *$$/d;/^=head1/,$$d' | \ > - sed -e ':a;{N;s/\n/ /;ba}' | \ > + $(PERL) -p -0 -e 's/\n/ /g; END {print "\n"}' | \ > sed -e 's/ - .*$$//;s/,/ /g' > PROCESS_PODS=\ > set -e; \ > > The perl based solution should work everywhere. > > Regards, > > Rainer > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4448 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 10:41:01 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 10:41:01 +0000 Subject: [openssl-dev] [openssl.org #4450] OpenSSL 1.1.0 pre4 podpath: cannot find suitable replacement path, cannot resolve link In-Reply-To: <56EC9D1B.7010002@kippdata.de> References: <56EC9D1B.7010002@kippdata.de> Message-ID: Thank you. Those are caused by some improperly written L<> links. Fix coming up. Cheers, Richard Vid Sat, 19 Mar 2016 kl. 00.28.21, skrev rainer.jung at kippdata.de: > Errors during make install: > > Cannot find "EXAMPLES" in podpath: cannot find suitable replacement > path, cannot resolve link > Cannot find "X509_STORE_set_default_paths" in podpath: cannot find > suitable replacement path, cannot resolve link > Cannot find "SSL_pending()" in podpath: cannot find suitable replacement > path, cannot resolve link > Cannot find "EVP_MAX_IV_LENGTH" in podpath: cannot find suitable > replacement path, cannot resolve link > Cannot find "EVP_EncryptInit_ex" in podpath: cannot find suitable > replacement path, cannot resolve link > Cannot find "HMAC_Init_ex" in podpath: cannot find suitable replacement > path, cannot resolve link > Cannot find "EVP_DecryptInit_ex" in podpath: cannot find suitable > replacement path, cannot resolve link > Cannot find "HMAC_Init_ex" in podpath: cannot find suitable replacement > path, cannot resolve link > > Regards, > > Rainer > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4450 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 10:44:09 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 10:44:09 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160319.024609.1263116961995387193.levitte@openssl.org> Message-ID: I think that's a discussion that deserves its own new thread on openssl-dev. A RT ticket is *not* the right place for a philosophical discussion. Closing this. Please don't respond on this message, create a new thread instead. Vid Sat, 19 Mar 2016 kl. 01.49.13, skrev noloader at gmail.com: > On Fri, Mar 18, 2016 at 9:46 PM, Richard Levitte via RT > wrote: > > In this case, though, it's an application that explicitely calls an > > aborting function. No subterfuge at all there, so if you wanted to > > complain, this is a particularly bad example. > > > > We do use OPENSSL_assert() in some places, to check *internal* state. > > When internal state is incorrect, it's not something that should keep > > running. The aim is, of course, that such errors will be caught by > > our tests. > > When the library aborts, what keeps sensitive information from being > written to disk and then sent to Apple, Microsoft, > in a crash report? > > Jeff -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 10:56:00 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sat, 19 Mar 2016 10:56:00 +0000 Subject: [openssl-dev] [openssl.org #4452] openssl-1.1.0-pre4: undefined symbol for solaris-x86-cc In-Reply-To: <747648.50843.qm@web101220.mail.kks.yahoo.co.jp> References: <747648.50843.qm@web101220.mail.kks.yahoo.co.jp> Message-ID: With patch for #4444, % mkdir build_solaris-x86-cc % cd build_solaris-x86-cc % ../Configure solaris-x86-cc % make ??? : Undefined?????????????????????? first referenced ?symbol???????????????????????????? in file padlock_xstore????????????????????? ./libcrypto.a(e_padlock.o) padlock_capability????????????????? ./libcrypto.a(e_padlock.o) padlock_reload_key????????????????? ./libcrypto.a(e_padlock.o) padlock_ctr32_encrypt?????????????? ./libcrypto.a(e_padlock.o) padlock_key_bswap?????????????????? ./libcrypto.a(e_padlock.o) padlock_cbc_encrypt???????????????? ./libcrypto.a(e_padlock.o) padlock_cfb_encrypt???????????????? ./libcrypto.a(e_padlock.o) padlock_ecb_encrypt???????????????? ./libcrypto.a(e_padlock.o) padlock_ofb_encrypt???????????????? ./libcrypto.a(e_padlock.o) padlock_aes_block?????????????????? ./libcrypto.a(e_padlock.o) ld: fatal: symbol referencing errors. No output written to apps/openssl ../Makefile.shared:186: recipe for target 'link_app.' failed make[1]: *** [link_app.] Error 2 % ../Configure solaris-x86-cc no-asm % make % make test passes. OS: Solaris10 x86/x64 cc: /opt/solarisstudio12.4/bin/cc Best Regards, --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4452 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 10:56:00 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sat, 19 Mar 2016 10:56:00 +0000 Subject: [openssl-dev] [openssl.org #4453] openssl-1.1.0-pre4: make fails with 'wrong ELF class: ELFCLASS64' on solaris64-x86_64-cc In-Reply-To: <173729.2988.qm@web101210.mail.kks.yahoo.co.jp> References: <173729.2988.qm@web101210.mail.kks.yahoo.co.jp> Message-ID: Hello, Tested with patch for #4444, and removing gcc from path. % ./config Operating system: i86pc-whatever-solaris2 Configuring for solaris64-x86_64-cc Configuring OpenSSL version 1.1.0-pre4 (0x0x10100004L) ??? no-crypto-mdebug [default]? OPENSSL_NO_CRYPTO_MDEBUG (skip dir) ??? no-crypto-mdebug-backtrace [forced]?? OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) ??? no-dynamic-engine [forced]? ??? no-ec_nistp_64_gcc_128 [default]? OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) ??? no-egd????????? [default]? OPENSSL_NO_EGD (skip dir) ??? no-heartbeats?? [default]? OPENSSL_NO_HEARTBEATS (skip dir) ??? no-md2????????? [default]? OPENSSL_NO_MD2 (skip dir) ??? no-rc5????????? [default]? OPENSSL_NO_RC5 (skip dir) ??? no-sctp???????? [default]? OPENSSL_NO_SCTP (skip dir) ??? no-shared?????? [default] ??? no-ssl-trace??? [default]? OPENSSL_NO_SSL_TRACE (skip dir) ??? no-ssl3???????? [default]? OPENSSL_NO_SSL3 (skip dir) ??? no-ssl3-method? [default]? OPENSSL_NO_SSL3_METHOD (skip dir) ??? no-unit-test??? [default]? OPENSSL_NO_UNIT_TEST (skip dir) ??? no-weak-ssl-ciphers [default]? OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) ??? no-zlib???????? [default] ??? no-zlib-dynamic [default] Configuring for solaris64-x86_64-cc IsMK1MF?????? =no CC??????????? =cc CFLAG???????? =-xarch=generic64 -xstrconst -Xa -DL_ENDIAN -xO5 -xdepend -xbuiltin -D_REENTRANT -DFILIO_H SHARED_CFLAG? =-KPIC DEFINES?????? =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG???????? =-mt PLIB_LFLAG??? = EX_LIBS?????? =-lresolv -lsocket -lnsl -ldl -lpthread APPS_OBJ????? = CPUID_OBJ???? =x86_64cpuid.o UPLINK_OBJ??? = BN_ASM??????? =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM??????? =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC?????? =des_enc.o fcrypt_b.o AES_ENC?????? =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC??????? =bf_enc.o CAST_ENC????? =c_enc.o RC4_ENC?????? =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC?????? =rc5_enc.o MD5_OBJ_ASM?? =md5-x86_64.o SHA1_OBJ_ASM? =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC????? =cmll-x86_64.o cmll_misc.o MODES_OBJ???? =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ?? =e_padlock-x86_64.o CHACHA_ENC??? =chacha-x86_64.o POLY1305_OBJ? =poly1305-x86_64.o BLAKE2_OBJ??? = PROCESSOR???? = RANLIB??????? =/usr/ccs/bin/ranlib ARFLAGS?????? = PERL????????? =/opt/perl5/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for solaris64-x86_64-cc. % make ??? : make[1]: Entering directory '/tmp/openssl-1.1.0-pre4' ( :; LIBDEPS="${LIBDEPS:--L. -lssl -L. -lcrypto -lresolv -lsocket -lnsl -ldl -lpthread }"; LDCMD="${LDCMD:-cc}"; LDFLAGS="${LDFLAGS:--DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -xarch=generic64 -xstrconst -Xa -DL_ENDIAN -xO5 -xdepend -xbuiltin -D_REENTRANT -DFILIO_H?? -mt}"; LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; echo LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=apps/openssl} apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o ${LIBDEPS}; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=apps/openssl} apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o ${LIBDEPS} ) LD_LIBRARY_PATH=.:/opt/openssl/lib:/opt/local/lib:/usr/local/lib:/opt/local/locale/lib:/opt/SUNWspro/lib:/usr/jdk/latest/lib:/opt/netpbm/lib:/usr/sfw/lib:/usr/lib:/usr/lib/iconv:/usr/lib/locale/ja:/opt/sfw/lib:/opt/sfw/netpbm/link:/usr/openwin/lib/locale/ja:/usr/openwin/lib/locale/common:/usr/openwin/lib:/usr/java/lib:/opt/coreutils/libexec/coreutils cc -mt -o apps/openssl apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o -L. -lssl -L. -lcrypto -lresolv -lsocket -lnsl -ldl -lpthread ld: fatal: file apps/app_rand.o: wrong ELF class: ELFCLASS64 ld: fatal: file processing errors. No output written to apps/openssl Makefile.shared:186: recipe for target 'link_app.' failed make[1]: *** [link_app.] Error 2 make[1]: Leaving directory '/tmp/openssl-1.1.0-pre4' Makefile:8687: recipe for target 'apps/openssl' failed make: *** [apps/openssl] Error 2 Patch for this: diff ../openssl-1.1.0-pre4.orig/Configurations/10-main.conf Configurations/10-main.conf 196c196 add(threads("-mt")), --- >???????? lflags?????????? => add(threads("-mt -m64")), It seems to be better to change '-xarch=generic64' to '-m64' in line 196 & 201 of the same file, too. Best Regards, --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4453 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 11:02:09 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 11:02:09 +0000 Subject: [openssl-dev] [openssl.org #4447] Missing generators for sparcv8plus.s, sparcv8.s and sparccpuid.s (OpenSSL 1.1.0 pre4) In-Reply-To: <56EC798B.7070502@kippdata.de> References: <56EC798B.7070502@kippdata.de> Message-ID: Hmmm... Actually, I'm thinkg that src2obj() should check if the original file exists as given before changing .S to .s... That should work, since we're always generating 'foo.s' from 'asm/foo.S' (or 'asm/foo.pl', but that's not applicable here)... The directory difference should make it safe. I'll experiment a little, there's also the question of the assembler files in crypto/, but they are a problem in other builds as well... So, fix coming up! But not quite your solution. Vid Fre, 18 Mar 2016 kl. 21.56.37, skrev rainer.jung at kippdata.de: > When building OpenSSL 1.1.0 pre4 on Solaris Sparc for 64 Bits I get an > error, because before building crypto/bn/sparcv8plus.o first generates > crypto/bn/asm/sparcv8plus.s from crypto/bn/asm/sparcv8plus.S with the > following command > > gcc -E crypto/bn/asm/sparcv8plus.S > crypto/bn/asm/sparcv8plus.s > > This command is missing CFLAGS. As a consequence, the generated .s file > does not work for 64 bit compilation and compiling it fails with lots of > errors of type: > > /usr/ccs/bin/as: "crypto/bn/asm/sparcv8plus.s", line ...: error: detect > global register use not covered .register pseudo-op > > The pre3 version compiled crypto/bn/asm/sparcv8plus.o directly from > crypto/bn/asm/sparcv8plus.S (upper case ".S") using "gcc -c" and all > CFLAGS, include flags etc. > > So either one does the same for pre4 or one adds a Makefile rule for > crypto/bn/asm/sparcv8plus.s generating it from > crypto/bn/asm/sparcv8plus.S respecting CFLAGS, include dirs etc. or > simply copying it from the .S file. > > I think the switch from .S to .s happens in src2obj() inside > Configurations/unix-Makefile.tmpl. So if it is intentional, you need to > define and use a generator from .S to .s. > > The following patch worked for me, but I don't know whether it is how it > should work: > > > --- Configurations/00-base-templates.conf Wed Mar 16 19:18:09 2016 > +++ Configurations/00-base-templates.conf Fri Mar 18 22:31:59 2016 > @@ -198,8 +198,8 @@ > }, > sparcv9_asm => { > template => 1, > - cpuid_asm_src => "sparcv9cap.c sparccpuid.S", > - bn_asm_src => "asm/sparcv8plus.S sparcv9-mont.S > sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", > + cpuid_asm_src => "sparcv9cap.c sparccpuid.s", > + bn_asm_src => "sparcv8plus.s sparcv9-mont.S sparcv9a-mont.S > vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", > ec_asm_src => "ecp_nistz256.c ecp_nistz256-sparcv9.S", > des_asm_src => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S", > aes_asm_src => "aes_core.c aes_cbc.c aes-sparcv9.S > aest4-sparcv9.S", > @@ -213,7 +213,7 @@ > sparcv8_asm => { > template => 1, > cpuid_asm_src => "", > - bn_asm_src => "asm/sparcv8.S", > + bn_asm_src => "sparcv8.s", > des_asm_src => "des_enc-sparc.S fcrypt_b.c", > perlasm_scheme => "void" > }, > > > (upper case ".S" to lower case ".s" and removal of "asm/"). > > and two build.info changes: > > > --- crypto/build.info Wed Mar 16 19:18:08 2016 > +++ crypto/build.info Fri Mar 18 22:11:43 2016 > @@ -21,6 +21,8 @@ > > GENERATE[x86_64cpuid.s]=x86_64cpuid.pl $(PERLASM_SCHEME) > > +GENERATE[sparccpuid.s]=sparccpuid.S > + > GENERATE[ia64cpuid.s]=ia64cpuid.S > GENERATE[ppccpuid.s]=ppccpuid.pl $(PERLASM_SCHEME) > GENERATE[pariscid.s]=pariscid.pl $(PERLASM_SCHEME) > > > --- crypto/bn/build.info Wed Mar 16 19:18:09 2016 > +++ crypto/bn/build.info Fri Mar 18 22:11:43 2016 > @@ -24,6 +24,9 @@ > $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR) > DEPEND[x86-gf2m.s]=../perlasm/x86asm.pl > > +GENERATE[sparcv8.s]=asm/sparcv8.S > +GENERATE[sparcv8plus.s]=asm/sparcv8plus.S > + > GENERATE[sparcv9a-mont.S]=asm/sparcv9a-mont.pl $(PERLASM_SCHEME) > INCLUDE[sparcv9a-mont.o]=.. > GENERATE[sparcv9-mont.S]=asm/sparcv9-mont.pl $(PERLASM_SCHEME) > > > This seems to be consistent with how it is done for > > crypto/ia64cpuid.S > crypto/aes/asm/aes-ia64.S > crypto/bn/asm/ia64.S > > The same changes probably need to be done for > > crypto/s390xcpuid.S > crypto/bn/asm/s390x.S > > Regards, > > Rainer > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4447 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 11:32:34 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 11:32:34 +0000 Subject: [openssl-dev] [openssl.org #4450] OpenSSL 1.1.0 pre4 podpath: cannot find suitable replacement path, cannot resolve link In-Reply-To: References: <56EC9D1B.7010002@kippdata.de> Message-ID: Fixed in commit c1e350577fe14e3e124cc258f742cb77a14b6ce8. Closing ticket. Vid Sat, 19 Mar 2016 kl. 10.41.01, skrev levitte: > Thank you. Those are caused by some improperly written L<> links. Fix coming > up. > > Cheers, > Richard > > Vid Sat, 19 Mar 2016 kl. 00.28.21, skrev rainer.jung at kippdata.de: > > Errors during make install: > > > > Cannot find "EXAMPLES" in podpath: cannot find suitable replacement > > path, cannot resolve link > > Cannot find "X509_STORE_set_default_paths" in podpath: cannot find > > suitable replacement path, cannot resolve link > > Cannot find "SSL_pending()" in podpath: cannot find suitable replacement > > path, cannot resolve link > > Cannot find "EVP_MAX_IV_LENGTH" in podpath: cannot find suitable > > replacement path, cannot resolve link > > Cannot find "EVP_EncryptInit_ex" in podpath: cannot find suitable > > replacement path, cannot resolve link > > Cannot find "HMAC_Init_ex" in podpath: cannot find suitable replacement > > path, cannot resolve link > > Cannot find "EVP_DecryptInit_ex" in podpath: cannot find suitable > > replacement path, cannot resolve link > > Cannot find "HMAC_Init_ex" in podpath: cannot find suitable replacement > > path, cannot resolve link > > > > Regards, > > > > Rainer > > > > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4450 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 11:33:27 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 11:33:27 +0000 Subject: [openssl-dev] [openssl.org #4448] Solaris pod install "sed" problem for OpenSSL 1.1.0 pre4 In-Reply-To: References: <56EC7B22.4040603@kippdata.de> Message-ID: Applied in commit 5287761bfc34d32572b1acfd6e64fd8c0fb2f799. Closing ticket. Vid Sat, 19 Mar 2016 kl. 10.23.09, skrev levitte: > Right. Thanks! Will apply. > > Cheers, > Richard > > Vid Fre, 18 Mar 2016 kl. 22.03.22, skrev rainer.jung at kippdata.de: > > The following line in Configurations/unix-Makefile.tmpl is non > > standards-conforming and breaks using Solaris sed: > > > > ... > > sed -e ':a;{N;s/\n/ /;ba}' | \ > > ... > > > > The man page tells me, Solaris sed mandatory needs a newline before the > > closing "}". The above construct throws errors when executing > > PROCESS_PODS during the make target install_man_docs: > > > > Label too long: :a;{N;s/\n/ /;ba} > > > > Since I didn't find a way to include a verbatim newline in > > Configurations/unix-Makefile.tmpl that survives to the generated > > Makefile, I instead applied the following patch: > > > > --- unix-Makefile.tmpl Wed Mar 16 19:18:09 2016 > > +++ unix-Makefile.tmpl Fri Mar 18 22:23:57 2016 > > @@ -512,7 +512,7 @@ > > # The third sed removes the description and turns all commas into spaces > > # Voil?, you have a space separated list of names! > > EXTRACT_NAMES=sed -e '1,/^=head1 *NAME *$$/d;/^=head1/,$$d' | \ > > - sed -e ':a;{N;s/\n/ /;ba}' | \ > > + $(PERL) -p -0 -e 's/\n/ /g; END {print "\n"}' | \ > > sed -e 's/ - .*$$//;s/,/ /g' > > PROCESS_PODS=\ > > set -e; \ > > > > The perl based solution should work everywhere. > > > > Regards, > > > > Rainer > > > > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4448 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 11:34:46 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 11:34:46 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: Fixed in commit 243a98d4a03a411dfe6db727dbf90adbfa2e7474. Can we close this ticket for good now? Vid Sat, 19 Mar 2016 kl. 10.14.25, skrev levitte: > Right. A little 'exit 0' in the right spot should fix that. > > It's true that the dependencies that are generated depend quite a lot > on what > you've built so far, I hope that's not an enormous bother. > > Cheers, > Richard > > Vid Sat, 19 Mar 2016 kl. 01.31.53, skrev erik at efca.com: > > still not working right. > > Attached a longish log file extract. > > But root cause seems to be that we try to process test dependencies > > while doing depend in crypto, way before we had done any work in > > the test subdir. That causes the find to exit with failed status > > aborting > > the depend. > > > > > > > -- Original Message -- > > > > > > Fixup show in last message has now been merged with master, commit > > > a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 > > > > > > -- > > > Richard Levitte > > > levitte at openssl.org > > > > > > -- > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 > > > Please log in as guest with password guest if prompted > > > > > > -- > > > openssl-dev mailing list > > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl- > > > dev > > > > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 11:49:01 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 11:49:01 +0000 Subject: [openssl-dev] [openssl.org #4447] Missing generators for sparcv8plus.s, sparcv8.s and sparccpuid.s (OpenSSL 1.1.0 pre4) In-Reply-To: References: <56EC798B.7070502@kippdata.de> Message-ID: So I'm wondering, what happens if you apply the attached patch? Vid Sat, 19 Mar 2016 kl. 11.02.09, skrev levitte: > Hmmm... > > Actually, I'm thinkg that src2obj() should check if the original file > exists as > given before changing .S to .s... That should work, since we're always > generating 'foo.s' from 'asm/foo.S' (or 'asm/foo.pl', but that's not > applicable > here)... The directory difference should make it safe. > > I'll experiment a little, there's also the question of the assembler > files in > crypto/, but they are a problem in other builds as well... > > So, fix coming up! But not quite your solution. > > Vid Fre, 18 Mar 2016 kl. 21.56.37, skrev rainer.jung at kippdata.de: > > When building OpenSSL 1.1.0 pre4 on Solaris Sparc for 64 Bits I get > > an > > error, because before building crypto/bn/sparcv8plus.o first > > generates > > crypto/bn/asm/sparcv8plus.s from crypto/bn/asm/sparcv8plus.S with the > > following command > > > > gcc -E crypto/bn/asm/sparcv8plus.S > crypto/bn/asm/sparcv8plus.s > > > > This command is missing CFLAGS. As a consequence, the generated .s > > file > > does not work for 64 bit compilation and compiling it fails with lots > > of > > errors of type: > > > > /usr/ccs/bin/as: "crypto/bn/asm/sparcv8plus.s", line ...: error: > > detect > > global register use not covered .register pseudo-op > > > > The pre3 version compiled crypto/bn/asm/sparcv8plus.o directly from > > crypto/bn/asm/sparcv8plus.S (upper case ".S") using "gcc -c" and all > > CFLAGS, include flags etc. > > > > So either one does the same for pre4 or one adds a Makefile rule for > > crypto/bn/asm/sparcv8plus.s generating it from > > crypto/bn/asm/sparcv8plus.S respecting CFLAGS, include dirs etc. or > > simply copying it from the .S file. > > > > I think the switch from .S to .s happens in src2obj() inside > > Configurations/unix-Makefile.tmpl. So if it is intentional, you need > > to > > define and use a generator from .S to .s. > > > > The following patch worked for me, but I don't know whether it is how > > it > > should work: > > > > > > --- Configurations/00-base-templates.conf Wed Mar 16 19:18:09 2016 > > +++ Configurations/00-base-templates.conf Fri Mar 18 22:31:59 2016 > > @@ -198,8 +198,8 @@ > > }, > > sparcv9_asm => { > > template => 1, > > - cpuid_asm_src => "sparcv9cap.c sparccpuid.S", > > - bn_asm_src => "asm/sparcv8plus.S sparcv9-mont.S > > sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", > > + cpuid_asm_src => "sparcv9cap.c sparccpuid.s", > > + bn_asm_src => "sparcv8plus.s sparcv9-mont.S sparcv9a-mont.S > > vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", > > ec_asm_src => "ecp_nistz256.c ecp_nistz256-sparcv9.S", > > des_asm_src => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S", > > aes_asm_src => "aes_core.c aes_cbc.c aes-sparcv9.S > > aest4-sparcv9.S", > > @@ -213,7 +213,7 @@ > > sparcv8_asm => { > > template => 1, > > cpuid_asm_src => "", > > - bn_asm_src => "asm/sparcv8.S", > > + bn_asm_src => "sparcv8.s", > > des_asm_src => "des_enc-sparc.S fcrypt_b.c", > > perlasm_scheme => "void" > > }, > > > > > > (upper case ".S" to lower case ".s" and removal of "asm/"). > > > > and two build.info changes: > > > > > > --- crypto/build.info Wed Mar 16 19:18:08 2016 > > +++ crypto/build.info Fri Mar 18 22:11:43 2016 > > @@ -21,6 +21,8 @@ > > > > GENERATE[x86_64cpuid.s]=x86_64cpuid.pl $(PERLASM_SCHEME) > > > > +GENERATE[sparccpuid.s]=sparccpuid.S > > + > > GENERATE[ia64cpuid.s]=ia64cpuid.S > > GENERATE[ppccpuid.s]=ppccpuid.pl $(PERLASM_SCHEME) > > GENERATE[pariscid.s]=pariscid.pl $(PERLASM_SCHEME) > > > > > > --- crypto/bn/build.info Wed Mar 16 19:18:09 2016 > > +++ crypto/bn/build.info Fri Mar 18 22:11:43 2016 > > @@ -24,6 +24,9 @@ > > $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR) > > DEPEND[x86-gf2m.s]=../perlasm/x86asm.pl > > > > +GENERATE[sparcv8.s]=asm/sparcv8.S > > +GENERATE[sparcv8plus.s]=asm/sparcv8plus.S > > + > > GENERATE[sparcv9a-mont.S]=asm/sparcv9a-mont.pl $(PERLASM_SCHEME) > > INCLUDE[sparcv9a-mont.o]=.. > > GENERATE[sparcv9-mont.S]=asm/sparcv9-mont.pl $(PERLASM_SCHEME) > > > > > > This seems to be consistent with how it is done for > > > > crypto/ia64cpuid.S > > crypto/aes/asm/aes-ia64.S > > crypto/bn/asm/ia64.S > > > > The same changes probably need to be done for > > > > crypto/s390xcpuid.S > > crypto/bn/asm/s390x.S > > > > Regards, > > > > Rainer > > > > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4447 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: unix-Makefile.tmpl.patch Type: text/x-patch Size: 767 bytes Desc: not available URL: From hanno at hboeck.de Sat Mar 19 12:41:01 2016 From: hanno at hboeck.de (Hanno =?UTF-8?B?QsO2Y2s=?=) Date: Sat, 19 Mar 2016 13:41:01 +0100 Subject: [openssl-dev] website inconsistent between start page and /source - beta1 vs pre4 Message-ID: <20160319134101.470e9e99@pc1> Hi, The latest news on the openssl start page is 16-Mar-2016Beta 1 of OpenSSL 1.1.0 is now available: please download and test it However the latest download on /source is 2016-Mar-16 17:43:30 openssl-1.1.0-pre4.tar.gz Is pre4 supposed to be the same as beta1? -- Hanno B?ck https://hboeck.de/ mail/jabber: hanno at hboeck.de GPG: BBB51E42 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: OpenPGP digital signature URL: From levitte at openssl.org Sat Mar 19 12:52:01 2016 From: levitte at openssl.org (Richard Levitte) Date: Sat, 19 Mar 2016 13:52:01 +0100 Subject: [openssl-dev] website inconsistent between start page and /source - beta1 vs pre4 In-Reply-To: <20160319134101.470e9e99@pc1> References: <20160319134101.470e9e99@pc1> Message-ID: <3101704E-23C4-4899-933A-460FA8358F32@openssl.org> Yes, it is. We should clarify that. "Hanno B?ck" skrev: (19 mars 2016 13:41:01 CET) >Hi, > >The latest news on the openssl start page is >16-Mar-2016Beta 1 of OpenSSL 1.1.0 is now available: please download >and test it > >However the latest download on /source is > 2016-Mar-16 17:43:30 openssl-1.1.0-pre4.tar.gz > >Is pre4 supposed to be the same as beta1? -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From rainer.jung at kippdata.de Sat Mar 19 13:38:46 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Sat, 19 Mar 2016 14:38:46 +0100 Subject: [openssl-dev] [openssl.org #4447] Missing generators for sparcv8plus.s, sparcv8.s and sparccpuid.s (OpenSSL 1.1.0 pre4) In-Reply-To: References: <56EC798B.7070502@kippdata.de> Message-ID: <56ED5666.4070205@kippdata.de> Hi Richard, Am 19.03.2016 um 12:49 schrieb Richard Levitte via RT: > So I'm wondering, what happens if you apply the attached patch? Works like a charm, tested on Solaris 10 Sparc doing a 32bit build and a 64bit build. The intermediate ".s" (lower case) file no longer gets generated and instead the object file gets directly compiled from the .S (upper case) file. Builds succeed, tests pass. As always: thanks a bunch! Regards, Rainer > Vid Sat, 19 Mar 2016 kl. 11.02.09, skrev levitte: >> Hmmm... >> >> Actually, I'm thinkg that src2obj() should check if the original file >> exists as >> given before changing .S to .s... That should work, since we're always >> generating 'foo.s' from 'asm/foo.S' (or 'asm/foo.pl', but that's not >> applicable >> here)... The directory difference should make it safe. >> >> I'll experiment a little, there's also the question of the assembler >> files in >> crypto/, but they are a problem in other builds as well... >> >> So, fix coming up! But not quite your solution. >> >> Vid Fre, 18 Mar 2016 kl. 21.56.37, skrev rainer.jung at kippdata.de: >>> When building OpenSSL 1.1.0 pre4 on Solaris Sparc for 64 Bits I get >>> an >>> error, because before building crypto/bn/sparcv8plus.o first >>> generates >>> crypto/bn/asm/sparcv8plus.s from crypto/bn/asm/sparcv8plus.S with the >>> following command >>> >>> gcc -E crypto/bn/asm/sparcv8plus.S > crypto/bn/asm/sparcv8plus.s >>> >>> This command is missing CFLAGS. As a consequence, the generated .s >>> file >>> does not work for 64 bit compilation and compiling it fails with lots >>> of >>> errors of type: >>> >>> /usr/ccs/bin/as: "crypto/bn/asm/sparcv8plus.s", line ...: error: >>> detect >>> global register use not covered .register pseudo-op >>> >>> The pre3 version compiled crypto/bn/asm/sparcv8plus.o directly from >>> crypto/bn/asm/sparcv8plus.S (upper case ".S") using "gcc -c" and all >>> CFLAGS, include flags etc. >>> >>> So either one does the same for pre4 or one adds a Makefile rule for >>> crypto/bn/asm/sparcv8plus.s generating it from >>> crypto/bn/asm/sparcv8plus.S respecting CFLAGS, include dirs etc. or >>> simply copying it from the .S file. >>> >>> I think the switch from .S to .s happens in src2obj() inside >>> Configurations/unix-Makefile.tmpl. So if it is intentional, you need >>> to >>> define and use a generator from .S to .s. >>> >>> The following patch worked for me, but I don't know whether it is how >>> it >>> should work: >>> >>> >>> --- Configurations/00-base-templates.conf Wed Mar 16 19:18:09 2016 >>> +++ Configurations/00-base-templates.conf Fri Mar 18 22:31:59 2016 >>> @@ -198,8 +198,8 @@ >>> }, >>> sparcv9_asm => { >>> template => 1, >>> - cpuid_asm_src => "sparcv9cap.c sparccpuid.S", >>> - bn_asm_src => "asm/sparcv8plus.S sparcv9-mont.S >>> sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", >>> + cpuid_asm_src => "sparcv9cap.c sparccpuid.s", >>> + bn_asm_src => "sparcv8plus.s sparcv9-mont.S sparcv9a-mont.S >>> vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", >>> ec_asm_src => "ecp_nistz256.c ecp_nistz256-sparcv9.S", >>> des_asm_src => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S", >>> aes_asm_src => "aes_core.c aes_cbc.c aes-sparcv9.S >>> aest4-sparcv9.S", >>> @@ -213,7 +213,7 @@ >>> sparcv8_asm => { >>> template => 1, >>> cpuid_asm_src => "", >>> - bn_asm_src => "asm/sparcv8.S", >>> + bn_asm_src => "sparcv8.s", >>> des_asm_src => "des_enc-sparc.S fcrypt_b.c", >>> perlasm_scheme => "void" >>> }, >>> >>> >>> (upper case ".S" to lower case ".s" and removal of "asm/"). >>> >>> and two build.info changes: >>> >>> >>> --- crypto/build.info Wed Mar 16 19:18:08 2016 >>> +++ crypto/build.info Fri Mar 18 22:11:43 2016 >>> @@ -21,6 +21,8 @@ >>> >>> GENERATE[x86_64cpuid.s]=x86_64cpuid.pl $(PERLASM_SCHEME) >>> >>> +GENERATE[sparccpuid.s]=sparccpuid.S >>> + >>> GENERATE[ia64cpuid.s]=ia64cpuid.S >>> GENERATE[ppccpuid.s]=ppccpuid.pl $(PERLASM_SCHEME) >>> GENERATE[pariscid.s]=pariscid.pl $(PERLASM_SCHEME) >>> >>> >>> --- crypto/bn/build.info Wed Mar 16 19:18:09 2016 >>> +++ crypto/bn/build.info Fri Mar 18 22:11:43 2016 >>> @@ -24,6 +24,9 @@ >>> $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR) >>> DEPEND[x86-gf2m.s]=../perlasm/x86asm.pl >>> >>> +GENERATE[sparcv8.s]=asm/sparcv8.S >>> +GENERATE[sparcv8plus.s]=asm/sparcv8plus.S >>> + >>> GENERATE[sparcv9a-mont.S]=asm/sparcv9a-mont.pl $(PERLASM_SCHEME) >>> INCLUDE[sparcv9a-mont.o]=.. >>> GENERATE[sparcv9-mont.S]=asm/sparcv9-mont.pl $(PERLASM_SCHEME) >>> >>> >>> This seems to be consistent with how it is done for >>> >>> crypto/ia64cpuid.S >>> crypto/aes/asm/aes-ia64.S >>> crypto/bn/asm/ia64.S >>> >>> The same changes probably need to be done for >>> >>> crypto/s390xcpuid.S >>> crypto/bn/asm/s390x.S >>> >>> Regards, >>> >>> Rainer >>> >> >> >> -- >> Richard Levitte >> levitte at openssl.org > > > -- > Richard Levitte > levitte at openssl.org From rt at openssl.org Sat Mar 19 13:38:57 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Sat, 19 Mar 2016 13:38:57 +0000 Subject: [openssl-dev] [openssl.org #4447] Missing generators for sparcv8plus.s, sparcv8.s and sparccpuid.s (OpenSSL 1.1.0 pre4) In-Reply-To: <56ED5666.4070205@kippdata.de> References: <56EC798B.7070502@kippdata.de> <56ED5666.4070205@kippdata.de> Message-ID: Hi Richard, Am 19.03.2016 um 12:49 schrieb Richard Levitte via RT: > So I'm wondering, what happens if you apply the attached patch? Works like a charm, tested on Solaris 10 Sparc doing a 32bit build and a 64bit build. The intermediate ".s" (lower case) file no longer gets generated and instead the object file gets directly compiled from the .S (upper case) file. Builds succeed, tests pass. As always: thanks a bunch! Regards, Rainer > Vid Sat, 19 Mar 2016 kl. 11.02.09, skrev levitte: >> Hmmm... >> >> Actually, I'm thinkg that src2obj() should check if the original file >> exists as >> given before changing .S to .s... That should work, since we're always >> generating 'foo.s' from 'asm/foo.S' (or 'asm/foo.pl', but that's not >> applicable >> here)... The directory difference should make it safe. >> >> I'll experiment a little, there's also the question of the assembler >> files in >> crypto/, but they are a problem in other builds as well... >> >> So, fix coming up! But not quite your solution. >> >> Vid Fre, 18 Mar 2016 kl. 21.56.37, skrev rainer.jung at kippdata.de: >>> When building OpenSSL 1.1.0 pre4 on Solaris Sparc for 64 Bits I get >>> an >>> error, because before building crypto/bn/sparcv8plus.o first >>> generates >>> crypto/bn/asm/sparcv8plus.s from crypto/bn/asm/sparcv8plus.S with the >>> following command >>> >>> gcc -E crypto/bn/asm/sparcv8plus.S > crypto/bn/asm/sparcv8plus.s >>> >>> This command is missing CFLAGS. As a consequence, the generated .s >>> file >>> does not work for 64 bit compilation and compiling it fails with lots >>> of >>> errors of type: >>> >>> /usr/ccs/bin/as: "crypto/bn/asm/sparcv8plus.s", line ...: error: >>> detect >>> global register use not covered .register pseudo-op >>> >>> The pre3 version compiled crypto/bn/asm/sparcv8plus.o directly from >>> crypto/bn/asm/sparcv8plus.S (upper case ".S") using "gcc -c" and all >>> CFLAGS, include flags etc. >>> >>> So either one does the same for pre4 or one adds a Makefile rule for >>> crypto/bn/asm/sparcv8plus.s generating it from >>> crypto/bn/asm/sparcv8plus.S respecting CFLAGS, include dirs etc. or >>> simply copying it from the .S file. >>> >>> I think the switch from .S to .s happens in src2obj() inside >>> Configurations/unix-Makefile.tmpl. So if it is intentional, you need >>> to >>> define and use a generator from .S to .s. >>> >>> The following patch worked for me, but I don't know whether it is how >>> it >>> should work: >>> >>> >>> --- Configurations/00-base-templates.conf Wed Mar 16 19:18:09 2016 >>> +++ Configurations/00-base-templates.conf Fri Mar 18 22:31:59 2016 >>> @@ -198,8 +198,8 @@ >>> }, >>> sparcv9_asm => { >>> template => 1, >>> - cpuid_asm_src => "sparcv9cap.c sparccpuid.S", >>> - bn_asm_src => "asm/sparcv8plus.S sparcv9-mont.S >>> sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", >>> + cpuid_asm_src => "sparcv9cap.c sparccpuid.s", >>> + bn_asm_src => "sparcv8plus.s sparcv9-mont.S sparcv9a-mont.S >>> vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", >>> ec_asm_src => "ecp_nistz256.c ecp_nistz256-sparcv9.S", >>> des_asm_src => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S", >>> aes_asm_src => "aes_core.c aes_cbc.c aes-sparcv9.S >>> aest4-sparcv9.S", >>> @@ -213,7 +213,7 @@ >>> sparcv8_asm => { >>> template => 1, >>> cpuid_asm_src => "", >>> - bn_asm_src => "asm/sparcv8.S", >>> + bn_asm_src => "sparcv8.s", >>> des_asm_src => "des_enc-sparc.S fcrypt_b.c", >>> perlasm_scheme => "void" >>> }, >>> >>> >>> (upper case ".S" to lower case ".s" and removal of "asm/"). >>> >>> and two build.info changes: >>> >>> >>> --- crypto/build.info Wed Mar 16 19:18:08 2016 >>> +++ crypto/build.info Fri Mar 18 22:11:43 2016 >>> @@ -21,6 +21,8 @@ >>> >>> GENERATE[x86_64cpuid.s]=x86_64cpuid.pl $(PERLASM_SCHEME) >>> >>> +GENERATE[sparccpuid.s]=sparccpuid.S >>> + >>> GENERATE[ia64cpuid.s]=ia64cpuid.S >>> GENERATE[ppccpuid.s]=ppccpuid.pl $(PERLASM_SCHEME) >>> GENERATE[pariscid.s]=pariscid.pl $(PERLASM_SCHEME) >>> >>> >>> --- crypto/bn/build.info Wed Mar 16 19:18:09 2016 >>> +++ crypto/bn/build.info Fri Mar 18 22:11:43 2016 >>> @@ -24,6 +24,9 @@ >>> $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR) >>> DEPEND[x86-gf2m.s]=../perlasm/x86asm.pl >>> >>> +GENERATE[sparcv8.s]=asm/sparcv8.S >>> +GENERATE[sparcv8plus.s]=asm/sparcv8plus.S >>> + >>> GENERATE[sparcv9a-mont.S]=asm/sparcv9a-mont.pl $(PERLASM_SCHEME) >>> INCLUDE[sparcv9a-mont.o]=.. >>> GENERATE[sparcv9-mont.S]=asm/sparcv9-mont.pl $(PERLASM_SCHEME) >>> >>> >>> This seems to be consistent with how it is done for >>> >>> crypto/ia64cpuid.S >>> crypto/aes/asm/aes-ia64.S >>> crypto/bn/asm/ia64.S >>> >>> The same changes probably need to be done for >>> >>> crypto/s390xcpuid.S >>> crypto/bn/asm/s390x.S >>> >>> Regards, >>> >>> Rainer >>> >> >> >> -- >> Richard Levitte >> levitte at openssl.org > > > -- > Richard Levitte > levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4447 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Sat Mar 19 13:38:54 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Sat, 19 Mar 2016 14:38:54 +0100 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: <56ED566E.105@kippdata.de> Works here. No more "-nt" error, no warnings or other STDERR output. Tested on Solaris 10 Sparc using GCC doing a 32 bit build and another 64 bit build. Builds succeed, tests pass. Am 19.03.2016 um 12:34 schrieb Richard Levitte via RT: > Fixed in commit 243a98d4a03a411dfe6db727dbf90adbfa2e7474. Can we close this > ticket for good now? > > Vid Sat, 19 Mar 2016 kl. 10.14.25, skrev levitte: >> Right. A little 'exit 0' in the right spot should fix that. >> >> It's true that the dependencies that are generated depend quite a lot >> on what >> you've built so far, I hope that's not an enormous bother. >> >> Cheers, >> Richard >> >> Vid Sat, 19 Mar 2016 kl. 01.31.53, skrev erik at efca.com: >>> still not working right. >>> Attached a longish log file extract. >>> But root cause seems to be that we try to process test dependencies >>> while doing depend in crypto, way before we had done any work in >>> the test subdir. That causes the find to exit with failed status >>> aborting >>> the depend. >>> >>> >>>> -- Original Message -- >>>> >>>> Fixup show in last message has now been merged with master, commit >>>> a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 >>>> >>>> -- >>>> Richard Levitte >>>> levitte at openssl.org >>>> >>>> -- >>>> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >>>> Please log in as guest with password guest if prompted >>>> >>>> -- >>>> openssl-dev mailing list >>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl- >>>> dev >>> >> >> >> -- >> Richard Levitte >> levitte at openssl.org > > > -- > Richard Levitte > levitte at openssl.org From rt at openssl.org Sat Mar 19 13:39:02 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Sat, 19 Mar 2016 13:39:02 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: <56ED566E.105@kippdata.de> References: <56ED566E.105@kippdata.de> Message-ID: Works here. No more "-nt" error, no warnings or other STDERR output. Tested on Solaris 10 Sparc using GCC doing a 32 bit build and another 64 bit build. Builds succeed, tests pass. Am 19.03.2016 um 12:34 schrieb Richard Levitte via RT: > Fixed in commit 243a98d4a03a411dfe6db727dbf90adbfa2e7474. Can we close this > ticket for good now? > > Vid Sat, 19 Mar 2016 kl. 10.14.25, skrev levitte: >> Right. A little 'exit 0' in the right spot should fix that. >> >> It's true that the dependencies that are generated depend quite a lot >> on what >> you've built so far, I hope that's not an enormous bother. >> >> Cheers, >> Richard >> >> Vid Sat, 19 Mar 2016 kl. 01.31.53, skrev erik at efca.com: >>> still not working right. >>> Attached a longish log file extract. >>> But root cause seems to be that we try to process test dependencies >>> while doing depend in crypto, way before we had done any work in >>> the test subdir. That causes the find to exit with failed status >>> aborting >>> the depend. >>> >>> >>>> -- Original Message -- >>>> >>>> Fixup show in last message has now been merged with master, commit >>>> a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 >>>> >>>> -- >>>> Richard Levitte >>>> levitte at openssl.org >>>> >>>> -- >>>> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >>>> Please log in as guest with password guest if prompted >>>> >>>> -- >>>> openssl-dev mailing list >>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl- >>>> dev >>> >> >> >> -- >> Richard Levitte >> levitte at openssl.org > > > -- > Richard Levitte > levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rsalz at akamai.com Sat Mar 19 14:07:31 2016 From: rsalz at akamai.com (Salz, Rich) Date: Sat, 19 Mar 2016 14:07:31 +0000 Subject: [openssl-dev] website inconsistent between start page and /source - beta1 vs pre4 In-Reply-To: <3101704E-23C4-4899-933A-460FA8358F32@openssl.org> References: <20160319134101.470e9e99@pc1> <3101704E-23C4-4899-933A-460FA8358F32@openssl.org> Message-ID: >> >Is pre4 supposed to be the same as beta1? > Yes, it is. We should clarify that. Wording tweaked. From rt at openssl.org Sat Mar 19 17:16:01 2016 From: rt at openssl.org (Rich Salz via RT) Date: Sat, 19 Mar 2016 17:16:01 +0000 Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * In-Reply-To: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> References: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> Message-ID: We can't overload functions -- this is C not C++ :) So cast your pointer. Other accessors in OpenSSL have the same issue. We're not solving it right now. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4436 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 18:04:10 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 18:04:10 +0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: <56ED566E.105@kippdata.de> Message-ID: Perfect. Thanks for confirming. Closing this ticket now. Cheers, Richard Vid Sat, 19 Mar 2016 kl. 13.39.02, skrev rainer.jung at kippdata.de: > Works here. No more "-nt" error, no warnings or other STDERR output. > Tested on Solaris 10 Sparc using GCC doing a 32 bit build and another > 64 > bit build. Builds succeed, tests pass. > > Am 19.03.2016 um 12:34 schrieb Richard Levitte via RT: > > Fixed in commit 243a98d4a03a411dfe6db727dbf90adbfa2e7474. Can we > > close this > > ticket for good now? > > > > Vid Sat, 19 Mar 2016 kl. 10.14.25, skrev levitte: > >> Right. A little 'exit 0' in the right spot should fix that. > >> > >> It's true that the dependencies that are generated depend quite a > >> lot > >> on what > >> you've built so far, I hope that's not an enormous bother. > >> > >> Cheers, > >> Richard > >> > >> Vid Sat, 19 Mar 2016 kl. 01.31.53, skrev erik at efca.com: > >>> still not working right. > >>> Attached a longish log file extract. > >>> But root cause seems to be that we try to process test dependencies > >>> while doing depend in crypto, way before we had done any work in > >>> the test subdir. That causes the find to exit with failed status > >>> aborting > >>> the depend. > >>> > >>> > >>>> -- Original Message -- > >>>> > >>>> Fixup show in last message has now been merged with master, commit > >>>> a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 > >>>> > >>>> -- > >>>> Richard Levitte > >>>> levitte at openssl.org > >>>> > >>>> -- > >>>> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 > >>>> Please log in as guest with password guest if prompted > >>>> > >>>> -- > >>>> openssl-dev mailing list > >>>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl- > >>>> dev > >>> > >> > >> > >> -- > >> Richard Levitte > >> levitte at openssl.org > > > > > > -- > > Richard Levitte > > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 21:22:45 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 21:22:45 +0000 Subject: [openssl-dev] [openssl.org #4447] Missing generators for sparcv8plus.s, sparcv8.s and sparccpuid.s (OpenSSL 1.1.0 pre4) In-Reply-To: References: <56EC798B.7070502@kippdata.de> <56ED5666.4070205@kippdata.de> Message-ID: Commit 674d5858df6cd3dc5cafa25875861f4742d64608, merged to master. Closing ticket. Cheers, Richard Vid Sat, 19 Mar 2016 kl. 13.38.57, skrev rainer.jung at kippdata.de: > Hi Richard, > > Am 19.03.2016 um 12:49 schrieb Richard Levitte via RT: > > So I'm wondering, what happens if you apply the attached patch? > > Works like a charm, tested on Solaris 10 Sparc doing a 32bit build and a > 64bit build. The intermediate ".s" (lower case) file no longer gets > generated and instead the object file gets directly compiled from the .S > (upper case) file. > > Builds succeed, tests pass. > > As always: thanks a bunch! > > Regards, > > Rainer > > > Vid Sat, 19 Mar 2016 kl. 11.02.09, skrev levitte: > >> Hmmm... > >> > >> Actually, I'm thinkg that src2obj() should check if the original file > >> exists as > >> given before changing .S to .s... That should work, since we're always > >> generating 'foo.s' from 'asm/foo.S' (or 'asm/foo.pl', but that's not > >> applicable > >> here)... The directory difference should make it safe. > >> > >> I'll experiment a little, there's also the question of the assembler > >> files in > >> crypto/, but they are a problem in other builds as well... > >> > >> So, fix coming up! But not quite your solution. > >> > >> Vid Fre, 18 Mar 2016 kl. 21.56.37, skrev rainer.jung at kippdata.de: > >>> When building OpenSSL 1.1.0 pre4 on Solaris Sparc for 64 Bits I get > >>> an > >>> error, because before building crypto/bn/sparcv8plus.o first > >>> generates > >>> crypto/bn/asm/sparcv8plus.s from crypto/bn/asm/sparcv8plus.S with the > >>> following command > >>> > >>> gcc -E crypto/bn/asm/sparcv8plus.S > crypto/bn/asm/sparcv8plus.s > >>> > >>> This command is missing CFLAGS. As a consequence, the generated .s > >>> file > >>> does not work for 64 bit compilation and compiling it fails with lots > >>> of > >>> errors of type: > >>> > >>> /usr/ccs/bin/as: "crypto/bn/asm/sparcv8plus.s", line ...: error: > >>> detect > >>> global register use not covered .register pseudo-op > >>> > >>> The pre3 version compiled crypto/bn/asm/sparcv8plus.o directly from > >>> crypto/bn/asm/sparcv8plus.S (upper case ".S") using "gcc -c" and all > >>> CFLAGS, include flags etc. > >>> > >>> So either one does the same for pre4 or one adds a Makefile rule for > >>> crypto/bn/asm/sparcv8plus.s generating it from > >>> crypto/bn/asm/sparcv8plus.S respecting CFLAGS, include dirs etc. or > >>> simply copying it from the .S file. > >>> > >>> I think the switch from .S to .s happens in src2obj() inside > >>> Configurations/unix-Makefile.tmpl. So if it is intentional, you need > >>> to > >>> define and use a generator from .S to .s. > >>> > >>> The following patch worked for me, but I don't know whether it is how > >>> it > >>> should work: > >>> > >>> > >>> --- Configurations/00-base-templates.conf Wed Mar 16 19:18:09 2016 > >>> +++ Configurations/00-base-templates.conf Fri Mar 18 22:31:59 2016 > >>> @@ -198,8 +198,8 @@ > >>> }, > >>> sparcv9_asm => { > >>> template => 1, > >>> - cpuid_asm_src => "sparcv9cap.c sparccpuid.S", > >>> - bn_asm_src => "asm/sparcv8plus.S sparcv9-mont.S > >>> sparcv9a-mont.S vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", > >>> + cpuid_asm_src => "sparcv9cap.c sparccpuid.s", > >>> + bn_asm_src => "sparcv8plus.s sparcv9-mont.S sparcv9a-mont.S > >>> vis3-mont.S sparct4-mont.S sparcv9-gf2m.S", > >>> ec_asm_src => "ecp_nistz256.c ecp_nistz256-sparcv9.S", > >>> des_asm_src => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.S", > >>> aes_asm_src => "aes_core.c aes_cbc.c aes-sparcv9.S > >>> aest4-sparcv9.S", > >>> @@ -213,7 +213,7 @@ > >>> sparcv8_asm => { > >>> template => 1, > >>> cpuid_asm_src => "", > >>> - bn_asm_src => "asm/sparcv8.S", > >>> + bn_asm_src => "sparcv8.s", > >>> des_asm_src => "des_enc-sparc.S fcrypt_b.c", > >>> perlasm_scheme => "void" > >>> }, > >>> > >>> > >>> (upper case ".S" to lower case ".s" and removal of "asm/"). > >>> > >>> and two build.info changes: > >>> > >>> > >>> --- crypto/build.info Wed Mar 16 19:18:08 2016 > >>> +++ crypto/build.info Fri Mar 18 22:11:43 2016 > >>> @@ -21,6 +21,8 @@ > >>> > >>> GENERATE[x86_64cpuid.s]=x86_64cpuid.pl $(PERLASM_SCHEME) > >>> > >>> +GENERATE[sparccpuid.s]=sparccpuid.S > >>> + > >>> GENERATE[ia64cpuid.s]=ia64cpuid.S > >>> GENERATE[ppccpuid.s]=ppccpuid.pl $(PERLASM_SCHEME) > >>> GENERATE[pariscid.s]=pariscid.pl $(PERLASM_SCHEME) > >>> > >>> > >>> --- crypto/bn/build.info Wed Mar 16 19:18:09 2016 > >>> +++ crypto/bn/build.info Fri Mar 18 22:11:43 2016 > >>> @@ -24,6 +24,9 @@ > >>> $(PERLASM_SCHEME) $(CFLAGS) $(LIB_CFLAGS) $(PROCESSOR) > >>> DEPEND[x86-gf2m.s]=../perlasm/x86asm.pl > >>> > >>> +GENERATE[sparcv8.s]=asm/sparcv8.S > >>> +GENERATE[sparcv8plus.s]=asm/sparcv8plus.S > >>> + > >>> GENERATE[sparcv9a-mont.S]=asm/sparcv9a-mont.pl $(PERLASM_SCHEME) > >>> INCLUDE[sparcv9a-mont.o]=.. > >>> GENERATE[sparcv9-mont.S]=asm/sparcv9-mont.pl $(PERLASM_SCHEME) > >>> > >>> > >>> This seems to be consistent with how it is done for > >>> > >>> crypto/ia64cpuid.S > >>> crypto/aes/asm/aes-ia64.S > >>> crypto/bn/asm/ia64.S > >>> > >>> The same changes probably need to be done for > >>> > >>> crypto/s390xcpuid.S > >>> crypto/bn/asm/s390x.S > >>> > >>> Regards, > >>> > >>> Rainer > >>> > >> > >> > >> -- > >> Richard Levitte > >> levitte at openssl.org > > > > > > -- > > Richard Levitte > > levitte at openssl.org > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4447 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 21:53:35 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 21:53:35 +0000 Subject: [openssl-dev] [openssl.org #4452] openssl-1.1.0-pre4: undefined symbol for solaris-x86-cc In-Reply-To: <747648.50843.qm@web101220.mail.kks.yahoo.co.jp> References: <747648.50843.qm@web101220.mail.kks.yahoo.co.jp> Message-ID: If you have the possibility, please try a fresh checkout of the master branch and see if this is fixed. Cheers, Richard Vid Sat, 19 Mar 2016 kl. 10.55.59, skrev yoi_no_myoujou at yahoo.co.jp: > With patch for #4444, > > % mkdir build_solaris-x86-cc > % cd build_solaris-x86-cc > % ../Configure solaris-x86-cc > % make > : > Undefined first referenced > symbol in file > padlock_xstore ./libcrypto.a(e_padlock.o) > padlock_capability ./libcrypto.a(e_padlock.o) > padlock_reload_key ./libcrypto.a(e_padlock.o) > padlock_ctr32_encrypt ./libcrypto.a(e_padlock.o) > padlock_key_bswap ./libcrypto.a(e_padlock.o) > padlock_cbc_encrypt ./libcrypto.a(e_padlock.o) > padlock_cfb_encrypt ./libcrypto.a(e_padlock.o) > padlock_ecb_encrypt ./libcrypto.a(e_padlock.o) > padlock_ofb_encrypt ./libcrypto.a(e_padlock.o) > padlock_aes_block ./libcrypto.a(e_padlock.o) > ld: fatal: symbol referencing errors. No output written to apps/openssl > ../Makefile.shared:186: recipe for target 'link_app.' failed > make[1]: *** [link_app.] Error 2 > > > % ../Configure solaris-x86-cc no-asm > > % make > % make test > passes. > > > OS: Solaris10 x86/x64 > cc: /opt/solarisstudio12.4/bin/cc > > > Best Regards, > > --- Kiyoshi > > -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4452 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 22:03:20 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 19 Mar 2016 22:03:20 +0000 Subject: [openssl-dev] [openssl.org #4453] openssl-1.1.0-pre4: make fails with 'wrong ELF class: ELFCLASS64' on solaris64-x86_64-cc In-Reply-To: <173729.2988.qm@web101210.mail.kks.yahoo.co.jp> References: <173729.2988.qm@web101210.mail.kks.yahoo.co.jp> Message-ID: Vid Sat, 19 Mar 2016 kl. 10.56.00, skrev yoi_no_myoujou at yahoo.co.jp: > Patch for this: > diff ../openssl-1.1.0-pre4.orig/Configurations/10-main.conf > Configurations/10-main.conf > 196c196 > < lflags => add(threads("-mt")), > --- > > lflags => add(threads("-mt -m64")), Already done. > It seems to be better to change '-xarch=generic64' to '-m64' in line > 196 & 201 of the same file, too. Hmm, not in line 191? Cheers, Richard -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4453 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 19 22:27:34 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sat, 19 Mar 2016 22:27:34 +0000 Subject: [openssl-dev] [openssl.org #4453] openssl-1.1.0-pre4: make fails with 'wrong ELF class: ELFCLASS64' on solaris64-x86_64-cc In-Reply-To: <164132.91751.qm@web101218.mail.kks.yahoo.co.jp> References: <173729.2988.qm@web101210.mail.kks.yahoo.co.jp> <164132.91751.qm@web101218.mail.kks.yahoo.co.jp> Message-ID: Hello, > Already done. > >> It seems to be better to change '-xarch=generic64' to > '-m64' in line >> 196 & 201 of the same file, too. > > Hmm, not in line 191? Sorry, not 196 but 191. Regards, --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4453 Please log in as guest with password guest if prompted From noloader at gmail.com Sat Mar 19 23:08:08 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 19 Mar 2016 19:08:08 -0400 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160319.024609.1263116961995387193.levitte@openssl.org> Message-ID: On Sat, Mar 19, 2016 at 6:44 AM, Richard Levitte via RT wrote: > I think that's a discussion that deserves its own new thread on openssl-dev. > > A RT ticket is *not* the right place for a philosophical discussion. Closing > this. Please don't respond on this message, create a new thread instead. Thanks Richard. For me, its not open for debate. Its a point of data egress, so it must not occur. What others do is there business. I'll configure without the "data loss" feature, and others can do what they want :) Jeff From rt at openssl.org Sat Mar 19 23:08:17 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sat, 19 Mar 2016 23:08:17 +0000 Subject: [openssl-dev] [openssl.org #4451] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160319.024609.1263116961995387193.levitte@openssl.org> Message-ID: On Sat, Mar 19, 2016 at 6:44 AM, Richard Levitte via RT wrote: > I think that's a discussion that deserves its own new thread on openssl-dev. > > A RT ticket is *not* the right place for a philosophical discussion. Closing > this. Please don't respond on this message, create a new thread instead. Thanks Richard. For me, its not open for debate. Its a point of data egress, so it must not occur. What others do is there business. I'll configure without the "data loss" feature, and others can do what they want :) Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4451 Please log in as guest with password guest if prompted From levitte at openssl.org Sat Mar 19 23:31:20 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 20 Mar 2016 00:31:20 +0100 (CET) Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: Message-ID: <20160320.003120.2296223415468433471.levitte@openssl.org> In message on Sat, 19 Mar 2016 23:08:17 +0000, "noloader at gmail.com via RT" said: rt> On Sat, Mar 19, 2016 at 6:44 AM, Richard Levitte via RT wrote: rt> > I think that's a discussion that deserves its own new thread on openssl-dev. rt> > rt> > A RT ticket is *not* the right place for a philosophical discussion. Closing rt> > this. Please don't respond on this message, create a new thread instead. rt> rt> Thanks Richard. rt> rt> For me, its not open for debate. Its a point of data egress, so it rt> must not occur. What others do is there business. rt> rt> I'll configure without the "data loss" feature, and others can do what rt> they want :) Well, how about you go after the calls then. Complaining about the existence of OPENSSL_die or OPENSSL_assert is about as fruitful as complaining about the existence of abort() or assert()... That's how this "philosophical discussion" started out that that's your complaint, isn't it? If not, I'd like you to clarify. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Sat Mar 19 23:41:28 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 19 Mar 2016 19:41:28 -0400 Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: <20160320.003120.2296223415468433471.levitte@openssl.org> References: <20160320.003120.2296223415468433471.levitte@openssl.org> Message-ID: On Sat, Mar 19, 2016 at 7:31 PM, Richard Levitte wrote: > In message on Sat, 19 Mar 2016 23:08:17 +0000, "noloader at gmail.com via RT" said: > > rt> On Sat, Mar 19, 2016 at 6:44 AM, Richard Levitte via RT wrote: > rt> > I think that's a discussion that deserves its own new thread on openssl-dev. > rt> > > rt> > A RT ticket is *not* the right place for a philosophical discussion. Closing > rt> > this. Please don't respond on this message, create a new thread instead. > rt> > rt> Thanks Richard. > rt> > rt> For me, its not open for debate. Its a point of data egress, so it > rt> must not occur. What others do is there business. > rt> > rt> I'll configure without the "data loss" feature, and others can do what > rt> they want :) > > Well, how about you go after the calls then. Complaining about the > existence of OPENSSL_die or OPENSSL_assert is about as fruitful as > complaining about the existence of abort() or assert()... That's how > this "philosophical discussion" started out that that's your > complaint, isn't it? If not, I'd like you to clarify. Allowing a library to make policy decisions for the application is a philosophical debate. Allowing data to egress from the security boundary violates security policies, and its not philosophical. Jeff From levitte at openssl.org Sat Mar 19 23:50:28 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 20 Mar 2016 00:50:28 +0100 (CET) Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160320.003120.2296223415468433471.levitte@openssl.org> Message-ID: <20160320.005028.908118865140747971.levitte@openssl.org> In message on Sat, 19 Mar 2016 19:41:28 -0400, Jeffrey Walton said: noloader> On Sat, Mar 19, 2016 at 7:31 PM, Richard Levitte wrote: noloader> > In message on Sat, 19 Mar 2016 23:08:17 +0000, "noloader at gmail.com via RT" said: noloader> > noloader> > rt> On Sat, Mar 19, 2016 at 6:44 AM, Richard Levitte via RT wrote: noloader> > rt> > I think that's a discussion that deserves its own new thread on openssl-dev. noloader> > rt> > noloader> > rt> > A RT ticket is *not* the right place for a philosophical discussion. Closing noloader> > rt> > this. Please don't respond on this message, create a new thread instead. noloader> > rt> noloader> > rt> Thanks Richard. noloader> > rt> noloader> > rt> For me, its not open for debate. Its a point of data egress, so it noloader> > rt> must not occur. What others do is there business. noloader> > rt> noloader> > rt> I'll configure without the "data loss" feature, and others can do what noloader> > rt> they want :) noloader> > noloader> > Well, how about you go after the calls then. Complaining about the noloader> > existence of OPENSSL_die or OPENSSL_assert is about as fruitful as noloader> > complaining about the existence of abort() or assert()... That's how noloader> > this "philosophical discussion" started out that that's your noloader> > complaint, isn't it? If not, I'd like you to clarify. noloader> noloader> Allowing a library to make policy decisions for the application is a noloader> philosophical debate. The few places we're using something that drastic is when the internal structures can only be seen as corrupt by our own fault. That's a point where you can expect things to go crashing any time, or just becoming *more* corrupt. The application cannot make a policy decision at that point, as the virtual rugg has already been pulled from under everyone's feet. noloader> Allowing data to egress from the security boundary violates security noloader> policies, and its not philosophical. Like I said, find the OPENSSL_die / OPENSSL_assert calls that have that potential (and the rugg hasn't already been pulled if they get triggered) and open tickets on them. However, doing so by point at a test that checks that our testing framework correctly catches an aborting process wasn't the best place to go looking.... We have that test in place because, just a few days ago, the testing framework would miss those. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Sun Mar 20 00:09:34 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 19 Mar 2016 20:09:34 -0400 Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: <20160320.005028.908118865140747971.levitte@openssl.org> References: <20160320.003120.2296223415468433471.levitte@openssl.org> <20160320.005028.908118865140747971.levitte@openssl.org> Message-ID: > noloader> Allowing a library to make policy decisions for the application is a > noloader> philosophical debate. > > The few places we're using something that drastic is when the internal > structures can only be seen as corrupt by our own fault. That's a > point where you can expect things to go crashing any time, or just > becoming *more* corrupt. The application cannot make a policy > decision at that point, as the virtual rugg has already been pulled > from under everyone's feet. Then why not call exit() rather than abort()? (Regardless of what you do here, its going to violate Apple's App Store policies and probably cause a rejection). Also, when configured with -d, that kind of puts you in a debug configuration. What's the purpose of crashing when the program is under a debugger? It seems like a raise(SIGTRAP) to snap the debugger would be a better choice. > noloader> Allowing data to egress from the security boundary violates security > noloader> policies, and its not philosophical. > > Like I said, find the OPENSSL_die / OPENSSL_assert calls that have > that potential (and the rugg hasn't already been pulled if they get > triggered) and open tickets on them. I'm not sure one leads to the other. How many times has a user submitted a core dump from an abort()? I'm guessing very few, and they probably got a curt response from the dev team. How many times has OpenSSL perused Apple's, Microsoft's, or error reporting website, and opened tickets based on the error reports? I'm guessing 0. How many times does the report egress data? 100% of the time. On the more sarcastic side, NSA, GCHQ and law enforcement has probably browsed those reports more than the folks they are supposedly provided for. Jeff From rt at openssl.org Sun Mar 20 00:29:10 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Sun, 20 Mar 2016 00:29:10 +0000 Subject: [openssl-dev] [openssl.org #4436] [Openssl 1.1.0] ECDSA_SIG_get0() for const ECDSA_SIG * In-Reply-To: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> References: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> Message-ID: Fixed now. Closing ticket. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4436 Please log in as guest with password guest if prompted From levitte at openssl.org Sun Mar 20 00:44:24 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 20 Mar 2016 01:44:24 +0100 (CET) Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160320.005028.908118865140747971.levitte@openssl.org> Message-ID: <20160320.014424.429082579329599892.levitte@openssl.org> In message on Sat, 19 Mar 2016 20:09:34 -0400, Jeffrey Walton said: noloader> > noloader> Allowing a library to make policy decisions for the application is a noloader> > noloader> philosophical debate. noloader> > noloader> > The few places we're using something that drastic is when the internal noloader> > structures can only be seen as corrupt by our own fault. That's a noloader> > point where you can expect things to go crashing any time, or just noloader> > becoming *more* corrupt. The application cannot make a policy noloader> > decision at that point, as the virtual rugg has already been pulled noloader> > from under everyone's feet. noloader> noloader> Then why not call exit() rather than abort()? (Regardless of what you noloader> do here, its going to violate Apple's App Store policies and probably noloader> cause a rejection). I just grepped through the source, and we never call OPENSSL_die() directly, we do it via OPENSSL_assert() (well, except for that test program, but the effect is the same for the purpose of that test) Point is, if any of the the assertions are triggered into faulting, there's a but in the library and it shouldn't get released. That's the whole point. The tests are supposed to catch those and basically raise a big red flag. Are you telling me that according to Apple's App Store policies, assertions must not be used? noloader> Also, when configured with -d, that kind of puts you in a debug noloader> configuration. What's the purpose of crashing when the program is noloader> under a debugger? It seems like a raise(SIGTRAP) to snap the debugger noloader> would be a better choice. Well... the implementation of OPENSSL_assert() mimics the implementation of assert(). noloader> How many times has a user submitted a core dump from an abort()? noloader> I'm guessing very few, and they probably got a curt response from the dev noloader> team. Nope, no coredumps, but we do get reports about the failed assertion messages. There was some reported not so long ago, because a couple of assertions I had added were a bit overzealous... but they did also lead us to find a couple bugs in a CRTL. Other than that report, I can't remember when I last saw one. If the library crashes with an assertion failure, I would expect that to be reported, about the same way as a failing "make depend" or other build. If such reports are few and far apart, one might also think that's how often those assertion do fail, or that we've caught them ourselves first. noloader> How many times has OpenSSL perused Apple's, Microsoft's, or distros> error reporting website, and opened tickets based on the noloader> error reports? I'm guessing 0. I would believe that when we find errors in other libraries, we do report them if possible. I recently reported a couple of faults in the VMS C RTL (yup, that's the one I mentioned above). noloader> How many times does the report egress data? 100% of the time. noloader> noloader> On the more sarcastic side, NSA, GCHQ and law enforcement has probably noloader> browsed those reports more than the folks they are supposedly provided noloader> for. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Sun Mar 20 01:11:03 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 19 Mar 2016 21:11:03 -0400 Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: <20160320.014424.429082579329599892.levitte@openssl.org> References: <20160320.005028.908118865140747971.levitte@openssl.org> <20160320.014424.429082579329599892.levitte@openssl.org> Message-ID: > Point is, if any of the the assertions are triggered into faulting, > there's a but in the library and it shouldn't get released. That's > the whole point. The tests are supposed to catch those and basically > raise a big red flag. > > Are you telling me that according to Apple's App Store policies, > assertions must not be used? I don't know what Apple's policies are with respect to assert. But Posix assert calls abort, and the abort is a violation of Apple submission policies. More generally, assertions are a diagnostic and debugging feature. They have no place in production/release. In production, the time for debugging is over. The project should probably disgorge the debugging and diagnostics (asserts) from the data egress (abort, crash dumps and error reports). Then you can use asserts and not worry about data security violations. I'm aware of some projects that do it, like OWASP (http://www.owasp.org/index.php?title=C-Based_Toolchain_Hardening&setlang=es#ASSERT) and Crypto++ (http://github.com/weidai11/cryptopp/blob/master/trap.h). For what its worth, I adore asserts. They create self debugging programs. I love self debugging programs because I have better things to do with my time than wielding a debugger and stepping code. I tried to find the pedigree of Posix's "let's crash a program while its being debugged" philosophy a few years ago. I could not find it. No one could remember where it came from or why it was there. I asked on comp.lang.c because I could not find a relevant posix usenet group. I can try and find a citation, if needed. Jeff From levitte at openssl.org Sun Mar 20 01:47:36 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 20 Mar 2016 02:47:36 +0100 (CET) Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160320.014424.429082579329599892.levitte@openssl.org> Message-ID: <20160320.024736.847351863534695510.levitte@openssl.org> In message on Sat, 19 Mar 2016 21:11:03 -0400, Jeffrey Walton said: noloader> > Point is, if any of the the assertions are triggered into faulting, noloader> > there's a but in the library and it shouldn't get released. That's noloader> > the whole point. The tests are supposed to catch those and basically noloader> > raise a big red flag. noloader> > noloader> > Are you telling me that according to Apple's App Store policies, noloader> > assertions must not be used? noloader> noloader> I don't know what Apple's policies are with respect to assert. But noloader> Posix assert calls abort, and the abort is a violation of Apple noloader> submission policies. Ok, good to know. noloader> The project should probably disgorge the debugging and diagnostics noloader> (asserts) from the data egress (abort, crash dumps and error reports). noloader> Then you can use asserts and not worry about data security violations. noloader> I'm aware of some projects that do it, like OWASP noloader> (http://www.owasp.org/index.php?title=C-Based_Toolchain_Hardening&setlang=es#ASSERT) noloader> and Crypto++ (http://github.com/weidai11/cryptopp/blob/master/trap.h). I'm listening, and that Crypto++ file answered a question I meant to ask (how to do the SIGTRAP thing on Windows). noloader> I tried to find the pedigree of Posix's "let's crash a program while noloader> its being debugged" philosophy a few years ago. I could not find it. It may have been as simple as SIGTRAP not existing everywhere, while the abort() call was simple to implement in diverse ways on different platforms (my old UNIX programmer's manual from Bell Labs tells me it uses the IOT instruction on PDP11...). So I'd say the answer lies in the deeper recesses of history -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Sun Mar 20 07:07:57 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sun, 20 Mar 2016 07:07:57 +0000 Subject: [openssl-dev] [openssl.org #4452] openssl-1.1.0-pre4: undefined symbol for solaris-x86-cc In-Reply-To: <550057.6653.qm@web101214.mail.kks.yahoo.co.jp> References: <747648.50843.qm@web101220.mail.kks.yahoo.co.jp> <550057.6653.qm@web101214.mail.kks.yahoo.co.jp> Message-ID: Tried with openssl-SNAP-20160320, but have the same result, not fixed yet. Regards, --- Kiyoshi > If you have the possibility, please try a fresh checkout of the master branch > and see if this is fixed. > > Cheers, > Richard > > Vid Sat, 19 Mar 2016 kl. 10.55.59, skrev yoi_no_myoujou at yahoo.co.jp: >> With patch for #4444, >> >> % mkdir build_solaris-x86-cc >> % cd build_solaris-x86-cc >> % ../Configure solaris-x86-cc >> % make >> : >> Undefined first referenced >> symbol in file >> padlock_xstore ./libcrypto.a(e_padlock.o) >> padlock_capability ./libcrypto.a(e_padlock.o) >> padlock_reload_key ./libcrypto.a(e_padlock.o) >> padlock_ctr32_encrypt ./libcrypto.a(e_padlock.o) >> padlock_key_bswap ./libcrypto.a(e_padlock.o) >> padlock_cbc_encrypt ./libcrypto.a(e_padlock.o) >> padlock_cfb_encrypt ./libcrypto.a(e_padlock.o) >> padlock_ecb_encrypt ./libcrypto.a(e_padlock.o) >> padlock_ofb_encrypt ./libcrypto.a(e_padlock.o) >> padlock_aes_block ./libcrypto.a(e_padlock.o) >> ld: fatal: symbol referencing errors. No output written to apps/openssl >> ../Makefile.shared:186: recipe for target 'link_app.' failed >> make[1]: *** [link_app.] Error 2 >> >> >> % ../Configure solaris-x86-cc no-asm >> >> % make >> % make test >> passes. >> >> >> OS: Solaris10 x86/x64 >> cc: /opt/solarisstudio12.4/bin/cc >> >> >> Best Regards, >> >> --- Kiyoshi >> >> > > > -- > Richard Levitte > levitte at openssl.org > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4452 > Please log in as guest with password guest if prompted > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4452 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 07:23:45 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sun, 20 Mar 2016 07:23:45 +0000 Subject: [openssl-dev] [openssl.org #4454] openssl-1.1.0-pre4: zlib-dynamic problems In-Reply-To: <945595.50082.qm@web101212.mail.kks.yahoo.co.jp> References: <945595.50082.qm@web101212.mail.kks.yahoo.co.jp> Message-ID: Tested with patch for #4444. (1) Default choice ??? INSTALL says zlib-dynamic is the default choice. ??? But ./config sets no-zlib-dynamic [default] (2) Make error with solaris64-x86_64-gcc shared zlib-dynamic ??? % mkdir build ??? % cd build ??? % ../Configure solaris64-x86_64-gcc shared zlib-dynamic ??? % make ????? : ? ?? ?? Undefined?????????????????????? first referenced ? ?? symbol???????????????????????????? in file ??? BIO_f_zlib????????????????????????? ./libcrypto.so ??? ld: fatal: symbol referencing errors. No output written to apps/openssl ??? collect2: error: ld returned 1 exit status ??? ../Makefile.shared:384: recipe for target 'link_app.solaris' failed ??? Combination of shared & zlib-dynamic causes this. ??? % ../Configure solaris64-x86_64-gcc shared; make; make test ??? passes. ??? % ../Configure solaris64-x86_64-gcc zlib-dynamic; make ??? passes, but make test fails (see (3)). (3) Test error with solaris64-x86_64-gcc zlib-dynamic ??? % ../Configure solaris64-x86_64-gcc zlib-dynamic ??? % make ??? % make test ????? : ? ?? ?? #?? Failed test 'compressed content test streaming PEM format' ? ?? ?? #?? at ../../test/recipes/80-test_cms.t line 452. ? ? ? ? # Looks like you failed 1 test of 11. ??? #?? Failed test 'CMS <=> CMS consistency tests, modified key parameters ??? # ' ??? #?? at ../../test/recipes/80-test_cms.t line 458. ??? # Looks like you failed 1 test of 4. ??? ../../test/recipes/80-test_cms.t ............. ??? Dubious, test returned 1 (wstat 256, 0x100) ??? Failed 1/4 subtests Test environment OS: Solaris10 x86/x64 Gcc: version 4.8.5 ld: /usr/ccs/bin/ld --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4454 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 07:56:02 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 20 Mar 2016 07:56:02 +0000 Subject: [openssl-dev] [openssl.org #4379] AutoReply: "arch/async_posix.h:67:24: error: ucontext.h: No such file or directory" under OpenBSD 5.7/64-bit In-Reply-To: References: Message-ID: Bump... Still present in 270862b470d43a28. cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/async/arch/async_null.o crypto/async/arch/async_null.c In file included from crypto/async/arch/../async_locl.h:69, from crypto/async/arch/async_null.c:54: crypto/async/arch/../arch/async_posix.h:67:24: error: ucontext.h: No such file or directory In file included from crypto/async/arch/../async_locl.h:69, from crypto/async/arch/async_null.c:54: crypto/async/arch/../arch/async_posix.h: In function 'async_fibre_swapcontext': crypto/async/arch/../arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' *** Error 1 in /home/jwalton/openssl (Makefile:1555 'crypto/async/arch/async_null.o') On Fri, Mar 4, 2016 at 9:22 PM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > ""arch/async_posix.h:67:24: error: ucontext.h: No such file or directory" under OpenBSD 5.7/64-bit", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4379]. > > Please include the string: > > [openssl.org #4379] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > > ------------------------------------------------------------------------- > cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN > -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM > -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 > -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -c > async.c -o async.o > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h:67:24: error: ucontext.h: No such file or directory > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h: In function 'async_fibre_swapcontext': > arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' > *** Error 1 in crypto/async (Makefile:65 'async.o') > *** Error 1 in crypto (Makefile:91 'subdirs') > *** Error 1 in /home/jwalton/openssl (Makefile:291 'build_crypto') > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4379 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 08:29:02 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 20 Mar 2016 08:29:02 +0000 Subject: [openssl-dev] [openssl.org #4455] OpenSUSE 42: undefined reference to `engine_load_afalg_internal' In-Reply-To: References: Message-ID: Working from Master at 270862b470d43a28: openssl> make depend && make clean && make ... CC='gcc' CFLAGS='-DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack ' \ LDFLAGS='' LIBRPATH='/usr/local/lib64' \ link_app. make[1]: Entering directory '/home/jwalton/openssl' ( :; LIBDEPS="${LIBDEPS:--L. -lssl -L. -lcrypto -ldl }"; LDCMD="${LDCMD:-gcc}"; LDFLAGS="${LDFLAGS:--DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack }"; LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; echo LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=apps/openssl} apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o ${LIBDEPS}; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${LDCMD} ${LDFLAGS} -o ${APPNAME:=apps/openssl} apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o ${LIBDEPS} ) LD_LIBRARY_PATH=.: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib64/engines" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -o apps/openssl apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o -L. -lssl -L. -lcrypto -ldl ./libcrypto.a(init.o): In function `ossl_init_engine_afalg': init.c:(.text+0x31): undefined reference to `engine_load_afalg_internal' collect2: error: ld returned 1 exit status Makefile.shared:186: recipe for target 'link_app.' failed make[1]: *** [link_app.] Error 1 make[1]: Leaving directory '/home/jwalton/openssl' Makefile:5994: recipe for target 'apps/openssl' failed make: *** [apps/openssl] Error 2 ********** openssl> ./config Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. ********* > uname -a Linux opensuse-42 4.1.12-1-default #1 SMP PREEMPT Thu Oct 29 06:43:42 UTC 2015 (e24bad1) x86_64 x86_64 x86_64 GNU/Linux > gcc --version gcc (SUSE Linux) 4.8.5 Copyright (C) 2015 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. > cat /etc/SuSE-release openSUSE 42.1 (x86_64) VERSION = 42.1 CODENAME = Malachite # /etc/SuSE-release is deprecated and will be removed in the future, use /etc/os-release instead > cat /etc/os-release NAME="openSUSE Leap" VERSION="42.1" VERSION_ID="42.1" PRETTY_NAME="openSUSE Leap 42.1 (x86_64)" ID=opensuse ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4455 Please log in as guest with password guest if prompted From openssl at roumenpetrov.info Sun Mar 20 09:23:05 2016 From: openssl at roumenpetrov.info (Roumen Petrov) Date: Sun, 20 Mar 2016 11:23:05 +0200 Subject: [openssl-dev] What about DSA_SIG_get0 ? Was: ECDSA_SIG_get0() for const ECDSA_SIG * In-Reply-To: References: <9A2D7FB40390D144BE9C16563F849C86045CA180@AS000EX.ifd.infodas.de> Message-ID: <56EE6BF9.1030405@roumenpetrov.info> Hello , Issue 4436 report only ECDSA_SIG_get0 but DSA is the same. Perhaps DSA_SIG_get0 could use constant signature pointer. Stephen Henson via RT wrote: > Fixed now. Closing ticket. > > Steve. > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see:http://www.openssl.org > Roumen From kurt at roeckx.be Sun Mar 20 11:00:04 2016 From: kurt at roeckx.be (Kurt Roeckx) Date: Sun, 20 Mar 2016 12:00:04 +0100 Subject: [openssl-dev] OS X 10.8, x86_64: 01-test_abort.t... sh: line 1: 71522 Abort trap: 6 In-Reply-To: References: <20160320.003120.2296223415468433471.levitte@openssl.org> Message-ID: <20160320110004.GA6409@roeckx.be> On Sat, Mar 19, 2016 at 07:41:28PM -0400, Jeffrey Walton wrote: > On Sat, Mar 19, 2016 at 7:31 PM, Richard Levitte wrote: > > In message on Sat, 19 Mar 2016 23:08:17 +0000, "noloader at gmail.com via RT" said: > > > > rt> On Sat, Mar 19, 2016 at 6:44 AM, Richard Levitte via RT wrote: > > rt> > I think that's a discussion that deserves its own new thread on openssl-dev. > > rt> > > > rt> > A RT ticket is *not* the right place for a philosophical discussion. Closing > > rt> > this. Please don't respond on this message, create a new thread instead. > > rt> > > rt> Thanks Richard. > > rt> > > rt> For me, its not open for debate. Its a point of data egress, so it > > rt> must not occur. What others do is there business. > > rt> > > rt> I'll configure without the "data loss" feature, and others can do what > > rt> they want :) > > > > Well, how about you go after the calls then. Complaining about the > > existence of OPENSSL_die or OPENSSL_assert is about as fruitful as > > complaining about the existence of abort() or assert()... That's how > > this "philosophical discussion" started out that that's your > > complaint, isn't it? If not, I'd like you to clarify. > > Allowing a library to make policy decisions for the application is a > philosophical debate. At least a few of us don't want asserts in the library in the normal version and think that it should be up to the application to decide what to do. I think we need something that for a debug build it triggers an abort (or whatever), but that for normal builds returns an error instead. > Allowing data to egress from the security boundary violates security > policies, and its not philosophical. I hope that core files aren't just send to a third party without at least asking the user. But I understand that at least Windows is doing this by default now without being able to turn it off. If the assert we added actually sees that things are in such a bad state that we'll likely crash soon anyway, it doesn't change much. And I guess the question is if the error is something we can recover from or not. Kurt From rt at openssl.org Sun Mar 20 12:31:51 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 20 Mar 2016 12:31:51 +0000 Subject: [openssl-dev] [openssl.org #4456] Fedora 1, i386: error: field `next_timeout` has incomplete type In-Reply-To: References: Message-ID: I know this is kind of an old machine with GCC 3.3... With an updated PERL and a './config no-asm -D_XOPEN_SOURCE=600', I can almost get through a compile. After libcrypto.a is built, the next compile line is: gcc ... -c -o ssl/bio_ssl.o ssl/bio_ssl.c At that point, there's a: In file included from ssl/bio_ssl.c:65 ssl/ssl_locl.h:1501: error: field `next_timeout` has incomplete type [ssl/bio_ssl.o] Error 1 The issue was cleared by adding to "ssl/ssl_locl.h". ********** ar r libcrypto.a crypto/aes/aes_cbc.o crypto/aes/aes_cfb.o crypto/aes/aes_core.o crypto/aes/aes_ecb.o crypto/aes/aes_ige.o crypto/aes/aes_misc.o crypto/aes/aes_ofb.o crypto/aes/aes_wrap.o crypto/asn1/a_bitstr.o crypto/asn1/a_d2i_fp.o crypto/asn1/a_digest.o crypto/asn1/a_dup.o crypto/asn1/a_gentm.o crypto/asn1/a_i2d_fp.o crypto/asn1/a_int.o crypto/asn1/a_mbstr.o crypto/asn1/a_object.o crypto/asn1/a_octet.o crypto/asn1/a_print.o crypto/asn1/a_sign.o crypto/asn1/a_strex.o crypto/asn1/a_strnid.o crypto/asn1/a_time.o crypto/asn1/a_type.o crypto/asn1/a_utctm.o crypto/asn1/a_utf8.o crypto/asn1/a_verify.o crypto/asn1/ameth_lib.o crypto/asn1/asn1_err.o crypto/asn1/asn1_gen.o crypto/asn1/asn1_lib.o crypto/asn1/asn1_par.o crypto/asn1/asn_mime.o crypto/asn1/asn_moid.o crypto/asn1/asn_mstbl.o crypto/asn1/asn_pack.o crypto/asn1/bio_asn1.o crypto/asn1/bio_ndef.o crypto/asn1/d2i_pr.o crypto/asn1/d2i_pu.o crypto/asn1/evp_asn1.o crypto/asn1/f_int.o crypto/asn1/f_string.o crypto/asn1/i2d_pr.o crypto/asn1/i2d_pu.o crypto/asn1/n_pkey.o crypto/asn1/nsseq.o crypto/asn1/p5_pbe.o crypto/asn1/p5_pbev2.o crypto/asn1/p5_scrypt.o crypto/asn1/p8_pkey.o crypto/asn1/t_bitst.o crypto/asn1/t_pkey.o crypto/asn1/t_spki.o crypto/asn1/tasn_dec.o crypto/asn1/tasn_enc.o crypto/asn1/tasn_fre.o crypto/asn1/tasn_new.o crypto/asn1/tasn_prn.o crypto/asn1/tasn_scn.o crypto/asn1/tasn_typ.o crypto/asn1/tasn_utl.o crypto/asn1/x_algor.o crypto/asn1/x_bignum.o crypto/asn1/x_info.o crypto/asn1/x_long.o crypto/asn1/x_pkey.o crypto/asn1/x_pubkey.o crypto/asn1/x_sig.o crypto/asn1/x_spki.o crypto/asn1/x_val.o crypto/async/arch/async_null.o crypto/async/arch/async_posix.o crypto/async/arch/async_win.o crypto/async/async.o crypto/async/async_err.o crypto/async/async_wait.o crypto/bf/bf_cfb64.o crypto/bf/bf_ecb.o crypto/bf/bf_enc.o crypto/bf/bf_ofb64.o crypto/bf/bf_skey.o crypto/bio/b_addr.o crypto/bio/b_dump.o crypto/bio/b_print.o crypto/bio/b_sock.o crypto/bio/b_sock2.o crypto/bio/bf_buff.o crypto/bio/bf_nbio.o crypto/bio/bf_null.o crypto/bio/bio_cb.o crypto/bio/bio_err.o crypto/bio/bio_lib.o crypto/bio/bss_acpt.o crypto/bio/bss_bio.o crypto/bio/bss_conn.o crypto/bio/bss_dgram.o crypto/bio/bss_fd.o crypto/bio/bss_file.o crypto/bio/bss_log.o crypto/bio/bss_mem.o crypto/bio/bss_null.o crypto/bio/bss_sock.o crypto/blake2/blake2b.o crypto/blake2/blake2s.o crypto/blake2/m_blake2b.o crypto/blake2/m_blake2s.o crypto/bn/bn_add.o crypto/bn/bn_asm.o crypto/bn/bn_blind.o crypto/bn/bn_const.o crypto/bn/bn_ctx.o crypto/bn/bn_depr.o crypto/bn/bn_dh.o crypto/bn/bn_div.o crypto/bn/bn_err.o crypto/bn/bn_exp.o crypto/bn/bn_exp2.o crypto/bn/bn_gcd.o crypto/bn/bn_gf2m.o crypto/bn/bn_intern.o crypto/bn/bn_kron.o crypto/bn/bn_lib.o crypto/bn/bn_mod.o crypto/bn/bn_mont.o crypto/bn/bn_mpi.o crypto/bn/bn_mul.o crypto/bn/bn_nist.o crypto/bn/bn_prime.o crypto/bn/bn_print.o crypto/bn/bn_rand.o crypto/bn/bn_recp.o crypto/bn/bn_shift.o crypto/bn/bn_sqr.o crypto/bn/bn_sqrt.o crypto/bn/bn_srp.o crypto/bn/bn_word.o crypto/bn/bn_x931p.o crypto/buffer/buf_err.o crypto/buffer/buffer.o crypto/camellia/camellia.o crypto/camellia/cmll_cbc.o crypto/camellia/cmll_cfb.o crypto/camellia/cmll_ctr.o crypto/camellia/cmll_ecb.o crypto/camellia/cmll_misc.o crypto/camellia/cmll_ofb.o crypto/cast/c_cfb64.o crypto/cast/c_ecb.o crypto/cast/c_enc.o crypto/cast/c_ofb64.o crypto/cast/c_skey.o crypto/chacha/chacha_enc.o crypto/cmac/cm_ameth.o crypto/cmac/cm_pmeth.o crypto/cmac/cmac.o crypto/cms/cms_asn1.o crypto/cms/cms_att.o crypto/cms/cms_cd.o crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o crypto/cms/cms_err.o crypto/cms/cms_ess.o crypto/cms/cms_io.o crypto/cms/cms_kari.o crypto/cms/cms_lib.o crypto/cms/cms_pwri.o crypto/cms/cms_sd.o crypto/cms/cms_smime.o crypto/comp/c_zlib.o crypto/comp/comp_err.o crypto/comp/comp_lib.o crypto/conf/conf_api.o crypto/conf/conf_def.o crypto/conf/conf_err.o crypto/conf/conf_lib.o crypto/conf/conf_mall.o crypto/conf/conf_mod.o crypto/conf/conf_sap.o crypto/cpt_err.o crypto/cryptlib.o crypto/ct/ct_b64.o crypto/ct/ct_err.o crypto/ct/ct_log.o crypto/ct/ct_oct.o crypto/ct/ct_policy.o crypto/ct/ct_prn.o crypto/ct/ct_sct.o crypto/ct/ct_sct_ctx.o crypto/ct/ct_vfy.o crypto/ct/ct_x509v3.o crypto/cversion.o crypto/des/cbc_cksm.o crypto/des/cbc_enc.o crypto/des/cfb64ede.o crypto/des/cfb64enc.o crypto/des/cfb_enc.o crypto/des/des_enc.o crypto/des/ecb3_enc.o crypto/des/ecb_enc.o crypto/des/enc_read.o crypto/des/enc_writ.o crypto/des/fcrypt.o crypto/des/fcrypt_b.o crypto/des/ofb64ede.o crypto/des/ofb64enc.o crypto/des/ofb_enc.o crypto/des/pcbc_enc.o crypto/des/qud_cksm.o crypto/des/rand_key.o crypto/des/read2pwd.o crypto/des/rpc_enc.o crypto/des/set_key.o crypto/des/str2key.o crypto/des/xcbc_enc.o crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o crypto/dh/dh_depr.o crypto/dh/dh_err.o crypto/dh/dh_gen.o crypto/dh/dh_kdf.o crypto/dh/dh_key.o crypto/dh/dh_lib.o crypto/dh/dh_pmeth.o crypto/dh/dh_prn.o crypto/dh/dh_rfc5114.o crypto/dsa/dsa_ameth.o crypto/dsa/dsa_asn1.o crypto/dsa/dsa_depr.o crypto/dsa/dsa_err.o crypto/dsa/dsa_gen.o crypto/dsa/dsa_key.o crypto/dsa/dsa_lib.o crypto/dsa/dsa_ossl.o crypto/dsa/dsa_pmeth.o crypto/dsa/dsa_prn.o crypto/dsa/dsa_sign.o crypto/dsa/dsa_vrf.o crypto/dso/dso_dl.o crypto/dso/dso_dlfcn.o crypto/dso/dso_err.o crypto/dso/dso_lib.o crypto/dso/dso_null.o crypto/dso/dso_openssl.o crypto/dso/dso_vms.o crypto/dso/dso_win32.o crypto/ebcdic.o crypto/ec/curve25519.o crypto/ec/ec2_mult.o crypto/ec/ec2_oct.o crypto/ec/ec2_smpl.o crypto/ec/ec_25519.o crypto/ec/ec_ameth.o crypto/ec/ec_asn1.o crypto/ec/ec_check.o crypto/ec/ec_curve.o crypto/ec/ec_cvt.o crypto/ec/ec_err.o crypto/ec/ec_key.o crypto/ec/ec_kmeth.o crypto/ec/ec_lib.o crypto/ec/ec_mult.o crypto/ec/ec_oct.o crypto/ec/ec_pmeth.o crypto/ec/ec_print.o crypto/ec/ecdh_kdf.o crypto/ec/ecdh_ossl.o crypto/ec/ecdsa_ossl.o crypto/ec/ecdsa_sign.o crypto/ec/ecdsa_vrf.o crypto/ec/eck_prn.o crypto/ec/ecp_mont.o crypto/ec/ecp_nist.o crypto/ec/ecp_nistp224.o crypto/ec/ecp_nistp256.o crypto/ec/ecp_nistp521.o crypto/ec/ecp_nistputil.o crypto/ec/ecp_oct.o crypto/ec/ecp_smpl.o crypto/engine/eng_all.o crypto/engine/eng_cnf.o crypto/engine/eng_cryptodev.o crypto/engine/eng_ctrl.o crypto/engine/eng_dyn.o crypto/engine/eng_err.o crypto/engine/eng_fat.o crypto/engine/eng_init.o crypto/engine/eng_lib.o crypto/engine/eng_list.o crypto/engine/eng_openssl.o crypto/engine/eng_pkey.o crypto/engine/eng_rdrand.o crypto/engine/eng_table.o crypto/engine/tb_asnmth.o crypto/engine/tb_cipher.o crypto/engine/tb_dh.o crypto/engine/tb_digest.o crypto/engine/tb_dsa.o crypto/engine/tb_eckey.o crypto/engine/tb_pkmeth.o crypto/engine/tb_rand.o crypto/engine/tb_rsa.o crypto/err/err.o crypto/err/err_all.o crypto/err/err_prn.o crypto/evp/bio_b64.o crypto/evp/bio_enc.o crypto/evp/bio_md.o crypto/evp/bio_ok.o crypto/evp/c_allc.o crypto/evp/c_alld.o crypto/evp/cmeth_lib.o crypto/evp/digest.o crypto/evp/e_aes.o crypto/evp/e_aes_cbc_hmac_sha1.o crypto/evp/e_aes_cbc_hmac_sha256.o crypto/evp/e_bf.o crypto/evp/e_camellia.o crypto/evp/e_cast.o crypto/evp/e_chacha20_poly1305.o crypto/evp/e_des.o crypto/evp/e_des3.o crypto/evp/e_idea.o crypto/evp/e_null.o crypto/evp/e_old.o crypto/evp/e_rc2.o crypto/evp/e_rc4.o crypto/evp/e_rc4_hmac_md5.o crypto/evp/e_rc5.o crypto/evp/e_seed.o crypto/evp/e_xcbc_d.o crypto/evp/encode.o crypto/evp/evp_cnf.o crypto/evp/evp_enc.o crypto/evp/evp_err.o crypto/evp/evp_key.o crypto/evp/evp_lib.o crypto/evp/evp_pbe.o crypto/evp/evp_pkey.o crypto/evp/m_md2.o crypto/evp/m_md4.o crypto/evp/m_md5.o crypto/evp/m_md5_sha1.o crypto/evp/m_mdc2.o crypto/evp/m_null.o crypto/evp/m_ripemd.o crypto/evp/m_sha1.o crypto/evp/m_sigver.o crypto/evp/m_wp.o crypto/evp/names.o crypto/evp/p5_crpt.o crypto/evp/p5_crpt2.o crypto/evp/p_dec.o crypto/evp/p_enc.o crypto/evp/p_lib.o crypto/evp/p_open.o crypto/evp/p_seal.o crypto/evp/p_sign.o crypto/evp/p_verify.o crypto/evp/pmeth_fn.o crypto/evp/pmeth_gn.o crypto/evp/pmeth_lib.o crypto/evp/scrypt.o crypto/ex_data.o crypto/hmac/hm_ameth.o crypto/hmac/hm_pmeth.o crypto/hmac/hmac.o crypto/idea/i_cbc.o crypto/idea/i_cfb64.o crypto/idea/i_ecb.o crypto/idea/i_ofb64.o crypto/idea/i_skey.o crypto/init.o crypto/kdf/hkdf.o crypto/kdf/kdf_err.o crypto/kdf/tls1_prf.o crypto/lhash/lh_stats.o crypto/lhash/lhash.o crypto/md4/md4_dgst.o crypto/md4/md4_one.o crypto/md5/md5_dgst.o crypto/md5/md5_one.o crypto/mdc2/mdc2_one.o crypto/mdc2/mdc2dgst.o crypto/mem.o crypto/mem_clr.o crypto/mem_dbg.o crypto/mem_sec.o crypto/modes/cbc128.o crypto/modes/ccm128.o crypto/modes/cfb128.o crypto/modes/ctr128.o crypto/modes/cts128.o crypto/modes/gcm128.o crypto/modes/ocb128.o crypto/modes/ofb128.o crypto/modes/wrap128.o crypto/modes/xts128.o crypto/o_dir.o crypto/o_fips.o crypto/o_init.o crypto/o_str.o crypto/o_time.o crypto/objects/o_names.o crypto/objects/obj_dat.o crypto/objects/obj_err.o crypto/objects/obj_lib.o crypto/objects/obj_xref.o crypto/ocsp/ocsp_asn.o crypto/ocsp/ocsp_cl.o crypto/ocsp/ocsp_err.o crypto/ocsp/ocsp_ext.o crypto/ocsp/ocsp_ht.o crypto/ocsp/ocsp_lib.o crypto/ocsp/ocsp_prn.o crypto/ocsp/ocsp_srv.o crypto/ocsp/ocsp_vfy.o crypto/ocsp/v3_ocsp.o crypto/pem/pem_all.o crypto/pem/pem_err.o crypto/pem/pem_info.o crypto/pem/pem_lib.o crypto/pem/pem_oth.o crypto/pem/pem_pk8.o crypto/pem/pem_pkey.o crypto/pem/pem_sign.o crypto/pem/pem_x509.o crypto/pem/pem_xaux.o crypto/pem/pvkfmt.o crypto/pkcs12/p12_add.o crypto/pkcs12/p12_asn.o crypto/pkcs12/p12_attr.o crypto/pkcs12/p12_crpt.o crypto/pkcs12/p12_crt.o crypto/pkcs12/p12_decr.o crypto/pkcs12/p12_init.o crypto/pkcs12/p12_key.o crypto/pkcs12/p12_kiss.o crypto/pkcs12/p12_mutl.o crypto/pkcs12/p12_npas.o crypto/pkcs12/p12_p8d.o crypto/pkcs12/p12_p8e.o crypto/pkcs12/p12_sbag.o crypto/pkcs12/p12_utl.o crypto/pkcs12/pk12err.o crypto/pkcs7/bio_pk7.o crypto/pkcs7/pk7_asn1.o crypto/pkcs7/pk7_attr.o crypto/pkcs7/pk7_doit.o crypto/pkcs7/pk7_lib.o crypto/pkcs7/pk7_mime.o crypto/pkcs7/pk7_smime.o crypto/pkcs7/pkcs7err.o crypto/poly1305/poly1305.o crypto/rand/md_rand.o crypto/rand/rand_egd.o crypto/rand/rand_err.o crypto/rand/rand_lib.o crypto/rand/rand_unix.o crypto/rand/rand_vms.o crypto/rand/rand_win.o crypto/rand/randfile.o crypto/rc2/rc2_cbc.o crypto/rc2/rc2_ecb.o crypto/rc2/rc2_skey.o crypto/rc2/rc2cfb64.o crypto/rc2/rc2ofb64.o crypto/rc4/rc4_enc.o crypto/rc4/rc4_skey.o crypto/ripemd/rmd_dgst.o crypto/ripemd/rmd_one.o crypto/rsa/rsa_ameth.o crypto/rsa/rsa_asn1.o crypto/rsa/rsa_chk.o crypto/rsa/rsa_crpt.o crypto/rsa/rsa_depr.o crypto/rsa/rsa_err.o crypto/rsa/rsa_gen.o crypto/rsa/rsa_lib.o crypto/rsa/rsa_none.o crypto/rsa/rsa_null.o crypto/rsa/rsa_oaep.o crypto/rsa/rsa_ossl.o crypto/rsa/rsa_pk1.o crypto/rsa/rsa_pmeth.o crypto/rsa/rsa_prn.o crypto/rsa/rsa_pss.o crypto/rsa/rsa_saos.o crypto/rsa/rsa_sign.o crypto/rsa/rsa_ssl.o crypto/rsa/rsa_x931.o crypto/rsa/rsa_x931g.o crypto/seed/seed.o crypto/seed/seed_cbc.o crypto/seed/seed_cfb.o crypto/seed/seed_ecb.o crypto/seed/seed_ofb.o crypto/sha/sha1_one.o crypto/sha/sha1dgst.o crypto/sha/sha256.o crypto/sha/sha512.o crypto/srp/srp_lib.o crypto/srp/srp_vfy.o crypto/stack/stack.o crypto/threads_none.o crypto/threads_pthread.o crypto/threads_win.o crypto/ts/ts_asn1.o crypto/ts/ts_conf.o crypto/ts/ts_err.o crypto/ts/ts_lib.o crypto/ts/ts_req_print.o crypto/ts/ts_req_utils.o crypto/ts/ts_rsp_print.o crypto/ts/ts_rsp_sign.o crypto/ts/ts_rsp_utils.o crypto/ts/ts_rsp_verify.o crypto/ts/ts_verify_ctx.o crypto/txt_db/txt_db.o crypto/ui/ui_err.o crypto/ui/ui_lib.o crypto/ui/ui_openssl.o crypto/ui/ui_util.o crypto/uid.o crypto/whrlpool/wp_block.o crypto/whrlpool/wp_dgst.o crypto/x509/by_dir.o crypto/x509/by_file.o crypto/x509/t_crl.o crypto/x509/t_req.o crypto/x509/t_x509.o crypto/x509/x509_att.o crypto/x509/x509_cmp.o crypto/x509/x509_d2.o crypto/x509/x509_def.o crypto/x509/x509_err.o crypto/x509/x509_ext.o crypto/x509/x509_lu.o crypto/x509/x509_obj.o crypto/x509/x509_r2x.o crypto/x509/x509_req.o crypto/x509/x509_set.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o crypto/x509/x509cset.o crypto/x509/x509name.o crypto/x509/x509rset.o crypto/x509/x509spki.o crypto/x509/x509type.o crypto/x509/x_all.o crypto/x509/x_attrib.o crypto/x509/x_crl.o crypto/x509/x_exten.o crypto/x509/x_name.o crypto/x509/x_req.o crypto/x509/x_x509.o crypto/x509/x_x509a.o crypto/x509v3/pcy_cache.o crypto/x509v3/pcy_data.o crypto/x509v3/pcy_lib.o crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o crypto/x509v3/pcy_tree.o crypto/x509v3/v3_addr.o crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o crypto/x509v3/v3_alt.o crypto/x509v3/v3_asid.o crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o crypto/x509v3/v3_crld.o crypto/x509v3/v3_enum.o crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_pci.o crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o crypto/x509v3/v3_sxnet.o crypto/x509v3/v3_tlsf.o crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o engines/e_capi.o engines/e_dasync.o engines/e_padlock.o /usr/bin/ranlib libcrypto.a || echo Never mind. gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -D_XOPEN_SOURCE=600 -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -DL_ENDIAN -fomit-frame-pointer -fPIC -Iinclude -I. -c -o ssl/bio_ssl.o ssl/bio_ssl.c In file included from ssl/bio_ssl.c:65: ssl/ssl_locl.h:1501: error: field `next_timeout' has incomplete type -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4456 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 12:50:21 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 20 Mar 2016 12:50:21 +0000 Subject: [openssl-dev] [openssl.org #4457] apps/apps.c and apps/ocsp.c needs for fd_set In-Reply-To: References: Message-ID: This is the old Fedora 1 machine again... apps/apps.c and apps/ocsp.c failed to compile because fd_set was not known to the compiler. fd_set is defined in . Also see http://pubs.opengroup.org/onlinepubs/009696899/basedefs/sys/select.h.html. According to the Open Group, timeval is also defined there. ********** $ grep -IR fd_set * apps/apps.c: fd_set asyncfds; apps/ocsp.c:# define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined apps/ocsp.c: fd_set confds; apps/s_apps.h: * VAX C does not defined fd_set and friends, but it's actually quite simple apps/s_apps.h:typedef fd_mask fd_set; apps/s_client.c: fd_set readfds, writefds; apps/s_server.c: fd_set readfds; apps/s_server.c: fd_set readfds; apps/s_time.c: fd_set readfds; apps/speed.c: fd_set waitfdset; crypto/rand/rand_unix.c:# define FD_SETSIZE (8*sizeof(fd_set)) crypto/rand/rand_unix.c: fd_set fset; doc/crypto/ASYNC_start_job.pod: fd_set waitfdset; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4457 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 13:07:43 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 20 Mar 2016 13:07:43 +0000 Subject: [openssl-dev] [openssl.org #4458] "implicitly declared function" warnings due to missing include In-Reply-To: References: Message-ID: The missing include caused a number of "implicitly declared function" warnings due to use of strcmpcase and strncmpcase. $ egrep -IR '(strcasecmp|strncasecmp)' * | cut -f 1 -d ':' | sort | uniq apps/apps.c apps/ca.c apps/ocsp.c apps/rehash.c apps/s_server.c crypto/asn1/ameth_lib.c crypto/engine/tb_asnmth.c crypto/o_str.c crypto/x509v3/v3_ncons.c crypto/x509v3/v3_tlsf.c crypto/x509v3/v3_utl.c e_os.h include/internal/o_str.h ssl/ssl_conf.c test/ssltest.c test/v3nametest.c -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4458 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 14:07:04 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sun, 20 Mar 2016 14:07:04 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> Message-ID: With patch for #4444, % mkdir /tmp/install_check % ./config --prefix=/tmp/install_check ??? : Configured for solaris64-x86_64-gcc. % make (passed) % make test (passed) % make install ??? : install openssl.pc -> /tmp/install_check/lib/pkgconfig/openssl.pc *** Installing engines /bin/sh: syntax error at line 1: `;' unexpected Makefile:251: recipe for target 'install_engines' failed make: *** [install_engines] Error 2 OS: Solaris10 x86/x64 Best Regards, --- Kiyoshi -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Sun Mar 20 14:41:09 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Sun, 20 Mar 2016 15:41:09 +0100 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> Message-ID: <56EEB685.6070408@kippdata.de> Am 20.03.2016 um 15:07 schrieb Kiyoshi KANAZAWA via RT: > With patch for #4444, > > > % mkdir /tmp/install_check > % ./config --prefix=/tmp/install_check > > : > Configured for solaris64-x86_64-gcc. > > % make > (passed) > > % make test > (passed) > > % make install > : > install openssl.pc -> /tmp/install_check/lib/pkgconfig/openssl.pc > *** Installing engines > /bin/sh: syntax error at line 1: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > > OS: Solaris10 x86/x64 Could it be that the ENGINES variable in the top level Makefile is empty? On my Solaris Sparc system it is ENGINES=engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so (line 24) To debug, you might look for the line starting with install_engines: and then change the @set -e; ... a few lines down into @set -ex; ... (add the "x") and run "make install" again. Regards, Rainer From rt at openssl.org Sun Mar 20 14:41:22 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Sun, 20 Mar 2016 14:41:22 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <56EEB685.6070408@kippdata.de> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> Message-ID: Am 20.03.2016 um 15:07 schrieb Kiyoshi KANAZAWA via RT: > With patch for #4444, > > > % mkdir /tmp/install_check > % ./config --prefix=/tmp/install_check > > : > Configured for solaris64-x86_64-gcc. > > % make > (passed) > > % make test > (passed) > > % make install > : > install openssl.pc -> /tmp/install_check/lib/pkgconfig/openssl.pc > *** Installing engines > /bin/sh: syntax error at line 1: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > > OS: Solaris10 x86/x64 Could it be that the ENGINES variable in the top level Makefile is empty? On my Solaris Sparc system it is ENGINES=engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so (line 24) To debug, you might look for the line starting with install_engines: and then change the @set -e; ... a few lines down into @set -ex; ... (add the "x") and run "make install" again. Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 15:03:38 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 20 Mar 2016 15:03:38 +0000 Subject: [openssl-dev] [openssl.org #4413] AutoReply: Cygwin x86_64: make: *** No rule to make target '/openssl/Configurations/unix-Makefile.tmpl', needed by 'configdata.pm'. In-Reply-To: References: Message-ID: Well, this appears to be cleared as of commit 270862b470d43a28 (likely well before the commit). The test programs compile and complete with success. Is this what is intended for command lines? It looks a tad bit odd to me, and I wonder if there are potential problems lurking behind the scenes. gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -DTERMIOS -DL_ENDIAN -Wall -O3 -D_WINDLL -I../../Jeffrey -IWalton/openssl/include -I. -Icrypto/include -Iinclude -Icrypto/bn/Walton/openssl/crypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o crypto/aes/aes-x86_64.s On Fri, Mar 11, 2016 at 3:07 AM, The default queue via RT wrote: > > ... > $ ./config > ... > $ make depend > > > $ make > make: *** No rule to make target > 'Walton/openssl/Configurations/unix-Makefile.tmpl', needed by > 'configdata.pm'. Stop. > > And: > > $ echo $PWD > /home/Jeffrey Walton/openssl > > HOME for Cygwin-x64 on the Windows filesystem is: > "C:\cygwin-x86_64\home\Jeffrey Walton". > > Two weeks ago I was able to complete the exercise. > > ********** > > $ ./config > Operating system: x86_64-pc-cygwin > Configuring for Cygwin-x86_64 > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for Cygwin-x86_64 > IsMK1MF =no > CC =gcc > CFLAG =-DTERMIOS -DL_ENDIAN -Wall -O3 > SHARED_CFLAG =-D_WINDLL > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_NO_STATIC_ENGINE > OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 > OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM > VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS = > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o > x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o > aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o > aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o > sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > PROCESSOR = > RANLIB =/usr/bin/ranlib.exe > ARFLAGS = > PERL =/usr/bin/perl.exe > > SIXTY_FOUR_BIT_LONG mode > > Configured for Cygwin-x86_64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4413 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 20 15:46:35 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sun, 20 Mar 2016 15:46:35 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> Message-ID: Hello, Yes, ENGINES in the top level Makefile is empty. ?? 22:? LIBS=libcrypto.a libssl.a ?? 23:? SHLIBS= ?? 24:? ENGINES= ?? 25:? PROGRAMS=apps/openssl Changing Makefile has no effect. % make install ??? : /bin/sh: syntax error at line 1: `;' unexpected Makefile:251: recipe for target 'install_engines' failed make: *** [install_engines] Error 2 Makefile is changed as: % diff -c5 Makefile.orig Makefile *** Makefile.orig?????? 2016-03-21 00:26:45.677312045 +0900 --- Makefile??? 2016-03-21 00:41:29.792734235 +0900 *************** *** 249,259 **** ? ? install_engines: ??????? @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) ??????? @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/ ??????? @echo "*** Installing engines" !?????? @set -e; for e in $(ENGINES); do \ ??????????????? fn=`basename $$e`; \ ??????????????? if [ "$$fn" = 'ossltest.so' ]; then \ ??????????????????????? continue; \ ??????????????? fi; \ ??????????????? echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn"; \ --- 249,259 ---- ? ? install_engines: ??????? @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) ??????? @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/ ??????? @echo "*** Installing engines" !?????? @set -ex; for e in $(ENGINES); do \ ??????????????? fn=`basename $$e`; \ ??????????????? if [ "$$fn" = 'ossltest.so' ]; then \ ??????????????????????? continue; \ ??????????????? fi; \ ??????????????? echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn"; \ Regards, --- Kiyoshi > Am 20.03.2016 um 15:07 schrieb Kiyoshi KANAZAWA via RT: >> With patch for #4444, >> >> >> % mkdir /tmp/install_check >> % ./config --prefix=/tmp/install_check >> >> ? ? ? : >> Configured for solaris64-x86_64-gcc. >> >> % make >> (passed) >> >> % make test >> (passed) >> >> % make install >> ? ? ? : >> install openssl.pc -> /tmp/install_check/lib/pkgconfig/openssl.pc >> *** Installing engines >> /bin/sh: syntax error at line 1: `;' unexpected >> Makefile:251: recipe for target 'install_engines' failed >> make: *** [install_engines] Error 2 >> >> >> >> OS: Solaris10 x86/x64 > > Could it be that the ENGINES variable in the top level Makefile is > empty? On my Solaris Sparc system it is > > ENGINES=engines/capi.so engines/dasync.so engines/ossltest.so > engines/padlock.so > > (line 24) > > To debug, you might look for the line starting with > > install_engines: > > and then change the > > @set -e; ... > > a few lines down into > > @set -ex; ... > > (add the "x") and run "make install" again. > > Regards, > > Rainer > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 > Please log in as guest with password guest if prompted > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Sun Mar 20 16:16:30 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Sun, 20 Mar 2016 17:16:30 +0100 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> Message-ID: <56EECCDE.7080607@kippdata.de> Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: > Hello, > > Yes, ENGINES in the top level Makefile is empty. > > 22: LIBS=libcrypto.a libssl.a > 23: SHLIBS= > 24: ENGINES= > 25: PROGRAMS=apps/openssl OK, that explains the error, because the install_engines target then contains a shell snippet for e in ; do ($(ENGINES) is empty, but since it is not used as a shell variable but instead as a make variable, that is the resulting for loop). That results in /bin/sh: syntax error at line 1: `;' unexpected at least for /bin/sh on Solaris. So we need to add special handling in $(ENGINES) is empty. You could try the attached patch. Regards, Rainer -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl-install-engines.patch Type: text/x-diff Size: 795 bytes Desc: not available URL: From rt at openssl.org Sun Mar 20 16:16:38 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Sun, 20 Mar 2016 16:16:38 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <56EECCDE.7080607@kippdata.de> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> <56EECCDE.7080607@kippdata.de> Message-ID: Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: > Hello, > > Yes, ENGINES in the top level Makefile is empty. > > 22: LIBS=libcrypto.a libssl.a > 23: SHLIBS= > 24: ENGINES= > 25: PROGRAMS=apps/openssl OK, that explains the error, because the install_engines target then contains a shell snippet for e in ; do ($(ENGINES) is empty, but since it is not used as a shell variable but instead as a make variable, that is the resulting for loop). That results in /bin/sh: syntax error at line 1: `;' unexpected at least for /bin/sh on Solaris. So we need to add special handling in $(ENGINES) is empty. You could try the attached patch. Regards, Rainer -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl-install-engines.patch Type: text/x-diff Size: 795 bytes Desc: not available URL: From rt at openssl.org Sun Mar 20 18:45:57 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 20 Mar 2016 18:45:57 +0000 Subject: [openssl-dev] [openssl.org #4456] Fedora 1, i386: error: field `next_timeout` has incomplete type In-Reply-To: <20160320.194548.286469873540532506.levitte@openssl.org> References: <20160320.194548.286469873540532506.levitte@openssl.org> Message-ID: '#include ' should be added in e_os.h rather than ssl/ssl_locl.h In message on Sun, 20 Mar 2016 12:31:51 +0000, "noloader at gmail.com via RT" said: rt> I know this is kind of an old machine with GCC 3.3... rt> rt> With an updated PERL and a './config no-asm -D_XOPEN_SOURCE=600', I rt> can almost get through a compile. After libcrypto.a is built, the next rt> compile line is: rt> rt> gcc ... -c -o ssl/bio_ssl.o ssl/bio_ssl.c rt> rt> At that point, there's a: rt> rt> In file included from ssl/bio_ssl.c:65 rt> ssl/ssl_locl.h:1501: error: field `next_timeout` has incomplete type rt> [ssl/bio_ssl.o] Error 1 rt> rt> The issue was cleared by adding to "ssl/ssl_locl.h". rt> rt> ********** rt> rt> ar r libcrypto.a crypto/aes/aes_cbc.o crypto/aes/aes_cfb.o rt> crypto/aes/aes_core.o crypto/aes/aes_ecb.o crypto/aes/aes_ige.o rt> crypto/aes/aes_misc.o crypto/aes/aes_ofb.o crypto/aes/aes_wrap.o rt> crypto/asn1/a_bitstr.o crypto/asn1/a_d2i_fp.o crypto/asn1/a_digest.o rt> crypto/asn1/a_dup.o crypto/asn1/a_gentm.o crypto/asn1/a_i2d_fp.o rt> crypto/asn1/a_int.o crypto/asn1/a_mbstr.o crypto/asn1/a_object.o rt> crypto/asn1/a_octet.o crypto/asn1/a_print.o crypto/asn1/a_sign.o rt> crypto/asn1/a_strex.o crypto/asn1/a_strnid.o crypto/asn1/a_time.o rt> crypto/asn1/a_type.o crypto/asn1/a_utctm.o crypto/asn1/a_utf8.o rt> crypto/asn1/a_verify.o crypto/asn1/ameth_lib.o crypto/asn1/asn1_err.o rt> crypto/asn1/asn1_gen.o crypto/asn1/asn1_lib.o crypto/asn1/asn1_par.o rt> crypto/asn1/asn_mime.o crypto/asn1/asn_moid.o crypto/asn1/asn_mstbl.o rt> crypto/asn1/asn_pack.o crypto/asn1/bio_asn1.o crypto/asn1/bio_ndef.o rt> crypto/asn1/d2i_pr.o crypto/asn1/d2i_pu.o crypto/asn1/evp_asn1.o rt> crypto/asn1/f_int.o crypto/asn1/f_string.o crypto/asn1/i2d_pr.o rt> crypto/asn1/i2d_pu.o crypto/asn1/n_pkey.o crypto/asn1/nsseq.o rt> crypto/asn1/p5_pbe.o crypto/asn1/p5_pbev2.o crypto/asn1/p5_scrypt.o rt> crypto/asn1/p8_pkey.o crypto/asn1/t_bitst.o crypto/asn1/t_pkey.o rt> crypto/asn1/t_spki.o crypto/asn1/tasn_dec.o crypto/asn1/tasn_enc.o rt> crypto/asn1/tasn_fre.o crypto/asn1/tasn_new.o crypto/asn1/tasn_prn.o rt> crypto/asn1/tasn_scn.o crypto/asn1/tasn_typ.o crypto/asn1/tasn_utl.o rt> crypto/asn1/x_algor.o crypto/asn1/x_bignum.o crypto/asn1/x_info.o rt> crypto/asn1/x_long.o crypto/asn1/x_pkey.o crypto/asn1/x_pubkey.o rt> crypto/asn1/x_sig.o crypto/asn1/x_spki.o crypto/asn1/x_val.o rt> crypto/async/arch/async_null.o crypto/async/arch/async_posix.o rt> crypto/async/arch/async_win.o crypto/async/async.o rt> crypto/async/async_err.o crypto/async/async_wait.o rt> crypto/bf/bf_cfb64.o crypto/bf/bf_ecb.o crypto/bf/bf_enc.o rt> crypto/bf/bf_ofb64.o crypto/bf/bf_skey.o crypto/bio/b_addr.o rt> crypto/bio/b_dump.o crypto/bio/b_print.o crypto/bio/b_sock.o rt> crypto/bio/b_sock2.o crypto/bio/bf_buff.o crypto/bio/bf_nbio.o rt> crypto/bio/bf_null.o crypto/bio/bio_cb.o crypto/bio/bio_err.o rt> crypto/bio/bio_lib.o crypto/bio/bss_acpt.o crypto/bio/bss_bio.o rt> crypto/bio/bss_conn.o crypto/bio/bss_dgram.o crypto/bio/bss_fd.o rt> crypto/bio/bss_file.o crypto/bio/bss_log.o crypto/bio/bss_mem.o rt> crypto/bio/bss_null.o crypto/bio/bss_sock.o crypto/blake2/blake2b.o rt> crypto/blake2/blake2s.o crypto/blake2/m_blake2b.o rt> crypto/blake2/m_blake2s.o crypto/bn/bn_add.o crypto/bn/bn_asm.o rt> crypto/bn/bn_blind.o crypto/bn/bn_const.o crypto/bn/bn_ctx.o rt> crypto/bn/bn_depr.o crypto/bn/bn_dh.o crypto/bn/bn_div.o rt> crypto/bn/bn_err.o crypto/bn/bn_exp.o crypto/bn/bn_exp2.o rt> crypto/bn/bn_gcd.o crypto/bn/bn_gf2m.o crypto/bn/bn_intern.o rt> crypto/bn/bn_kron.o crypto/bn/bn_lib.o crypto/bn/bn_mod.o rt> crypto/bn/bn_mont.o crypto/bn/bn_mpi.o crypto/bn/bn_mul.o rt> crypto/bn/bn_nist.o crypto/bn/bn_prime.o crypto/bn/bn_print.o rt> crypto/bn/bn_rand.o crypto/bn/bn_recp.o crypto/bn/bn_shift.o rt> crypto/bn/bn_sqr.o crypto/bn/bn_sqrt.o crypto/bn/bn_srp.o rt> crypto/bn/bn_word.o crypto/bn/bn_x931p.o crypto/buffer/buf_err.o rt> crypto/buffer/buffer.o crypto/camellia/camellia.o rt> crypto/camellia/cmll_cbc.o crypto/camellia/cmll_cfb.o rt> crypto/camellia/cmll_ctr.o crypto/camellia/cmll_ecb.o rt> crypto/camellia/cmll_misc.o crypto/camellia/cmll_ofb.o rt> crypto/cast/c_cfb64.o crypto/cast/c_ecb.o crypto/cast/c_enc.o rt> crypto/cast/c_ofb64.o crypto/cast/c_skey.o crypto/chacha/chacha_enc.o rt> crypto/cmac/cm_ameth.o crypto/cmac/cm_pmeth.o crypto/cmac/cmac.o rt> crypto/cms/cms_asn1.o crypto/cms/cms_att.o crypto/cms/cms_cd.o rt> crypto/cms/cms_dd.o crypto/cms/cms_enc.o crypto/cms/cms_env.o rt> crypto/cms/cms_err.o crypto/cms/cms_ess.o crypto/cms/cms_io.o rt> crypto/cms/cms_kari.o crypto/cms/cms_lib.o crypto/cms/cms_pwri.o rt> crypto/cms/cms_sd.o crypto/cms/cms_smime.o crypto/comp/c_zlib.o rt> crypto/comp/comp_err.o crypto/comp/comp_lib.o crypto/conf/conf_api.o rt> crypto/conf/conf_def.o crypto/conf/conf_err.o crypto/conf/conf_lib.o rt> crypto/conf/conf_mall.o crypto/conf/conf_mod.o crypto/conf/conf_sap.o rt> crypto/cpt_err.o crypto/cryptlib.o crypto/ct/ct_b64.o rt> crypto/ct/ct_err.o crypto/ct/ct_log.o crypto/ct/ct_oct.o rt> crypto/ct/ct_policy.o crypto/ct/ct_prn.o crypto/ct/ct_sct.o rt> crypto/ct/ct_sct_ctx.o crypto/ct/ct_vfy.o crypto/ct/ct_x509v3.o rt> crypto/cversion.o crypto/des/cbc_cksm.o crypto/des/cbc_enc.o rt> crypto/des/cfb64ede.o crypto/des/cfb64enc.o crypto/des/cfb_enc.o rt> crypto/des/des_enc.o crypto/des/ecb3_enc.o crypto/des/ecb_enc.o rt> crypto/des/enc_read.o crypto/des/enc_writ.o crypto/des/fcrypt.o rt> crypto/des/fcrypt_b.o crypto/des/ofb64ede.o crypto/des/ofb64enc.o rt> crypto/des/ofb_enc.o crypto/des/pcbc_enc.o crypto/des/qud_cksm.o rt> crypto/des/rand_key.o crypto/des/read2pwd.o crypto/des/rpc_enc.o rt> crypto/des/set_key.o crypto/des/str2key.o crypto/des/xcbc_enc.o rt> crypto/dh/dh_ameth.o crypto/dh/dh_asn1.o crypto/dh/dh_check.o rt> crypto/dh/dh_depr.o crypto/dh/dh_err.o crypto/dh/dh_gen.o rt> crypto/dh/dh_kdf.o crypto/dh/dh_key.o crypto/dh/dh_lib.o rt> crypto/dh/dh_pmeth.o crypto/dh/dh_prn.o crypto/dh/dh_rfc5114.o rt> crypto/dsa/dsa_ameth.o crypto/dsa/dsa_asn1.o crypto/dsa/dsa_depr.o rt> crypto/dsa/dsa_err.o crypto/dsa/dsa_gen.o crypto/dsa/dsa_key.o rt> crypto/dsa/dsa_lib.o crypto/dsa/dsa_ossl.o crypto/dsa/dsa_pmeth.o rt> crypto/dsa/dsa_prn.o crypto/dsa/dsa_sign.o crypto/dsa/dsa_vrf.o rt> crypto/dso/dso_dl.o crypto/dso/dso_dlfcn.o crypto/dso/dso_err.o rt> crypto/dso/dso_lib.o crypto/dso/dso_null.o crypto/dso/dso_openssl.o rt> crypto/dso/dso_vms.o crypto/dso/dso_win32.o crypto/ebcdic.o rt> crypto/ec/curve25519.o crypto/ec/ec2_mult.o crypto/ec/ec2_oct.o rt> crypto/ec/ec2_smpl.o crypto/ec/ec_25519.o crypto/ec/ec_ameth.o rt> crypto/ec/ec_asn1.o crypto/ec/ec_check.o crypto/ec/ec_curve.o rt> crypto/ec/ec_cvt.o crypto/ec/ec_err.o crypto/ec/ec_key.o rt> crypto/ec/ec_kmeth.o crypto/ec/ec_lib.o crypto/ec/ec_mult.o rt> crypto/ec/ec_oct.o crypto/ec/ec_pmeth.o crypto/ec/ec_print.o rt> crypto/ec/ecdh_kdf.o crypto/ec/ecdh_ossl.o crypto/ec/ecdsa_ossl.o rt> crypto/ec/ecdsa_sign.o crypto/ec/ecdsa_vrf.o crypto/ec/eck_prn.o rt> crypto/ec/ecp_mont.o crypto/ec/ecp_nist.o crypto/ec/ecp_nistp224.o rt> crypto/ec/ecp_nistp256.o crypto/ec/ecp_nistp521.o rt> crypto/ec/ecp_nistputil.o crypto/ec/ecp_oct.o crypto/ec/ecp_smpl.o rt> crypto/engine/eng_all.o crypto/engine/eng_cnf.o rt> crypto/engine/eng_cryptodev.o crypto/engine/eng_ctrl.o rt> crypto/engine/eng_dyn.o crypto/engine/eng_err.o rt> crypto/engine/eng_fat.o crypto/engine/eng_init.o rt> crypto/engine/eng_lib.o crypto/engine/eng_list.o rt> crypto/engine/eng_openssl.o crypto/engine/eng_pkey.o rt> crypto/engine/eng_rdrand.o crypto/engine/eng_table.o rt> crypto/engine/tb_asnmth.o crypto/engine/tb_cipher.o rt> crypto/engine/tb_dh.o crypto/engine/tb_digest.o crypto/engine/tb_dsa.o rt> crypto/engine/tb_eckey.o crypto/engine/tb_pkmeth.o rt> crypto/engine/tb_rand.o crypto/engine/tb_rsa.o crypto/err/err.o rt> crypto/err/err_all.o crypto/err/err_prn.o crypto/evp/bio_b64.o rt> crypto/evp/bio_enc.o crypto/evp/bio_md.o crypto/evp/bio_ok.o rt> crypto/evp/c_allc.o crypto/evp/c_alld.o crypto/evp/cmeth_lib.o rt> crypto/evp/digest.o crypto/evp/e_aes.o rt> crypto/evp/e_aes_cbc_hmac_sha1.o crypto/evp/e_aes_cbc_hmac_sha256.o rt> crypto/evp/e_bf.o crypto/evp/e_camellia.o crypto/evp/e_cast.o rt> crypto/evp/e_chacha20_poly1305.o crypto/evp/e_des.o rt> crypto/evp/e_des3.o crypto/evp/e_idea.o crypto/evp/e_null.o rt> crypto/evp/e_old.o crypto/evp/e_rc2.o crypto/evp/e_rc4.o rt> crypto/evp/e_rc4_hmac_md5.o crypto/evp/e_rc5.o crypto/evp/e_seed.o rt> crypto/evp/e_xcbc_d.o crypto/evp/encode.o crypto/evp/evp_cnf.o rt> crypto/evp/evp_enc.o crypto/evp/evp_err.o crypto/evp/evp_key.o rt> crypto/evp/evp_lib.o crypto/evp/evp_pbe.o crypto/evp/evp_pkey.o rt> crypto/evp/m_md2.o crypto/evp/m_md4.o crypto/evp/m_md5.o rt> crypto/evp/m_md5_sha1.o crypto/evp/m_mdc2.o crypto/evp/m_null.o rt> crypto/evp/m_ripemd.o crypto/evp/m_sha1.o crypto/evp/m_sigver.o rt> crypto/evp/m_wp.o crypto/evp/names.o crypto/evp/p5_crpt.o rt> crypto/evp/p5_crpt2.o crypto/evp/p_dec.o crypto/evp/p_enc.o rt> crypto/evp/p_lib.o crypto/evp/p_open.o crypto/evp/p_seal.o rt> crypto/evp/p_sign.o crypto/evp/p_verify.o crypto/evp/pmeth_fn.o rt> crypto/evp/pmeth_gn.o crypto/evp/pmeth_lib.o crypto/evp/scrypt.o rt> crypto/ex_data.o crypto/hmac/hm_ameth.o crypto/hmac/hm_pmeth.o rt> crypto/hmac/hmac.o crypto/idea/i_cbc.o crypto/idea/i_cfb64.o rt> crypto/idea/i_ecb.o crypto/idea/i_ofb64.o crypto/idea/i_skey.o rt> crypto/init.o crypto/kdf/hkdf.o crypto/kdf/kdf_err.o rt> crypto/kdf/tls1_prf.o crypto/lhash/lh_stats.o crypto/lhash/lhash.o rt> crypto/md4/md4_dgst.o crypto/md4/md4_one.o crypto/md5/md5_dgst.o rt> crypto/md5/md5_one.o crypto/mdc2/mdc2_one.o crypto/mdc2/mdc2dgst.o rt> crypto/mem.o crypto/mem_clr.o crypto/mem_dbg.o crypto/mem_sec.o rt> crypto/modes/cbc128.o crypto/modes/ccm128.o crypto/modes/cfb128.o rt> crypto/modes/ctr128.o crypto/modes/cts128.o crypto/modes/gcm128.o rt> crypto/modes/ocb128.o crypto/modes/ofb128.o crypto/modes/wrap128.o rt> crypto/modes/xts128.o crypto/o_dir.o crypto/o_fips.o crypto/o_init.o rt> crypto/o_str.o crypto/o_time.o crypto/objects/o_names.o rt> crypto/objects/obj_dat.o crypto/objects/obj_err.o rt> crypto/objects/obj_lib.o crypto/objects/obj_xref.o rt> crypto/ocsp/ocsp_asn.o crypto/ocsp/ocsp_cl.o crypto/ocsp/ocsp_err.o rt> crypto/ocsp/ocsp_ext.o crypto/ocsp/ocsp_ht.o crypto/ocsp/ocsp_lib.o rt> crypto/ocsp/ocsp_prn.o crypto/ocsp/ocsp_srv.o crypto/ocsp/ocsp_vfy.o rt> crypto/ocsp/v3_ocsp.o crypto/pem/pem_all.o crypto/pem/pem_err.o rt> crypto/pem/pem_info.o crypto/pem/pem_lib.o crypto/pem/pem_oth.o rt> crypto/pem/pem_pk8.o crypto/pem/pem_pkey.o crypto/pem/pem_sign.o rt> crypto/pem/pem_x509.o crypto/pem/pem_xaux.o crypto/pem/pvkfmt.o rt> crypto/pkcs12/p12_add.o crypto/pkcs12/p12_asn.o rt> crypto/pkcs12/p12_attr.o crypto/pkcs12/p12_crpt.o rt> crypto/pkcs12/p12_crt.o crypto/pkcs12/p12_decr.o rt> crypto/pkcs12/p12_init.o crypto/pkcs12/p12_key.o rt> crypto/pkcs12/p12_kiss.o crypto/pkcs12/p12_mutl.o rt> crypto/pkcs12/p12_npas.o crypto/pkcs12/p12_p8d.o rt> crypto/pkcs12/p12_p8e.o crypto/pkcs12/p12_sbag.o rt> crypto/pkcs12/p12_utl.o crypto/pkcs12/pk12err.o crypto/pkcs7/bio_pk7.o rt> crypto/pkcs7/pk7_asn1.o crypto/pkcs7/pk7_attr.o rt> crypto/pkcs7/pk7_doit.o crypto/pkcs7/pk7_lib.o crypto/pkcs7/pk7_mime.o rt> crypto/pkcs7/pk7_smime.o crypto/pkcs7/pkcs7err.o rt> crypto/poly1305/poly1305.o crypto/rand/md_rand.o rt> crypto/rand/rand_egd.o crypto/rand/rand_err.o crypto/rand/rand_lib.o rt> crypto/rand/rand_unix.o crypto/rand/rand_vms.o crypto/rand/rand_win.o rt> crypto/rand/randfile.o crypto/rc2/rc2_cbc.o crypto/rc2/rc2_ecb.o rt> crypto/rc2/rc2_skey.o crypto/rc2/rc2cfb64.o crypto/rc2/rc2ofb64.o rt> crypto/rc4/rc4_enc.o crypto/rc4/rc4_skey.o crypto/ripemd/rmd_dgst.o rt> crypto/ripemd/rmd_one.o crypto/rsa/rsa_ameth.o crypto/rsa/rsa_asn1.o rt> crypto/rsa/rsa_chk.o crypto/rsa/rsa_crpt.o crypto/rsa/rsa_depr.o rt> crypto/rsa/rsa_err.o crypto/rsa/rsa_gen.o crypto/rsa/rsa_lib.o rt> crypto/rsa/rsa_none.o crypto/rsa/rsa_null.o crypto/rsa/rsa_oaep.o rt> crypto/rsa/rsa_ossl.o crypto/rsa/rsa_pk1.o crypto/rsa/rsa_pmeth.o rt> crypto/rsa/rsa_prn.o crypto/rsa/rsa_pss.o crypto/rsa/rsa_saos.o rt> crypto/rsa/rsa_sign.o crypto/rsa/rsa_ssl.o crypto/rsa/rsa_x931.o rt> crypto/rsa/rsa_x931g.o crypto/seed/seed.o crypto/seed/seed_cbc.o rt> crypto/seed/seed_cfb.o crypto/seed/seed_ecb.o crypto/seed/seed_ofb.o rt> crypto/sha/sha1_one.o crypto/sha/sha1dgst.o crypto/sha/sha256.o rt> crypto/sha/sha512.o crypto/srp/srp_lib.o crypto/srp/srp_vfy.o rt> crypto/stack/stack.o crypto/threads_none.o crypto/threads_pthread.o rt> crypto/threads_win.o crypto/ts/ts_asn1.o crypto/ts/ts_conf.o rt> crypto/ts/ts_err.o crypto/ts/ts_lib.o crypto/ts/ts_req_print.o rt> crypto/ts/ts_req_utils.o crypto/ts/ts_rsp_print.o rt> crypto/ts/ts_rsp_sign.o crypto/ts/ts_rsp_utils.o rt> crypto/ts/ts_rsp_verify.o crypto/ts/ts_verify_ctx.o rt> crypto/txt_db/txt_db.o crypto/ui/ui_err.o crypto/ui/ui_lib.o rt> crypto/ui/ui_openssl.o crypto/ui/ui_util.o crypto/uid.o rt> crypto/whrlpool/wp_block.o crypto/whrlpool/wp_dgst.o rt> crypto/x509/by_dir.o crypto/x509/by_file.o crypto/x509/t_crl.o rt> crypto/x509/t_req.o crypto/x509/t_x509.o crypto/x509/x509_att.o rt> crypto/x509/x509_cmp.o crypto/x509/x509_d2.o crypto/x509/x509_def.o rt> crypto/x509/x509_err.o crypto/x509/x509_ext.o crypto/x509/x509_lu.o rt> crypto/x509/x509_obj.o crypto/x509/x509_r2x.o crypto/x509/x509_req.o rt> crypto/x509/x509_set.o crypto/x509/x509_trs.o crypto/x509/x509_txt.o rt> crypto/x509/x509_v3.o crypto/x509/x509_vfy.o crypto/x509/x509_vpm.o rt> crypto/x509/x509cset.o crypto/x509/x509name.o crypto/x509/x509rset.o rt> crypto/x509/x509spki.o crypto/x509/x509type.o crypto/x509/x_all.o rt> crypto/x509/x_attrib.o crypto/x509/x_crl.o crypto/x509/x_exten.o rt> crypto/x509/x_name.o crypto/x509/x_req.o crypto/x509/x_x509.o rt> crypto/x509/x_x509a.o crypto/x509v3/pcy_cache.o rt> crypto/x509v3/pcy_data.o crypto/x509v3/pcy_lib.o rt> crypto/x509v3/pcy_map.o crypto/x509v3/pcy_node.o rt> crypto/x509v3/pcy_tree.o crypto/x509v3/v3_addr.o rt> crypto/x509v3/v3_akey.o crypto/x509v3/v3_akeya.o rt> crypto/x509v3/v3_alt.o crypto/x509v3/v3_asid.o rt> crypto/x509v3/v3_bcons.o crypto/x509v3/v3_bitst.o rt> crypto/x509v3/v3_conf.o crypto/x509v3/v3_cpols.o rt> crypto/x509v3/v3_crld.o crypto/x509v3/v3_enum.o rt> crypto/x509v3/v3_extku.o crypto/x509v3/v3_genn.o rt> crypto/x509v3/v3_ia5.o crypto/x509v3/v3_info.o crypto/x509v3/v3_int.o rt> crypto/x509v3/v3_lib.o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_pci.o rt> crypto/x509v3/v3_pcia.o crypto/x509v3/v3_pcons.o rt> crypto/x509v3/v3_pku.o crypto/x509v3/v3_pmaps.o crypto/x509v3/v3_prn.o rt> crypto/x509v3/v3_purp.o crypto/x509v3/v3_skey.o rt> crypto/x509v3/v3_sxnet.o crypto/x509v3/v3_tlsf.o rt> crypto/x509v3/v3_utl.o crypto/x509v3/v3err.o engines/e_capi.o rt> engines/e_dasync.o engines/e_padlock.o rt> /usr/bin/ranlib libcrypto.a || echo Never mind. rt> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS rt> -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -D_XOPEN_SOURCE=600 rt> -DOPENSSLDIR="\"/usr/local/ssl\"" rt> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread rt> -DL_ENDIAN -fomit-frame-pointer -fPIC -Iinclude -I. -c -o rt> ssl/bio_ssl.o ssl/bio_ssl.c rt> In file included from ssl/bio_ssl.c:65: rt> ssl/ssl_locl.h:1501: error: field `next_timeout' has incomplete type rt> rt> rt> -- rt> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4456 rt> Please log in as guest with password guest if prompted rt> rt> -- rt> openssl-dev mailing list rt> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev rt> -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4456 Please log in as guest with password guest if prompted From nikita.leontiev at gmail.com Sun Mar 20 20:09:56 2016 From: nikita.leontiev at gmail.com (Nikita Leontiev) Date: Sun, 20 Mar 2016 23:09:56 +0300 Subject: [openssl-dev] openssl_config_internal passes config_name to CONF_modules_load_file as appname Message-ID: Hello, Examining OpenSSL code I noticed strange thing. openssl_config_internal function passes config_name parameter to CONF_modules_load_file as appname parameter: void openssl_config_internal(const char **config_name*) { ... CONF_modules_load_file(NULL, *config_name*, CONF_MFLAGS_DEFAULT_SECTION | CONF_MFLAGS_IGNORE_MISSING_FILE); ... } int CONF_modules_load_file(*const char *filename*, *const char *appname*, unsigned long flags) { ... } Looks strange, because in such case config loading not occur or I missed something? -- Nikita Leontiev Just Manager Lead Developer -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Sun Mar 20 21:05:42 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Sun, 20 Mar 2016 21:05:42 +0000 Subject: [openssl-dev] [openssl.org #4439] poly1305-x86.pl produces incorrect output In-Reply-To: <56EF10A4.70304@openssl.org> References: <56EF10A4.70304@openssl.org> Message-ID: Hi, > You know the drill. See the attached poly1305_test2.c. > > $ OPENSSL_ia32cap=0 ./poly1305_test2 > PASS > $ ./poly1305_test2 > Poly1305 test failed. > got: 2637408fe03086ea73f971e3425e2820 > expected: 2637408fe13086ea73f971e3425e2820 > > I believe this affects both the SSE2 and AVX2 code. It does seem to be > dependent on this input pattern. No, it doesn't depend on call pattern. Please confirm that attached patch solves the problem. Thanks. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4439 Please log in as guest with password guest if prompted -------------- next part -------------- diff --git a/crypto/poly1305/asm/poly1305-x86.pl b/crypto/poly1305/asm/poly1305-x86.pl index 4307c99..419cb30 100755 --- a/crypto/poly1305/asm/poly1305-x86.pl +++ b/crypto/poly1305/asm/poly1305-x86.pl @@ -540,6 +540,7 @@ my $base = shift; $base = "esp" if (!defined($base)); sub lazy_reduction { my $extra = shift; +my $paddx = defined(extra) ? paddq : paddd; ################################################################ # lazy reduction as discussed in "NEON crypto" by D.J. Bernstein @@ -563,12 +564,12 @@ my $extra = shift; # possible, because # paddq is "broken" # on Atom - &pand ($D1,$MASK); - &paddq ($T1,$D2); # h1 -> h2 &psllq ($T0,2); + &paddq ($T1,$D2); # h1 -> h2 + &$paddx ($T0,$D0); # h4 -> h0 + &pand ($D1,$MASK); &movdqa ($D2,$T1); &psrlq ($T1,26); - &paddd ($T0,$D0); # h4 -> h0 &pand ($D2,$MASK); &paddd ($T1,$D3); # h2 -> h3 &movdqa ($D0,$T0); @@ -1708,18 +1709,18 @@ sub vlazy_reduction { &vpsrlq ($T1,$D1,26); &vpand ($D1,$D1,$MASK); &vpaddq ($D2,$D2,$T1); # h1 -> h2 - &vpaddd ($D0,$D0,$T0); + &vpaddq ($D0,$D0,$T0); &vpsllq ($T0,$T0,2); &vpsrlq ($T1,$D2,26); &vpand ($D2,$D2,$MASK); - &vpaddd ($D0,$D0,$T0); # h4 -> h0 - &vpaddd ($D3,$D3,$T1); # h2 -> h3 + &vpaddq ($D0,$D0,$T0); # h4 -> h0 + &vpaddq ($D3,$D3,$T1); # h2 -> h3 &vpsrlq ($T1,$D3,26); &vpsrlq ($T0,$D0,26); &vpand ($D0,$D0,$MASK); &vpand ($D3,$D3,$MASK); - &vpaddd ($D1,$D1,$T0); # h0 -> h1 - &vpaddd ($D4,$D4,$T1); # h3 -> h4 + &vpaddq ($D1,$D1,$T0); # h0 -> h1 + &vpaddq ($D4,$D4,$T1); # h3 -> h4 } &vlazy_reduction(); diff --git a/crypto/poly1305/poly1305.c b/crypto/poly1305/poly1305.c index 303822e..b500f2e 100644 --- a/crypto/poly1305/poly1305.c +++ b/crypto/poly1305/poly1305.c @@ -699,6 +699,35 @@ static const struct poly1305_test poly1305_tests[] = { "746869732069732033322d6279746520""6b657920666f7220506f6c7931333035", "49ec78090e481ec6c26b33b91ccc0307" }, + { + "89dab80b7717c1db5db437860a3f70218e93e1b8f461fb677f16f35f6f87e2a9" + "1c99bc3a47ace47640cc95c345be5ecca5a3523c35cc01893af0b64a62033427" + "0372ec12482d1b1e363561698a578b359803495bb4e2ef1930b17a5190b580f1" + "41300df30adbeca28f6427a8bc1a999fd51c554a017d095d8c3e3127daf9f595", + "2d773be37adb1e4d683bf0075e79c4ee""037918535a7f99ccb7040fb5f5f43aea", + "c85d15ed44c378d6b00e23064c7bcd51" + }, + { + "000000000000000b1703030200000000" + "06db1f1f368d696a810a349c0c714c9a5e7850c2407d721acded95e018d7a852" + "66a6e1289cdb4aeb18da5ac8a2b0026d24a59ad485227f3eaedbb2e7e35e1c66" + "cd60f9abf716dcc9ac42682dd7dab287a7024c4eefc321cc0574e16793e37cec" + "03c5bda42b54c114a80b57af26416c7be742005e20855c73e21dc8e2edc9d435" + "cb6f6059280011c270b71570051c1c9b3052126620bc1e2730fa066c7a509d53" + "c60e5ae1b40aa6e39e49669228c90eecb4a50db32a50bc49e90b4f4b359a1dfd" + "11749cd3867fcf2fb7bb6cd4738f6a4ad6f7ca5058f7618845af9f020f6c3b96" + "7b8f4cd4a91e2813b507ae66f2d35c18284f7292186062e10fd5510d18775351" + "ef334e7634ab4743f5b68f49adcab384d3fd75f7390f4006ef2a295c8c7a076a" + "d54546cd25d2107fbe1436c840924aaebe5b370893cd63d1325b8616fc481088" + "6bc152c53221b6df373119393255ee72bcaa880174f1717f9184fa91646f17a2" + "4ac55d16bfddca9581a92eda479201f0edbf633600d6066d1ab36d5d2415d713" + "51bbcd608a25108d25641992c1f26c531cf9f90203bc4cc19f5927d834b0a471" + "16d3884bbb164b8ec883d1ac832e56b3918a98601a08d171881541d594db399c" + "6ae6151221745aec814c45b0b05b565436fd6f137aa10a0c0b643761dbd6f9a9" + "dcb99b1a6e690854ce0769cde39761d82fcdec15f0d92d7d8e94ade8eb83fbe0", + "99e5822dd4173c995e3dae0ddefb9774""3fde3b080134b39f76e9bf8d0e88d546", + "2637408fe13086ea73f971e3425e2820" + }, /* * test vectors from Andrew Moon */ @@ -866,7 +895,8 @@ int main() Poly1305_Final(&poly1305, out); if (memcmp(out, expected, sizeof(expected)) != 0) { - printf("Poly1305 test #%d/%d failed.\n", i, half); + printf("Poly1305 test #%d/%d+%d failed.\n", + i, half, inlen-half); printf("got: "); hexdump(out, sizeof(out)); printf("\nexpected: "); From rt at openssl.org Sun Mar 20 22:20:01 2016 From: rt at openssl.org (David Benjamin via RT) Date: Sun, 20 Mar 2016 22:20:01 +0000 Subject: [openssl-dev] [openssl.org #4460] [PATCH] BIO_METHODs should be const In-Reply-To: References: Message-ID: Patch attached. This is a mechanical change. BIO_new takes a non-const BIO_METHOD and the various BIO_METHODs defined in the library are also non-const, so they don't get placed in .rodata. The change to BIO_new and the BIO struct should be source-compatible. Fixing the in-library BIO_METHODs is not. This will work as-is: BIO *bio = BIO_new(BIO_s_mem()); This will not: BIO_METHOD *method = BIO_s_mem(); BIO *bio = BIO_new(method); (method would have to be const.) If this is a concern, I can split out just the BIO_new change (so that external BIO_METHODs may be const without requiring casts). It would be nice to put the in-library BIOs in .rodata too, but then functions like BIO_s_mem would need to cast away const-ness internally. Happy to switch it to whichever is preferable. David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4460 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-BIO_METHODs-should-be-const.patch Type: application/octet-stream Size: 28985 bytes Desc: not available URL: From rt at openssl.org Sun Mar 20 23:05:49 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Sun, 20 Mar 2016 23:05:49 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <845192.25779.qm@web101206.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> <56EECCDE.7080607@kippdata.de> <845192.25779.qm@web101206.mail.kks.yahoo.co.jp> Message-ID: Hello, Tried your openssl-install-engines.patch, but have the same result. % make install_engines *** Installing engines /bin/sh: syntax error at line 2: `;' unexpected Makefile:251: recipe for target 'install_engines' failed make: *** [install_engines] Error 2 I think it should work, and added, for double check, @echo "XENGINES="X$$ENGINES after the line @echo "*** Installing engines". % make install_engines *** Installing engines XENGINES=X /bin/sh: syntax error at line 2: `;' unexpected Makefile:251: recipe for target 'install_engines' failed make: *** [install_engines] Error 2 Regards, --- Kiyoshi ----- Original Message ----- > From: Rainer Jung via RT > To: yoi_no_myoujou at yahoo.co.jp > Cc: openssl-dev at openssl.org > Date: 2016/3/21, Mon 01:16 > Subject: Re: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. > > Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: >> Hello, >> >> Yes, ENGINES in the top level Makefile is empty. >> >> ? ? 22:? LIBS=libcrypto.a libssl.a >> ? ? 23:? SHLIBS= >> ? ? 24:? ENGINES= >> ? ? 25:? PROGRAMS=apps/openssl > > OK, that explains the error, because the install_engines target then > contains a shell snippet > > ? for e in ; do > > ($(ENGINES) is empty, but since it is not used as a shell variable but > instead as a make variable, that is the resulting for loop). That results in > > ? /bin/sh: syntax error at line 1: `;' unexpected > > at least for /bin/sh on Solaris. > > So we need to add special handling in $(ENGINES) is empty. > > You could try the attached patch. > > Regards, > > Rainer > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 > Please log in as guest with password guest if prompted > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 21 00:11:04 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 20 Mar 2016 20:11:04 -0400 Subject: [openssl-dev] [openssl.org #4456] Fedora 1, i386: error: field `next_timeout` has incomplete type In-Reply-To: References: <20160320.194548.286469873540532506.levitte@openssl.org> Message-ID: On Sun, Mar 20, 2016 at 2:45 PM, Richard Levitte via RT wrote: > '#include ' should be added in e_os.h rather than ssl/ssl_locl.h > Thanks. Would it be possible to add , , and ? Then all these tickets can be closed. It should also allow moving onto Android testing. Android, Cygwin and early Fedora seem to have similar personalities, and they often complain about the same headers. Jeff From rt at openssl.org Mon Mar 21 00:11:17 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 00:11:17 +0000 Subject: [openssl-dev] [openssl.org #4456] Fedora 1, i386: error: field `next_timeout` has incomplete type In-Reply-To: References: <20160320.194548.286469873540532506.levitte@openssl.org> Message-ID: On Sun, Mar 20, 2016 at 2:45 PM, Richard Levitte via RT wrote: > '#include ' should be added in e_os.h rather than ssl/ssl_locl.h > Thanks. Would it be possible to add , , and ? Then all these tickets can be closed. It should also allow moving onto Android testing. Android, Cygwin and early Fedora seem to have similar personalities, and they often complain about the same headers. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4456 Please log in as guest with password guest if prompted From rainer.jung at kippdata.de Mon Mar 21 00:11:38 2016 From: rainer.jung at kippdata.de (Rainer Jung) Date: Mon, 21 Mar 2016 01:11:38 +0100 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> <56EECCDE.7080607@kippdata.de> <845192.25779.qm@web101206.mail.kks.yahoo.co.jp> Message-ID: <56EF3C3A.4070709@kippdata.de> I'm sorry and thanks for your patience: there's a bug in the patch: Replace the $$(ENGINE) in the line @set -e; if [ "X$$(ENGINES)" != "X" ]; then \ by $(ENGINE) (no "$$" instead just a single "$"). The new line is @set -e; if [ "X$(ENGINES)" != "X" ]; then \ (plus a tab and some additional whitespace in front). The wrong "X$$(ENGINES)" is reduced by make into "X$(ENGINES)" which doesn't make sense in shell. The "X$$ENGINES" in your suggested echo line is reduced to "X$ENGINES" and since there's no shell variable named ENGINES set, this is reduced by the shell to "X". But I want "X$(ENGINES)" in my patch: make reduces this to "X", because the make variable ENGINES has an empty value and that's what we want to test in the new "if". Regards, Rainer Am 21.03.2016 um 00:05 schrieb Kiyoshi KANAZAWA via RT: > Hello, > > Tried your openssl-install-engines.patch, but have the same result. > % make install_engines > *** Installing engines > /bin/sh: syntax error at line 2: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > I think it should work, and added, for double check, > @echo "XENGINES="X$$ENGINES > after the line > > @echo "*** Installing engines". > % make install_engines > *** Installing engines > XENGINES=X > /bin/sh: syntax error at line 2: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > > Regards, > > --- Kiyoshi > > > > ----- Original Message ----- >> From: Rainer Jung via RT >> To: yoi_no_myoujou at yahoo.co.jp >> Cc: openssl-dev at openssl.org >> Date: 2016/3/21, Mon 01:16 >> Subject: Re: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. >> >> Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: >>> Hello, >>> >>> Yes, ENGINES in the top level Makefile is empty. >>> >>> 22: LIBS=libcrypto.a libssl.a >>> 23: SHLIBS= >>> 24: ENGINES= >>> 25: PROGRAMS=apps/openssl >> >> OK, that explains the error, because the install_engines target then >> contains a shell snippet >> >> for e in ; do >> >> ($(ENGINES) is empty, but since it is not used as a shell variable but >> instead as a make variable, that is the resulting for loop). That results in >> >> /bin/sh: syntax error at line 1: `;' unexpected >> >> at least for /bin/sh on Solaris. >> >> So we need to add special handling in $(ENGINES) is empty. >> >> You could try the attached patch. >> >> Regards, >> >> Rainer >> >> -- >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 >> Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 00:11:46 2016 From: rt at openssl.org (Rainer Jung via RT) Date: Mon, 21 Mar 2016 00:11:46 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <56EF3C3A.4070709@kippdata.de> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <56EECCDE.7080607@kippdata.de> <845192.25779.qm@web101206.mail.kks.yahoo.co.jp> <56EF3C3A.4070709@kippdata.de> Message-ID: I'm sorry and thanks for your patience: there's a bug in the patch: Replace the $$(ENGINE) in the line @set -e; if [ "X$$(ENGINES)" != "X" ]; then \ by $(ENGINE) (no "$$" instead just a single "$"). The new line is @set -e; if [ "X$(ENGINES)" != "X" ]; then \ (plus a tab and some additional whitespace in front). The wrong "X$$(ENGINES)" is reduced by make into "X$(ENGINES)" which doesn't make sense in shell. The "X$$ENGINES" in your suggested echo line is reduced to "X$ENGINES" and since there's no shell variable named ENGINES set, this is reduced by the shell to "X". But I want "X$(ENGINES)" in my patch: make reduces this to "X", because the make variable ENGINES has an empty value and that's what we want to test in the new "if". Regards, Rainer Am 21.03.2016 um 00:05 schrieb Kiyoshi KANAZAWA via RT: > Hello, > > Tried your openssl-install-engines.patch, but have the same result. > % make install_engines > *** Installing engines > /bin/sh: syntax error at line 2: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > I think it should work, and added, for double check, > @echo "XENGINES="X$$ENGINES > after the line > > @echo "*** Installing engines". > % make install_engines > *** Installing engines > XENGINES=X > /bin/sh: syntax error at line 2: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > > Regards, > > --- Kiyoshi > > > > ----- Original Message ----- >> From: Rainer Jung via RT >> To: yoi_no_myoujou at yahoo.co.jp >> Cc: openssl-dev at openssl.org >> Date: 2016/3/21, Mon 01:16 >> Subject: Re: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. >> >> Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: >>> Hello, >>> >>> Yes, ENGINES in the top level Makefile is empty. >>> >>> 22: LIBS=libcrypto.a libssl.a >>> 23: SHLIBS= >>> 24: ENGINES= >>> 25: PROGRAMS=apps/openssl >> >> OK, that explains the error, because the install_engines target then >> contains a shell snippet >> >> for e in ; do >> >> ($(ENGINES) is empty, but since it is not used as a shell variable but >> instead as a make variable, that is the resulting for loop). That results in >> >> /bin/sh: syntax error at line 1: `;' unexpected >> >> at least for /bin/sh on Solaris. >> >> So we need to add special handling in $(ENGINES) is empty. >> >> You could try the attached patch. >> >> Regards, >> >> Rainer >> >> -- >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 >> Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 21 00:50:10 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 20 Mar 2016 20:50:10 -0400 Subject: [openssl-dev] [openssl.org #4460] [PATCH] BIO_METHODs should be const In-Reply-To: References: Message-ID: On Sun, Mar 20, 2016 at 6:20 PM, David Benjamin via RT wrote: > Patch attached. This is a mechanical change. BIO_new takes a non-const > BIO_METHOD and the various BIO_METHODs defined in the library are also > non-const, so they don't get placed in .rodata. > > The change to BIO_new and the BIO struct should be source-compatible. > Fixing the in-library BIO_METHODs is not. This will work as-is: > BIO *bio = BIO_new(BIO_s_mem()); > This will not: > BIO_METHOD *method = BIO_s_mem(); > BIO *bio = BIO_new(method); > (method would have to be const.) > > If this is a concern, I can split out just the BIO_new change (so that > external BIO_METHODs may be const without requiring casts). It would be > nice to put the in-library BIOs in .rodata too, but then functions like > BIO_s_mem would need to cast away const-ness internally. Happy to switch it > to whichever is preferable. +1 for getting const-ness in order. The const-ness issues have been around a long time. They should be sorted out before the 1.1.0 release. The major version bump is precisely the time when it should occur. Jeff From rt at openssl.org Mon Mar 21 00:50:14 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 00:50:14 +0000 Subject: [openssl-dev] [openssl.org #4460] [PATCH] BIO_METHODs should be const In-Reply-To: References: Message-ID: On Sun, Mar 20, 2016 at 6:20 PM, David Benjamin via RT wrote: > Patch attached. This is a mechanical change. BIO_new takes a non-const > BIO_METHOD and the various BIO_METHODs defined in the library are also > non-const, so they don't get placed in .rodata. > > The change to BIO_new and the BIO struct should be source-compatible. > Fixing the in-library BIO_METHODs is not. This will work as-is: > BIO *bio = BIO_new(BIO_s_mem()); > This will not: > BIO_METHOD *method = BIO_s_mem(); > BIO *bio = BIO_new(method); > (method would have to be const.) > > If this is a concern, I can split out just the BIO_new change (so that > external BIO_METHODs may be const without requiring casts). It would be > nice to put the in-library BIOs in .rodata too, but then functions like > BIO_s_mem would need to cast away const-ness internally. Happy to switch it > to whichever is preferable. +1 for getting const-ness in order. The const-ness issues have been around a long time. They should be sorted out before the 1.1.0 release. The major version bump is precisely the time when it should occur. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4460 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 01:28:28 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 01:28:28 +0000 Subject: [openssl-dev] [openssl.org #4461] No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: References: Message-ID: Working on Gentoo 13, x86_64 with a 4.1 kernel. Master at 89ff989d01314a61. $ git reset --hard HEAD && git pull HEAD is now at 89ff989 Add a comment on dane_verify() logic Already up-to-date. $ ./config ... $ make depend && make clean && make ... No rule to make target 'crypto/include/internal/blake2_locl.h' ********** $ ./config Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4461 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 01:29:59 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Mon, 21 Mar 2016 01:29:59 +0000 Subject: [openssl-dev] [openssl.org #4461] No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: <7c82bb7c9ff14be08d3f602c69203a04@usma1ex-dag1mb1.msg.corp.akamai.com> References: <7c82bb7c9ff14be08d3f602c69203a04@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > $ make depend && make clean && make > ... > > No rule to make target 'crypto/include/internal/blake2_locl.h' Shouldn't that be clean ; make depend? At any rate, yes, some header files moved around. Old dependencies are out of date ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4461 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 21 01:35:16 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 20 Mar 2016 21:35:16 -0400 Subject: [openssl-dev] [openssl.org #4461] No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: References: <7c82bb7c9ff14be08d3f602c69203a04@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Sun, Mar 20, 2016 at 9:29 PM, Salz, Rich via RT wrote: > >> $ make depend && make clean && make >> ... >> >> No rule to make target 'crypto/include/internal/blake2_locl.h' > > Shouldn't that be clean ; make depend? > > At any rate, yes, some header files moved around. Old dependencies are out of date ... I think it need depends first to get the dependencies right (for clean); then it needs the clean to ensure old artifacts are gone. At any rate, what does the Dev team recommend/want? I'm happy to do either. Jeff From rt at openssl.org Mon Mar 21 01:35:19 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 01:35:19 +0000 Subject: [openssl-dev] [openssl.org #4461] No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: References: <7c82bb7c9ff14be08d3f602c69203a04@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Sun, Mar 20, 2016 at 9:29 PM, Salz, Rich via RT wrote: > >> $ make depend && make clean && make >> ... >> >> No rule to make target 'crypto/include/internal/blake2_locl.h' > > Shouldn't that be clean ; make depend? > > At any rate, yes, some header files moved around. Old dependencies are out of date ... I think it need depends first to get the dependencies right (for clean); then it needs the clean to ensure old artifacts are gone. At any rate, what does the Dev team recommend/want? I'm happy to do either. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4461 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 01:42:00 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 01:42:00 +0000 Subject: [openssl-dev] [openssl.org #4461] AutoReply: No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: References: Message-ID: Just pulled 89ff989 and the issue is gone. Close it. On Sun, Mar 20, 2016 at 9:28 PM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "No rule to make target 'crypto/include/internal/blake2_locl.h'", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4461]. > > Please include the string: > > [openssl.org #4461] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > > ------------------------------------------------------------------------- > Working on Gentoo 13, x86_64 with a 4.1 kernel. Master at 89ff989d01314a61. > > $ git reset --hard HEAD && git pull > HEAD is now at 89ff989 Add a comment on dane_verify() logic > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > > No rule to make target 'crypto/include/internal/blake2_locl.h' > > ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4461 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 01:47:04 2016 From: rt at openssl.org (Rich Salz via RT) Date: Mon, 21 Mar 2016 01:47:04 +0000 Subject: [openssl-dev] [openssl.org #4461] No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: References: Message-ID: "Just pulled 89ff989 and the issue is gone. Close it." -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4461 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 02:31:47 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 02:31:47 +0000 Subject: [openssl-dev] [openssl.org #4462] FEATURE: enable 'make test' to respond to 'V=1' or 'VERBOSE=1' In-Reply-To: References: Message-ID: INSTALL details the way to obtain verbose output is with: HARNESS_VERBOSE=yes make test That is kind of non-standard for autotools, cmake and kbuild users. Users of those tools (including various OpenSSL package maintainers) are accustomed to output being sometimes hidden from them, and they normally react with: make test V=1 Or: make test VERBOSE=1 Please consider enabling the build system to respond to both 'V=1' and 'VERBOSE=1'. It will save a bunch of mailing list questions and miscellaneous noise. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4462 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 02:47:52 2016 From: rt at openssl.org (David Benjamin via RT) Date: Mon, 21 Mar 2016 02:47:52 +0000 Subject: [openssl-dev] [openssl.org #4439] poly1305-x86.pl produces incorrect output In-Reply-To: References: <56EF10A4.70304@openssl.org> Message-ID: On Sun, Mar 20, 2016 at 5:05 PM Andy Polyakov via RT wrote: > No, it doesn't depend on call pattern. Please confirm that attached > patch solves the problem. Thanks. > (Right, sorry, I meant that the test vectors I have seem to only with their corresponding call patterns.) The patch works on my end, and naively comparing random inputs against a reference implementation doesn't reveal any other issues. Thanks for fixing it so quickly! David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4439 Please log in as guest with password guest if prompted From sms at antinode.info Mon Mar 21 03:08:23 2016 From: sms at antinode.info (Steven M. Schweda) Date: Sun, 20 Mar 2016 22:08:23 -0500 (CDT) Subject: [openssl-dev] 1.1.0-pre5-dev (2016-03-20) v. VMS Message-ID: <16032022082387_202140C6@antinode.info> 1. An attempt to build on VMS Alpha V8.4 died when MMS choked on a too-long command: [...] PURGE [.crypto.evp]digest.OBJ SET DEFAULT ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto.evp] CC/DECC /DEFINE=(OPENSSL_THREADS,OPENSSL_NO_DYNAMIC_ENGINE,OPENSSL_PIC,OPENSSLDIR="""SYS$COMMON:[SSL]""",ENGINESDIR="""OSSL$ENGINES:""") /STANDARD=RELAXED/NOLIST/PREFIX=ALL/NAMES=(AS_IS,SHORTENED) /OPTIMIZE/NODEBUG/INCLUDE=(utility5_dev:[UTILITY.source- .openssl.openssl-master_2016-03-20.include],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto.include],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.include]- ,utility5_dev:[UTILITY.source.openssl.openssl-master_2016-03-20.crypto.include],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto.modes]) /MMS=(FILE=utility5_dev:[- UTILITY.source.openssl.openssl-master_2016-03-20.crypto.evp]e_aes.tmp-MMS,TARGET=[.crypto.evp]e_aes.OBJ) /OBJECT=utility5_dev:[UTILITY.source.openssl.openssl-master_2016-03-20.crypto.evp]e_aes.OBJ /REPOSITORY=utility5_dev:[UTILITY.source.openssl.- openssl-master_2016-03-20] e_aes.c %MMS-F-EXETOOBIG, Command too large. Maximum length is 1019 characters. I haven't tried to see how this stuff is generated nowadays, but I'd say that it could use more of at least one of the following: logical names (one rooted for the top-level dir?) continuation lines relative directory specs documentation of the default directory spec length limit 2. What's the status of zlib support on VMS? In the old days, makevms.com had a place to specify a zlib directory. Is there a way in the new scheme? (Documented anywhere?) All I found was the OPTIONS= [...] no-zlib no-zlib-dynamic in descrip.mms. 3. Shared images? For the record: ALP $ mms /id %MMS-I-IDENT, MMS V3.8-2 ? Copyright 2007 Hewlett-Packard Development Company, L .P. ALP $ cc /version HP C V7.3-010 on OpenVMS Alpha V8.4 (I haven't verified it yet, but I believe that the "-010" compiler, recently made available to us lowly hobbyists, fixes the 64-bit argv[] NULL-termination problems on Alpha.) ------------------------------------------------------------------------ Steven M. Schweda sms at antinode-info 382 South Warwick Street (+1) 651-699-9818 Saint Paul MN 55105-2547 From rt at openssl.org Mon Mar 21 04:53:54 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Mon, 21 Mar 2016 04:53:54 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <850109.23361.qm@web101209.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <845192.25779.qm@web101206.mail.kks.yahoo.co.jp> <56EF3C3A.4070709@kippdata.de> <850109.23361.qm@web101209.mail.kks.yahoo.co.jp> Message-ID: Still I have the same error. % make install_engines *** Installing engines /bin/sh: syntax error at line 2: `;' unexpected Makefile:251: recipe for target 'install_engines' failed make: *** [install_engines] Error 2 I tried to enter 'echo "AAAAA"' before for loop, such as --- Makefile??? 2016-03-19 14:08:21.655179000 +0100 +++ Makefile??? 2016-03-20 17:08:48.298012000 +0100 @@ -284,7 +284,9 @@ ??? @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1) ??? @$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/ ??? @echo "*** Installing engines" -?? @set -e; for e in $(ENGINES); do \ +?? @set -e; if [ "X$(ENGINES)" != "X" ]; then \ +?????? echo "AAAAA"; \ +?????? for e in $(ENGINES); do \ ??????? fn=`basename $$e`; \ ??????? if [ "$$fn" = 'ossltest.so' ]; then \ ??????????? continue; \ @@ -294,7 +295,8 @@ ??????? chmod 755 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \ ??????? mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new \ ????????????? $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \ -?? done +?????? done; \ +?? fi ? ?uninstall_engines: ??? @echo "*** Uninstalling engines" % make install_engines *** Installing engines /bin/sh: syntax error at line 3: `;' unexpected Makefile:251: recipe for target 'install_engines' failed make: *** [install_engines] Error 2 "AAAAA" is not echoed, but '/bin/sh: syntax error at line 2: `;' unexpected' changed to '/bin/sh: syntax error at line 3: `;' unexpected' Inside of if condition is not executed, but seems to be checked by sh. BTW, is it OK that ENGINES is empty on Solaris 10 x86/x64, although ENGINES=engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so on your Solaris Sparc ? Regards, --- Kiyoshi > I'm sorry and thanks for your patience: there's a bug in the patch: > Replace the $$(ENGINE) in the line > > @set -e; if [ "X$$(ENGINES)" != "X" ]; then \ > > by $(ENGINE) (no "$$" instead just a single "$"). > > The new line is > > @set -e; if [ "X$(ENGINES)" != "X" ]; then \ > > (plus a tab and some additional whitespace in front). > > The wrong "X$$(ENGINES)" is reduced by make into > "X$(ENGINES)" which > doesn't make sense in shell. The "X$$ENGINES" in your suggested > echo > line is reduced to "X$ENGINES" and since there's no shell variable > named > ENGINES set, this is reduced by the shell to "X". But I want > "X$(ENGINES)" in my patch: make reduces this to "X", because > the make > variable ENGINES has an empty value and that's what we want to test in > the new "if". > > Regards, > > Rainer > > Am 21.03.2016 um 00:05 schrieb Kiyoshi KANAZAWA via RT: >> Hello, >> >> Tried your openssl-install-engines.patch, but have the same result. >> % make install_engines >> *** Installing engines >> /bin/sh: syntax error at line 2: `;' unexpected >> Makefile:251: recipe for target 'install_engines' failed >> make: *** [install_engines] Error 2 >> >> >> I think it should work, and added, for double check, >> @echo "XENGINES="X$$ENGINES >> after the line >> >> @echo "*** Installing engines". >> % make install_engines >> *** Installing engines >> XENGINES=X >> /bin/sh: syntax error at line 2: `;' unexpected >> Makefile:251: recipe for target 'install_engines' failed >> make: *** [install_engines] Error 2 >> >> >> >> Regards, >> >> --- Kiyoshi >> >> >> >> ----- Original Message ----- >>> From: Rainer Jung via RT >>> To: yoi_no_myoujou at yahoo.co.jp >>> Cc: openssl-dev at openssl.org >>> Date: 2016/3/21, Mon 01:16 >>> Subject: Re: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make > install fals on solaris64-x86_64-gcc. >>> >>> Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: >>>> ? Hello, >>>> >>>> ? Yes, ENGINES in the top level Makefile is empty. >>>> >>>> ? ? ? 22:? LIBS=libcrypto.a libssl.a >>>> ? ? ? 23:? SHLIBS= >>>> ? ? ? 24:? ENGINES= >>>> ? ? ? 25:? PROGRAMS=apps/openssl >>> >>> OK, that explains the error, because the install_engines target then >>> contains a shell snippet >>> >>> ? ? for e in ; do >>> >>> ($(ENGINES) is empty, but since it is not used as a shell variable but >>> instead as a make variable, that is the resulting for loop). That > results in >>> >>> ? ? /bin/sh: syntax error at line 1: `;' unexpected >>> >>> at least for /bin/sh on Solaris. >>> >>> So we need to add special handling in $(ENGINES) is empty. >>> >>> You could try the attached patch. >>> >>> Regards, >>> >>> Rainer >>> >>> -- >>> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 >>> Please log in as guest with password guest if prompted > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 > Please log in as guest with password guest if prompted > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 05:25:06 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Mon, 21 Mar 2016 05:25:06 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <613522.97267.qm@web101214.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <56EEB685.6070408@kippdata.de> <845192.25779.qm@web101206.mail.kks.yahoo.co.jp> <56EF3C3A.4070709@kippdata.de> <850109.23361.qm@web101209.mail.kks.yahoo.co.jp> <613522.97267.qm@web101214.mail.kks.yahoo.co.jp> Message-ID: Hmm, % ./config --prefix=/tmp/install_check shared makes 'ENGINES=engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so' I confirmed % make install passes in this case. ('AAAAA' is also echoed.) Regards, --- Kiyoshi > Still I have the same error. > > % make install_engines > *** Installing engines > /bin/sh: syntax error at line 2: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > > I tried to enter 'echo "AAAAA"' before for loop, such as > --- Makefile??? 2016-03-19 14:08:21.655179000 +0100 > +++ Makefile??? 2016-03-20 17:08:48.298012000 +0100 > @@ -284,7 +284,9 @@ > ??? @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; > exit 1) > ??? @$(PERL) $(SRCDIR)/util/mkdir-p.pl > $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/ > ??? @echo "*** Installing engines" > -?? @set -e; for e in $(ENGINES); do \ > +?? @set -e; if [ "X$(ENGINES)" != "X" ]; then \ > +?????? echo "AAAAA"; \ > +?????? for e in $(ENGINES); do \ > ??????? fn=`basename $$e`; \ > ??????? if [ "$$fn" = 'ossltest.so' ]; then \ > ??????????? continue; \ > @@ -294,7 +295,8 @@ > ??????? chmod 755 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \ > ??????? mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new \ > ????????????? $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \ > -?? done > +?????? done; \ > +?? fi > ? > ?uninstall_engines: > ??? @echo "*** Uninstalling engines" > > > % make install_engines > *** Installing engines > /bin/sh: syntax error at line 3: `;' unexpected > Makefile:251: recipe for target 'install_engines' failed > make: *** [install_engines] Error 2 > > > "AAAAA" is not echoed, but > > '/bin/sh: syntax error at line 2: `;' unexpected' > changed to > '/bin/sh: syntax error at line 3: `;' unexpected' > > > Inside of if condition is not executed, > but seems to be checked by sh. > > > BTW, is it OK that ENGINES is empty on Solaris 10 x86/x64, > although > ENGINES=engines/capi.so engines/dasync.so engines/ossltest.so engines/padlock.so > on your Solaris Sparc ? > > > Regards, > > --- Kiyoshi > > > > > >> I'm sorry and thanks for your patience: there's a bug in the patch: > >> Replace the $$(ENGINE) in the line >> >> @set -e; if [ "X$$(ENGINES)" != "X" ]; then \ >> >> by $(ENGINE) (no "$$" instead just a single "$"). >> >> The new line is >> >> @set -e; if [ "X$(ENGINES)" != "X" ]; then \ >> >> (plus a tab and some additional whitespace in front). >> >> The wrong "X$$(ENGINES)" is reduced by make into >> "X$(ENGINES)" which >> doesn't make sense in shell. The "X$$ENGINES" in your > suggested >> echo >> line is reduced to "X$ENGINES" and since there's no shell > variable >> named >> ENGINES set, this is reduced by the shell to "X". But I want >> "X$(ENGINES)" in my patch: make reduces this to "X", > because >> the make >> variable ENGINES has an empty value and that's what we want to test in >> the new "if". >> >> Regards, >> >> Rainer >> >> Am 21.03.2016 um 00:05 schrieb Kiyoshi KANAZAWA via RT: >>> ? Hello, >>> >>> ? Tried your openssl-install-engines.patch, but have the same result. >>> ? % make install_engines >>> ? *** Installing engines >>> ? /bin/sh: syntax error at line 2: `;' unexpected >>> ? Makefile:251: recipe for target 'install_engines' failed >>> ? make: *** [install_engines] Error 2 >>> >>> >>> ? I think it should work, and added, for double check, >>> ? @echo "XENGINES="X$$ENGINES >>> ? after the line >>> >>> ? @echo "*** Installing engines". >>> ? % make install_engines >>> ? *** Installing engines >>> ? XENGINES=X >>> ? /bin/sh: syntax error at line 2: `;' unexpected >>> ? Makefile:251: recipe for target 'install_engines' failed >>> ? make: *** [install_engines] Error 2 >>> >>> >>> >>> ? Regards, >>> >>> ? --- Kiyoshi >>> >>> >>> >>> ? ----- Original Message ----- >>>> ? From: Rainer Jung via RT >>>> ? To: yoi_no_myoujou at yahoo.co.jp >>>> ? Cc: openssl-dev at openssl.org >>>> ? Date: 2016/3/21, Mon 01:16 >>>> ? Subject: Re: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: > make >> install fals on solaris64-x86_64-gcc. >>>> >>>> ? Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: >>>>> ?? Hello, >>>>> >>>>> ?? Yes, ENGINES in the top level Makefile is empty. >>>>> >>>>> ? ? ?? 22:? LIBS=libcrypto.a libssl.a >>>>> ? ? ?? 23:? SHLIBS= >>>>> ? ? ?? 24:? ENGINES= >>>>> ? ? ?? 25:? PROGRAMS=apps/openssl >>>> >>>> ? OK, that explains the error, because the install_engines target > then >>>> ? contains a shell snippet >>>> >>>> ? ?? for e in ; do >>>> >>>> ? ($(ENGINES) is empty, but since it is not used as a shell variable > but >>>> ? instead as a make variable, that is the resulting for loop). That >> results in >>>> >>>> ? ?? /bin/sh: syntax error at line 1: `;' unexpected >>>> >>>> ? at least for /bin/sh on Solaris. >>>> >>>> ? So we need to add special handling in $(ENGINES) is empty. >>>> >>>> ? You could try the attached patch. >>>> >>>> ? Regards, >>>> >>>> ? Rainer >>>> >>>> ? -- >>>> ? Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 >>>> ? Please log in as guest with password guest if prompted >> >> >> -- >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 >> Please log in as guest with password guest if prompted >> > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 21 05:47:33 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 21 Mar 2016 01:47:33 -0400 Subject: [openssl-dev] Is a "no next protocol negotiation" (no-npn) a supported option? Message-ID: Is no-npn a supported configuration option for 1.1.0? Its causing a test script to fail: Testing no next protocol negotiation Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) ***** Unsupported options: no-npn FAILED: config no protocol negotiation And: Testing shared object with no next protocol negotiation Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) ***** Unsupported options: no-npn FAILED: config shared object with no protocol negotiation From rt at openssl.org Mon Mar 21 07:10:38 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Mon, 21 Mar 2016 07:10:38 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: References: <820989.97962.qm@web101209.mail.kks.yahoo.co.jp> Message-ID: Guys, you're on the wrong track. The shell checks the syntax of the whole line (that is, all those lines concatenated together) before any execution, so if $(ENGINES) is empty, for 'for e in $(ENGINES)' part will have an empty list no matter what, since $(ENGINES) is expanded by make, before the shell gets any control. The best way I know to handle this issue is with a dummy. Might not be elegant, but it's quick and easy to understand. See attached patch Vid Mon, 21 Mar 2016 kl. 00.11.46, skrev rainer.jung at kippdata.de: > I'm sorry and thanks for your patience: there's a bug in the patch: > Replace the $$(ENGINE) in the line > > @set -e; if [ "X$$(ENGINES)" != "X" ]; then \ > > by $(ENGINE) (no "$$" instead just a single "$"). > > The new line is > > @set -e; if [ "X$(ENGINES)" != "X" ]; then \ > > (plus a tab and some additional whitespace in front). > > The wrong "X$$(ENGINES)" is reduced by make into "X$(ENGINES)" which > doesn't make sense in shell. The "X$$ENGINES" in your suggested echo > line is reduced to "X$ENGINES" and since there's no shell variable > named > ENGINES set, this is reduced by the shell to "X". But I want > "X$(ENGINES)" in my patch: make reduces this to "X", because the make > variable ENGINES has an empty value and that's what we want to test in > the new "if". > > Regards, > > Rainer > > Am 21.03.2016 um 00:05 schrieb Kiyoshi KANAZAWA via RT: > > Hello, > > > > Tried your openssl-install-engines.patch, but have the same result. > > % make install_engines > > *** Installing engines > > /bin/sh: syntax error at line 2: `;' unexpected > > Makefile:251: recipe for target 'install_engines' failed > > make: *** [install_engines] Error 2 > > > > > > I think it should work, and added, for double check, > > @echo "XENGINES="X$$ENGINES > > after the line > > > > @echo "*** Installing engines". > > % make install_engines > > *** Installing engines > > XENGINES=X > > /bin/sh: syntax error at line 2: `;' unexpected > > Makefile:251: recipe for target 'install_engines' failed > > make: *** [install_engines] Error 2 > > > > > > > > Regards, > > > > --- Kiyoshi > > > > > > > > ----- Original Message ----- > >> From: Rainer Jung via RT > >> To: yoi_no_myoujou at yahoo.co.jp > >> Cc: openssl-dev at openssl.org > >> Date: 2016/3/21, Mon 01:16 > >> Subject: Re: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: > >> make install fals on solaris64-x86_64-gcc. > >> > >> Am 20.03.2016 um 16:46 schrieb Kiyoshi KANAZAWA via RT: > >>> Hello, > >>> > >>> Yes, ENGINES in the top level Makefile is empty. > >>> > >>> 22: LIBS=libcrypto.a libssl.a > >>> 23: SHLIBS= > >>> 24: ENGINES= > >>> 25: PROGRAMS=apps/openssl > >> > >> OK, that explains the error, because the install_engines target then > >> contains a shell snippet > >> > >> for e in ; do > >> > >> ($(ENGINES) is empty, but since it is not used as a shell variable > >> but > >> instead as a make variable, that is the resulting for loop). That > >> results in > >> > >> /bin/sh: syntax error at line 1: `;' unexpected > >> > >> at least for /bin/sh on Solaris. > >> > >> So we need to add special handling in $(ENGINES) is empty. > >> > >> You could try the attached patch. > >> > >> Regards, > >> > >> Rainer > >> > >> -- > >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 > >> Please log in as guest with password guest if prompted -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: unix-Makefile.tmpl.patch Type: text/x-patch Size: 3806 bytes Desc: not available URL: From levitte at openssl.org Mon Mar 21 07:30:23 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 21 Mar 2016 08:30:23 +0100 (CET) Subject: [openssl-dev] [openssl.org #4461] No rule to make target 'crypto/include/internal/blake2_locl.h' In-Reply-To: References: <7c82bb7c9ff14be08d3f602c69203a04@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <20160321.083023.85244070553541142.levitte@openssl.org> In message on Sun, 20 Mar 2016 21:35:16 -0400, Jeffrey Walton said: noloader> On Sun, Mar 20, 2016 at 9:29 PM, Salz, Rich via RT wrote: noloader> > noloader> >> $ make depend && make clean && make noloader> >> ... noloader> >> noloader> >> No rule to make target 'crypto/include/internal/blake2_locl.h' noloader> > noloader> > Shouldn't that be clean ; make depend? noloader> > noloader> > At any rate, yes, some header files moved around. Old dependencies are out of date ... noloader> noloader> I think it need depends first to get the dependencies right (for noloader> clean); then it needs the clean to ensure old artifacts are gone. 'make depend' will only ensure that the existing .d files get appended to Makefile if one of them is newer than the Makefile. In all likelyhood, it's going to be a noop. noloader> At any rate, what does the Dev team recommend/want? I'm happy to do either. In this case, the safest thing to do is to have Makefile recreated from scratch, like this: perl Configure reconf Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From levitte at openssl.org Mon Mar 21 08:00:13 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 21 Mar 2016 09:00:13 +0100 (CET) Subject: [openssl-dev] 1.1.0-pre5-dev (2016-03-20) v. VMS In-Reply-To: <16032022082387_202140C6@antinode.info> References: <16032022082387_202140C6@antinode.info> Message-ID: <20160321.090013.575925183006870257.levitte@openssl.org> In message <16032022082387_202140C6 at antinode.info> on Sun, 20 Mar 2016 22:08:23 -0500 (CDT), "Steven M. Schweda" said: sms> 1. An attempt to build on VMS Alpha V8.4 died when MMS choked on a sms> too-long command: sms> sms> [...] sms> PURGE [.crypto.evp]digest.OBJ sms> SET DEFAULT ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto.evp] sms> CC/DECC /DEFINE=(OPENSSL_THREADS,OPENSSL_NO_DYNAMIC_ENGINE,OPENSSL_PIC,OPENSSLDIR="""SYS$COMMON:[SSL]""",ENGINESDIR="""OSSL$ENGINES:""") /STANDARD=RELAXED/NOLIST/PREFIX=ALL/NAMES=(AS_IS,SHORTENED) /OPTIMIZE/NODEBUG/INCLUDE=(utility5_dev:[UTILITY.source- sms> .openssl.openssl-master_2016-03-20.include],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto.include],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.include]- sms> ,utility5_dev:[UTILITY.source.openssl.openssl-master_2016-03-20.crypto.include],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto],ALP$DKC100:[UTILITY.SOURCE.OPENSSL.openssl-master_2016-03-20.crypto.modes]) /MMS=(FILE=utility5_dev:[- sms> UTILITY.source.openssl.openssl-master_2016-03-20.crypto.evp]e_aes.tmp-MMS,TARGET=[.crypto.evp]e_aes.OBJ) /OBJECT=utility5_dev:[UTILITY.source.openssl.openssl-master_2016-03-20.crypto.evp]e_aes.OBJ /REPOSITORY=utility5_dev:[UTILITY.source.openssl.- sms> openssl-master_2016-03-20] e_aes.c sms> %MMS-F-EXETOOBIG, Command too large. Maximum length is 1019 characters. Could you show me how you configured and what your default directory was? Also, if you could tell me the difference between utility5_dev and ALP$DKC100, that would be great. sms> I haven't tried to see how this stuff is generated nowadays, A combination of information from the build.info files, the .conf files in [.Configurations] and [.Configurations]descrip.mms.tmpl. sms> but I'd say that it could use more of at least one of the following: sms> logical names (one rooted for the top-level dir?) I'm starting to consider that. sms> continuation lines Regardless of that, there will still be a limit on the total line length, won't it? sms> relative directory specs Configure tries its best when possible. However, from the command line above, the source and build tree appear to be on different devices, and it won't try to expand the logical names (or even worse, trying to use realpath(), you've already seen first hand what happens then). sms> documentation of the default directory spec length limit Another thing I could see is recommending users to create rooted logicals "SRC" and "BLD" and use those. sms> 2. What's the status of zlib support on VMS? In the old days, sms> makevms.com had a place to specify a zlib directory. Is there a way in sms> the new scheme? (Documented anywhere?) All I found was the sms> OPTIONS= [...] no-zlib no-zlib-dynamic sms> in descrip.mms. There are two, and you're right that they aren't documented (I'm looking through documentation this week but may be staring myself blind, so any pointers of the "hey, please remeber to document {blah}" form is appreciated): --with-zlib-include=INCDIR --with-zlib-lib=LIBDIR Apart from that, what I've done so far is tentative. From all the searches I've been doing, it looks like GNV$LIBZSHR is the zlib name du jour, is that your assessment as well? sms> 3. Shared images? Add "shared" to the Configure line. Generally speaking, I'd love it if you had a look at INSTALL, that file covers Unix, Windows and VMS sms> For the record: sms> sms> ALP $ mms /id sms> %MMS-I-IDENT, MMS V3.8-2 ? Copyright 2007 Hewlett-Packard Development Company, L sms> .P. sms> sms> ALP $ cc /version sms> HP C V7.3-010 on OpenVMS Alpha V8.4 sms> sms> (I haven't verified it yet, but I believe that the "-010" compiler, sms> recently made available to us lowly hobbyists, fixes the 64-bit argv[] sms> NULL-termination problems on Alpha.) Interesting. So that would make the hack in [.apps]vms_decc_init.c less necessary then? Does keeping that hack in place hurt in any way? Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From levitte at openssl.org Mon Mar 21 08:02:22 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 21 Mar 2016 09:02:22 +0100 (CET) Subject: [openssl-dev] Is a "no next protocol negotiation" (no-npn) a supported option? In-Reply-To: References: Message-ID: <20160321.090222.713004186383328150.levitte@openssl.org> Yes, there is such a configuration option: no-nextprotoneg In message on Mon, 21 Mar 2016 01:47:33 -0400, Jeffrey Walton said: noloader> Is no-npn a supported configuration option for 1.1.0? noloader> noloader> Its causing a test script to fail: noloader> noloader> Testing no next protocol negotiation noloader> Operating system: x86_64-whatever-linux2 noloader> Configuring for linux-x86_64 noloader> Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) noloader> ***** Unsupported options: no-npn noloader> FAILED: config no protocol negotiation noloader> noloader> And: noloader> noloader> Testing shared object with no next protocol negotiation noloader> Operating system: x86_64-whatever-linux2 noloader> Configuring for linux-x86_64 noloader> Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) noloader> ***** Unsupported options: no-npn noloader> FAILED: config shared object with no protocol negotiation noloader> -- noloader> openssl-dev mailing list noloader> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev noloader> From rt at openssl.org Mon Mar 21 08:11:13 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Mon, 21 Mar 2016 08:11:13 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> Message-ID: My earlier patch was incorrect, it introduced another syntax error. Try this one instead. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: unix-Makefile.tmpl.patch Type: text/x-patch Size: 3816 bytes Desc: not available URL: From noloader at gmail.com Mon Mar 21 08:42:00 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 21 Mar 2016 04:42:00 -0400 Subject: [openssl-dev] Is a "no next protocol negotiation" (no-npn) a supported option? In-Reply-To: <20160321.090222.713004186383328150.levitte@openssl.org> References: <20160321.090222.713004186383328150.levitte@openssl.org> Message-ID: On Mon, Mar 21, 2016 at 4:02 AM, Richard Levitte wrote: > Yes, there is such a configuration option: no-nextprotoneg > Thank you very much. That leads to: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -MMD -MF ssl/t1_ext.d.tmp -MT ssl/t1_ext.o -c -o ssl/t1_ext.o ssl/t1_ext.c ssl/t1_ext.c: In function ?SSL_extension_supported?: ssl/t1_ext.c:303:10: error: ?TLSEXT_TYPE_next_proto_neg? undeclared (first use in this function) case TLSEXT_TYPE_next_proto_neg: ^ ssl/t1_ext.c:303:10: note: each undeclared identifier is reported only once for each function it appears in Makefile:5954: recipe for target 'ssl/t1_ext.o' failed From michel.sales at free.fr Mon Mar 21 09:34:01 2016 From: michel.sales at free.fr (Michel) Date: Mon, 21 Mar 2016 10:34:01 +0100 Subject: [openssl-dev] Is a "no next protocol negotiation" (no-npn) a supported option? In-Reply-To: References: <20160321.090222.713004186383328150.levitte@openssl.org> Message-ID: <002f01d18354$cd8e1f70$68aa5e50$@sales@free.fr> Hi Jeff, Just for information, I send a patch and had a previous exchange about this with Rich : http://openssl.6102.n7.nabble.com/openssl-org-4178-patch-OpenSSL-1-1-0-fails-when-configure-with-no-nextproto-td61662.html Regards, Michel. -----Message d'origine----- De : openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Jeffrey Walton Envoy? : lundi 21 mars 2016 09:42 ? : OpenSSL Developer ML Objet : Re: [openssl-dev] Is a "no next protocol negotiation" (no-npn) a supported option? On Mon, Mar 21, 2016 at 4:02 AM, Richard Levitte wrote: > Yes, there is such a configuration option: no-nextprotoneg > Thank you very much. That leads to: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -MMD -MF ssl/t1_ext.d.tmp -MT ssl/t1_ext.o -c -o ssl/t1_ext.o ssl/t1_ext.c ssl/t1_ext.c: In function SSL_extension_supported : ssl/t1_ext.c:303:10: error: TLSEXT_TYPE_next_proto_neg undeclared (first use in this function) case TLSEXT_TYPE_next_proto_neg: ^ ssl/t1_ext.c:303:10: note: each undeclared identifier is reported only once for each function it appears in Makefile:5954: recipe for target 'ssl/t1_ext.o' failed -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From rt at openssl.org Mon Mar 21 09:40:33 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Mon, 21 Mar 2016 09:40:33 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: <767312.35644.qm@web101212.mail.kks.yahoo.co.jp> References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <767312.35644.qm@web101212.mail.kks.yahoo.co.jp> Message-ID: Thank you, Richard. Make install succeeded with your new patch. --- Kiyoshi > My earlier patch was incorrect, it introduced another syntax error. Try this > one instead. > > -- > Richard Levitte > levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 09:51:26 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 09:51:26 +0000 Subject: [openssl-dev] [openssl.org #4463] Undefined behavior in cast/c_enc.c In-Reply-To: References: Message-ID: $ ./config -fsanitize=undefined ... $ make test HARNESS_VERBOSE=yes ... ../test/recipes/05-test_cast.t ............ 1..1 crypto/cast/c_enc.c:78:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:111:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' ecb cast5 ok crypto/cast/c_enc.c:74:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:70:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:84:9: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:72:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:79:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:85:9: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:80:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:71:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:75:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:77:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:83:9: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:73:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:86:9: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:76:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:81:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' ... ../test/recipes/20-test_enc.t ............. 1..117 ... ok 38 - cast crypto/cast/c_enc.c:76:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:86:9: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:103:9: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:113:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' ok 39 - cast base64 ok 40 - cast-cbc ok 41 - cast-cbc base64 crypto/cast/c_enc.c:70:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' crypto/cast/c_enc.c:119:5: runtime error: shift exponent 32 is too large for 32-bit type 'unsigned int' ********** $ uname -a Linux core2 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) x86_64 GNU/Linux $ gcc --version gcc (Debian 4.9.2-10) 4.9.2 ********** $ ./config -fsanitize=undefined Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 IsMK1MF =no CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -fsanitize=undefined -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4463 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 10:14:38 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 21 Mar 2016 10:14:38 +0000 Subject: [openssl-dev] [openssl.org #4422] OS X 32-bit PowerPC: blake2b.c:27: warning: integer constant is too large for 'unsigned long' type In-Reply-To: <56EFC98E.8040602@openssl.org> References: <20160313105718.GA26936@roeckx.be> <56E6E307.8050707@openssl.org> <56EFC98E.8040602@openssl.org> Message-ID: On 03/14/16 17:12, Andy Polyakov via RT wrote: >> It looks like the ULL suffix should be safe today; > > This is misleading statement. *Today* U suffix should be safe, because > standard specifies that compiler should pick type automatically > depending on value of the constant. In order words suffices beyond U are > required only if you need constant to be of wider type, wider than its > value, e.g. 13ULL. Well, even then it might be superfluous, because type > promotion rules might do it for you. Going back to beginning, to "today > U suffix should be safe". Thing is that we kind of live between today > and yesterday, making it work not only with contemporary platforms, but > even older ones. So real question is if there is compiler supporting > 64-bit integer (which is OpenSSL minimum requirement) which would > *truncate* constants in question, i.e. with U alone? I'm not aware of > any. Next question is if there is compiler that would *fail* to parse > ULL? Yes, older Microsoft 32-bit compilers would. Do you see where is it > going? It's going toward leaving U alone. > > One can wonder if warning is actually justified. I'd argue that this > would be a trick question. Compiler in question obviously accepts long > long, but it's an *extension* to c89 [which we require and rely on]. Now > if compiler already accepts extensions, why would it have to complain > about extended constant values? I mean you either process extensions and > don't complain, or reject extension and complain. Anyway, the U is here > to stay. If warnings sting the eye that much, then the only appropriate > action would be to bump standard compliance by passing -std=c9x as > additional argument to config/Configure. One can argue that it should be > in Configuration/10-main.conf, or be automatically added by ./config. > Yes, I suppose it's appropriate assuming that compilers shipped with > MacOS X all recognize the option. With rationale that MacOS X for PPC is not going to evolve options for darwin*-ppc-cc are frozen at -std=gnu9x. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4422 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 10:33:09 2016 From: rt at openssl.org (David Woodhouse via RT) Date: Mon, 21 Mar 2016 10:33:09 +0000 Subject: [openssl-dev] [openssl.org #4464] UEFI/EDK2 build broken by removal of 'make files'. In-Reply-To: <1458556371.20936.12.camel@infradead.org> References: <1458556371.20936.12.camel@infradead.org> Message-ID: The EDK2 build was using 'make files', as follows: make files cd - function filelist () { ????echo '1,/# Autogenerated files list starts here/p' ????echo '/# Autogenerated files list ends here/,$p' ????echo '/# Autogenerated files list starts here/a\' ????while read LINE; do case "$LINE" in ????RELATIVE_DIRECTORY=*) eval "$LINE" ;; ????LIBSRC=*) LIBSRC=$(echo "$LINE" | sed s/^LIBSRC=//) for FILE in $LIBSRC; do ????if [ "$FILE" != "b_print.c" ]; then echo -e '??$(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\ ????fi done ;; esac ????done ????echo -e \\r } filelist < "${OPENSSL_PATH}/MINFO" |??sed -n -f - -i OpensslLib.inf It wasn't pretty, but it worked. Now it doesn't. What should I be doing instead? -- David Woodhouse Open Source Technology Centre David.Woodhouse at intel.com Intel Corporation -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4464 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: From rt at openssl.org Mon Mar 21 10:42:05 2016 From: rt at openssl.org (Kiyoshi KANAZAWA via RT) Date: Mon, 21 Mar 2016 10:42:05 +0000 Subject: [openssl-dev] [openssl.org #4452] openssl-1.1.0-pre4: undefined symbol for solaris-x86-cc In-Reply-To: <777156.81532.qm@web101215.mail.kks.yahoo.co.jp> References: <747648.50843.qm@web101220.mail.kks.yahoo.co.jp> <550057.6653.qm@web101214.mail.kks.yahoo.co.jp> <777156.81532.qm@web101215.mail.kks.yahoo.co.jp> Message-ID: % ../Configure solaris-x86-cc shared; make; make test also passes. Regards, --- Kiyoshi > Tried with openssl-SNAP-20160320, > but have the same result, not fixed yet. > > > Regards, > > --- Kiyoshi > > > > >> If you have the possibility, please try a fresh checkout of the master > branch >> and see if this is fixed. >> >> Cheers, >> Richard >> >> Vid Sat, 19 Mar 2016 kl. 10.55.59, skrev yoi_no_myoujou at yahoo.co.jp: >>> ? With patch for #4444, >>> >>> ? % mkdir build_solaris-x86-cc >>> ? % cd build_solaris-x86-cc >>> ? % ../Configure solaris-x86-cc >>> ? % make >>> ? : >>> ? Undefined first referenced >>> ? symbol in file >>> ? padlock_xstore ./libcrypto.a(e_padlock.o) >>> ? padlock_capability ./libcrypto.a(e_padlock.o) >>> ? padlock_reload_key ./libcrypto.a(e_padlock.o) >>> ? padlock_ctr32_encrypt ./libcrypto.a(e_padlock.o) >>> ? padlock_key_bswap ./libcrypto.a(e_padlock.o) >>> ? padlock_cbc_encrypt ./libcrypto.a(e_padlock.o) >>> ? padlock_cfb_encrypt ./libcrypto.a(e_padlock.o) >>> ? padlock_ecb_encrypt ./libcrypto.a(e_padlock.o) >>> ? padlock_ofb_encrypt ./libcrypto.a(e_padlock.o) >>> ? padlock_aes_block ./libcrypto.a(e_padlock.o) >>> ? ld: fatal: symbol referencing errors. No output written to > apps/openssl >>> ? ../Makefile.shared:186: recipe for target 'link_app.' failed >>> ? make[1]: *** [link_app.] Error 2 >>> >>> >>> ? % ../Configure solaris-x86-cc no-asm >>> >>> ? % make >>> ? % make test >>> ? passes. >>> >>> >>> ? OS: Solaris10 x86/x64 >>> ? cc: /opt/solarisstudio12.4/bin/cc >>> >>> >>> ? Best Regards, >>> >>> ? --- Kiyoshi >>> >>> >> >> >> -- >> Richard Levitte >> levitte at openssl.org >> >> -- >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4452 >> Please log in as guest with password guest if prompted >> > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4452 Please log in as guest with password guest if prompted From zhjwpku at gmail.com Mon Mar 21 10:53:07 2016 From: zhjwpku at gmail.com (John Hunter) Date: Mon, 21 Mar 2016 18:53:07 +0800 Subject: [openssl-dev] Question about adding a new cipher [I am not asking the old question] Message-ID: I know that this question had been asked millions of times, I searched the maillist archives and I know it, and this is not a homework for an academic project, trust me :) In [1], Victor said that we don't need to rebuild OpenSSL just for adding a crypto algrorithm, and he recoment to see the ccgost engine, I did, but I think that if we add a symmetric cipher, we will declare a EVP_CIPHER struct, which contains a nid, let's say NID_id_Gost28147_89, this nid was defined in crypto/objects/obj_mac.h, but if I don't have a nid for my new added cipher, I think we should add one into openssl, in that occasion I think we should rebuild the OpenSSL. I am appreciated if somebody could help to explain. [1] http://openssl.6102.n7.nabble.com/add-a-new-cipher-to-OpenSSL-td22968.html Cheers! Zhao From levitte at openssl.org Mon Mar 21 10:55:51 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 21 Mar 2016 11:55:51 +0100 (CET) Subject: [openssl-dev] [openssl.org #4464] UEFI/EDK2 build broken by removal of 'make files'. In-Reply-To: References: <1458556371.20936.12.camel@infradead.org> Message-ID: <20160321.115551.1851354022562942113.levitte@openssl.org> Something like this in the directory where you find configdata.pm: $ perl opensslinf.pl > OpensslLib.inf opensslinf.pl: -------- snip 8< ----------------------------------------------- #! /usr/bin/perl use strict; use lib "."; use configdata qw/%unified_info/; foreach my $product ((@{$unified_info{libraries}}, @{$unified_info{engines}})) { foreach my $o (@{$unified_info{sources}->{$product}}) { foreach my $s (@{$unified_info{sources}->{$o}}) { next if $unified_info{generate}->{$s}; print $s, "\n"; } } } -------- snip 8< ----------------------------------------------- Note that it skips over generated source, something that LIBSRC never contained anyway... Cheers, Richard In message on Mon, 21 Mar 2016 10:33:09 +0000, David Woodhouse via RT said: rt> The EDK2 build was using 'make files', as follows: rt> rt> rt> make files rt> cd - rt> rt> function filelist () rt> { rt> ????echo '1,/# Autogenerated files list starts here/p' rt> ????echo '/# Autogenerated files list ends here/,$p' rt> ????echo '/# Autogenerated files list starts here/a\' rt> rt> ????while read LINE; do rt> case "$LINE" in rt> ????RELATIVE_DIRECTORY=*) rt> eval "$LINE" rt> ;; rt> ????LIBSRC=*) rt> LIBSRC=$(echo "$LINE" | sed s/^LIBSRC=//) rt> for FILE in $LIBSRC; do rt> ????if [ "$FILE" != "b_print.c" ]; then rt> echo -e '??$(OPENSSL_PATH)/'$RELATIVE_DIRECTORY/$FILE\\r\\ rt> ????fi rt> done rt> ;; rt> esac rt> ????done rt> ????echo -e \\r rt> } rt> rt> filelist < "${OPENSSL_PATH}/MINFO" |??sed -n -f - -i OpensslLib.inf rt> rt> rt> It wasn't pretty, but it worked. Now it doesn't. What should I be doing rt> instead? rt> rt> -- rt> David Woodhouse Open Source Technology Centre rt> David.Woodhouse at intel.com Intel Corporation rt> rt> rt> -- rt> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4464 rt> Please log in as guest with password guest if prompted rt> From rt at openssl.org Mon Mar 21 11:12:48 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Mon, 21 Mar 2016 11:12:48 +0000 Subject: [openssl-dev] [openssl.org #4325] Unified Builds Don't Work With ARM In-Reply-To: <56EFD730.4010806@openssl.org> References: <56EFD730.4010806@openssl.org> Message-ID: Hi, > There are a few problems that I am facing with unified builds with arm: > > 1. arm_arch.h is not in the include path. > fatal error: arm_arch.h: No such file or directory > > 2. The arm assembler scripts output to stdout > (see attached output.txt) This was addressed in a bigger sweep addressing multiple platforms. Thanks. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4325 Please log in as guest with password guest if prompted From beldmit at gmail.com Mon Mar 21 11:38:07 2016 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 21 Mar 2016 14:38:07 +0300 Subject: [openssl-dev] Question about adding a new cipher [I am not asking the old question] In-Reply-To: References: Message-ID: Hello John, On Mon, Mar 21, 2016 at 1:53 PM, John Hunter wrote: > I know that this question had been asked millions of times, I searched the > maillist archives and I know it, and this is not a homework for an academic > project, trust me :) > > In [1], Victor said that we don't need to rebuild OpenSSL just for adding a > crypto algrorithm, and he recoment to see the ccgost engine, I did, but > I think that if we add a symmetric cipher, we will declare a EVP_CIPHER > struct, which contains a nid, let's say NID_id_Gost28147_89, this nid was > defined in crypto/objects/obj_mac.h, but if I don't have a nid for my new > added cipher, I think we should add one into openssl, in that occasion I > think we should rebuild the OpenSSL. > > I am appreciated if somebody could help to explain. > > [1] > http://openssl.6102.n7.nabble.com/add-a-new-cipher-to-OpenSSL-td22968.html In theory, you are able to register OID/NID via engine. In practice when we implemented the GOST algorithms we found that sometimes it causes memory problems. And anyway, if you provide cipher via an engine, it just allows to use it in some commands but not for TLS. -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From zhjwpku at gmail.com Mon Mar 21 11:52:19 2016 From: zhjwpku at gmail.com (John Hunter) Date: Mon, 21 Mar 2016 19:52:19 +0800 Subject: [openssl-dev] Question about adding a new cipher [I am not asking the old question] In-Reply-To: References: Message-ID: Hi Dmitry, Thank you for you quick reply. On Mon, Mar 21, 2016 at 7:38 PM, Dmitry Belyavsky wrote: > Hello John, > > On Mon, Mar 21, 2016 at 1:53 PM, John Hunter wrote: >> >> I know that this question had been asked millions of times, I searched the >> maillist archives and I know it, and this is not a homework for an >> academic >> project, trust me :) >> >> In [1], Victor said that we don't need to rebuild OpenSSL just for adding >> a >> crypto algrorithm, and he recoment to see the ccgost engine, I did, but >> I think that if we add a symmetric cipher, we will declare a EVP_CIPHER >> struct, which contains a nid, let's say NID_id_Gost28147_89, this nid was >> defined in crypto/objects/obj_mac.h, but if I don't have a nid for my new >> added cipher, I think we should add one into openssl, in that occasion I >> think we should rebuild the OpenSSL. >> >> I am appreciated if somebody could help to explain. >> >> [1] >> http://openssl.6102.n7.nabble.com/add-a-new-cipher-to-OpenSSL-td22968.html > > > In theory, you are able to register OID/NID via engine. > In practice when we implemented the GOST algorithms we found that sometimes > it causes memory problems. > And anyway, if you provide cipher via an engine, it just allows to use it in > some commands but not for TLS. So if I want to use the engine cipher, I should add some ciphersuit in ssl and rebuild the openssl, but I am wondering how will the ssl use the engine? Maybe add the engine to openssl.cnf? For now I just use the engine cipher(not a new added cipher, but replace the aes-128-ecb using the engine) in command with the -engine xxx parameter, I don't know how to use the engine cipher as default(I mean without the -engine). Thanks in advance ! > > -- > SY, Dmitry Belyavsky > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > From dwmw2 at infradead.org Mon Mar 21 11:56:55 2016 From: dwmw2 at infradead.org (David Woodhouse) Date: Mon, 21 Mar 2016 11:56:55 +0000 Subject: [openssl-dev] [openssl.org #4464] UEFI/EDK2 build broken by removal of 'make files'. In-Reply-To: <20160321.115551.1851354022562942113.levitte@openssl.org> References: <1458556371.20936.12.camel@infradead.org> <20160321.115551.1851354022562942113.levitte@openssl.org> Message-ID: <1458561415.20936.29.camel@infradead.org> On Mon, 2016-03-21 at 11:55 +0100, Richard Levitte wrote: > Something like this in the directory where you find configdata.pm: > > ??? $ perl opensslinf.pl > OpensslLib.inf > > opensslinf.pl: ?... That works; thank you. It appears to give me rand/rand_vms.c which I didn't have before, that that's harmless. And it obviously gives me bio/b_print.c which I was manually filtering out before ? I need to do something better than that! It also means I need to try to remember some perl because my test is currently just using your perl snippet and feeding it to the sed command I had before... which is *stupid*. But that's my problem :) function filelist () { ????echo '1,/# Autogenerated files list starts here/p' ????echo '/# Autogenerated files list ends here/,$p' ????echo '/# Autogenerated files list starts here/a\' ????perl <{\$product}}) { ????????foreach my \$s (@{\$unified_info{sources}->{\$o}}) { ????????????next if \$unified_info{generate}->{\$s}; ????????????print "??\\\$(OPENSSL_PATH)/", \$s, "\r\\\\\n"; ????????} ????} } EOF ????echo -e \\r } filelist??|??sed -n -f - -i OpensslLib.inf > Note that it skips over generated source, something that LIBSRC never > contained anyway... Yeah, we don't use any generated source. The only generated file we use is opensslconf.h, and we stash our own copy of that away as part of the same script I'm looking at here. Once EDK2 starts using NASM instead of having *different* copies of various asm files for the MSVC vs. GCC builds(!!), perhaps I'll look at whether I can stop using no-asm. But that's a game for another day. -- David Woodhouse Open Source Technology Centre David.Woodhouse at intel.com Intel Corporation -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 5691 bytes Desc: not available URL: From beldmit at gmail.com Mon Mar 21 12:09:40 2016 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Mon, 21 Mar 2016 15:09:40 +0300 Subject: [openssl-dev] Question about adding a new cipher [I am not asking the old question] In-Reply-To: References: Message-ID: Dear John, On Mon, Mar 21, 2016 at 2:52 PM, John Hunter wrote: > Hi Dmitry, > Thank you for you quick reply. > > On Mon, Mar 21, 2016 at 7:38 PM, Dmitry Belyavsky > wrote: > > Hello John, > > > > On Mon, Mar 21, 2016 at 1:53 PM, John Hunter wrote: > >> > >> I know that this question had been asked millions of times, I searched > the > >> maillist archives and I know it, and this is not a homework for an > >> academic > >> project, trust me :) > >> > >> In [1], Victor said that we don't need to rebuild OpenSSL just for > adding > >> a > >> crypto algrorithm, and he recoment to see the ccgost engine, I did, but > >> I think that if we add a symmetric cipher, we will declare a EVP_CIPHER > >> struct, which contains a nid, let's say NID_id_Gost28147_89, this nid > was > >> defined in crypto/objects/obj_mac.h, but if I don't have a nid for my > new > >> added cipher, I think we should add one into openssl, in that occasion I > >> think we should rebuild the OpenSSL. > >> > >> I am appreciated if somebody could help to explain. > >> > >> [1] > >> > http://openssl.6102.n7.nabble.com/add-a-new-cipher-to-OpenSSL-td22968.html > > > > > > In theory, you are able to register OID/NID via engine. > > In practice when we implemented the GOST algorithms we found that > sometimes > > it causes memory problems. > > And anyway, if you provide cipher via an engine, it just allows to use > it in > > some commands but not for TLS. > > So if I want to use the engine cipher, I should add some ciphersuit in > ssl and rebuild > the openssl, but I am wondering how will the ssl use the engine? Maybe add > the > engine to openssl.cnf? > Yes. And the application should also use the OPENSSL_config() function to ensure the loading of the engine. And sometimes the applications have their own config file with the directives to load engines as accelerators. > For now I just use the engine cipher(not a new added cipher, but replace > the > aes-128-ecb using the engine) in command with the -engine xxx parameter, I > don't know how to use the engine cipher as default(I mean without the > -engine). > > Thanks in advance ! > > > > > -- > > SY, Dmitry Belyavsky > > > > -- > > openssl-dev mailing list > > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From uri at ll.mit.edu Mon Mar 21 12:23:22 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 21 Mar 2016 12:23:22 +0000 Subject: [openssl-dev] Missing blake2_locl.h? Message-ID: With the current Github code (1.1-pre?) after ./Configure xxx and ?make depend && make clean && make all": clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/Users/ur20980/etc/openssl/\"" -DENGINESDIR="\"/Users/ur20980/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/bio/bss_sock.d.tmp -MT crypto/bio/bss_sock.o -c -o crypto/bio/bss_sock.o crypto/bio/bss_sock.c make: *** No rule to make target `crypto/include/internal/blake2_locl.h', needed by `crypto/blake2/blake2b.o'. Stop. $ -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From zhjwpku at gmail.com Mon Mar 21 12:51:19 2016 From: zhjwpku at gmail.com (John Hunter) Date: Mon, 21 Mar 2016 20:51:19 +0800 Subject: [openssl-dev] Question about adding a new cipher [I am not asking the old question] In-Reply-To: References: Message-ID: Got it, thanks :) On Mon, Mar 21, 2016 at 8:09 PM, Dmitry Belyavsky wrote: > Dear John, > > On Mon, Mar 21, 2016 at 2:52 PM, John Hunter wrote: >> >> Hi Dmitry, >> Thank you for you quick reply. >> >> On Mon, Mar 21, 2016 at 7:38 PM, Dmitry Belyavsky >> wrote: >> > Hello John, >> > >> > On Mon, Mar 21, 2016 at 1:53 PM, John Hunter wrote: >> >> >> >> I know that this question had been asked millions of times, I searched >> >> the >> >> maillist archives and I know it, and this is not a homework for an >> >> academic >> >> project, trust me :) >> >> >> >> In [1], Victor said that we don't need to rebuild OpenSSL just for >> >> adding >> >> a >> >> crypto algrorithm, and he recoment to see the ccgost engine, I did, but >> >> I think that if we add a symmetric cipher, we will declare a EVP_CIPHER >> >> struct, which contains a nid, let's say NID_id_Gost28147_89, this nid >> >> was >> >> defined in crypto/objects/obj_mac.h, but if I don't have a nid for my >> >> new >> >> added cipher, I think we should add one into openssl, in that occasion >> >> I >> >> think we should rebuild the OpenSSL. >> >> >> >> I am appreciated if somebody could help to explain. >> >> >> >> [1] >> >> >> >> http://openssl.6102.n7.nabble.com/add-a-new-cipher-to-OpenSSL-td22968.html >> > >> > >> > In theory, you are able to register OID/NID via engine. >> > In practice when we implemented the GOST algorithms we found that >> > sometimes >> > it causes memory problems. >> > And anyway, if you provide cipher via an engine, it just allows to use >> > it in >> > some commands but not for TLS. >> >> So if I want to use the engine cipher, I should add some ciphersuit in >> ssl and rebuild >> the openssl, but I am wondering how will the ssl use the engine? Maybe add >> the >> engine to openssl.cnf? > > > Yes. And the application should also use the OPENSSL_config() function to > ensure the loading of the engine. > > And sometimes the applications have their own config file with the > directives to load engines as accelerators. > >> >> For now I just use the engine cipher(not a new added cipher, but replace >> the >> aes-128-ecb using the engine) in command with the -engine xxx parameter, I >> don't know how to use the engine cipher as default(I mean without the >> -engine). >> >> Thanks in advance ! >> >> > >> > -- >> > SY, Dmitry Belyavsky >> > >> > -- >> > openssl-dev mailing list >> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> > >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > > > > > -- > SY, Dmitry Belyavsky > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > From rt at openssl.org Mon Mar 21 13:02:56 2016 From: rt at openssl.org (=?UTF-8?B?UmFtxatuYXMgSnVyZ2lsYXM=?= via RT) Date: Mon, 21 Mar 2016 13:02:56 +0000 Subject: [openssl-dev] [openssl.org #4466] Memory leak in PKCS12_newpass function In-Reply-To: <58FDFB4D-CDDA-4A93-ACCA-015F4A90CA9F@gmail.com> References: <58FDFB4D-CDDA-4A93-ACCA-015F4A90CA9F@gmail.com> Message-ID: I did write function which changes PKCS12 passphrase. I noticed that PKCS12_newpass function leaks memory. Memory leak disappears when commenting out line where is PKCS12_newpass func. Below I posted this code which I am using. I am using OpneSSL 1.0.2g version. Could you please give me information what I am doing wrong? Or it is known issue? Bets regards, Ramunas - (NSData*)changePKCS12:(NSData*)p12Data oldPassphrase:(NSString*)oldPassphrase newPassphrase:(NSString*)newPassphrase { OpenSSL_add_all_algorithms(); BIO *bp = NULL; PKCS12 *p12 = NULL; int status = 0; do { bp = BIO_new_mem_buf((void *)[p12Data bytes], (int)[p12Data length]); p12 = d2i_PKCS12_bio(bp, NULL); // MEMORY LEAK in PKCS12_newpass status = PKCS12_newpass(p12, (char *)[oldPassphrase UTF8String], (char *)[newPassphrase UTF8String]); } while (false); if (p12) { PKCS12_free(p12); p12 = NULL; } if (bp) { BIO_free_all(bp); bp = NULL; } EVP_cleanup(); return NULL; } -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4466 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 13:02:56 2016 From: rt at openssl.org (=?UTF-8?B?UmFtxatuYXMgSnVyZ2lsYXM=?= via RT) Date: Mon, 21 Mar 2016 13:02:56 +0000 Subject: [openssl-dev] [openssl.org #4465] PKCS12_newpass memory leak In-Reply-To: References: Message-ID: I did write function which changes PKCS12 passphrase. I noticed that PKCS12_newpass function leaks memory. Memory leak disappears when commenting out line where is PKCS12_newpass func. Below I posted this code which I am using. I am using OpneSSL 1.0.2g version. Could you please give me information what I am doing wrong? Or it is known issue? Bets regards, Ramunas - (NSData*)changePKCS12:(NSData*)p12Data oldPassphrase:(NSString*)oldPassphrase newPassphrase:(NSString*)newPassphrase { OpenSSL_add_all_algorithms(); BIO *bp = NULL; PKCS12 *p12 = NULL; int status = 0; do { bp = BIO_new_mem_buf((void *)[p12Data bytes], (int)[p12Data length]); p12 = d2i_PKCS12_bio(bp, NULL); // MEMORY LEAK in PKCS12_newpass status = PKCS12_newpass(p12, (char *)[oldPassphrase UTF8String], (char *)[newPassphrase UTF8String]); } while (false); if (p12) { PKCS12_free(p12); p12 = NULL; } if (bp) { BIO_free_all(bp); bp = NULL; } EVP_cleanup(); return NULL; } -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4465 Please log in as guest with password guest if prompted From uri at ll.mit.edu Mon Mar 21 13:39:28 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 21 Mar 2016 13:39:28 +0000 Subject: [openssl-dev] "make depend" is broken in current Github Message-ID: After fixing ?blake2_locl.h? (by copying it manually to crypto/include/internal), same problem with ct_int.h: clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/Users/ur20980/etc/openssl/\"" -DENGINESDIR="\"/Users/ur20980/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/ct/ct_vfy.d.tmp -MT crypto/ct/ct_vfy.o -c -o crypto/ct/ct_vfy.o crypto/ct/ct_vfy.c make: *** No rule to make target `crypto/include/internal/ct_int.h', needed by `crypto/ct/ct_x509v3.o'. Stop. -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From levitte at openssl.org Mon Mar 21 13:47:25 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 21 Mar 2016 14:47:25 +0100 Subject: [openssl-dev] "make depend" is broken in current Github In-Reply-To: References: Message-ID: <6F8F2980-5905-4AF0-BCFA-EF9CAF490213@openssl.org> Hold on, stop! Put the blake2 header back where you found it, then do this: $ perl Configure reconf Then try building again Cheers Richard "Blumenthal, Uri - 0553 - MITLL" skrev: (21 mars 2016 14:39:28 CET) >After fixing ?blake2_locl.h? (by copying it manually to >crypto/include/internal), same problem with ct_int.h: > > >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/etc/openssl/\"" >-DENGINESDIR="\"/Users/ur20980/lib/engines\"" -O3 -D_REENTRANT -arch >x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. -Icrypto/include -MMD -MF >crypto/ct/ct_vfy.d.tmp -MT crypto/ct/ct_vfy.o -c -o crypto/ct/ct_vfy.o >crypto/ct/ct_vfy.c > >make: *** No rule to make target `crypto/include/internal/ct_int.h', >needed by `crypto/ct/ct_x509v3.o'. Stop. > >-- >Regards, >Uri Blumenthal > > >------------------------------------------------------------------------ -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From rsalz at akamai.com Mon Mar 21 14:16:24 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 21 Mar 2016 14:16:24 +0000 Subject: [openssl-dev] "make depend" is broken in current Github In-Reply-To: References: Message-ID: Some header files moved. Clean and rebuild. -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From: Blumenthal, Uri - 0553 - MITLL [mailto:uri at ll.mit.edu] Sent: Monday, March 21, 2016 9:39 AM To: openssl-dev Subject: [openssl-dev] "make depend" is broken in current Github After fixing ?blake2_locl.h? (by copying it manually to crypto/include/internal), same problem with ct_int.h: clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/Users/ur20980/etc/openssl/\"" -DENGINESDIR="\"/Users/ur20980/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/ct/ct_vfy.d.tmp -MT crypto/ct/ct_vfy.o -c -o crypto/ct/ct_vfy.o crypto/ct/ct_vfy.c make: *** No rule to make target `crypto/include/internal/ct_int.h', needed by `crypto/ct/ct_x509v3.o'. Stop. -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From uri at ll.mit.edu Mon Mar 21 14:41:44 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Mon, 21 Mar 2016 14:41:44 +0000 Subject: [openssl-dev] "make depend" is broken in current Github Message-ID: Some header files moved. Clean and rebuild. I?ve done it several times (./Configure? then ?make depend && make clean && make all ?? - you know the drill), but after this email it started working. No update on git that could claim responsibility for this success. Puzzling, but? From: Blumenthal, Uri - 0553 - MITLL [mailto:uri at ll.mit.edu] Sent: Monday, March 21, 2016 9:39 AM To: openssl-dev Subject: [openssl-dev] "make depend" is broken in current Github After fixing ?blake2_locl.h? (by copying it manually to crypto/include/internal), same problem with ct_int.h: clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/Users/ur20980/etc/openssl/\"" -DENGINESDIR="\"/Users/ur20980/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/ct/ct_vfy.d.tmp -MT crypto/ct/ct_vfy.o -c -o crypto/ct/ct_vfy.o crypto/ct/ct_vfy.c make: *** No rule to make target `crypto/include/internal/ct_int.h', needed by `crypto/ct/ct_x509v3.o'. Stop. -- Regards, Uri Blumenthal -------------- next part -------------- An HTML attachment was scrubbed... URL: From sms at antinode.info Mon Mar 21 14:05:38 2016 From: sms at antinode.info (Steven M. Schweda) Date: Mon, 21 Mar 2016 09:05:38 -0500 (CDT) Subject: [openssl-dev] 1.1.0-pre5-dev (2016-03-20) v. VMS Message-ID: <16032109053819_2021407C@antinode.info> From: Richard Levitte > Could you show me how you configured and what your default directory > was? Also, if you could tell me the difference between utility5_dev > and ALP$DKC100, that would be great. ALP $ show logical utility5_dev "UTILITY5_DEV" = "ALP$DKC100:" (LNM$SYSTEM_TABLE) $ set default - utility5_dev:[UTILITY.source.openssl.openssl-master_2016-03-20] $ @ config.com $ mms > sms> logical names (one rooted for the top-level dir?) > > I'm starting to consider that. I tried to fool it: $ define /translation_attributes = concealed OSSL_TOP - utility5_dev:[UTILITY.source.openssl.] $ set default OSSL_TOP:[openssl-master_2016-03-20] But that led to (the not especially informative): Configured for vms-alpha. ************************************************* *** *** *** Please run the same mms command again *** *** *** ************************************************* so I figured that more care would be required somewhere to cope with the logical names. (Interactive advice is not much use in a batch job.) > sms> continuation lines > > Regardless of that, there will still be a limit on the total line > length, won't it? Probably. MMS already seems to be breaking things apart. sms> relative directory specs > Configure tries its best when possible. However, from the command > line above, the source and build tree appear to be on different > devices, and it won't try to expand the logical names (or even worse, > trying to use realpath(), you've already seen first hand what happens > then). I'll try it again with more physical, fewer logical names. Perhaps some f$trnlnm() action (lather, rinse, repeat) could solve this kind of thing automatically. > sms> documentation of the default directory spec length limit > > Another thing I could see is recommending users to create rooted > logicals "SRC" and "BLD" and use those. Better if the builders do it than the victims. > --with-zlib-include=3DINCDIR > --with-zlib-lib=3DLIBDIR > > Apart from that, what I've done so far is tentative. From all the > searches I've been doing, it looks like GNV$LIBZSHR is the zlib name > du jour, is that your assessment as well? My assessment is that this stuff is where I put it. Some place like, say, utility_root:[source.zlib.zlib-1_2_6], where I see LIBZ.OLB, LIBZ_64.OLB, and libzshr.exe. I'd need to look more closely to see what the 32-/64-bit situation is for zlib. I'd expect only a minority of victims to have GNV installed, and I don't know its 32-/64-bit situation, either. > sms> 3. Shared images? > > Add "shared" to the Configure line. I'll try it (when I get past the too-long-line problem). > Generally speaking, I'd love it > if you had a look at INSTALL, that file covers Unix, Windows and VMS Reading further than the first few paragraphs might have helprd in my case. > sms> (I haven't verified it yet, but I believe that the "-010" compiler, > sms> recently made available to us lowly hobbyists, fixes the 64-bit argv[] > sms> NULL-termination problems on Alpha.) > > Interesting. So that would make the hack in [.apps]vms_decc_init.c > less necessary then? It should. > Does keeping that hack in place hurt in any way? It'll waste a little time, but not enough to matter. Probably safer to leave it in there until the newer compiler diffuses more. A recent posting in comp.os.vms said: $ cc /version HP C V7.3-009 on OpenVMS Alpha V8.3 so it's clearly not yet reached everyone. ------------------------------------------------------------------------ Steven M. Schweda sms at antinode-info 382 South Warwick Street (+1) 651-699-9818 Saint Paul MN 55105-2547 From rt at openssl.org Mon Mar 21 15:12:38 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Mon, 21 Mar 2016 15:12:38 +0000 Subject: [openssl-dev] [openssl.org #4459] openssl-1.1.0-pre4: make install fals on solaris64-x86_64-gcc. In-Reply-To: References: <180606.78677.qm@web101203.mail.kks.yahoo.co.jp> <767312.35644.qm@web101212.mail.kks.yahoo.co.jp> Message-ID: Fix merged, commit 2b364f615bbe913ba9121ddb4018da505b407882 Closing ticket. Thank you Cheers, Richard Vid Mon, 21 Mar 2016 kl. 09.40.33, skrev yoi_no_myoujou at yahoo.co.jp: > Thank you, Richard. > Make install succeeded with your new patch. > > --- Kiyoshi > > > > > > My earlier patch was incorrect, it introduced another syntax error. > > Try this > > one instead. > > > > -- > > Richard Levitte > > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4459 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 15:51:00 2016 From: rt at openssl.org (Tiantian Liu via RT) Date: Mon, 21 Mar 2016 15:51:00 +0000 Subject: [openssl-dev] [openssl.org #4467] SSL_Connect crashed In-Reply-To: References: Message-ID: Hi, Good morning everyone! I have an issue about OpenSSL. I installed OpenSSL-1.0.1p on a 32-bit Linux machine. Our application uses the OpenSSL library to communicate with other hosts over TLS1.2 protocol. The OpenSSL library has been working for us pretty well, until last Friday one developer told me our application crashed whenever it called SSL_Connect(). I was shocked, I don't know why OpenSSL library stopped working suddenly. I changed the protocol to SSLv23, then our application didn't crash anymore and communicated with host well. But if I change back to TLS1.2, the application crashed again at the place where SSL_Connect() was called. I am pretty sure, the does support TLS1.2 and it used to work. I also use the openssl command successfully established connection to peer over TLS1.2: #openssl s_client -connect 71.6.108.188:443 ........ ........ Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : AES128-SHA Session-ID: 56F011C1586C3FD0D406FD908012B47501CF06748182A738424120C90A15E646 Session-ID-ctx: Master-Key: 7C12A5E358194A350AE990BCF1C1DA3606D8E46F3DDCEFCAADD6724B72D9FB0DD802616255FC0DFFB7898C56F1FDAEBC Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1458573627 Timeout : 300 (sec) Verify return code: 20 (unable to get local issuer certificate) ......... I used GDB to investigate the issue in our source code, GDB printed all the fields in SSL structure passed into SSL_Connect(): (gdb) n 562 res = SSL_connect(ssl); (gdb) print *ssl $3 = {version = 771, type = 0, method = 0x860520, rbio = 0x9a28588, wbio = 0x9a28588, bbio = 0x0, rwstate = 1, in_handshake = 0, handshake_func = 0, server = 1, new_session = 0, quiet_shutdown = 0, shutdown = 0, state = 24576, rstate = 240, init_buf = 0x0, init_msg = 0x0, init_num = 0, init_off = 0, packet = 0x0, packet_length = 0, s2 = 0x0, s3 = 0x9a286b0, d1 = 0x0, read_ahead = 0, msg_callback = 0, msg_callback_arg = 0x0, hit = 0, param = 0x9a28688, cipher_list = 0x0, cipher_list_by_id = 0x0, mac_flags = 0, enc_read_ctx = 0x0, read_hash = 0x0, expand = 0x0, enc_write_ctx = 0x0, write_hash = 0x0, compress = 0x9a29120, cert = 0x0, sid_ctx_length = 0, sid_ctx = '\0' , session = 0x0, generate_session_id = 0, verify_mode = 0, verify_callback = 0, info_callback = 0, error = 0, error_code = 161704456, psk_client_callback = 0, psk_server_callback = 0, ctx = 0x0, debug = 0, verify_result = 0, ex_data = {sk = 0x1, dummy = 0}, client_CA = 0x0, references = 102400, options = 0, mode = 771, max_cert_list = 0, first_packet = 0, client_version = 0, max_send_fragment = 0, tlsext_debug_cb = 0xffffffff, tlsext_debug_arg = 0x0, tlsext_hostname = 0x0, servername_done = 0, tlsext_status_type = 0, tlsext_status_expected = -1, tlsext_ocsp_ids = 0x0, tlsext_ocsp_exts = 0x9a36a08, tlsext_ocsp_resp = 0x8622c0 "\001", tlsext_ocsp_resplen = 73, tlsext_ticket_expected = 4780448, tlsext_ecpointformatlist_length = 0, tlsext_ecpointformatlist = 0x0, tlsext_ellipticcurvelist_length = 1, tlsext_ellipticcurvelist = 0x0, tlsext_opaque_prf_input = 0x0, tlsext_opaque_prf_input_len = 0, tlsext_session_ticket = 0x6, tls_session_ticket_ext_cb = 0, tls_session_ticket_ext_cb_arg = 0x0, tls_session_secret_cb = 0, tls_session_secret_cb_arg = 0x1, initial_ctx = 0x0, next_proto_negotiated = 0x0, next_proto_negotiated_len = 0 '\0', srtp_profiles = 0x0, srtp_profile = 0x0, tlsext_heartbeat = 137, tlsext_hb_pending = 14406096, tlsext_hb_seq = 14406096, renegotiate = 0, srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0, SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0, login = 0x44454c4c
, N = 0x9a285f8, g = 0x61, s = 0x9a29820, B = 0xdbd150, A = 0x0, a = 0x4, b = 0x18, v = 0x18, info = 0x9a298d0 "", strength = 0, srp_Mask = 0}} (gdb) n Program received signal SIGSEGV, Segmentation fault. 0x008283cc in ssl3_connect () from /usr/lib/libssl.so.1.0.0 (gdb) quit The SSL structure was returned by SSL_new(), and we didn't touch the SSL structure before we calling SSL_Connect(). The only suspicious value I found is the 'out of bounds' error upon 'login' field. But I don't think it caused the crash. Because I also printed SSL structure after I changed to SSLv23 protocol. I also found there were a number of 'out of bounds' errors happened, but no crash. P.S: I re-compiled the same source code on 64-bit Linux machine, which has different OpenSSL version, and I confirm our application works fine with TLS1.2, no crash at all. Could you tell me what probably happened? Any recommendation is welcome! Thanks, Tyer [Acceo Solutions] Tiantian(Tyler) Liu Analyste Programmeur | Programmer Analyst Tender Retail ACCEO Solutions Inc. 416-498-1200 ext. 301 Suite 400 - 2 Lansing Square Toronto, Ontario, Canada M2J 4P8 acceo.com -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4467 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.jpg Type: image/jpeg Size: 14459 bytes Desc: not available URL: From michel.sales at free.fr Mon Mar 21 16:05:09 2016 From: michel.sales at free.fr (Michel) Date: Mon, 21 Mar 2016 17:05:09 +0100 Subject: [openssl-dev] Is a "no next protocol negotiation" (no-npn) a supported option? In-Reply-To: <002f01d18354$cd8e1f70$68aa5e50$@sales@free.fr> References: <20160321.090222.713004186383328150.levitte@openssl.org> <002f01d18354$cd8e1f70$68aa5e50$@sales@free.fr> Message-ID: <00a301d1838b$71752350$545f69f0$@sales@free.fr> Hi Jeff, In case it may still be usefull, I have updated the patch against today's git repo. I was able to build OpenSSL VC-WIN32 configured with no-nextprotoneg option. Regards, Michel. -------------- next part -------------- A non-text attachment was scrubbed... Name: no-nextproto-1.1.0.patch Type: application/octet-stream Size: 1022 bytes Desc: not available URL: From openssl-users at dukhovni.org Mon Mar 21 16:10:13 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 21 Mar 2016 12:10:13 -0400 Subject: [openssl-dev] [openssl.org #4467] SSL_Connect crashed In-Reply-To: References: Message-ID: <8B2EC80D-AF3F-43D1-B847-7C80AB3E1F43@dukhovni.org> > On Mar 21, 2016, at 11:51 AM, Tiantian Liu via RT wrote: > > > srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0, SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0, > login = 0x44454c4c
, N = 0x9a285f8, g = 0x61, s = 0x9a29820, B = 0xdbd150, A = 0x0, a = 0x4, b = 0x18, v = 0x18, info = 0x9a298d0 "", strength = 0, > srp_Mask = 0} > (gdb) n > > Program received signal SIGSEGV, Segmentation fault. > 0x008283cc in ssl3_connect () from /usr/lib/libssl.so.1.0.0 > (gdb) quit > > The SSL structure was returned by SSL_new(), and we didn't touch the SSL structure before we calling SSL_Connect(). > The only suspicious value I found is the 'out of bounds' error upon 'login' field. But I don't think it caused the crash. Interestingly, "0x44454c4c" is "DELL". In OpenSSL the SSL_new() function zeros the SSL structure when it is allocated. So that "DELL" clobbered the "login" pointer after the structure was allocated in SSL_new(). Are you using SRP? One would expect the entire SRP context to be zeroed otherwise... Either something is clobbering memory, or you may be using SRP incorrectly. -- Viktor. From rt at openssl.org Mon Mar 21 16:10:19 2016 From: rt at openssl.org (Viktor Dukhovni via RT) Date: Mon, 21 Mar 2016 16:10:19 +0000 Subject: [openssl-dev] [openssl.org #4467] SSL_Connect crashed In-Reply-To: <8B2EC80D-AF3F-43D1-B847-7C80AB3E1F43@dukhovni.org> References: <8B2EC80D-AF3F-43D1-B847-7C80AB3E1F43@dukhovni.org> Message-ID: > On Mar 21, 2016, at 11:51 AM, Tiantian Liu via RT wrote: > > > srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0, SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0, > login = 0x44454c4c
, N = 0x9a285f8, g = 0x61, s = 0x9a29820, B = 0xdbd150, A = 0x0, a = 0x4, b = 0x18, v = 0x18, info = 0x9a298d0 "", strength = 0, > srp_Mask = 0} > (gdb) n > > Program received signal SIGSEGV, Segmentation fault. > 0x008283cc in ssl3_connect () from /usr/lib/libssl.so.1.0.0 > (gdb) quit > > The SSL structure was returned by SSL_new(), and we didn't touch the SSL structure before we calling SSL_Connect(). > The only suspicious value I found is the 'out of bounds' error upon 'login' field. But I don't think it caused the crash. Interestingly, "0x44454c4c" is "DELL". In OpenSSL the SSL_new() function zeros the SSL structure when it is allocated. So that "DELL" clobbered the "login" pointer after the structure was allocated in SSL_new(). Are you using SRP? One would expect the entire SRP context to be zeroed otherwise... Either something is clobbering memory, or you may be using SRP incorrectly. -- Viktor. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4467 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 16:11:52 2016 From: rt at openssl.org (Tiantian Liu via RT) Date: Mon, 21 Mar 2016 16:11:52 +0000 Subject: [openssl-dev] [openssl.org #4467] SSL_Connect crashed In-Reply-To: References: <8B2EC80D-AF3F-43D1-B847-7C80AB3E1F43@dukhovni.org> Message-ID: Hi Victor, Thanks for your response. I will inspect the field you mentioned. Thanks! Tyler Tiantian(Tyler) Liu Analyste Programmeur | Programmer Analyst Tender Retail ACCEO Solutions Inc. 416-498-1200 ext. 301 Suite 400 ? 2 Lansing Square Toronto, Ontario, Canada M2J 4P8 acceo.com -----Original Message----- From: Viktor Dukhovni via RT [mailto:rt at openssl.org] Sent: March-21-16 12:10 PM To: Tiantian (Tyler) Liu Cc: openssl-dev at openssl.org Subject: Re: [openssl-dev] [openssl.org #4467] SSL_Connect crashed > On Mar 21, 2016, at 11:51 AM, Tiantian Liu via RT wrote: > > > srp_ctx = {SRP_cb_arg = 0x0, TLS_ext_srp_username_callback = 0, SRP_verify_param_callback = 0, SRP_give_srp_client_pwd_callback = 0, > login = 0x44454c4c
, N = 0x9a285f8, g = 0x61, s = 0x9a29820, B = 0xdbd150, A = 0x0, a = 0x4, b = 0x18, v = 0x18, info = 0x9a298d0 "", strength = 0, > srp_Mask = 0} > (gdb) n > > Program received signal SIGSEGV, Segmentation fault. > 0x008283cc in ssl3_connect () from /usr/lib/libssl.so.1.0.0 > (gdb) quit > > The SSL structure was returned by SSL_new(), and we didn't touch the SSL structure before we calling SSL_Connect(). > The only suspicious value I found is the 'out of bounds' error upon 'login' field. But I don't think it caused the crash. Interestingly, "0x44454c4c" is "DELL". In OpenSSL the SSL_new() function zeros the SSL structure when it is allocated. So that "DELL" clobbered the "login" pointer after the structure was allocated in SSL_new(). Are you using SRP? One would expect the entire SRP context to be zeroed otherwise... Either something is clobbering memory, or you may be using SRP incorrectly. -- Viktor. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4467 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4467 Please log in as guest with password guest if prompted From sms at antinode.info Mon Mar 21 18:48:01 2016 From: sms at antinode.info (Steven M. Schweda) Date: Mon, 21 Mar 2016 13:48:01 -0500 (CDT) Subject: [openssl-dev] 1.1.0-pre5-dev (2016-03-20) v. VMS Message-ID: <16032113480098_2020F9D5@antinode.info> > I'll try it again with more physical, fewer logical names. Perhaps > some f$trnlnm() action (lather, rinse, repeat) could solve this kind of > thing automatically. That seems to help considerably (more relative dir specs). Oddities from test: [.recipes]25-test_pkcs7.t ........... ok readline() on closed filehandle DATA at [.recipes]25-test_req.t line 34. readline() on closed filehandle DATA at [.recipes]25-test_req.t line 34. But: All tests successful. Files=72, Tests=362, 1337 wallclock secs (16.36 usr + 0.00 sys = 16.36 CPU) Result: PASS The 64-bit attempt did less well. config.com says: $ ! -32 or 32 sets /POINTER_SIZE=32 $ ! -64 or 64 sets /POINTER_SIZE=64 But: $ @ config.com -64 led to: Warning! target vms-alpha-p64 doesn't exist! Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags] [...] vms-alpha vms-alpha-P32 vms-alpha-P64 [...] I just noticed the case difference as I was assembling this message. More/less/different quotation again? ------------------------------------------------------------------------ Steven M. Schweda sms at antinode-info 382 South Warwick Street (+1) 651-699-9818 Saint Paul MN 55105-2547 From levitte at openssl.org Mon Mar 21 19:17:22 2016 From: levitte at openssl.org (Richard Levitte) Date: Mon, 21 Mar 2016 20:17:22 +0100 (CET) Subject: [openssl-dev] 1.1.0-pre5-dev (2016-03-20) v. VMS In-Reply-To: <16032113480098_2020F9D5@antinode.info> References: <16032113480098_2020F9D5@antinode.info> Message-ID: <20160321.201722.698124543348091024.levitte@openssl.org> In message <16032113480098_2020F9D5 at antinode.info> on Mon, 21 Mar 2016 13:48:01 -0500 (CDT), "Steven M. Schweda" said: sms> > I'll try it again with more physical, fewer logical names. Perhaps sms> > some f$trnlnm() action (lather, rinse, repeat) could solve this kind of sms> > thing automatically. sms> sms> That seems to help considerably (more relative dir specs). Oddities sms> from test: sms> sms> [.recipes]25-test_pkcs7.t ........... ok sms> readline() on closed filehandle DATA at [.recipes]25-test_req.t line 34. sms> readline() on closed filehandle DATA at [.recipes]25-test_req.t line 34. Yeah, I've been eyeing that one but have been busy with more pressing things. As far as I've seen, this is innocuous, so more an annoyance than anything else. sms> But: sms> sms> All tests successful. sms> Files=72, Tests=362, 1337 wallclock secs (16.36 usr + 0.00 sys = 16.36 CPU) sms> Result: PASS sms> sms> sms> The 64-bit attempt did less well. config.com says: sms> sms> $ ! -32 or 32 sets /POINTER_SIZE=32 sms> $ ! -64 or 64 sets /POINTER_SIZE=64 sms> sms> But: sms> sms> $ @ config.com -64 sms> sms> led to: sms> sms> Warning! target vms-alpha-p64 doesn't exist! sms> Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags] sms> [...] sms> vms-alpha sms> vms-alpha-P32 sms> vms-alpha-P64 sms> [...] sms> sms> I just noticed the case difference as I was assembling this message. sms> More/less/different quotation again? Yeah, that one got discovered already today. Now, now it's because perl arguments won't be automatically downcased in some cases (actually, you discovered that a while ago!), so there's an explicit downcase of in Configure (for --foo=BAR cases, just the part before the equal sign). Of course, the issue above is how that fix comes back in bites me ;-) The easiest (I'm all for easy in this case) is to downcase the indices in [.Configurations]10-main.conf... Will be visible in tonight's snapshot (did you know that we produce nightly snapshots? ftp://ftp.openssl.org/snapshot or http://ftp.openssl.org/snapshot). Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Mon Mar 21 19:23:17 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 21 Mar 2016 19:23:17 +0000 Subject: [openssl-dev] [openssl.org #4455] AutoReply: OpenSUSE 42: undefined reference to `engine_load_afalg_internal' In-Reply-To: References: Message-ID: Still present at 149bd5d6cb393648. If I './config shared', then the issue goes away. The only difference I see is the absence of "no-dynamic-engine [forced]" when "shared" is used. Here's the config with shared: openssl> ./config shared Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for linux-x86_64 CC =gcc CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack SHARED_CFLAG =-fPIC DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM LFLAG = PLIB_LFLAG = EX_LIBS =-ldl APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =/usr/bin/ranlib ARFLAGS = PERL =/usr/bin/perl SIXTY_FOUR_BIT_LONG mode Configured for linux-x86_64. On Sun, Mar 20, 2016 at 4:29 AM, The default queue via RT wrote: > > Greetings, > > ... > Working from Master at 270862b470d43a28: > > openssl> make depend && make clean && make > ... > LD_LIBRARY_PATH=.: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib64/engines" > -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -o apps/openssl > apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o > apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o > apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o > apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o > apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o > apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o > apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o > apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o > apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o > apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o > apps/x509.o -L. -lssl -L. -lcrypto -ldl > ./libcrypto.a(init.o): In function `ossl_init_engine_afalg': > init.c:(.text+0x31): undefined reference to `engine_load_afalg_internal' > collect2: error: ld returned 1 exit status > Makefile.shared:186: recipe for target 'link_app.' failed > make[1]: *** [link_app.] Error 1 > make[1]: Leaving directory '/home/jwalton/openssl' > Makefile:5994: recipe for target 'apps/openssl' failed > make: *** [apps/openssl] Error 2 > > ********** > > openssl> ./config > Operating system: x86_64-whatever-linux2 > Configuring for linux-x86_64 > Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-dynamic-engine [forced] > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-x86_64 > IsMK1MF =no > CC =gcc > CFLAG =-Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 > OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM > SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM > ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-ldl > APPS_OBJ = > CPUID_OBJ =x86_64cpuid.o > UPLINK_OBJ = > BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o > x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o > DES_ENC =des_enc.o fcrypt_b.o > AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o > aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o > aesni-mb-x86_64.o > BF_ENC =bf_enc.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o > RC5_ENC =rc5_enc.o > MD5_OBJ_ASM =md5-x86_64.o > SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o > sha1-mb-x86_64.o sha256-mb-x86_64.o > RMD160_OBJ_ASM= > CMLL_ENC =cmll-x86_64.o cmll_misc.o > MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o > PADLOCK_OBJ =e_padlock-x86_64.o > CHACHA_ENC =chacha-x86_64.o > POLY1305_OBJ =poly1305-x86_64.o > BLAKE2_OBJ = > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/usr/bin/perl > > SIXTY_FOUR_BIT_LONG mode > > Configured for linux-x86_64. > > ********* > >> uname -a > Linux opensuse-42 4.1.12-1-default #1 SMP PREEMPT Thu Oct 29 06:43:42 > UTC 2015 (e24bad1) x86_64 x86_64 x86_64 GNU/Linux > >> gcc --version > gcc (SUSE Linux) 4.8.5 > Copyright (C) 2015 Free Software Foundation, Inc. > This is free software; see the source for copying conditions. There is NO > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. > >> cat /etc/SuSE-release > openSUSE 42.1 (x86_64) > VERSION = 42.1 > CODENAME = Malachite > # /etc/SuSE-release is deprecated and will be removed in the future, > use /etc/os-release instead > >> cat /etc/os-release > NAME="openSUSE Leap" > VERSION="42.1" > VERSION_ID="42.1" > PRETTY_NAME="openSUSE Leap 42.1 (x86_64)" > ID=opensuse > ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4455 Please log in as guest with password guest if prompted From rt at openssl.org Mon Mar 21 20:50:28 2016 From: rt at openssl.org (Rich Salz via RT) Date: Mon, 21 Mar 2016 20:50:28 +0000 Subject: [openssl-dev] [openssl.org #4460] [PATCH] BIO_METHODs should be const In-Reply-To: References: Message-ID: done with commit 04f6b0f. Thanks ! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4460 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 22 00:26:33 2016 From: rt at openssl.org (paul.dale@oracle.com via RT) Date: Tue, 22 Mar 2016 00:26:33 +0000 Subject: [openssl-dev] [openssl.org #4468] #ifndefs incorrect for GOST In-Reply-To: <2015461.ps5oDIzqUp@acid> References: <2015461.ps5oDIzqUp@acid> Message-ID: Attached is a patch that fixes a typo in the #ifndef OPENSSL_NO_GOST lines in ssl/s3_lib.c regards, Pauli -- Oracle Dr Paul Dale | Cryptographer | Network Security & Encryption Phone +61 7 3031 7217 Oracle Australia -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4468 Please log in as guest with password guest if prompted -------------- next part -------------- >From 8cc3d7a13c2092331f98ca12db64fabe23872e00 Mon Sep 17 00:00:00 2001 From: Pauli Date: Tue, 22 Mar 2016 09:16:36 +1000 Subject: [PATCH] Fix #ifndef line for GOST --- ssl/s3_lib.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 49180cd..aea62ac 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -2498,7 +2498,7 @@ static SSL_CIPHER ssl3_ciphers[] = #endif /* OPENSSL_NO_CAMELLIA */ -#ifndef OPENSL_NO_GOST +#ifndef OPENSSL_NO_GOST { 1, "GOST2001-GOST89-GOST89", @@ -2558,7 +2558,7 @@ static SSL_CIPHER ssl3_ciphers[] = SSL_HANDSHAKE_MAC_GOST12_256 | TLS1_PRF_GOST12_256 | TLS1_STREAM_MAC, 0, 0}, -#endif /* OPENSL_NO_GOST */ +#endif /* OPENSSL_NO_GOST */ #ifndef OPENSSL_NO_IDEA { -- 1.9.1 From ashwini.vpatil at siemens.com Tue Mar 22 08:54:46 2016 From: ashwini.vpatil at siemens.com (Patil, Ashwini IN BLR SHC) Date: Tue, 22 Mar 2016 14:24:46 +0530 Subject: [openssl-dev] Openssl linker errors Message-ID: Hello Team, When I tried to integrate openssl-fips2.0.11 in openssl-1.0.2f with below steps Step1 - perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0 no-idea no-mdc2 no-rc5 no-camellia no-seed no-md2 no-rc2 no-rc4 no-whirlpool no-ripemd no-cast no-md2 no-ssl2 no-srp no-dsa no-dh Note: Patented algorithms will be disabled by using below flags. This is our assumption please guide. no-idea no-mdc2 no-rc5 no-camellia no-seed no-md2 no-rc2 no-rc4 no-whirlpool no-ripemd no-cast no-md2 no-ssl2 no-srp no-dsa no-dh Step2 - ms\do_nasm Step3 - nmake -f ms\ntdll.mak I get below linker errors: Building OpenSSL perl .\util\copy-if-different.pl ".\crypto\buildinf.h" "tmp32dll\buildinf.h" Copying: ./crypto/buildinf.h to tmp32dll/buildinf.h perl .\util\copy-if-different.pl ".\crypto\opensslconf.h" "inc32\openssl\opensslconf.h" NOT copying: ./crypto/opensslconf.h to inc32/openssl/opensslconf.h rc /fo"tmp32dll\libeay32.res" /d CRYPTO ms\version32.rc Microsoft (R) Windows (R) Resource Compiler Version 6.0.5724.0 Copyright (C) Microsoft Corporation. All rights reserved. link /nologo /subsystem:console /opt:ref /debug /out:out32dll\fips_premain_dso.exe @C:\DOCUME~1\ADMINI~1\LOCALS~ 1\Temp\nm28F.tmp Creating library out32dll\fips_premain_dso.lib and object out32dll\fips_premain_dso.exp IF EXIST out32dll\fips_premain_dso.exe.manifest mt -nologo -manifest out32dll\fips_premain_dso.exe.manifest -out putresource:out32dll\fips_premain_dso.exe;1 SET FIPS_LINK=link SET FIPS_CC=cl SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_ BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I\usr\local\ssl\fips-2.0/include -DSH A1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOP ENSSL_NO_IDEA -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC2 -DOPENSSL_NO_RC4 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD 2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CAST -DOPENSSL_NO_DSA -DOPENSSL_NO_DH -DOPENSSL_NO_WHIRLPOOL -DOPEN SSL_NO_SSL2 -DOPENSSL_NO_SRP -DOPENSSL_NO_KRB5 -DOPENSSL_NO_GOST -DOPENSSL_NO_HW -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPE NSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -c SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe SET FIPS_SHA1_EXE=\usr\local\ssl\fips-2.0\bin\fips_standalone_sha1.exe SET FIPS_TARGET=out32dll\libeay32.dll SET FIPSLIB_D=\usr\local\ssl\fips-2.0\lib perl \usr\local\ssl\fips-2.0\bin\fipslink.pl /nologo /subsystem:console /opt:ref /debug /dll /fixed /map /base: 0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm293.tmp Integrity check OK cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nol ogo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOP ENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I\usr\local\ssl\fips-2.0/include -DSHA1_ASM -DSHA256_ASM -D SHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_IDEA -DOPENSS L_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC2 -DOPENSSL_NO_RC4 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CAST -DOPENSSL_NO_DSA -DOPENSSL_NO_DH -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_SSL2 -DOPENSSL_ NO_SRP -DOPENSSL_NO_KRB5 -DOPENSSL_NO_GOST -DOPENSSL_NO_HW -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -c \usr\local\ssl\fips-2.0\lib/fips_premain.c fips_premain.c link /nologo /subsystem:console /opt:ref /debug /dll /fixed /map /base:0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBE AY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm293.tmp LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PrivateKey LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PrivateKey_bio LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PublicKey LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PublicKey_bio LIBEAY32.def : error LNK2001: unresolved external symbol i2b_PrivateKey_bio LIBEAY32.def : error LNK2001: unresolved external symbol i2b_PublicKey_bio out32dll\libeay32.lib : fatal error LNK1120: 6 unresolved externals First stage Link failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 55. NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x60' Stop. C:\openssl-1.0.2f-fips-complaint> Please help me how to resolve the above errors. Your help is appreciated. With best regards, Ashwini V Patil Siemens Healthcare Private Limited HC SI DC IN H1-FH STD IBP 6 84, Hosur Road Bengaluru 560100, Indien Mobil: +91 9008132565 mailto:ashwini.vpatil at siemens.com Registered Office: 130, Pandurang Budhkar Marg, Worli, Mumbai 400 018. Telephone +91 22 39677000. Fax +91 22 39677075. Other Offices: Bengaluru. Corporate Identity number: U74999MH2015PTC264859 -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Tue Mar 22 11:41:49 2016 From: rt at openssl.org (Patil, Ashwini IN BLR STS via RT) Date: Tue, 22 Mar 2016 11:41:49 +0000 Subject: [openssl-dev] [openssl.org #4469] Openssl linker errors In-Reply-To: References: Message-ID: Hello Team, When I tried to integrate openssl-fips2.0.11 in openssl-1.0.2f with below steps Step1 - perl Configure VC-WIN32 fips --with-fipslibdir=C:\usr\local\ssl\fips-2.0 no-idea no-mdc2 no-rc5 no-camellia no-seed no-md2 no-rc2 no-rc4 no-whirlpool no-ripemd no-cast no-md2 no-ssl2 no-srp no-dsa no-dh Note: Patented algorithms will be disabled by using below flags. This is our assumption please guide. no-idea no-mdc2 no-rc5 no-camellia no-seed no-md2 no-rc2 no-rc4 no-whirlpool no-ripemd no-cast no-md2 no-ssl2 no-srp no-dsa no-dh Step2 - ms\do_nasm Step3 - nmake -f ms\ntdll.mak I get below linker errors: Building OpenSSL perl .\util\copy-if-different.pl ".\crypto\buildinf.h" "tmp32dll\buildinf.h" Copying: ./crypto/buildinf.h to tmp32dll/buildinf.h perl .\util\copy-if-different.pl ".\crypto\opensslconf.h" "inc32\openssl\opensslconf.h" NOT copying: ./crypto/opensslconf.h to inc32/openssl/opensslconf.h rc /fo"tmp32dll\libeay32.res" /d CRYPTO ms\version32.rc Microsoft (R) Windows (R) Resource Compiler Version 6.0.5724.0 Copyright (C) Microsoft Corporation. All rights reserved. link /nologo /subsystem:console /opt:ref /debug /out:out32dll\fips_premain_dso.exe @C:\DOCUME~1\ADMINI~1\LOCALS~ 1\Temp\nm28F.tmp Creating library out32dll\fips_premain_dso.lib and object out32dll\fips_premain_dso.exp IF EXIST out32dll\fips_premain_dso.exe.manifest mt -nologo -manifest out32dll\fips_premain_dso.exe.manifest -out putresource:out32dll\fips_premain_dso.exe;1 SET FIPS_LINK=link SET FIPS_CC=cl SET FIPS_CC_ARGS=/Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_ BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I\usr\local\ssl\fips-2.0/include -DSH A1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOP ENSSL_NO_IDEA -DOPENSSL_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC2 -DOPENSSL_NO_RC4 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD 2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CAST -DOPENSSL_NO_DSA -DOPENSSL_NO_DH -DOPENSSL_NO_WHIRLPOOL -DOPEN SSL_NO_SSL2 -DOPENSSL_NO_SRP -DOPENSSL_NO_KRB5 -DOPENSSL_NO_GOST -DOPENSSL_NO_HW -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPE NSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -c SET PREMAIN_DSO_EXE=out32dll\fips_premain_dso.exe SET FIPS_SHA1_EXE=\usr\local\ssl\fips-2.0\bin\fips_standalone_sha1.exe SET FIPS_TARGET=out32dll\libeay32.dll SET FIPSLIB_D=\usr\local\ssl\fips-2.0\lib perl \usr\local\ssl\fips-2.0\bin\fipslink.pl /nologo /subsystem:console /opt:ref /debug /dll /fixed /map /base: 0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBEAY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm293.tmp Integrity check OK cl /Fotmp32dll\fips_premain.obj -Iinc32 -Itmp32dll /MD /Ox /O2 /Ob2 -DOPENSSL_THREADS -DDSO_WIN32 -W3 -Gs0 -GF -Gy -nol ogo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DOPENSSL_BN_ASM_PART_WORDS -DOP ENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -I\usr\local\ssl\fips-2.0/include -DSHA1_ASM -DSHA256_ASM -D SHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DGHASH_ASM -DOPENSSL_USE_APPLINK -I. -DOPENSSL_NO_IDEA -DOPENSS L_NO_CAMELLIA -DOPENSSL_NO_SEED -DOPENSSL_NO_RC2 -DOPENSSL_NO_RC4 -DOPENSSL_NO_RC5 -DOPENSSL_NO_MD2 -DOPENSSL_NO_RIPEMD -DOPENSSL_NO_MDC2 -DOPENSSL_NO_CAST -DOPENSSL_NO_DSA -DOPENSSL_NO_DH -DOPENSSL_NO_WHIRLPOOL -DOPENSSL_NO_SSL2 -DOPENSSL_ NO_SRP -DOPENSSL_NO_KRB5 -DOPENSSL_NO_GOST -DOPENSSL_NO_HW -DOPENSSL_FIPS -DOPENSSL_NO_JPAKE -DOPENSSL_NO_STATIC_ENGINE /Zi /Fdtmp32dll/lib -D_WINDLL -c \usr\local\ssl\fips-2.0\lib/fips_premain.c fips_premain.c link /nologo /subsystem:console /opt:ref /debug /dll /fixed /map /base:0xFB00000 /out:out32dll\libeay32.dll /def:ms/LIBE AY32.def @C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nm293.tmp LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PrivateKey LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PrivateKey_bio LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PublicKey LIBEAY32.def : error LNK2001: unresolved external symbol b2i_PublicKey_bio LIBEAY32.def : error LNK2001: unresolved external symbol i2b_PrivateKey_bio LIBEAY32.def : error LNK2001: unresolved external symbol i2b_PublicKey_bio out32dll\libeay32.lib : fatal error LNK1120: 6 unresolved externals First stage Link failure at \usr\local\ssl\fips-2.0\bin\fipslink.pl line 55. NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x60' Stop. C:\openssl-1.0.2f-fips-complaint> Please help me how to resolve the above errors. Your help is appreciated. With best regards, Ashwini V Patil Siemens Healthcare Private Limited HC SI DC IN H1-FH STD IBP 6 84, Hosur Road Bengaluru 560100, Indien Mobil: +91 9008132565 mailto:ashwini.vpatil at siemens.com Registered Office: 130, Pandurang Budhkar Marg, Worli, Mumbai 400 018. Telephone +91 22 39677000. Fax +91 22 39677075. Other Offices: Bengaluru. Corporate Identity number: U74999MH2015PTC264859 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4469 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 22 12:53:15 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 22 Mar 2016 12:53:15 +0000 Subject: [openssl-dev] [openssl.org #4470] FEATURE: OpenSSL test script for configurations and options In-Reply-To: References: Message-ID: Hi Everyone, Attached is a test script to repeatedly configure, build and test OpenSSL under different configuration options. Options include the usual suspects like "no-asm", "no-ssl2", "no-ssl3" and "no-comp". It also includes other options, like Debug, Release, IPv4 and IPv6. I understand some of the devs have similar scripts Please consider adding the attached script or a similar dev script to the tarball. The script will help the project proactively detect issues, and help it avoid reactive fixes. As the script grows in depth and breadth, OpenSSL will only get stronger. Thanks in advance. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4470 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl-test.tar.gz Type: application/x-gzip Size: 2001 bytes Desc: not available URL: From rt at openssl.org Tue Mar 22 13:20:02 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 22 Mar 2016 13:20:02 +0000 Subject: [openssl-dev] [openssl.org #4470] AutoReply: FEATURE: OpenSSL test script for configurations and options In-Reply-To: References: Message-ID: Updated to fix the additional options, like "-g2 -Os" On Tue, Mar 22, 2016 at 8:53 AM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "FEATURE: OpenSSL test script for configurations and options", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4470]. > > Please include the string: > > [openssl.org #4470] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > > ------------------------------------------------------------------------- > Hi Everyone, > > Attached is a test script to repeatedly configure, build and test > OpenSSL under different configuration options. Options include the > usual suspects like "no-asm", "no-ssl2", "no-ssl3" and "no-comp". It > also includes other options, like Debug, Release, IPv4 and IPv6. > > I understand some of the devs have similar scripts Please consider > adding the attached script or a similar dev script to the tarball. > > The script will help the project proactively detect issues, and help > it avoid reactive fixes. As the script grows in depth and breadth, > OpenSSL will only get stronger. > > Thanks in advance. > > > ------------------------------------------------------------------------- > http://rt.openssl.org/Ticket/Display.html?id=4470&user=guest&pass=guest -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4470 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl-test.tar.gz Type: application/x-gzip Size: 2085 bytes Desc: not available URL: From doctor at doctor.nl2k.ab.ca Tue Mar 22 15:21:39 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Tue, 22 Mar 2016 09:21:39 -0600 Subject: [openssl-dev] Openssl-SNAP-20160322 issue Message-ID: <20160322152138.GA21296@doctor.nl2k.ab.ca> An odd quark just showed up. Whill running make tests is full debug mode, I find that one test is hung up.. 3188 bytes leaked in 219 chunks Using default temp DH parameters ACCEPT How can be of assistance? -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From rt at openssl.org Tue Mar 22 19:40:13 2016 From: rt at openssl.org (Brian Wellington via RT) Date: Tue, 22 Mar 2016 19:40:13 +0000 Subject: [openssl-dev] [openssl.org #4471] 1.1.0-pre4 safestack.h compilation errors with -Wcast-qual In-Reply-To: <558C903B-A05C-4B2C-A29E-065E918D5F56@xbill.org> References: <558C903B-A05C-4B2C-A29E-065E918D5F56@xbill.org> Message-ID: Attempting to compile this program: #include int main(int argc, char **argv) { return 0; } with -Wcast-qual (with both gcc and clang) results in errors like this (repeated a number of times). target/include/openssl/safestack.h:214:1: warning: cast from 'const struct stack_st_OPENSSL_STRING *' to 'struct stack_st *' drops const qualifier [-Wcast-qual] DEFINE_SPECIAL_STACK_OF(OPENSSL_STRING, char) ^ target/include/openssl/safestack.h:186:42: note: expanded from macro 'DEFINE_SPECIAL_STACK_OF' # define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2) ^ target/include/openssl/safestack.h:95:33: note: expanded from macro 'SKM_DEFINE_STACK_OF' return sk_num((_STACK *)sk); \ ^ This doesn?t happen with 1.0.2g. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4471 Please log in as guest with password guest if prompted From uri at ll.mit.edu Tue Mar 22 20:03:07 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 22 Mar 2016 20:03:07 +0000 Subject: [openssl-dev] [openssl.org #4471] 1.1.0-pre4 safestack.h compilation errors with -Wcast-qual In-Reply-To: References: <558C903B-A05C-4B2C-A29E-065E918D5F56@xbill.org> Message-ID: I don?t seem to be able to replicate with either 1.0.2h-dev, or 1.1.0-pre using clang-3.7 and gcc-5.3 (on Mac OS X 10.10.5). Here?s 1.1.0-pre output: $ cat t9.c #include int main(int argc, char **argv) { return 0; } $ gcc -Wcast-qual -I/Users/ur20980/include -o t9 t9.c -L/Users/ur20980/lib -lcrypto $ clang -Wcast-qual -I/Users/ur20980/include -o t9 t9.c -L/Users/ur20980/lib -lcrypto $ clang-mp-3.7 -Wcast-qual -I/Users/ur20980/include -o t9 t9.c -L/Users/ur20980/lib -lcrypto $ -- Regards, Uri Blumenthal On 3/22/16, 15:40 , "openssl-dev on behalf of Brian Wellington via RT" wrote: >Attempting to compile this program: > >#include > >int >main(int argc, char **argv) { > return 0; >} > >with -Wcast-qual (with both gcc and clang) results in errors like this >(repeated a number of times). > >target/include/openssl/safestack.h:214:1: warning: cast from 'const struct > stack_st_OPENSSL_STRING *' to 'struct stack_st *' drops const >qualifier > [-Wcast-qual] >DEFINE_SPECIAL_STACK_OF(OPENSSL_STRING, char) >^ >target/include/openssl/safestack.h:186:42: note: expanded from macro > 'DEFINE_SPECIAL_STACK_OF' ># define DEFINE_SPECIAL_STACK_OF(t1, t2) SKM_DEFINE_STACK_OF(t1, t2, t2) > ^ >target/include/openssl/safestack.h:95:33: note: expanded from macro > 'SKM_DEFINE_STACK_OF' > return sk_num((_STACK *)sk); \ > ^ > >This doesn?t happen with 1.0.2g. > >-- >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4471 >Please log in as guest with password guest if prompted > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From rt at openssl.org Tue Mar 22 21:51:05 2016 From: rt at openssl.org (Michel via RT) Date: Tue, 22 Mar 2016 21:51:05 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> Message-ID: Hi, Here attached is some test data files and a patch against today's git repo to allow for the use of wrap mode using the OpenSSL 'enc' command. The 'raw*.dat' files contains the NIST test vectors, and the '*.ok.enc' the expected encrypted result (base64 encoded with equivalent hexa value). The testwrap.cmds file is a small Windows script (.bat) with tests commands. As mentioned in a previous post, It may not be the best way to achieve this, in which case I would be happy to learn how to do it better. Meanwhile, It is usefull (at least for me :-) to decrypt wrapped symetric keys using OpenSSL 1.1. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: raw128.dat Type: application/octet-stream Size: 16 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: raw192.dat Type: application/octet-stream Size: 24 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: raw256.dat Type: application/octet-stream Size: 32 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wrap-128-128.ok.enc Type: application/octet-stream Size: 105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wrap-128-192.ok.enc Type: application/octet-stream Size: 105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wrap-128-256.ok.enc Type: application/octet-stream Size: 105 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wrap-192-192.ok.enc Type: application/octet-stream Size: 141 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wrap-192-256.ok.enc Type: application/octet-stream Size: 141 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: wrap-256-256.ok.enc Type: application/octet-stream Size: 178 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: enc-wrap-1.1.0.patch Type: application/octet-stream Size: 2050 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: testwrap.cmds Type: application/octet-stream Size: 1897 bytes Desc: not available URL: From rt at openssl.org Tue Mar 22 22:29:35 2016 From: rt at openssl.org (David Benjamin via RT) Date: Tue, 22 Mar 2016 22:29:35 +0000 Subject: [openssl-dev] [openssl.org #4439] poly1305-x86.pl produces incorrect output In-Reply-To: References: <56EF10A4.70304@openssl.org> Message-ID: On Sun, Mar 20, 2016 at 10:47 PM David Benjamin wrote: > On Sun, Mar 20, 2016 at 5:05 PM Andy Polyakov via RT > wrote: > >> No, it doesn't depend on call pattern. Please confirm that attached >> patch solves the problem. Thanks. >> > > (Right, sorry, I meant that the test vectors I have seem to only with > their corresponding call patterns.) > > The patch works on my end, and naively comparing random inputs against a > reference implementation doesn't reveal any other issues. Thanks for fixing > it so quickly! > Andy, there appears to be a typo in the patch. It says defined(extra) rather than defined($extra). It was evaluating a bare word and always using paddq. The $extra version seems to work too, but may I suggest adding some comments here? If I'm understanding correctly, the paddd vs paddq decision is about whether the sum fits in 2^32 rather than needing the full 2^64, right? And you use paddd preferentially over paddq because paddq is slow on Atom? This isn't very clear from "because paddq is "broken" on Atom". It's also no longer next to where $paddx is computed. Moreover, it seems lazy_reduction conditioning on $extra isn't because $extra is in itself significant, but because $extra being set means we are following the tail logic and a horizontal addition, so the bounds don't hold anymore? This could do with a clear comment. Finally, where paddd is used, it's probably worth a comment for why the bounds hold and under what assumptions. I haven't been able to trace through them myself (based on the paper, it looks like the result of the h4 -> h0 carry after the horizontal addition should be bound by 2^26 + 2^26 * 5 * 2 * 5 = 2^26 * 51, but looking in a debugger, it's larger, so clearly I'm missing something), so I can't suggest any particular text. David PS: By the way, this typo would have been caught by use strict. Have you all considered moving perlasm to be use strict clean? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4439 Please log in as guest with password guest if prompted From wrowe at rowe-clan.net Tue Mar 22 23:06:09 2016 From: wrowe at rowe-clan.net (William A Rowe Jr) Date: Tue, 22 Mar 2016 18:06:09 -0500 Subject: [openssl-dev] [openssl-users] Removing some systems In-Reply-To: <8f77f2d4452446c8825cc70057624690@usma1ex-dag1mb1.msg.corp.akamai.com> References: <8f77f2d4452446c8825cc70057624690@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: Just FTR... http://www.osnews.com/story/28933/Blue_Lion_new_OS_2_distribution_due_2016 Not that I'd take that as a mandate to preserve support... We are having the same internal dialog at the ASF httpd project and coming to the same conclusions. On Mar 17, 2016 1:36 PM, "Salz, Rich" wrote: > We are planning on removing the following systems from OpenSSL 1.1: > > Netware > > OS/2 > > > > There are a few reasons for this. In no particular order they include: > these platforms are no longer supported by the vendor; the configurations > and builds have not been testable by the team for years and might not even > work; nobody on the team has access to any of these. > > > > As a hopefully mediating factor, please note that they are still part of > 1.0.2, which we have said is an LTS release with support until 2019. > > > > People interested in supporting any of these systems should look at > building their own configuration with the template system; post on the > openssl-dev list for help. Reducing the footprint and tangle of #ifdef?s > is also very important. > > > > We are also looking at others that are in a similar (although perhaps not > identical) reason and will post here about them. > > > > -- > > Senior Architect, Akamai Technologies > > IM: richsalz at jabber.at Twitter: RichSalz > > > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 23 07:27:08 2016 From: rt at openssl.org (Dr. Matthias St. Pierre via RT) Date: Wed, 23 Mar 2016 07:27:08 +0000 Subject: [openssl-dev] [openssl.org #3676] Resolved: [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: <1E23EFC52F00C649B69F652AFD284ABD378659A3A4@ex07.ncp.local> References: <1E23EFC52F00C649B69F652AFD284ABD3786599BFB@ex07.ncp.local> <1E23EFC52F00C649B69F652AFD284ABD378659A3A4@ex07.ncp.local> Message-ID: > > The fact we don't export the DHparameters item I'd regard as a bug which should be fixed. Will the missing export for DHparameters still be fixed for 1.1? Matthias St. Pierre > -----Urspr?ngliche Nachricht----- > Von: Dr. Matthias St. Pierre via RT [mailto:rt at openssl.org] > Gesendet: Donnerstag, 10. M?rz 2016 00:51 > An: Dr. Matthias St. Pierre > Cc: openssl-dev at openssl.org > Betreff: AW: [openssl.org #3676] Resolved: [PATCH] Export ASN1 templates for DH and ECDH groups > > > According to our records, your request has been resolved. If you have any > > further questions or concerns, please respond to this message. > > Thanks a lot for finally adding the patch. Since our software is not ready for version 1.1 > yet, I can't try it directly with the master, but I will backport it for us to 1.0.2. > > Reviewing the commit everything looks perfect, except for a small omission: You probably > overlooked the changes for exporting the DHparameters. According to Stephen, > > > The fact we don't export the DHparameters item I'd regard as a bug which should be fixed. > > Essentually it's the following changes to dh.h and libcrypto.num (formerly libeay.num), which are > missing: > > include/openssl/dh.h: > ==================== > > +#include > ... > +DECLARE_ASN1_ITEM(DHparams) > > > util/libcrypto.num: > ================== > > +DHparams_it 1_1_0 EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:DH > +DHparams_it 1_1_0 EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:DH > > > > Regards, > Matthias St. Pierre > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 > Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4328 bytes Desc: not available URL: From Miguel.Suarez at stratus.com Wed Mar 23 16:00:33 2016 From: Miguel.Suarez at stratus.com (Suarez, Miguel) Date: Wed, 23 Mar 2016 16:00:33 +0000 Subject: [openssl-dev] 1.0.1t ? Message-ID: Hi Can you tell me when 1.0.1t release or later will be made available with fixes for the following issues (see below). Disabling SSLv2 in a default build will break applications we have released that depended on SSLv2 by default like release 2.2.29 of Apache's httpd. We can change our SSL build but would rather have fixes in an official release. Thanks. https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES;h=d4e9887370c8733885851625a72301bc90275b2d;hb=refs/heads/OpenSSL_1_0_1-stable#l5 2 OpenSSL CHANGES 3 _______________ 4 5 Changes between 1.0.1s and 1.0.1t [xx XXX xxxx] 6 7 *) Remove LOW from the DEFAULT cipher list. This removes singles DES from the 8 default. 9 [Kurt Roeckx] 10 11 *) Only remove the SSLv2 methods with the no-ssl2-method option. When the 12 methods are enabled and ssl2 is disabled the methods return NULL. 13 [Kurt Roeckx] -------------- next part -------------- An HTML attachment was scrubbed... URL: From matt at openssl.org Wed Mar 23 16:36:03 2016 From: matt at openssl.org (Matt Caswell) Date: Wed, 23 Mar 2016 16:36:03 +0000 Subject: [openssl-dev] 1.0.1t ? In-Reply-To: References: Message-ID: <56F2C5F3.8060603@openssl.org> On 23/03/16 16:00, Suarez, Miguel wrote: > Hi > > > > Can you tell me when 1.0.1t release or later will be made available with > fixes for the following issues (see below). 1.0.1t does not currently have a planned release date. Releases are scheduled on an as-needed basis, typically (although not always) as a result of security defects being discovered. We normally only announce a release date for security fixes a few days in advance. Matt > > Disabling SSLv2 in a default build will break applications we have > released that depended on SSLv2 by default like release 2.2.29 of > Apache?s httpd. > > We can change our SSL build but would rather have fixes in an official > release. > > > > Thanks. > > > > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES;h=d4e9887370c8733885851625a72301bc90275b2d;hb=refs/heads/OpenSSL_1_0_1-stable#l5 > > > > 2 OpenSSL CHANGES > > 3 _______________ > > 4 > > 5 Changes between 1.0.1s and 1.0.1t [xx XXX xxxx] > > 6 > > 7 *) Remove LOW from the DEFAULT cipher list. This removes singles > DES from the > > 8 default. > > 9 [Kurt Roeckx] > > 10 > > 11 *) Only remove the SSLv2 methods with the no-ssl2-method option. > When the > > 12 methods are enabled and ssl2 is disabled the methods return NULL. > > 13 [Kurt Roeckx] > > > From rsalz at akamai.com Wed Mar 23 16:47:24 2016 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 23 Mar 2016 16:47:24 +0000 Subject: [openssl-dev] 1.0.1t ? In-Reply-To: <56F2C5F3.8060603@openssl.org> References: <56F2C5F3.8060603@openssl.org> Message-ID: > 1.0.1t does not currently have a planned release date. Releases are > scheduled on an as-needed basis, typically (although not always) as a result > of security defects being discovered. We normally only announce a release > date for security fixes a few days in advance. And note that 1.0.1 is on a security-fixes-only state. > > Disabling SSLv2 in a default build will break applications we have > > released that depended on SSLv2 by default like release 2.2.29 of > > Apache?s httpd. > > > > We can change our SSL build but would rather have fixes in an official > > release. Yes, we broke compatibility in our desire to make sure everyone was "safe" from the attack. Sorry about that; we'll fix it next time a security patch for 1.0.1 comes out. One approach is to look at the branch in our GIT repo's and cherry-pick the fix to your release for now. From glenm at opentext.com Wed Mar 23 17:25:39 2016 From: glenm at opentext.com (Glen Matthews) Date: Wed, 23 Mar 2016 17:25:39 +0000 Subject: [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code Message-ID: <6D4F4080B6BD2B4F9F5955C645671A1FA98ADCE4@otwlxg23.opentext.net> Hi, We're receiving this assertion at the start of negotiating an SSL connection: c:\s\15\src\openssl\build\openssl-1.0.2f\crypto\sha\sha_locl.h(128): OpenSSL internal error, assertion failed: Low level API call to digest SHA1 forbidden in FIPS mode! The last 2 lines of this stack trace shows that we are performing a BIO_read at this point. How can we work around this issue? We're using the self-validated FIPS module and openssl 1.0.2g. glen user32!ZwUserWaitMessage+0xa user32!DialogBox2+0x212 user32!InternalDialogBox+0x132 user32!SoftModalMessageBox+0xee1 user32!MessageBoxWorker+0x2eb user32!MessageBoxTimeoutW+0xba user32!MessageBoxW+0x4e libeay32f!OPENSSL_showfatal+0x25e [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 979] libeay32f!OpenSSLDie+0x22 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 1008] libeay32f!SHA1_Init+0x33 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\sha\sha_locl.h @ 128] libeay32f!EVP_DigestInit_ex+0x269 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 241] libeay32f!EVP_Digest+0x7a [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 359] libeay32f!ASN1_item_digest+0x6a [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\asn1\a_digest.c @ 107] libeay32f!X509_digest+0x44 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x_all.c @ 414] libeay32f!x509v3_cache_extensions+0x43 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 407] libeay32f!X509_check_purpose+0x47 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 134] libeay32f!X509_verify_cert+0x180 [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x509_vfy.c @ 249] ssleay32f!ssl_verify_cert_chain+0x14a [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\ssl_cert.c @ 759] ssleay32f!ssl3_get_server_certificate+0x1bb [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 1255] ssleay32f!ssl3_connect+0x258 [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 345] ssleay32f!ssl23_get_server_hello+0x44a [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 799] ssleay32f!ssl23_connect+0x1f2 [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 228] ssleay32f!ssl23_read+0x44 [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_lib.c @ 134] ssleay32f!ssl_read+0x5e [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\bio_ssl.c @ 167] libeay32f!BIO_read+0xbf [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\bio\bio_lib.c @ 212] hclftpx!CAsyncSslSocketLayer::OnReceive+0x1a8 [c:\s\15\src\montreal\inc\asyncsslsocketlayer.cpp @ 357] -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeremy.farrell at oracle.com Wed Mar 23 19:48:29 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Wed, 23 Mar 2016 19:48:29 +0000 Subject: [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code In-Reply-To: <6D4F4080B6BD2B4F9F5955C645671A1FA98ADCE4@otwlxg23.opentext.net> References: <6D4F4080B6BD2B4F9F5955C645671A1FA98ADCE4@otwlxg23.opentext.net> Message-ID: <56F2F30D.6060207@oracle.com> This is a question about using the OpenSSL libraries; should be in openssl-users, copied and reply-to'd. On 23/03/2016 17:25, Glen Matthews wrote: > > We?re receiving this assertion at the start of negotiating an SSL > connection: > > c:\s\15\src\openssl\build\openssl-1.0.2f\crypto\sha\sha_locl.h(128): > OpenSSL internal error, assertion failed: Low level API call to digest > SHA1 forbidden in FIPS mode! > I notice the assertion message mentions a header from what looks like a 1.0.2f tree, but the references below are all to a 1.0.2g tree. I've no idea if this is relevant to the problem, but I wonder if this is a self-consistent build of the libraries. > The last 2 lines of this stack trace shows that we are performing a > BIO_read at this point. > > How can we work around this issue? We?re using the self-validated FIPS > module and openssl 1.0.2g. > > glen > > user32!ZwUserWaitMessage+0xa > > user32!DialogBox2+0x212 > > user32!InternalDialogBox+0x132 > > user32!SoftModalMessageBox+0xee1 > > user32!MessageBoxWorker+0x2eb > > user32!MessageBoxTimeoutW+0xba > > user32!MessageBoxW+0x4e > > libeay32f!OPENSSL_showfatal+0x25e > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 979] > > libeay32f!OpenSSLDie+0x22 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\cryptlib.c @ 1008] > > libeay32f!SHA1_Init+0x33 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\sha\sha_locl.h @ 128] > > libeay32f!EVP_DigestInit_ex+0x269 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 241] > > libeay32f!EVP_Digest+0x7a > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\evp\digest.c @ 359] > > libeay32f!ASN1_item_digest+0x6a > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\asn1\a_digest.c @ 107] > > libeay32f!X509_digest+0x44 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x_all.c @ 414] > > libeay32f!x509v3_cache_extensions+0x43 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 407] > > libeay32f!X509_check_purpose+0x47 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509v3\v3_purp.c @ 134] > > libeay32f!X509_verify_cert+0x180 > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\x509\x509_vfy.c @ 249] > > ssleay32f!ssl_verify_cert_chain+0x14a > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\ssl_cert.c @ 759] > > ssleay32f!ssl3_get_server_certificate+0x1bb > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 1255] > > ssleay32f!ssl3_connect+0x258 > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s3_clnt.c @ 345] > > ssleay32f!ssl23_get_server_hello+0x44a > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 799] > > ssleay32f!ssl23_connect+0x1f2 > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_clnt.c @ 228] > > ssleay32f!ssl23_read+0x44 > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\s23_lib.c @ 134] > > ssleay32f!ssl_read+0x5e > [c:\s\15\src\openssl\build\openssl-1.0.2g\ssl\bio_ssl.c @ 167] > > libeay32f!BIO_read+0xbf > [c:\s\15\src\openssl\build\openssl-1.0.2g\crypto\bio\bio_lib.c @ 212] > > hclftpx!CAsyncSslSocketLayer::OnReceive+0x1a8 > [c:\s\15\src\montreal\inc\asyncsslsocketlayer.cpp @ 357] > -- J. J. Farrell Not speaking for Oracle. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 23 23:47:20 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Wed, 23 Mar 2016 23:47:20 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: I'm not sure if this is a supported configuration, but I'm guessing there are going to be users in the filed who find themselves in it, like http://stackoverflow.com/q/36188982. Working from the tip of Master... $ export CC=g++ $ ./config ... $ make ... g++ -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c -o crypto/asn1/a_bitstr.o crypto/asn1/a_bitstr.c In file included from crypto/include/internal/cryptlib.h:71:0, from crypto/asn1/a_bitstr.c:59: crypto/asn1/a_bitstr.c: In function ?ASN1_BIT_STRING* c2i_ASN1_BIT_STRING(ASN1_BIT_STRING**, const unsigned char**, long int)?: include/openssl/crypto.h:236:54: error: invalid conversion from ?void*? to ?unsigned char*? [-fpermissive] CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE) ^ crypto/asn1/a_bitstr.c:158:13: note: in expansion of macro ?OPENSSL_malloc? s = OPENSSL_malloc((int)len); ^ crypto/asn1/a_bitstr.c: In function ?int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING*, int, int)?: include/openssl/crypto.h:242:76: error: invalid conversion from ?void*? to ?unsigned char*? [-fpermissive] CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, OPENSSL_LINE) ^ crypto/asn1/a_bitstr.c:206:13: note: in expansion of macro ?OPENSSL_clear_realloc? c = OPENSSL_clear_realloc(a->data, a->length, w + 1); ^ make: *** [crypto/asn1/a_bitstr.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Wed Mar 23 23:53:44 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Wed, 23 Mar 2016 19:53:44 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: <58A35D2B-43A1-48EE-B5C3-15BDEFD7F70A@dukhovni.org> > On Mar 23, 2016, at 7:47 PM, noloader at gmail.com via RT wrote: > > I'm not sure if this is a supported configuration, but I'm guessing > there are going to be users in the filed who find themselves in it, > like http://stackoverflow.com/q/36188982. > > Working from the tip of Master... > > $ export CC=g++ > $ ./config > ... > $ make C is not a subset of C++ and g++ is not a C-compiler. The user would also have problems using a Fortran or Pascal compiler. -- Viktor. From rt at openssl.org Wed Mar 23 23:53:48 2016 From: rt at openssl.org (Viktor Dukhovni via RT) Date: Wed, 23 Mar 2016 23:53:48 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <58A35D2B-43A1-48EE-B5C3-15BDEFD7F70A@dukhovni.org> References: <58A35D2B-43A1-48EE-B5C3-15BDEFD7F70A@dukhovni.org> Message-ID: > On Mar 23, 2016, at 7:47 PM, noloader at gmail.com via RT wrote: > > I'm not sure if this is a supported configuration, but I'm guessing > there are going to be users in the filed who find themselves in it, > like http://stackoverflow.com/q/36188982. > > Working from the tip of Master... > > $ export CC=g++ > $ ./config > ... > $ make C is not a subset of C++ and g++ is not a C-compiler. The user would also have problems using a Fortran or Pascal compiler. -- Viktor. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From onicrypt at gmail.com Wed Mar 23 23:58:49 2016 From: onicrypt at gmail.com (Nich Ramsey) Date: Wed, 23 Mar 2016 16:58:49 -0700 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: maybe ``` export CXX=g++ export CC=gcc ./config ``` will work? On Mar 23, 2016 5:47 PM, "noloader at gmail.com via RT" wrote: > I'm not sure if this is a supported configuration, but I'm guessing > there are going to be users in the filed who find themselves in it, > like http://stackoverflow.com/q/36188982. > > Working from the tip of Master... > > $ export CC=g++ > $ ./config > ... > $ make > ... > > g++ -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c > -o crypto/asn1/a_bitstr.o crypto/asn1/a_bitstr.c > In file included from crypto/include/internal/cryptlib.h:71:0, > from crypto/asn1/a_bitstr.c:59: > crypto/asn1/a_bitstr.c: In function ?ASN1_BIT_STRING* > c2i_ASN1_BIT_STRING(ASN1_BIT_STRING**, const unsigned char**, long > int)?: > include/openssl/crypto.h:236:54: error: invalid conversion from > ?void*? to ?unsigned char*? [-fpermissive] > CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/asn1/a_bitstr.c:158:13: note: in expansion of macro ?OPENSSL_malloc? > s = OPENSSL_malloc((int)len); > ^ > crypto/asn1/a_bitstr.c: In function ?int > ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING*, int, int)?: > include/openssl/crypto.h:242:76: error: invalid conversion from > ?void*? to ?unsigned char*? [-fpermissive] > CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, > OPENSSL_LINE) > > ^ > crypto/asn1/a_bitstr.c:206:13: note: in expansion of macro > ?OPENSSL_clear_realloc? > c = OPENSSL_clear_realloc(a->data, a->length, w + 1); > ^ > make: *** [crypto/asn1/a_bitstr.o] Error 1 > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Wed Mar 23 23:58:59 2016 From: rt at openssl.org (Nich Ramsey via RT) Date: Wed, 23 Mar 2016 23:58:59 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: maybe ``` export CXX=g++ export CC=gcc ./config ``` will work? On Mar 23, 2016 5:47 PM, "noloader at gmail.com via RT" wrote: > I'm not sure if this is a supported configuration, but I'm guessing > there are going to be users in the filed who find themselves in it, > like http://stackoverflow.com/q/36188982. > > Working from the tip of Master... > > $ export CC=g++ > $ ./config > ... > $ make > ... > > g++ -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 > -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM > -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c > -o crypto/asn1/a_bitstr.o crypto/asn1/a_bitstr.c > In file included from crypto/include/internal/cryptlib.h:71:0, > from crypto/asn1/a_bitstr.c:59: > crypto/asn1/a_bitstr.c: In function ?ASN1_BIT_STRING* > c2i_ASN1_BIT_STRING(ASN1_BIT_STRING**, const unsigned char**, long > int)?: > include/openssl/crypto.h:236:54: error: invalid conversion from > ?void*? to ?unsigned char*? [-fpermissive] > CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/asn1/a_bitstr.c:158:13: note: in expansion of macro ?OPENSSL_malloc? > s = OPENSSL_malloc((int)len); > ^ > crypto/asn1/a_bitstr.c: In function ?int > ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING*, int, int)?: > include/openssl/crypto.h:242:76: error: invalid conversion from > ?void*? to ?unsigned char*? [-fpermissive] > CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, > OPENSSL_LINE) > > ^ > crypto/asn1/a_bitstr.c:206:13: note: in expansion of macro > ?OPENSSL_clear_realloc? > c = OPENSSL_clear_realloc(a->data, a->length, w + 1); > ^ > make: *** [crypto/asn1/a_bitstr.o] Error 1 > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 00:01:42 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 24 Mar 2016 00:01:42 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <3FBF3A84-F958-4326-B59F-3A136472387A@openssl.org> References: <3FBF3A84-F958-4326-B59F-3A136472387A@openssl.org> Message-ID: Sure. CXX will (or should) simply be ignored Cheers Richard Nich Ramsey via RT skrev: (24 mars 2016 00:58:59 CET) >maybe > >``` >export CXX=g++ >export CC=gcc >./config >``` >will work? >On Mar 23, 2016 5:47 PM, "noloader at gmail.com via RT" >wrote: > >> I'm not sure if this is a supported configuration, but I'm guessing >> there are going to be users in the filed who find themselves in it, >> like http://stackoverflow.com/q/36188982. >> >> Working from the tip of Master... >> >> $ export CC=g++ >> $ ./config >> ... >> $ make >> ... >> >> g++ -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 >> -DL_ENDIAN -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -c >> -o crypto/asn1/a_bitstr.o crypto/asn1/a_bitstr.c >> In file included from crypto/include/internal/cryptlib.h:71:0, >> from crypto/asn1/a_bitstr.c:59: >> crypto/asn1/a_bitstr.c: In function ?ASN1_BIT_STRING* >> c2i_ASN1_BIT_STRING(ASN1_BIT_STRING**, const unsigned char**, long >> int)?: >> include/openssl/crypto.h:236:54: error: invalid conversion from >> ?void*? to ?unsigned char*? [-fpermissive] >> CRYPTO_malloc(num, OPENSSL_FILE, OPENSSL_LINE) >> ^ >> crypto/asn1/a_bitstr.c:158:13: note: in expansion of macro >?OPENSSL_malloc? >> s = OPENSSL_malloc((int)len); >> ^ >> crypto/asn1/a_bitstr.c: In function ?int >> ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING*, int, int)?: >> include/openssl/crypto.h:242:76: error: invalid conversion from >> ?void*? to ?unsigned char*? [-fpermissive] >> CRYPTO_clear_realloc(addr, old_num, num, OPENSSL_FILE, >> OPENSSL_LINE) >> >> ^ >> crypto/asn1/a_bitstr.c:206:13: note: in expansion of macro >> ?OPENSSL_clear_realloc? >> c = OPENSSL_clear_realloc(a->data, a->length, w + 1); >> ^ >> make: *** [crypto/asn1/a_bitstr.o] Error 1 >> >> >> -- >> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 >> Please log in as guest with password guest if prompted >> >> -- >> openssl-dev mailing list >> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev >> > >-- >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 >Please log in as guest with password guest if prompted > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 00:32:57 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 24 Mar 2016 00:32:57 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: You can link C++ against openssl API because of the extern C wrapper we use. You cannot compile openssl with a C++ compiler. Closing ticket. (The days of "C++ is a better C" went away a long long time ago.) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From noloader at gmail.com Thu Mar 24 01:38:19 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Wed, 23 Mar 2016 21:38:19 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: On Wed, Mar 23, 2016 at 8:32 PM, Rich Salz via RT wrote: > You can link C++ against openssl API because of the extern C wrapper we use. That's what I was on my way to testing. > You cannot compile openssl with a C++ compiler. Closing ticket. (The days of > "C++ is a better C" went away a long long time ago.) I don't want to speak out of turn, but this might be setting up users for years of pain an misery. It might also discard some analysis that could be beneficial to the project. The only problem I have not been able to fix when swapping C++ compiler for a C compiler is code that uses OFFSETOF macro, which it does not appear OpenSSL is using: $ grep -R OFFSETOF * $ Nearly everything else I have encountered is trivially fixed, like the cast. Since the C++ compiler is a better with respect to type safety, it seems like its providing valuable analysis services. I guess to put it another way, discarding it because of colloquial like "C++ is a better C" is cutting off your nose to spite your face. The configuration should only be avoided/abandoned due to technical reasons, and not philosophical principals. Jeff From rt at openssl.org Thu Mar 24 01:38:32 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 01:38:32 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: On Wed, Mar 23, 2016 at 8:32 PM, Rich Salz via RT wrote: > You can link C++ against openssl API because of the extern C wrapper we use. That's what I was on my way to testing. > You cannot compile openssl with a C++ compiler. Closing ticket. (The days of > "C++ is a better C" went away a long long time ago.) I don't want to speak out of turn, but this might be setting up users for years of pain an misery. It might also discard some analysis that could be beneficial to the project. The only problem I have not been able to fix when swapping C++ compiler for a C compiler is code that uses OFFSETOF macro, which it does not appear OpenSSL is using: $ grep -R OFFSETOF * $ Nearly everything else I have encountered is trivially fixed, like the cast. Since the C++ compiler is a better with respect to type safety, it seems like its providing valuable analysis services. I guess to put it another way, discarding it because of colloquial like "C++ is a better C" is cutting off your nose to spite your face. The configuration should only be avoided/abandoned due to technical reasons, and not philosophical principals. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 02:16:42 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 24 Mar 2016 02:16:42 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > The configuration should only be avoided/abandoned due to technical > reasons, and not philosophical principals. Lack of resources and interest. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From noloader at gmail.com Thu Mar 24 04:38:27 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 24 Mar 2016 00:38:27 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Wed, Mar 23, 2016 at 10:16 PM, Salz, Rich via RT wrote: > >> The configuration should only be avoided/abandoned due to technical >> reasons, and not philosophical principals. > > Lack of resources and interest. I can understand lack of resources. Lack of interest can be dealt with in the engineering process. Place a quality gate, and make the code pass through it. I'd wager folks will take interest if/when it blocks a release. Quality and security gates are placed to improve the code. That's why projects take the time to ensure the code compiles cleanly under reasonable warnings, passes testing under tools like Sanitizers and Valgrind, passes Covertity analysis, etc. I'm guessing all end users and most other folks will appreciate them. Jeff From rt at openssl.org Thu Mar 24 04:38:39 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 04:38:39 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Wed, Mar 23, 2016 at 10:16 PM, Salz, Rich via RT wrote: > >> The configuration should only be avoided/abandoned due to technical >> reasons, and not philosophical principals. > > Lack of resources and interest. I can understand lack of resources. Lack of interest can be dealt with in the engineering process. Place a quality gate, and make the code pass through it. I'd wager folks will take interest if/when it blocks a release. Quality and security gates are placed to improve the code. That's why projects take the time to ensure the code compiles cleanly under reasonable warnings, passes testing under tools like Sanitizers and Valgrind, passes Covertity analysis, etc. I'm guessing all end users and most other folks will appreciate them. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Thu Mar 24 04:52:17 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 24 Mar 2016 00:52:17 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> > On Mar 24, 2016, at 12:38 AM, noloader at gmail.com via RT wrote: > > I can understand lack of resources. > > Lack of interest can be dealt with in the engineering process. Place a > quality gate, and make the code pass through it. I'd wager folks will > take interest if/when it blocks a release. Lack of relevance. C++ is NOT C. There many subtle and not so subtle differences. OpenSSL is written in C. Use a C compiler. -- Viktor. From rt at openssl.org Thu Mar 24 04:52:24 2016 From: rt at openssl.org (Viktor Dukhovni via RT) Date: Thu, 24 Mar 2016 04:52:24 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> Message-ID: > On Mar 24, 2016, at 12:38 AM, noloader at gmail.com via RT wrote: > > I can understand lack of resources. > > Lack of interest can be dealt with in the engineering process. Place a > quality gate, and make the code pass through it. I'd wager folks will > take interest if/when it blocks a release. Lack of relevance. C++ is NOT C. There many subtle and not so subtle differences. OpenSSL is written in C. Use a C compiler. -- Viktor. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From noloader at gmail.com Thu Mar 24 05:08:19 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 24 Mar 2016 01:08:19 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> Message-ID: On Thu, Mar 24, 2016 at 12:52 AM, Viktor Dukhovni wrote: > >> On Mar 24, 2016, at 12:38 AM, noloader at gmail.com via RT wrote: >> >> I can understand lack of resources. >> >> Lack of interest can be dealt with in the engineering process. Place a >> quality gate, and make the code pass through it. I'd wager folks will >> take interest if/when it blocks a release. > > Lack of relevance. C++ is NOT C. There many subtle and not so subtle > differences. OpenSSL is written in C. Use a C compiler. 'make -k' is telling me its a little more than (ir)relevance. I see some stuff going on that's not allowed in C++, but its dodgy in C. For example: crypto/asn1/asn_mime.c: In function ?ASN1_VALUE* SMIME_read_ASN1(BIO*, BIO**, const ASN1_ITEM*)?: crypto/asn1/asn_mime.c:432:53: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] if ((hdr = mime_hdr_find(headers, "content-type")) == NULL ^ crypto/asn1/asn_mime.c:443:46: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] prm = mime_param_find(hdr, "boundary"); ^ crypto/asn1/asn_mime.c:468:57: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] if ((hdr = mime_hdr_find(headers, "content-type")) == NULL In the absence of a compensating control to catch these kinds of mistakes, maybe the project should consider a modern C++ compiler as a quality gate. Jeff From rt at openssl.org Thu Mar 24 05:08:29 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 05:08:29 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> Message-ID: On Thu, Mar 24, 2016 at 12:52 AM, Viktor Dukhovni wrote: > >> On Mar 24, 2016, at 12:38 AM, noloader at gmail.com via RT wrote: >> >> I can understand lack of resources. >> >> Lack of interest can be dealt with in the engineering process. Place a >> quality gate, and make the code pass through it. I'd wager folks will >> take interest if/when it blocks a release. > > Lack of relevance. C++ is NOT C. There many subtle and not so subtle > differences. OpenSSL is written in C. Use a C compiler. 'make -k' is telling me its a little more than (ir)relevance. I see some stuff going on that's not allowed in C++, but its dodgy in C. For example: crypto/asn1/asn_mime.c: In function ?ASN1_VALUE* SMIME_read_ASN1(BIO*, BIO**, const ASN1_ITEM*)?: crypto/asn1/asn_mime.c:432:53: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] if ((hdr = mime_hdr_find(headers, "content-type")) == NULL ^ crypto/asn1/asn_mime.c:443:46: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] prm = mime_param_find(hdr, "boundary"); ^ crypto/asn1/asn_mime.c:468:57: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] if ((hdr = mime_hdr_find(headers, "content-type")) == NULL In the absence of a compensating control to catch these kinds of mistakes, maybe the project should consider a modern C++ compiler as a quality gate. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From zj at zakjan.cz Thu Mar 24 06:41:40 2016 From: zj at zakjan.cz (=?UTF-8?B?SmFuIMW9w6Fr?=) Date: Thu, 24 Mar 2016 10:41:40 +0400 Subject: [openssl-dev] Master thesis: implementation of a new ciphersuite into OpenSSL -- feedback wanted Message-ID: Hi, Last year I successfully finished my Master studies at Czech Technical University by a thesis defense about implementing a new CAESAR ciphersuite (specifically with NORX, but not restricted to it) into OpenSSL. I was supervised by prof. Wu Hongjun from Nangyang Technological University, Singapore, a member of CAESAR comitee. https://dl.dropboxusercontent.com/u/433404/DP_Zak_Jan_2015.pdf I'd be really grateful for a feedback from any member of this mailing list. Sincerely, Jan Zak -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Thu Mar 24 07:23:46 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 24 Mar 2016 07:23:46 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: Vid Ons, 23 Mar 2016 kl. 23.47.19, skrev noloader at gmail.com: > I'm not sure if this is a supported configuration, but I'm guessing > there are going to be users in the filed who find themselves in it, > like http://stackoverflow.com/q/36188982. The actual issue there is that we haven't wrapped ossl_typ.h with 'extern "C"'... That should be fixed. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From noloader at gmail.com Thu Mar 24 07:36:22 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 24 Mar 2016 03:36:22 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: On Thu, Mar 24, 2016 at 3:23 AM, Richard Levitte via RT wrote: > Vid Ons, 23 Mar 2016 kl. 23.47.19, skrev noloader at gmail.com: >> I'm not sure if this is a supported configuration, but I'm guessing >> there are going to be users in the filed who find themselves in it, >> like http://stackoverflow.com/q/36188982. > > The actual issue there is that we haven't wrapped ossl_typ.h with 'extern > "C"'... That should be fixed. If that's the case, then this might be helpful: $ find $PWD -name '*.h' -print | xargs grep -iL 'extern "C"' | egrep 'include/openssl' /home/jwalton/openssl/include/openssl/__decc_include_prologue.h /home/jwalton/openssl/include/openssl/__decc_include_epilogue.h /home/jwalton/openssl/include/openssl/obj_mac.h /home/jwalton/openssl/include/openssl/ecdh.h /home/jwalton/openssl/include/openssl/symhacks.h /home/jwalton/openssl/include/openssl/ecdsa.h Jeff From rt at openssl.org Thu Mar 24 07:36:37 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 07:36:37 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: On Thu, Mar 24, 2016 at 3:23 AM, Richard Levitte via RT wrote: > Vid Ons, 23 Mar 2016 kl. 23.47.19, skrev noloader at gmail.com: >> I'm not sure if this is a supported configuration, but I'm guessing >> there are going to be users in the filed who find themselves in it, >> like http://stackoverflow.com/q/36188982. > > The actual issue there is that we haven't wrapped ossl_typ.h with 'extern > "C"'... That should be fixed. If that's the case, then this might be helpful: $ find $PWD -name '*.h' -print | xargs grep -iL 'extern "C"' | egrep 'include/openssl' /home/jwalton/openssl/include/openssl/__decc_include_prologue.h /home/jwalton/openssl/include/openssl/__decc_include_epilogue.h /home/jwalton/openssl/include/openssl/obj_mac.h /home/jwalton/openssl/include/openssl/ecdh.h /home/jwalton/openssl/include/openssl/symhacks.h /home/jwalton/openssl/include/openssl/ecdsa.h Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 07:41:56 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Thu, 24 Mar 2016 07:41:56 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: Vid Thu, 24 Mar 2016 kl. 07.23.46, skrev levitte: > Vid Ons, 23 Mar 2016 kl. 23.47.19, skrev noloader at gmail.com: > > I'm not sure if this is a supported configuration, but I'm guessing > > there are going to be users in the filed who find themselves in it, > > like http://stackoverflow.com/q/36188982. > > The actual issue there is that we haven't wrapped ossl_typ.h with 'extern > "C"'... That should be fixed. That was incorrect, btw. We do. However, the issue is still with a C++ program that includes our header files and gets errors from it. It has nothing to do with building OpenSSL using a C++ compiler. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From noloader at gmail.com Thu Mar 24 07:57:57 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 24 Mar 2016 03:57:57 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: On Thu, Mar 24, 2016 at 3:41 AM, Richard Levitte via RT wrote: > Vid Thu, 24 Mar 2016 kl. 07.23.46, skrev levitte: >> Vid Ons, 23 Mar 2016 kl. 23.47.19, skrev noloader at gmail.com: >> > I'm not sure if this is a supported configuration, but I'm guessing >> > there are going to be users in the filed who find themselves in it, >> > like http://stackoverflow.com/q/36188982. >> >> The actual issue there is that we haven't wrapped ossl_typ.h with 'extern >> "C"'... That should be fixed. > > That was incorrect, btw. We do. > > However, the issue is still with a C++ program that includes our header files > and gets errors from it. It has nothing to do with building OpenSSL using a C++ > compiler. OK, thanks. I also noticed 'make test' does not respect a CC override: ./config CC=clang make ... CC=clang++ make test Is it being tested? If so, how is it being tested (I'd like to verify the results)? Jeff From rt at openssl.org Thu Mar 24 07:58:00 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 07:58:00 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: On Thu, Mar 24, 2016 at 3:41 AM, Richard Levitte via RT wrote: > Vid Thu, 24 Mar 2016 kl. 07.23.46, skrev levitte: >> Vid Ons, 23 Mar 2016 kl. 23.47.19, skrev noloader at gmail.com: >> > I'm not sure if this is a supported configuration, but I'm guessing >> > there are going to be users in the filed who find themselves in it, >> > like http://stackoverflow.com/q/36188982. >> >> The actual issue there is that we haven't wrapped ossl_typ.h with 'extern >> "C"'... That should be fixed. > > That was incorrect, btw. We do. > > However, the issue is still with a C++ program that includes our header files > and gets errors from it. It has nothing to do with building OpenSSL using a C++ > compiler. OK, thanks. I also noticed 'make test' does not respect a CC override: ./config CC=clang make ... CC=clang++ make test Is it being tested? If so, how is it being tested (I'd like to verify the results)? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From levitte at openssl.org Thu Mar 24 08:00:24 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 24 Mar 2016 09:00:24 +0100 (CET) Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: <20160324.090024.797990354000943596.levitte@openssl.org> [responding ONLY to openssl-dev, since the ticket is closed] In message on Thu, 24 Mar 2016 07:36:37 +0000, "noloader at gmail.com via RT" said: rt> If that's the case, then this might be helpful: rt> rt> $ find $PWD -name '*.h' -print | xargs grep -iL 'extern "C"' | egrep rt> 'include/openssl' rt> /home/jwalton/openssl/include/openssl/__decc_include_prologue.h rt> /home/jwalton/openssl/include/openssl/__decc_include_epilogue.h Those two are specific for VMS C and contain #pragmas only. rt> /home/jwalton/openssl/include/openssl/obj_mac.h Contains #define only rt> /home/jwalton/openssl/include/openssl/ecdh.h Contains #include only rt> /home/jwalton/openssl/include/openssl/symhacks.h Contains #undef and #define only rt> /home/jwalton/openssl/include/openssl/ecdsa.h Contains #include only It seems to me that those files are safe. Thanks for checking this out! Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From levitte at openssl.org Thu Mar 24 08:11:01 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 24 Mar 2016 09:11:01 +0100 (CET) Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: Message-ID: <20160324.091101.1696641818322623817.levitte@openssl.org> In message on Thu, 24 Mar 2016 03:57:57 -0400, Jeffrey Walton said: noloader> I also noticed 'make test' does not respect a CC override: Really? noloader> ./config CC=clang How did you get that to work? I get this: : ; ./config CC=clang Operating system: x86_64-whatever-linux2 Configuring for linux-x86_64 Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) target already defined - linux-x86_64 (offending arg: CC=clang) noloader> make noloader> ... noloader> CC=clang++ make test You might want to try this: make CC=clang++ test noloader> Is it being tested? If so, how is it being tested (I'd like to verify noloader> the results)? No, we have no test where we intermix C and C++ in our builds. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Thu Mar 24 08:20:07 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 24 Mar 2016 04:20:07 -0400 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <20160324.091101.1696641818322623817.levitte@openssl.org> References: <20160324.091101.1696641818322623817.levitte@openssl.org> Message-ID: > You might want to try this: > > make CC=clang++ test Doh, you're right. That's why I used 'export CC=clang++' in the first place. http://www.youtube.com/watch?v=dO37Ql91qqM > noloader> Is it being tested? If so, how is it being tested (I'd like to verify > noloader> the results)? > > No, we have no test where we intermix C and C++ in our builds. OK, thanks. So I guess I should ask... Is using OpenSSL in a C++ program supported configuration? I think the answer is yes because of the 'extern "C"', but it never hurts to ask. Jeff From levitte at openssl.org Thu Mar 24 08:29:18 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 24 Mar 2016 09:29:18 +0100 (CET) Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: <20160324.091101.1696641818322623817.levitte@openssl.org> Message-ID: <20160324.092918.1479265409125220218.levitte@openssl.org> In message on Thu, 24 Mar 2016 04:20:07 -0400, Jeffrey Walton said: noloader> > You might want to try this: noloader> > noloader> > make CC=clang++ test noloader> noloader> Doh, you're right. That's why I used 'export CC=clang++' in the first place. I suppose you have noticed how that deteriorates, btw. I actually made an attempt, just for kicks... In file included from test/asynctest.c:62: include/../apps/apps.h:160:59: error: expected ')' BIO *bio_open_owner(const char *filename, int format, int private); ^ include/../apps/apps.h:160:20: note: to match this '(' BIO *bio_open_owner(const char *filename, int format, int private); ^ This isn't going to be "fixed". noloader> So I guess I should ask... Is using OpenSSL in a C++ program supported noloader> configuration? Linking C++ programs with OpenSSL libraries is supported. Including OpenSSL header files in C++ programs is supported. Building OpenSSL with a C++ compiler is not supported. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Thu Mar 24 09:27:50 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 24 Mar 2016 09:27:50 +0000 Subject: [openssl-dev] [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <4a8ed49c453d474fbc8152b148f1be28@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20160324.091101.1696641818322623817.levitte@openssl.org> <4a8ed49c453d474fbc8152b148f1be28@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > So I guess I should ask... Is using OpenSSL in a C++ program supported > configuration? Sure, as much as anything is "supported" in an open source project. That's not a flip answer. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4473 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 09:32:56 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 09:32:56 +0000 Subject: [openssl-dev] [openssl.org #4441] AutoReply: Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: This turned out to be a kernel bug. The userland crypto interface was known to have some problems, and the kernel checked in changes to the 2.6 kernel in January 2016. Distro's were cherry picking them for 2.8-4.5, but some needed ones got missed (q.v.). According to and comment 3 at https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1556562: Please try this test kernel: http://kernel.ubuntu.com/~kamal/lp1556562.0/ (For reference, this is 4.2.0-35.40 plus backports of these mainline commits:) 6454c2b crypto: algif_skcipher - Do not dereference ctx without socket lock ec69bbf crypto: algif_skcipher - Do not assume that req is unchanged 6e8d8ec crypto: algif_skcipher - Add key check exception for cipher_null a1383cd crypto: skcipher - Add crypto_skcipher_has_setkey Close this bug. On Thu, Mar 17, 2016 at 7:47 PM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "Re: VIA C7-D processor: Hang in 30-test_afalg.t", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4441]. > > Please include the string: > > [openssl.org #4441] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4441 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 11:42:05 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 11:42:05 +0000 Subject: [openssl-dev] [openssl.org #4474] Overflow optimizations being taken by GCC In-Reply-To: References: Message-ID: $ ./config -Wstrict-overflow ... $ make ... crypto/asn1/a_strex.c: In function ?do_print_ex.constprop.3?: crypto/asn1/a_strex.c:385:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (len < 0) ^ crypto/asn1/a_strex.c:385:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] crypto/asn1/a_strex.c:404:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (len < 0) ^ crypto/asn1/a_strex.c:413:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (do_buf(str->data, str->length, type, flags, NULL, io_ch, arg) < 0) ^ crypto/asn1/a_strex.c: In function ?do_print_ex.constprop.4?: crypto/asn1/a_strex.c:385:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (len < 0) ^ crypto/asn1/a_strex.c:385:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] crypto/asn1/a_strex.c:404:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (len < 0) ^ crypto/asn1/a_strex.c:413:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (do_buf(str->data, str->length, type, flags, NULL, io_ch, arg) < 0) crypto/bio/b_print.c:716:15: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] while (fplace > 0) { ^ crypto/bn/bn_exp.c:377:13: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] for (i = 0; i < j; i++) { ^ crypto/bn/bn_exp.c: In function ?BN_mod_exp_mont?: crypto/bn/bn_exp.c:541:13: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] for (i = 0; i < j; i++) { ^ crypto/bn/bn_exp.c: In function ?BN_mod_exp_simple?: crypto/bn/bn_exp.c:1433:13: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] for (i = 0; i < j; i++) { ^ crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] for (p = ts; p < ts + len; p++) ^ crypto/ocsp/ocsp_prn.c: In function ?OCSP_cert_status_str?: crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] for (p = ts; p < ts + len; p++) ^ crypto/ocsp/ocsp_prn.c: In function ?OCSP_crl_reason_str?: crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] for (p = ts; p < ts + len; p++) ^ crypto/ocsp/ocsp_prn.c: In function ?OCSP_response_status_str?: crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] for (p = ts; p < ts + len; p++) ^ crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] crypto/ocsp/ocsp_prn.c: In function ?OCSP_cert_status_str?: crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] for (p = ts; p < ts + len; p++) ^ crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] crypto/ocsp/ocsp_prn.c: In function ?OCSP_crl_reason_str?: crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] for (p = ts; p < ts + len; p++) ^ crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] crypto/ocsp/ocsp_prn.c:96:5: warning: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Wstrict-overflow] ssl/ssl_lib.c:4023:50: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (ct_extract_tls_extension_scts(s) < 0 || ^ apps/ca.c:619:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (!selfsign) ^ apps/ca.c:758:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (i == -1) { ^ apps/ca.c:1955:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (!notext) ^ apps/dhparam.c:248:18: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (dsaparam && g) { ^ apps/genpkey.c:207:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (do_param) ^ apps/srp.c:643:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (errors != 0) ^ apps/srp.c:643:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] apps/srp.c:647:8: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (verbose) ^ apps/srp.c:632:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (verbose) ^ apps/srp.c:627:12: warning: assuming signed overflow does not occur when simplifying conditional to constant [-Wstrict-overflow] if (verbose) ^ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4474 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 13:03:47 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 24 Mar 2016 13:03:47 +0000 Subject: [openssl-dev] [openssl.org #4441] Re: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: Kernel bug; closing as requested. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4441 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 14:53:09 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 24 Mar 2016 14:53:09 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> Message-ID: I did the trivial conversion to Unix shell and run the script. At the end, which files are supposed to compare to be identical? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From rsalz at akamai.com Thu Mar 24 15:13:24 2016 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 24 Mar 2016 15:13:24 +0000 Subject: [openssl-dev] [openssl.org #3676] Resolved: [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: References: <1E23EFC52F00C649B69F652AFD284ABD3786599BFB@ex07.ncp.local> <1E23EFC52F00C649B69F652AFD284ABD378659A3A4@ex07.ncp.local> Message-ID: > Will the missing export for DHparameters still be fixed for 1.1? It was: commit 599eccfcbf8d77eb7c89b6338fdc39a7531a9f82 Author: Rich Salz Date: Wed Mar 9 20:56:43 2016 -0500 From rt at openssl.org Thu Mar 24 15:13:36 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 24 Mar 2016 15:13:36 +0000 Subject: [openssl-dev] [openssl.org #3676] Resolved: [PATCH] Export ASN1 templates for DH and ECDH groups In-Reply-To: References: <1E23EFC52F00C649B69F652AFD284ABD3786599BFB@ex07.ncp.local> <1E23EFC52F00C649B69F652AFD284ABD378659A3A4@ex07.ncp.local> Message-ID: > Will the missing export for DHparameters still be fixed for 1.1? It was: commit 599eccfcbf8d77eb7c89b6338fdc39a7531a9f82 Author: Rich Salz Date: Wed Mar 9 20:56:43 2016 -0500 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3676 Please log in as guest with password guest if prompted From michel.sales at free.fr Thu Mar 24 17:46:50 2016 From: michel.sales at free.fr (Michel) Date: Thu, 24 Mar 2016 18:46:50 +0100 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> Message-ID: <002401d185f5$26857fe0$73907fa0$@sales@free.fr> Hi Rich, Thanks for your interest in this matter. the 3 'raw128*.dec' should be the same as 'raw128.dat' the 2 'raw192*.dec' should be the same as 'raw192.dat' and finally, 'raw256-256.dec' should be the same as 'raw256.dat'. FYI I will soon report a new/updated patch with other bugs and oddities fixes for the enc command. I am still testing them, but in a few hours it should be ready. Regards, Michel. -----Message d'origine----- De : Rich Salz via RT [mailto:rt at openssl.org] Envoy? : jeudi 24 mars 2016 15:53 ? : michel.sales at free.fr Cc : openssl-dev at openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command I did the trivial conversion to Unix shell and run the script. At the end, which files are supposed to compare to be identical? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 17:47:21 2016 From: rt at openssl.org (Michel via RT) Date: Thu, 24 Mar 2016 17:47:21 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <002401d185f5$26857fe0$73907fa0$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <002401d185f5$26857fe0$73907fa0$@sales@free.fr> Message-ID: Hi Rich, Thanks for your interest in this matter. the 3 'raw128*.dec' should be the same as 'raw128.dat' the 2 'raw192*.dec' should be the same as 'raw192.dat' and finally, 'raw256-256.dec' should be the same as 'raw256.dat'. FYI I will soon report a new/updated patch with other bugs and oddities fixes for the enc command. I am still testing them, but in a few hours it should be ready. Regards, Michel. -----Message d'origine----- De : Rich Salz via RT [mailto:rt at openssl.org] Envoy? : jeudi 24 mars 2016 15:53 ? : michel.sales at free.fr Cc : openssl-dev at openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command I did the trivial conversion to Unix shell and run the script. At the end, which files are supposed to compare to be identical? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From dnsands at sandia.gov Thu Mar 24 17:55:38 2016 From: dnsands at sandia.gov (Sands, Daniel) Date: Thu, 24 Mar 2016 17:55:38 +0000 Subject: [openssl-dev] [EXTERNAL] Re: [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> Message-ID: <1458842180.17024.6.camel@sandia.gov> On Thu, 2016-03-24 at 01:08 -0400, Jeffrey Walton wrote: Lack of relevance. C++ is NOT C. There many subtle and not so subtle differences. OpenSSL is written in C. Use a C compiler. 'make -k' is telling me its a little more than (ir)relevance. I see some stuff going on that's not allowed in C++, but its dodgy in C. For example: crypto/asn1/asn_mime.c: In function ?ASN1_VALUE* SMIME_read_ASN1(BIO*, BIO**, const ASN1_ITEM*)?: crypto/asn1/asn_mime.c:432:53: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] if ((hdr = mime_hdr_find(headers, "content-type")) == NULL ^ crypto/asn1/asn_mime.c:443:46: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] prm = mime_param_find(hdr, "boundary"); ^ crypto/asn1/asn_mime.c:468:57: warning: deprecated conversion from string constant to ?char*? [-Wwrite-strings] if ((hdr = mime_hdr_find(headers, "content-type")) == NULL In the absence of a compensating control to catch these kinds of mistakes, maybe the project should consider a modern C++ compiler as a quality gate. Just a note about this particular issue: It's not unique to C++. Even the C standard proscribes use of character string constants as char*'s. And with the appropriate -W's, even gcc will warn you about such use. With another -W that I can't be bothered to look up at the moment, it will even warn you that explicit casts from const x to x are taboo, since your constant may be optimized in a way that conflicts with your attempted use. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jeremy.farrell at oracle.com Thu Mar 24 18:28:27 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Thu, 24 Mar 2016 18:28:27 +0000 Subject: [openssl-dev] [EXTERNAL] Re: [openssl.org #4473] Compile errors when compiling with C++ compiler In-Reply-To: <1458842180.17024.6.camel@sandia.gov> References: <1ea73bc6f32a4be4b0e58e8f0a19de64@usma1ex-dag1mb1.msg.corp.akamai.com> <27EBFC60-178A-4DA2-9C3B-7E3CB0D8DE11@dukhovni.org> <1458842180.17024.6.camel@sandia.gov> Message-ID: <56F431CB.2010500@oracle.com> On 24/03/2016 17:55, Sands, Daniel wrote: > On Thu, 2016-03-24 at 01:08 -0400, Jeffrey Walton wrote: >> I see >> some stuff going on that's not allowed in C++, but its dodgy in C. For >> example: >> >> crypto/asn1/asn_mime.c: In function ?ASN1_VALUE* SMIME_read_ASN1(BIO*, >> BIO**, const ASN1_ITEM*)?: >> crypto/asn1/asn_mime.c:432:53: warning: deprecated conversion from >> string constant to ?char*? [-Wwrite-strings] >> if ((hdr = mime_hdr_find(headers, "content-type")) == NULL >> ^ >> In the absence of a compensating control to catch these kinds of >> mistakes, maybe the project should consider a modern C++ compiler as a >> quality gate. >> > Just a note about this particular issue: It's not unique to C++. > Even the C standard proscribes use of character string constants as > char*'s. That's not correct. In C string literals are static arrays of items of type char, so char* is appropriate to access them. They have the added ugly restriction that attempting to modify them results in undefined behaviour, which does not exactly match their type. They were not defined as arrays of const char to be more easily compatible with pre-existing library APIs. > And with the appropriate -W's, even gcc will warn you about such use. Just in case you're code might be using them to modify the literal. > With another -W that I can't be bothered to look up at the moment, it > will even warn you that explicit casts from const x to x are taboo, > since your constant may be optimized in a way that conflicts with your > attempted use. -- J. J. Farrell Not speaking for Oracle -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Thu Mar 24 18:35:38 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Thu, 24 Mar 2016 18:35:38 +0000 Subject: [openssl-dev] [openssl.org #4475] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: References: Message-ID: This clears what looks to be hundreds of alignment related warnings like below. $ git diff include/openssl/lhash.h diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index 2edd738..5da5054 100644 --- a/include/openssl/lhash.h +++ b/include/openssl/lhash.h @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO *out); # define LHASH_OF(type) struct lhash_st_##type # define DEFINE_LHASH_OF(type) \ - LHASH_OF(type) { int dummy; }; \ + LHASH_OF(type) { unsigned long dummy; }; \ static ossl_inline LHASH_OF(type) * \ lh_##type##_new(unsigned long (*hfn)(const type *), \ int (*cfn)(const type *, const type *)) \ ********** cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DNDEBUG -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -g2 -O3 -Wcast-align -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/aes/aes_ige.d.tmp -MT crypto/aes/aes_ige.o -c -o crypto/aes/aes_ige.o crypto/aes/aes_ige.c In file included from crypto/aes/aes_ige.c:51: In file included from crypto/include/internal/cryptlib.h:74: In file included from include/openssl/err.h:123: include/openssl/lhash.h:265:1: warning: cast from 'struct lhash_st_OPENSSL_STRING *' to '_LHASH *' (aka 'struct lhash_st *') increases required alignment from 4 to 8 [-Wcast-align] DEFINE_LHASH_OF(OPENSSL_STRING); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/openssl/lhash.h:193:17: note: expanded from macro 'DEFINE_LHASH_OF' lh_free((_LHASH *)lh); \ ^~~~~~~~~~~~ include/openssl/lhash.h:265:1: warning: cast from 'struct lhash_st_OPENSSL_STRING *' to '_LHASH *' (aka 'struct lhash_st *') increases required alignment from 4 to 8 [-Wcast-align] DEFINE_LHASH_OF(OPENSSL_STRING); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ include/openssl/lhash.h:197:34: note: expanded from macro 'DEFINE_LHASH_OF' return (type *)lh_insert((_LHASH *)lh, d); \ ^~~~~~~~~~~~ -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4475 Please log in as guest with password guest if prompted From rsalz at akamai.com Thu Mar 24 18:41:28 2016 From: rsalz at akamai.com (Salz, Rich) Date: Thu, 24 Mar 2016 18:41:28 +0000 Subject: [openssl-dev] PATCH: fix cast-alignment of "struct lhash_st *" Message-ID: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> This looks like a good change. > This clears what looks to be hundreds of alignment related warnings like > below. > > $ git diff include/openssl/lhash.h > diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index > 2edd738..5da5054 100644 > --- a/include/openssl/lhash.h > +++ b/include/openssl/lhash.h > @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO > *out); # define LHASH_OF(type) struct lhash_st_##type > > # define DEFINE_LHASH_OF(type) \ > - LHASH_OF(type) { int dummy; }; \ > + LHASH_OF(type) { unsigned long dummy; }; \ > static ossl_inline LHASH_OF(type) * \ > lh_##type##_new(unsigned long (*hfn)(const type *), \ > int (*cfn)(const type *, const type *)) \ Does changing it to "void *dummy" also work? From rt at openssl.org Thu Mar 24 18:41:34 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 24 Mar 2016 18:41:34 +0000 Subject: [openssl-dev] [openssl.org #4476] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> References: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: This looks like a good change. > This clears what looks to be hundreds of alignment related warnings like > below. > > $ git diff include/openssl/lhash.h > diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index > 2edd738..5da5054 100644 > --- a/include/openssl/lhash.h > +++ b/include/openssl/lhash.h > @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO > *out); # define LHASH_OF(type) struct lhash_st_##type > > # define DEFINE_LHASH_OF(type) \ > - LHASH_OF(type) { int dummy; }; \ > + LHASH_OF(type) { unsigned long dummy; }; \ > static ossl_inline LHASH_OF(type) * \ > lh_##type##_new(unsigned long (*hfn)(const type *), \ > int (*cfn)(const type *, const type *)) \ Does changing it to "void *dummy" also work? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4476 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Thu Mar 24 18:55:25 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Thu, 24 Mar 2016 18:55:25 +0000 Subject: [openssl-dev] [openssl.org #4476] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: References: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <20160324185525.GM6602@mournblade.imrryr.org> On Thu, Mar 24, 2016 at 06:41:34PM +0000, Salz, Rich via RT wrote: > This looks like a good change. > > > This clears what looks to be hundreds of alignment related warnings like > > below. > > > > $ git diff include/openssl/lhash.h > > diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index > > 2edd738..5da5054 100644 > > --- a/include/openssl/lhash.h > > +++ b/include/openssl/lhash.h > > @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO > > *out); # define LHASH_OF(type) struct lhash_st_##type > > > > # define DEFINE_LHASH_OF(type) \ > > - LHASH_OF(type) { int dummy; }; \ > > + LHASH_OF(type) { unsigned long dummy; }; \ > > static ossl_inline LHASH_OF(type) * \ > > lh_##type##_new(unsigned long (*hfn)(const type *), \ > > int (*cfn)(const type *, const type *)) \ > > Does changing it to "void *dummy" also work? Not necessarily. A union might be more comprehensive. LHASH_OF(type) { union { void *v; unsigned long long ull; uint64_t u64; long double ld; } u; }; using whatever types we're sure to have on all supported platforms. -- Viktor. From rt at openssl.org Thu Mar 24 19:02:48 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 24 Mar 2016 19:02:48 +0000 Subject: [openssl-dev] [openssl.org #4475] RE: [openssl.org #4476] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: <5b44350e5ae34c2db085cdc2670c7a80@usma1ex-dag1mb1.msg.corp.akamai.com> References: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> <20160324185525.GM6602@mournblade.imrryr.org> <5b44350e5ae34c2db085cdc2670c7a80@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: > Not necessarily. A union might be more comprehensive. Better point :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4475 Please log in as guest with password guest if prompted From noloader at gmail.com Thu Mar 24 19:04:06 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Thu, 24 Mar 2016 15:04:06 -0400 Subject: [openssl-dev] [openssl.org #4476] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: <20160324185525.GM6602@mournblade.imrryr.org> References: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> <20160324185525.GM6602@mournblade.imrryr.org> Message-ID: >> > $ git diff include/openssl/lhash.h >> > diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index >> > 2edd738..5da5054 100644 >> > --- a/include/openssl/lhash.h >> > +++ b/include/openssl/lhash.h >> > @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO >> > *out); # define LHASH_OF(type) struct lhash_st_##type >> > >> > # define DEFINE_LHASH_OF(type) \ >> > - LHASH_OF(type) { int dummy; }; \ >> > + LHASH_OF(type) { unsigned long dummy; }; \ >> > static ossl_inline LHASH_OF(type) * \ >> > lh_##type##_new(unsigned long (*hfn)(const type *), \ >> > int (*cfn)(const type *, const type *)) \ >> >> Does changing it to "void *dummy" also work? > > Not necessarily. A union might be more comprehensive. > > LHASH_OF(type) { > union { > void *v; > unsigned long long ull; > uint64_t u64; > long double ld; > } u; > }; > > using whatever types we're sure to have on all supported platforms. Yeah, that might be better. I looked at "struct lhash_st" prior to testing, and it looked like the largest member was a pointer and an unsigned long. Sine the alignment complaint needed something to move things to 8 bytes and the int was already present, unsigned long seemed like a good choice. I'm not sure about the long double, but the larger alignment demand should be OK. For example, Apple always gives you a 16-byte aligned pointer (http://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/malloc.3.html), so using a 4-byte int does not save much in practice since its 16-byte aligned, too. Whatever you decide, there's a fair amount of low hanging fruit to be picked with -Wcast-align. Jeff From rt at openssl.org Thu Mar 24 19:06:00 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Thu, 24 Mar 2016 19:06:00 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <002401d185f5$26857fe0$73907fa0$@sales@free.fr> Message-ID: > the 3 'raw128*.dec' should be the same as 'raw128.dat' > the 2 'raw192*.dec' should be the same as 'raw192.dat' > and finally, 'raw256-256.dec' should be the same as 'raw256.dat'. And not surprisingly, all the tests pass :) I will make this work with our perl-based test framework. > FYI I will soon report a new/updated patch with other bugs and oddities fixes > for the enc command. > I am still testing them, but in a few hours it should be ready. Open a new ticket. Or better yet a GitHub pull request if you can do that :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From michel.sales at free.fr Thu Mar 24 22:12:02 2016 From: michel.sales at free.fr (Michel) Date: Thu, 24 Mar 2016 23:12:02 +0100 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <002401d185f5$26857fe0$73907fa0$@sales@free.fr> Message-ID: <003a01d1861a$31feaa20$95fbfe60$@sales@free.fr> > I will make this work with our perl-based test framework. Whaooooo, I will feel like a member of your gang now ! ;-) From rt at openssl.org Thu Mar 24 22:12:30 2016 From: rt at openssl.org (Michel via RT) Date: Thu, 24 Mar 2016 22:12:30 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <003a01d1861a$31feaa20$95fbfe60$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <002401d185f5$26857fe0$73907fa0$@sales@free.fr> <003a01d1861a$31feaa20$95fbfe60$@sales@free.fr> Message-ID: > I will make this work with our perl-based test framework. Whaooooo, I will feel like a member of your gang now ! ;-) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 24 23:48:24 2016 From: rt at openssl.org (Michel via RT) Date: Thu, 24 Mar 2016 23:48:24 +0000 Subject: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes In-Reply-To: <003b01d18627$983a5020$c8aef060$@sales@free.fr> References: <003b01d18627$983a5020$c8aef060$@sales@free.fr> Message-ID: Hi, While I was at it (allowing wrap/unwrap mode), I finally decided to remedy some unnecessary restrictions of the 'enc' command. The general idea is to allow to decrypt a file using the original passphrase even when it is not internally salted (hence produced by another software), in which case the salt must be supplied as an argument (along with the same iteration count). I also added support for PKCS5 v2. The previous behavior of the command is not modified. I didn't work on the AEAD ciphers problem as I know someone else applied for this job. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4477 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: enc-fixes_v2-1.1.0.patch Type: application/octet-stream Size: 11178 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: test_enc.cmds Type: application/octet-stream Size: 3070 bytes Desc: not available URL: From uri at ll.mit.edu Fri Mar 25 00:14:41 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Fri, 25 Mar 2016 00:14:41 +0000 Subject: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes Message-ID: <20160325001450.18296912.68087.59795@ll.mit.edu> Please consider that position vacant! ;) I've no idea when I manage to get it (AEAD in enc) done, if at all. Sent?from?my?BlackBerry?10?smartphone?on?the Verizon?Wireless?4G?LTE?network. ? Original Message ? From: Michel via RT Sent: Thursday, March 24, 2016 19:48 Reply To: rt at openssl.org Cc: openssl-dev at openssl.org Subject: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes Hi, While I was at it (allowing wrap/unwrap mode), I finally decided to remedy some unnecessary restrictions of the 'enc' command. The general idea is to allow to decrypt a file using the original passphrase even when it is not internally salted (hence produced by another software), in which case the salt must be supplied as an argument (along with the same iteration count). I also added support for PKCS5 v2. The previous behavior of the command is not modified. I didn't work on the AEAD ciphers problem as I know someone else applied for this job. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4477 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4350 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 07:21:09 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 07:21:09 +0000 Subject: [openssl-dev] [openssl.org #4478] DOCUMENTATION: PKCS12_newpass In-Reply-To: References: Message-ID: Some of PKCS#12 is documented, others are not. This adds missing documentation for PKCS12_newpass. The documentation should be placed at "doc/crypto/PKCS12_newpass.pod". The full test program for EXAMPLE is attached. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4478 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: PKCS12_newpass.pod Type: application/octet-stream Size: 2635 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: test.cc Type: application/octet-stream Size: 1103 bytes Desc: not available URL: From noloader at gmail.com Fri Mar 25 08:04:07 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 04:04:07 -0400 Subject: [openssl-dev] [openssl.org #4476] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: <20160324185525.GM6602@mournblade.imrryr.org> References: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> <20160324185525.GM6602@mournblade.imrryr.org> Message-ID: >> > $ git diff include/openssl/lhash.h >> > diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index >> > 2edd738..5da5054 100644 >> > --- a/include/openssl/lhash.h >> > +++ b/include/openssl/lhash.h >> > @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO >> > *out); # define LHASH_OF(type) struct lhash_st_##type >> > >> > # define DEFINE_LHASH_OF(type) \ >> > - LHASH_OF(type) { int dummy; }; \ >> > + LHASH_OF(type) { unsigned long dummy; }; \ >> > static ossl_inline LHASH_OF(type) * \ >> > lh_##type##_new(unsigned long (*hfn)(const type *), \ >> > int (*cfn)(const type *, const type *)) \ >> >> Does changing it to "void *dummy" also work? > > Not necessarily. A union might be more comprehensive. > > LHASH_OF(type) { > union { > void *v; > unsigned long long ull; > uint64_t u64; > long double ld; > } u; > }; $ git diff include/openssl/lhash.h diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index 2edd738..b097b88 100644 --- a/include/openssl/lhash.h +++ b/include/openssl/lhash.h @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO *out); # define LHASH_OF(type) struct lhash_st_##type # define DEFINE_LHASH_OF(type) \ - LHASH_OF(type) { int dummy; }; \ + LHASH_OF(type) { union { void* dummy1; unsigned long dummy2; }; }; \ static ossl_inline LHASH_OF(type) * \ lh_##type##_new(unsigned long (*hfn)(const type *), \ int (*cfn)(const type *, const type *)) \ Tested OK under i686, x86_64, ARM32 and ARM64. Original code with -Wcast-align (not a typo): $ grep warning -c openssl-build.txt 34180 Modified with the union and -Wcast-align: $ grep warning -c openssl-build.txt 228 That's a lot of bang for the buck... Jeff From noloader at gmail.com Fri Mar 25 09:08:51 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 05:08:51 -0400 Subject: [openssl-dev] AF_ALG engine support and kernel versions In-Reply-To: References: Message-ID: > Looking at the code in engines/afalg/e_afalg.c, there is the following: > > ... > #define K_MAJ 4 > #define K_MIN1 1 > #define K_MIN2 0 > #if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) > # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0" > # warning "Skipping Compilation of AFALG engine" > #else > ... > > It appears AF_ALG was added to the kernel at 2.6.38. Asynchronous I/O > support appears to have surfaced in the kernel at 2.5.23. > > Where is the requirement for 4.1 coming from? > > Also, "Fixing asynchronous I/O, again", dated January 2016 > (http://lwn.net/Articles/671649/) could explain why later 4.x kernels > are having problems with the afalgtest. I think this has to do with the asynchronous cipher support. Its just a guess because I can't seem to find any information on it. CHANGES talks about "ASYNC support" between 1.0.2 and 1.1.1, but it does not discuss AF_ALG. Its not clear to me were the supporting kernel versions begin or end. It appears asynchronous cipher stuff is still being cut-in. This meesage is from two weeks ago: "[PATCH v3] crypto: af_alg - add async support to algif_aead", http://marc.info/?l=linux-crypto-vger&m=145772613405482. Jeff From michel.sales at free.fr Fri Mar 25 10:03:05 2016 From: michel.sales at free.fr (Michel) Date: Fri, 25 Mar 2016 11:03:05 +0100 Subject: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes In-Reply-To: <20160325001450.18296912.68087.59795@ll.mit.edu> References: <20160325001450.18296912.68087.59795@ll.mit.edu> Message-ID: <000c01d1867d$86832270$93896750$@sales@free.fr> Hi Mr. Blumenthal, I believed there is someone else who should have almost finished at this time : https://mta.openssl.org/pipermail/openssl-dev/2016-January/004034.html Regards, Michel. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Blumenthal, Uri - 0553 - MITLL Envoy??: vendredi 25 mars 2016 01:15 ??: openssl-dev Objet?: Re: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes Please consider that position vacant! ;) I've no idea when I manage to get it (AEAD in enc) done, if at all. From rt at openssl.org Fri Mar 25 10:21:58 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 10:21:58 +0000 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: Working from Master at 7793e17440539b71 on OS X 10.8. Also see http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. $ KERNEL_BITS=64 ./config shared no-asm -ansi ... $ make -k ... cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/async/arch/async_null.d.tmp -MT crypto/async/arch/async_null.o -c -o crypto/async/arch/async_null.o crypto/async/arch/async_null.c In file included from crypto/async/arch/async_null.c:54: In file included from crypto/async/arch/../async_locl.h:69: crypto/async/arch/../arch/async_posix.h:77:8: error: unknown type name 'inline' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ crypto/async/arch/../arch/async_posix.h:77:15: error: expected identifier or '(' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ 2 errors generated. Makefile:1240: recipe for target 'crypto/async/arch/async_null.o' failed cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/async/arch/async_win.d.tmp -MT crypto/async/arch/async_win.o -c -o crypto/async/arch/async_win.o crypto/async/arch/async_win.c In file included from crypto/async/arch/async_win.c:54: In file included from crypto/async/arch/../async_locl.h:69: crypto/async/arch/../arch/async_posix.h:77:8: error: unknown type name 'inline' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ crypto/async/arch/../arch/async_posix.h:77:15: error: expected identifier or '(' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ 2 errors generated. Makefile:1256: recipe for target 'crypto/async/arch/async_win.o' failed make: *** [crypto/async/arch/async_win.o] Error 1 cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/async/async.d.tmp -MT crypto/async/async.o -c -o crypto/async/async.o crypto/async/async.c In file included from crypto/async/async.c:62: In file included from crypto/async/async_locl.h:69: crypto/async/arch/async_posix.h:77:8: error: unknown type name 'inline' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ crypto/async/arch/async_posix.h:77:15: error: expected identifier or '(' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ crypto/async/async.c:202:14: warning: implicit declaration of function 'async_fibre_swapcontext' [-Wimplicit-function-declaration] if (!async_fibre_swapcontext(&job->fibrectx, ^ 1 warning and 2 errors generated. Makefile:1264: recipe for target 'crypto/async/async.o' failed make: *** [crypto/async/async.o] Error 1 cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/async/async_err.d.tmp -MT crypto/async/async_err.o -c -o crypto/async/async_err.o crypto/async/async_err.c cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/async/async_wait.d.tmp -MT crypto/async/async_wait.o -c -o crypto/async/async_wait.o crypto/async/async_wait.c In file included from crypto/async/async_wait.c:54: In file included from crypto/async/async_locl.h:69: crypto/async/arch/async_posix.h:77:8: error: unknown type name 'inline' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ crypto/async/arch/async_posix.h:77:15: error: expected identifier or '(' static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) ^ 2 errors generated. Makefile:1280: recipe for target 'crypto/async/async_wait.o' failed make: *** [crypto/async/async_wait.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4479 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 10:29:40 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 10:29:40 +0000 Subject: [openssl-dev] [openssl.org #4480] Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: Working from Master at 7793e17440539b71 on Ubuntu 14 machine. Also see http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. $ ./config shared no-asm -ansi ... $ make -k ... gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/asn1/ameth_lib.d.tmp -MT crypto/asn1/ameth_lib.o -c -o crypto/asn1/ameth_lib.o crypto/asn1/ameth_lib.c crypto/asn1/ameth_lib.c: In function ?EVP_PKEY_asn1_find_str?: crypto/asn1/ameth_lib.c:217:13: warning: implicit declaration of function ?strncasecmp? [-Wimplicit-function-declaration] && (strncasecmp(ameth->pem_str, str, len) == 0)) ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/bio/b_addr.d.tmp -MT crypto/bio/b_addr.o -c -o crypto/bio/b_addr.o crypto/bio/b_addr.c crypto/bio/b_addr.c: In function ?BIO_lookup?: crypto/bio/b_addr.c:770:17: warning: implicit declaration of function ?hstrerror? [-Wimplicit-function-declaration] ERR_add_error_data(1, hstrerror(h_errno)); ^ crypto/bio/b_addr.c:690:13: warning: unused variable ?gai_ret? [-Wunused-variable] int gai_ret = 0; ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/bio/bss_bio.d.tmp -MT crypto/bio/bss_bio.o -c -o crypto/bio/bss_bio.o crypto/bio/bss_bio.c In file included from include/openssl/bio.h:61:0, from crypto/bio/bss_bio.c:68: crypto/bio/bss_bio.c: In function ?bio_nread?: include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first use in this function) # define OSSL_SSIZE_MAX SSIZE_MAX ^ crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? if (num_ > OSSL_SSIZE_MAX) ^ include/openssl/e_os2.h:267:26: note: each undeclared identifier is reported only once for each function it appears in # define OSSL_SSIZE_MAX SSIZE_MAX ^ crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? if (num_ > OSSL_SSIZE_MAX) ^ crypto/bio/bss_bio.c: In function ?bio_nwrite?: include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first use in this function) # define OSSL_SSIZE_MAX SSIZE_MAX ^ crypto/bio/bss_bio.c:445:16: note: in expansion of macro ?OSSL_SSIZE_MAX? if (num_ > OSSL_SSIZE_MAX) ^ make: *** [crypto/bio/bss_bio.o] Error 1 gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c In file included from /usr/include/netdb.h:27:0, from ./e_os.h:443, from crypto/bio/bio_lcl.h:2, from crypto/bio/bss_dgram.c:62: crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no member named ?s6_addr32? && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) ^ crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no member named ?s6_addr32? && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) ^ crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no member named ?s6_addr32? && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) ^ crypto/bio/bss_dgram.c: In function ?dgram_ctrl?: crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no member named ?s6_addr32? && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) ^ crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no member named ?s6_addr32? && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) ^ crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no member named ?s6_addr32? && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) ^ make: *** [crypto/bio/bss_dgram.o] Error 1 gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/conf/conf_lib.d.tmp -MT crypto/conf/conf_lib.o -c -o crypto/conf/conf_lib.o crypto/conf/conf_lib.c crypto/conf/conf_lib.c: In function ?OPENSSL_INIT_set_config_filename?: crypto/conf/conf_lib.c:395:5: warning: implicit declaration of function ?strdup? [-Wimplicit-function-declaration] settings->config_name = config_file == NULL ? NULL : strdup(config_file); ^ crypto/conf/conf_lib.c:395:56: warning: pointer/integer type mismatch in conditional expression [enabled by default] settings->config_name = config_file == NULL ? NULL : strdup(config_file); ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/conf/conf_sap.d.tmp -MT crypto/conf/conf_sap.o -c -o crypto/conf/conf_sap.o crypto/conf/conf_sap.c crypto/conf/conf_sap.c: In function ?OPENSSL_config?: crypto/conf/conf_sap.c:82:9: warning: implicit declaration of function ?strdup? [-Wimplicit-function-declaration] settings.config_name = strdup(config_name); ^ crypto/conf/conf_sap.c:82:30: warning: assignment makes pointer from integer without a cast [enabled by default] settings.config_name = strdup(config_name); ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/engine/tb_asnmth.d.tmp -MT crypto/engine/tb_asnmth.o -c -o crypto/engine/tb_asnmth.o crypto/engine/tb_asnmth.c crypto/engine/tb_asnmth.c: In function ?ENGINE_get_pkey_asn1_meth_str?: crypto/engine/tb_asnmth.c:195:13: warning: implicit declaration of function ?strncasecmp? [-Wimplicit-function-declaration] && strncasecmp(ameth->pem_str, str, len) == 0) ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/rand/randfile.d.tmp -MT crypto/rand/randfile.o -c -o crypto/rand/randfile.o crypto/rand/randfile.c crypto/rand/randfile.c: In function ?RAND_write_file?: crypto/rand/randfile.c:222:13: warning: implicit declaration of function ?fdopen? [-Wimplicit-function-declaration] out = fdopen(fd, "wb"); ^ crypto/rand/randfile.c:222:17: warning: assignment makes pointer from integer without a cast [enabled by default] out = fdopen(fd, "wb"); ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/threads_pthread.d.tmp -MT crypto/threads_pthread.o -c -o crypto/threads_pthread.o crypto/threads_pthread.c In file included from crypto/threads_pthread.c:50:0: crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_new?: crypto/threads_pthread.c:57:49: error: ?pthread_rwlock_t? undeclared (first use in this function) CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); ^ include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) ^ crypto/threads_pthread.c:57:49: note: each undeclared identifier is reported only once for each function it appears in CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); ^ include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) ^ crypto/threads_pthread.c:61:5: warning: implicit declaration of function ?pthread_rwlock_init? [-Wimplicit-function-declaration] if (pthread_rwlock_init(lock, NULL) != 0) { ^ crypto/threads_pthread.c: In function ?CRYPTO_THREAD_read_lock?: crypto/threads_pthread.c:71:5: warning: implicit declaration of function ?pthread_rwlock_rdlock? [-Wimplicit-function-declaration] if (pthread_rwlock_rdlock(lock) != 0) ^ crypto/threads_pthread.c: In function ?CRYPTO_THREAD_write_lock?: crypto/threads_pthread.c:79:5: warning: implicit declaration of function ?pthread_rwlock_wrlock? [-Wimplicit-function-declaration] if (pthread_rwlock_wrlock(lock) != 0) ^ crypto/threads_pthread.c: In function ?CRYPTO_THREAD_unlock?: crypto/threads_pthread.c:87:5: warning: implicit declaration of function ?pthread_rwlock_unlock? [-Wimplicit-function-declaration] if (pthread_rwlock_unlock(lock) != 0) ^ crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_free?: crypto/threads_pthread.c:98:5: warning: implicit declaration of function ?pthread_rwlock_destroy? [-Wimplicit-function-declaration] pthread_rwlock_destroy(lock); ^ make: *** [crypto/threads_pthread.o] Error 1 gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/ui/ui_openssl.d.tmp -MT crypto/ui/ui_openssl.o -c -o crypto/ui/ui_openssl.o crypto/ui/ui_openssl.c crypto/ui/ui_openssl.c:270:25: error: array type has incomplete element type static struct sigaction savsig[NX509_SIG]; ^ crypto/ui/ui_openssl.c: In function ?open_console?: crypto/ui/ui_openssl.c:483:5: warning: implicit declaration of function ?fileno? [-Wimplicit-function-declaration] if (TTY_get(fileno(tty_in), &tty_orig) == -1) { ^ crypto/ui/ui_openssl.c: In function ?pushsig?: crypto/ui/ui_openssl.c:584:22: error: storage size of ?sa? isn?t known struct sigaction sa; ^ crypto/ui/ui_openssl.c:612:9: warning: implicit declaration of function ?sigaction? [-Wimplicit-function-declaration] sigaction(i, &sa, &savsig[i]); ^ crypto/ui/ui_openssl.c:584:22: warning: unused variable ?sa? [-Wunused-variable] struct sigaction sa; ^ crypto/ui/ui_openssl.c: At top level: crypto/ui/ui_openssl.c:270:25: warning: ?savsig? defined but not used [-Wunused-variable] static struct sigaction savsig[NX509_SIG]; ^ make: *** [crypto/ui/ui_openssl.o] Error 1 gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/x509v3/v3_ncons.d.tmp -MT crypto/x509v3/v3_ncons.o -c -o crypto/x509v3/v3_ncons.o crypto/x509v3/v3_ncons.c crypto/x509v3/v3_ncons.c: In function ?nc_dns?: crypto/x509v3/v3_ncons.c:392:5: warning: implicit declaration of function ?strcasecmp? [-Wimplicit-function-declaration] if (strcasecmp(baseptr, dnsptr)) ^ crypto/x509v3/v3_ncons.c: In function ?nc_uri?: crypto/x509v3/v3_ncons.c:472:13: warning: implicit declaration of function ?strncasecmp? [-Wimplicit-function-declaration] if (strncasecmp(p, baseptr, base->length) == 0) ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/x509v3/v3_utl.d.tmp -MT crypto/x509v3/v3_utl.o -c -o crypto/x509v3/v3_utl.o crypto/x509v3/v3_utl.c crypto/x509v3/v3_utl.c: In function ?wildcard_match?: crypto/x509v3/v3_utl.c:774:9: warning: implicit declaration of function ?strncasecmp? [-Wimplicit-function-declaration] subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0) ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/bio_ssl.d.tmp -MT ssl/bio_ssl.o -c -o ssl/bio_ssl.o ssl/bio_ssl.c In file included from ssl/bio_ssl.c:65:0: ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type struct timeval next_timeout; ^ gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/d1_lib.d.tmp -MT ssl/d1_lib.o -c -o ssl/d1_lib.o ssl/d1_lib.c In file included from ssl/d1_lib.c:63:0: ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type struct timeval next_timeout; ^ make: *** [ssl/d1_lib.o] Error 1 gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/ssl_conf.d.tmp -MT ssl/ssl_conf.o -c -o ssl/ssl_conf.o ssl/ssl_conf.c In file included from ssl/ssl_conf.c:59:0: ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type struct timeval next_timeout; ^ ssl/ssl_conf.c: In function ?ssl_match_option?: ssl/ssl_conf.c:194:16: warning: implicit declaration of function ?strncasecmp? [-Wimplicit-function-declaration] || strncasecmp(tbl->name, name, namelen)) ^ ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 11:35:34 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 11:35:34 +0000 Subject: [openssl-dev] [openssl.org #4481] Re: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: It looks like the defines of interest here to use inline are: $ cc -ansi -dM -E - ansi.txt $ cc -dM -E - no-ansi.txt $ diff ansi.txt no-ansi.txt 65d64 < #define __GNUC_GNU_INLINE__ 1 67a67 > #define __GNUC_STDC_INLINE__ 1 140a141 > #define __STDC_VERSION__ 199901L 142d142 < #define __STRICT_ANSI__ 1 On Fri, Mar 25, 2016 at 6:21 AM, Jeffrey Walton wrote: > Working from Master at 7793e17440539b71 on OS X 10.8. Also see > http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. > > $ KERNEL_BITS=64 ./config shared no-asm -ansi > ... > $ make -k > ... > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch > x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/async/arch/async_null.d.tmp -MT > crypto/async/arch/async_null.o -c -o crypto/async/arch/async_null.o > crypto/async/arch/async_null.c > In file included from crypto/async/arch/async_null.c:54: > In file included from crypto/async/arch/../async_locl.h:69: > crypto/async/arch/../arch/async_posix.h:77:8: error: unknown type name 'inline' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > crypto/async/arch/../arch/async_posix.h:77:15: error: expected identifier or '(' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > 2 errors generated. > Makefile:1240: recipe for target 'crypto/async/arch/async_null.o' failed > > > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch > x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/async/arch/async_win.d.tmp -MT > crypto/async/arch/async_win.o -c -o crypto/async/arch/async_win.o > crypto/async/arch/async_win.c > In file included from crypto/async/arch/async_win.c:54: > In file included from crypto/async/arch/../async_locl.h:69: > crypto/async/arch/../arch/async_posix.h:77:8: error: unknown type name 'inline' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > crypto/async/arch/../arch/async_posix.h:77:15: error: expected identifier or '(' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > 2 errors generated. > Makefile:1256: recipe for target 'crypto/async/arch/async_win.o' failed > make: *** [crypto/async/arch/async_win.o] Error 1 > > > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch > x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/async/async.d.tmp -MT crypto/async/async.o -c -o > crypto/async/async.o crypto/async/async.c > In file included from crypto/async/async.c:62: > In file included from crypto/async/async_locl.h:69: > crypto/async/arch/async_posix.h:77:8: error: unknown type name 'inline' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > crypto/async/arch/async_posix.h:77:15: error: expected identifier or '(' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > crypto/async/async.c:202:14: warning: implicit declaration of function > 'async_fibre_swapcontext' [-Wimplicit-function-declaration] > if (!async_fibre_swapcontext(&job->fibrectx, > ^ > 1 warning and 2 errors generated. > Makefile:1264: recipe for target 'crypto/async/async.o' failed > make: *** [crypto/async/async.o] Error 1 > > > > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch > x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/async/async_err.d.tmp -MT crypto/async/async_err.o -c > -o crypto/async/async_err.o crypto/async/async_err.c > cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch > x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include > -MMD -MF crypto/async/async_wait.d.tmp -MT crypto/async/async_wait.o > -c -o crypto/async/async_wait.o crypto/async/async_wait.c > In file included from crypto/async/async_wait.c:54: > In file included from crypto/async/async_locl.h:69: > crypto/async/arch/async_posix.h:77:8: error: unknown type name 'inline' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > crypto/async/arch/async_posix.h:77:15: error: expected identifier or '(' > static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) > ^ > 2 errors generated. > Makefile:1280: recipe for target 'crypto/async/async_wait.o' failed > make: *** [crypto/async/async_wait.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4481 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 11:39:03 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 11:39:03 +0000 Subject: [openssl-dev] [openssl.org #4480] AutoReply: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: It looks like the defines of interest here to use inline are: $ gcc -ansi -dM -E - ansi.txt $ gcc -dM -E - no-ansi.txt $ diff ansi.txt no-ansi.txt 147a148 > #define linux 1 193d193 < #define __STRICT_ANSI__ 1 228a229 > #define unix 1 > Working from Master at 7793e17440539b71 on Ubuntu 14 machine. Also see > http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. > > $ ./config shared no-asm -ansi > ... > $ make -k > ... > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/asn1/ameth_lib.d.tmp -MT crypto/asn1/ameth_lib.o -c -o > crypto/asn1/ameth_lib.o crypto/asn1/ameth_lib.c > crypto/asn1/ameth_lib.c: In function ?EVP_PKEY_asn1_find_str?: > crypto/asn1/ameth_lib.c:217:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > && (strncasecmp(ameth->pem_str, str, len) == 0)) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/b_addr.d.tmp -MT crypto/bio/b_addr.o -c -o > crypto/bio/b_addr.o crypto/bio/b_addr.c > crypto/bio/b_addr.c: In function ?BIO_lookup?: > crypto/bio/b_addr.c:770:17: warning: implicit declaration of function > ?hstrerror? [-Wimplicit-function-declaration] > ERR_add_error_data(1, hstrerror(h_errno)); > ^ > crypto/bio/b_addr.c:690:13: warning: unused variable ?gai_ret? > [-Wunused-variable] > int gai_ret = 0; > ^ > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_bio.d.tmp -MT crypto/bio/bss_bio.o -c -o > crypto/bio/bss_bio.o crypto/bio/bss_bio.c > In file included from include/openssl/bio.h:61:0, > from crypto/bio/bss_bio.c:68: > crypto/bio/bss_bio.c: In function ?bio_nread?: > include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first > use in this function) > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > include/openssl/e_os2.h:267:26: note: each undeclared identifier is > reported only once for each function it appears in > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > crypto/bio/bss_bio.c: In function ?bio_nwrite?: > include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first > use in this function) > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:445:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > make: *** [crypto/bio/bss_bio.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o > crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c > In file included from /usr/include/netdb.h:27:0, > from ./e_os.h:443, > from crypto/bio/bio_lcl.h:2, > from crypto/bio/bss_dgram.c:62: > crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c: In function ?dgram_ctrl?: > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > make: *** [crypto/bio/bss_dgram.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/conf/conf_lib.d.tmp -MT crypto/conf/conf_lib.o -c -o > crypto/conf/conf_lib.o crypto/conf/conf_lib.c > crypto/conf/conf_lib.c: In function ?OPENSSL_INIT_set_config_filename?: > crypto/conf/conf_lib.c:395:5: warning: implicit declaration of > function ?strdup? [-Wimplicit-function-declaration] > settings->config_name = config_file == NULL ? NULL : strdup(config_file); > ^ > crypto/conf/conf_lib.c:395:56: warning: pointer/integer type mismatch > in conditional expression [enabled by default] > settings->config_name = config_file == NULL ? NULL : strdup(config_file); > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/conf/conf_sap.d.tmp -MT crypto/conf/conf_sap.o -c -o > crypto/conf/conf_sap.o crypto/conf/conf_sap.c > crypto/conf/conf_sap.c: In function ?OPENSSL_config?: > crypto/conf/conf_sap.c:82:9: warning: implicit declaration of function > ?strdup? [-Wimplicit-function-declaration] > settings.config_name = strdup(config_name); > ^ > crypto/conf/conf_sap.c:82:30: warning: assignment makes pointer from > integer without a cast [enabled by default] > settings.config_name = strdup(config_name); > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/engine/tb_asnmth.d.tmp -MT crypto/engine/tb_asnmth.o -c -o > crypto/engine/tb_asnmth.o crypto/engine/tb_asnmth.c > crypto/engine/tb_asnmth.c: In function ?ENGINE_get_pkey_asn1_meth_str?: > crypto/engine/tb_asnmth.c:195:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > && strncasecmp(ameth->pem_str, str, len) == 0) > ^ > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/rand/randfile.d.tmp -MT crypto/rand/randfile.o -c -o > crypto/rand/randfile.o crypto/rand/randfile.c > crypto/rand/randfile.c: In function ?RAND_write_file?: > crypto/rand/randfile.c:222:13: warning: implicit declaration of > function ?fdopen? [-Wimplicit-function-declaration] > out = fdopen(fd, "wb"); > ^ > crypto/rand/randfile.c:222:17: warning: assignment makes pointer from > integer without a cast [enabled by default] > out = fdopen(fd, "wb"); > ^ > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/threads_pthread.d.tmp -MT crypto/threads_pthread.o -c -o > crypto/threads_pthread.o crypto/threads_pthread.c > In file included from crypto/threads_pthread.c:50:0: > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_new?: > crypto/threads_pthread.c:57:49: error: ?pthread_rwlock_t? undeclared > (first use in this function) > CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); > ^ > include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? > CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/threads_pthread.c:57:49: note: each undeclared identifier is > reported only once for each function it appears in > CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); > ^ > include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? > CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/threads_pthread.c:61:5: warning: implicit declaration of > function ?pthread_rwlock_init? [-Wimplicit-function-declaration] > if (pthread_rwlock_init(lock, NULL) != 0) { > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_read_lock?: > crypto/threads_pthread.c:71:5: warning: implicit declaration of > function ?pthread_rwlock_rdlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_rdlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_write_lock?: > crypto/threads_pthread.c:79:5: warning: implicit declaration of > function ?pthread_rwlock_wrlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_wrlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_unlock?: > crypto/threads_pthread.c:87:5: warning: implicit declaration of > function ?pthread_rwlock_unlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_unlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_free?: > crypto/threads_pthread.c:98:5: warning: implicit declaration of > function ?pthread_rwlock_destroy? [-Wimplicit-function-declaration] > pthread_rwlock_destroy(lock); > ^ > make: *** [crypto/threads_pthread.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/ui/ui_openssl.d.tmp -MT crypto/ui/ui_openssl.o -c -o > crypto/ui/ui_openssl.o crypto/ui/ui_openssl.c > crypto/ui/ui_openssl.c:270:25: error: array type has incomplete element type > static struct sigaction savsig[NX509_SIG]; > ^ > crypto/ui/ui_openssl.c: In function ?open_console?: > crypto/ui/ui_openssl.c:483:5: warning: implicit declaration of > function ?fileno? [-Wimplicit-function-declaration] > if (TTY_get(fileno(tty_in), &tty_orig) == -1) { > ^ > crypto/ui/ui_openssl.c: In function ?pushsig?: > crypto/ui/ui_openssl.c:584:22: error: storage size of ?sa? isn?t known > struct sigaction sa; > ^ > crypto/ui/ui_openssl.c:612:9: warning: implicit declaration of > function ?sigaction? [-Wimplicit-function-declaration] > sigaction(i, &sa, &savsig[i]); > ^ > crypto/ui/ui_openssl.c:584:22: warning: unused variable ?sa? [-Wunused-variable] > struct sigaction sa; > ^ > crypto/ui/ui_openssl.c: At top level: > crypto/ui/ui_openssl.c:270:25: warning: ?savsig? defined but not used > [-Wunused-variable] > static struct sigaction savsig[NX509_SIG]; > ^ > make: *** [crypto/ui/ui_openssl.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/x509v3/v3_ncons.d.tmp -MT crypto/x509v3/v3_ncons.o -c -o > crypto/x509v3/v3_ncons.o crypto/x509v3/v3_ncons.c > crypto/x509v3/v3_ncons.c: In function ?nc_dns?: > crypto/x509v3/v3_ncons.c:392:5: warning: implicit declaration of > function ?strcasecmp? [-Wimplicit-function-declaration] > if (strcasecmp(baseptr, dnsptr)) > ^ > crypto/x509v3/v3_ncons.c: In function ?nc_uri?: > crypto/x509v3/v3_ncons.c:472:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > if (strncasecmp(p, baseptr, base->length) == 0) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/x509v3/v3_utl.d.tmp -MT crypto/x509v3/v3_utl.o -c -o > crypto/x509v3/v3_utl.o crypto/x509v3/v3_utl.c > crypto/x509v3/v3_utl.c: In function ?wildcard_match?: > crypto/x509v3/v3_utl.c:774:9: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/bio_ssl.d.tmp -MT > ssl/bio_ssl.o -c -o ssl/bio_ssl.o ssl/bio_ssl.c > In file included from ssl/bio_ssl.c:65:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/d1_lib.d.tmp -MT > ssl/d1_lib.o -c -o ssl/d1_lib.o ssl/d1_lib.c > In file included from ssl/d1_lib.c:63:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > make: *** [ssl/d1_lib.o] Error 1 > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/ssl_conf.d.tmp -MT > ssl/ssl_conf.o -c -o ssl/ssl_conf.o ssl/ssl_conf.c > In file included from ssl/ssl_conf.c:59:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > ssl/ssl_conf.c: In function ?ssl_match_option?: > ssl/ssl_conf.c:194:16: warning: implicit declaration of function > ?strncasecmp? [-Wimplicit-function-declaration] > || strncasecmp(tbl->name, name, namelen)) > ^ > ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 11:45:25 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 11:45:25 +0000 Subject: [openssl-dev] [openssl.org #4481] PATCH: Re: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: $ git diff crypto/async/arch/async_posix.h > async_posix.h.patch $ cat async_posix.h.patch diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index de80f95..968358f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -74,7 +74,7 @@ typedef struct async_fibre_st { int env_init; } async_fibre; -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) +static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) { o->env_init = 1; > ------------------------------------------------------------------------- > It looks like the defines of interest here to use inline are: > > $ cc -ansi -dM -E - ansi.txt > $ cc -dM -E - no-ansi.txt > > $ diff ansi.txt no-ansi.txt > 65d64 > < #define __GNUC_GNU_INLINE__ 1 > 67a67 >> #define __GNUC_STDC_INLINE__ 1 > 140a141 >> #define __STDC_VERSION__ 199901L > 142d142 > < #define __STRICT_ANSI__ 1 > > On Fri, Mar 25, 2016 at 6:21 AM, Jeffrey Walton wrote: >> Working from Master at 7793e17440539b71 on OS X 10.8. Also see >> http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. >> >> $ KERNEL_BITS=64 ./config shared no-asm -ansi >> ... >> $ make -k >> ... >> >> cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch >> x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include >> -MMD -MF crypto/async/arch/async_null.d.tmp -MT >> crypto/async/arch/async_null.o -c -o crypto/async/arch/async_null.o >> crypto/async/arch/async_null.c >> In file included from crypto/async/arch/async_null.c:54: >> In file included from crypto/async/arch/../async_locl.h:69: >> crypto/async/arch/../arch/async_posix.h:77:8: error: unknown type name 'inline' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> crypto/async/arch/../arch/async_posix.h:77:15: error: expected identifier or '(' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> 2 errors generated. >> Makefile:1240: recipe for target 'crypto/async/arch/async_null.o' failed >> >> >> >> cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch >> x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include >> -MMD -MF crypto/async/arch/async_win.d.tmp -MT >> crypto/async/arch/async_win.o -c -o crypto/async/arch/async_win.o >> crypto/async/arch/async_win.c >> In file included from crypto/async/arch/async_win.c:54: >> In file included from crypto/async/arch/../async_locl.h:69: >> crypto/async/arch/../arch/async_posix.h:77:8: error: unknown type name 'inline' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> crypto/async/arch/../arch/async_posix.h:77:15: error: expected identifier or '(' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> 2 errors generated. >> Makefile:1256: recipe for target 'crypto/async/arch/async_win.o' failed >> make: *** [crypto/async/arch/async_win.o] Error 1 >> >> >> >> cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch >> x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include >> -MMD -MF crypto/async/async.d.tmp -MT crypto/async/async.o -c -o >> crypto/async/async.o crypto/async/async.c >> In file included from crypto/async/async.c:62: >> In file included from crypto/async/async_locl.h:69: >> crypto/async/arch/async_posix.h:77:8: error: unknown type name 'inline' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> crypto/async/arch/async_posix.h:77:15: error: expected identifier or '(' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> crypto/async/async.c:202:14: warning: implicit declaration of function >> 'async_fibre_swapcontext' [-Wimplicit-function-declaration] >> if (!async_fibre_swapcontext(&job->fibrectx, >> ^ >> 1 warning and 2 errors generated. >> Makefile:1264: recipe for target 'crypto/async/async.o' failed >> make: *** [crypto/async/async.o] Error 1 >> >> >> >> cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch >> x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include >> -MMD -MF crypto/async/async_err.d.tmp -MT crypto/async/async_err.o -c >> -o crypto/async/async_err.o crypto/async/async_err.c >> cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch >> x86_64 -DL_ENDIAN -Wall -ansi -fPIC -Iinclude -I. -Icrypto/include >> -MMD -MF crypto/async/async_wait.d.tmp -MT crypto/async/async_wait.o >> -c -o crypto/async/async_wait.o crypto/async/async_wait.c >> In file included from crypto/async/async_wait.c:54: >> In file included from crypto/async/async_locl.h:69: >> crypto/async/arch/async_posix.h:77:8: error: unknown type name 'inline' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> crypto/async/arch/async_posix.h:77:15: error: expected identifier or '(' >> static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) >> ^ >> 2 errors generated. >> Makefile:1280: recipe for target 'crypto/async/async_wait.o' failed >> make: *** [crypto/async/async_wait.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4481 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 11:46:34 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 11:46:34 +0000 Subject: [openssl-dev] [openssl.org #4480] PATCH: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: $ git diff crypto/async/arch/async_posix.h > async_posix.h.patch $ cat async_posix.h.patch diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index de80f95..968358f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -74,7 +74,7 @@ typedef struct async_fibre_st { int env_init; } async_fibre; -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) +static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) { o->env_init = 1; > Working from Master at 7793e17440539b71 on Ubuntu 14 machine. Also see > http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. > > $ ./config shared no-asm -ansi > ... > $ make -k > ... > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/asn1/ameth_lib.d.tmp -MT crypto/asn1/ameth_lib.o -c -o > crypto/asn1/ameth_lib.o crypto/asn1/ameth_lib.c > crypto/asn1/ameth_lib.c: In function ?EVP_PKEY_asn1_find_str?: > crypto/asn1/ameth_lib.c:217:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > && (strncasecmp(ameth->pem_str, str, len) == 0)) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/b_addr.d.tmp -MT crypto/bio/b_addr.o -c -o > crypto/bio/b_addr.o crypto/bio/b_addr.c > crypto/bio/b_addr.c: In function ?BIO_lookup?: > crypto/bio/b_addr.c:770:17: warning: implicit declaration of function > ?hstrerror? [-Wimplicit-function-declaration] > ERR_add_error_data(1, hstrerror(h_errno)); > ^ > crypto/bio/b_addr.c:690:13: warning: unused variable ?gai_ret? > [-Wunused-variable] > int gai_ret = 0; > ^ > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_bio.d.tmp -MT crypto/bio/bss_bio.o -c -o > crypto/bio/bss_bio.o crypto/bio/bss_bio.c > In file included from include/openssl/bio.h:61:0, > from crypto/bio/bss_bio.c:68: > crypto/bio/bss_bio.c: In function ?bio_nread?: > include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first > use in this function) > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > include/openssl/e_os2.h:267:26: note: each undeclared identifier is > reported only once for each function it appears in > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > crypto/bio/bss_bio.c: In function ?bio_nwrite?: > include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first > use in this function) > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:445:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > make: *** [crypto/bio/bss_bio.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o > crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c > In file included from /usr/include/netdb.h:27:0, > from ./e_os.h:443, > from crypto/bio/bio_lcl.h:2, > from crypto/bio/bss_dgram.c:62: > crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c: In function ?dgram_ctrl?: > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > make: *** [crypto/bio/bss_dgram.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/conf/conf_lib.d.tmp -MT crypto/conf/conf_lib.o -c -o > crypto/conf/conf_lib.o crypto/conf/conf_lib.c > crypto/conf/conf_lib.c: In function ?OPENSSL_INIT_set_config_filename?: > crypto/conf/conf_lib.c:395:5: warning: implicit declaration of > function ?strdup? [-Wimplicit-function-declaration] > settings->config_name = config_file == NULL ? NULL : strdup(config_file); > ^ > crypto/conf/conf_lib.c:395:56: warning: pointer/integer type mismatch > in conditional expression [enabled by default] > settings->config_name = config_file == NULL ? NULL : strdup(config_file); > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/conf/conf_sap.d.tmp -MT crypto/conf/conf_sap.o -c -o > crypto/conf/conf_sap.o crypto/conf/conf_sap.c > crypto/conf/conf_sap.c: In function ?OPENSSL_config?: > crypto/conf/conf_sap.c:82:9: warning: implicit declaration of function > ?strdup? [-Wimplicit-function-declaration] > settings.config_name = strdup(config_name); > ^ > crypto/conf/conf_sap.c:82:30: warning: assignment makes pointer from > integer without a cast [enabled by default] > settings.config_name = strdup(config_name); > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/engine/tb_asnmth.d.tmp -MT crypto/engine/tb_asnmth.o -c -o > crypto/engine/tb_asnmth.o crypto/engine/tb_asnmth.c > crypto/engine/tb_asnmth.c: In function ?ENGINE_get_pkey_asn1_meth_str?: > crypto/engine/tb_asnmth.c:195:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > && strncasecmp(ameth->pem_str, str, len) == 0) > ^ > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/rand/randfile.d.tmp -MT crypto/rand/randfile.o -c -o > crypto/rand/randfile.o crypto/rand/randfile.c > crypto/rand/randfile.c: In function ?RAND_write_file?: > crypto/rand/randfile.c:222:13: warning: implicit declaration of > function ?fdopen? [-Wimplicit-function-declaration] > out = fdopen(fd, "wb"); > ^ > crypto/rand/randfile.c:222:17: warning: assignment makes pointer from > integer without a cast [enabled by default] > out = fdopen(fd, "wb"); > ^ > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/threads_pthread.d.tmp -MT crypto/threads_pthread.o -c -o > crypto/threads_pthread.o crypto/threads_pthread.c > In file included from crypto/threads_pthread.c:50:0: > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_new?: > crypto/threads_pthread.c:57:49: error: ?pthread_rwlock_t? undeclared > (first use in this function) > CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); > ^ > include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? > CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/threads_pthread.c:57:49: note: each undeclared identifier is > reported only once for each function it appears in > CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); > ^ > include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? > CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/threads_pthread.c:61:5: warning: implicit declaration of > function ?pthread_rwlock_init? [-Wimplicit-function-declaration] > if (pthread_rwlock_init(lock, NULL) != 0) { > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_read_lock?: > crypto/threads_pthread.c:71:5: warning: implicit declaration of > function ?pthread_rwlock_rdlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_rdlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_write_lock?: > crypto/threads_pthread.c:79:5: warning: implicit declaration of > function ?pthread_rwlock_wrlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_wrlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_unlock?: > crypto/threads_pthread.c:87:5: warning: implicit declaration of > function ?pthread_rwlock_unlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_unlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_free?: > crypto/threads_pthread.c:98:5: warning: implicit declaration of > function ?pthread_rwlock_destroy? [-Wimplicit-function-declaration] > pthread_rwlock_destroy(lock); > ^ > make: *** [crypto/threads_pthread.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/ui/ui_openssl.d.tmp -MT crypto/ui/ui_openssl.o -c -o > crypto/ui/ui_openssl.o crypto/ui/ui_openssl.c > crypto/ui/ui_openssl.c:270:25: error: array type has incomplete element type > static struct sigaction savsig[NX509_SIG]; > ^ > crypto/ui/ui_openssl.c: In function ?open_console?: > crypto/ui/ui_openssl.c:483:5: warning: implicit declaration of > function ?fileno? [-Wimplicit-function-declaration] > if (TTY_get(fileno(tty_in), &tty_orig) == -1) { > ^ > crypto/ui/ui_openssl.c: In function ?pushsig?: > crypto/ui/ui_openssl.c:584:22: error: storage size of ?sa? isn?t known > struct sigaction sa; > ^ > crypto/ui/ui_openssl.c:612:9: warning: implicit declaration of > function ?sigaction? [-Wimplicit-function-declaration] > sigaction(i, &sa, &savsig[i]); > ^ > crypto/ui/ui_openssl.c:584:22: warning: unused variable ?sa? [-Wunused-variable] > struct sigaction sa; > ^ > crypto/ui/ui_openssl.c: At top level: > crypto/ui/ui_openssl.c:270:25: warning: ?savsig? defined but not used > [-Wunused-variable] > static struct sigaction savsig[NX509_SIG]; > ^ > make: *** [crypto/ui/ui_openssl.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/x509v3/v3_ncons.d.tmp -MT crypto/x509v3/v3_ncons.o -c -o > crypto/x509v3/v3_ncons.o crypto/x509v3/v3_ncons.c > crypto/x509v3/v3_ncons.c: In function ?nc_dns?: > crypto/x509v3/v3_ncons.c:392:5: warning: implicit declaration of > function ?strcasecmp? [-Wimplicit-function-declaration] > if (strcasecmp(baseptr, dnsptr)) > ^ > crypto/x509v3/v3_ncons.c: In function ?nc_uri?: > crypto/x509v3/v3_ncons.c:472:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > if (strncasecmp(p, baseptr, base->length) == 0) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/x509v3/v3_utl.d.tmp -MT crypto/x509v3/v3_utl.o -c -o > crypto/x509v3/v3_utl.o crypto/x509v3/v3_utl.c > crypto/x509v3/v3_utl.c: In function ?wildcard_match?: > crypto/x509v3/v3_utl.c:774:9: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/bio_ssl.d.tmp -MT > ssl/bio_ssl.o -c -o ssl/bio_ssl.o ssl/bio_ssl.c > In file included from ssl/bio_ssl.c:65:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/d1_lib.d.tmp -MT > ssl/d1_lib.o -c -o ssl/d1_lib.o ssl/d1_lib.c > In file included from ssl/d1_lib.c:63:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > make: *** [ssl/d1_lib.o] Error 1 > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/ssl_conf.d.tmp -MT > ssl/ssl_conf.o -c -o ssl/ssl_conf.o ssl/ssl_conf.c > In file included from ssl/ssl_conf.c:59:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > ssl/ssl_conf.c: In function ?ssl_match_option?: > ssl/ssl_conf.c:194:16: warning: implicit declaration of function > ?strncasecmp? [-Wimplicit-function-declaration] > || strncasecmp(tbl->name, name, namelen)) > ^ > ... > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 12:10:18 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 12:10:18 +0000 Subject: [openssl-dev] [openssl.org #4480] PATCH: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: This should fix the missing SSIZE_MAX on GNU systems when -ansi is in effect (and posix is not available). Also see https://sourceware.org/ml/libc-hacker/2002-08/msg00031.html. diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index bbd6116..73058c0 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -264,7 +264,15 @@ extern "C" { # ifndef ossl_ssize_t # define ossl_ssize_t ssize_t -# define OSSL_SSIZE_MAX SSIZE_MAX +# if defined(SSIZE_MAX) +# define OSSL_SSIZE_MAX SSIZE_MAX +# elif defined(_POSIX_SSIZE_MAX) +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX +# elif (__WORDSIZE == 64) +# define OSSL_SSIZE_MAX LONG_MAX +# elif(__WORDSIZE == 32) +# define OSSL_SSIZE_MAX INT_MAX +# endif # endif # ifdef DEBUG_UNUSED > ------------------------------------------------------------------------- > Working from Master at 7793e17440539b71 on Ubuntu 14 machine. Also see > http://stackoverflow.com/questions/13870489/is-inline-asm-part-of-the-ansi-c-standard. > > $ ./config shared no-asm -ansi > ... > $ make -k > ... > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/asn1/ameth_lib.d.tmp -MT crypto/asn1/ameth_lib.o -c -o > crypto/asn1/ameth_lib.o crypto/asn1/ameth_lib.c > crypto/asn1/ameth_lib.c: In function ?EVP_PKEY_asn1_find_str?: > crypto/asn1/ameth_lib.c:217:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > && (strncasecmp(ameth->pem_str, str, len) == 0)) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/b_addr.d.tmp -MT crypto/bio/b_addr.o -c -o > crypto/bio/b_addr.o crypto/bio/b_addr.c > crypto/bio/b_addr.c: In function ?BIO_lookup?: > crypto/bio/b_addr.c:770:17: warning: implicit declaration of function > ?hstrerror? [-Wimplicit-function-declaration] > ERR_add_error_data(1, hstrerror(h_errno)); > ^ > crypto/bio/b_addr.c:690:13: warning: unused variable ?gai_ret? > [-Wunused-variable] > int gai_ret = 0; > ^ > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_bio.d.tmp -MT crypto/bio/bss_bio.o -c -o > crypto/bio/bss_bio.o crypto/bio/bss_bio.c > In file included from include/openssl/bio.h:61:0, > from crypto/bio/bss_bio.c:68: > crypto/bio/bss_bio.c: In function ?bio_nread?: > include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first > use in this function) > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > include/openssl/e_os2.h:267:26: note: each undeclared identifier is > reported only once for each function it appears in > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:289:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > crypto/bio/bss_bio.c: In function ?bio_nwrite?: > include/openssl/e_os2.h:267:26: error: ?SSIZE_MAX? undeclared (first > use in this function) > # define OSSL_SSIZE_MAX SSIZE_MAX > ^ > crypto/bio/bss_bio.c:445:16: note: in expansion of macro ?OSSL_SSIZE_MAX? > if (num_ > OSSL_SSIZE_MAX) > ^ > make: *** [crypto/bio/bss_bio.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o > crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c > In file included from /usr/include/netdb.h:27:0, > from ./e_os.h:443, > from crypto/bio/bio_lcl.h:2, > from crypto/bio/bss_dgram.c:62: > crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c: In function ?dgram_ctrl?: > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:604:24: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > make: *** [crypto/bio/bss_dgram.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/conf/conf_lib.d.tmp -MT crypto/conf/conf_lib.o -c -o > crypto/conf/conf_lib.o crypto/conf/conf_lib.c > crypto/conf/conf_lib.c: In function ?OPENSSL_INIT_set_config_filename?: > crypto/conf/conf_lib.c:395:5: warning: implicit declaration of > function ?strdup? [-Wimplicit-function-declaration] > settings->config_name = config_file == NULL ? NULL : strdup(config_file); > ^ > crypto/conf/conf_lib.c:395:56: warning: pointer/integer type mismatch > in conditional expression [enabled by default] > settings->config_name = config_file == NULL ? NULL : strdup(config_file); > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/conf/conf_sap.d.tmp -MT crypto/conf/conf_sap.o -c -o > crypto/conf/conf_sap.o crypto/conf/conf_sap.c > crypto/conf/conf_sap.c: In function ?OPENSSL_config?: > crypto/conf/conf_sap.c:82:9: warning: implicit declaration of function > ?strdup? [-Wimplicit-function-declaration] > settings.config_name = strdup(config_name); > ^ > crypto/conf/conf_sap.c:82:30: warning: assignment makes pointer from > integer without a cast [enabled by default] > settings.config_name = strdup(config_name); > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/engine/tb_asnmth.d.tmp -MT crypto/engine/tb_asnmth.o -c -o > crypto/engine/tb_asnmth.o crypto/engine/tb_asnmth.c > crypto/engine/tb_asnmth.c: In function ?ENGINE_get_pkey_asn1_meth_str?: > crypto/engine/tb_asnmth.c:195:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > && strncasecmp(ameth->pem_str, str, len) == 0) > ^ > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/rand/randfile.d.tmp -MT crypto/rand/randfile.o -c -o > crypto/rand/randfile.o crypto/rand/randfile.c > crypto/rand/randfile.c: In function ?RAND_write_file?: > crypto/rand/randfile.c:222:13: warning: implicit declaration of > function ?fdopen? [-Wimplicit-function-declaration] > out = fdopen(fd, "wb"); > ^ > crypto/rand/randfile.c:222:17: warning: assignment makes pointer from > integer without a cast [enabled by default] > out = fdopen(fd, "wb"); > ^ > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/threads_pthread.d.tmp -MT crypto/threads_pthread.o -c -o > crypto/threads_pthread.o crypto/threads_pthread.c > In file included from crypto/threads_pthread.c:50:0: > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_new?: > crypto/threads_pthread.c:57:49: error: ?pthread_rwlock_t? undeclared > (first use in this function) > CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); > ^ > include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? > CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/threads_pthread.c:57:49: note: each undeclared identifier is > reported only once for each function it appears in > CRYPTO_RWLOCK *lock = OPENSSL_zalloc(sizeof(pthread_rwlock_t)); > ^ > include/openssl/crypto.h:238:23: note: in definition of macro ?OPENSSL_zalloc? > CRYPTO_zalloc(num, OPENSSL_FILE, OPENSSL_LINE) > ^ > crypto/threads_pthread.c:61:5: warning: implicit declaration of > function ?pthread_rwlock_init? [-Wimplicit-function-declaration] > if (pthread_rwlock_init(lock, NULL) != 0) { > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_read_lock?: > crypto/threads_pthread.c:71:5: warning: implicit declaration of > function ?pthread_rwlock_rdlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_rdlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_write_lock?: > crypto/threads_pthread.c:79:5: warning: implicit declaration of > function ?pthread_rwlock_wrlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_wrlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_unlock?: > crypto/threads_pthread.c:87:5: warning: implicit declaration of > function ?pthread_rwlock_unlock? [-Wimplicit-function-declaration] > if (pthread_rwlock_unlock(lock) != 0) > ^ > crypto/threads_pthread.c: In function ?CRYPTO_THREAD_lock_free?: > crypto/threads_pthread.c:98:5: warning: implicit declaration of > function ?pthread_rwlock_destroy? [-Wimplicit-function-declaration] > pthread_rwlock_destroy(lock); > ^ > make: *** [crypto/threads_pthread.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/ui/ui_openssl.d.tmp -MT crypto/ui/ui_openssl.o -c -o > crypto/ui/ui_openssl.o crypto/ui/ui_openssl.c > crypto/ui/ui_openssl.c:270:25: error: array type has incomplete element type > static struct sigaction savsig[NX509_SIG]; > ^ > crypto/ui/ui_openssl.c: In function ?open_console?: > crypto/ui/ui_openssl.c:483:5: warning: implicit declaration of > function ?fileno? [-Wimplicit-function-declaration] > if (TTY_get(fileno(tty_in), &tty_orig) == -1) { > ^ > crypto/ui/ui_openssl.c: In function ?pushsig?: > crypto/ui/ui_openssl.c:584:22: error: storage size of ?sa? isn?t known > struct sigaction sa; > ^ > crypto/ui/ui_openssl.c:612:9: warning: implicit declaration of > function ?sigaction? [-Wimplicit-function-declaration] > sigaction(i, &sa, &savsig[i]); > ^ > crypto/ui/ui_openssl.c:584:22: warning: unused variable ?sa? [-Wunused-variable] > struct sigaction sa; > ^ > crypto/ui/ui_openssl.c: At top level: > crypto/ui/ui_openssl.c:270:25: warning: ?savsig? defined but not used > [-Wunused-variable] > static struct sigaction savsig[NX509_SIG]; > ^ > make: *** [crypto/ui/ui_openssl.o] Error 1 > > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/x509v3/v3_ncons.d.tmp -MT crypto/x509v3/v3_ncons.o -c -o > crypto/x509v3/v3_ncons.o crypto/x509v3/v3_ncons.c > crypto/x509v3/v3_ncons.c: In function ?nc_dns?: > crypto/x509v3/v3_ncons.c:392:5: warning: implicit declaration of > function ?strcasecmp? [-Wimplicit-function-declaration] > if (strcasecmp(baseptr, dnsptr)) > ^ > crypto/x509v3/v3_ncons.c: In function ?nc_uri?: > crypto/x509v3/v3_ncons.c:472:13: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > if (strncasecmp(p, baseptr, base->length) == 0) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/x509v3/v3_utl.d.tmp -MT crypto/x509v3/v3_utl.o -c -o > crypto/x509v3/v3_utl.o crypto/x509v3/v3_utl.c > crypto/x509v3/v3_utl.c: In function ?wildcard_match?: > crypto/x509v3/v3_utl.c:774:9: warning: implicit declaration of > function ?strncasecmp? [-Wimplicit-function-declaration] > subject_len >= 4 && strncasecmp((char *)subject, "xn--", 4) == 0) > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/bio_ssl.d.tmp -MT > ssl/bio_ssl.o -c -o ssl/bio_ssl.o ssl/bio_ssl.c > In file included from ssl/bio_ssl.c:65:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/d1_lib.d.tmp -MT > ssl/d1_lib.o -c -o ssl/d1_lib.o ssl/d1_lib.c > In file included from ssl/d1_lib.c:63:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > make: *** [ssl/d1_lib.o] Error 1 > > > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -MMD -MF ssl/ssl_conf.d.tmp -MT > ssl/ssl_conf.o -c -o ssl/ssl_conf.o ssl/ssl_conf.c > In file included from ssl/ssl_conf.c:59:0: > ssl/ssl_locl.h:1494:20: error: field ?next_timeout? has incomplete type > struct timeval next_timeout; > ^ > ssl/ssl_conf.c: In function ?ssl_match_option?: > ssl/ssl_conf.c:194:16: warning: implicit declaration of function > ?strncasecmp? [-Wimplicit-function-declaration] > || strncasecmp(tbl->name, name, namelen)) > ^ > ... > > > > ------------------------------------------------------------------------- > http://rt.openssl.org/Ticket/Display.html?id=4480&user=guest&pass=guest -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 12:10:32 2016 From: rt at openssl.org (Hanno Boeck via RT) Date: Fri, 25 Mar 2016 12:10:32 +0000 Subject: [openssl-dev] [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: <20160325115042.5b8be48f@pc1> References: <20160325115042.5b8be48f@pc1> Message-ID: Attached is a sample code that will test various inputs for the Poly1305 functions of openssl. These produce wrong results. The first example does so only on 32 bit, the other three also on 64 bit. David Benjamin has already reported incorrect results for Poly1305 in bug #4439, these are separate issues. I have tested this against latest git + the patch Andy Polyakov provided in that thread (+ the typo fix David Benjamin mentioned). I have checked the results against two reference implementations (donna-poly1305 and the gmpxx example code from DJB), so I'm reasoanbly confident the bug is in openssl and not in the reference code. This needs to be compiled inside a compiled openssl tree (see comment). The simplest example triggering a wrong result is a key completely consisting of bytes with value 0c and an input of 02:fc. This was found with the help of american fuzzy lop. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4482 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: polytest.c Type: text/x-c++src Size: 7590 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 12:10:32 2016 From: rt at openssl.org (Hanno Boeck via RT) Date: Fri, 25 Mar 2016 12:10:32 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: <20160325115152.6629faa7@pc1> References: <20160325115152.6629faa7@pc1> Message-ID: Attached is a sample code that will test various inputs for the Poly1305 functions of openssl. These produce wrong results. The first example does so only on 32 bit, the other three also on 64 bit. David Benjamin has already reported incorrect results for Poly1305 in bug #4439, these are separate issues. I have tested this against latest git + the patch Andy Polyakov provided in that thread (+ the typo fix David Benjamin mentioned). I have checked the results against two reference implementations (donna-poly1305 and the gmpxx example code from DJB), so I'm reasoanbly confident the bug is in openssl and not in the reference code. This needs to be compiled inside a compiled openssl tree (see comment). The simplest example triggering a wrong result is a key completely consisting of bytes with value 0c and an input of 02:fc. This was found with the help of american fuzzy lop. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: polytest.c Type: text/x-c++src Size: 7590 bytes Desc: not available URL: From rsalz at akamai.com Fri Mar 25 13:04:10 2016 From: rsalz at akamai.com (Salz, Rich) Date: Fri, 25 Mar 2016 13:04:10 +0000 Subject: [openssl-dev] [openssl.org #4476] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: References: <06003337b1f74a4ba3cd96ab6e9b87ec@usma1ex-dag1mb1.msg.corp.akamai.com> <20160324185525.GM6602@mournblade.imrryr.org> Message-ID: > That's a lot of bang for the buck... Wow, it certainly is! Thanks. From rt at openssl.org Fri Mar 25 13:14:54 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 13:14:54 +0000 Subject: [openssl-dev] [openssl.org #4411] AutoReply: VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: This can be closed. Somehow it managed to split from the original bug. On Thu, Mar 10, 2016 at 2:29 PM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "VIA C7-D processor: Hang in 30-test_afalg.t", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4411]. > > Please include the string: > > [openssl.org #4411] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > > ------------------------------------------------------------------------- > Working from Master: > > $ git reset --hard HEAD && git pull > HEAD is now at fb04434 In the recipe using "makedepend", make sure the > object file extension is there > Already up-to-date. > > $ ./config > ... > $ make depend && make clean && make > ... > $ make test > ... > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ ok > ../test/recipes/05-test_bf.t .............. ok > ... > ../test/recipes/25-test_x509.t ............ ok > ../test/recipes/30-test_afalg.t ........... > ^C (after about 20 minutes) > > ********** > > Machine is Lubuntu: > > $ lsb_release -a > No LSB modules are available. > Distributor ID: Ubuntu > Description: Ubuntu 15.10 > Release: 15.10 > Codename: wily > > $ uname -a > Linux via 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 > i686 i686 i686 GNU/Linux > > ********** > > $ ./config > Operating system: i686-whatever-linux2 > Configuring for linux-elf > Configuring OpenSSL version 1.1.0-pre4-dev (0x0x10100004L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] > OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-shared [default] > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-static-engine [default] OPENSSL_NO_STATIC_ENGINE (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib [default] > no-zlib-dynamic [default] > Configuring for linux-elf > IsMK1MF =no > CC =gcc > CFLAG =-Wall -O3 -pthread -DL_ENDIAN -fomit-frame-pointer > -Wa,--noexecstack > SHARED_CFLAG =-fPIC > DEFINES =DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS > OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_BN_ASM_PART_WORDS > OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_GF2m SHA1_ASM > SHA256_ASM SHA512_ASM MD5_ASM RMD160_ASM AES_ASM VPAES_ASM > WHIRLPOOL_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM > LFLAG = > PLIB_LFLAG = > EX_LIBS =-ldl > APPS_OBJ = > CPUID_OBJ =x86cpuid.o > UPLINK_OBJ = > BN_ASM =bn-586.o co-586.o x86-mont.o x86-gf2m.o > EC_ASM =ecp_nistz256.o ecp_nistz256-x86.o > DES_ENC =des-586.o crypt586.o > AES_ENC =aes-586.o vpaes-x86.o aesni-x86.o > BF_ENC =bf-586.o > CAST_ENC =c_enc.o > RC4_ENC =rc4-586.o > RC5_ENC =rc5-586.o > MD5_OBJ_ASM =md5-586.o > SHA1_OBJ_ASM =sha1-586.o sha256-586.o sha512-586.o > RMD160_OBJ_ASM=rmd-586.o > CMLL_ENC =cmll-x86.o > MODES_OBJ =ghash-x86.o > PADLOCK_OBJ =e_padlock-x86.o > CHACHA_ENC =chacha-x86.o > POLY1305_OBJ =poly1305-x86.o > PROCESSOR = > RANLIB =/usr/bin/ranlib > ARFLAGS = > PERL =/usr/bin/perl > > THIRTY_TWO_BIT mode > BN_LLONG mode > > Configured for linux-elf. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 13:15:14 2016 From: rt at openssl.org (Stephen Henson via RT) Date: Fri, 25 Mar 2016 13:15:14 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> Message-ID: On Tue Mar 22 21:51:05 2016, michel.sales at free.fr wrote: > Hi, > > Here attached is some test data files and a patch against today's git repo > to allow for the use of wrap mode using the OpenSSL 'enc' command. > > The 'raw*.dat' files contains the NIST test vectors, and the '*.ok.enc' the > expected encrypted result (base64 encoded with equivalent hexa value). > The testwrap.cmds file is a small Windows script (.bat) with tests commands. > > As mentioned in a previous post, It may not be the best way to achieve this, > in which case I would be happy to learn how to do it better. > The enc command uses a cipher BIO chain which requires that a cipher is able to stream. That means the output doesn't depend on how the input is presented: e.g. all in one piece or one byte at a time. The wrap modes by their very nature cannot stream and so cannot work easily with the enc command. It may work for some cases but if buffers fill and you end up getting data in more than one piece the result is different. There are other modes which have problem with streaming too such as CCM. I think supporting wrap modes in the 'enc' utility is a good idea but it unfortunately requires rather more significant changes to bypass the cipher BIO mechanism and present the data in a single operation where required. That would also mean things like chaining (base64 operations) cannot work. We support tests already in evptests.txt: some additions in there would be welcome. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 13:16:00 2016 From: rt at openssl.org (Rich Salz via RT) Date: Fri, 25 Mar 2016 13:16:00 +0000 Subject: [openssl-dev] [openssl.org #4411] VIA C7-D processor: Hang in 30-test_afalg.t In-Reply-To: References: Message-ID: closing per OP. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4411 Please log in as guest with password guest if prompted From uri at ll.mit.edu Fri Mar 25 14:08:39 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Fri, 25 Mar 2016 14:08:39 +0000 Subject: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes In-Reply-To: <000c01d1867d$86832270$93896750$@sales@free.fr> References: <20160325001450.18296912.68087.59795@ll.mit.edu> <000c01d1867d$86832270$93896750$@sales@free.fr> Message-ID: On 3/25/16, 6:03 , "openssl-dev on behalf of Michel" wrote: >Hi Mr. Blumenthal, > >I believed there is someone else who should have almost finished at this >time : >https://mta.openssl.org/pipermail/openssl-dev/2016-January/004034.html Ah, yes. But that person seems to be rather quiet since that post. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 15:11:38 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 15:11:38 +0000 Subject: [openssl-dev] [openssl.org #4484] Ubuntu i686: engines/afalg/e_afalg.c does not respect no-asm In-Reply-To: References: Message-ID: Working from Master at 7793e17440539b7. x86_64 is OK. To get to e_afalg.c in the compile, you will need to change "inline" -> "ossl_inline". $ ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ ... $ make ... engines/afalg/e_afalg.c: In function ?afalg_fin_cipher_aio?: engines/afalg/e_afalg.c:275:19: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] cb->aio_buf = (uint64_t)buf; ^ engines/afalg/e_afalg.c: At top level: engines/afalg/e_afalg.c:355:15: error: expected ?=?, ?,?, ?;?, ?asm? or ?__attribute__? before ?void? static inline void afalg_set_op_sk(struct cmsghdr *cmsg, ^ engines/afalg/e_afalg.c:377:15: error: expected ?=?, ?,?, ?;?, ?asm? or ?__attribute__? before ?int? static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, ^ engines/afalg/e_afalg.c: In function ?afalg_start_cipher_sk?: engines/afalg/e_afalg.c:460:5: warning: implicit declaration of function ?afalg_set_op_sk? [-Wimplicit-function-declaration] afalg_set_op_sk(cmsg, enc); ^ engines/afalg/e_afalg.c: In function ?afalg_cipher_init?: engines/afalg/e_afalg.c:572:11: warning: implicit declaration of function ?afalg_set_key? [-Wimplicit-function-declaration] ret = afalg_set_key(actx, key, EVP_CIPHER_CTX_key_length(ctx)); ^ Makefile:5804: recipe for target 'engines/afalg/e_afalg.o' failed make: *** [engines/afalg/e_afalg.o] Error 1 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4484 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 15:13:51 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 15:13:51 +0000 Subject: [openssl-dev] [openssl.org #4484] AutoReply: Ubuntu i686: engines/afalg/e_afalg.c does not respect no-asm In-Reply-To: References: Message-ID: Cancel this. This was not an ASM error; it was inline artifacts froma previous build. On Fri, Mar 25, 2016 at 11:11 AM, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "Ubuntu i686: engines/afalg/e_afalg.c does not respect no-asm", > a summary of which appears below. > > There is no need to reply to this message right now. Your ticket has been > assigned an ID of [openssl.org #4484]. > > Please include the string: > > [openssl.org #4484] > > in the subject line of all future correspondence about this issue. To do so, > you may reply to this message. > > Thank you, > rt at openssl.org > > ------------------------------------------------------------------------- > Working from Master at 7793e17440539b7. x86_64 is OK. > > To get to e_afalg.c in the compile, you will need to change "inline" > -> "ossl_inline". > > > $ ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ > ... > > $ make > ... > > engines/afalg/e_afalg.c: In function ?afalg_fin_cipher_aio?: > engines/afalg/e_afalg.c:275:19: warning: cast from pointer to integer > of different size [-Wpointer-to-int-cast] > cb->aio_buf = (uint64_t)buf; > ^ > engines/afalg/e_afalg.c: At top level: > engines/afalg/e_afalg.c:355:15: error: expected ?=?, ?,?, ?;?, ?asm? > or ?__attribute__? before ?void? > static inline void afalg_set_op_sk(struct cmsghdr *cmsg, > ^ > engines/afalg/e_afalg.c:377:15: error: expected ?=?, ?,?, ?;?, ?asm? > or ?__attribute__? before ?int? > static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > ^ > engines/afalg/e_afalg.c: In function ?afalg_start_cipher_sk?: > engines/afalg/e_afalg.c:460:5: warning: implicit declaration of > function ?afalg_set_op_sk? [-Wimplicit-function-declaration] > afalg_set_op_sk(cmsg, enc); > ^ > engines/afalg/e_afalg.c: In function ?afalg_cipher_init?: > engines/afalg/e_afalg.c:572:11: warning: implicit declaration of > function ?afalg_set_key? [-Wimplicit-function-declaration] > ret = afalg_set_key(actx, key, EVP_CIPHER_CTX_key_length(ctx)); > ^ > Makefile:5804: recipe for target 'engines/afalg/e_afalg.o' failed > make: *** [engines/afalg/e_afalg.o] Error 1 > > > > ------------------------------------------------------------------------- > http://rt.openssl.org/Ticket/Display.html?id=4484&user=guest&pass=guest -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4484 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 15:15:05 2016 From: rt at openssl.org (Rich Salz via RT) Date: Fri, 25 Mar 2016 15:15:05 +0000 Subject: [openssl-dev] [openssl.org #4484] Ubuntu i686: engines/afalg/e_afalg.c does not respect no-asm In-Reply-To: References: Message-ID: cancelling per OP. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4484 Please log in as guest with password guest if prompted From noloader at gmail.com Fri Mar 25 15:39:00 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 11:39:00 -0400 Subject: [openssl-dev] [openssl.org #4480] ROLLUP PATCH: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" Message-ID: Here's the rollup patch that makes -ansi work. Most of it was "inline" -> "ossl_inline". Some hoops were jumped through to get SSIZE_MAX defined correctly. To configure: ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__automatically. **** $ git diff > ansi.patch $ cat ansi.patch diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index de80f95..968358f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -74,7 +74,7 @@ typedef struct async_fibre_st { int env_init; } async_fibre; -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) +static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) { o->env_init = 1; diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c index 3ccf9d5..1914be5 100644 --- a/engines/afalg/e_afalg.c +++ b/engines/afalg/e_afalg.c @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { static EVP_CIPHER *_hidden_aes_128_cbc = NULL; -static inline int io_setup(unsigned n, aio_context_t *ctx) +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) { return syscall(__NR_io_setup, n, ctx); } -static inline int eventfd(int n) +static ossl_inline int eventfd(int n) { return syscall(__NR_eventfd, n); } -static inline int io_destroy(aio_context_t ctx) +static ossl_inline int io_destroy(aio_context_t ctx) { return syscall(__NR_io_destroy, ctx); } -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) { return syscall(__NR_io_submit, ctx, n, iocb); } -static inline int io_getevents(aio_context_t ctx, long min, long max, +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, struct io_event *events, struct timespec *timeout) { @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, memset(cb, '\0', sizeof(*cb)); cb->aio_fildes = sfd; cb->aio_lio_opcode = IOCB_CMD_PREAD; - cb->aio_buf = (unsigned long)buf; + cb->aio_buf = (uint64_t)buf; cb->aio_offset = 0; cb->aio_data = 0; cb->aio_nbytes = len; @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, return 1; } -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, const unsigned int op) { cmsg->cmsg_level = SOL_ALG; @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, const unsigned char *iv, memcpy(aiv->iv, iv, len); } -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, const int klen) { int ret; diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index bbd6116..73058c0 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -264,7 +264,15 @@ extern "C" { # ifndef ossl_ssize_t # define ossl_ssize_t ssize_t -# define OSSL_SSIZE_MAX SSIZE_MAX +# if defined(SSIZE_MAX) +# define OSSL_SSIZE_MAX SSIZE_MAX +# elif defined(_POSIX_SSIZE_MAX) +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX +# elif (__WORDSIZE == 64) +# define OSSL_SSIZE_MAX LONG_MAX +# elif(__WORDSIZE == 32) +# define OSSL_SSIZE_MAX INT_MAX +# endif # endif # ifdef DEBUG_UNUSED diff --git a/test/ssltest.c b/test/ssltest.c index a2dd445..6c1575c 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -140,8 +140,12 @@ */ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ -#define _BSD_SOURCE 1 -#define _DEFAULT_SOURCE 1 +#ifndef _BSD_SOURCE +# define _BSD_SOURCE 1 +#endif +#ifndef _DEFAULT_SOURCE +# define _DEFAULT_SOURCE 1 +#endif #include #include -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 3700 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 15:39:04 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 15:39:04 +0000 Subject: [openssl-dev] [openssl.org #4480] ROLLUP PATCH: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: Here's the rollup patch that makes -ansi work. Most of it was "inline" -> "ossl_inline". Some hoops were jumped through to get SSIZE_MAX defined correctly. To configure: ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__automatically. **** $ git diff > ansi.patch $ cat ansi.patch diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index de80f95..968358f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -74,7 +74,7 @@ typedef struct async_fibre_st { int env_init; } async_fibre; -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) +static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) { o->env_init = 1; diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c index 3ccf9d5..1914be5 100644 --- a/engines/afalg/e_afalg.c +++ b/engines/afalg/e_afalg.c @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { static EVP_CIPHER *_hidden_aes_128_cbc = NULL; -static inline int io_setup(unsigned n, aio_context_t *ctx) +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) { return syscall(__NR_io_setup, n, ctx); } -static inline int eventfd(int n) +static ossl_inline int eventfd(int n) { return syscall(__NR_eventfd, n); } -static inline int io_destroy(aio_context_t ctx) +static ossl_inline int io_destroy(aio_context_t ctx) { return syscall(__NR_io_destroy, ctx); } -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) { return syscall(__NR_io_submit, ctx, n, iocb); } -static inline int io_getevents(aio_context_t ctx, long min, long max, +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, struct io_event *events, struct timespec *timeout) { @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, memset(cb, '\0', sizeof(*cb)); cb->aio_fildes = sfd; cb->aio_lio_opcode = IOCB_CMD_PREAD; - cb->aio_buf = (unsigned long)buf; + cb->aio_buf = (uint64_t)buf; cb->aio_offset = 0; cb->aio_data = 0; cb->aio_nbytes = len; @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, return 1; } -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, const unsigned int op) { cmsg->cmsg_level = SOL_ALG; @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, const unsigned char *iv, memcpy(aiv->iv, iv, len); } -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, const int klen) { int ret; diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index bbd6116..73058c0 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -264,7 +264,15 @@ extern "C" { # ifndef ossl_ssize_t # define ossl_ssize_t ssize_t -# define OSSL_SSIZE_MAX SSIZE_MAX +# if defined(SSIZE_MAX) +# define OSSL_SSIZE_MAX SSIZE_MAX +# elif defined(_POSIX_SSIZE_MAX) +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX +# elif (__WORDSIZE == 64) +# define OSSL_SSIZE_MAX LONG_MAX +# elif(__WORDSIZE == 32) +# define OSSL_SSIZE_MAX INT_MAX +# endif # endif # ifdef DEBUG_UNUSED diff --git a/test/ssltest.c b/test/ssltest.c index a2dd445..6c1575c 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -140,8 +140,12 @@ */ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ -#define _BSD_SOURCE 1 -#define _DEFAULT_SOURCE 1 +#ifndef _BSD_SOURCE +# define _BSD_SOURCE 1 +#endif +#ifndef _DEFAULT_SOURCE +# define _DEFAULT_SOURCE 1 +#endif #include #include -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 3700 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 15:49:36 2016 From: rt at openssl.org (Hanno Boeck via RT) Date: Fri, 25 Mar 2016 15:49:36 +0000 Subject: [openssl-dev] [openssl.org #4483] Re: [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: <20160325164904.7092a6bc@pc1> References: <20160325115042.5b8be48f@pc1> <20160325164904.7092a6bc@pc1> Message-ID: Attached is an updated version of the test with an additional test vector. This one happens on 64 bit and not on 32 bit. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: polytest.c Type: text/x-c++src Size: 8742 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 15:51:46 2016 From: rt at openssl.org (Hanno Boeck via RT) Date: Fri, 25 Mar 2016 15:51:46 +0000 Subject: [openssl-dev] [openssl.org #4483] Re: [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: <20160325165121.5d650cf1@pc1> References: <20160325115042.5b8be48f@pc1> <20160325165121.5d650cf1@pc1> Message-ID: Attached is an updated version of the test with an additional test vector. This one happens on 64 bit and not on 32 bit. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: polytest.c Type: text/x-c++src Size: 8742 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 15:52:15 2016 From: rt at openssl.org (Hanno Boeck via RT) Date: Fri, 25 Mar 2016 15:52:15 +0000 Subject: [openssl-dev] [openssl.org #4483] Re: [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: <20160325165154.638dabc6@pc1> References: <20160325115042.5b8be48f@pc1> <20160325165154.638dabc6@pc1> Message-ID: Attached is an updated version of the test with an additional test vector. This one happens on 64 bit and not on 32 bit. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: polytest.c Type: text/x-c++src Size: 8742 bytes Desc: not available URL: From michel.sales at free.fr Fri Mar 25 16:16:29 2016 From: michel.sales at free.fr (Michel) Date: Fri, 25 Mar 2016 17:16:29 +0100 Subject: [openssl-dev] [openssl.org #4477] [PATCH] enc command enhancement and small fixes In-Reply-To: References: <20160325001450.18296912.68087.59795@ll.mit.edu> <000c01d1867d$86832270$93896750$@sales@free.fr> Message-ID: <005001d186b1$b090d470$11b27d50$@sales@free.fr> >Ah, yes. But that person seems to be rather quiet since that post. And I can understand why now that I read the answer of Steve about AEAD and Wrap modes. :-( From noloader at gmail.com Fri Mar 25 16:31:01 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 12:31:01 -0400 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" Message-ID: Here's the rollup patch that makes -ansi work. Most of it was "inline" -> "ossl_inline". Some hoops were jumped through to get SSIZE_MAX defined correctly. Drepper signed-off on roughly the same fix about 15 years ago for glibc; see http://sourceware.org/ml/libc-hacker/2002-08/msg00031.html. To configure: ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ automatically. Its the same patch as for Issue 4480. The patch can be applied with 'patch -p1 < ansi.patch'. Tested OK on OS X 64-bit, OS X 32-bit, Linux x86_64, Linux i686, ARM32 and ARM64. ---------- $ cat ansi.patch diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index de80f95..968358f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -74,7 +74,7 @@ typedef struct async_fibre_st { int env_init; } async_fibre; -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) +static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) { o->env_init = 1; diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c index 3ccf9d5..1914be5 100644 --- a/engines/afalg/e_afalg.c +++ b/engines/afalg/e_afalg.c @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { static EVP_CIPHER *_hidden_aes_128_cbc = NULL; -static inline int io_setup(unsigned n, aio_context_t *ctx) +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) { return syscall(__NR_io_setup, n, ctx); } -static inline int eventfd(int n) +static ossl_inline int eventfd(int n) { return syscall(__NR_eventfd, n); } -static inline int io_destroy(aio_context_t ctx) +static ossl_inline int io_destroy(aio_context_t ctx) { return syscall(__NR_io_destroy, ctx); } -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) { return syscall(__NR_io_submit, ctx, n, iocb); } -static inline int io_getevents(aio_context_t ctx, long min, long max, +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, struct io_event *events, struct timespec *timeout) { @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, memset(cb, '\0', sizeof(*cb)); cb->aio_fildes = sfd; cb->aio_lio_opcode = IOCB_CMD_PREAD; - cb->aio_buf = (unsigned long)buf; + cb->aio_buf = (uint64_t)buf; cb->aio_offset = 0; cb->aio_data = 0; cb->aio_nbytes = len; @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, return 1; } -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, const unsigned int op) { cmsg->cmsg_level = SOL_ALG; @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, const unsigned char *iv, memcpy(aiv->iv, iv, len); } -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, const int klen) { int ret; diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index bbd6116..73058c0 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -264,7 +264,15 @@ extern "C" { # ifndef ossl_ssize_t # define ossl_ssize_t ssize_t -# define OSSL_SSIZE_MAX SSIZE_MAX +# if defined(SSIZE_MAX) +# define OSSL_SSIZE_MAX SSIZE_MAX +# elif defined(_POSIX_SSIZE_MAX) +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX +# elif (__WORDSIZE == 64) +# define OSSL_SSIZE_MAX LONG_MAX +# elif(__WORDSIZE == 32) +# define OSSL_SSIZE_MAX INT_MAX +# endif # endif # ifdef DEBUG_UNUSED diff --git a/test/ssltest.c b/test/ssltest.c index a2dd445..6c1575c 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -140,8 +140,12 @@ */ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ -#define _BSD_SOURCE 1 -#define _DEFAULT_SOURCE 1 +#ifndef _BSD_SOURCE +# define _BSD_SOURCE 1 +#endif +#ifndef _DEFAULT_SOURCE +# define _DEFAULT_SOURCE 1 +#endif #include #include -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 3700 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 16:31:14 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 16:31:14 +0000 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: Here's the rollup patch that makes -ansi work. Most of it was "inline" -> "ossl_inline". Some hoops were jumped through to get SSIZE_MAX defined correctly. Drepper signed-off on roughly the same fix about 15 years ago for glibc; see http://sourceware.org/ml/libc-hacker/2002-08/msg00031.html. To configure: ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ automatically. Its the same patch as for Issue 4480. The patch can be applied with 'patch -p1 < ansi.patch'. Tested OK on OS X 64-bit, OS X 32-bit, Linux x86_64, Linux i686, ARM32 and ARM64. ---------- $ cat ansi.patch diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h index de80f95..968358f 100644 --- a/crypto/async/arch/async_posix.h +++ b/crypto/async/arch/async_posix.h @@ -74,7 +74,7 @@ typedef struct async_fibre_st { int env_init; } async_fibre; -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) +static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) { o->env_init = 1; diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c index 3ccf9d5..1914be5 100644 --- a/engines/afalg/e_afalg.c +++ b/engines/afalg/e_afalg.c @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { static EVP_CIPHER *_hidden_aes_128_cbc = NULL; -static inline int io_setup(unsigned n, aio_context_t *ctx) +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) { return syscall(__NR_io_setup, n, ctx); } -static inline int eventfd(int n) +static ossl_inline int eventfd(int n) { return syscall(__NR_eventfd, n); } -static inline int io_destroy(aio_context_t ctx) +static ossl_inline int io_destroy(aio_context_t ctx) { return syscall(__NR_io_destroy, ctx); } -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) { return syscall(__NR_io_submit, ctx, n, iocb); } -static inline int io_getevents(aio_context_t ctx, long min, long max, +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, struct io_event *events, struct timespec *timeout) { @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, memset(cb, '\0', sizeof(*cb)); cb->aio_fildes = sfd; cb->aio_lio_opcode = IOCB_CMD_PREAD; - cb->aio_buf = (unsigned long)buf; + cb->aio_buf = (uint64_t)buf; cb->aio_offset = 0; cb->aio_data = 0; cb->aio_nbytes = len; @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, unsigned char *buf, return 1; } -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, const unsigned int op) { cmsg->cmsg_level = SOL_ALG; @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, const unsigned char *iv, memcpy(aiv->iv, iv, len); } -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, const int klen) { int ret; diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index bbd6116..73058c0 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -264,7 +264,15 @@ extern "C" { # ifndef ossl_ssize_t # define ossl_ssize_t ssize_t -# define OSSL_SSIZE_MAX SSIZE_MAX +# if defined(SSIZE_MAX) +# define OSSL_SSIZE_MAX SSIZE_MAX +# elif defined(_POSIX_SSIZE_MAX) +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX +# elif (__WORDSIZE == 64) +# define OSSL_SSIZE_MAX LONG_MAX +# elif(__WORDSIZE == 32) +# define OSSL_SSIZE_MAX INT_MAX +# endif # endif # ifdef DEBUG_UNUSED diff --git a/test/ssltest.c b/test/ssltest.c index a2dd445..6c1575c 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -140,8 +140,12 @@ */ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ -#define _BSD_SOURCE 1 -#define _DEFAULT_SOURCE 1 +#ifndef _BSD_SOURCE +# define _BSD_SOURCE 1 +#endif +#ifndef _DEFAULT_SOURCE +# define _DEFAULT_SOURCE 1 +#endif #include #include -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4479 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 3700 bytes Desc: not available URL: From rt at openssl.org Fri Mar 25 16:48:37 2016 From: rt at openssl.org (Michel via RT) Date: Fri, 25 Mar 2016 16:48:37 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <005101d186b6$22c34f10$6849ed30$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <005101d186b6$22c34f10$6849ed30$@sales@free.fr> Message-ID: Thank's Steve. So, if I understand you correctly, we can assume that for files whose data size is lower than the buffer size - which we can adjust - it will always work. Right ? If yes, it looks to me still better than not being able to use it at all. And for big files, we could warn about this in the documentation. Can I expect my patch to be applied as this anyway ? Would you prefered I remove the part concerning the wrap mode ? Thanks again for any advice, Regards, Michel -----Message d'origine----- De : Stephen Henson via RT [mailto:rt at openssl.org] Envoy? : vendredi 25 mars 2016 14:15 ? : michel.sales at free.fr Cc : openssl-dev at openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command The enc command uses a cipher BIO chain which requires that a cipher is able to stream. That means the output doesn't depend on how the input is presented: e.g. all in one piece or one byte at a time. The wrap modes by their very nature cannot stream and so cannot work easily with the enc command. It may work for some cases but if buffers fill and you end up getting data in more than one piece the result is different. There are other modes which have problem with streaming too such as CCM. I think supporting wrap modes in the 'enc' utility is a good idea but it unfortunately requires rather more significant changes to bypass the cipher BIO mechanism and present the data in a single operation where required. That would also mean things like chaining (base64 operations) cannot work. We support tests already in evptests.txt: some additions in there would be welcome. Steve. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 16:49:27 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 25 Mar 2016 16:49:27 +0000 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: Vid Fre, 25 Mar 2016 kl. 16.31.14, skrev noloader at gmail.com: > To configure: > > ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ > > I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ > automatically. Why do you give it the value __STRICT_ANSI__? All documentation I find suggests it's enough to simply define it. See man page feature_test_macros(7) on Linux (at least) The alternative is, of course, to define _DEFAULT_SOURCE in the files where -ansi becomes a problem. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4479 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 17:00:57 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 25 Mar 2016 17:00:57 +0000 Subject: [openssl-dev] [openssl.org #4480] Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: Vid Fre, 25 Mar 2016 kl. 10.29.39, skrev noloader at gmail.com: > gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 > -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF > crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o > crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c > In file included from /usr/include/netdb.h:27:0, > from ./e_os.h:443, > from crypto/bio/bio_lcl.h:2, > from crypto/bio/bss_dgram.c:62: > crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? > && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) > ^ > crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no > member named ?s6_addr32? This is particularly disturbing... It suggests that the diverse network system headers have bugs under certain circumstances... -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted From noloader at gmail.com Fri Mar 25 17:01:55 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 13:01:55 -0400 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: On Fri, Mar 25, 2016 at 12:49 PM, Richard Levitte via RT wrote: > Vid Fre, 25 Mar 2016 kl. 16.31.14, skrev noloader at gmail.com: >> To configure: >> >> ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ >> >> I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ >> automatically. > > Why do you give it the value __STRICT_ANSI__? All documentation I find suggests > it's enough to simply define it. See man page feature_test_macros(7) on Linux > (at least) > > The alternative is, of course, to define _DEFAULT_SOURCE in the files where > -ansi becomes a problem. That was based on examining /usr/include/features.h and the comment for _DEFAULT_SOURCE: _DEFAULT_SOURCE The default set of features (taking precedence over __STRICT_ANSI__). How do you convey features by just defining it? It seems like it needs an argument, like _DEFAULT_SOURCE=__STRICT_ANSI__ or _DEFAULT_SOURCE=_POSIX_SOURCE. But its definitely not my area of expertise. I've never had to define to before. Jeff From rt at openssl.org Fri Mar 25 17:01:58 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 17:01:58 +0000 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: On Fri, Mar 25, 2016 at 12:49 PM, Richard Levitte via RT wrote: > Vid Fre, 25 Mar 2016 kl. 16.31.14, skrev noloader at gmail.com: >> To configure: >> >> ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ >> >> I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ >> automatically. > > Why do you give it the value __STRICT_ANSI__? All documentation I find suggests > it's enough to simply define it. See man page feature_test_macros(7) on Linux > (at least) > > The alternative is, of course, to define _DEFAULT_SOURCE in the files where > -ansi becomes a problem. That was based on examining /usr/include/features.h and the comment for _DEFAULT_SOURCE: _DEFAULT_SOURCE The default set of features (taking precedence over __STRICT_ANSI__). How do you convey features by just defining it? It seems like it needs an argument, like _DEFAULT_SOURCE=__STRICT_ANSI__ or _DEFAULT_SOURCE=_POSIX_SOURCE. But its definitely not my area of expertise. I've never had to define to before. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4479 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 17:25:24 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Fri, 25 Mar 2016 17:25:24 +0000 Subject: [openssl-dev] [openssl.org #4483] Re: [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: <56F57483.3040407@openssl.org> References: <20160325115042.5b8be48f@pc1> <20160325165154.638dabc6@pc1> <56F57483.3040407@openssl.org> Message-ID: > Attached is an updated version of the test with an additional test > vector. This one happens on 64 bit and not on 32 bit. Got it. It will take some time to perform cross-checks. Thanks! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From jeremy.farrell at oracle.com Fri Mar 25 17:32:04 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Fri, 25 Mar 2016 17:32:04 +0000 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: <56F57614.9030106@oracle.com> On 25/03/2016 16:31, Jeffrey Walton wrote: > Here's the rollup patch that makes -ansi work. Most of it was "inline" > -> "ossl_inline". > > Some hoops were jumped through to get SSIZE_MAX defined correctly. > Drepper signed-off on roughly the same fix about 15 years ago for > glibc; see http://sourceware.org/ml/libc-hacker/2002-08/msg00031.html. Just out of interest, what requirement is there to be able to build with compilers which support only a 27 year old version of C which was superseded 17 years ago? I can't imagine much need to build now with compilers which don't support at least the most popular features of C99 like inline. After recent pruning OpenSSL still supports an impressive range of platforms and compilers; are any of them known to support nothing newer than C89? -- J. J. Farrell Not speaking for Oracle. -------------- next part -------------- An HTML attachment was scrubbed... URL: From noloader at gmail.com Fri Mar 25 17:33:12 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 13:33:12 -0400 Subject: [openssl-dev] [openssl.org #4480] Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: On Fri, Mar 25, 2016 at 1:00 PM, Richard Levitte via RT wrote: > Vid Fre, 25 Mar 2016 kl. 10.29.39, skrev noloader at gmail.com: >> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 >> -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF >> crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o >> crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c >> In file included from /usr/include/netdb.h:27:0, >> from ./e_os.h:443, >> from crypto/bio/bio_lcl.h:2, >> from crypto/bio/bss_dgram.c:62: >> crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: >> crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no >> member named ?s6_addr32? >> && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) >> ^ >> crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no >> member named ?s6_addr32? > > This is particularly disturbing... It suggests that the diverse network system > headers have bugs under certain circumstances... Yeah, I did not quite understand it either. I think its because ANSI, POSIX, et al only require a 'struct in6_addr'. They don't require the other members. Looking at the two definitions of in6_addr showed both guarded the additional members. The following is from a mostly GNU Linux machine (Ubuntu): Here one (/usr/include/linux/in6.h): #if __UAPI_DEF_IN6_ADDR struct in6_addr { union { __u8 u6_addr8[16]; #if __UAPI_DEF_IN6_ADDR_ALT __be16 u6_addr16[8]; __be32 u6_addr32[4]; #endif } in6_u; #define s6_addr in6_u.u6_addr8 #if __UAPI_DEF_IN6_ADDR_ALT #define s6_addr16 in6_u.u6_addr16 #define s6_addr32 in6_u.u6_addr32 #endif }; #endif /* __UAPI_DEF_IN6_ADDR */ And here's the other (/usr/include/netinet/in.h): #ifndef __USE_KERNEL_IPV6_DEFS /* IPv6 address */ struct in6_addr { union { uint8_t __u6_addr8[16]; #ifdef __USE_MISC uint16_t __u6_addr16[8]; uint32_t __u6_addr32[4]; #endif } __in6_u; #define s6_addr __in6_u.__u6_addr8 #ifdef __USE_MISC # define s6_addr16 __in6_u.__u6_addr16 # define s6_addr32 __in6_u.__u6_addr32 #endif }; #endif /* !__USE_KERNEL_IPV6_DEFS */ Jeff From rt at openssl.org Fri Mar 25 17:33:24 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Fri, 25 Mar 2016 17:33:24 +0000 Subject: [openssl-dev] [openssl.org #4480] Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: On Fri, Mar 25, 2016 at 1:00 PM, Richard Levitte via RT wrote: > Vid Fre, 25 Mar 2016 kl. 10.29.39, skrev noloader at gmail.com: >> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC >> -DOPENSSLDIR="\"/usr/local/ssl\"" >> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 >> -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF >> crypto/bio/bss_dgram.d.tmp -MT crypto/bio/bss_dgram.o -c -o >> crypto/bio/bss_dgram.o crypto/bio/bss_dgram.c >> In file included from /usr/include/netdb.h:27:0, >> from ./e_os.h:443, >> from crypto/bio/bio_lcl.h:2, >> from crypto/bio/bss_dgram.c:62: >> crypto/bio/bss_dgram.c: In function ?dgram_get_mtu_overhead?: >> crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no >> member named ?s6_addr32? >> && IN6_IS_ADDR_V4MAPPED(&tmp_addr)) >> ^ >> crypto/bio/bss_dgram.c:433:20: error: ?const struct in6_addr? has no >> member named ?s6_addr32? > > This is particularly disturbing... It suggests that the diverse network system > headers have bugs under certain circumstances... Yeah, I did not quite understand it either. I think its because ANSI, POSIX, et al only require a 'struct in6_addr'. They don't require the other members. Looking at the two definitions of in6_addr showed both guarded the additional members. The following is from a mostly GNU Linux machine (Ubuntu): Here one (/usr/include/linux/in6.h): #if __UAPI_DEF_IN6_ADDR struct in6_addr { union { __u8 u6_addr8[16]; #if __UAPI_DEF_IN6_ADDR_ALT __be16 u6_addr16[8]; __be32 u6_addr32[4]; #endif } in6_u; #define s6_addr in6_u.u6_addr8 #if __UAPI_DEF_IN6_ADDR_ALT #define s6_addr16 in6_u.u6_addr16 #define s6_addr32 in6_u.u6_addr32 #endif }; #endif /* __UAPI_DEF_IN6_ADDR */ And here's the other (/usr/include/netinet/in.h): #ifndef __USE_KERNEL_IPV6_DEFS /* IPv6 address */ struct in6_addr { union { uint8_t __u6_addr8[16]; #ifdef __USE_MISC uint16_t __u6_addr16[8]; uint32_t __u6_addr32[4]; #endif } __in6_u; #define s6_addr __in6_u.__u6_addr8 #ifdef __USE_MISC # define s6_addr16 __in6_u.__u6_addr16 # define s6_addr32 __in6_u.__u6_addr32 #endif }; #endif /* !__USE_KERNEL_IPV6_DEFS */ Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted From jeremy.farrell at oracle.com Fri Mar 25 17:42:11 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Fri, 25 Mar 2016 17:42:11 +0000 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: <56F57873.4020204@oracle.com> On 25/03/2016 17:01, Jeffrey Walton wrote: > On Fri, Mar 25, 2016 at 12:49 PM, Richard Levitte via RT wrote: >> Vid Fre, 25 Mar 2016 kl. 16.31.14, skrev noloader at gmail.com: >>> To configure: >>> >>> ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ >>> >>> I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ >>> automatically. >> Why do you give it the value __STRICT_ANSI__? All documentation I find suggests >> it's enough to simply define it. See man page feature_test_macros(7) on Linux >> (at least) >> >> The alternative is, of course, to define _DEFAULT_SOURCE in the files where >> -ansi becomes a problem. > That was based on examining /usr/include/features.h and the comment > for _DEFAULT_SOURCE: > > _DEFAULT_SOURCE The default set of features (taking precedence > over __STRICT_ANSI__). > > How do you convey features by just defining it? It seems like it needs > an argument, like _DEFAULT_SOURCE=__STRICT_ANSI__ or > _DEFAULT_SOURCE=_POSIX_SOURCE. > > But its definitely not my area of expertise. I've never had to define to before. > > Jeff It's the fact of its being defined which indicates features - it's tested in the GNU headers to decide what functionality to make visible. The norm is just to define it, or to define it to 1; setting it to __STRICT_ANSI__ would be a very confusing thing to do since the whole point of defining it is to say that you don't want __STRICT_ANSI__. Why do you want to be able to build on an OS released in 2012 with a C89-only compiler? I'm probably missing something, but I'm struggling to understand the point of this. -- J. J. Farrell Not speaking for Oracle. -------------- next part -------------- An HTML attachment was scrubbed... URL: From noloader at gmail.com Fri Mar 25 17:55:26 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 13:55:26 -0400 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: <56F57614.9030106@oracle.com> References: <56F57614.9030106@oracle.com> Message-ID: > Just out of interest, what requirement is there to be able to build with > compilers which support only a 27 year old version of C which was superseded > 17 years ago? I can't imagine much need to build now with compilers which > don't support at least the most popular features of C99 like inline. I can't really answer what's the reason for ANSI C or std=c90. The project sets its goals, so I'll have to leave that up to folks like Dr. Henson, Andy, Richard, Matt and Viktor. What I've found is compiler have personalities. Each will tolerate a certain amount of non-standardness and make you think the code is OK. Sometimes its done insidiously under the guise of implementation-defined. In a vacuum, its mostly useless. In the big picture, when taken and mixed with all the other personalities, it leads to more robust code by driving out the non-standard parts tolerated by the personality. You are left with a union that can run nearly anywhere without trouble. I've also found that once the testing infrastructure is sound, its easy to support 10 or 20 years. That's only 2 or 3 major revisions of . Thorough testing will let you know when you're not meeting your goals. You'll find it before the user, and the fix will be checked in before a user even notices. In another project I work with, we're happy to support the old stuff like C++03. We don't want to dictate policy, and we want the user to have choices. If you want to build on a 10 or 15 year old system and it makes you happy, then hat's off to you. Jeff From noloader at gmail.com Fri Mar 25 18:16:59 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 14:16:59 -0400 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: <56F57873.4020204@oracle.com> References: <56F57873.4020204@oracle.com> Message-ID: > It's the fact of its being defined which indicates features - it's tested in > the GNU headers to decide what functionality to make visible. The norm is > just to define it, or to define it to 1; setting it to __STRICT_ANSI__ would > be a very confusing thing to do since the whole point of defining it is to > say that you don't want __STRICT_ANSI__. Thanks, I parsed the comments in the header incorrectly. > Why do you want to be able to build on an OS released in 2012 with a > C89-only compiler? I'm probably missing something, but I'm struggling to > understand the point of this. I'm not sure what the reason are. But for me, as long as its a claim or a requirement, it gets tested to ensure goals are being met. Jeff From levitte at openssl.org Fri Mar 25 18:28:34 2016 From: levitte at openssl.org (Richard Levitte) Date: Fri, 25 Mar 2016 19:28:34 +0100 (CET) Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: <56F57873.4020204@oracle.com> Message-ID: <20160325.192834.1244786136945194540.levitte@openssl.org> In message on Fri, 25 Mar 2016 14:16:59 -0400, Jeffrey Walton said: noloader> > Why do you want to be able to build on an OS released in 2012 with a noloader> > C89-only compiler? I'm probably missing something, but I'm struggling to noloader> > understand the point of this. noloader> noloader> I'm not sure what the reason are. But for me, as long as its a claim noloader> or a requirement, it gets tested to ensure goals are being met. An ANSI compiler is not strict requirement, but rather a minimum. That means we need to refrain from using more modern language features such as // comments, lambda functions, try/except/failure and the like. Obviously, we need to handle strict ANSI a bit better. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Fri Mar 25 18:46:43 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Fri, 25 Mar 2016 14:46:43 -0400 Subject: [openssl-dev] [openssl.org #4479] OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: <20160325.192834.1244786136945194540.levitte@openssl.org> References: <56F57873.4020204@oracle.com> <20160325.192834.1244786136945194540.levitte@openssl.org> Message-ID: On Fri, Mar 25, 2016 at 2:28 PM, Richard Levitte wrote: > In message on Fri, 25 Mar 2016 14:16:59 -0400, Jeffrey Walton said: > > noloader> > Why do you want to be able to build on an OS released in 2012 with a > noloader> > C89-only compiler? I'm probably missing something, but I'm struggling to > noloader> > understand the point of this. > noloader> > noloader> I'm not sure what the reason are. But for me, as long as its a claim > noloader> or a requirement, it gets tested to ensure goals are being met. > > An ANSI compiler is not strict requirement, but rather a minimum. > That means we need to refrain from using more modern language features > such as // comments, lambda functions, try/except/failure and the > like. OK, thanks. Use what you'd like out of the patch, or discard it in its entirety. Its community property, like a wiki article. I expect it to be edited mercilessly. I find the interesting thing to be, when I started at the structure and worked backwards, it made sense. When you and Jeremy started at the macro and worked inwards, it turned things on its head. Sorry about the extra noise. Jeff From rt at openssl.org Fri Mar 25 18:56:13 2016 From: rt at openssl.org (David Benjamin via RT) Date: Fri, 25 Mar 2016 18:56:13 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: References: <20160325115042.5b8be48f@pc1> <20160325165154.638dabc6@pc1> <56F57483.3040407@openssl.org> Message-ID: For x86-64, this seems to be the bug: $ git diff diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/ poly1305-x86_64.pl index 3c810c5..bc14ed1 100755 --- a/crypto/poly1305/asm/poly1305-x86_64.pl +++ b/crypto/poly1305/asm/poly1305-x86_64.pl @@ -97,6 +97,7 @@ $code.=<<___; add $d3,%rax add %rax,$h0 adc \$0,$h1 + adc \$0,$h2 ___ } In the final reduction, $h1 is all ones, so there is one more carry to propagate. Though $h2 can then overflow its two bits, I think? I expect that and the cleared bits of r mean the imulqs in poly1305_iteration are still safe, so we can pick up that slack in poly1305_emit, but I'm not sure about all the complex switching back and forth in the SIMD codepaths. Does __poly1305_block need to follow up with one more reduction? I seem to be able to reproduce failures on all four of {32,64}-bit {arm,x86}. I'm guessing the other three have similar issues, but I haven't looked at them yet. David On Fri, Mar 25, 2016 at 1:25 PM Andy Polyakov via RT wrote: > > Attached is an updated version of the test with an additional test > > vector. This one happens on 64 bit and not on 32 bit. > > Got it. It will take some time to perform cross-checks. Thanks! > > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 19:07:44 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Fri, 25 Mar 2016 19:07:44 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: <56F58C7F.8010109@openssl.org> References: <20160325115042.5b8be48f@pc1> <56F57483.3040407@openssl.org> <56F58C7F.8010109@openssl.org> Message-ID: > For x86-64, this seems to be the bug: > > $ git diff > diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl b/crypto/poly1305/asm/ > poly1305-x86_64.pl > index 3c810c5..bc14ed1 100755 > --- a/crypto/poly1305/asm/poly1305-x86_64.pl > +++ b/crypto/poly1305/asm/poly1305-x86_64.pl > @@ -97,6 +97,7 @@ $code.=<<___; > add $d3,%rax > add %rax,$h0 > adc \$0,$h1 > + adc \$0,$h2 > ___ > } Correct. Testing is done on all platforms. > In the final reduction, $h1 is all ones, so there is one more carry to > propagate. Though $h2 can then overflow its two bits, I think? I expect > that and the cleared bits of r mean the imulqs in poly1305_iteration are > still safe, so we can pick up that slack in poly1305_emit, but I'm not sure > about all the complex switching back and forth in the SIMD codepaths. Does > __poly1305_block need to follow up with one more reduction? That additional adc goes to a perl subroutine that is used in both poly1305_blocks and __poly1305_blocks, so modification covers both. Pure SIMD paths (or FP) are not affected... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 19:26:30 2016 From: rt at openssl.org (David Benjamin via RT) Date: Fri, 25 Mar 2016 19:26:30 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: References: <20160325115042.5b8be48f@pc1> <56F58C7F.8010109@openssl.org> Message-ID: On Fri, Mar 25, 2016 at 3:07 PM Andy Polyakov via RT wrote: > > For x86-64, this seems to be the bug: > > > > $ git diff > > diff --git a/crypto/poly1305/asm/poly1305-x86_64.pl > b/crypto/poly1305/asm/ > > poly1305-x86_64.pl > > index 3c810c5..bc14ed1 100755 > > --- a/crypto/poly1305/asm/poly1305-x86_64.pl > > +++ b/crypto/poly1305/asm/poly1305-x86_64.pl > > @@ -97,6 +97,7 @@ $code.=<<___; > > add $d3,%rax > > add %rax,$h0 > > adc \$0,$h1 > > + adc \$0,$h2 > > ___ > > } > > Correct. Testing is done on all platforms. > > > In the final reduction, $h1 is all ones, so there is one more carry to > > propagate. Though $h2 can then overflow its two bits, I think? I expect > > that and the cleared bits of r mean the imulqs in poly1305_iteration are > > still safe, so we can pick up that slack in poly1305_emit, but I'm not > sure > > about all the complex switching back and forth in the SIMD codepaths. > Does > > __poly1305_block need to follow up with one more reduction? > > That additional adc goes to a perl subroutine that is used in both > poly1305_blocks and __poly1305_blocks, so modification covers both. Pure > SIMD paths (or FP) are not affected... > Right. What I meant is that a fully reduced h has $h2 < 4. Is it possible that $h2, after that adc, ends up at 4, exceeding that bound? If it were, that would require one more reduction. In the non-SIMD paths, I believe this is fine because $r0's and $r1's cleared high bits mean we should have plenty of slack to leave that unreduced. (And indeed its normally not reduced on input from the addition.) Then poly1305_emit's reduction after adding s will resolve things before output. But, in the SIMD paths, __poly1305_blocks is called and then bits are shifted without any reduction. Wouldn't that cause a problem? Or is this situation impossible? David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 19:49:35 2016 From: rt at openssl.org (Rich Salz via RT) Date: Fri, 25 Mar 2016 19:49:35 +0000 Subject: [openssl-dev] [openssl.org #4475] PATCH: fix cast-alignment of "struct lhash_st *" In-Reply-To: References: Message-ID: Done (the two-element union). Thanks! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4475 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 19:53:35 2016 From: rt at openssl.org (Michel via RT) Date: Fri, 25 Mar 2016 19:53:35 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <006a01d186cf$f6370c10$e2a52430$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <005101d186b6$22c34f10$6849ed30$@sales@free.fr> <006a01d186cf$f6370c10$e2a52430$@sales@free.fr> Message-ID: To be sure I understand you well (again, excuse my laborious english), do you think everything will work fine as expected, even using a BIO chain if, for Wrap and CCM modes only, we use a buffer as big as the data size to encrypt (with an upper limit), and we do not loop reading data (lines 604-612), and only work with 'regular' files (disable the use of stdin) ? Michel. -----Message d'origine----- De : openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Michel via RT Envoy? : vendredi 25 mars 2016 17:49 Cc : openssl-dev at openssl.org Objet : Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command Thank's Steve. So, if I understand you correctly, we can assume that for files whose data size is lower than the buffer size - which we can adjust - it will always work. Right ? If yes, it looks to me still better than not being able to use it at all. And for big files, we could warn about this in the documentation. Can I expect my patch to be applied as this anyway ? Would you prefered I remove the part concerning the wrap mode ? Thanks again for any advice, Regards, Michel -----Message d'origine----- De : Stephen Henson via RT [mailto:rt at openssl.org] Envoy? : vendredi 25 mars 2016 14:15 ? : michel.sales at free.fr Cc : openssl-dev at openssl.org Objet : [openssl.org #4472] [PATCH] alllowing wrap mode using enc command The enc command uses a cipher BIO chain which requires that a cipher is able to stream. That means the output doesn't depend on how the input is presented: e.g. all in one piece or one byte at a time. The wrap modes by their very nature cannot stream and so cannot work easily with the enc command. It may work for some cases but if buffers fill and you end up getting data in more than one piece the result is different. There are other modes which have problem with streaming too such as CCM. I think supporting wrap modes in the 'enc' utility is a good idea but it unfortunately requires rather more significant changes to bypass the cipher BIO mechanism and present the data in a single operation where required. That would also mean things like chaining (base64 operations) cannot work. We support tests already in evptests.txt: some additions in there would be welcome. Steve. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted From jeremy.farrell at oracle.com Fri Mar 25 20:07:54 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Fri, 25 Mar 2016 20:07:54 +0000 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: <56F57614.9030106@oracle.com> Message-ID: <56F59A9A.1060309@oracle.com> On 25/03/2016 17:55, Jeffrey Walton wrote: >> Just out of interest, what requirement is there to be able to build with >> compilers which support only a 27 year old version of C which was superseded >> 17 years ago? I can't imagine much need to build now with compilers which >> don't support at least the most popular features of C99 like inline. > I can't really answer what's the reason for ANSI C or std=c90. The > project sets its goals, so I'll have to leave that up to folks like > Dr. Henson, Andy, Richard, Matt and Viktor. I'd misunderstood what you were doing here; I thought this was just something you were playing with yourself rather than an officially supported configuration option which you were checking. Thanks for the great work you're doing checking all the options and combinations by the way, it's flushing out a lot of things that will save me some effort later ... > ... > > In another project I work with, we're happy to support the old stuff > like C++03. We don't want to dictate policy, and we want the user to > have choices. If you want to build on a 10 or 15 year old system and > it makes you happy, then hat's off to you. > > Jeff I agree that OpenSSL should support older compilers and environments, but it's a question of how far back it's worth going and how much effort and code complexity it warrants to do it. Most of the things I work on target environments with a compiler capable of at least C89 plus a core subset of the functionality added in C95 and C99 - mostly the bits that many compilers were already supporting in the early 90's such as 'inline' and (gulp) C++ line-end comments. Unless there are supported platforms which require it, it seems a bit excessive to have code complexity to work with compilers which support only C as it was 27 years and 2 major language standard revisions ago. -- J. J. Farrell Not speaking for Oracle. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rt at openssl.org Fri Mar 25 20:51:10 2016 From: rt at openssl.org (Craig A. Berry via RT) Date: Fri, 25 Mar 2016 20:51:10 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: I?ve seen test failures in a recent build from git master that look like: Failed! -9494949494FAFFFFFFE0000000000000001111111164646464 / 4000000000000000000000000 - -25252525253EBFFFFFF8000000 => -0x1 Failed! -9494949494FAFFFFFFE0000000000000001111111164646464 / 8000000000000000000000000 - -12929292929F5FFFFFFC000000 => -0x1 Failed! -9494949494FAFFFFFFE0000000000000001111111164646464 / 10000000000000000000000000 - -9494949494FAFFFFFFE000000 => -0x1 # Failed test 'verify test BN_rshift' # at [.recipes]10-test_bn.t line 55. and it is BN_rshift, BN_div, and BN_div_recp that all fail this way (in other words. always big number division). Then I noticed that these failures don?t happen when I?m using Perl 5.22.1, but they do fail when I?m using a development snapshot of what will become Perl 5.24.0 in a month or two. And that in turn is because the development stream of Perl contains Math::BigInt 1.999701, which gives -0x1 as the result of the following test program, whereas the result was 0x0 (as expected by the OpenSSL test suite) with previous versions of Math::BigInt: $ cat testcase.pl use strict; use warnings; use Math::BigInt; my $operand1 = Math::BigInt->from_hex('-F7C3C3DADA0000FFA028FFFFFFFF4CFF737300000000003E3E'); my $operand2 = Math::BigInt->from_hex('4'); $operand1->bdiv($operand2); my $operand3 = Math::BigInt->from_hex('-3DF0F0F6B680003FE80A3FFFFFFFD33FDCDCC0000000000F8F'); $operand1->bsub($operand3); print $operand1->as_hex() . "\n"; exit ($operand1->as_hex() eq '0x0' ? 0 : 1); [end] I reported this to the Math::BigInt maintainer, who explains that the change fixes a bug in which, "The code did truncated division whereas the documentation said that floored division was used" and he changed the code to match the documentation. See: So, does the big number library in OpenSSL need a similar fix? Or is there something about the test generation code in test/bntest.c that is doing truncated division unintentionally when it really means to be doing floored division? Or is truncated division intentional and we now have a problem using Math::BigInt as a reference since that?s not what it does anymore? Something else I?ve missed? I don?t know the answers to those questions, but I would hate to see either OpenSSL 1.1.0 or Perl 5.24.0 considered duff releases because there are test failures when used in combination. The above reproducer should be sensitive only to Math::BigInt version. The environment where I first encountered the test failures was a default configuration of: $ git describe OpenSSL_1_1_0-pre4-122-ga5bb160 on: $ cc/vers HP C V7.3-020 on OpenVMS IA64 V8.4 but I have also reproduced the test failures on OS X by just doing: $ sudo cpan -i Math::BigInt before building OpenSSL from a git checkout. ________________________________________ Craig A. Berry mailto:craigberry at mac.com "... getting out of a sonnet is much more difficult than getting in." Brad Leithauser -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 21:29:51 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 25 Mar 2016 21:29:51 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: Vid Fre, 25 Mar 2016 kl. 20.51.10, skrev craigberry at mac.com: > I reported this to the Math::BigInt maintainer, who explains that the > change fixes a bug in which, "The code did truncated division whereas > the documentation said that floored division was used" and he changed > the code to match the documentation. See: BN_div does truncated division, which is expressed in other terms in the comment in crypto/bn/bn_div.c: /*- * BN_div computes dv := num / divisor, rounding towards * zero, and sets up rm such that dv*divisor + rm = num holds. * Thus: * dv->neg == num->neg ^ divisor->neg (unless the result is zero) * rm->neg == num->neg (unless the remainder is zero) * If 'dv' or 'rm' is NULL, the respective value is not returned. */ keywords being "rounding towards zero". > Or is truncated division intentional and we now have a problem using > Math::BigInt as a reference since that?s not what it does anymore? I wouldn't dare change BN_div's behaviour in this regard. It might not be as mathematically correct, but there's too much else possibly relying on the current behaviour. However, if you have a look at test/recipes/bc.pl, you'll see that there's a "fix" of modulo because there's already a difference between what OpenSSL's modulo does and what Math::BigInt's modulo does. I don't think it would be too hard to do something similar for division. > but I have also reproduced the test failures on OS X by just doing: > > $ sudo cpan -i Math::BigInt Ok. -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted From rt at openssl.org Fri Mar 25 23:05:35 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Fri, 25 Mar 2016 23:05:35 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: I've attached a tentative patch for test/recipes/bc.pl. Would you be willing to try it out? Vid Fre, 25 Mar 2016 kl. 21.29.50, skrev levitte: > Vid Fre, 25 Mar 2016 kl. 20.51.10, skrev craigberry at mac.com: > > I reported this to the Math::BigInt maintainer, who explains that the > > change fixes a bug in which, "The code did truncated division whereas > > the documentation said that floored division was used" and he changed > > the code to match the documentation. See: > > BN_div does truncated division, which is expressed in other terms in > the comment in crypto/bn/bn_div.c: > > /*- * BN_div computes dv := num / divisor, rounding towards * zero, > and sets up > rm such that dv*divisor + rm = num holds. * Thus: * dv->neg == num- > >neg ^ > divisor->neg (unless the result is zero) * rm->neg == num->neg (unless > the > remainder is zero) * If 'dv' or 'rm' is NULL, the respective value is > not > returned. */ > keywords being "rounding towards zero". > > Or is truncated division intentional and we now have a problem using > > Math::BigInt as a reference since that?s not what it does anymore? > > I wouldn't dare change BN_div's behaviour in this regard. It might not > be > as mathematically correct, but there's too much else possibly relying > on > the current behaviour. > > However, if you have a look at test/recipes/bc.pl, you'll see that > there's > a "fix" of modulo because there's already a difference between what > OpenSSL's modulo does and what Math::BigInt's modulo does. I don't > think it would be too hard to do something similar for division. > > > but I have also reproduced the test failures on OS X by just doing: > > > > $ sudo cpan -i Math::BigInt > > Ok. > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: bc.pl.patch Type: text/x-patch Size: 872 bytes Desc: not available URL: From rt at openssl.org Sat Mar 26 02:38:47 2016 From: rt at openssl.org (Craig A. Berry via RT) Date: Sat, 26 Mar 2016 02:38:47 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: Wow, that was fast. The patch looks good here: now all tests pass on systems with and without the Math::BigInt changes. Thanks! > On Mar 25, 2016, at 6:05 PM, Richard Levitte via RT wrote: > > I've attached a tentative patch for test/recipes/bc.pl. Would you be willing to > try it out? > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 > Please log in as guest with password guest if prompted > > diff --git a/test/recipes/bc.pl b/test/recipes/bc.pl > index 29a4a8a..f7d4dc6 100644 > --- a/test/recipes/bc.pl > +++ b/test/recipes/bc.pl > @@ -46,7 +46,16 @@ sub __multiplier { > if ($operator eq "*") { > $operand1->bmul($operand2); > } elsif ($operator eq "/") { > + # Math::BigInt->bdiv() is documented to do floored division, > + # i.e. 1 / -4 = -1, while bc and OpenSSL BN_div do truncated > + # division, i.e. 1 / -4 = 0. We need to make the operation > + # work like OpenSSL's BN_div to be able to verify. > + my $neg = ($operand1->is_neg() > + ? !$operand2->is_neg() : $operand2->is_neg()); > + $operand1->babs(); > + $operand2->babs(); > $operand1->bdiv($operand2); > + if ($neg) { $operand1->bneg(); } > } elsif ($operator eq "%") { > # Here's a bit of a quirk... > # With OpenSSL's BN, as well as bc, the result of -10 % 3 is -1 ________________________________________ Craig A. Berry mailto:craigberry at mac.com "... getting out of a sonnet is much more difficult than getting in." Brad Leithauser -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 26 06:35:55 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sat, 26 Mar 2016 06:35:55 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: Frankly, you did all the work. With your analysis, it became very easy to figure out what needed to be done. Low hanging fruit ;-) So, thank you! Cheers, Richard Vid Sat, 26 Mar 2016 kl. 02.38.47, skrev craigberry at mac.com: > Wow, that was fast. The patch looks good here: now all tests pass on > systems with and without the Math::BigInt changes. Thanks! > > > On Mar 25, 2016, at 6:05 PM, Richard Levitte via RT > > wrote: > > > > I've attached a tentative patch for test/recipes/bc.pl. Would you be > > willing to > > try it out? > > > > > -- > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 > > Please log in as guest with password guest if prompted > > > > diff --git a/test/recipes/bc.pl b/test/recipes/bc.pl > > index 29a4a8a..f7d4dc6 100644 > > --- a/test/recipes/bc.pl > > +++ b/test/recipes/bc.pl > > @@ -46,7 +46,16 @@ sub __multiplier { > > if ($operator eq "*") { > > $operand1->bmul($operand2); > > } elsif ($operator eq "/") { > > + # Math::BigInt->bdiv() is documented to do floored > > division, > > + # i.e. 1 / -4 = -1, while bc and OpenSSL BN_div do > > truncated > > + # division, i.e. 1 / -4 = 0. We need to make the operation > > + # work like OpenSSL's BN_div to be able to verify. > > + my $neg = ($operand1->is_neg() > > + ? !$operand2->is_neg() : $operand2->is_neg()); > > + $operand1->babs(); > > + $operand2->babs(); > > $operand1->bdiv($operand2); > > + if ($neg) { $operand1->bneg(); } > > } elsif ($operator eq "%") { > > # Here's a bit of a quirk... > > # With OpenSSL's BN, as well as bc, the result of -10 % 3 > > is -1 > > ________________________________________ > Craig A. Berry > mailto:craigberry at mac.com > > "... getting out of a sonnet is much more > difficult than getting in." > Brad Leithauser -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 26 15:41:42 2016 From: rt at openssl.org (David Benjamin via RT) Date: Sat, 26 Mar 2016 15:41:42 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: References: <20160325115042.5b8be48f@pc1> <56F58C7F.8010109@openssl.org> Message-ID: On Fri, Mar 25, 2016 at 3:26 PM David Benjamin wrote: > Right. What I meant is that a fully reduced h has $h2 < 4. Is it possible > that $h2, after that adc, ends up at 4, exceeding that bound? If it were, > that would require one more reduction. > > In the non-SIMD paths, I believe this is fine because $r0's and $r1's > cleared high bits mean we should have plenty of slack to leave that > unreduced. (And indeed its normally not reduced on input from the > addition.) Then poly1305_emit's reduction after adding s will resolve > things before output. But, in the SIMD paths, __poly1305_blocks is called > and then bits are shifted without any reduction. Wouldn't that cause a > problem? Or is this situation impossible? > Pondering this some more, I missed that the base 2^26 representation still has six bits extra, so we shouldn't immediately lose that bit. How tolerant is the SIMD code to a partially-reduced h? (I haven't puzzled out how it works yet.) Is this within its bounds? David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Sat Mar 26 16:20:59 2016 From: rt at openssl.org (Michel via RT) Date: Sat, 26 Mar 2016 16:20:59 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <000801d1877b$6d641de0$482c59a0$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <000801d1877b$6d641de0$482c59a0$@sales@free.fr> Message-ID: Hi, Here is an updated patch which prevents 'unstreamable' modes (Wrap only for the moment) to be streamed, while still allowing them to be encrypted or decrypted if the internal buffer size is greater than the total data size. Looks to work just fine to me, but I can still try to improve it if some other issue arises. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: enc-fixes_v2-1.1.0.patch Type: application/octet-stream Size: 12179 bytes Desc: not available URL: From noloader at gmail.com Sat Mar 26 17:38:41 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 26 Mar 2016 13:38:41 -0400 Subject: [openssl-dev] Add cross-compile helpers to official OpenSSL sources? Message-ID: OpenSSL has a few scripts it uses for platforms like Android and iOS. In addition, there are other helper scripts like incore_macho used on the platforms. As far as I know, the bits are not under version control. They are available from the OpenSSL website once you know where to look. There are also updates to those scripts available on the web (disjoint from the official OpenSSL ones). Would it be possible to get those scripts added to OpenSSL sources? From noloader at gmail.com Sat Mar 26 18:56:13 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 26 Mar 2016 14:56:13 -0400 Subject: [openssl-dev] AF_ALG engine support and kernel versions In-Reply-To: References: Message-ID: On Thu, Mar 17, 2016 at 11:38 PM, Jeffrey Walton wrote: > Hi Everyone, > > Looking at the code in engines/afalg/e_afalg.c, there is the following: > > ... > #define K_MAJ 4 > #define K_MIN1 1 > #define K_MIN2 0 > #if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) > # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0" > # warning "Skipping Compilation of AFALG engine" > #else > ... > > It appears AF_ALG was added to the kernel at 2.6.38. Asynchronous I/O > support appears to have surfaced in the kernel at 2.5.23. > > Where is the requirement for 4.1 coming from? This requirement does not look quite right. I've got a Ubuntu 3.19.0-56-generic kernel running on a 5th gen i7 that provides some async drivers for the ciphers. I've also got a Ubuntu 4.2.0-34-generic kernel running on an old VIA C7 that does not provide any async ciphers. I'm also building out-of-tree crypto kernel modules that have the latest patches. In this case, the kernel version has nothing to do with availability of async ciphers. Does anyone know where the requirement is coming from? Thanks in advance. ********** # Newer, Intel 5th gen Core-i7 $ uname -r 3.19.0-56-generic $ sudo cat /proc/crypto | egrep '^(name|driver|async|$)' name : crct10dif driver : crct10dif-pclmul name : crc32 driver : crc32-pclmul name : xts(aes) driver : xts-aes-aesni async : yes name : lrw(aes) driver : lrw-aes-aesni async : yes name : __xts-aes-aesni driver : __driver-xts-aes-aesni name : __lrw-aes-aesni driver : __driver-lrw-aes-aesni name : pcbc(aes) driver : pcbc-aes-aesni async : yes name : rfc4106(gcm(aes)) driver : rfc4106-gcm-aesni async : yes name : __gcm-aes-aesni driver : __driver-gcm-aes-aesni async : no name : ctr(aes) driver : ctr-aes-aesni async : yes name : __ctr-aes-aesni driver : __driver-ctr-aes-aesni name : cbc(aes) driver : cbc-aes-aesni async : yes name : ecb(aes) driver : ecb-aes-aesni async : yes name : __cbc-aes-aesni driver : __driver-cbc-aes-aesni name : __ecb-aes-aesni driver : __driver-ecb-aes-aesni name : __aes-aesni driver : __driver-aes-aesni name : aes driver : aes-aesni name : aes driver : aes-asm name : hmac(sha256) driver : hmac(sha256-generic) name : hmac(sha1) driver : hmac(sha1-generic) name : skein1024 driver : skein name : skein512 driver : skein name : skein256 driver : skein name : stdrng driver : krng name : lzo driver : lzo-generic name : crct10dif driver : crct10dif-generic name : crc32c driver : crc32c-generic name : aes driver : aes-generic name : sha384 driver : sha384-generic name : sha512 driver : sha512-generic name : sha224 driver : sha224-generic name : sha256 driver : sha256-generic name : sha1 driver : sha1-generic name : md5 driver : md5-generic name : crc32c driver : crc32c-intel ***** # Older, VIA C7 machine $ uname -r 4.2.0-34-generic $ sudo cat /proc/crypto | egrep '^(name|driver|async|$)' name : sha256 driver : sha256-padlock name : sha1 driver : sha1-padlock name : cbc(aes) driver : cbc-aes-padlock name : ecb(aes) driver : ecb-aes-padlock name : aes driver : aes-padlock name : lzo driver : lzo-generic name : crct10dif driver : crct10dif-generic name : crc32c driver : crc32c-generic name : aes driver : aes-generic name : sha384 driver : sha384-generic name : sha512 driver : sha512-generic name : sha224 driver : sha224-generic name : sha256 driver : sha256-generic name : sha1 driver : sha1-generic name : md5 driver : md5-generic via:linux$ From rt at openssl.org Sat Mar 26 22:03:38 2016 From: rt at openssl.org (Michel via RT) Date: Sat, 26 Mar 2016 22:03:38 +0000 Subject: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command In-Reply-To: <001501d187ab$45f7cc40$d1e764c0$@sales@free.fr> References: <000001d18484$e23ea1c0$a6bbe540$@sales@free.fr> <000801d1877b$6d641de0$482c59a0$@sales@free.fr> <001501d187ab$45f7cc40$d1e764c0$@sales@free.fr> Message-ID: And attached a better patch, with updated documentation and some test data. -----Message d'origine----- De : openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Michel via RT Envoy? : samedi 26 mars 2016 17:21 Cc : openssl-dev at openssl.org Objet : Re: [openssl-dev] [openssl.org #4472] [PATCH] alllowing wrap mode using enc command Hi, Here is an updated patch which prevents 'unstreamable' modes (Wrap only for the moment) to be streamed, while still allowing them to be encrypted or decrypted if the internal buffer size is greater than the total data size. Looks to work just fine to me, but I can still try to improve it if some other issue arises. Regards, Michel. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4472 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: enc-fixes_v2-1.1.0.patch Type: application/octet-stream Size: 12592 bytes Desc: not available URL: -------------- next part -------------- 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 -------------- next part -------------- A non-text attachment was scrubbed... Name: testwrapstream.cmds Type: application/octet-stream Size: 688 bytes Desc: not available URL: From noloader at gmail.com Sat Mar 26 22:14:05 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 26 Mar 2016 18:14:05 -0400 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? Message-ID: e_os2.h has this around line 260: # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) # define ossl_ssize_t int # define OSSL_SSIZE_MAX INT_MAX # endif I don't believe you can test for a type by using 'defined(t)'. Also see http://stackoverflow.com/questions/12558538/how-can-i-check-a-certain-type-is-already-defined-in-c-compiler. Jeff From openssl-users at dukhovni.org Sat Mar 26 22:44:19 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Sat, 26 Mar 2016 22:44:19 +0000 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: References: Message-ID: <20160326224419.GW6602@mournblade.imrryr.org> On Sat, Mar 26, 2016 at 06:14:05PM -0400, Jeffrey Walton wrote: > e_os2.h has this around line 260: > > # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) > # define ossl_ssize_t int > # define OSSL_SSIZE_MAX INT_MAX > # endif > > I don't believe you can test for a type by using 'defined(t)'. Also > see http://stackoverflow.com/questions/12558538/how-can-i-check-a-certain-type-is-already-defined-in-c-compiler. Thanks for the heads-up. Perhaps that condition should have been defined(ossl_ssize_t). In any case, if UEFI code runs in 32-bit mode, then likely the additional condition is not (or rarely) needed at present. -- Viktor. From noloader at gmail.com Sun Mar 27 00:16:16 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 26 Mar 2016 20:16:16 -0400 Subject: [openssl-dev] no-ui, warnings and errors Message-ID: Is this a supported configuration (no-ui and apps)? There's a fair number of warnings when configuring with no-ui: apps/enc.c:357:13: warning: implicit declaration of function ?EVP_read_pw_string? [-Wimplicit-function-declaration] i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc); There's a few link problems, too: LD_LIBRARY_PATH=.: gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib/engines" -Wall -O3 -m64 -DL_ENDIAN -ansi -o apps/openssl apps/app_rand.o apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o apps/x509.o -L. -lssl -L. -lcrypto -ldl apps/apps.o: In function `ui_close': apps.c:(.text+0x15): undefined reference to `UI_OpenSSL' apps.c:(.text+0x1d): undefined reference to `UI_method_get_closer' apps/apps.o: In function `ui_write': apps.c:(.text+0x40): undefined reference to `UI_get_input_flags' apps.c:(.text+0x4c): undefined reference to `UI_get0_user_data' apps.c:(.text+0x59): undefined reference to `UI_get_string_type' apps.c:(.text+0x66): undefined reference to `UI_OpenSSL' apps.c:(.text+0x6e): undefined reference to `UI_method_get_writer' apps.c:(.text+0x84): undefined reference to `UI_get0_user_data' apps/apps.o: In function `ui_read': apps.c:(.text+0xc0): undefined reference to `UI_get_input_flags' apps.c:(.text+0xcc): undefined reference to `UI_get0_user_data' apps.c:(.text+0xd9): undefined reference to `UI_get_string_type' apps.c:(.text+0xe6): undefined reference to `UI_OpenSSL' apps.c:(.text+0xee): undefined reference to `UI_method_get_reader' apps.c:(.text+0x104): undefined reference to `UI_get0_user_data' apps.c:(.text+0x11c): undefined reference to `UI_set_result' apps/apps.o: In function `ui_open': apps.c:(.text+0x135): undefined reference to `UI_OpenSSL' apps.c:(.text+0x13d): undefined reference to `UI_method_get_opener' apps/apps.o: In function `password_callback': apps.c:(.text+0xca3): undefined reference to `UI_new_method' apps.c:(.text+0xcbf): undefined reference to `UI_construct_prompt' apps.c:(.text+0xce2): undefined reference to `UI_ctrl' apps.c:(.text+0xd05): undefined reference to `UI_add_input_string' apps.c:(.text+0xd38): undefined reference to `UI_ctrl' apps.c:(.text+0xd44): undefined reference to `UI_process' apps.c:(.text+0xd72): undefined reference to `UI_free' apps.c:(.text+0xe5e): undefined reference to `UI_add_verify_string' apps.c:(.text+0xe81): undefined reference to `UI_free' apps/apps.o: In function `setup_ui_method': apps.c:(.text+0x11da): undefined reference to `UI_create_method' apps.c:(.text+0x11ee): undefined reference to `UI_method_set_opener' apps.c:(.text+0x11ff): undefined reference to `UI_method_set_reader' apps.c:(.text+0x1210): undefined reference to `UI_method_set_writer' apps.c:(.text+0x1221): undefined reference to `UI_method_set_closer' apps/apps.o: In function `destroy_ui_method': apps.c:(.text+0x1241): undefined reference to `UI_destroy_method' apps/enc.o: In function `enc_main': enc.c:(.text+0xfbf): undefined reference to `EVP_read_pw_string' enc.c:(.text+0x10f7): undefined reference to `EVP_read_pw_string' apps/pkcs12.o: In function `pkcs12_main': pkcs12.c:(.text+0x119a): undefined reference to `EVP_read_pw_string' pkcs12.c:(.text+0x1733): undefined reference to `EVP_read_pw_string' pkcs12.c:(.text+0x17d8): undefined reference to `EVP_read_pw_string' apps/pkcs8.o:pkcs8.c:(.text+0x7e0): more undefined references to `EVP_read_pw_string' follow ./libcrypto.a(err_all.o): In function `err_load_crypto_strings_intern': err_all.c:(.text+0x86): undefined reference to `ERR_load_UI_strings' From noloader at gmail.com Sun Mar 27 00:45:15 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 26 Mar 2016 20:45:15 -0400 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: <20160326224419.GW6602@mournblade.imrryr.org> References: <20160326224419.GW6602@mournblade.imrryr.org> Message-ID: On Sat, Mar 26, 2016 at 6:44 PM, Viktor Dukhovni wrote: > On Sat, Mar 26, 2016 at 06:14:05PM -0400, Jeffrey Walton wrote: > >> e_os2.h has this around line 260: >> >> # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) >> # define ossl_ssize_t int >> # define OSSL_SSIZE_MAX INT_MAX >> # endif >> >> I don't believe you can test for a type by using 'defined(t)'. Also >> see http://stackoverflow.com/questions/12558538/how-can-i-check-a-certain-type-is-already-defined-in-c-compiler. > > Thanks for the heads-up. Perhaps that condition should have been > defined(ossl_ssize_t). In any case, if UEFI code runs in 32-bit > mode, then likely the additional condition is not (or rarely) needed > at present. I think the one to focus on is "define ossl_ssize_t ssize_t". SSIZE_MAX should be defined when ssize_t is available. If SSIZE_MAX in not defined, then both ssize_t and SSIZE_MAX need a definition. So something like: diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h index bbd6116..216aebf 100644 --- a/include/openssl/e_os2.h +++ b/include/openssl/e_os2.h @@ -257,14 +257,20 @@ extern "C" { # endif # endif -# if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) -# define ossl_ssize_t int -# define OSSL_SSIZE_MAX INT_MAX -# endif - -# ifndef ossl_ssize_t +# if defined(SSIZE_MAX) # define ossl_ssize_t ssize_t # define OSSL_SSIZE_MAX SSIZE_MAX +# else /* not SSIZE_MAX */ +# if (__WORDSIZE == 64) || (__SIZEOF_PTRDIFF_T__ == 8) || (__LP64__ == 1) +# define ossl_ssize_t long +# define OSSL_SSIZE_MAX LONG_MAX +# elif (__WORDSIZE == 32) || (__SIZEOF_PTRDIFF_T__ == 4) +# define ossl_ssize_t int +# define OSSL_SSIZE_MAX INT_MAX +# else +# define ossl_ssize_t ssize_t +# define OSSL_SSIZE_MAX SSIZE_MAX +# endif # endif # ifdef DEBUG_UNUSED The last two defines only serve to provide a file and line number for a compile error. If omitted, someone will have to go hunting for the reason ossl_ssize_t and OSSL_SSIZE_MAX are not defined. When ossl_ssize_t and OSSL_SSIZE_MAX defined, it will point to the file and line number of the offenders ssize_t and SSIZE_MAX. +# define ossl_ssize_t ssize_t +# define OSSL_SSIZE_MAX SSIZE_MAX ********** $ grep -IR ossl_ssize_t * | egrep '(typedef|define)' include/openssl/e_os2.h:# define ossl_ssize_t __int64 include/openssl/e_os2.h:# define ossl_ssize_t int include/openssl/e_os2.h:# define ossl_ssize_t int include/openssl/e_os2.h:# define ossl_ssize_t ssize_t ms/uplink.h:#define UP_read (*(ossl_ssize_t (*)(int,void *,size_t))OPENSSL_UplinkTable[APPLINK_READ]) ms/uplink.h:#define UP_write (*(ossl_ssize_t (*)(int,const void *,size_t))OPENSSL_UplinkTable[APPLINK_WRITE]) From levitte at openssl.org Sun Mar 27 03:10:56 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 27 Mar 2016 05:10:56 +0200 (CEST) Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: References: Message-ID: <20160327.051056.1643525019254842841.levitte@openssl.org> In message on Sat, 26 Mar 2016 18:14:05 -0400, Jeffrey Walton said: noloader> e_os2.h has this around line 260: noloader> noloader> # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) noloader> # define ossl_ssize_t int noloader> # define OSSL_SSIZE_MAX INT_MAX noloader> # endif noloader> noloader> I don't believe you can test for a type by using 'defined(t)'. Also noloader> see http://stackoverflow.com/questions/12558538/how-can-i-check-a-certain-type-is-already-defined-in-c-compiler. ... unless it's defined with a macro -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From noloader at gmail.com Sun Mar 27 03:50:12 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sat, 26 Mar 2016 23:50:12 -0400 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: <20160327.051056.1643525019254842841.levitte@openssl.org> References: <20160327.051056.1643525019254842841.levitte@openssl.org> Message-ID: On Sat, Mar 26, 2016 at 11:10 PM, Richard Levitte wrote: > In message on Sat, 26 Mar 2016 18:14:05 -0400, Jeffrey Walton said: > > noloader> e_os2.h has this around line 260: > noloader> > noloader> # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) > noloader> # define ossl_ssize_t int > noloader> # define OSSL_SSIZE_MAX INT_MAX > noloader> # endif > noloader> > noloader> I don't believe you can test for a type by using 'defined(t)'. Also > noloader> see http://stackoverflow.com/questions/12558538/how-can-i-check-a-certain-type-is-already-defined-in-c-compiler. > > ... unless it's defined with a macro Yeah, I kind of knew about that. But a type like ssize_t defined with a typedef won't pass that test. It will degenerate into: #if defined(OPENSSL_SYS_UEFI) && /*TRUE*/ ... #endif That brings up the thing I was wondering about. I followed the pattern in my diffs, but did not feel it was quite right (I might be missing something obvious)... Why isn't ossl_ssize_t a typedef? Jeff From noloader at gmail.com Sun Mar 27 05:38:18 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 01:38:18 -0400 Subject: [openssl-dev] LHASH, -Wcast-align and the union (redux) Message-ID: I'm on CentOS 5 with GCC 4.1.2. It appears there are side effects to the union for the down level compiler. Removing the union squashes the warning, but I like Viktor's idea and placing a few of the larger types in it. I think its safer in the long run. Naming the union squashes the warning. The change below tested OK under OS X, CentOS, Linux and NetBSD. $ git diff include/openssl/lhash.h diff --git a/include/openssl/lhash.h b/include/openssl/lhash.h index e10c522..669cdf1 100644 --- a/include/openssl/lhash.h +++ b/include/openssl/lhash.h @@ -180,7 +180,7 @@ void lh_node_usage_stats_bio(const _LHASH *lh, BIO *out); # define LHASH_OF(type) struct lhash_st_##type # define DEFINE_LHASH_OF(type) \ - LHASH_OF(type) { union { void* d1; unsigned long d2; int d3; }; }; \ + LHASH_OF(type) { union { void* d1; unsigned long d2; int d3; } u_st; }; \ static ossl_inline LHASH_OF(type) * \ lh_##type##_new(unsigned long (*hfn)(const type *), \ int (*cfn)(const type *, const type *)) \ Breaking eggs, making omelets, and catching the issues before they are pushed to users. Things are working as expected :) ********** gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib64/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN -ansi -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/asn1/a_bitstr.d.tmp -MT crypto/asn1/a_bitstr.o -c -o crypto/asn1/a_bitstr.o crypto/asn1/a_bitstr.c In file included from include/openssl/err.h:123, from crypto/include/internal/cryptlib.h:74, from crypto/aes/aes_wrap.c:54: include/openssl/lhash.h:265: warning: declaration does not declare anythingIn file included from include/openssl/err.h:123, from crypto/include/internal/cryptlib.h:74, from crypto/aes/aes_ige.c:51: include/openssl/lhash.h:265: warning: declaration does not declare anything include/openssl/lhash.h:266: warning: declaration does not declare anything include/openssl/lhash.h:266: warning: declaration does not declare anything And $ cat -n include/openssl/lhash.h: ... 265 DEFINE_LHASH_OF(OPENSSL_STRING); 266 DEFINE_LHASH_OF(OPENSSL_CSTRING); And catching lots of them. ********** $ gcc --version gcc (GCC) 4.1.2 20080704 (Red Hat 4.1.2-55) Copyright (C) 2006 Free Software Foundation, Inc. From noloader at gmail.com Sun Mar 27 05:55:00 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 01:55:00 -0400 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: The rollup was updated to include both -ansi and -std=c90. Nearly all the pieces were available to support it. The patch simply needed better integration with existing library facilities. For example, there's an OPENSSL_strdup() for strdup(), there's workarounds for strncmpcase() that performs the to_lower() conversion, etc. Some of the OpenSSL utilities needed things relaxed, so it follows ssltest.c lead and performs "#define _DEFAULT_SOURCE 1" when needed. There's no need for the dodgy "-D_DEFAULT_SOURCE=__STRICT_ANSI__". Tested OK under CentOS, OS X, Linux and NetBSD. Jeff On Fri, Mar 25, 2016 at 12:31 PM, Jeffrey Walton wrote: > Here's the rollup patch that makes -ansi work. Most of it was "inline" > -> "ossl_inline". > > Some hoops were jumped through to get SSIZE_MAX defined correctly. > Drepper signed-off on roughly the same fix about 15 years ago for > glibc; see http://sourceware.org/ml/libc-hacker/2002-08/msg00031.html. > > To configure: > > ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ > > I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ > automatically. > > Its the same patch as for Issue 4480. The patch can be applied with > 'patch -p1 < ansi.patch'. > > Tested OK on OS X 64-bit, OS X 32-bit, Linux x86_64, Linux i686, ARM32 > and ARM64. > > ---------- > > $ cat ansi.patch > diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h > index de80f95..968358f 100644 > --- a/crypto/async/arch/async_posix.h > +++ b/crypto/async/arch/async_posix.h > @@ -74,7 +74,7 @@ typedef struct async_fibre_st { > int env_init; > } async_fibre; > > -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre > *n, int r) > +static ossl_inline int async_fibre_swapcontext(async_fibre *o, > async_fibre *n, int r) > { > o->env_init = 1; > > diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c > index 3ccf9d5..1914be5 100644 > --- a/engines/afalg/e_afalg.c > +++ b/engines/afalg/e_afalg.c > @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { > > static EVP_CIPHER *_hidden_aes_128_cbc = NULL; > > -static inline int io_setup(unsigned n, aio_context_t *ctx) > +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) > { > return syscall(__NR_io_setup, n, ctx); > } > > -static inline int eventfd(int n) > +static ossl_inline int eventfd(int n) > { > return syscall(__NR_eventfd, n); > } > > -static inline int io_destroy(aio_context_t ctx) > +static ossl_inline int io_destroy(aio_context_t ctx) > { > return syscall(__NR_io_destroy, ctx); > } > > -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > { > return syscall(__NR_io_submit, ctx, n, iocb); > } > > -static inline int io_getevents(aio_context_t ctx, long min, long max, > +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, > struct io_event *events, > struct timespec *timeout) > { > @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > memset(cb, '\0', sizeof(*cb)); > cb->aio_fildes = sfd; > cb->aio_lio_opcode = IOCB_CMD_PREAD; > - cb->aio_buf = (unsigned long)buf; > + cb->aio_buf = (uint64_t)buf; > cb->aio_offset = 0; > cb->aio_data = 0; > cb->aio_nbytes = len; > @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > return 1; > } > > -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, > +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, > const unsigned int op) > { > cmsg->cmsg_level = SOL_ALG; > @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, > const unsigned char *iv, > memcpy(aiv->iv, iv, len); > } > > -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > const int klen) > { > int ret; > diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h > index bbd6116..73058c0 100644 > --- a/include/openssl/e_os2.h > +++ b/include/openssl/e_os2.h > @@ -264,7 +264,15 @@ extern "C" { > > # ifndef ossl_ssize_t > # define ossl_ssize_t ssize_t > -# define OSSL_SSIZE_MAX SSIZE_MAX > +# if defined(SSIZE_MAX) > +# define OSSL_SSIZE_MAX SSIZE_MAX > +# elif defined(_POSIX_SSIZE_MAX) > +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX > +# elif (__WORDSIZE == 64) > +# define OSSL_SSIZE_MAX LONG_MAX > +# elif(__WORDSIZE == 32) > +# define OSSL_SSIZE_MAX INT_MAX > +# endif > # endif > > # ifdef DEBUG_UNUSED > diff --git a/test/ssltest.c b/test/ssltest.c > index a2dd445..6c1575c 100644 > --- a/test/ssltest.c > +++ b/test/ssltest.c > @@ -140,8 +140,12 @@ > */ > > /* Or gethostname won't be declared properly on Linux and GNU platforms. */ > -#define _BSD_SOURCE 1 > -#define _DEFAULT_SOURCE 1 > +#ifndef _BSD_SOURCE > +# define _BSD_SOURCE 1 > +#endif > +#ifndef _DEFAULT_SOURCE > +# define _DEFAULT_SOURCE 1 > +#endif > > #include > #include -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 12530 bytes Desc: not available URL: From rt at openssl.org Sun Mar 27 05:55:11 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 05:55:11 +0000 Subject: [openssl-dev] [openssl.org #4479] ROLLUP PATCH: OS X 10.8 (x86_64): Compile errors when using "no-asm -ansi" In-Reply-To: References: Message-ID: The rollup was updated to include both -ansi and -std=c90. Nearly all the pieces were available to support it. The patch simply needed better integration with existing library facilities. For example, there's an OPENSSL_strdup() for strdup(), there's workarounds for strncmpcase() that performs the to_lower() conversion, etc. Some of the OpenSSL utilities needed things relaxed, so it follows ssltest.c lead and performs "#define _DEFAULT_SOURCE 1" when needed. There's no need for the dodgy "-D_DEFAULT_SOURCE=__STRICT_ANSI__". Tested OK under CentOS, OS X, Linux and NetBSD. Jeff On Fri, Mar 25, 2016 at 12:31 PM, Jeffrey Walton wrote: > Here's the rollup patch that makes -ansi work. Most of it was "inline" > -> "ossl_inline". > > Some hoops were jumped through to get SSIZE_MAX defined correctly. > Drepper signed-off on roughly the same fix about 15 years ago for > glibc; see http://sourceware.org/ml/libc-hacker/2002-08/msg00031.html. > > To configure: > > ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ > > I'm not sure if Configure should set _DEFAULT_SOURCE=__STRICT_ANSI__ > automatically. > > Its the same patch as for Issue 4480. The patch can be applied with > 'patch -p1 < ansi.patch'. > > Tested OK on OS X 64-bit, OS X 32-bit, Linux x86_64, Linux i686, ARM32 > and ARM64. > > ---------- > > $ cat ansi.patch > diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h > index de80f95..968358f 100644 > --- a/crypto/async/arch/async_posix.h > +++ b/crypto/async/arch/async_posix.h > @@ -74,7 +74,7 @@ typedef struct async_fibre_st { > int env_init; > } async_fibre; > > -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre > *n, int r) > +static ossl_inline int async_fibre_swapcontext(async_fibre *o, > async_fibre *n, int r) > { > o->env_init = 1; > > diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c > index 3ccf9d5..1914be5 100644 > --- a/engines/afalg/e_afalg.c > +++ b/engines/afalg/e_afalg.c > @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { > > static EVP_CIPHER *_hidden_aes_128_cbc = NULL; > > -static inline int io_setup(unsigned n, aio_context_t *ctx) > +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) > { > return syscall(__NR_io_setup, n, ctx); > } > > -static inline int eventfd(int n) > +static ossl_inline int eventfd(int n) > { > return syscall(__NR_eventfd, n); > } > > -static inline int io_destroy(aio_context_t ctx) > +static ossl_inline int io_destroy(aio_context_t ctx) > { > return syscall(__NR_io_destroy, ctx); > } > > -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > { > return syscall(__NR_io_submit, ctx, n, iocb); > } > > -static inline int io_getevents(aio_context_t ctx, long min, long max, > +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, > struct io_event *events, > struct timespec *timeout) > { > @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > memset(cb, '\0', sizeof(*cb)); > cb->aio_fildes = sfd; > cb->aio_lio_opcode = IOCB_CMD_PREAD; > - cb->aio_buf = (unsigned long)buf; > + cb->aio_buf = (uint64_t)buf; > cb->aio_offset = 0; > cb->aio_data = 0; > cb->aio_nbytes = len; > @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > return 1; > } > > -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, > +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, > const unsigned int op) > { > cmsg->cmsg_level = SOL_ALG; > @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, > const unsigned char *iv, > memcpy(aiv->iv, iv, len); > } > > -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > const int klen) > { > int ret; > diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h > index bbd6116..73058c0 100644 > --- a/include/openssl/e_os2.h > +++ b/include/openssl/e_os2.h > @@ -264,7 +264,15 @@ extern "C" { > > # ifndef ossl_ssize_t > # define ossl_ssize_t ssize_t > -# define OSSL_SSIZE_MAX SSIZE_MAX > +# if defined(SSIZE_MAX) > +# define OSSL_SSIZE_MAX SSIZE_MAX > +# elif defined(_POSIX_SSIZE_MAX) > +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX > +# elif (__WORDSIZE == 64) > +# define OSSL_SSIZE_MAX LONG_MAX > +# elif(__WORDSIZE == 32) > +# define OSSL_SSIZE_MAX INT_MAX > +# endif > # endif > > # ifdef DEBUG_UNUSED > diff --git a/test/ssltest.c b/test/ssltest.c > index a2dd445..6c1575c 100644 > --- a/test/ssltest.c > +++ b/test/ssltest.c > @@ -140,8 +140,12 @@ > */ > > /* Or gethostname won't be declared properly on Linux and GNU platforms. */ > -#define _BSD_SOURCE 1 > -#define _DEFAULT_SOURCE 1 > +#ifndef _BSD_SOURCE > +# define _BSD_SOURCE 1 > +#endif > +#ifndef _DEFAULT_SOURCE > +# define _DEFAULT_SOURCE 1 > +#endif > > #include > #include -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4479 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 12530 bytes Desc: not available URL: From noloader at gmail.com Sun Mar 27 05:55:07 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 01:55:07 -0400 Subject: [openssl-dev] [openssl.org #4480] ROLLUP PATCH: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: The rollup was updated to include both -ansi and -std=c90. Nearly all the pieces were available to support it. The patch simply needed better integration with existing library facilities. For example, there's an OPENSSL_strdup() for strdup(), there's workarounds for strncmpcase() that performs the to_lower() conversion, etc. Some of the OpenSSL utilities needed things relaxed, so it follows ssltest.c lead and performs "#define _DEFAULT_SOURCE 1" when needed. There's no need for the dodgy "-D_DEFAULT_SOURCE=__STRICT_ANSI__". Tested OK under OS X, Linux and NetBSD. Jeff On Fri, Mar 25, 2016 at 11:39 AM, Jeffrey Walton wrote: > Here's the rollup patch that makes -ansi work. Most of it was "inline" > -> "ossl_inline". Some hoops were jumped through to get SSIZE_MAX > defined correctly. > > To configure: > > ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ > > I'm not sure if Configure should set > _DEFAULT_SOURCE=__STRICT_ANSI__automatically. > > **** > > $ git diff > ansi.patch > $ cat ansi.patch > diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h > index de80f95..968358f 100644 > --- a/crypto/async/arch/async_posix.h > +++ b/crypto/async/arch/async_posix.h > @@ -74,7 +74,7 @@ typedef struct async_fibre_st { > int env_init; > } async_fibre; > > -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre > *n, int r) > +static ossl_inline int async_fibre_swapcontext(async_fibre *o, > async_fibre *n, int r) > { > o->env_init = 1; > > diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c > index 3ccf9d5..1914be5 100644 > --- a/engines/afalg/e_afalg.c > +++ b/engines/afalg/e_afalg.c > @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { > > static EVP_CIPHER *_hidden_aes_128_cbc = NULL; > > -static inline int io_setup(unsigned n, aio_context_t *ctx) > +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) > { > return syscall(__NR_io_setup, n, ctx); > } > > -static inline int eventfd(int n) > +static ossl_inline int eventfd(int n) > { > return syscall(__NR_eventfd, n); > } > > -static inline int io_destroy(aio_context_t ctx) > +static ossl_inline int io_destroy(aio_context_t ctx) > { > return syscall(__NR_io_destroy, ctx); > } > > -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > { > return syscall(__NR_io_submit, ctx, n, iocb); > } > > -static inline int io_getevents(aio_context_t ctx, long min, long max, > +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, > struct io_event *events, > struct timespec *timeout) > { > @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > memset(cb, '\0', sizeof(*cb)); > cb->aio_fildes = sfd; > cb->aio_lio_opcode = IOCB_CMD_PREAD; > - cb->aio_buf = (unsigned long)buf; > + cb->aio_buf = (uint64_t)buf; > cb->aio_offset = 0; > cb->aio_data = 0; > cb->aio_nbytes = len; > @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > return 1; > } > > -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, > +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, > const unsigned int op) > { > cmsg->cmsg_level = SOL_ALG; > @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, > const unsigned char *iv, > memcpy(aiv->iv, iv, len); > } > > -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > const int klen) > { > int ret; > diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h > index bbd6116..73058c0 100644 > --- a/include/openssl/e_os2.h > +++ b/include/openssl/e_os2.h > @@ -264,7 +264,15 @@ extern "C" { > > # ifndef ossl_ssize_t > # define ossl_ssize_t ssize_t > -# define OSSL_SSIZE_MAX SSIZE_MAX > +# if defined(SSIZE_MAX) > +# define OSSL_SSIZE_MAX SSIZE_MAX > +# elif defined(_POSIX_SSIZE_MAX) > +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX > +# elif (__WORDSIZE == 64) > +# define OSSL_SSIZE_MAX LONG_MAX > +# elif(__WORDSIZE == 32) > +# define OSSL_SSIZE_MAX INT_MAX > +# endif > # endif > > # ifdef DEBUG_UNUSED > diff --git a/test/ssltest.c b/test/ssltest.c > index a2dd445..6c1575c 100644 > --- a/test/ssltest.c > +++ b/test/ssltest.c > @@ -140,8 +140,12 @@ > */ > > /* Or gethostname won't be declared properly on Linux and GNU platforms. */ > -#define _BSD_SOURCE 1 > -#define _DEFAULT_SOURCE 1 > +#ifndef _BSD_SOURCE > +# define _BSD_SOURCE 1 > +#endif > +#ifndef _DEFAULT_SOURCE > +# define _DEFAULT_SOURCE 1 > +#endif > > #include > #include -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 12530 bytes Desc: not available URL: From rt at openssl.org Sun Mar 27 05:55:18 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 05:55:18 +0000 Subject: [openssl-dev] [openssl.org #4480] ROLLUP PATCH: Ubuntu 14 (x86_64): Compile errors and warnings when using "no-asm -ansi" In-Reply-To: References: Message-ID: The rollup was updated to include both -ansi and -std=c90. Nearly all the pieces were available to support it. The patch simply needed better integration with existing library facilities. For example, there's an OPENSSL_strdup() for strdup(), there's workarounds for strncmpcase() that performs the to_lower() conversion, etc. Some of the OpenSSL utilities needed things relaxed, so it follows ssltest.c lead and performs "#define _DEFAULT_SOURCE 1" when needed. There's no need for the dodgy "-D_DEFAULT_SOURCE=__STRICT_ANSI__". Tested OK under OS X, Linux and NetBSD. Jeff On Fri, Mar 25, 2016 at 11:39 AM, Jeffrey Walton wrote: > Here's the rollup patch that makes -ansi work. Most of it was "inline" > -> "ossl_inline". Some hoops were jumped through to get SSIZE_MAX > defined correctly. > > To configure: > > ./config shared no-asm -ansi -D_DEFAULT_SOURCE=__STRICT_ANSI__ > > I'm not sure if Configure should set > _DEFAULT_SOURCE=__STRICT_ANSI__automatically. > > **** > > $ git diff > ansi.patch > $ cat ansi.patch > diff --git a/crypto/async/arch/async_posix.h b/crypto/async/arch/async_posix.h > index de80f95..968358f 100644 > --- a/crypto/async/arch/async_posix.h > +++ b/crypto/async/arch/async_posix.h > @@ -74,7 +74,7 @@ typedef struct async_fibre_st { > int env_init; > } async_fibre; > > -static inline int async_fibre_swapcontext(async_fibre *o, async_fibre > *n, int r) > +static ossl_inline int async_fibre_swapcontext(async_fibre *o, > async_fibre *n, int r) > { > o->env_init = 1; > > diff --git a/engines/afalg/e_afalg.c b/engines/afalg/e_afalg.c > index 3ccf9d5..1914be5 100644 > --- a/engines/afalg/e_afalg.c > +++ b/engines/afalg/e_afalg.c > @@ -136,27 +136,27 @@ static int afalg_cipher_nids[] = { > > static EVP_CIPHER *_hidden_aes_128_cbc = NULL; > > -static inline int io_setup(unsigned n, aio_context_t *ctx) > +static ossl_inline int io_setup(unsigned n, aio_context_t *ctx) > { > return syscall(__NR_io_setup, n, ctx); > } > > -static inline int eventfd(int n) > +static ossl_inline int eventfd(int n) > { > return syscall(__NR_eventfd, n); > } > > -static inline int io_destroy(aio_context_t ctx) > +static ossl_inline int io_destroy(aio_context_t ctx) > { > return syscall(__NR_io_destroy, ctx); > } > > -static inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > +static ossl_inline int io_read(aio_context_t ctx, long n, struct iocb **iocb) > { > return syscall(__NR_io_submit, ctx, n, iocb); > } > > -static inline int io_getevents(aio_context_t ctx, long min, long max, > +static ossl_inline int io_getevents(aio_context_t ctx, long min, long max, > struct io_event *events, > struct timespec *timeout) > { > @@ -272,7 +272,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > memset(cb, '\0', sizeof(*cb)); > cb->aio_fildes = sfd; > cb->aio_lio_opcode = IOCB_CMD_PREAD; > - cb->aio_buf = (unsigned long)buf; > + cb->aio_buf = (uint64_t)buf; > cb->aio_offset = 0; > cb->aio_data = 0; > cb->aio_nbytes = len; > @@ -352,7 +352,7 @@ int afalg_fin_cipher_aio(afalg_aio *aio, int sfd, > unsigned char *buf, > return 1; > } > > -static inline void afalg_set_op_sk(struct cmsghdr *cmsg, > +static ossl_inline void afalg_set_op_sk(struct cmsghdr *cmsg, > const unsigned int op) > { > cmsg->cmsg_level = SOL_ALG; > @@ -374,7 +374,7 @@ static void afalg_set_iv_sk(struct cmsghdr *cmsg, > const unsigned char *iv, > memcpy(aiv->iv, iv, len); > } > > -static inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > +static ossl_inline int afalg_set_key(afalg_ctx *actx, const unsigned char *key, > const int klen) > { > int ret; > diff --git a/include/openssl/e_os2.h b/include/openssl/e_os2.h > index bbd6116..73058c0 100644 > --- a/include/openssl/e_os2.h > +++ b/include/openssl/e_os2.h > @@ -264,7 +264,15 @@ extern "C" { > > # ifndef ossl_ssize_t > # define ossl_ssize_t ssize_t > -# define OSSL_SSIZE_MAX SSIZE_MAX > +# if defined(SSIZE_MAX) > +# define OSSL_SSIZE_MAX SSIZE_MAX > +# elif defined(_POSIX_SSIZE_MAX) > +# define OSSL_SSIZE_MAX _POSIX_SSIZE_MAX > +# elif (__WORDSIZE == 64) > +# define OSSL_SSIZE_MAX LONG_MAX > +# elif(__WORDSIZE == 32) > +# define OSSL_SSIZE_MAX INT_MAX > +# endif > # endif > > # ifdef DEBUG_UNUSED > diff --git a/test/ssltest.c b/test/ssltest.c > index a2dd445..6c1575c 100644 > --- a/test/ssltest.c > +++ b/test/ssltest.c > @@ -140,8 +140,12 @@ > */ > > /* Or gethostname won't be declared properly on Linux and GNU platforms. */ > -#define _BSD_SOURCE 1 > -#define _DEFAULT_SOURCE 1 > +#ifndef _BSD_SOURCE > +# define _BSD_SOURCE 1 > +#endif > +#ifndef _DEFAULT_SOURCE > +# define _DEFAULT_SOURCE 1 > +#endif > > #include > #include -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4480 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: ansi.patch Type: text/x-diff Size: 12530 bytes Desc: not available URL: From noloader at gmail.com Sun Mar 27 06:32:06 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 02:32:06 -0400 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: References: <20160327.051056.1643525019254842841.levitte@openssl.org> Message-ID: >> noloader> I don't believe you can test for a type by using 'defined(t)'. Also >> noloader> see http://stackoverflow.com/questions/12558538/how-can-i-check-a-certain-type-is-already-defined-in-c-compiler. >> >> ... unless it's defined with a macro > > Yeah, I kind of knew about that. But a type like ssize_t defined with > a typedef won't pass that test. It will degenerate into: > > #if defined(OPENSSL_SYS_UEFI) && /*TRUE*/ > ... > #endif > > That brings up the thing I was wondering about. I followed the pattern > in my diffs, but did not feel it was quite right (I might be missing > something obvious)... Why isn't ossl_ssize_t a typedef? I'm not finding a compelling reason to define something that's usually typedef'd. Also see http://programmers.stackexchange.com/questions/130679/typedefs-and-defines and http://stackoverflow.com/questions/1666353/are-typedef-and-define-the-same-in-c. Does anyone know why things are done that way? Jeff From rt at openssl.org Sun Mar 27 06:58:00 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 06:58:00 +0000 Subject: [openssl-dev] [openssl.org #4379] AutoReply: "arch/async_posix.h:67:24: error: ucontext.h: No such file or directory" under OpenBSD 5.7/64-bit In-Reply-To: References: Message-ID: I'm thinking this should be closed because the compile problem can be worked around with "./config no-async". "./config no-async" worked on both CentOS 5 and BSD 5.7 (both lack the headers). I suppose it can be kept open if someone feels Configure should auto-detect the feature. I'm in this camp because that what Configure is supposed to do, and it maintains a dark and silent cockpit. > ------------------------------------------------------------------------- > cc -I.. -I../.. -I../modes -I../include -I../../include -DDSO_DLFCN > -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_STATIC_ENGINE > -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM > -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" > -DENGINESDIR="\"/usr/local/lib/engines\"" -DL_ENDIAN -Wall -O3 > -pthread -D_THREAD_SAFE -D_REENTRANT -Wa,--noexecstack -fPIC -c > async.c -o async.o > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h:67:24: error: ucontext.h: No such file or directory > In file included from async_locl.h:69, > from async.c:62: > arch/async_posix.h: In function 'async_fibre_swapcontext': > arch/async_posix.h:85: warning: implicit declaration of function 'setcontext' > *** Error 1 in crypto/async (Makefile:65 'async.o') > *** Error 1 in crypto (Makefile:91 'subdirs') > *** Error 1 in /home/jwalton/openssl (Makefile:291 'build_crypto') -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4379 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 27 08:57:46 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 08:57:46 +0000 Subject: [openssl-dev] [openssl.org #4470] AutoReply: FEATURE: OpenSSL test script for configurations and options In-Reply-To: References: Message-ID: Updated to print the options used when a failure occurs; add additional test configurations, like "no-asm -ansi". The QA/Testing team should try the script. Its very revealing. Here's what I am seeing: $ grep '!!!!!!!!!!' openssl-result.txt !!!!!!!!!!FAILED (no-aes)!!!!!!!!!! !!!!!!!!!!FAILED (no-asm no-aes)!!!!!!!!!! !!!!!!!!!!FAILED (no-autoalginit)!!!!!!!!!! !!!!!!!!!!FAILED (no-asm no-autoalginit)!!!!!!!!!! ... Its better to run the script on a machine with 8 or 16 cores because there's a lot of combinations and you'll get results faster. The script automatically steps up job counts based on logical processors. I think the project has some big iron lying around, so it should be available somewhere. > ------------------------------------------------------------------------- > Hi Everyone, > > Attached is a test script to repeatedly configure, build and test > OpenSSL under different configuration options. Options include the > usual suspects like "no-asm", "no-ssl2", "no-ssl3" and "no-comp". It > also includes other options, like Debug, Release, IPv4 and IPv6. > > I understand some of the devs have similar scripts Please consider > adding the attached script or a similar dev script to the tarball. > > The script will help the project proactively detect issues, and help > it avoid reactive fixes. As the script grows in depth and breadth, > OpenSSL will only get stronger. > > Thanks in advance. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4470 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: openssl-test.tar.gz Type: application/x-gzip Size: 2163 bytes Desc: not available URL: From noloader at gmail.com Sun Mar 27 10:09:39 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 06:09:39 -0400 Subject: [openssl-dev] Changing/deleted ordinals for exported function in the Windows DLLs Message-ID: It looks like ordinals are changing and/or being removed for functions exported by the Windows DLL. Its causing pain points for users in the field, and it appears to be trending. Confer: * WAMP OpenSSL ordinal 372 error, http://stackoverflow.com/q/36238887 * The Ordinal 112 could not be located in dynamic link library?, http://stackoverflow.com/q/36163468 I think ordinals were meant to speed up loading of shared resources in the 16-bit Windows days. They fell out of favor circa Windows 95. According to Jeffrey Richter and in his book Programming Applications for Microsoft Windows, page 701 (http://www.amazon.com/dp/1572319968): The second form [of the function GetProcAddress] ... [and the] pszSymbolName parameter indicates the ordinal number of the symbol whose address you want... Again, let me reiterate that Microsoft strongly discourages the use of ordinals. Richter then goes on to discuss getting the wrong function address because ordinals have changed. It seems like the changes should have been caught in the engineering process during QA or testing. Perhaps an explicit step should be added to avoid the problems in the future? From rt at openssl.org Sun Mar 27 13:29:37 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 13:29:37 +0000 Subject: [openssl-dev] [openssl.org #4486] PATCH: fix NMAKE fatal error U1073: "don't know how to make 'LNAME\openssl\Configurations\windows-makefile.tmpl'" In-Reply-To: References: Message-ID: Using Strawberry PERL from a typical Windows user desktop and working from Master at c828cd7... > cls && perl Configure VC-WIN32 ... > nmake Microsoft (R) Program Maintenance Utility Version 11.00.61030.0 Copyright (C) Microsoft Corporation. All rights reserved. NMAKE : fatal error U1073: don't know how to make 'LNAME\openssl\Configurations \windows-makefile.tmpl' Stop. $ git diff diff --git a/Configurations/windows-makefile.tmpl b/Configurations/windows-makefile.tmpl index 0b8ac72..6f97315 100644 --- a/Configurations/windows-makefile.tmpl +++ b/Configurations/windows-makefile.tmpl @@ -218,7 +218,7 @@ uninstall_runtime: # Building targets ################################################### -configdata.pm: {- $config{build_file_template} -} $(SRCDIR)\Configure +configdata.pm: "{- $config{build_file_template} -}" $(SRCDIR)\Configure @echo "Detected changed: $?" @echo "Reconfiguring..." $(PERL) $(SRCDIR)\Configure reconf ********** After patching: >nmake Microsoft (R) Program Maintenance Utility Version 11.00.61030.0 Copyright (C) Microsoft Corporation. All rights reserved. nasm -f win32 -ocrypto\aes\aes-586.obj crypto\aes\aes-586.asm cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I crypto\include /I include /I crypto\bn\Walton\openssl\crypto\i nclude -c /Focrypto\aes\aes_cfb.obj crypto\aes\aes_cfb.c aes_cfb.c cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I crypto\include /I include /I crypto\bn\Walton\openssl\crypto\i nclude -c /Focrypto\aes\aes_ecb.obj crypto\aes\aes_ecb.c aes_ecb.c ... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4486 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: windows-makefile.patch Type: text/x-diff Size: 559 bytes Desc: not available URL: From rsalz at akamai.com Sun Mar 27 13:59:30 2016 From: rsalz at akamai.com (Salz, Rich) Date: Sun, 27 Mar 2016 13:59:30 +0000 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: References: Message-ID: <3125eac161ff423c9be6a903185e3a37@usma1ex-dag1mb1.msg.corp.akamai.com> > # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) # define ossl_ssize_t > int # define OSSL_SSIZE_MAX INT_MAX # endif It's testing for a #define, not a typedef. From rt at openssl.org Sun Mar 27 14:01:25 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 14:01:25 +0000 Subject: [openssl-dev] [openssl.org #4487] Dirty compile under Windows 7 and MSVC 2012 (four to six non-trivial) In-Reply-To: References: Message-ID: There's a somewhat dirty compile under Windows 7 Pro x64 and Visual Studio 2012. cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I include -c /Fossl\record\rec_layer_s3.obj ssl\record\rec_layer _s3.c rec_layer_s3.c ssl\record\rec_layer_s3.c(843) : warning C4146: unary minus operator applied to unsigned type, result still unsigned ssl\record\rec_layer_s3.c(1250) : warning C4146: unary minus operator applied to unsigned type, result still unsigned ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I include -c /Fossl\record\rec_layer_d1.obj ssl\record\rec_layer _d1.c rec_layer_d1.c ssl\record\rec_layer_d1.c(572) : warning C4146: unary minus operator applied to unsigned type, result still unsigned ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I crypto\include /I include /I crypto\bn\Walton\openssl\crypto\i nclude -c /Focrypto\x509\x509_def.obj crypto\x509\x509_def.c x509_def.c crypto\x509\x509_def.c(65) : warning C4129: 'P' : unrecognized character escape sequence crypto\x509\x509_def.c(65) : warning C4129: 'C' : unrecognized character escape sequence crypto\x509\x509_def.c(70) : warning C4129: 'P' : unrecognized character escape sequence crypto\x509\x509_def.c(70) : warning C4129: 'C' : unrecognized character escape sequence crypto\x509\x509_def.c(75) : warning C4129: 'P' : unrecognized character escape sequence crypto\x509\x509_def.c(75) : warning C4129: 'C' : unrecognized character escape sequence crypto\x509\x509_def.c(80) : warning C4129: 'P' : unrecognized character escape sequence crypto\x509\x509_def.c(80) : warning C4129: 'C' : unrecognized character escape sequence ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I crypto\include /I include /I crypto\bn\Walton\openssl\crypto\i nclude /I crypto -c /Focrypto\cversion.obj crypto\cversion.c cversion.c crypto\cversion.c(100) : warning C4129: 'P' : unrecognized character escape sequ ence crypto\cversion.c(100) : warning C4129: 'C' : unrecognized character escape sequ ence crypto\cversion.c(107) : warning C4129: 'P' : unrecognized character escape sequ ence ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I crypto\include /I include /I crypto\bn\Walton\openssl\crypto\i nclude -c /Focrypto\bio\b_sock2.obj crypto\bio\b_sock2.c b_sock2.c crypto\bio\b_sock2.c(135) : warning C4133: 'function' : incompatible types - fro m 'int *' to 'const char *' crypto\bio\b_sock2.c(143) : warning C4133: 'function' : incompatible types - fro m 'int *' to 'const char *' crypto\bio\b_sock2.c(209) : warning C4133: 'function' : incompatible types - fro m 'int *' to 'char *' crypto\bio\b_sock2.c(232) : warning C4133: 'function' : incompatible types - fro m 'int *' to 'const char *' crypto\bio\b_sock2.c(240) : warning C4133: 'function' : incompatible types - fro m 'int *' to 'const char *' crypto\bio\b_sock2.c(249) : warning C4133: 'function' : incompatible types - fro m 'int *' to 'const char *' ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zi /Fdapp /I ..\..\Jeffrey /I apps\Walton\openssl\include /I . /I include -c /Foapps\apps.obj apps\apps.c apps.c apps\apps.c(2572) : warning C4996: 'open': The POSIX name for this item is depre cated. Instead, use the ISO C++ conformant name: _open. See online help for deta ils. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(315) : see declaration of 'open' apps\apps.c(2575) : warning C4996: 'fdopen': The POSIX name for this item is dep recated. Instead, use the ISO C++ conformant name: _fdopen. See online help for details. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\stdio.h(7 09) : see declaration of 'fdopen' apps\apps.c(2593) : warning C4996: 'close': The POSIX name for this item is depr ecated. Instead, use the ISO C++ conformant name: _close. See online help for de tails. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(305) : see declaration of 'close' ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zi /Fdapp /I ..\..\Jeffrey /I apps\Walton\openssl\include /I . /I include -c /Foapps\s_socket.obj apps\s_socket.c s_socket.c apps\s_socket.c(290) : warning C4996: 'unlink': The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name: _unlink. See online help f or details. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\stdio.h(2 85) : see declaration of 'unlink' ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zl /Zi /Fdlib -D_WINDLL /I ..\..\Jeffrey /I Walton\openss l\include /I . /I crypto\include /I include /I crypto\bn\Walton\openssl\crypto\i nclude -c /Focrypto\conf\conf_lib.obj crypto\conf\conf_lib.c conf_lib.c crypto\conf\conf_lib.c(395) : warning C4996: 'strdup': The POSIX name for this i tem is deprecated. Instead, use the ISO C++ conformant name: _strdup. See online help for details. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\string.h( 241) : see declaration of 'strdup' -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4487 Please log in as guest with password guest if prompted From noloader at gmail.com Sun Mar 27 14:02:55 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 10:02:55 -0400 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: On Fri, Mar 25, 2016 at 7:05 PM, Richard Levitte via RT wrote: > I've attached a tentative patch for test/recipes/bc.pl. Would you be willing to > try it out? OpenSSL master (c828cd7) experienced what appeared to be the same issue under Windows 7 Pro x64 with Strawberry PERL 5.22. The machine has Visual Studio 2008, Visual Studio 2010 and Visual Studio 2012, but I don't think it affects the issue. The patch cleared the issue for VC-WIN32 and VC-WIN64A. Jeff From rt at openssl.org Sun Mar 27 14:03:04 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 14:03:04 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: On Fri, Mar 25, 2016 at 7:05 PM, Richard Levitte via RT wrote: > I've attached a tentative patch for test/recipes/bc.pl. Would you be willing to > try it out? OpenSSL master (c828cd7) experienced what appeared to be the same issue under Windows 7 Pro x64 with Strawberry PERL 5.22. The machine has Visual Studio 2008, Visual Studio 2010 and Visual Studio 2012, but I don't think it affects the issue. The patch cleared the issue for VC-WIN32 and VC-WIN64A. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted From rsalz at akamai.com Sun Mar 27 14:41:31 2016 From: rsalz at akamai.com (Salz, Rich) Date: Sun, 27 Mar 2016 14:41:31 +0000 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: References: <20160327.051056.1643525019254842841.levitte@openssl.org> Message-ID: <3a294bfb52be4da3abd88f937c26f1f2@usma1ex-dag1mb1.msg.corp.akamai.com> Is this a real problem or a theoretical one? From jeremy.farrell at oracle.com Sun Mar 27 17:24:03 2016 From: jeremy.farrell at oracle.com (Jeremy Farrell) Date: Sun, 27 Mar 2016 18:24:03 +0100 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: <3125eac161ff423c9be6a903185e3a37@usma1ex-dag1mb1.msg.corp.akamai.com> References: <3125eac161ff423c9be6a903185e3a37@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <56F81733.7060700@oracle.com> On 27/03/2016 14:59, Salz, Rich wrote: > >> # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) # define ossl_ssize_t >> int # define OSSL_SSIZE_MAX INT_MAX # endif > It's testing for a #define, not a typedef. Then I suppose this comes down to understanding precisely what the test is trying to achieve. Do you mean it's explicitly checking for ssize_t being a macro rather than the usual typedef? Does OpenSSL create it as a macro somewhere? POSIX requires ssize_t to be a type rather than a macro, defined in among other places. I don't know it there are non-POSIX or vaguely-similar-to-POSIX environments which define it as a macro. -- J. J. Farrell Not speaking for Oracle. -------------- next part -------------- An HTML attachment was scrubbed... URL: From noloader at gmail.com Sun Mar 27 17:32:18 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Sun, 27 Mar 2016 13:32:18 -0400 Subject: [openssl-dev] [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: References: <20160325115042.5b8be48f@pc1> Message-ID: On Fri, Mar 25, 2016 at 8:10 AM, Hanno Boeck via RT wrote: > Attached is a sample code that will test various inputs for the > Poly1305 functions of openssl... I'm seeing compiler conversion warnings about size_t to int truncation. Do you have any vectors that cross the 2GB boundary? Jeff From rt at openssl.org Sun Mar 27 17:32:24 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Sun, 27 Mar 2016 17:32:24 +0000 Subject: [openssl-dev] [openssl.org #4483] Re: [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: References: <20160325115042.5b8be48f@pc1> Message-ID: On Fri, Mar 25, 2016 at 8:10 AM, Hanno Boeck via RT wrote: > Attached is a sample code that will test various inputs for the > Poly1305 functions of openssl... I'm seeing compiler conversion warnings about size_t to int truncation. Do you have any vectors that cross the 2GB boundary? Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Sun Mar 27 19:40:48 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Sun, 27 Mar 2016 19:40:48 +0000 Subject: [openssl-dev] [openssl.org #4485] big number tests and Math::BigInt changes In-Reply-To: References: <0FD83649-4FFB-4218-BAD7-1ED5433357E7@mac.com> Message-ID: And merged, commit ce84456ddf4e57c18a84858755b8b90c183a270e. Closing this ticket. Vid Sat, 26 Mar 2016 kl. 06.35.55, skrev levitte: > Frankly, you did all the work. With your analysis, it became very easy to > figure out what needed to be done. Low hanging fruit ;-) > > So, thank you! > > Cheers, > Richard > > Vid Sat, 26 Mar 2016 kl. 02.38.47, skrev craigberry at mac.com: > > Wow, that was fast. The patch looks good here: now all tests pass on > > systems with and without the Math::BigInt changes. Thanks! > > > > > On Mar 25, 2016, at 6:05 PM, Richard Levitte via RT > > > wrote: > > > > > > I've attached a tentative patch for test/recipes/bc.pl. Would you be > > > willing to > > > try it out? > > > > > > > > -- > > > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 > > > Please log in as guest with password guest if prompted > > > > > > diff --git a/test/recipes/bc.pl b/test/recipes/bc.pl > > > index 29a4a8a..f7d4dc6 100644 > > > --- a/test/recipes/bc.pl > > > +++ b/test/recipes/bc.pl > > > @@ -46,7 +46,16 @@ sub __multiplier { > > > if ($operator eq "*") { > > > $operand1->bmul($operand2); > > > } elsif ($operator eq "/") { > > > + # Math::BigInt->bdiv() is documented to do floored > > > division, > > > + # i.e. 1 / -4 = -1, while bc and OpenSSL BN_div do > > > truncated > > > + # division, i.e. 1 / -4 = 0. We need to make the operation > > > + # work like OpenSSL's BN_div to be able to verify. > > > + my $neg = ($operand1->is_neg() > > > + ? !$operand2->is_neg() : $operand2->is_neg()); > > > + $operand1->babs(); > > > + $operand2->babs(); > > > $operand1->bdiv($operand2); > > > + if ($neg) { $operand1->bneg(); } > > > } elsif ($operator eq "%") { > > > # Here's a bit of a quirk... > > > # With OpenSSL's BN, as well as bc, the result of -10 % 3 > > > is -1 > > > > ________________________________________ > > Craig A. Berry > > mailto:craigberry at mac.com > > > > "... getting out of a sonnet is much more > > difficult than getting in." > > Brad Leithauser > > > -- > Richard Levitte > levitte at openssl.org -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4485 Please log in as guest with password guest if prompted From levitte at openssl.org Sun Mar 27 20:00:21 2016 From: levitte at openssl.org (Richard Levitte) Date: Sun, 27 Mar 2016 22:00:21 +0200 (CEST) Subject: [openssl-dev] Changing/deleted ordinals for exported function in the Windows DLLs In-Reply-To: References: Message-ID: <20160327.220021.1289685851240325231.levitte@openssl.org> In message on Sun, 27 Mar 2016 06:09:39 -0400, Jeffrey Walton said: noloader> It looks like ordinals are changing and/or being removed for functions noloader> exported by the Windows DLL. Its causing pain points for users in the noloader> field, and it appears to be trending. Confer: noloader> noloader> * WAMP OpenSSL ordinal 372 error, http://stackoverflow.com/q/36238887 noloader> * The Ordinal 112 could not be located in dynamic link library?, noloader> http://stackoverflow.com/q/36163468 I sure hope noone is using OpenSSL 1.1.0 in production. The .num files were recreated entirely just before beta1. So, if we assume that this is about 1.0.2, this is what I can grep: : ; egrep '\s(112|372)\s' util/*.num util/libeay.num:BN_MONT_CTX_free 112 EXIST::FUNCTION: util/libeay.num:PEM_SealInit 372 EXIST::FUNCTION:RSA util/ssleay.num:SSLv23_server_method 112 EXIST::FUNCTION:RSA util/ssleay.num:SSL_CONF_cmd_argv 372 EXIST::FUNCTION: You notice the ":RSA" at the end? That means that if the library was created with the 'no-rsa' config option, those locations will be empty in the transfer table. I can't say for sure that's the case, but it's a possible lead to follow. Either way, it does seem to me that someone didn't keep the OpenSSL libraries in check, somehow. Btw, when it comes to OpenSSL 1.1.0, the DLLs have embedded version numbers in the file name. noloader> I think ordinals were meant to speed up loading of shared resources in noloader> the 16-bit Windows days. They fell out of favor circa Windows 95. noloader> According to Jeffrey Richter and in his book Programming Applications noloader> for Microsoft Windows, page 701 (http://www.amazon.com/dp/1572319968): noloader> noloader> The second form [of the function GetProcAddress] ... noloader> [and the] pszSymbolName parameter indicates the noloader> ordinal number of the symbol whose address you noloader> want... noloader> noloader> Again, let me reiterate that Microsoft strongly noloader> discourages the use of ordinals. noloader> noloader> Richter then goes on to discuss getting the wrong function address noloader> because ordinals have changed. noloader> noloader> It seems like the changes should have been caught in the engineering noloader> process during QA or testing. Perhaps an explicit step should be added noloader> to avoid the problems in the future? Possbly. Either way, it's a bit late in the game to make that change. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From matt at openssl.org Sun Mar 27 22:35:02 2016 From: matt at openssl.org (Matt Caswell) Date: Sun, 27 Mar 2016 23:35:02 +0100 Subject: [openssl-dev] no-ui, warnings and errors In-Reply-To: References: Message-ID: <56F86016.8000708@openssl.org> On 27/03/16 00:16, Jeffrey Walton wrote: > Is this a supported configuration (no-ui and apps)? Co-incidentally, Richard has a patch for no-ui that fixes these problems that is currently in review. Matt > > There's a fair number of warnings when configuring with no-ui: > > apps/enc.c:357:13: warning: implicit declaration of function > ?EVP_read_pw_string? [-Wimplicit-function-declaration] > i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc); > > There's a few link problems, too: > > LD_LIBRARY_PATH=.: gcc -DDSO_DLFCN -DHAVE_DLFCN_H > -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC > -DOPENSSLDIR="/usr/local/ssl" -DENGINESDIR="/usr/local/lib/engines" > -Wall -O3 -m64 -DL_ENDIAN -ansi -o apps/openssl apps/app_rand.o > apps/apps.o apps/asn1pars.o apps/ca.o apps/ciphers.o apps/cms.o > apps/crl.o apps/crl2p7.o apps/dgst.o apps/dhparam.o apps/dsa.o > apps/dsaparam.o apps/ec.o apps/ecparam.o apps/enc.o apps/engine.o > apps/errstr.o apps/gendsa.o apps/genpkey.o apps/genrsa.o apps/nseq.o > apps/ocsp.o apps/openssl.o apps/opt.o apps/passwd.o apps/pkcs12.o > apps/pkcs7.o apps/pkcs8.o apps/pkey.o apps/pkeyparam.o apps/pkeyutl.o > apps/prime.o apps/rand.o apps/rehash.o apps/req.o apps/rsa.o > apps/rsautl.o apps/s_cb.o apps/s_client.o apps/s_server.o > apps/s_socket.o apps/s_time.o apps/sess_id.o apps/smime.o apps/speed.o > apps/spkac.o apps/srp.o apps/ts.o apps/verify.o apps/version.o > apps/x509.o -L. -lssl -L. -lcrypto -ldl > apps/apps.o: In function `ui_close': > apps.c:(.text+0x15): undefined reference to `UI_OpenSSL' > apps.c:(.text+0x1d): undefined reference to `UI_method_get_closer' > apps/apps.o: In function `ui_write': > apps.c:(.text+0x40): undefined reference to `UI_get_input_flags' > apps.c:(.text+0x4c): undefined reference to `UI_get0_user_data' > apps.c:(.text+0x59): undefined reference to `UI_get_string_type' > apps.c:(.text+0x66): undefined reference to `UI_OpenSSL' > apps.c:(.text+0x6e): undefined reference to `UI_method_get_writer' > apps.c:(.text+0x84): undefined reference to `UI_get0_user_data' > apps/apps.o: In function `ui_read': > apps.c:(.text+0xc0): undefined reference to `UI_get_input_flags' > apps.c:(.text+0xcc): undefined reference to `UI_get0_user_data' > apps.c:(.text+0xd9): undefined reference to `UI_get_string_type' > apps.c:(.text+0xe6): undefined reference to `UI_OpenSSL' > apps.c:(.text+0xee): undefined reference to `UI_method_get_reader' > apps.c:(.text+0x104): undefined reference to `UI_get0_user_data' > apps.c:(.text+0x11c): undefined reference to `UI_set_result' > apps/apps.o: In function `ui_open': > apps.c:(.text+0x135): undefined reference to `UI_OpenSSL' > apps.c:(.text+0x13d): undefined reference to `UI_method_get_opener' > apps/apps.o: In function `password_callback': > apps.c:(.text+0xca3): undefined reference to `UI_new_method' > apps.c:(.text+0xcbf): undefined reference to `UI_construct_prompt' > apps.c:(.text+0xce2): undefined reference to `UI_ctrl' > apps.c:(.text+0xd05): undefined reference to `UI_add_input_string' > apps.c:(.text+0xd38): undefined reference to `UI_ctrl' > apps.c:(.text+0xd44): undefined reference to `UI_process' > apps.c:(.text+0xd72): undefined reference to `UI_free' > apps.c:(.text+0xe5e): undefined reference to `UI_add_verify_string' > apps.c:(.text+0xe81): undefined reference to `UI_free' > apps/apps.o: In function `setup_ui_method': > apps.c:(.text+0x11da): undefined reference to `UI_create_method' > apps.c:(.text+0x11ee): undefined reference to `UI_method_set_opener' > apps.c:(.text+0x11ff): undefined reference to `UI_method_set_reader' > apps.c:(.text+0x1210): undefined reference to `UI_method_set_writer' > apps.c:(.text+0x1221): undefined reference to `UI_method_set_closer' > apps/apps.o: In function `destroy_ui_method': > apps.c:(.text+0x1241): undefined reference to `UI_destroy_method' > apps/enc.o: In function `enc_main': > enc.c:(.text+0xfbf): undefined reference to `EVP_read_pw_string' > enc.c:(.text+0x10f7): undefined reference to `EVP_read_pw_string' > apps/pkcs12.o: In function `pkcs12_main': > pkcs12.c:(.text+0x119a): undefined reference to `EVP_read_pw_string' > pkcs12.c:(.text+0x1733): undefined reference to `EVP_read_pw_string' > pkcs12.c:(.text+0x17d8): undefined reference to `EVP_read_pw_string' > apps/pkcs8.o:pkcs8.c:(.text+0x7e0): more undefined references to > `EVP_read_pw_string' follow > ./libcrypto.a(err_all.o): In function `err_load_crypto_strings_intern': > err_all.c:(.text+0x86): undefined reference to `ERR_load_UI_strings' > From rt at openssl.org Sun Mar 27 23:29:46 2016 From: rt at openssl.org (Kurt Roeckx via RT) Date: Sun, 27 Mar 2016 23:29:46 +0000 Subject: [openssl-dev] [openssl.org #4392] [PATCH] Resolve DTLS cookie and version before session resumption. In-Reply-To: <20160327232929.GA12357@roeckx.be> References: <20160327232929.GA12357@roeckx.be> Message-ID: On Mon, Mar 07, 2016 at 10:03:20PM +0000, David Benjamin via RT wrote: > Session resumption involves a version check, so version negotiation must > happen first. Currently, the DTLS implementation cannot do session > resumption in DTLS 1.0 because the ssl_version check always checks against > 1.2. > > Switching the order also removes the need to fixup ssl_version in DTLS > version negotiation. This has been fixed in the master branch. The 1.0.x branches look like they're affected too, so I'll leave this open. Kurt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4392 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 28 04:23:55 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 28 Mar 2016 00:23:55 -0400 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: <3a294bfb52be4da3abd88f937c26f1f2@usma1ex-dag1mb1.msg.corp.akamai.com> References: <20160327.051056.1643525019254842841.levitte@openssl.org> <3a294bfb52be4da3abd88f937c26f1f2@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Sun, Mar 27, 2016 at 10:41 AM, Salz, Rich wrote: > Is this a real problem or a theoretical one? UEFI will be a problem on non 32-bit systems as it assume 32-bit environment. I don't know if there are any of them in the wild, however. non-UEFI code is a problem in some restricted environments, like ANSI. It will affect 32-bit and 64-bit code. I believe "defined(ossl_sszie_t)" may be missing the point for the non-UEFI code. Both are easy enough to fix once we know what to look for. Jeff From noloader at gmail.com Mon Mar 28 05:09:24 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 28 Mar 2016 01:09:24 -0400 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: <56F81733.7060700@oracle.com> References: <3125eac161ff423c9be6a903185e3a37@usma1ex-dag1mb1.msg.corp.akamai.com> <56F81733.7060700@oracle.com> Message-ID: > # if defined(OPENSSL_SYS_UEFI) && !defined(ssize_t) # define ossl_ssize_t > int # define OSSL_SSIZE_MAX INT_MAX # endif > > It's testing for a #define, not a typedef. > > > Then I suppose this comes down to understanding precisely what the test is > trying to achieve. Do you mean it's explicitly checking for ssize_t being a > macro rather than the usual typedef? Does OpenSSL create it as a macro > somewhere? If I am parsing things correctly (in the big picture), ossl_ssize_t and OSSL_SSIZE_MAX are trying to bootstrap themselves. If ssize_t and SSIZE_MAX are available, ossl_ssize_t and OSSL_SSIZE_MAX should set themselves to existing types and define. Otherwise, ossl_ssize_t and OSSL_SSIZE_MAX provide their own definition. I think that's what's trying to be achieved. I can kinda understand the "if defined(ossl_ssize_t)". However, the base case - the first time its encountered undefined - may be missing the point. > POSIX requires ssize_t to be a type rather than a macro, defined in > among other places. I don't know it there are non-POSIX or > vaguely-similar-to-POSIX environments which define it as a macro. Its those non-Posix environments the pain point is experienced. ANSI is one of them. That's because the bootstrapping isn't quite right. I've also seem some interesting results on Android. The test rig is simple enough. It seems some of the older environments (maybe the newer ones too) don't undef SSIZE_MAX; rather, they set it to 0. Jeff $ cat test.cc #include #include #include /* gcc -x c -ansi test.cc -o test.exe */ int main(void) { #if defined(SSIZE_MAX) && (SSIZE_MAX != 0) #define my_ssize_t ssize_t #define MY_SSIZE_MAX SSIZE_MAX printf("SSIZE_MAX is defined, using ssize_t\n"); my_ssize_t t = MY_SSIZE_MAX; #else /* not SSIZE_MAX */ # if (__LP64__) #define my_ssize_t long #define MY_SSIZE_MAX LONG_MAX printf("SSIZE_MAX not defined, typing ssize_t to long\n"); my_ssize_t t = MY_SSIZE_MAX; # else #define my_ssize_t int #define MY_SSIZE_MAX INT_MAX printf("SSIZE_MAX not defined, typing ssize_t to int\n"); my_ssize_t t = MY_SSIZE_MAX; # endif #endif /* SSIZE_MAX */ return 0; } ********** i686 without -ansi: $ ./test.exe SSIZE_MAX is defined, using ssize_t i686 with -ansi: $ ./test.exe SSIZE_MAX not defined, typing ssize_t to int x86_64 without -ansi: $ ./test.exe SSIZE_MAX is defined, using ssize_t x86_64 with -ansi: $ ./test.exe SSIZE_MAX not defined, typing ssize_t to long From rt at openssl.org Mon Mar 28 06:59:53 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 28 Mar 2016 06:59:53 +0000 Subject: [openssl-dev] [openssl.org #4488] PATCH: fix Windows "The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name..." In-Reply-To: References: Message-ID: Working from master at c5c7700c9a1c1daa. The patch below fixes multiple "The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name..." warnings on Windows. There are about 20 of them, and an example is below. diff --git a/e_os.h b/e_os.h index f0a441e..c9765c2 100644 --- a/e_os.h +++ b/e_os.h @@ -520,6 +520,11 @@ struct servent *PASCAL getservbyname(const char *, const char *); # if defined(OPENSSL_SYS_WINDOWS) # define strcasecmp _stricmp # define strncasecmp _strnicmp +# define open _open +# define fdopen _fdopen +# define close _close +# define strdup _strdup +# define unlink _unlink # elif defined(OPENSSL_SYS_VMS) /* VMS below version 7.0 doesn't have strcasecmp() */ # include "internal/o_str.h" ********** cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI CODE /MT /Ox /O2 /Ob2 /Zi /Fdapp /I ..\..\Jeffrey /I apps\Walton\openssl\include /I . /I include -c /Foapps\apps.obj apps\apps.c apps.c apps\apps.c(2572) : warning C4996: 'open': The POSIX name for this item is depre cated. Instead, use the ISO C++ conformant name: _open. See online help for deta ils. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(315) : see declaration of 'open' apps\apps.c(2575) : warning C4996: 'fdopen': The POSIX name for this item is dep recated. Instead, use the ISO C++ conformant name: _fdopen. See online help for details. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\stdio.h(7 09) : see declaration of 'fdopen' apps\apps.c(2593) : warning C4996: 'close': The POSIX name for this item is depr ecated. Instead, use the ISO C++ conformant name: _close. See online help for de tails. C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(305) : see declaration of 'close' -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4488 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: e_os.patch Type: text/x-diff Size: 514 bytes Desc: not available URL: From rt at openssl.org Mon Mar 28 08:38:10 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 28 Mar 2016 08:38:10 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: References: Message-ID: On Windows, the fix below also depends upon the patch from Issue 4488 ("The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name..."). This patch below also fixes some problems with the older standards on Fedora, BSD and Linux. $ cat conf_lib.patch diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c index f197714..7bc3ac0 100644 --- a/crypto/conf/conf_lib.c +++ b/crypto/conf/conf_lib.c @@ -392,7 +392,7 @@ void OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, const char *config_file) { free(settings->config_name); - settings->config_name = config_file == NULL ? NULL : strdup(config_file); + settings->config_name = config_file == NULL ? NULL : OPENSSL_strdup(config_file); } #endif -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From noloader at gmail.com Mon Mar 28 09:04:41 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Mon, 28 Mar 2016 05:04:41 -0400 Subject: [openssl-dev] [openssl.org #4488] PATCH: fix Windows "The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name..." In-Reply-To: References: Message-ID: This patch can be tightened further, if interested. According to MS docs, the define _CRT_NONSTDC_NO_DEPRECATE is available for Visual Studio 2005 (cl.exe=14.00). Also see http://msdn.microsoft.com/en-us/library/ms235384(v=vs.80).aspx. Testing on Visual Studio 2003 (cl.exe=13.10) shows the change is OK there, too. We can pick up Visual Studio 2003 and its compiler through _MSC_VER and 1310. It should leave other versions alone (CE System Builder comes to mind). $ git diff e_os.h > e_os.patch $ cat e_os.patch diff --git a/e_os.h b/e_os.h index f0a441e..1fe3ffb 100644 --- a/e_os.h +++ b/e_os.h @@ -520,6 +520,13 @@ struct servent *PASCAL getservbyname(const char *, const char *); # if defined(OPENSSL_SYS_WINDOWS) # define strcasecmp _stricmp # define strncasecmp _strnicmp +# if (_MSC_VER >= 1310) +# define open _open +# define fdopen _fdopen +# define close _close +# define strdup _strdup +# define unlink _unlink +# endif # elif defined(OPENSSL_SYS_VMS) /* VMS below version 7.0 doesn't have strcasecmp() */ # include "internal/o_str.h" On Mon, Mar 28, 2016 at 2:59 AM, noloader at gmail.com via RT wrote: > Working from master at c5c7700c9a1c1daa. > > The patch below fixes multiple "The POSIX name for this item is > deprecated. Instead, use the ISO C++ conformant name..." warnings on > Windows. There are about 20 of them, and an example is below. > > diff --git a/e_os.h b/e_os.h > index f0a441e..c9765c2 100644 > --- a/e_os.h > +++ b/e_os.h > @@ -520,6 +520,11 @@ struct servent *PASCAL getservbyname(const char > *, const char *); > # if defined(OPENSSL_SYS_WINDOWS) > # define strcasecmp _stricmp > # define strncasecmp _strnicmp > +# define open _open > +# define fdopen _fdopen > +# define close _close > +# define strdup _strdup > +# define unlink _unlink > # elif defined(OPENSSL_SYS_VMS) > /* VMS below version 7.0 doesn't have strcasecmp() */ > # include "internal/o_str.h" > > ********** > > cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P > IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS > SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES > _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " > -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co > mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI > N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI > CODE /MT /Ox /O2 /Ob2 /Zi /Fdapp /I ..\..\Jeffrey /I apps\Walton\openssl\include > /I . /I include -c /Foapps\apps.obj apps\apps.c > apps.c > apps\apps.c(2572) : warning C4996: 'open': The POSIX name for this item is depre > cated. Instead, use the ISO C++ conformant name: _open. See online help for deta > ils. > C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(315) > : see declaration of 'open' > apps\apps.c(2575) : warning C4996: 'fdopen': The POSIX name for this item is dep > recated. Instead, use the ISO C++ conformant name: _fdopen. See online help for > details. > C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\stdio.h(7 > 09) : see declaration of 'fdopen' > apps\apps.c(2593) : warning C4996: 'close': The POSIX name for this item is depr > ecated. Instead, use the ISO C++ conformant name: _close. See online help for de > tails. > C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(305) > : see declaration of 'close' > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4488 > Please log in as guest with password guest if prompted > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -------------- next part -------------- A non-text attachment was scrubbed... Name: e_os.patch Type: text/x-diff Size: 555 bytes Desc: not available URL: From rt at openssl.org Mon Mar 28 09:04:51 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 28 Mar 2016 09:04:51 +0000 Subject: [openssl-dev] [openssl.org #4488] PATCH: fix Windows "The POSIX name for this item is deprecated. Instead, use the ISO C++ conformant name..." In-Reply-To: References: Message-ID: This patch can be tightened further, if interested. According to MS docs, the define _CRT_NONSTDC_NO_DEPRECATE is available for Visual Studio 2005 (cl.exe=14.00). Also see http://msdn.microsoft.com/en-us/library/ms235384(v=vs.80).aspx. Testing on Visual Studio 2003 (cl.exe=13.10) shows the change is OK there, too. We can pick up Visual Studio 2003 and its compiler through _MSC_VER and 1310. It should leave other versions alone (CE System Builder comes to mind). $ git diff e_os.h > e_os.patch $ cat e_os.patch diff --git a/e_os.h b/e_os.h index f0a441e..1fe3ffb 100644 --- a/e_os.h +++ b/e_os.h @@ -520,6 +520,13 @@ struct servent *PASCAL getservbyname(const char *, const char *); # if defined(OPENSSL_SYS_WINDOWS) # define strcasecmp _stricmp # define strncasecmp _strnicmp +# if (_MSC_VER >= 1310) +# define open _open +# define fdopen _fdopen +# define close _close +# define strdup _strdup +# define unlink _unlink +# endif # elif defined(OPENSSL_SYS_VMS) /* VMS below version 7.0 doesn't have strcasecmp() */ # include "internal/o_str.h" On Mon, Mar 28, 2016 at 2:59 AM, noloader at gmail.com via RT wrote: > Working from master at c5c7700c9a1c1daa. > > The patch below fixes multiple "The POSIX name for this item is > deprecated. Instead, use the ISO C++ conformant name..." warnings on > Windows. There are about 20 of them, and an example is below. > > diff --git a/e_os.h b/e_os.h > index f0a441e..c9765c2 100644 > --- a/e_os.h > +++ b/e_os.h > @@ -520,6 +520,11 @@ struct servent *PASCAL getservbyname(const char > *, const char *); > # if defined(OPENSSL_SYS_WINDOWS) > # define strcasecmp _stricmp > # define strncasecmp _strnicmp > +# define open _open > +# define fdopen _fdopen > +# define close _close > +# define strdup _strdup > +# define unlink _unlink > # elif defined(OPENSSL_SYS_VMS) > /* VMS below version 7.0 doesn't have strcasecmp() */ > # include "internal/o_str.h" > > ********** > > cl -DDSO_WIN32 -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_P > IC -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENS > SL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES > _ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM " > -DENGINESDIR=\"%ProgramFiles(x86)%\\OpenSSL\\lib\\engines\"" "-DOPENSSLDIR=\"%Co > mmonProgramFiles(x86)%\\SSL\"" -W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WI > N32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNI > CODE /MT /Ox /O2 /Ob2 /Zi /Fdapp /I ..\..\Jeffrey /I apps\Walton\openssl\include > /I . /I include -c /Foapps\apps.obj apps\apps.c > apps.c > apps\apps.c(2572) : warning C4996: 'open': The POSIX name for this item is depre > cated. Instead, use the ISO C++ conformant name: _open. See online help for deta > ils. > C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(315) > : see declaration of 'open' > apps\apps.c(2575) : warning C4996: 'fdopen': The POSIX name for this item is dep > recated. Instead, use the ISO C++ conformant name: _fdopen. See online help for > details. > C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\stdio.h(7 > 09) : see declaration of 'fdopen' > apps\apps.c(2593) : warning C4996: 'close': The POSIX name for this item is depr > ecated. Instead, use the ISO C++ conformant name: _close. See online help for de > tails. > C:\Program Files (x86)\Microsoft Visual Studio 11.0\VC\INCLUDE\io.h(305) > : see declaration of 'close' > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4488 > Please log in as guest with password guest if prompted > > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4488 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: e_os.patch Type: text/x-diff Size: 555 bytes Desc: not available URL: From rt at openssl.org Mon Mar 28 09:41:25 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Mon, 28 Mar 2016 09:41:25 +0000 Subject: [openssl-dev] [openssl.org #4490] "nmake install" fails "Destination must be a directory at .\util\copy.pl line 39" on Windows with short pathname (no spaces) In-Reply-To: References: Message-ID: Working from Master at c5c7700c9a1c1daa. Strawberry PERL 5.22 Windows XP x64 (as fully patched as it can be) Visual Studio 2005 (as fully patched as it can be) Source directory: C:\openssl-src Install directory: C:\OpenSSL ********** C:\openssl-src>nmake install Microsoft (R) Program Maintenance Utility Version 8.00.50727.762 Copyright (C) Microsoft Corporation. All rights reserved. *** Installing development files created directory `C:/Program Files/OpenSSL' created directory `C:/Program Files/OpenSSL/include' created directory `C:/Program Files/OpenSSL/include/openssl' Destination must be a directory at .\util\copy.pl line 39. NMAKE : fatal error U1077: 'perl' : return code '0x2' Stop. ********** C:\openssl-src>perl Configure VC-WIN64A no-async --openssldir="C:\OpenSSL" Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) no-async [option] OPENSSL_NO_ASYNC no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) no-crypto-mdebug-backtrace [forced] OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (sk ip dir) no-dynamic-engine [forced] no-ec_nistp_64_gcc_128 [default] OPENSSL_NO_EC_NISTP_64_GCC_128 (skip dir) no-egd [default] OPENSSL_NO_EGD (skip dir) no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) no-md2 [default] OPENSSL_NO_MD2 (skip dir) no-rc5 [default] OPENSSL_NO_RC5 (skip dir) no-sctp [default] OPENSSL_NO_SCTP (skip dir) no-shared [default] no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) no-zlib [default] no-zlib-dynamic [default] Configuring for VC-WIN64A CC =cl CFLAG =-W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WIN32 -DWIN32_LEAN _AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNICODE /MT /Ox /O2 /Ob2 SHARED_CFLAG =-D_WINDLL DEFINES =DSO_WIN32 OPENSSL_THREADS OPENSSL_NO_DYNAMIC_ENGINE OPENSSL_PIC O PENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SH A1_ASM SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_N ISTZ256_ASM POLY1305_ASM LFLAG =/nologo /debug PLIB_LFLAG = EX_LIBS =ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib APPS_OBJ = CPUID_OBJ =x86_64cpuid.o UPLINK_OBJ = BN_ASM =bn_asm.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rs az-x86_64.o rsaz-avx2.o EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o DES_ENC =des_enc.o fcrypt_b.o AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-s ha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o BF_ENC =bf_enc.o CAST_ENC =c_enc.o RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o RC5_ENC =rc5_enc.o MD5_OBJ_ASM =md5-x86_64.o SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sh a256-mb-x86_64.o RMD160_OBJ_ASM= CMLL_ENC =cmll-x86_64.o cmll_misc.o MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o PADLOCK_OBJ =e_padlock-x86_64.o CHACHA_ENC =chacha-x86_64.o POLY1305_OBJ =poly1305-x86_64.o BLAKE2_OBJ = PROCESSOR = RANLIB =true ARFLAGS =/nologo PERL =perl SIXTY_FOUR_BIT mode Configured for VC-WIN64A. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4490 Please log in as guest with password guest if prompted From openssl-users at dukhovni.org Mon Mar 28 13:16:21 2016 From: openssl-users at dukhovni.org (Viktor Dukhovni) Date: Mon, 28 Mar 2016 09:16:21 -0400 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: References: Message-ID: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> > On Mar 28, 2016, at 4:38 AM, noloader at gmail.com via RT wrote: > > On Windows, the fix below also depends upon the patch from Issue 4488 > ("The POSIX name for this item is deprecated. Instead, use the ISO C++ > conformant name..."). > > This patch below also fixes some problems with the older standards on > Fedora, BSD and Linux. > > $ cat conf_lib.patch > diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c > index f197714..7bc3ac0 100644 > --- a/crypto/conf/conf_lib.c > +++ b/crypto/conf/conf_lib.c > @@ -392,7 +392,7 @@ void > OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, > const char *config_file) > { > free(settings->config_name); > - settings->config_name = config_file == NULL ? NULL : strdup(config_file); > + settings->config_name = config_file == NULL ? NULL : > OPENSSL_strdup(config_file); > } > #endif If you're going to change strdup -> OPENSSL_strdup, then the previous line needs to also change free -> OPENSSL_free. -- Viktor. From rt at openssl.org Mon Mar 28 13:16:30 2016 From: rt at openssl.org (Viktor Dukhovni via RT) Date: Mon, 28 Mar 2016 13:16:30 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> Message-ID: > On Mar 28, 2016, at 4:38 AM, noloader at gmail.com via RT wrote: > > On Windows, the fix below also depends upon the patch from Issue 4488 > ("The POSIX name for this item is deprecated. Instead, use the ISO C++ > conformant name..."). > > This patch below also fixes some problems with the older standards on > Fedora, BSD and Linux. > > $ cat conf_lib.patch > diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c > index f197714..7bc3ac0 100644 > --- a/crypto/conf/conf_lib.c > +++ b/crypto/conf/conf_lib.c > @@ -392,7 +392,7 @@ void > OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, > const char *config_file) > { > free(settings->config_name); > - settings->config_name = config_file == NULL ? NULL : strdup(config_file); > + settings->config_name = config_file == NULL ? NULL : > OPENSSL_strdup(config_file); > } > #endif If you're going to change strdup -> OPENSSL_strdup, then the previous line needs to also change free -> OPENSSL_free. -- Viktor. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From rsalz at akamai.com Mon Mar 28 13:21:19 2016 From: rsalz at akamai.com (Salz, Rich) Date: Mon, 28 Mar 2016 13:21:19 +0000 Subject: [openssl-dev] Testing for a type with a define in e_os2.h? In-Reply-To: References: <20160327.051056.1643525019254842841.levitte@openssl.org> <3a294bfb52be4da3abd88f937c26f1f2@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: <69a2f0350e804a5292d64177c42ae9be@usma1ex-dag1mb1.msg.corp.akamai.com> > > Is this a real problem or a theoretical one? > > UEFI will be a problem on non 32-bit systems as it assume 32-bit > environment. I don't know if there are any of them in the wild, however. Okay, theoretical. I assume the UEFI folks, who are VERY active here, will let us know. > non-UEFI code is a problem in some restricted environments, like ANSI. > It will affect 32-bit and 64-bit code. I repeat my question. Does it break in -ansi? From rt at openssl.org Mon Mar 28 15:09:40 2016 From: rt at openssl.org (Paulo Flabiano Smorigo via RT) Date: Mon, 28 Mar 2016 15:09:40 +0000 Subject: [openssl-dev] [openssl.org #4491] [PATCH] VMX-crypto: Add XTS support In-Reply-To: <20160328150622.GA15807@london.kopenhagen> References: <20160328150622.GA15807@london.kopenhagen> Message-ID: Author: Leonidas Da Silva Barbosa ASM implementation Signed-off-by: Paulo Flabiano Smorigo Signed-off-by: Leonidas Da Silva Barbosa --- crypto/aes/asm/aesp8-ppc.pl | 237 +++++++++++++++++++++++++++++++++++++++++++- crypto/evp/e_aes.c | 7 ++ 2 files changed, 243 insertions(+), 1 deletion(-) diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl index a1891cc..28ae77c 100755 --- a/crypto/aes/asm/aesp8-ppc.pl +++ b/crypto/aes/asm/aesp8-ppc.pl @@ -84,6 +84,19 @@ Lconsts: .byte 0,12,0x14,0,0,0,0,0 .asciz "AES for PowerISA 2.07, CRYPTOGAMS by " +.align 7 +gf: +.long 0x87000000, 0x00000000, 0x00000000, 0x00000000 ?rev +Lgf: + mflr r0 + bcl 20,21,\$+4 + mflr r12 + addi r12,r12,-24 + mtlr r0 + blr + .long 0 + .byte 0,12,0x14,0,0,0,0,0 + .globl .${prefix}_set_encrypt_key .align 5 .${prefix}_set_encrypt_key: @@ -1886,6 +1899,228 @@ Lctr32_enc8x_done: .size .${prefix}_ctr32_encrypt_blocks,.-.${prefix}_ctr32_encrypt_blocks ___ }} }}} +####### +{{ +my ($inp,$out,$len,$key,$tweak,$enc,$rounds,$idx)=map("r$_",(3..10)); +my ($rndkey0, $rndkey1,$inout,$tmp)=map("v$_",(0..3)); +my ($intweak,$inptail,$inpperm,$outhead,$outperm,$outmask,$keyperm)= + map("v$_",(4..10)); + + +$code.=<<___; +.globl .${prefix}_xts_encrypt +.align 5 +.${prefix}_xts_encrypt: + ${UCMP}i $len,16 + bltlr- + + cmpwi $enc,0 + lis r0,0xffe0 + mfspr $vrsave,256 + mtspr 256,r0 + + li $idx,15 + vxor $rndkey0,$rndkey0,$rndkey0 + le?vspltisb $tmp,0x0f + + lvx $intweak,0,$tweak + lvsl $inpperm,0,$tweak + lvx $inptail,$idx,$tweak + le?vxor $inpperm,$inpperm,$tmp + vperm $intweak,$intweak,$inptail,$inpperm + + neg r11,$inp + ?lvsl $keyperm,0,$key + lwz $rounds,240($key) + + lvsr $inpperm,0,r11 + lvx $inptail,0,$inp + addi $inp,$inp,15 + le?vxor $inpperm,$inpperm,$tmp + + ?lvsr $outperm,0,$out + vspltisb $outmask,-1 + lvx $outhead,0,$out + ?vperm $outmask,$rndkey0,$outmask,$outperm + le?vxor $outperm,$outperm,$tmp + + srwi $rounds,$rounds,1 + li $idx,16 + subi $rounds,$rounds,1 + + beq Lxts_dec #if enc = 0 is dec + b Lxts_enc #if not jump to enc + +Ltweak: + mflr r11 + xor r12,r12,r12 + addi r12,r12,0x1 + lvsr v11,0,r12 + + bl Lgf + mtlr r11 + + vor v11,v4,v4 + vspltisb v15,1 # create a mask 0101010...01 + vsl v13,$intweak,v15 # shift tweak left 1 bit + vor $intweak,v13,v13 + vand v13,v13,v15 # create a new mask to fix shift left + + vxor v13,v4,v13 # apply mask to clean last bits at each byte + vxor v12,v12,v12 + vsldoi v12,v11,v12,0xf + + vspltisb v14,0x06 + vspltisb v16,0x02 + vsl v14,v16,v14 # create a mask of 808080..80 bytes to check carry bits + vspltisb v16,0x0f + vand v11,v11,v14 # create a mask to see if we have carry to xor + + vsro v11,v11,v16 # shift 1byte back carry bit + vsr v11,v11,v16 # shift 7bits carry bit + + vxor v13,v13,v11 # apply mask and finally we have a tweak shifted 1 bit + vor $intweak,v13,v13 + vxor v13,v13,v13 + + vand v14,v12,v14 # if first byte in tweak has a carry we'll need to mult it + vxor v16,v16,v16 + vcmpequb v16,v16,v14 + + lvx v11,0,r12 + + vspltisb v15, -1 + vxor v16, v16,v15 + vand v11,v16,v11 + vxor $intweak,v11,$intweak + + cmpwi $enc,0 + beq Lxts_dec + +Lxts_enc: + vmr $inout,$inptail + lvx $inptail,0,$inp + addi $inp,$inp,16 + mtctr $rounds + subi $len,$len,16 + + lvx $rndkey0,0,$key + vperm $inout,$inout,$inptail,$inpperm + lvx $rndkey1,$idx,$key + addi $idx,$idx,16 + ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm + vxor $inout,$inout,$rndkey0 + lvx $rndkey0,$idx,$key + addi $idx,$idx,16 + vxor $inout,$inout,$intweak #P = T xor PP + +Loop_xts_enc: + ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm + vcipher $inout,$inout,$rndkey1 + lvx $rndkey1,$idx,$key + + addi $idx,$idx,16 + ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm + vcipher $inout,$inout,$rndkey0 + lvx $rndkey0,$idx,$key + + addi $idx,$idx,16 + bdnz Loop_xts_enc + + ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm + vcipher $inout,$inout,$rndkey1 + lvx $rndkey1,$idx,$key + li $idx,16 + ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm + vcipherlast $inout,$inout,$rndkey0 + vxor $inout,$inout,$intweak #C = T xor CC + ${UCMP}i $len,16 + + vperm $tmp,$inout,$inout,$outperm + vsel $inout,$outhead,$tmp,$outmask + vmr $outhead,$tmp + stvx $inout,0,$out + addi $out,$out,16 + bge Ltweak + + b Lxts_done + +Lxts_dec: + vmr $inout,$inptail + lvx $inptail,0,$inp + addi $inp,$inp,16 + mtctr $rounds + subi $len,$len,16 + + lvx $rndkey0,0,$key + vperm $inout,$inout,$inptail,$inpperm + lvx $rndkey1,$idx,$key + addi $idx,$idx,16 + ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm + vxor $inout,$inout,$rndkey0 + lvx $rndkey0,$idx,$key + addi $idx,$idx,16 + vxor $inout,$inout,$intweak #P = T xor PP + +Loop_xts_dec: + ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm + vncipher $inout,$inout,$rndkey1 + lvx $rndkey1,$idx,$key + + addi $idx,$idx,16 + ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm + vncipher $inout,$inout,$rndkey0 + lvx $rndkey0,$idx,$key + + addi $idx,$idx,16 + bdnz Loop_xts_dec + + ?vperm $rndkey1,$rndkey1,$rndkey0,$keyperm + vncipher $inout,$inout,$rndkey1 + lvx $rndkey1,$idx,$key + li $idx,16 + ?vperm $rndkey0,$rndkey0,$rndkey1,$keyperm + vncipherlast $inout,$inout,$rndkey0 + vxor $inout,$inout,$intweak #C = T xor CC + ${UCMP}i $len,16 + + vperm $tmp,$inout,$inout,$outperm + vsel $inout,$outhead,$tmp,$outmask + vmr $outhead,$tmp + stvx $inout,0,$out + addi $out,$out,16 + bge Ltweak + +Lxts_done: + addi $out,$out,-1 + lvx $inout,0,$out, + vsel $inout,$outhead,$inout,$outmask + stvx $inout,0,$out + + neg $enc,$tweak + li $idx,15 + vxor $rndkey0,$rndkey0,$rndkey0 + vspltisb $outmask,-1 + le?vspltisb $tmp,0x0f + ?lvsl $outperm,0,$enc + ?vperm $outmask,$rndkey0,$outmask,$outperm + le?vxor $outperm,$outperm,$tmp + lvx $outhead,0,$tweak + vperm $intweak,$intweak,$intweak,$outperm + vsel $inout,$outhead,$intweak,$outmask + lvx $inptail,$idx,$tweak + stvx $inout,0,$tweak + vsel $inout,$intweak,$inptail,$outmask + stvx $inout,$idx,$tweak + + mtspr 256,$vrsave + blr + .long 0 + .byte 0,12,0x14,0,0,0,6,0 + .long 0 +.size .${prefix}_xts_encrypt,.-.${prefix}_xts_encrypt +___ +}} my $consts=1; foreach(split("\n",$code)) { @@ -1918,7 +2153,7 @@ foreach(split("\n",$code)) { print ".byte\t",join(',',map (sprintf("0x%02x",$_), at bytes)),"\n"; next; } - $consts=0 if (m/Lconsts:/o); # end of table + $consts=0 if (m/Lgf:/o); # end of table # instructions prefixed with '?' are endian-specific and need # to be adjusted accordingly... diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index c906e6f..b83af7b 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -196,6 +196,7 @@ void AES_xts_decrypt(const char *inp, char *out, size_t len, # define HWAES_encrypt aes_p8_encrypt # define HWAES_decrypt aes_p8_decrypt # define HWAES_cbc_encrypt aes_p8_cbc_encrypt +# define HWAES_xts_encrypt aes_p8_xts_encrypt # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks # endif @@ -1039,6 +1040,9 @@ void HWAES_decrypt(const unsigned char *in, unsigned char *out, void HWAES_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t length, const AES_KEY *key, unsigned char *ivec, const int enc); +void HWAES_xts_encrypt(const unsigned char *in, unsigned char *out, + size_t length, const AES_KEY *key, + unsigned char *ivec, const int enc); void HWAES_ctr32_encrypt_blocks(const unsigned char *in, unsigned char *out, size_t len, const AES_KEY *key, const unsigned char ivec[16]); @@ -1850,6 +1854,9 @@ static int aes_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, xctx->xts.block2 = (block128_f) HWAES_encrypt; xctx->xts.key1 = &xctx->ks1; + + if (HWAES_xts_encrypt) + xctx->stream = HWAES_xts_encrypt; break; } else # endif -- 2.5.5 -- Paulo Flabiano Smorigo IBM Linux Technology Center -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4491 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 06:53:30 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 29 Mar 2016 06:53:30 +0000 Subject: [openssl-dev] [openssl.org #4492] Configure, Unix and Linux, and malformed command line when path includes spaces In-Reply-To: References: Message-ID: Unix and Linux builds have problems when the path includes spaces. In-tree is witnessing the issue, and out-of-tree may experience the issue. This problem was observed on Windows due to "C:\Program Files" and "C:\Documents and Settings"; see Issues 4486 and 4490. Windows uses UAC, which means make usually does not fails and it sprays the errant directories onto the filesystem. Conventional wisdom is to "don't use spaces"; however, it does not apply to Windows so the problem may as well be completely remediated since it has to be fixed under Windows. To duplicate: cd /tmp git clone git://git.openssl.org/openssl.git "openssl workspace" cd "openssl workspace" ./config You should encounter paths like the following on the command lines. Notice the include options have "-I../openssl -Iworkspace/include -I. -Icrypto/include -Iinclude -Icrypto/bn/workspace/crypto/include". cc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -I../openssl -Iworkspace/include -I. -Icrypto/include -Iinclude -Icrypto/bn/workspace/crypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o crypto/aes/aes-x86_64.s ... *********** I see where some of the potential problems are. I just don't have the requisite Perl experience to remediate them and offer a patch. Some other places are where $bilddir, $srcdir and $args{incs} are used. openssl workspace$ grep -R "\-I" * | egrep -iv 'makefile|\.conf|\.h|\.c|\.txt|\.pod|//test|test\.pl' Configurations/descrip.mms.tmpl: staging_instdir = staging_instdir - "]A.;" + ".OPENSSL-INSTALL]" Configurations/descrip.mms.tmpl: staging_instdir = staging_instdir - "A.;" + "[OPENSSL-INSTALL]" Configurations/descrip.mms.tmpl: $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} - Configurations/descrip.mms.tmpl: $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} - Configurations/descrip.mms.tmpl: \$(PERL) "-I\$(BUILDDIR)" "-Mconfigdata" $dofile - Configure: $withargs{zlib_include}="-I$1"; Configure: my $cmd = "$config{perl} \"-I.\" \"-Mconfigdata\" $dofile -o\"Configure\" \"".join("\" \"", at templates)."\" > \"$out.new\""; ... test/run_tests.pl:$switches = "-w \"-I$testlib\" \"-I$utillib\""; -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4492 Please log in as guest with password guest if prompted From noloader at gmail.com Tue Mar 29 07:54:48 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 29 Mar 2016 03:54:48 -0400 Subject: [openssl-dev] Switch or option for out-of-tree operations? Message-ID: I'm trying to test an out-of-tree build. Configure does not appear to document the switch; cf., http://github.com/openssl/openssl/blob/master/Configure. There are $blddir and $srcdir variables, but searching for the variables, 'tree' and 'build' don't appear to provide a hint. Using a naive "--blddir=" and "--srcdir=" is cause a compile failure due to an unknown option. There are some past questions, but they are 5 years old or so; cf., http://openssl.6102.n7.nabble.com/building-out-of-tree-td16071.html. How do I build out-of-tree? Or how do we test the features? ********** >From the source directory: src$ ./config --blddir=/tmp/openssl-tmp ... src$ make ... CC="gcc" /usr/bin/perl crypto/aes/asm/aes-x86_64.pl elf crypto/aes/aes-x86_64.s gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN --blddir=/tmp/openssl-tmp -Wa,--noexecstack -fPIC -Iinclude -I. -Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o crypto/aes/aes-x86_64.s gcc: error: unrecognized command line option ?--blddir=/tmp/openssl-tmp? make: *** [crypto/aes/aes-x86_64.o] Error 1 ********** >From a temp directory: cd /tmp $ ./openssl-src/config --srcdir=/tmp/openssl-src --blddir=/tmp/openssl-tmp ... $ make gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM -DOPENSSLDIR="\"/usr/local/ssl\"" -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 -DL_ENDIAN --srcdir=/tmp/openssl-src --blddir=/tmp/openssl-tmp -Wa,--noexecstack -fPIC -Iinclude -Iopenssl-src -Iopenssl-src/crypto/include -Iopenssl-src/include -Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o openssl-src/crypto/aes/aes-x86_64.s gcc: error: unrecognized command line option ?--srcdir=/tmp/openssl-src? gcc: error: unrecognized command line option ?--blddir=/tmp/openssl-tmp? make: *** [crypto/aes/aes-x86_64.o] Error 1 From levitte at openssl.org Tue Mar 29 08:28:04 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 29 Mar 2016 10:28:04 +0200 (CEST) Subject: [openssl-dev] Switch or option for out-of-tree operations? In-Reply-To: References: Message-ID: <20160329.102804.43914362755438474.levitte@openssl.org> I suggest you read the docs, such as INSTALL. If you go down a bit, you'll find the section "Installation in Detail", and a little bit further, you'll find "1c. Configure OpenSSL for building outside of the source tree." Cheers, Richard In message on Tue, 29 Mar 2016 03:54:48 -0400, Jeffrey Walton said: noloader> I'm trying to test an out-of-tree build. Configure does not appear to noloader> document the switch; cf., noloader> http://github.com/openssl/openssl/blob/master/Configure. noloader> noloader> There are $blddir and $srcdir variables, but searching for the noloader> variables, 'tree' and 'build' don't appear to provide a hint. noloader> noloader> Using a naive "--blddir=" and "--srcdir=" is cause a compile failure noloader> due to an unknown option. There are some past questions, but they are noloader> 5 years old or so; cf., noloader> http://openssl.6102.n7.nabble.com/building-out-of-tree-td16071.html. noloader> noloader> How do I build out-of-tree? Or how do we test the features? noloader> noloader> ********** noloader> noloader> From the source directory: noloader> noloader> src$ ./config --blddir=/tmp/openssl-tmp noloader> ... noloader> src$ make noloader> ... noloader> CC="gcc" /usr/bin/perl crypto/aes/asm/aes-x86_64.pl elf crypto/aes/aes-x86_64.s noloader> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS noloader> -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 noloader> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m noloader> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM noloader> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM noloader> -DOPENSSLDIR="\"/usr/local/ssl\"" noloader> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 noloader> -DL_ENDIAN --blddir=/tmp/openssl-tmp -Wa,--noexecstack -fPIC noloader> -Iinclude -I. -Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp noloader> -MT crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o noloader> crypto/aes/aes-x86_64.s noloader> gcc: error: unrecognized command line option ?--blddir=/tmp/openssl-tmp? noloader> make: *** [crypto/aes/aes-x86_64.o] Error 1 noloader> noloader> ********** noloader> noloader> From a temp directory: noloader> noloader> cd /tmp noloader> $ ./openssl-src/config --srcdir=/tmp/openssl-src --blddir=/tmp/openssl-tmp noloader> ... noloader> $ make noloader> gcc -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS noloader> -DOPENSSL_NO_DYNAMIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 noloader> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m noloader> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM noloader> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM noloader> -DOPENSSLDIR="\"/usr/local/ssl\"" noloader> -DENGINESDIR="\"/usr/local/lib/engines\"" -Wall -O3 -pthread -m64 noloader> -DL_ENDIAN --srcdir=/tmp/openssl-src --blddir=/tmp/openssl-tmp noloader> -Wa,--noexecstack -fPIC -Iinclude -Iopenssl-src noloader> -Iopenssl-src/crypto/include -Iopenssl-src/include -Icrypto/include noloader> -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT crypto/aes/aes-x86_64.o -c -o noloader> crypto/aes/aes-x86_64.o openssl-src/crypto/aes/aes-x86_64.s noloader> gcc: error: unrecognized command line option ?--srcdir=/tmp/openssl-src? noloader> gcc: error: unrecognized command line option ?--blddir=/tmp/openssl-tmp? noloader> make: *** [crypto/aes/aes-x86_64.o] Error 1 noloader> -- noloader> openssl-dev mailing list noloader> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev From rt at openssl.org Tue Mar 29 11:50:32 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Tue, 29 Mar 2016 11:50:32 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: <56FA6C32.6000004@openssl.org> References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <56FA6C32.6000004@openssl.org> Message-ID: On 03/28/16 15:16, Viktor Dukhovni via RT wrote: > >> On Mar 28, 2016, at 4:38 AM, noloader at gmail.com via RT wrote: >> >> On Windows, the fix below also depends upon the patch from Issue 4488 >> ("The POSIX name for this item is deprecated. Instead, use the ISO C++ >> conformant name..."). >> >> This patch below also fixes some problems with the older standards on >> Fedora, BSD and Linux. >> >> $ cat conf_lib.patch >> diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c >> index f197714..7bc3ac0 100644 >> --- a/crypto/conf/conf_lib.c >> +++ b/crypto/conf/conf_lib.c >> @@ -392,7 +392,7 @@ void >> OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, >> const char *config_file) >> { >> free(settings->config_name); >> - settings->config_name = config_file == NULL ? NULL : strdup(config_file); >> + settings->config_name = config_file == NULL ? NULL : >> OPENSSL_strdup(config_file); >> } >> #endif > > If you're going to change strdup -> OPENSSL_strdup, then the previous > line needs to also change free -> OPENSSL_free. Few lines up there is rationale for malloc/free and by association strdup. Switching to OPENSSL_[strdup|malloc|free] goes against it. On Windows one can/should switch to _strdup (it also solves another real yet subtle problem, not just warning). If lack of strdup is concern (relly? which Fedora, BSD, Linux can it be?), then one might have to consider local few-liner implementation. And conf_sap.c suffers from this too... -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From noloader at gmail.com Tue Mar 29 12:02:32 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 29 Mar 2016 08:02:32 -0400 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <56FA6C32.6000004@openssl.org> Message-ID: >>> $ cat conf_lib.patch >>> diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c >>> index f197714..7bc3ac0 100644 >>> --- a/crypto/conf/conf_lib.c >>> +++ b/crypto/conf/conf_lib.c >>> @@ -392,7 +392,7 @@ void >>> OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, >>> const char *config_file) >>> { >>> free(settings->config_name); >>> - settings->config_name = config_file == NULL ? NULL : strdup(config_file); >>> + settings->config_name = config_file == NULL ? NULL : >>> OPENSSL_strdup(config_file); >>> } >>> #endif >> >> If you're going to change strdup -> OPENSSL_strdup, then the previous >> line needs to also change free -> OPENSSL_free. > > Few lines up there is rationale for malloc/free and by association > strdup. Switching to OPENSSL_[strdup|malloc|free] goes against it. On > Windows one can/should switch to _strdup (it also solves another real > yet subtle problem, not just warning). If lack of strdup is concern > (relly? which Fedora, BSD, Linux can it be?), then one might have to > consider local few-liner implementation. And conf_sap.c suffers from > this too... The odd thing with this one was, the switch from strdup to _strdup should have occurred with the patch from Issue 4488 occurred. For some reason, the text substitution was not occurring, even after including the header "openssl/e_os.h" in conf_lib.c. I'm probably missing some other interaction among the headers. For completeness, below is the thrust of the 4488 patch. If Microsoft's compiler is from Visual Studio 2003 or above, then follow Microsoft's recommendations reported in the warning. *********** $ git diff e_os.h > e_os.patch $ cat e_os.patch diff --git a/e_os.h b/e_os.h index f0a441e..1fe3ffb 100644 --- a/e_os.h +++ b/e_os.h @@ -520,6 +520,13 @@ struct servent *PASCAL getservbyname(const char *, const char *); # if defined(OPENSSL_SYS_WINDOWS) # define strcasecmp _stricmp # define strncasecmp _strnicmp +# if (_MSC_VER >= 1310) +# define open _open +# define fdopen _fdopen +# define close _close +# define strdup _strdup +# define unlink _unlink +# endif # elif defined(OPENSSL_SYS_VMS) /* VMS below version 7.0 doesn't have strcasecmp() */ # include "internal/o_str.h" From rt at openssl.org Tue Mar 29 12:02:42 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 29 Mar 2016 12:02:42 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <56FA6C32.6000004@openssl.org> Message-ID: >>> $ cat conf_lib.patch >>> diff --git a/crypto/conf/conf_lib.c b/crypto/conf/conf_lib.c >>> index f197714..7bc3ac0 100644 >>> --- a/crypto/conf/conf_lib.c >>> +++ b/crypto/conf/conf_lib.c >>> @@ -392,7 +392,7 @@ void >>> OPENSSL_INIT_set_config_filename(OPENSSL_INIT_SETTINGS *settings, >>> const char *config_file) >>> { >>> free(settings->config_name); >>> - settings->config_name = config_file == NULL ? NULL : strdup(config_file); >>> + settings->config_name = config_file == NULL ? NULL : >>> OPENSSL_strdup(config_file); >>> } >>> #endif >> >> If you're going to change strdup -> OPENSSL_strdup, then the previous >> line needs to also change free -> OPENSSL_free. > > Few lines up there is rationale for malloc/free and by association > strdup. Switching to OPENSSL_[strdup|malloc|free] goes against it. On > Windows one can/should switch to _strdup (it also solves another real > yet subtle problem, not just warning). If lack of strdup is concern > (relly? which Fedora, BSD, Linux can it be?), then one might have to > consider local few-liner implementation. And conf_sap.c suffers from > this too... The odd thing with this one was, the switch from strdup to _strdup should have occurred with the patch from Issue 4488 occurred. For some reason, the text substitution was not occurring, even after including the header "openssl/e_os.h" in conf_lib.c. I'm probably missing some other interaction among the headers. For completeness, below is the thrust of the 4488 patch. If Microsoft's compiler is from Visual Studio 2003 or above, then follow Microsoft's recommendations reported in the warning. *********** $ git diff e_os.h > e_os.patch $ cat e_os.patch diff --git a/e_os.h b/e_os.h index f0a441e..1fe3ffb 100644 --- a/e_os.h +++ b/e_os.h @@ -520,6 +520,13 @@ struct servent *PASCAL getservbyname(const char *, const char *); # if defined(OPENSSL_SYS_WINDOWS) # define strcasecmp _stricmp # define strncasecmp _strnicmp +# if (_MSC_VER >= 1310) +# define open _open +# define fdopen _fdopen +# define close _close +# define strdup _strdup +# define unlink _unlink +# endif # elif defined(OPENSSL_SYS_VMS) /* VMS below version 7.0 doesn't have strcasecmp() */ # include "internal/o_str.h" -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From noloader at gmail.com Tue Mar 29 12:13:22 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 29 Mar 2016 08:13:22 -0400 Subject: [openssl-dev] Switch or option for out-of-tree operations? In-Reply-To: <20160329.102804.43914362755438474.levitte@openssl.org> References: <20160329.102804.43914362755438474.levitte@openssl.org> Message-ID: On Tue, Mar 29, 2016 at 4:28 AM, Richard Levitte wrote: > I suggest you read the docs, such as INSTALL. If you go down a bit, > you'll find the section "Installation in Detail", and a little bit > further, you'll find "1c. Configure OpenSSL for building outside of > the source tree." Perfect, thanks. How is it being tested? Jeff From levitte at openssl.org Tue Mar 29 12:19:58 2016 From: levitte at openssl.org (Richard Levitte) Date: Tue, 29 Mar 2016 14:19:58 +0200 (CEST) Subject: [openssl-dev] Switch or option for out-of-tree operations? In-Reply-To: References: <20160329.102804.43914362755438474.levitte@openssl.org> Message-ID: <20160329.141958.1290084117384077345.levitte@openssl.org> In message on Tue, 29 Mar 2016 08:13:22 -0400, Jeffrey Walton said: noloader> On Tue, Mar 29, 2016 at 4:28 AM, Richard Levitte wrote: noloader> > I suggest you read the docs, such as INSTALL. If you go down a bit, noloader> > you'll find the section "Installation in Detail", and a little bit noloader> > further, you'll find "1c. Configure OpenSSL for building outside of noloader> > the source tree." noloader> noloader> Perfect, thanks. noloader> noloader> How is it being tested? If you have a look in .travis.yml, you can see that we make a separate _build directory for all builds that aren't configured --classic. Cheers, Richard -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From beldmit at gmail.com Tue Mar 29 12:33:19 2016 From: beldmit at gmail.com (Dmitry Belyavsky) Date: Tue, 29 Mar 2016 15:33:19 +0300 Subject: [openssl-dev] cms -decrypt calls RAND_pseudo_bytes Message-ID: Hello, We currently use the openssl 1.0.2g. We found out that the cms -decrypt command line utility calls the RAND_pseudo_bytes function. In the file crypto/cms/cms_enc.c the function EVP_CIPHER_CTX_rand_key is called both for the encryption and for the decryption. Could we avoid the call to the EVP_CIPHER_CTX_rand_key function in case of decryption? It seems unnecessary for me here, but I am not sure I understand the whole situation. Thank you! -- SY, Dmitry Belyavsky -------------- next part -------------- An HTML attachment was scrubbed... URL: From appro at openssl.org Tue Mar 29 12:41:56 2016 From: appro at openssl.org (Andy Polyakov) Date: Tue, 29 Mar 2016 14:41:56 +0200 Subject: [openssl-dev] Changing/deleted ordinals for exported function in the Windows DLLs In-Reply-To: References: Message-ID: <56FA7814.4060706@openssl.org> > It looks like ordinals are changing and/or being removed for functions > exported by the Windows DLL. Its causing pain points for users in the > field, and it appears to be trending. Confer: > > * WAMP OpenSSL ordinal 372 error, http://stackoverflow.com/q/36238887 > * The Ordinal 112 could not be located in dynamic link library?, > http://stackoverflow.com/q/36163468 This can be a bit misleading in sense that it doesn't have to be related to ordinals per se. I mean if an application calls a function from DLL, if you remove that function from DLL, it doesn't matter how it was exposed, by ordinal or by name. If exposed by name, then error message would be more readable, or less ambiguous, but application will fail to start in either case. In other words I agree with Richard's suggestion that someone fails to keep OpenSSL DLLs in check, and say that failure to do so would have similar effect irregardless whether or not we stick with ordinals or not. From rt at openssl.org Tue Mar 29 12:46:28 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Tue, 29 Mar 2016 12:46:28 +0000 Subject: [openssl-dev] [openssl.org #4483] Re: [openssl.org #4482] Wrong results with Poly1305 functions In-Reply-To: <56FA7952.8090802@openssl.org> References: <20160325115042.5b8be48f@pc1> <56FA7952.8090802@openssl.org> Message-ID: >> Attached is a sample code that will test various inputs for the >> Poly1305 functions of openssl... > > I'm seeing compiler conversion warnings about size_t to int > truncation. Can you be more specific? > Do you have any vectors that cross the 2GB boundary? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 13:46:59 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Tue, 29 Mar 2016 13:46:59 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: <56FA877F.8040200@openssl.org> References: <20160325115042.5b8be48f@pc1> <56F58C7F.8010109@openssl.org> <56FA877F.8040200@openssl.org> Message-ID: >>> In the final reduction, $h1 is all ones, so there is one more carry to >>> propagate. Though $h2 can then overflow its two bits, I think? I expect >>> that and the cleared bits of r mean the imulqs in poly1305_iteration are >>> still safe, so we can pick up that slack in poly1305_emit, but I'm not >> sure >>> about all the complex switching back and forth in the SIMD codepaths. >> Does >>> __poly1305_block need to follow up with one more reduction? >> >> That additional adc goes to a perl subroutine that is used in both >> poly1305_blocks and __poly1305_blocks, so modification covers both. Pure >> SIMD paths (or FP) are not affected... >> > > Right. What I meant is that a fully reduced h has $h2 < 4. Is it possible > that $h2, after that adc, ends up at 4, exceeding that bound? The question is somewhat ambiguous. I mean you write < 4 and then wonder if it can end up at 4. If you meant to write $h2 < 3, then it wouldn't be ambiguous. Anyway... > If it were, > that would require one more reduction. It can (one of suggested test vectors actually exposes it), but no special treatment is required. If it happens anywhere in the middle it's handled naturally. If it happens as last step, then final "comparison with modulus" step effectively takes care of it, because after adding 5 value would still appear as "overflow", and so it will choose value with 5 added. Note that it does mean that *final* $h2 is at most 4. It can become larger that 4 in the *middle*, but not larger than 6. > In the non-SIMD paths, I believe this is fine because $r0's and $r1's > cleared high bits mean we should have plenty of slack to leave that > unreduced. (And indeed its normally not reduced on input from the > addition.) Then poly1305_emit's reduction after adding s will resolve > things before output. But, in the SIMD paths, __poly1305_blocks is called > and then bits are shifted without any reduction. What do you mean shifted without any reduction? There is reduction step after base 2^26 -> 2^64 conversion (which also needs additional adc, but there *is* reduction step) *prior* call to __poly1305_block. And there naturally is reduction step at the end of __poly1305_block, so that base 2^64 -> 2^26 conversion *after* __poly1305_block is performed at reduced value. > Wouldn't that cause a > problem? Or is this situation impossible? If neither of above answers questions, then please elaborate. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 13:53:07 2016 From: rt at openssl.org (Salz, Rich via RT) Date: Tue, 29 Mar 2016 13:53:07 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: <42773d894d59439fb8a44ac80c00c692@usma1ex-dag1mb1.msg.corp.akamai.com> References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <56FA6C32.6000004@openssl.org> <42773d894d59439fb8a44ac80c00c692@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: We use strdup because none of the openssl machinery (error stack, etc) might be set up yet. The comment a few lines above says this! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From noloader at gmail.com Tue Mar 29 13:58:12 2016 From: noloader at gmail.com (Jeffrey Walton) Date: Tue, 29 Mar 2016 09:58:12 -0400 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <56FA6C32.6000004@openssl.org> <42773d894d59439fb8a44ac80c00c692@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Tue, Mar 29, 2016 at 9:53 AM, Salz, Rich via RT wrote: > We use strdup because none of the openssl machinery (error stack, etc) might be set up yet. > > The comment a few lines above says this! Thanks. That does not explain why this had not effect on Windows, even after including "openssl/e_os.h": # define strdup _strdup It cleared the warning at other places, but not conf_lib.c. Jeff From rt at openssl.org Tue Mar 29 13:58:21 2016 From: rt at openssl.org (noloader@gmail.com via RT) Date: Tue, 29 Mar 2016 13:58:21 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <56FA6C32.6000004@openssl.org> <42773d894d59439fb8a44ac80c00c692@usma1ex-dag1mb1.msg.corp.akamai.com> Message-ID: On Tue, Mar 29, 2016 at 9:53 AM, Salz, Rich via RT wrote: > We use strdup because none of the openssl machinery (error stack, etc) might be set up yet. > > The comment a few lines above says this! Thanks. That does not explain why this had not effect on Windows, even after including "openssl/e_os.h": # define strdup _strdup It cleared the warning at other places, but not conf_lib.c. Jeff -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 14:07:27 2016 From: rt at openssl.org (Kaduk, Ben via RT) Date: Tue, 29 Mar 2016 14:07:27 +0000 Subject: [openssl-dev] [openssl.org #4489] PATCH: fix Windows deprecated strdup in crypto\conf\conf_lib.c In-Reply-To: <56FA8C1D.3080908@akamai.com> References: <8D8F432F-5C2B-43D5-B709-FA144D91B1F2@dukhovni.org> <42773d894d59439fb8a44ac80c00c692@usma1ex-dag1mb1.msg.corp.akamai.com> <56FA8C1D.3080908@akamai.com> Message-ID: On 03/29/2016 08:58 AM, noloader at gmail.com via RT wrote: > On Tue, Mar 29, 2016 at 9:53 AM, Salz, Rich via RT wrote: >> We use strdup because none of the openssl machinery (error stack, etc) might be set up yet. >> >> The comment a few lines above says this! > Thanks. > > That does not explain why this had not effect on Windows, even after > including "openssl/e_os.h": > > # define strdup _strdup > > It cleared the warning at other places, but not conf_lib.c. > Did you look at the cc -E output for the file in question to see whether something was preventing the #define from taking effect? -Ben -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4489 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 14:24:24 2016 From: rt at openssl.org (Justus Winter via RT) Date: Tue, 29 Mar 2016 14:24:24 +0000 Subject: [openssl-dev] [openssl.org #4493] [PATCH] crypto/ec: fix setting the private key. In-Reply-To: <1459259703-25067-1-git-send-email-justus@gnupg.org> References: <1459259703-25067-1-git-send-email-justus@gnupg.org> Message-ID: From: Justus Winter Use the function from the group vtable after checking for it. Signed-off-by: Justus Winter --- crypto/ec/ec_key.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index d241154..ef8176f 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -484,7 +484,7 @@ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) if (key->group == NULL || key->group->meth == NULL) return 0; if (key->group->meth->set_private - && key->meth->set_private(key, priv_key) == 0) + && key->group->meth->set_private(key, priv_key) == 0) return 0; if (key->meth->set_private != NULL && key->meth->set_private(key, priv_key) == 0) -- 2.1.4 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4493 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 14:50:33 2016 From: rt at openssl.org (Andy Polyakov via RT) Date: Tue, 29 Mar 2016 14:50:33 +0000 Subject: [openssl-dev] [openssl.org #4439] poly1305-x86.pl produces incorrect output In-Reply-To: <56FA9662.5050805@openssl.org> References: <56EF10A4.70304@openssl.org> <56FA9662.5050805@openssl.org> Message-ID: >>> No, it doesn't depend on call pattern. Please confirm that attached >>> patch solves the problem. Thanks. >>> >> >> (Right, sorry, I meant that the test vectors I have seem to only with >> their corresponding call patterns.) And I meant that I observed failure pattern other than suggested. Never mind... >> The patch works on my end, and naively comparing random inputs against a >> reference implementation doesn't reveal any other issues. Thanks for fixing >> it so quickly! >> > > Andy, there appears to be a typo in the patch. It says defined(extra) > rather than defined($extra). It was evaluating a bare word and always using > paddq. Thanks, fixed. > The $extra version seems to work too, but may I suggest adding some > comments here? I'll add comment (and elaborate on below questions) at later point, more specifically after RT#4483 is resolved. > If I'm understanding correctly, the paddd vs paddq decision is about > whether the sum fits in 2^32 rather than needing the full 2^64, right? And > you use paddd preferentially over paddq because paddq is slow on Atom? This > isn't very clear from "because paddq is "broken" on Atom". It's also no > longer next to where $paddx is computed. > > Moreover, it seems lazy_reduction conditioning on $extra isn't because > $extra is in itself significant, but because $extra being set means we are > following the tail logic and a horizontal addition, so the bounds don't > hold anymore? This could do with a clear comment. > > Finally, where paddd is used, it's probably worth a comment for why the > bounds hold and under what assumptions. I haven't been able to trace > through them myself (based on the paper, it looks like the result of the h4 > -> h0 carry after the horizontal addition should be bound by 2^26 + 2^26 * > 5 * 2 * 5 = 2^26 * 51, but looking in a debugger, it's larger, so clearly > I'm missing something), so I can't suggest any particular text. > > David > > PS: By the way, this typo would have been caught by use strict. Have you > all considered moving perlasm to be use strict clean? > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4439 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 16:01:37 2016 From: rt at openssl.org (David Benjamin via RT) Date: Tue, 29 Mar 2016 16:01:37 +0000 Subject: [openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions In-Reply-To: References: <20160325115042.5b8be48f@pc1> <56FA877F.8040200@openssl.org> Message-ID: On Tue, Mar 29, 2016 at 9:47 AM Andy Polyakov via RT wrote: > > In the non-SIMD paths, I believe this is fine because $r0's and $r1's > > cleared high bits mean we should have plenty of slack to leave that > > unreduced. (And indeed its normally not reduced on input from the > > addition.) Then poly1305_emit's reduction after adding s will resolve > > things before output. But, in the SIMD paths, __poly1305_blocks is called > > and then bits are shifted without any reduction. > > What do you mean shifted without any reduction? There is reduction step > after base 2^26 -> 2^64 conversion (which also needs additional adc, but > there *is* reduction step) *prior* call to __poly1305_block. And there > naturally is reduction step at the end of __poly1305_block, so that base > 2^64 -> 2^26 conversion *after* __poly1305_block is performed at reduced > value. > I mean that here: https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/poly1305/asm/poly1305-x86_64.pl;h=8977d563a25166b5c3bfac9bb952703c40962cfd;hb=HEAD#l535 We call __poly1305_block, which is just poly1305_iteration. If we add the missing adc, $h2 may exceed two bits, right, so it's not completely reduced. And the code after the __poly1305_block call above doesn't do an extra reduction and only shifts bits to convert from 2^64 to 2^26. I later realized there's plenty of room to spare in the 2^26 representation even when you put everything in 32-bit values, so we won't lose the extra bit. I imagine the SIMD logic can tolerate this slightly-unreduced value just fine, but that was my question. David > > Wouldn't that cause a > > problem? Or is this situation impossible? > > If neither of above answers questions, then please elaborate. > > > -- > Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 > Please log in as guest with password guest if prompted > > -- > openssl-dev mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev > -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 16:16:59 2016 From: rt at openssl.org (=?UTF-8?B?RW1pbGlhIEvDpHNwZXI=?= via RT) Date: Tue, 29 Mar 2016 16:16:59 +0000 Subject: [openssl-dev] [openssl.org #4393] [PATCH] Call EC_GROUP_order_bits in priv2opt. In-Reply-To: References: Message-ID: While we're at this, shouldn't we then also check the length in oct2priv? (And either reject or reduce mod n.) Afaics it accepts arbitrary BNs currently, which means some keys can be parsed but cannot be re-encoded? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4393 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 29 18:05:23 2016 From: rt at openssl.org (=?UTF-8?B?RW1pbGlhIEvDpHNwZXI=?= via RT) Date: Tue, 29 Mar 2016 18:05:23 +0000 Subject: [openssl-dev] [openssl.org #4393] [PATCH] Call EC_GROUP_order_bits in priv2opt. In-Reply-To: References: Message-ID: Merged. (Please reopen if you think we should also follow up in the other direction.) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4393 Please log in as guest with password guest if prompted From uri at ll.mit.edu Tue Mar 29 18:25:20 2016 From: uri at ll.mit.edu (Blumenthal, Uri - 0553 - MITLL) Date: Tue, 29 Mar 2016 18:25:20 +0000 Subject: [openssl-dev] FW: Current Github build broken (crypto/comp/c_zlib.c:334:25: error: variable has incomplete type 'const BIO_METHOD') In-Reply-To: References: Message-ID: Mac OS X 10.10.5, Xcode-7.2.1. OpenSSL-1.1.0-pre5 >$ git clone https://github.com/openssl/openssl.git >Cloning into 'openssl'... >remote: Counting objects: 193677, done. >remote: Compressing objects: 100% (127/127), done. >remote: Total 193677 (delta 54), reused 8 (delta 8), pack-reused 193542 >Receiving objects: 100% (193677/193677), 85.73 MiB | 5.27 MiB/s, done. >Resolving deltas: 100% (153073/153073), done. >Checking connectivity... done. >Checking out files: 100% (2271/2271), done. >$ cd openssl >$ ./Configure darwin64-x86_64-cc threads shared zlib >enable-ec_nistp_64_gcc_128 enable-rfc3779 >--prefix=/Users/ur20980/src/openssl-1.1 >--openssldir=/Users/ur20980/src/openssl-1.1/etc >Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] >OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib-dynamic [default] >Configuring for darwin64-x86_64-cc >CC =clang >CFLAG =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall >SHARED_CFLAG =-fPIC >DEFINES =ZLIB DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS >OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 >OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM >SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM >ECP_NISTZ256_ASM POLY1305_ASM >LFLAG = >PLIB_LFLAG =-Wl,-search_paths_first >EX_LIBS =-lz >APPS_OBJ = >CPUID_OBJ =x86_64cpuid.o >UPLINK_OBJ = >BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o >x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o >EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o >DES_ENC =des_enc.o fcrypt_b.o >AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o >aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o >BF_ENC =bf_enc.o >CAST_ENC =c_enc.o >RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o >RC5_ENC =rc5_enc.o >MD5_OBJ_ASM =md5-x86_64.o >SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o >sha1-mb-x86_64.o sha256-mb-x86_64.o >RMD160_OBJ_ASM= >CMLL_ENC =cmll-x86_64.o cmll_misc.o >MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o >PADLOCK_OBJ =e_padlock-x86_64.o >CHACHA_ENC =chacha-x86_64.o >POLY1305_OBJ =poly1305-x86_64.o >BLAKE2_OBJ = >PROCESSOR = >RANLIB =ranlib -c >ARFLAGS = >PERL =/opt/local/bin/perl5 > >SIXTY_FOUR_BIT_LONG mode > >Configured for darwin64-x86_64-cc. >$ make depend && make clean && make all && make test && make install >rm -f libcrypto.1.1.dylib >rm -f libcrypto.dylib >rm -f libssl.1.1.dylib >rm -f libssl.dylib >rm -f libcrypto.a libssl.a >rm -f apps/openssl test/aborttest test/afalgtest test/asynctest >test/bftest test/bntest test/casttest test/clienthellotest >test/constant_time_test test/ct_test test/danetest test/destest >test/dhtest test/dsatest test/dtlsv1listentest test/ecdhtest >test/ecdsatest test/ectest test/enginetest test/evp_extra_test >test/evp_test test/exptest test/gmdifftest test/heartbeat_test >test/hmactest test/ideatest test/igetest test/md2test test/md4test >test/md5test test/mdc2test test/memleaktest test/nptest >test/p5_crpt2_test test/packettest test/pbelutest test/randtest >test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test >test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest >test/ssltest test/threadstest test/v3nametest test/verify_extra_test >test/wp_test engines/capi.dylib engines/dasync.dylib >engines/ossltest.dylib engines/padlock.dylib apps/CA.pl tools/c_rehash >rm -f crypto/aes/aesp8-ppc.s crypto/modes/ghash-alpha.s >crypto/sha/sha256-mips.s crypto/aes/aes-parisc.s crypto/sha/sha256-586.s >crypto/sha/sha256-sparcv9.s crypto/rc4/rc4-x86_64.s >crypto/chacha/chacha-ppc.s crypto/chacha/chacha-armv4.s >crypto/bn/sparcv9a-mont.s crypto/sha/sha512-sparcv9.s >crypto/sha/sha256-x86_64.s crypto/aes/vpaes-ppc.s >crypto/sha/sha512-ia64.s crypto/aes/aes-586.s crypto/des/dest4-sparcv9.s >crypto/bn/rsaz-avx2.s crypto/modes/ghash-parisc.s >crypto/poly1305/poly1305-x86_64.s crypto/sha/sha256-ia64.s >crypto/modes/ghash-sparcv9.s crypto/sha/sha1-mips.s >crypto/modes/ghashv8-armx.s crypto/des/des_enc-sparc.s >crypto/modes/ghash-ia64.s crypto/sha/sha256-armv8.s >crypto/aes/aesv8-armx.s crypto/bn/ia64-mont.s crypto/aes/bsaes-armv7.s >crypto/aes/aes-ppc.s crypto/aes/aes-sparcv9.s crypto/bn/sparcv9-mont.s >crypto/bn/x86-mont.s crypto/sha/sha256-mb-x86_64.s crypto/des/crypt586.s >crypto/sha/sha512p8-ppc.s crypto/alphacpuid.s crypto/md5/md5-586.s >crypto/sha/sha512-armv4.s crypto/aes/aesni-x86_64.s >crypto/bn/ppc64-mont.s crypto/poly1305/poly1305-ppcfp.s >crypto/aes/aes-x86_64.s crypto/bn/armv4-gf2m.s crypto/uplink-ia64.s >crypto/ia64cpuid.s crypto/sha/sha1-armv8.s crypto/sha/sha1-ppc.s >crypto/aes/bsaes-x86_64.s crypto/modes/aesni-gcm-x86_64.s >crypto/aes/vpaes-x86_64.s crypto/bn/sparcv9-gf2m.s crypto/aes/aes-armv4.s >crypto/buildinf.h crypto/sha/sha1-parisc.s >crypto/poly1305/poly1305-sparcv9.s crypto/camellia/cmll-x86.s >crypto/sha/sha1-586.s crypto/armv4cpuid.s crypto/bn/armv4-mont.s >crypto/sha/sha512-mips.s crypto/poly1305/poly1305-armv4.s >crypto/sha/sha1-x86_64.s crypto/bn/x86_64-gf2m.s crypto/whrlpool/wp-mmx.s >crypto/chacha/chacha-x86.s crypto/bn/bn-586.s crypto/bn/mips-mont.s >crypto/md5/md5-x86_64.s crypto/sha/sha512-x86_64.s crypto/aes/vpaes-x86.s >crypto/modes/ghashp8-ppc.s crypto/ec/ecp_nistz256-sparcv9.s >crypto/uplink-x86_64.s crypto/uplink-x86.s crypto/rc4/rc4-md5-x86_64.s >crypto/poly1305/poly1305-ppc.s crypto/ec/ecp_nistz256-armv8.s >crypto/pariscid.s crypto/sha/sha256p8-ppc.s crypto/bn/parisc-mont.s >crypto/aes/vpaes-armv8.s crypto/bn/ppc-mont.s >crypto/ec/ecp_nistz256-x86_64.s crypto/x86_64cpuid.s crypto/arm64cpuid.s >crypto/modes/ghash-armv4.s crypto/aes/aes-ia64.s crypto/x86cpuid.s >crypto/modes/ghash-x86_64.s crypto/bn/x86_64-mont5.s crypto/rc4/rc4-586.s >crypto/chacha/chacha-armv8.s crypto/aes/aes-mips.s crypto/sha/sha1-ia64.s >engines/e_padlock-x86_64.s crypto/modes/ghash-x86.s >crypto/sha/sha512-armv8.s crypto/bn/co-586.s crypto/sha/sha256-parisc.s >crypto/bn/vis3-mont.s crypto/sha/sha512-ppc.s crypto/sha/sha1-sparcv9.s >crypto/sha/sha256-ppc.s crypto/cast/cast-586.s crypto/bf/bf-586.s >crypto/aes/aesni-x86.s crypto/bn/armv8-mont.s crypto/bn/bn-ia64.s >crypto/poly1305/poly1305-x86.s crypto/chacha/chacha-x86_64.s >crypto/ec/ecp_nistz256-x86.s crypto/bn/rsaz-x86_64.s >crypto/bn/s390x-mont.s crypto/sha/sha1-mb-x86_64.s >crypto/ec/ecp_nistz256-armv4.s crypto/aes/aest4-sparcv9.s >crypto/bn/x86_64-mont.s crypto/sha/sha1-alpha.s >crypto/aes/aesni-mb-x86_64.s crypto/bn/sparct4-mont.s >crypto/sha/sha256-armv4.s engines/e_padlock-x86.s crypto/des/des-586.s >crypto/sha/sha512-parisc.s crypto/aes/aesni-sha1-x86_64.s >crypto/bn/bn-ppc.s crypto/md5/md5-sparcv9.s crypto/bn/x86-gf2m.s >crypto/ppccpuid.s crypto/bn/bn-mips.s crypto/ec/ecp_nistz256-avx2.s >crypto/rc4/rc4-parisc.s crypto/sha/sha512-586.s >crypto/poly1305/poly1305-armv8.s crypto/camellia/cmll-x86_64.s >crypto/camellia/cmllt4-sparcv9.s crypto/sha/sha1-armv4-large.s >crypto/ripemd/rmd-586.s crypto/bn/s390x-gf2m.s >crypto/aes/aesni-sha256-x86_64.s crypto/bn/alpha-mont.s >crypto/whrlpool/wp-x86_64.s >rm -f `find . -name '*.d'` >rm -f `find . -name '*.o'` >rm -f core >rm -f tags TAGS >rm -f openssl.pc libcrypto.pc libssl.pc >rm -f `find . -type l` >rm -f ../openssl-1.1.0-pre5-dev.tar >CC="clang" /opt/local/bin/perl5 crypto/aes/asm/aes-x86_64.pl macosx >crypto/aes/aes-x86_64.s >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT >crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o >crypto/aes/aes-x86_64.s >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_cfb.d.tmp -MT >crypto/aes/aes_cfb.o -c -o crypto/aes/aes_cfb.o crypto/aes/aes_cfb.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_ecb.d.tmp -MT >crypto/aes/aes_ecb.o -c -o crypto/aes/aes_ecb.o crypto/aes/aes_ecb.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_ige.d.tmp -MT >crypto/aes/aes_ige.o -c -o crypto/aes/aes_ige.o crypto/aes/aes_ige.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_misc.d.tmp -MT >crypto/aes/aes_misc.o -c -o crypto/aes/aes_misc.o crypto/aes/aes_misc.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_ofb.d.tmp -MT >crypto/aes/aes_ofb.o -c -o crypto/aes/aes_ofb.o crypto/aes/aes_ofb.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_wrap.d.tmp -MT >crypto/aes/aes_wrap.o -c -o crypto/aes/aes_wrap.o crypto/aes/aes_wrap.c >CC="clang" /opt/local/bin/perl5 crypto/aes/asm/aesni-mb-x86_64.pl macosx >crypto/aes/aesni-mb-x86_64.s >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aesni-mb-x86_64.d.tmp -MT >crypto/aes/aesni-mb-x86_64.o -c -o crypto/aes/aesni-mb-x86_64.o >crypto/aes/aesni-mb-x86_64.s >CC="clang" /opt/local/bin/perl5 crypto/aes/asm/aesni-sha1-x86_64.pl >macosx crypto/aes/aesni-sha1-x86_64.s >. . . . . . . . . . . . >. . . . . . . . . . . . >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/cms/cms_smime.d.tmp -MT >crypto/cms/cms_smime.o -c -o crypto/cms/cms_smime.o crypto/cms/cms_smime.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/comp/c_zlib.d.tmp -MT >crypto/comp/c_zlib.o -c -o crypto/comp/c_zlib.o crypto/comp/c_zlib.c >crypto/comp/c_zlib.c:334:25: error: variable has incomplete type 'const >BIO_METHOD' > (aka 'const struct bio_method_st') >static const BIO_METHOD bio_meth_zlib = { > ^ >include/openssl/bio.h:293:16: note: forward declaration of 'struct >bio_method_st' >typedef struct bio_method_st BIO_METHOD; > ^ >crypto/comp/c_zlib.c:374:7: error: incomplete definition of type 'struct >bio_st' > bi->init = 1; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:375:7: error: incomplete definition of type 'struct >bio_st' > bi->ptr = (char *)ctx; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:376:7: error: incomplete definition of type 'struct >bio_st' > bi->flags = 0; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:385:30: error: incomplete definition of type 'struct >bio_st' > ctx = (BIO_ZLIB_CTX *) bi->ptr; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:397:7: error: incomplete definition of type 'struct >bio_st' > bi->ptr = NULL; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:398:7: error: incomplete definition of type 'struct >bio_st' > bi->init = 0; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:399:7: error: incomplete definition of type 'struct >bio_st' > bi->flags = 0; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:410:29: error: incomplete definition of type 'struct >bio_st' > ctx = (BIO_ZLIB_CTX *) b->ptr; > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:445:25: error: incomplete definition of type 'struct >bio_st' > ret = BIO_read(b->next_bio, ctx->ibuf, ctx->ibufsize); > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:466:29: error: incomplete definition of type 'struct >bio_st' > ctx = (BIO_ZLIB_CTX *) b->ptr; > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:490:30: error: incomplete definition of type 'struct >bio_st' > ret = BIO_write(b->next_bio, ctx->optr, ctx->ocount); > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >. . . . . . . . . . . . . . . >crypto/comp/c_zlib.c:590:30: error: incomplete definition of type 'struct >bio_st' > ret = BIO_flush(b->next_bio); > ~^ >include/openssl/bio.h:522:48: note: expanded from macro 'BIO_flush' ># define BIO_flush(b) (int)BIO_ctrl(b,BIO_CTRL_FLUSH,0,NULL) > ^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:623:25: error: incomplete definition of type 'struct >bio_st' > ret = BIO_ctrl(b->next_bio, cmd, num, ptr); > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:628:25: error: incomplete definition of type 'struct >bio_st' > ret = BIO_ctrl(b->next_bio, cmd, num, ptr); > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >fatal error: too many errors emitted, stopping now [-ferror-limit=] >20 errors generated. >make: *** [crypto/comp/c_zlib.o] Error 1 >$ perl Configure reconf >Configuring OpenSSL version 1.1.0-pre5-dev (0x0x10100005L) >Reconfiguring with: darwin64-x86_64-cc threads shared zlib >enable-ec_nistp_64_gcc_128 enable-rfc3779 >--prefix=/Users/ur20980/src/openssl-1.1 >--openssldir=/Users/ur20980/src/openssl-1.1/etc > CC = clang > no-crypto-mdebug [default] OPENSSL_NO_CRYPTO_MDEBUG (skip dir) > no-crypto-mdebug-backtrace [forced] >OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE (skip dir) > no-egd [default] OPENSSL_NO_EGD (skip dir) > no-heartbeats [default] OPENSSL_NO_HEARTBEATS (skip dir) > no-md2 [default] OPENSSL_NO_MD2 (skip dir) > no-rc5 [default] OPENSSL_NO_RC5 (skip dir) > no-sctp [default] OPENSSL_NO_SCTP (skip dir) > no-ssl-trace [default] OPENSSL_NO_SSL_TRACE (skip dir) > no-ssl3 [default] OPENSSL_NO_SSL3 (skip dir) > no-ssl3-method [default] OPENSSL_NO_SSL3_METHOD (skip dir) > no-unit-test [default] OPENSSL_NO_UNIT_TEST (skip dir) > no-weak-ssl-ciphers [default] OPENSSL_NO_WEAK_SSL_CIPHERS (skip dir) > no-zlib-dynamic [default] >Configuring for darwin64-x86_64-cc >CC =clang >CFLAG =-O3 -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall >SHARED_CFLAG =-fPIC >DEFINES =ZLIB DSO_DLFCN HAVE_DLFCN_H OPENSSL_THREADS >OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 >OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM >SHA256_ASM SHA512_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM >ECP_NISTZ256_ASM POLY1305_ASM >LFLAG = >PLIB_LFLAG =-Wl,-search_paths_first >EX_LIBS =-lz >APPS_OBJ = >CPUID_OBJ =x86_64cpuid.o >UPLINK_OBJ = >BN_ASM =asm/x86_64-gcc.o x86_64-mont.o x86_64-mont5.o >x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o >EC_ASM =ecp_nistz256.o ecp_nistz256-x86_64.o >DES_ENC =des_enc.o fcrypt_b.o >AES_ENC =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o >aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o >BF_ENC =bf_enc.o >CAST_ENC =c_enc.o >RC4_ENC =rc4-x86_64.o rc4-md5-x86_64.o >RC5_ENC =rc5_enc.o >MD5_OBJ_ASM =md5-x86_64.o >SHA1_OBJ_ASM =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o >sha1-mb-x86_64.o sha256-mb-x86_64.o >RMD160_OBJ_ASM= >CMLL_ENC =cmll-x86_64.o cmll_misc.o >MODES_OBJ =ghash-x86_64.o aesni-gcm-x86_64.o >PADLOCK_OBJ =e_padlock-x86_64.o >CHACHA_ENC =chacha-x86_64.o >POLY1305_OBJ =poly1305-x86_64.o >BLAKE2_OBJ = >PROCESSOR = >RANLIB =ranlib -c >ARFLAGS = >PERL =/opt/local/bin/perl5 > >SIXTY_FOUR_BIT_LONG mode > >Configured for darwin64-x86_64-cc. >$ make depend && make clean && make all && make test && make install >rm -f libcrypto.1.1.dylib >rm -f libcrypto.dylib >rm -f libssl.1.1.dylib >rm -f libssl.dylib >rm -f libcrypto.a libssl.a >rm -f apps/openssl test/aborttest test/afalgtest test/asynctest >test/bftest test/bntest test/casttest test/clienthellotest >test/constant_time_test test/ct_test test/danetest test/destest >test/dhtest test/dsatest test/dtlsv1listentest test/ecdhtest >test/ecdsatest test/ectest test/enginetest test/evp_extra_test >test/evp_test test/exptest test/gmdifftest test/heartbeat_test >test/hmactest test/ideatest test/igetest test/md2test test/md4test >test/md5test test/mdc2test test/memleaktest test/nptest >test/p5_crpt2_test test/packettest test/pbelutest test/randtest >test/rc2test test/rc4test test/rc5test test/rmdtest test/rsa_test >test/secmemtest test/sha1test test/sha256t test/sha512t test/srptest >test/ssltest test/threadstest test/v3nametest test/verify_extra_test >test/wp_test engines/capi.dylib engines/dasync.dylib >engines/ossltest.dylib engines/padlock.dylib apps/CA.pl tools/c_rehash >rm -f crypto/poly1305/poly1305-armv4.s crypto/bf/bf-586.s >crypto/chacha/chacha-x86_64.s crypto/ripemd/rmd-586.s crypto/arm64cpuid.s >crypto/md5/md5-x86_64.s crypto/sha/sha256-586.s >crypto/aes/aesni-sha1-x86_64.s crypto/sha/sha512-mips.s >crypto/bn/s390x-mont.s crypto/sha/sha512-armv8.s >crypto/poly1305/poly1305-x86.s crypto/aes/aest4-sparcv9.s >crypto/bn/x86_64-mont.s crypto/alphacpuid.s >crypto/ec/ecp_nistz256-armv8.s crypto/bn/rsaz-avx2.s >crypto/modes/ghashp8-ppc.s crypto/aes/aesni-x86_64.s >crypto/aes/aes-sparcv9.s crypto/modes/ghash-sparcv9.s >crypto/chacha/chacha-armv4.s crypto/poly1305/poly1305-x86_64.s >crypto/ec/ecp_nistz256-x86_64.s crypto/camellia/cmll-x86_64.s >crypto/sha/sha256p8-ppc.s crypto/modes/ghash-parisc.s >crypto/aes/aesv8-armx.s crypto/aes/aes-586.s >crypto/camellia/cmllt4-sparcv9.s engines/e_padlock-x86_64.s >crypto/bn/x86_64-mont5.s crypto/bn/x86-mont.s crypto/bn/alpha-mont.s >crypto/rc4/rc4-586.s crypto/modes/ghash-x86_64.s >crypto/bn/sparcv9a-mont.s crypto/bn/armv8-mont.s crypto/bn/bn-ppc.s >crypto/sha/sha1-ia64.s crypto/sha/sha512-586.s crypto/modes/ghash-armv4.s >crypto/chacha/chacha-ppc.s crypto/bn/mips-mont.s crypto/sha/sha1-x86_64.s >crypto/bn/vis3-mont.s crypto/chacha/chacha-armv8.s >crypto/whrlpool/wp-mmx.s crypto/uplink-x86.s crypto/uplink-x86_64.s >crypto/sha/sha256-armv8.s crypto/aes/aes-x86_64.s crypto/bn/bn-586.s >crypto/bn/ppc64-mont.s crypto/x86cpuid.s crypto/sha/sha1-armv4-large.s >crypto/sha/sha1-sparcv9.s crypto/bn/co-586.s crypto/aes/aes-parisc.s >crypto/bn/x86-gf2m.s crypto/bn/bn-ia64.s crypto/ec/ecp_nistz256-x86.s >crypto/modes/ghash-x86.s crypto/rc4/rc4-parisc.s >crypto/sha/sha512-armv4.s crypto/x86_64cpuid.s >crypto/ec/ecp_nistz256-armv4.s crypto/sha/sha256-ia64.s >crypto/sha/sha512-parisc.s crypto/bn/sparcv9-mont.s crypto/ia64cpuid.s >crypto/aes/vpaes-x86.s crypto/aes/vpaes-armv8.s crypto/sha/sha1-armv8.s >crypto/aes/aes-armv4.s crypto/modes/ghashv8-armx.s >crypto/sha/sha512-sparcv9.s crypto/sha/sha1-586.s >crypto/ec/ecp_nistz256-sparcv9.s crypto/sha/sha1-ppc.s >crypto/poly1305/poly1305-ppc.s crypto/aes/aes-mips.s crypto/buildinf.h >crypto/bn/x86_64-gf2m.s crypto/aes/bsaes-armv7.s >crypto/sha/sha256-armv4.s crypto/modes/ghash-alpha.s crypto/md5/md5-586.s >crypto/sha/sha256-sparcv9.s crypto/md5/md5-sparcv9.s >crypto/aes/bsaes-x86_64.s crypto/sha/sha512-x86_64.s >crypto/bn/parisc-mont.s crypto/bn/armv4-mont.s crypto/bn/ia64-mont.s >crypto/des/crypt586.s crypto/sha/sha1-parisc.s crypto/uplink-ia64.s >crypto/des/dest4-sparcv9.s crypto/des/des-586.s >crypto/poly1305/poly1305-sparcv9.s engines/e_padlock-x86.s >crypto/poly1305/poly1305-armv8.s crypto/modes/ghash-ia64.s >crypto/sha/sha1-mb-x86_64.s crypto/bn/rsaz-x86_64.s >crypto/chacha/chacha-x86.s crypto/aes/aes-ia64.s >crypto/whrlpool/wp-x86_64.s crypto/pariscid.s crypto/bn/ppc-mont.s >crypto/rc4/rc4-md5-x86_64.s crypto/aes/vpaes-ppc.s >crypto/poly1305/poly1305-ppcfp.s crypto/armv4cpuid.s >crypto/bn/sparct4-mont.s crypto/cast/cast-586.s >crypto/des/des_enc-sparc.s crypto/sha/sha1-alpha.s crypto/bn/armv4-gf2m.s >crypto/bn/sparcv9-gf2m.s crypto/ppccpuid.s crypto/aes/aesp8-ppc.s >crypto/camellia/cmll-x86.s crypto/sha/sha512-ia64.s >crypto/sha/sha256-mb-x86_64.s crypto/sha/sha256-x86_64.s >crypto/sha/sha256-parisc.s crypto/sha/sha512-ppc.s crypto/bn/bn-mips.s >crypto/aes/aes-ppc.s crypto/modes/aesni-gcm-x86_64.s >crypto/aes/vpaes-x86_64.s crypto/aes/aesni-sha256-x86_64.s >crypto/sha/sha256-mips.s crypto/rc4/rc4-x86_64.s >crypto/ec/ecp_nistz256-avx2.s crypto/sha/sha512p8-ppc.s >crypto/sha/sha256-ppc.s crypto/sha/sha1-mips.s crypto/aes/aesni-x86.s >crypto/bn/s390x-gf2m.s crypto/aes/aesni-mb-x86_64.s >rm -f `find . -name '*.d'` >rm -f `find . -name '*.o'` >rm -f core >rm -f tags TAGS >rm -f openssl.pc libcrypto.pc libssl.pc >rm -f `find . -type l` >rm -f ../openssl-1.1.0-pre5-dev.tar >CC="clang" /opt/local/bin/perl5 crypto/aes/asm/aes-x86_64.pl macosx >crypto/aes/aes-x86_64.s >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes-x86_64.d.tmp -MT >crypto/aes/aes-x86_64.o -c -o crypto/aes/aes-x86_64.o >crypto/aes/aes-x86_64.s >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_cfb.d.tmp -MT >crypto/aes/aes_cfb.o -c -o crypto/aes/aes_cfb.o crypto/aes/aes_cfb.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/aes/aes_ecb.d.tmp -MT >crypto/aes/aes_ecb.o -c -o crypto/aes/aes_ecb.o crypto/aes/aes_ecb.c >. . . . . . . . . . >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/cms/cms_smime.d.tmp -MT >crypto/cms/cms_smime.o -c -o crypto/cms/cms_smime.o crypto/cms/cms_smime.c >clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >-DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >-DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >-DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >-D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >-Icrypto/include -MMD -MF crypto/comp/c_zlib.d.tmp -MT >crypto/comp/c_zlib.o -c -o crypto/comp/c_zlib.o crypto/comp/c_zlib.c >crypto/comp/c_zlib.c:334:25: error: variable has incomplete type 'const >BIO_METHOD' > (aka 'const struct bio_method_st') >static const BIO_METHOD bio_meth_zlib = { > ^ >include/openssl/bio.h:293:16: note: forward declaration of 'struct >bio_method_st' >typedef struct bio_method_st BIO_METHOD; > ^ >crypto/comp/c_zlib.c:374:7: error: incomplete definition of type 'struct >bio_st' > bi->init = 1; > ~~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ . . . . . . . . . . . . . . . > ret = BIO_ctrl(b->next_bio, cmd, num, ptr); > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >crypto/comp/c_zlib.c:628:25: error: incomplete definition of type 'struct >bio_st' > ret = BIO_ctrl(b->next_bio, cmd, num, ptr); > ~^ >include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >bio_st' >typedef struct bio_st BIO; > ^ >fatal error: too many errors emitted, stopping now [-ferror-limit=] >20 errors generated. >make: *** [crypto/comp/c_zlib.o] Error 1 >$ -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4324 bytes Desc: not available URL: From matt at openssl.org Tue Mar 29 23:00:54 2016 From: matt at openssl.org (Matt Caswell) Date: Wed, 30 Mar 2016 00:00:54 +0100 Subject: [openssl-dev] FW: Current Github build broken (crypto/comp/c_zlib.c:334:25: error: variable has incomplete type 'const BIO_METHOD') In-Reply-To: References: Message-ID: <56FB0926.6020607@openssl.org> On 29/03/16 19:25, Blumenthal, Uri - 0553 - MITLL wrote: >> clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >> -DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >> -DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >> -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >> -Icrypto/include -MMD -MF crypto/cms/cms_smime.d.tmp -MT >> crypto/cms/cms_smime.o -c -o crypto/cms/cms_smime.o crypto/cms/cms_smime.c >> clang -DZLIB -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS >> -DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_IA32_SSE2 >> -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m >> -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM >> -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM >> -DOPENSSLDIR="\"/Users/ur20980/src/openssl-1.1/etc\"" >> -DENGINESDIR="\"/Users/ur20980/src/openssl-1.1/lib/engines\"" -O3 >> -D_REENTRANT -arch x86_64 -DL_ENDIAN -Wall -fPIC -Iinclude -I. >> -Icrypto/include -MMD -MF crypto/comp/c_zlib.d.tmp -MT >> crypto/comp/c_zlib.o -c -o crypto/comp/c_zlib.o crypto/comp/c_zlib.c >> crypto/comp/c_zlib.c:334:25: error: variable has incomplete type 'const >> BIO_METHOD' >> (aka 'const struct bio_method_st') >> static const BIO_METHOD bio_meth_zlib = { >> ^ >> include/openssl/bio.h:293:16: note: forward declaration of 'struct >> bio_method_st' >> typedef struct bio_method_st BIO_METHOD; >> ^ >> crypto/comp/c_zlib.c:374:7: error: incomplete definition of type 'struct >> bio_st' >> bi->init = 1; >> ~~^ >> include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >> bio_st' >> typedef struct bio_st BIO; >> ^ > . . . . . . . . . . . . . . . >> ret = BIO_ctrl(b->next_bio, cmd, num, ptr); >> ~^ >> include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >> bio_st' >> typedef struct bio_st BIO; >> ^ >> crypto/comp/c_zlib.c:628:25: error: incomplete definition of type 'struct >> bio_st' >> ret = BIO_ctrl(b->next_bio, cmd, num, ptr); >> ~^ >> include/openssl/ossl_typ.h:122:16: note: forward declaration of 'struct >> bio_st' >> typedef struct bio_st BIO; >> ^ >> fatal error: too many errors emitted, stopping now [-ferror-limit=] >> 20 errors generated. >> make: *** [crypto/comp/c_zlib.o] Error 1 >> $ >> >> Thanks for the report. This should be fixed now. Matt From waywardgeek at gmail.com Wed Mar 30 10:06:56 2016 From: waywardgeek at gmail.com (Bill Cox) Date: Wed, 30 Mar 2016 03:06:56 -0700 Subject: [openssl-dev] Token binding as a custom extension Message-ID: Hi. I implemented the token binding TLS negotiation extension in BoringSSL using the OpenSSL custom extension API. AFAIK, there are no current examples of any custom extensions in the OpenSSL code base. Is this correct? While my ulterior motive is to promote token binding (Google pays me to work on token binding), would the OpenSSL devs find it useful to have a token binding extension as an example of how to use the OpenSSL custom extension API? If so, there is one problem still in the OpenSSL custom extension API, which was a 1-line fix in BoringSSL. The server currently checks if the handshake is a resume, and if so, does not send custom extensions. This check can easily be done in the custom extensions, and having it hard-coded makes the custom extension API impossible to use for extensions like token binding that require the extension be sent from the server on a resume. Would there be any interest in changing this behavior in the custom extension API to support more use cases like token binding? It is a very simple change. If you folks are interested, I'll submit a PR on github. Thanks, Bill -------------- next part -------------- An HTML attachment was scrubbed... URL: From rsalz at akamai.com Wed Mar 30 10:16:21 2016 From: rsalz at akamai.com (Salz, Rich) Date: Wed, 30 Mar 2016 10:16:21 +0000 Subject: [openssl-dev] Token binding as a custom extension In-Reply-To: References: Message-ID: Submit a PR -- Senior Architect, Akamai Technologies IM: richsalz at jabber.at Twitter: RichSalz From: Bill Cox [mailto:waywardgeek at gmail.com] Sent: Wednesday, March 30, 2016 3:07 AM To: openssl-dev at openssl.org Subject: [openssl-dev] Token binding as a custom extension Hi. I implemented the token binding TLS negotiation extension in BoringSSL using the OpenSSL custom extension API. AFAIK, there are no current examples of any custom extensions in the OpenSSL code base. Is this correct? While my ulterior motive is to promote token binding (Google pays me to work on token binding), would the OpenSSL devs find it useful to have a token binding extension as an example of how to use the OpenSSL custom extension API? If so, there is one problem still in the OpenSSL custom extension API, which was a 1-line fix in BoringSSL. The server currently checks if the handshake is a resume, and if so, does not send custom extensions. This check can easily be done in the custom extensions, and having it hard-coded makes the custom extension API impossible to use for extensions like token binding that require the extension be sent from the server on a resume. Would there be any interest in changing this behavior in the custom extension API to support more use cases like token binding? It is a very simple change. If you folks are interested, I'll submit a PR on github. Thanks, Bill -------------- next part -------------- An HTML attachment was scrubbed... URL: From andrea.grandi at intel.com Wed Mar 30 12:34:15 2016 From: andrea.grandi at intel.com (Grandi, Andrea) Date: Wed, 30 Mar 2016 12:34:15 +0000 Subject: [openssl-dev] AF_ALG engine support and kernel versions In-Reply-To: References: Message-ID: <02DF9A39E1EE92419A8C5BBE62973A231A4B1817@IRSMSX108.ger.corp.intel.com> Hi Jeffrey, I have checked with Tadeusz, which is one of the contributors for AF_alg . Here is what he said with regard to your question about the version number. _______ The async operation on a socket has been added with this this commit: commit 0345f93138b2224e0d7ce91fcffdb3dd23f364d7 Author: tadeusz.struk at intel.com Date: Thu Mar 19 12:31:25 2015 -0700 net: socket: add support for async operations Add support for async operations. Signed-off-by: Tadeusz Struk Signed-off-by: David S. Miller Before this change it didn't work i.e it was translated to a sync call. This change has been released in 4.1 kernel. ______ Hope this is useful!! Andrea -----Original Message----- From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Jeffrey Walton Sent: Saturday, March 26, 2016 6:56 PM To: OpenSSL Developer ML Subject: Re: [openssl-dev] AF_ALG engine support and kernel versions On Thu, Mar 17, 2016 at 11:38 PM, Jeffrey Walton wrote: > Hi Everyone, > > Looking at the code in engines/afalg/e_afalg.c, there is the following: > > ... > #define K_MAJ 4 > #define K_MIN1 1 > #define K_MIN2 0 > #if LINUX_VERSION_CODE <= KERNEL_VERSION(K_MAJ, K_MIN1, K_MIN2) > # warning "AFALG ENGINE requires Kernel Headers >= 4.1.0" > # warning "Skipping Compilation of AFALG engine" > #else > ... > > It appears AF_ALG was added to the kernel at 2.6.38. Asynchronous I/O > support appears to have surfaced in the kernel at 2.5.23. > > Where is the requirement for 4.1 coming from? This requirement does not look quite right. I've got a Ubuntu 3.19.0-56-generic kernel running on a 5th gen i7 that provides some async drivers for the ciphers. I've also got a Ubuntu 4.2.0-34-generic kernel running on an old VIA C7 that does not provide any async ciphers. I'm also building out-of-tree crypto kernel modules that have the latest patches. In this case, the kernel version has nothing to do with availability of async ciphers. Does anyone know where the requirement is coming from? Thanks in advance. ********** # Newer, Intel 5th gen Core-i7 $ uname -r 3.19.0-56-generic $ sudo cat /proc/crypto | egrep '^(name|driver|async|$)' name : crct10dif driver : crct10dif-pclmul name : crc32 driver : crc32-pclmul name : xts(aes) driver : xts-aes-aesni async : yes name : lrw(aes) driver : lrw-aes-aesni async : yes name : __xts-aes-aesni driver : __driver-xts-aes-aesni name : __lrw-aes-aesni driver : __driver-lrw-aes-aesni name : pcbc(aes) driver : pcbc-aes-aesni async : yes name : rfc4106(gcm(aes)) driver : rfc4106-gcm-aesni async : yes name : __gcm-aes-aesni driver : __driver-gcm-aes-aesni async : no name : ctr(aes) driver : ctr-aes-aesni async : yes name : __ctr-aes-aesni driver : __driver-ctr-aes-aesni name : cbc(aes) driver : cbc-aes-aesni async : yes name : ecb(aes) driver : ecb-aes-aesni async : yes name : __cbc-aes-aesni driver : __driver-cbc-aes-aesni name : __ecb-aes-aesni driver : __driver-ecb-aes-aesni name : __aes-aesni driver : __driver-aes-aesni name : aes driver : aes-aesni name : aes driver : aes-asm name : hmac(sha256) driver : hmac(sha256-generic) name : hmac(sha1) driver : hmac(sha1-generic) name : skein1024 driver : skein name : skein512 driver : skein name : skein256 driver : skein name : stdrng driver : krng name : lzo driver : lzo-generic name : crct10dif driver : crct10dif-generic name : crc32c driver : crc32c-generic name : aes driver : aes-generic name : sha384 driver : sha384-generic name : sha512 driver : sha512-generic name : sha224 driver : sha224-generic name : sha256 driver : sha256-generic name : sha1 driver : sha1-generic name : md5 driver : md5-generic name : crc32c driver : crc32c-intel ***** # Older, VIA C7 machine $ uname -r 4.2.0-34-generic $ sudo cat /proc/crypto | egrep '^(name|driver|async|$)' name : sha256 driver : sha256-padlock name : sha1 driver : sha1-padlock name : cbc(aes) driver : cbc-aes-padlock name : ecb(aes) driver : ecb-aes-padlock name : aes driver : aes-padlock name : lzo driver : lzo-generic name : crct10dif driver : crct10dif-generic name : crc32c driver : crc32c-generic name : aes driver : aes-generic name : sha384 driver : sha384-generic name : sha512 driver : sha512-generic name : sha224 driver : sha224-generic name : sha256 driver : sha256-generic name : sha1 driver : sha1-generic name : md5 driver : md5-generic via:linux$ -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -------------------------------------------------------------- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. From doctor at doctor.nl2k.ab.ca Wed Mar 30 14:55:00 2016 From: doctor at doctor.nl2k.ab.ca (The Doctor) Date: Wed, 30 Mar 2016 08:55:00 -0600 Subject: [openssl-dev] OPENSSL SNAP 20160330 issues Message-ID: <20160330145500.GA10017@doctor.nl2k.ab.ca> Just got make && make test gcc -DZLIB_SHARED -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS +-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS +-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM +-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM +-DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" +-DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS +-fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. +-Icrypto/include -c -o crypto/mem_dbg.o crypto/mem_dbg.c crypto/mem_dbg.c: In function `CRYPTO_mem_leaks': crypto/mem_dbg.c:660: dereferencing pointer to incomplete type crypto/mem_dbg.c:662: dereferencing pointer to incomplete type *** Error code 1 And what are these lines? /* Don't count the BIO that was passed in as a "leak" */ if (ml.seen && ml.chunks >= 1 && ml.bytes >= (int)sizeof (*b)) { ml.chunks--; ml.bytes -= (int)sizeof (*b); } Please fix -- Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca God,Queen and country!Never Satan President Republic!Beware AntiChrist rising! http://www.fullyfollow.me/rootnl2k Look at Psalms 14 and 53 on Atheism Manitoba and Saskatchewan! Save your provinces in April! Vote Liberal!! From matt at openssl.org Wed Mar 30 15:04:03 2016 From: matt at openssl.org (Matt Caswell) Date: Wed, 30 Mar 2016 16:04:03 +0100 Subject: [openssl-dev] OPENSSL SNAP 20160330 issues In-Reply-To: <20160330145500.GA10017@doctor.nl2k.ab.ca> References: <20160330145500.GA10017@doctor.nl2k.ab.ca> Message-ID: <56FBEAE3.1030104@openssl.org> On 30/03/16 15:55, The Doctor wrote: > > Just got > > make && make test > gcc -DZLIB_SHARED -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS > +-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS > +-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > +-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM > +-DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" > +-DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS > +-fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. > +-Icrypto/include -c -o crypto/mem_dbg.o crypto/mem_dbg.c > crypto/mem_dbg.c: In function `CRYPTO_mem_leaks': > crypto/mem_dbg.c:660: dereferencing pointer to incomplete type > crypto/mem_dbg.c:662: dereferencing pointer to incomplete type > *** Error code 1 > > And what are these lines? > > /* Don't count the BIO that was passed in as a "leak" */ > if (ml.seen && ml.chunks >= 1 && ml.bytes >= (int)sizeof (*b)) { > ml.chunks--; > ml.bytes -= (int)sizeof (*b); > } > > Please fix > I have a patch for this already in review. Matt From rt at openssl.org Wed Mar 30 15:12:29 2016 From: rt at openssl.org (David Benjamin via RT) Date: Wed, 30 Mar 2016 15:12:29 +0000 Subject: [openssl-dev] [openssl.org #4393] [PATCH] Call EC_GROUP_order_bits in priv2opt. In-Reply-To: References: Message-ID: On Tue, Mar 29, 2016 at 12:17 PM Emilia K?sper wrote: > While we're at this, shouldn't we then also check the length in oct2priv? > (And > either reject or reduce mod n.) Afaics it accepts arbitrary BNs currently, > which means some keys can be parsed but cannot be re-encoded? > Probably. BoringSSL rejects keys that are too large. One compatibility note though: although RFC 5915 and SEC 1 (not sure about X9.62) requires that the private key in an ECPrivateKey structure be exactly the byte length of the order, OpenSSL prior to 30cd4ff294252c4b6a4b69cbef6a5b4117705d22 removed leading zeros, so ECPrivateKey parsers need to allow for short inputs. David -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4393 Please log in as guest with password guest if prompted From reichert at numachi.com Wed Mar 30 16:27:47 2016 From: reichert at numachi.com (Brian Reichert) Date: Wed, 30 Mar 2016 12:27:47 -0400 Subject: [openssl-dev] Could someone verify my efforts of a scan for the DROWN attack? Message-ID: <20160330162747.GJ76402@numachi.com> I'm applying the advice from this post: https://mta.openssl.org/pipermail/openssl-dev/2016-March/005602.html I've successfully downloaded and compiled this test utility. I have a number of varying SSL services I'm scanned; some are Java apps, and some are linked against OpenSSL. According to the above URL: In both cases all the individual tests in the scripts should print "OK" status if the specific cipher is not supported and report "failed: 0" together with exit status of 0 if you want to automate it. >From this, I infer that 'fail' means an SSL connection could indeed be established using that SSL version/cipher combination. (The code uses the 'conversation' term, so I'll use that in this post.) Whereas most of my services come up clean, I have one that I can't seem to reconfigure such that it passes. I'm concerned I'm getting bit by false 'failures'. My actual failing test yields these conversations that 'fail'. I slightly augmented this script to report the 'failed' conversation: else: print("BAD {0} ...".format(conversation_name)) bad+=1 # PYTHONPATH=. python scripts/test-sslv2-force-cipher.py \ -h localhost -p 10000 > out # grep BAD out BAD Connect with SSLv2 EXP-RC4-MD5 ... BAD Connect with SSLv3 EXP-RC4-MD5 ... BAD Connect with SSLv3 EXP-RC2-CBC-MD5 ... BAD Connect with SSLv2 EXP-RC2-CBC-MD5 ... Each failed conversation yields a 'TLSIllegalParameterException' error; e.g. Connect with SSLv2 EXP-RC4-MD5 ... Error encountered while processing node (child: ) with last message being: None Error while processing Traceback (most recent call last): File "scripts/test-sslv2-force-export-cipher.py", line 109, in main runner.run() File "/root/tlsfuzzer/tlsfuzzer/runner.py", line 129, in run header, parser = self.state.msg_sock.recvMessageBlocking() File "/root/tlsfuzzer/tlslite/messagesocket.py", line 100, in recvMessageBlocking for res in self.recvMessage(): File "/root/tlsfuzzer/tlslite/messagesocket.py", line 82, in recvMessage for ret in self.recvRecord(): File "/root/tlsfuzzer/tlslite/recordlayer.py", line 682, in recvRecord for result in self._recordSocket.recv(): File "/root/tlsfuzzer/tlslite/recordlayer.py", line 188, in recv for record in self._recvHeader(): File "/root/tlsfuzzer/tlslite/recordlayer.py", line 165, in _recvHeader "Malformed record layer header") TLSIllegalParameterException: Malformed record layer header When I test for each of these SSL version/ciphers individually using s_client, they all fail; e.g.: # openssl s_client -connect localhost:10000 -ssl2 \ -cipher EXP-RC4-MD5 > /dev/null; echo $? error setting cipher list 140548678301512:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314: 1 So - are the python-based tests really failing in my case? For example, hitting port 80, which isn't SSL-enabled at all, also yields the TLSIllegalParameterException error, and a non-zero exit status: # PYTHONPATH=. python scripts/test-sslv2-force-export-cipher.py \ -h localhost -p 80 | grep TLSIllegalParameterException TLSIllegalParameterException: Malformed record layer header TLSIllegalParameterException: Malformed record layer header TLSIllegalParameterException: Malformed record layer header TLSIllegalParameterException: Malformed record layer header TLSIllegalParameterException: Malformed record layer header TLSIllegalParameterException: Malformed record layer header I do appreciate any feedback on this matter! -- Brian Reichert BSD admin/developer at large From rt at openssl.org Thu Mar 31 12:34:42 2016 From: rt at openssl.org (Grandi, Andrea via RT) Date: Thu, 31 Mar 2016 12:34:42 +0000 Subject: [openssl-dev] [openssl.org #4494] Fix: check the FD_SETSIZE before the call to select() in speed.c In-Reply-To: <02DF9A39E1EE92419A8C5BBE62973A231A4B1FE6@IRSMSX108.ger.corp.intel.com> References: <02DF9A39E1EE92419A8C5BBE62973A231A4B1FE6@IRSMSX108.ger.corp.intel.com> Message-ID: The behavior of select() is undefined when the value of max_fd is bigger or equal to FD_SETSIZE. When using a big number of async_jobs in speed.c this condition might not be satisfied. The following pull request add a check and print an error message: https://github.com/openssl/openssl/pull/926 Regards, Andrea -------------------------------------------------------------- Intel Research and Development Ireland Limited Registered in Ireland Registered Office: Collinstown Industrial Park, Leixlip, County Kildare Registered Number: 308263 This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4494 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 31 13:00:48 2016 From: rt at openssl.org (Hejian via RT) Date: Thu, 31 Mar 2016 13:00:48 +0000 Subject: [openssl-dev] [openssl.org #4495] After upgrade openssl to 1.0.2g, it cause core accidently, please help me ! In-Reply-To: References: Message-ID: Hello, when upgrade openssl to 1.0.2g, If multi thread call the corba interface, it will cause core accidently. Please help analyze why the core is generated. There are two kinds of core stack list below. #0 0x00007f97729ad324 in RSA_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #1 0x00007f97729b2c13 in pkey_rsa_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #2 0x00007f97729e1e6a in EVP_DigestVerifyFinal () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #3 0x00007f97729ec0d0 in ASN1_item_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #4 0x00007f9772a0b7f2 in internal_verify () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #5 0x00007f9772a0d03a in X509_verify_cert () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #6 0x00007f97727aed68 in ssl_verify_cert_chain () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #7 0x00007f977278a486 in ssl3_get_server_certificate () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #8 0x00007f977278da22 in ssl3_connect () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #9 0x00007f977279797a in ssl23_connect () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #10 0x00007f97719ad764 in ACE_SSL_SOCK_Connector::ssl_connect(ACE_SSL_SOCK_Stream&, ACE_Time_Value const*) () The first core stack, we suspect there is NULL ptr use in internal_verify function: when first thread run in X509_PUBKEY_get and create key->pkey, and go to EVP_PKEY_free(pkey); At same time another thread run to below function find key->pkey not NULL, get the value, and not goto add reference. The first thread think the reference decrease to 0 and free it. The second thread will call NULL ptr and cause core. Please help confirm whether my analyze is correct and why here is a core? /* Check to see if another thread set key->pkey first */ CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); if (key->pkey) { CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); EVP_PKEY_free(ret); ret = key->pkey; } else { key->pkey = ret; CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); } CRYPTO_add(&ret->references, 1, CRYPTO_LOCK_EVP_PKEY); The second stack we can't find why it cause core, please help analyze the source code where may cause core? #0 0x00007f84a332bf2d in sha1_block_data_order_ssse3 () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #1 0x78c793de7ab6c677 in ?? () #2 0x3113a1d9ca62c7fa in ?? () #3 0x9e7d9b9f3531665e in ?? () #4 0x36c547d69b42ed31 in ?? () #5 0x95b7ad7d683b2cde in ?? () #6 0x10e7cadd8a63d9da in ?? () #7 0x457d99208e4f622d in ?? () #8 0xb831aa9466c530cc in ?? () #9 0x00007f84322c49bc in ?? () #10 0x00007f84a35c59f2 in state () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #11 0xffffffffffffffed in ?? () #12 0x00007f84322c49a0 in ?? () #13 0x03ffffffffffffff in ?? () #14 0x00007f84a3329103 in SHA1_Update () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #15 0x00007f84a33b283b in ssleay_rand_bytes () from /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #16 0x00007f84a317a353 in ssl23_connect () -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4495 Please log in as guest with password guest if prompted From levitte at openssl.org Thu Mar 31 13:44:27 2016 From: levitte at openssl.org (Richard Levitte) Date: Thu, 31 Mar 2016 15:44:27 +0200 (CEST) Subject: [openssl-dev] OPENSSL SNAP 20160330 issues In-Reply-To: <20160330145500.GA10017@doctor.nl2k.ab.ca> References: <20160330145500.GA10017@doctor.nl2k.ab.ca> Message-ID: <20160331.154427.2155993824876241390.levitte@openssl.org> In message <20160330145500.GA10017 at doctor.nl2k.ab.ca> on Wed, 30 Mar 2016 08:55:00 -0600, The Doctor said: doctor> doctor> Just got doctor> doctor> make && make test doctor> gcc -DZLIB_SHARED -DDSO_DLFCN -DHAVE_DLFCN_H -DOPENSSL_THREADS doctor> +-DOPENSSL_NO_STATIC_ENGINE -DOPENSSL_PIC -DOPENSSL_BN_ASM_PART_WORDS doctor> +-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM doctor> +-DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM doctor> +-DPOLY1305_ASM -DOPENSSLDIR="\"/usr/contrib\"" doctor> +-DENGINESDIR="\"/usr/contrib/lib/engines\"" -DPERL5 -DL_ENDIAN -DTERMIOS doctor> +-fomit-frame-pointer -O2 -march=i486 -Wall -g -fPIC -Iinclude -I. doctor> +-Icrypto/include -c -o crypto/mem_dbg.o crypto/mem_dbg.c doctor> crypto/mem_dbg.c: In function `CRYPTO_mem_leaks': doctor> crypto/mem_dbg.c:660: dereferencing pointer to incomplete type doctor> crypto/mem_dbg.c:662: dereferencing pointer to incomplete type doctor> *** Error code 1 doctor> doctor> And what are these lines? doctor> doctor> /* Don't count the BIO that was passed in as a "leak" */ doctor> if (ml.seen && ml.chunks >= 1 && ml.bytes >= (int)sizeof (*b)) { doctor> ml.chunks--; doctor> ml.bytes -= (int)sizeof (*b); doctor> } doctor> doctor> Please fix I think a fix was pushed today. -- Richard Levitte levitte at openssl.org OpenSSL Project http://www.openssl.org/~levitte/ From rt at openssl.org Thu Mar 31 14:00:06 2016 From: rt at openssl.org (Matt Caswell via RT) Date: Thu, 31 Mar 2016 14:00:06 +0000 Subject: [openssl-dev] [openssl.org #4495] After upgrade openssl to 1.0.2g, it cause core accidently, please help me ! In-Reply-To: <56FD2D61.9050204@openssl.org> References: <56FD2D61.9050204@openssl.org> Message-ID: On 31/03/16 14:00, Hejian via RT wrote: > Hello, when upgrade openssl to 1.0.2g, If multi thread call the corba > interface, it will cause core accidently. Please help analyze why the > core is generated. > > There are two kinds of core stack list below. > > > #0 0x00007f97729ad324 in RSA_verify () from > /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #1 > 0x00007f97729b2c13 in pkey_rsa_verify () from > /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #2 > 0x00007f97729e1e6a in EVP_DigestVerifyFinal () from > /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #3 > 0x00007f97729ec0d0 in ASN1_item_verify () from > /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #4 > 0x00007f9772a0b7f2 in internal_verify () from > /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #5 > 0x00007f9772a0d03a in X509_verify_cert () from > /opt/oss/server/3rdTools/lib/libcrypto.so.1.0.0 #6 > 0x00007f97727aed68 in ssl_verify_cert_chain () from > /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #7 0x00007f977278a486 > in ssl3_get_server_certificate () from > /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #8 0x00007f977278da22 > in ssl3_connect () from /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 > #9 0x00007f977279797a in ssl23_connect () from > /opt/oss/server/3rdTools/lib/libssl.so.1.0.0 #10 0x00007f97719ad764 > in ACE_SSL_SOCK_Connector::ssl_connect(ACE_SSL_SOCK_Stream&, > ACE_Time_Value const*) () > > The first core stack, we suspect there is NULL ptr use in > internal_verify function: > > when first thread run in X509_PUBKEY_get and create key->pkey, and go > to EVP_PKEY_free(pkey); At same time another thread run to below > function find key->pkey not NULL, get the value, and not goto add > reference. The first thread think the reference decrease to 0 and > free it. The second thread will call NULL ptr and cause core. Please > help confirm whether my analyze is correct and why here is a core? > > /* Check to see if another thread set key->pkey first */ > CRYPTO_w_lock(CRYPTO_LOCK_EVP_PKEY); if (key->pkey) { > CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); EVP_PKEY_free(ret); ret = > key->pkey; } else { key->pkey = ret; > CRYPTO_w_unlock(CRYPTO_LOCK_EVP_PKEY); } CRYPTO_add(&ret->references, > 1, CRYPTO_LOCK_EVP_PKEY); > So you think pkey ends up being NULL? Is that just a theory or have you verified that in a debugger? I can't immediately see a problem with the above code - the reference counting looks ok to me. Don't forget when EVP_PKEY_new() gets called the reference count starts off as 1, and in order to return from the X509_PUBKEY_get() function you must have incremented the reference count by an additional 1 (no matter in which order the threads complete the function). Furthermore the ASN1_item_verify() function in the above stack trace verifies that pkey != NULL before it gets as far as calling EVP_DigestVerifyFinal(). Are you able to recompile OpenSSL with debugging symbols included (i.e. pass the "-d" flag to "config" when building). That may help narrow things down a bit. > > The second stack we can't find why it cause core, please help analyze > the source code where may cause core? #0 0x00007f84a332bf2d in Without debugging symbols it is difficult to say much about this one. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4495 Please log in as guest with password guest if prompted From rt at openssl.org Thu Mar 31 15:20:25 2016 From: rt at openssl.org (Rich Salz via RT) Date: Thu, 31 Mar 2016 15:20:25 +0000 Subject: [openssl-dev] [openssl.org #4468] #ifndefs incorrect for GOST In-Reply-To: <2015461.ps5oDIzqUp@acid> References: <2015461.ps5oDIzqUp@acid> Message-ID: pushed in commit 580731a, thanks! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4468 Please log in as guest with password guest if prompted From rt at openssl.org Tue Mar 15 17:40:42 2016 From: rt at openssl.org (Richard Levitte via RT) Date: Tue, 15 Mar 2016 17:40:42 -0000 Subject: [openssl-dev] [openssl.org #4423] CentOS 7 x86_64, multiple self test failures In-Reply-To: References: Message-ID: You need to heed this, from README.PERL: - on Linux distributions based on RPMs, you will need to install 'perl-core' rather than just 'perl'. So 'yum install perl-core' should be the answer to this issue. Vid Sun, 13 Mar 2016 kl. 14.09.34, skrev noloader at gmail.com: > Working form Master at 4c1cf7e. > > $ which perl > /usr/bin/perl > > $ perl --version > This is perl 5, version 16, subversion 3 (v5.16.3) built for > x86_64-linux-thread-multi > > ********** > > $ make test > ... > > make[1]: Leaving directory `/home/jwalton/Desktop/openssl' > ( cd test; \ > SRCTOP=../. \ > BLDTOP=../. \ > EXE_EXT= \ > /usr/bin/perl .././test/run_tests.pl ) > ../test/recipes/01-test_ordinals.t ........ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/01-test_ordinals.t > line 56. > BEGIN failed--compilation aborted at ../test/recipes/01- > test_ordinals.t line 56. > ../test/recipes/01-test_ordinals.t ........ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_bf.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_bf.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_bf.t line > 3. > ../test/recipes/05-test_bf.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_cast.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_cast.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_cast.t > line 3. > ../test/recipes/05-test_cast.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_des.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_des.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_des.t > line 3. > ../test/recipes/05-test_des.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_hmac.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_hmac.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_hmac.t > line 3. > ../test/recipes/05-test_hmac.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_idea.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_idea.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_idea.t > line 3. > ../test/recipes/05-test_idea.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_md2.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_md2.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_md2.t > line 3. > ../test/recipes/05-test_md2.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_md4.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_md4.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_md4.t > line 3. > ../test/recipes/05-test_md4.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_md5.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_md5.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_md5.t > line 3. > ../test/recipes/05-test_md5.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_mdc2.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_mdc2.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_mdc2.t > line 3. > ../test/recipes/05-test_mdc2.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_rand.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_rand.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_rand.t > line 3. > ../test/recipes/05-test_rand.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_rc2.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_rc2.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_rc2.t > line 3. > ../test/recipes/05-test_rc2.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_rc4.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_rc4.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_rc4.t > line 3. > ../test/recipes/05-test_rc4.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_rc5.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_rc5.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_rc5.t > line 3. > ../test/recipes/05-test_rc5.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_rmd.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_rmd.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_rmd.t > line 3. > ../test/recipes/05-test_rmd.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_sha1.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_sha1.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_sha1.t > line 3. > ../test/recipes/05-test_sha1.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_sha256.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_sha256.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_sha256.t > line 3. > ../test/recipes/05-test_sha256.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_sha512.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_sha512.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_sha512.t > line 3. > ../test/recipes/05-test_sha512.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/05-test_wp.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/05-test_wp.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/05-test_wp.t line > 3. > ../test/recipes/05-test_wp.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/10-test_bn.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/10-test_bn.t line 8. > BEGIN failed--compilation aborted at ../test/recipes/10-test_bn.t line > 8. > ../test/recipes/10-test_bn.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/10-test_exp.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/10-test_exp.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/10-test_exp.t > line 3. > ../test/recipes/10-test_exp.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/15-test_dh.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/15-test_dh.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/15-test_dh.t line > 3. > ../test/recipes/15-test_dh.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/15-test_dsa.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/15-test_dsa.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/15-test_dsa.t > line 7. > ../test/recipes/15-test_dsa.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/15-test_ec.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/15-test_ec.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/15-test_ec.t line > 7. > ../test/recipes/15-test_ec.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/15-test_ecdh.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/15-test_ecdh.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/15-test_ecdh.t > line 3. > ../test/recipes/15-test_ecdh.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/15-test_ecdsa.t ........... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/15-test_ecdsa.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/15-test_ecdsa.t > line 3. > ../test/recipes/15-test_ecdsa.t ........... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/15-test_rsa.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/15-test_rsa.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/15-test_rsa.t > line 7. > ../test/recipes/15-test_rsa.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/20-test_enc.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/20-test_enc.t line > 10. > BEGIN failed--compilation aborted at ../test/recipes/20-test_enc.t > line 10. > ../test/recipes/20-test_enc.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_crl.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_crl.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_crl.t > line 7. > ../test/recipes/25-test_crl.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_gen.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_gen.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_gen.t > line 7. > ../test/recipes/25-test_gen.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_pkcs7.t ........... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_pkcs7.t line > 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_pkcs7.t > line 7. > ../test/recipes/25-test_pkcs7.t ........... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_req.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_req.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_req.t > line 7. > ../test/recipes/25-test_req.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_sid.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_sid.t line 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_sid.t > line 7. > ../test/recipes/25-test_sid.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_verify.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_verify.t line > 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_verify.t > line 7. > ../test/recipes/25-test_verify.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/25-test_x509.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/25-test_x509.t line > 7. > BEGIN failed--compilation aborted at ../test/recipes/25-test_x509.t > line 7. > ../test/recipes/25-test_x509.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/30-test_afalg.t ........... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/30-test_afalg.t line > 55. > BEGIN failed--compilation aborted at ../test/recipes/30-test_afalg.t > line 55. > ../test/recipes/30-test_afalg.t ........... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/30-test_engine.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/30-test_engine.t line > 6. > BEGIN failed--compilation aborted at ../test/recipes/30-test_engine.t > line 6. > ../test/recipes/30-test_engine.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/30-test_evp.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/30-test_evp.t line 6. > BEGIN failed--compilation aborted at ../test/recipes/30-test_evp.t > line 6. > ../test/recipes/30-test_evp.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/30-test_evp_extra.t ....... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/30-test_evp_extra.t > line 6. > BEGIN failed--compilation aborted at ../test/recipes/30- > test_evp_extra.t line 6. > ../test/recipes/30-test_evp_extra.t ....... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/30-test_pbelu.t ........... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/30-test_pbelu.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/30-test_pbelu.t > line 3. > ../test/recipes/30-test_pbelu.t ........... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/40-test_rehash.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/40-test_rehash.t line > 9. > BEGIN failed--compilation aborted at ../test/recipes/40-test_rehash.t > line 9. > ../test/recipes/40-test_rehash.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_clienthello.t ..... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/70-test_clienthello.t > line 3. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_clienthello.t line 3. > ../test/recipes/70-test_clienthello.t ..... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_packet.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/70-test_packet.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/70-test_packet.t > line 3. > ../test/recipes/70-test_packet.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_sslcertstatus.t ... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/recipes/70-test_sslcertstatus.t line 56. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_sslcertstatus.t line 56. > ../test/recipes/70-test_sslcertstatus.t ... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_sslextension.t .... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/70- > test_sslextension.t line 56. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_sslextension.t line 56. > ../test/recipes/70-test_sslextension.t .... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_sslsessiontick.t .. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/recipes/70-test_sslsessiontick.t line 56. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_sslsessiontick.t line 56. > ../test/recipes/70-test_sslsessiontick.t .. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_sslskewith0p.t .... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/70- > test_sslskewith0p.t line 56. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_sslskewith0p.t line 56. > ../test/recipes/70-test_sslskewith0p.t .... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_sslvertol.t ....... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/70-test_sslvertol.t > line 56. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_sslvertol.t line 56. > ../test/recipes/70-test_sslvertol.t ....... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_tlsextms.t ........ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/70-test_tlsextms.t > line 56. > BEGIN failed--compilation aborted at ../test/recipes/70- > test_tlsextms.t line 56. > ../test/recipes/70-test_tlsextms.t ........ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/70-test_verify_extra.t .... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/70- > test_verify_extra.t line 3. > BEGIN failed--compilation aborted at > ../test/recipes/70-test_verify_extra.t line 3. > ../test/recipes/70-test_verify_extra.t .... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_ca.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_ca.t line 8. > BEGIN failed--compilation aborted at ../test/recipes/80-test_ca.t line > 8. > ../test/recipes/80-test_ca.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_cms.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_cms.t line 9. > BEGIN failed--compilation aborted at ../test/recipes/80-test_cms.t > line 9. > ../test/recipes/80-test_cms.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_ct.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_ct.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/80-test_ct.t line > 3. > ../test/recipes/80-test_ct.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_dane.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_dane.t line > 5. > BEGIN failed--compilation aborted at ../test/recipes/80-test_dane.t > line 5. > ../test/recipes/80-test_dane.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_dtlsv1listen.t .... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/80- > test_dtlsv1listen.t line 3. > BEGIN failed--compilation aborted at > ../test/recipes/80-test_dtlsv1listen.t line 3. > ../test/recipes/80-test_dtlsv1listen.t .... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_ocsp.t ............ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_ocsp.t line > 9. > BEGIN failed--compilation aborted at ../test/recipes/80-test_ocsp.t > line 9. > ../test/recipes/80-test_ocsp.t ............ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_ssl.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_ssl.t line 9. > BEGIN failed--compilation aborted at ../test/recipes/80-test_ssl.t > line 9. > ../test/recipes/80-test_ssl.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/80-test_tsa.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/80-test_tsa.t line 9. > BEGIN failed--compilation aborted at ../test/recipes/80-test_tsa.t > line 9. > ../test/recipes/80-test_tsa.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_async.t ........... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_async.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_async.t > line 3. > ../test/recipes/90-test_async.t ........... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_constant_time.t ... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90- > test_constant_time.t line 3. > BEGIN failed--compilation aborted at > ../test/recipes/90-test_constant_time.t line 3. > ../test/recipes/90-test_constant_time.t ... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_gmdiff.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_gmdiff.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_gmdiff.t > line 3. > ../test/recipes/90-test_gmdiff.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_heartbeat.t ....... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_heartbeat.t > line 3. > BEGIN failed--compilation aborted at ../test/recipes/90- > test_heartbeat.t line 3. > ../test/recipes/90-test_heartbeat.t ....... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_ige.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_ige.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_ige.t > line 3. > ../test/recipes/90-test_ige.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_memleak.t ......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/90-test_memleak.t > line 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_memleak.t > line 3. > ../test/recipes/90-test_memleak.t ......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_networking.t ...... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at ../test/recipes/90-test_networking.t > line 56. > BEGIN failed--compilation aborted at > ../test/recipes/90-test_networking.t line 56. > ../test/recipes/90-test_networking.t ...... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_np.t .............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_np.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_np.t line > 3. > ../test/recipes/90-test_np.t .............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_p5_crpt2.t ........ Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_p5_crpt2.t > line 3. > BEGIN failed--compilation aborted at ../test/recipes/90- > test_p5_crpt2.t line 3. > ../test/recipes/90-test_p5_crpt2.t ........ Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_secmem.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_secmem.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_secmem.t > line 3. > ../test/recipes/90-test_secmem.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_srp.t ............. Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_srp.t line 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_srp.t > line 3. > ../test/recipes/90-test_srp.t ............. Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_threads.t ......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_threads.t > line 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_threads.t > line 3. > ../test/recipes/90-test_threads.t ......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > ../test/recipes/90-test_v3name.t .......... Can't locate Test/More.pm > in @INC (@INC contains: ../test/testlib ../util /usr/local/lib64/perl5 > /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl > /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at > ../test/testlib/OpenSSL/Test.pm line 6. > BEGIN failed--compilation aborted at ../test/testlib/OpenSSL/Test.pm > line 6. > Compilation failed in require at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > BEGIN failed--compilation aborted at > ../test/testlib/OpenSSL/Test/Simple.pm line 30. > Compilation failed in require at ../test/recipes/90-test_v3name.t line > 3. > BEGIN failed--compilation aborted at ../test/recipes/90-test_v3name.t > line 3. > ../test/recipes/90-test_v3name.t .......... Dubious, test returned 2 > (wstat 512, 0x200) > No subtests run > > Test Summary Report > ------------------- > ../test/recipes/01-test_ordinals.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_bf.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_cast.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_des.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_hmac.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_idea.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_md2.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_md4.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_md5.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_mdc2.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_rand.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_rc2.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_rc4.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_rc5.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_rmd.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_sha1.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_sha256.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_sha512.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/05-test_wp.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/10-test_bn.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/10-test_exp.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/15-test_dh.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/15-test_dsa.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/15-test_ec.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/15-test_ecdh.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/15-test_ecdsa.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/15-test_rsa.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/20-test_enc.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_crl.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_gen.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_pkcs7.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_req.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_sid.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_verify.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/25-test_x509.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/30-test_afalg.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/30-test_engine.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/30-test_evp.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/30-test_evp_extra.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/30-test_pbelu.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/40-test_rehash.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_clienthello.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_packet.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_sslcertstatus.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_sslextension.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_sslsessiontick.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_sslskewith0p.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_sslvertol.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_tlsextms.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/70-test_verify_extra.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_ca.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_cms.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_ct.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_dane.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_dtlsv1listen.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_ocsp.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_ssl.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/80-test_tsa.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_async.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_constant_time.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_gmdiff.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_heartbeat.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_ige.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_memleak.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_networking.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_np.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_p5_crpt2.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_secmem.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_srp.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_threads.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > ../test/recipes/90-test_v3name.t (Wstat: 512 Tests: 0 Failed: > 0) > Non-zero exit status: 2 > Parse errors: No plan found in TAP output > Files=71, Tests=0, 0 wallclock secs ( 0.13 usr 0.10 sys + 0.37 cusr > 0.18 csys = 0.78 CPU) > Result: FAIL > Failed 71/71 test programs. 0/0 subtests failed. > make: *** [test] Error 2 > [jwalton at localhost openssl]$ -- Richard Levitte levitte at openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4423 Please log in as guest with password guest if prompted From michel.sales at free.fr Thu Mar 17 00:03:55 2016 From: michel.sales at free.fr (Michel) Date: Thu, 17 Mar 2016 00:03:55 -0000 Subject: [openssl-dev] configure results in conflicting CRT switches for win DLL In-Reply-To: <20160317.004341.876693309005882017.levitte@openssl.org> References: <001b01d17fcd$109d9100$31d8b300$@sales@free.fr> <20160316.233726.1350815458305070246.levitte@openssl.org> <005501d17fdb$58d73800$0a85a800$@sales@free.fr> <20160317.004341.876693309005882017.levitte@openssl.org> Message-ID: <005d01d17fe0$6eb56ac0$4c204040$@sales@free.fr> Yes sure ! Here they are, with the output of the 'PERL Configure' script. As it is quite late (in France), or rather early now ;-), if you don't mind I will answer you next time in a few hours. Thanks for your help, Michel. -----Message d'origine----- De?: openssl-dev [mailto:openssl-dev-bounces at openssl.org] De la part de Richard Levitte Envoy??: jeudi 17 mars 2016 00:44 ??: openssl-dev at openssl.org Objet?: Re: [openssl-dev] configure results in conflicting CRT switches for win DLL I can't reproduce what you're getting, but tell you what, if you send me these two files, I can try to figure out what's going on: configdata.pm ms\ntdll.mak -------------- next part -------------- A non-text attachment was scrubbed... Name: config.dll.out Type: application/octet-stream Size: 2776 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: configdata.pm Type: application/octet-stream Size: 6526 bytes Desc: not available URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: nt.mak URL: -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: ntdll.mak URL: From rt at openssl.org Sat Mar 19 01:31:56 2016 From: rt at openssl.org (Erik Forsberg via RT) Date: Sat, 19 Mar 2016 01:31:56 -0000 Subject: [openssl-dev] [openssl.org #4444] [openssl-1.1.0-pre4] Make fails with "recipe for target 'depend' failed" on solaris64-x86_64 In-Reply-To: References: Message-ID: still not working right. Attached a longish log file extract. But root cause seems to be that we try to process test dependencies while doing depend in crypto, way before we had done any work in the test subdir. That causes the find to exit with failed status aborting the depend. >-- Original Message -- > >Fixup show in last message has now been merged with master, commit >a6adf099cbd7c3bc5c7051ad3d334636ef5e7f90 > >-- >Richard Levitte >levitte at openssl.org > >-- >Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 >Please log in as guest with password guest if prompted > >-- >openssl-dev mailing list >To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4444 Please log in as guest with password guest if prompted -------------- next part -------------- A non-text attachment was scrubbed... Name: depend.log Type: application/octet-stream Size: 34335 bytes Desc: not available URL: