Release of OpenSSL 1.0.1 approaching...

Release of OpenSSL 1.0.1 approaching...

Dr. Stephen Henson
OpenSSL 1.0.1 is expected to be released in the next few weeks.

There have been many changes since OpenSSL 1.0.0 including:

        o PSS signatures in certificates, requests and CRLs.
        o Support for password based recipient info for CMS.
        o Support TLS v1.2 and TLS v1.1.
        o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
        o SRP support.

Users are encouraged to test recent snapshots of OpenSSL 1.0.1 and
report any problems via the request tracker ([hidden email]).

The actual 1.0.1 release date will depend on the number and
severity of issues uncovered.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: Release of OpenSSL 1.0.1 approaching...

Tim Rice
On Fri, 9 Dec 2011, Dr. Stephen Henson wrote:

> OpenSSL 1.0.1 is expected to be released in the next few weeks.
[snip]
> Users are encouraged to test recent snapshots of OpenSSL 1.0.1 and
> report any problems via the request tracker ([hidden email]).

I assume the snapshots are built from the OpenSSL_1_0_1-stable CVS tag.

On UnixWare 7.1.4 (i586-sco-unixware7) configured with
./config --prefix=/opt/mt/openssl-1.0.0 --openssldir=/etc/ssl zlib -Kpentium_pro
I'm getting this error

making all in crypto...
        cc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o x86cpuid.o x86cpuid.s
UX:as: ERROR: x86cpuid.s:311:unknown instruction: loopl
*** Error code 1 (bu21)
UX:make: ERROR: fatal error.
*** Error code 1 (bu21)
UX:make: ERROR: fatal error.


--
Tim Rice Multitalents (707) 456-1146
[hidden email] (707) 887-1469



Re: Release of OpenSSL 1.0.1 approaching...

Andy Polyakov-2
>> OpenSSL 1.0.1 is expected to be released in the next few weeks.
> [snip]
>> Users are encouraged to test recent snapshots of OpenSSL 1.0.1 and
>> report any problems via the request tracker ([hidden email]).
>
> I assume the snapshots are built from the OpenSSL_1_0_1-stable CVS tag.
>
> On UnixWare 7.1.4 (i586-sco-unixware7) configured with
> ./config --prefix=/opt/mt/openssl-1.0.0 --openssldir=/etc/ssl zlib -Kpentium_pro
> I'm getting this error
>
> making all in crypto...
> cc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o x86cpuid.o x86cpuid.s
> UX:as: ERROR: x86cpuid.s:311:unknown instruction: loopl

What happens if you edit crypto/x86cpuid.s in a text editor and replace
'loopl' with 'loop'? The question is whether the assembler supports the loop
instruction at all.


Re: Release of OpenSSL 1.0.1 approaching...

Tim Rice
On Fri, 9 Dec 2011, Andy Polyakov wrote:

> > I assume the snapshots are built from the OpenSSL_1_0_1-stable CVS tag.
> >
> > On UnixWare 7.1.4 (i586-sco-unixware7) configured with
> > ./config --prefix=/opt/mt/openssl-1.0.0 --openssldir=/etc/ssl zlib -Kpentium_pro
> > I'm getting this error
> >
> > making all in crypto...
> > cc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o x86cpuid.o x86cpuid.s
> > UX:as: ERROR: x86cpuid.s:311:unknown instruction: loopl
>
> What happens if you edit crypto/x86cpuid.s in a text editor and replace
> 'loopl' with 'loop'? The question is whether the assembler supports the loop
> instruction at all.

The build continues and "make tests" passes.

.....
ALL TESTS SUCCESSFUL.
        OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.1-dev 16 Oct 2011
built on: Thu Dec  8 17:10:38 PST 2011
platform: unixware-7
options:  bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) idea(int) blowfish(idx)
compiler: cc -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/ssl"
.....

Thanks.

--
Tim Rice Multitalents (707) 456-1146
[hidden email] (707) 887-1469



Re: Release of OpenSSL 1.0.1 approaching...

Andy Polyakov-2
>>> I assume the snapshots are built from the OpenSSL_1_0_1-stable CVS tag.
>>>
>>> On UnixWare 7.1.4 (i586-sco-unixware7) configured with
>>> ./config --prefix=/opt/mt/openssl-1.0.0 --openssldir=/etc/ssl zlib -Kpentium_pro
>>> I'm getting this error
>>>
>>> making all in crypto...
>>> cc -I. -I.. -I../include  -DZLIB -DOPENSSL_THREADS -Kthread -DDSO_DLFCN -DHAVE_DLFCN_H -Kpentium_pro -D__i386__ -O -DFILIO_H -Kalloca -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -c -o x86cpuid.o x86cpuid.s
>>> UX:as: ERROR: x86cpuid.s:311:unknown instruction: loopl
>> What happens if you edit crypto/x86cpuid.s in a text editor and replace
>> 'loopl' with 'loop'? The question is whether the assembler supports the loop
>> instruction at all.
>
> The build continues and "make tests" passes.

http://cvs.openssl.org/chngview?cn=21817

RE: Release of OpenSSL 1.0.1 approaching...

Green, Paul
In reply to this post by Dr. Stephen Henson
Dr. Stephen Henson wrote:

> OpenSSL 1.0.1 is expected to be released in the next few weeks.
[snip]

> Users are encouraged to test recent snapshots of OpenSSL 1.0.1 and
> report any problems via the request tracker ([hidden email]).

I submitted RT #2563 back on July 14, 2011. It contains a major
improvement to the default random-number seeding method used on OpenVOS
(and only on OpenVOS). I submitted patches for 1.0.0 and 1.0.1 (they
happen to be the same, but I was trying to make it easy for people). I
tested it very carefully here, and all of the self-tests still pass. I
have received no comments or objections to it.

Would it be possible to apply this patch to the 1.0.1 repository?   I
just re-ran the patch here, and it applies cleanly to today's 1.0.1
snapshot.

It would also be nice to apply it to the 1.0.0 repository, if possible.

PG

Re: Release of OpenSSL 1.0.1 approaching...

Tim Rice
In reply to this post by Andy Polyakov-2
On Fri, 9 Dec 2011, Andy Polyakov wrote:

> http://cvs.openssl.org/chngview?cn=21817

Yes that works. Thanks.

--
Tim Rice Multitalents
[hidden email]



Re: Release of OpenSSL 1.0.1 approaching...

Rainer Jung-3
In reply to this post by Dr. Stephen Henson
The config script contains

    # Only set CC if not supplied already
    if [ -z "$CROSS_COMPILE$CC" ]; then
      GCCVER=`sh -c "gcc -dumpversion" 2>/dev/null`

In our case we do set "CC", but we do not cross compile. Since CC is
set, the "-z" test fails and consequently the GCCVER variable is not
set. Later down, for Solaris it compares GCCVER to "28" and due to the
variable being "0" it falls back to old gcc compiler mode even though we are
using gcc 4.

I don't know enough about cross compilation, but the following is a
proposed fix assuming that non-gcc compilers set in CC will only write
an error when called with "-dumpversion":

--- config Sat Dec 10 11:57:36 2011
+++ config Sat Dec 10 12:56:36 2011
@@ -411,9 +411,9 @@
  # this is where the translation occurs into SSLeay terms
  #
---------------------------------------------------------------------------

-# Only set CC if not supplied already
-if [ -z "$CROSS_COMPILE$CC" ]; then
-  GCCVER=`sh -c "gcc -dumpversion" 2>/dev/null`
+# Only set if not cross compiling
+if [ -z "$CROSS_COMPILE" ]; then
+  GCCVER=`sh -c "${CC:-gcc} -dumpversion" 2>/dev/null`
    if [ "$GCCVER" != "" ]; then
      # then strip off whatever prefix egcs prepends the number with...
      # Hopefully, this will work for any future prefixes as well.
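Review bot: the new `GCCVER=` line runs `${CC:-gcc} -dumpversion`, and the unchanged `if [ "$GCCVER" != "" ]` below it accepts any stdout as a gcc version, so a non-gcc CC that prints anything for that option is handled as gcc. Suggest checking that the output starts with a digit before entering the branch. The rewritten comment "Only set if not cross compiling" should also say what is being set (GCCVER and the CC default).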
@@ -423,9 +423,9 @@
      # major and minor version numbers.
      # peak single digit before and after first dot, e.g. 2.95.1 gives 29
      GCCVER=`echo $GCCVER | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'`
-    CC=gcc
+    CC=${CC:-gcc}
    else
-    CC=cc
+    CC=${CC:-cc}
    fi
  fi
  GCCVER=${GCCVER:-0}
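Review bot: `CC=${CC:-gcc}` and `CC=${CC:-cc}` sit inside the `[ -z "$CROSS_COMPILE" ]` block from the first hunk, so with CROSS_COMPILE set the probe is still skipped and `GCCVER=${GCCVER:-0}` yields 0 even when the cross compiler is gcc. Either probe the cross compiler as well, or add a comment stating that cross builds deliberately keep GCCVER at 0.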



Alternatively one could only try to use "-dumpversion" if CC is not set
or e.g. the first token in CC has a basename "gcc". But this would not
work, e.g. for CC=/my/path/bin/gcc-4.1.2 or similar.

Regards,

Rainer
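
The CC/GCCVER behaviour described in the message above, and the assumption the proposed fix makes about non-gcc compilers, as an added example (not part of the original message and not OpenSSL's config script). The stub compilers `gcc-4.1.2`, `quietcc` and `chattycc` and the `gccver_checked` safeguard are constructed for illustration:

```shell
#!/bin/sh
# Added example, not OpenSSL's config script. Stub compilers are constructed.
STUBS=$(mktemp -d)
trap 'rm -rf "$STUBS"' EXIT
printf '#!/bin/sh\necho 4.1.2\n' > "$STUBS/gcc-4.1.2"
printf '#!/bin/sh\necho "bad option" >&2\nexit 1\n' > "$STUBS/quietcc"
printf '#!/bin/sh\necho "usage: chattycc file"\n' > "$STUBS/chattycc"
chmod +x "$STUBS"/*

# Run "<compiler> -dumpversion" the way config does; stdout only, never fails.
probe() { sh -c "$1 -dumpversion" 2>/dev/null || :; }

# The sed expression from the quoted script: 4.1.2 becomes 41.
shorten() { echo "$1" | sed 's/\([0-9]\)\.\([0-9]\).*/\1\2/'; }

# As quoted from config: no probe once CC or CROSS_COMPILE is set.
gccver_before() {    # $1 = CC, $2 = CROSS_COMPILE
    v=""
    if [ -z "$2$1" ]; then v=$(probe gcc); fi
    if [ -n "$v" ]; then v=$(shorten "$v"); fi
    echo "${v:-0}"
}

# As in the proposed fix: probe ${CC:-gcc} unless cross compiling.
gccver_patched() {   # $1 = CC, $2 = CROSS_COMPILE
    v=""
    if [ -z "$2" ]; then v=$(probe "${1:-gcc}"); fi
    if [ -n "$v" ]; then v=$(shorten "$v"); fi
    echo "${v:-0}"
}

# Added safeguard (this example's assumption): accept only an all-digit result.
gccver_checked() {
    v=$(gccver_patched "$1" "$2")
    case "$v" in
        ""|*[!0-9]*) echo 0 ;;
        *) echo "$v" ;;
    esac
}

for cc in gcc-4.1.2 quietcc chattycc; do
    echo "CC=$cc before=$(gccver_before "$STUBS/$cc" "")" \
         "patched=$(gccver_patched "$STUBS/$cc" "")" \
         "checked=$(gccver_checked "$STUBS/$cc" "")"
done
```

A versioned name such as gcc-4.1.2 is detected by probing rather than by basename, and a compiler that answers `-dumpversion` with unrelated stdout text is only rejected by the added digit check.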

Re: Release of OpenSSL 1.0.1 approaching...

Rainer Jung-3
In reply to this post by Dr. Stephen Henson
Two compiler warnings (gcc 4.1.2) during compilation:

sparcv9cap.c: In function 'OPENSSL_cpuid_setup':
sparcv9cap.c:173: warning: unused variable 'sig'

It seems the line

     173         int                     sig;

could simply be dropped.


apps.c: In function 'set_ext_copy':
apps.c:1306: warning: implicit declaration of function 'strcasecmp'

The file defined "_POSIX_C_SOURCE 2", which results in strcasecmp no
longer being defined. Adding "-D__EXTENSIONS__" activates all compatible
extensions (on Solaris) and resolves this. The Configure entry for
Solaris debug already contains -D__EXTENSIONS__. Alternatively one might
only set "_POSIX_C_SOURCE 2" for the platform that needs it. In apps.c
it says:

/* On VMS, you need to define this to get
    the declaration of fileno().  The value
    2 is to make sure no function defined
    in POSIX-2 is left undefined. */

but then sets it unconditionally for all platforms :(


In addition one assembler warning (Solaris Sparc):

/usr/ccs/bin/as: "sha512-sparcv9.s", line 676: warning: v8+ ABI
violation: illegal use of %i or %l register as rs1 in "brnz,a" instruction

All of these also occur in 1.0.0e.

Regards,

Rainer

Re: Release of OpenSSL 1.0.1 approaching...

Peter Sylvester-3
In reply to this post by Tim Rice
Hi,

For a few days now, the current snapshots seem to provoke a

     tar: A lone zero block at ....

Has there been any change in producing the tar.gz?

/P

Re: Release of OpenSSL 1.0.1 approaching...

Andy Polyakov-2
In reply to this post by Rainer Jung-3
> In addition one assembler warning (Solaris Sparc):
>
> /usr/ccs/bin/as: "sha512-sparcv9.s", line 676: warning: v8+ ABI
> violation: illegal use of %i or %l register as rs1 in "brnz,a" instruction

What version is it? Solaris and assembler (as -V)?

For reference, the instruction in question performs a conditional branch
depending on the content of the 64-bit %i4 register. The thing about the v8+ ABI
is that the upper halves of %i and %l registers can be zeroed at any time. While
it would be plain wrong to rely on the upper half having a non-zero value, the
warning is safe to ignore in *this* case, because %i4 is used to keep a
5-bit value, so it doesn't matter whether the system zeros the upper half or not.
I'll see how to work around the warning...


Re: Release of OpenSSL 1.0.1 approaching...

Rainer Jung-3
On 12.01.2012 15:54, Andy Polyakov wrote:
>> In addition one assembler warning (Solaris Sparc):
>>
>> /usr/ccs/bin/as: "sha512-sparcv9.s", line 676: warning: v8+ ABI
>> violation: illegal use of %i or %l register as rs1 in "brnz,a" instruction
>
> What version is it? Solaris and assembler (as -V)?

% as -V
as: Sun Compiler Common 10 Patch 09/04/2007

% uname -a
SunOS xxxx5.10 Generic_142900-07 sun4u sparc SUNW,Sun-Fire-V240

% cat /etc/release
                       Solaris 10 10/08 s10s_u6wos_07b SPARC
            Copyright 2008 Sun Microsystems, Inc.  All Rights Reserved.
                         Use is subject to license terms.
                             Assembled 27 October 2008

gcc was a self-compiled 4.6.2.

> For reference, the instruction in question performs a conditional branch
> depending on the content of the 64-bit %i4 register. The thing about the v8+ ABI
> is that the upper halves of %i and %l registers can be zeroed at any time. While
> it would be plain wrong to rely on the upper half having a non-zero value, the
> warning is safe to ignore in *this* case, because %i4 is used to keep a
> 5-bit value, so it doesn't matter whether the system zeros the upper half or not.

Thanks for the explanation.

> I'll see how to work around the warning...

Great, thanks a lot. Happy to retest.

Regards,

Rainer


Re: Release of OpenSSL 1.0.1 approaching...

Andy Polyakov-2
>> I'll see how to work around the warning...
>
> Great, thanks a lot. Happy to retest.

http://cvs.openssl.org/chngview?cn=22016.

Re: Release of OpenSSL 1.0.1 approaching...

Rainer Jung-3
On 13.01.2012 10:23, Andy Polyakov wrote:
>>> I'll see how to work around the warning...
>>
>> Great, thanks a lot. Happy to retest.
>
> http://cvs.openssl.org/chngview?cn=22016.

I applied the change to the current 1.0.1 snapshot. The warning is gone
now, "make test" doesn't show any regression.

Thanks!

Regards,

Rainer
