On Wed, Oct 23, 2013 at 08:32:35AM +1000, Peter Waltenberg wrote:
There is no 'safe' way to do this other than hardwired. Admitted, we have a
fairly ugly stack on which to find that out, multiple independently
developed lumps of code jammed into the same process, quite a few using
*Version:
*This bug was found in openssl-fips 2.0.2; I looked in 2.0.5, and the
problem appears to be present there still.
*
Issue:*
The fips module has a bug that can result in segfaults when
fips_get_entropy() fails during initialization of openssl-linked-with-fips.
*Fix:
*Because the fix is
On Wed Oct 23 08:59:59 2013, mco...@akamai.com wrote:
*
Issue:*
The fips module has a bug that can result in segfaults when
fips_get_entropy() fails during initialization of openssl-linked-with-fips.
What version of OpenSSL are you using? This was worked around in 1.0.1e due to
the
Hello again,
Is there any way to speed up discussion on this topic?
Cheers,
Fedor.
On Mon, Oct 21, 2013 at 3:09 PM, Fedor Indutny fe...@indutny.com wrote:
Hello devs!
I just found that its impossible to get error from `RAND_bytes()` if
running on default `RAND_SSLeay()` method.
There're
Am 21.10.2013 13:09, schrieb Fedor Indutny:
Hello devs!
I just found that its impossible to get error from `RAND_bytes()` if
running on default `RAND_SSLeay()` method.
There're a couple of reasons and observations, that are confirming it
(sorry for using github, its just more convenient to
Hello Richard,
Yes, I see what this comment means. But what's the difference between
RAND_bytes() and RAND_pseudo_bytes() then? They seems to be using exactly
the same amount of entropy and can't ever fail or return `0` (meaning that
data is insecure).
In my opinion, current implementation could
Am 23.10.2013 18:49, schrieb Fedor Indutny:
Hello Richard,
Yes, I see what this comment means. But what's the difference between
RAND_bytes() and RAND_pseudo_bytes() then? They seems to be using
exactly the same amount of entropy and can't ever fail or return `0`
(meaning that data is
On 10/23/2013 06:16 AM, Stephen Henson via RT wrote:
What version of OpenSSL are you using? This was worked around in 1.0.1e due to
the difficulty of changing the FIPS module.
Ah, okay; I see the drbg_free_entropy functions are checking for NULL
there now, which works (even though it's probably
On Wed, Oct 23, 2013 at 12:59:53AM -0500, Nico Williams wrote:
On Wed, Oct 23, 2013 at 08:32:35AM +1000, Peter Waltenberg wrote:
There is no 'safe' way to do this other than hardwired. Admitted, we have a
fairly ugly stack on which to find that out, multiple independently
developed lumps of
No, multiple independently developed libraries in the same process space
calling the same crypto. code was the problem.
Multiple thread models can't work if they call common code, agreed
there :).
The problem we hit early on was that as a library the only way we could
ensure the stack above us
On Wed Oct 23 21:06:00 2013, mco...@akamai.com wrote:
For my curiosity, what's difficult about modifying FIPS? More involved
change-vetting process?
Any change has to be approved as part of a change letter process with labs
which takes time and costs real money. We normally try to include any
11 matches
Mail list logo
