Openssl-0.9.8za will not build in FIPS mode. The openssl-fips-1.2(.4) seems to
be missing the symbol BN_consttime_swap.
Woody
Gatewood C Green Jr (Woody)
Principal Software Engineer, Product Security Champion
SIEM Engineering
McAfee. Part of Intel Security.
Direct: 208.552.8269
Mobile:
OpenSSL 0.9.8za fails to build on Solaris 9. It uses INT_MAX in
ssl/s3_pkt.c but doesn't include limits.h. This is a new change since
0.9.8y (confirmed by diffing the source code). The fix is trivial:
--- tmp/openssl-0.9.8za/ssl/s3_pkt.c2014-06-05 09:09:26.0 +0100
+++
The following shows up using SGI IRIX cc:
cc -I.. -I../include -DOPENSSL_THREADS -D_SGI_MP_SOURCE -DDSO_DLFCN
-DHAVE_DLFCN_H -DOPENSSL_USE_IPV6=0 -n32 -mips3 -O2 -use_readonly_const -G0
-rdata_shared -DTERMIOS -DB_ENDIAN -DBN_DIV3W -c -o heartbeat_test.o
heartbeat_test.c
cc-1020 cc: ERROR
ASN1_R_UNKOWN_FORMAT should be ASN1_R_UNKNOWN_FORMAT:
./crypto/asn1/asn1_err.c:{ERR_REASON(ASN1_R_UNKOWN_FORMAT),unknown
format},
./crypto/asn1/asn1_gen.c: ASN1err(ASN1_F_ASN1_CB,
ASN1_R_UNKOWN_FORMAT);
./crypto/asn1/asn1.h:#define ASN1_R_UNKOWN_FORMAT
195
On Fri, Jun 06, 2014 at 01:27:02AM -0400, Mike Frysinger wrote:
On Thu 05 Jun 2014 22:53:32 Matt Caswell via RT wrote:
On Sun Apr 27 13:04:20 2014, vap...@gentoo.org wrote:
It's a standard setting that other build systems use.
Can you explain why you need this?
because people want to
On Fri, Jun 06, 2014 at 01:27:02AM -0400, Mike Frysinger wrote:
On Thu 05 Jun 2014 22:53:32 Matt Caswell via RT wrote:
On Sun Apr 27 13:04:20 2014, vap...@gentoo.org wrote:
It's a standard setting that other build systems use.
Can you explain why you need this?
because people want to
Good morning,
OpenSSL 0.9.8za ‘ssl/s3_pkt.c’ now references the ‘INT_MAX’ define on line 536,
but
without the ‘limit.h’ include, this produces a compilation fail on Solaris 10 /
Studio 12.
Easy fix is to add the limit.h include at the top of s3_pkt.c, and this allows
the compilation to
Hello,
In the OpenSSL Security Advisory [05 Jun 2014], regarding SSL/TLS MITM
vulnerability (CVE-2014-0224), it says:
Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.
Usersof OpenSSL servers earlier than 1.0.1 are advised to upgrade as a
precaution.
We are using
I wish you had elaborated a bit on why it is intentional? Links to
an existing FAQ (if applicable to this specifically), or just
something you or one of the other people involved with openssl wrote
in response to a similar question. Not that I think it likely to be
changed, but simply for my own
On 6 June 2014 08:27, Zhong Chen zc...@sonicwall.com wrote:
Hello,
In the “OpenSSL Security Advisory [05 Jun 2014]”, regarding “SSL/TLS MITM
vulnerability (CVE-2014-0224)”, it says:
Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.
Usersof OpenSSL servers earlier
On Fri, Jun 06, 2014, Matt Caswell wrote:
On 6 June 2014 08:27, Zhong Chen zc...@sonicwall.com wrote:
We are using openssl 1.0.0 as a server. Looking at the diff between 1.0.0m
and 1.0.0k, same patch is applied to s3_srvr.c and s3_pkt.c. I want to
confirm this is just for precaution, or
Hi Openssl-dev team
I am porting Openssl 1.0.1g in Embedded which is developed with OpenWRT -
MIPS64 CPU.
I found SHA is not working and it will always dead when calling
sha1_block_data_order defined in sha1-mips.pl. If I ./configure with no-asm
then everything is fine.
My questions is
On Thu, Jun 05, 2014, Green, Gatewood wrote:
Openssl-0.9.8za will not build in FIPS mode. The openssl-fips-1.2(.4) seems
to be missing the symbol BN_consttime_swap.
Fixed now. Workaround is to compile with no-ec: the EC algorithsm aren't
approved for FIPS operation for the FIPS capable
Hi,
the 1.0.0m fails to build on OpenVMS Alpha architecture.
OPENSSL_assert(s-s3-wnum INT_MAX);
^
%CC-E-UNDECLARED, In this statement, INT_MAX is not declared.
at line number 586 in file DKA300:[WORK.OPENSSL-100M.SSL]S3_PKT.C;1
On IA64 and VAX it builds well.
I'll return
On 6 June 2014 14:42, Zoltan Arpadffy z...@polarhome.com wrote:
Hi,
the 1.0.0m fails to build on OpenVMS Alpha architecture.
OPENSSL_assert(s-s3-wnum INT_MAX);
^
%CC-E-UNDECLARED, In this statement, INT_MAX is not declared.
at line number 586 in file
__func__ is defined in C99. What version of the SGI C compiler are you
using? According to the following, as of version 7.4, the -c99 flag
should enable this to compile:
http://www.sgi.com/products/software/irix/tools/c.html
Mike
On Fri, Jun 6, 2014 at 3:14 AM, Pieter Bowman via RT
On Fri, Jun 06, 2014, Zoltan Arpadffy wrote:
Hi,
the 1.0.0m fails to build on OpenVMS Alpha architecture.
OPENSSL_assert(s-s3-wnum INT_MAX);
^
%CC-E-UNDECLARED, In this statement, INT_MAX is not declared.
at line number 586 in file
On Fri, Jun 06, 2014 at 09:15:02AM +0200, Kurt Roeckx wrote:
I ended up using the cflags in Configure for that.
I wrote a script that takes the output of Configure TABLE to
extract the settings for my desired target, makes appropriate
additions to the desired field, and then runs Configure with
Thanks Steve and Matt. That makes sense.
-Original Message-
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On
Behalf Of Dr. Stephen Henson
Sent: Friday, June 06, 2014 6:11 PM
To: openssl-dev@openssl.org
Subject: Re: Question about SSL/TLS MITM vulnerability
Perhaps Configure should have a -f nnn flag, that lets folks add their own
local table without having to patch the script
--
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: rs...@jabber.me; Twitter: RichSalz
-Original Message-
From: owner-openssl-...@openssl.org
Patch to fix few issue related to ECC support in ciphers(1) man page:
* Make a clear distinction between DH and ECDH key exchange.
* Group all key exchange cipher suite identifiers, first DH then ECDH
* add descriptions for all supported *DH* identifiers
* add ECDSA authentication
On Fri, Jun 06, 2014 at 10:42:06AM -0400, Salz, Rich wrote:
Perhaps Configure should have a -f nnn flag, that lets folks
add their own local table without having to patch the script
I think this misses the point, one can already just pass a table
entry on the command-line as a colon-separated
I think this misses the point, one can already just pass a table entry on the
command-line as a colon-separated target name.
Yes, you're right, I was mis-using the thread.
But putting a config spec on the command line is, shall we say, awkward. And
adding the flag would help with code
On Fri 06 Jun 2014 09:15:09 Kurt Roeckx via RT wrote:
On Fri, Jun 06, 2014 at 01:27:02AM -0400, Mike Frysinger wrote:
On Thu 05 Jun 2014 22:53:32 Matt Caswell via RT wrote:
On Sun Apr 27 13:04:20 2014, vap...@gentoo.org wrote:
It's a standard setting that other build systems use.
On Fri 06 Jun 2014 09:15:09 Kurt Roeckx via RT wrote:
On Fri, Jun 06, 2014 at 01:27:02AM -0400, Mike Frysinger wrote:
On Thu 05 Jun 2014 22:53:32 Matt Caswell via RT wrote:
On Sun Apr 27 13:04:20 2014, vap...@gentoo.org wrote:
It's a standard setting that other build systems use.
Hello
I work on source code injection, for roughness purposes.
Is it possible to adapt the Configure tool in order to
- first execute the preprocessing stage (macro expand and source code
generation) like gcc -E
- execute some custom source code manipulation (free/malloc enhance,
array bound
Is it possible to adapt the Configure tool in order to
- first execute the preprocessing stage (macro expand and source code
generation) like gcc -E
- execute some custom source code manipulation (free/malloc enhance, array
bound checks, etc) of my own
One way to do this would be to use
I've created the openssl-testing mailing list (via Google Groups) to
discuss the OpenSSL unit/automated testing effort, to avoid clogging
openssl-dev:
https://groups.google.com/d/forum/openssl-testing
Membership is open to whoever wishes to join, even if only to lurk.
Ideally all testing
On Fri, Jun 06, 2014, Mike Bland wrote:
__func__ is defined in C99. What version of the SGI C compiler are you
using? According to the following, as of version 7.4, the -c99 flag
should enable this to compile:
http://www.sgi.com/products/software/irix/tools/c.html
Note that VC++ under
The Microsoft compilers support __FUNCTION__, same functionality as
__func__. Could be the SGI compiler supports
__FUNCTION__, but it's been a long time since I had access to a SGI
machine, so I couldn't check.
On Fri, Jun 6, 2014 at 2:02 PM, Dr. Stephen Henson st...@openssl.org
wrote:
On
Thank you.
This fixed the problem.
Regards,
Z
-Original Message-
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On
Behalf Of Matt Caswell
Sent: den 6 juni 2014 15:54
To: openssl-dev@openssl.org
Subject: Re: 1.0.0m problem on OpenVMS Alpha
On 6 June 2014
Hi,
after some testing the new release I realized that 1.0.1h does not build nor
run HEARBEAT bug unit test on OpenVMS.
The following patch corrects the problem.
Thanks,
Z
-
SYSTEM@ia64$ mc DKA0:[UTIL]gdiff.exe -p
DKA0:[WORK.openssl-101h.test]maketests.com;1
Hello everyone!
Discovered this problem while trying to fix
https://github.com/joyent/node/issues/7704.
Attached is a fix for it.
Cheers,
Fedor.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- From c6a4d5ff66cd886023f75780e876053f019ed8de Mon Sep 17 00:00:00 2001
From: Fedor Indutny
All,
Running into an issue with OpenSSL 1.0.1h and EAP-FAST/wpa_supplicant TLS
session resumption.
CVE-2014-0224 code added code to reject the ChangeCipherSpec message if it is
received in incorrect order.
Normally the TLS client sends the Finished message before the ChangeCipherSpec
message
A colleague here noticed that the pthreads-based locking loses the distinction
between read and write locks. We've collected mutex contention data, and found
that the CRYPTO_ERR lock, used while getting error info, is one of the biggest
offenders.
It turns out that pthreads_locking_callback
35 matches
Mail list logo