Re: [openssl-dev] [openssl.org #3940] Missing CRL checks in cms/smime cmdline utilities
Thank you very much!

On Aug 19, 2016, 6:47 PM, "Rich Salz via RT" wrote:
> For now we just added a comment to master, 1.0.2, 1.0.1 in the cms.pod and
> smime.pod files:
>
> Note that no revocation check is done for the recipient cert, so if that
> key has been compromised, others may be able to decrypt the text.
>
> --
> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3940
> Please log in as guest with password guest if prompted

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3940
Please log in as guest with password guest if prompted
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
[openssl-dev] [openssl.org #3940] Missing CRL checks in cms/smime cmdline utilities
For now we just added a comment to master, 1.0.2, 1.0.1 in the cms.pod and smime.pod files:

    Note that no revocation check is done for the recipient cert, so if that
    key has been compromised, others may be able to decrypt the text.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3940
[openssl-dev] [openssl.org #4653] [1.0.2] fails to compile on VC-WIN32
Please try out this github pull request: https://github.com/openssl/openssl/pull/1470

Cheers,
Richard

On Fri Aug 19 14:40:02 2016, levitte wrote:
> We totally missed out on adapting util/mk1mf.pl. Fix on its way.
>
> On Fri Aug 19 14:20:20 2016, simon.rich...@hogyros.de wrote:
> > Hi,
> >
> > the 1.0.2 branch fails to compile for me:
> >
> > link /nologo /subsystem:console /opt:ref /debug
> > /out:out32dll\dtlstest.exe @C:\Windows\TEMP\nm8D73.tmp
> > Creating library tmp32dll\junk.lib and object tmp32dll\junk.exp
> > dtlstest.obj : error LNK2019: unresolved external symbol
> > _create_ssl_ctx_pair referenced in function _test_dtls_unprocessed
> > dtlstest.obj : error LNK2019: unresolved external symbol
> > _create_ssl_objects referenced in function _test_dtls_unprocessed
> > dtlstest.obj : error LNK2019: unresolved external symbol
> > _create_ssl_connection referenced in function _test_dtls_unprocessed
> > dtlstest.obj : error LNK2019: unresolved external symbol
> > _bio_f_tls_dump_filter referenced in function _test_dtls_unprocessed
> > dtlstest.obj : error LNK2019: unresolved external symbol
> > _mempacket_test_inject referenced in function _test_dtls_unprocessed
> > out32dll\dtlstest.exe : fatal error LNK1120: 5 unresolved externals
> >
> > Changes in this build:
> >
> > http://ci.kicad-pcb.org/job/windows-openssl-msvc/build=release,cpu=x86,label=windows/458/changes'
> >
> > Full build log:
> >
> > http://ci.kicad-pcb.org/job/windows-openssl-msvc/build=release,cpu=x86,label=windows/458/consoleFull
> >
> > Simon
>
> --
> Richard Levitte
> levi...@openssl.org

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4653
[openssl-dev] [openssl.org #4377] Prevent potential NULL pointer dereference in OpenSSL-1.0.2g (CWE-476)
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4377
[openssl-dev] [openssl.org #4380] [PATCH] Missing Sanity Checks for EVP_PKEY_new() in OpenSSL-1.0.2g
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4380
[openssl-dev] [openssl.org #4382] [PATCH] Missing Sanity Check(s) for BUF_strdup() in OpenSSL-1.0.2g
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4382
[openssl-dev] [openssl.org #4375] [PATCH] Missing Sanity Checks for OPENSSL_malloc() in OpenSSL-1.0.2g
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4375
[openssl-dev] [openssl.org #4385] [PATCH] Missing Sanity Checks for RSA_new_method() in OpenSSL-1.0.2g
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4385
[openssl-dev] [openssl.org #4374] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476)
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4374
[openssl-dev] [openssl.org #4371] [PATCH] Missing Sanity Check for malloc() in openssl-1.0.2g for 'apps/speed.c'
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4371
[openssl-dev] [openssl.org #4370] [PATCH] Potential for NULL pointer dereferences in OpenSSL-1.0.2g (CWE-476)
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4370
[openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476)
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4384
[openssl-dev] [openssl.org #4386] [PATCH] Add sanity checks for BN_new() in OpenSSL-1.0.2g
Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks!

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4386
[openssl-dev] [openssl.org #4653] [1.0.2] fails to compile on VC-WIN32
We totally missed out on adapting util/mk1mf.pl. Fix on its way.

On Fri Aug 19 14:20:20 2016, simon.rich...@hogyros.de wrote:
> Hi,
>
> the 1.0.2 branch fails to compile for me:
>
> link /nologo /subsystem:console /opt:ref /debug
> /out:out32dll\dtlstest.exe @C:\Windows\TEMP\nm8D73.tmp
> Creating library tmp32dll\junk.lib and object tmp32dll\junk.exp
> dtlstest.obj : error LNK2019: unresolved external symbol
> _create_ssl_ctx_pair referenced in function _test_dtls_unprocessed
> dtlstest.obj : error LNK2019: unresolved external symbol
> _create_ssl_objects referenced in function _test_dtls_unprocessed
> dtlstest.obj : error LNK2019: unresolved external symbol
> _create_ssl_connection referenced in function _test_dtls_unprocessed
> dtlstest.obj : error LNK2019: unresolved external symbol
> _bio_f_tls_dump_filter referenced in function _test_dtls_unprocessed
> dtlstest.obj : error LNK2019: unresolved external symbol
> _mempacket_test_inject referenced in function _test_dtls_unprocessed
> out32dll\dtlstest.exe : fatal error LNK1120: 5 unresolved externals
>
> Changes in this build:
>
> http://ci.kicad-pcb.org/job/windows-openssl-msvc/build=release,cpu=x86,label=windows/458/changes'
>
> Full build log:
>
> http://ci.kicad-pcb.org/job/windows-openssl-msvc/build=release,cpu=x86,label=windows/458/consoleFull
>
> Simon

--
Richard Levitte
levi...@openssl.org

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4653
[openssl-dev] [openssl.org #4653] [1.0.2] fails to compile on VC-WIN32
Hi,

the 1.0.2 branch fails to compile for me:

link /nologo /subsystem:console /opt:ref /debug
/out:out32dll\dtlstest.exe @C:\Windows\TEMP\nm8D73.tmp
Creating library tmp32dll\junk.lib and object tmp32dll\junk.exp
dtlstest.obj : error LNK2019: unresolved external symbol
_create_ssl_ctx_pair referenced in function _test_dtls_unprocessed
dtlstest.obj : error LNK2019: unresolved external symbol
_create_ssl_objects referenced in function _test_dtls_unprocessed
dtlstest.obj : error LNK2019: unresolved external symbol
_create_ssl_connection referenced in function _test_dtls_unprocessed
dtlstest.obj : error LNK2019: unresolved external symbol
_bio_f_tls_dump_filter referenced in function _test_dtls_unprocessed
dtlstest.obj : error LNK2019: unresolved external symbol
_mempacket_test_inject referenced in function _test_dtls_unprocessed
out32dll\dtlstest.exe : fatal error LNK1120: 5 unresolved externals

Changes in this build:

http://ci.kicad-pcb.org/job/windows-openssl-msvc/build=release,cpu=x86,label=windows/458/changes'

Full build log:

http://ci.kicad-pcb.org/job/windows-openssl-msvc/build=release,cpu=x86,label=windows/458/consoleFull

Simon

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4653
[openssl-dev] [openssl.org #4652] [consultation] SSL_get_error returns SSL_ERROR_SSL if read() returns -1 / EAGAIN
Same situation, please use a current/modern release; 1.0.1 is only getting security fixes.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4652
Re: [openssl-dev] Partially- vs. full- reduced inputs to ecp_nistz256_neg
>> It appears to me that with multiplication, squaring, subtraction,
>> negation, halving *preserving* property of being fully reduced (i.e. if
>> inputs are fully reduced, then output is too), we only have to watch out
>> for mul_by_[23], i.e. ensure that their outputs are fully reduced. This
>> would ensure that output will always be fully reduced.
>
> Let me state thing in a different way, and see if this is what you
> meant: Every function will have as a prerequisite that its inputs are
> fully reduced and will have a postcondition that its output is fully
> reduced.

Assertion is that every function but addition and mul_by_[23] *has* (not "will have", but "has") such postcondition that their outputs are fully reduced as long as inputs are. Not to mention that multiplication (and squaring) *can* (or should we say "is likely to") produce fully reduced output even if inputs are not fully reduced.

> We know that ecp_nistz256_add doesn't fully reduce its output
> even if the input is fully reduced, and we know that
> ecp_nistz256_mul_by_[23] are implemented in terms of ecp_nistz256_add
> (or equivalent logic, in the case of some of the ASM stuff).
> Accordingly, the plan of action is:
>
> * Fix ecp_nistz256_mul_by_2 and ecp_nistz256_mul_by_3 to fully reduce
> their outputs.
>
> * Fix ecp_nistz256_add to fully reduce its output.

As for specifically addition see below. As for fixing mul_by_[23] and the fact that they use addition. There are two ways.

a) Modify addition so that it *preserves* property of being fully reduced and leave mul_by_[23] as is.
b) Let addition as is and add additional step to mul_by_[23].

The choice of approach can be platform-specific. For example on x86_64 a) is simpler and appears more efficient. But on some platforms b) could be better option.

> * Ensure in ecp_nistz256_points_mul that all the input coordinates are
> fully reduced.

I didn't mean to add any additional steps, but simply see that inputs should be fully reduced. Simply put question is if output from conversion to Montgomery representation is fully reduced. And then as all involved subroutines would *preserve* the property, everything remains fully reduced throughout the complete course.

> After all of this, we won't have to worry about the handling of
> partially-reduced values anywhere.
>
> Is that correct? In particular, you said "we only have to watch out
> for mul_by_[23]" but you didn't mention ecp_nistz256_add, which *is*
> used directly in ecp_nistz256_point_double, according to the reference
> C implementation.

Rationale behind not explicitly mentioning addition is following sequence from ecp_nistz256_point_double:

    ecp_nistz256_add(M, in_x, Zsqr);
    ecp_nistz256_mul_mont(M, M, Zsqr);
    ecp_nistz256_mul_by_3(M, M);
    ecp_nistz256_sqr_mont(res_x, M);

It doesn't matter if addition returns partially reduced result, as long as mul_by_3 ties it up.
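Added example, not part of the message above and not OpenSSL's code: the difference between an addition modulo the P-256 prime that can leave its result in [p, 2^256) and one that preserves full reduction, together with the two fixes the message lists as a) and b). The function names (add_partial, add_full, mul_by_3_tied, sub_p_if) and the behaviour of the partial add are assumptions made for illustration; limbs are plain integers, since addition behaves the same in or out of Montgomery form.

```c
#include <stdint.h>
typedef uint64_t fe[4];   /* 256-bit value, little-endian 64-bit limbs */
/* NIST P-256 prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1 */
static const fe P256 = { 0xffffffffffffffffULL, 0x00000000ffffffffULL,
                         0x0000000000000000ULL, 0xffffffff00000001ULL };

/* r = a + b mod 2^256; returns the carry out of the top limb */
static uint64_t add4(fe r, const fe a, const fe b) {
    uint64_t c = 0;
    for (int i = 0; i < 4; i++) {
        uint64_t s = a[i] + c, c1 = s < c;
        r[i] = s + b[i];
        c = c1 | (r[i] < s);
    }
    return c;
}

/* r = a - b mod 2^256; returns the borrow (1 when a < b) */
static uint64_t sub4(fe r, const fe a, const fe b) {
    uint64_t bw = 0;
    for (int i = 0; i < 4; i++) {
        uint64_t d = a[i] - b[i], b1 = a[i] < b[i];
        r[i] = d - bw;
        bw = b1 | (d < bw);
    }
    return bw;
}

/* 1 when a < p, i.e. a is fully reduced */
int is_fully_reduced(const fe a) { fe t; return (int)sub4(t, a, P256); }

/* Constant-time: r -= p if carry is set, or if check_ge is 1 and r >= p */
static void sub_p_if(fe r, uint64_t carry, uint64_t check_ge) {
    fe t;
    uint64_t borrow = sub4(t, r, P256);
    uint64_t m = 0 - (carry | (check_ge & (borrow ^ 1)));
    for (int i = 0; i < 4; i++) r[i] = (t[i] & m) | (r[i] & ~m);
}

/* Constructed partial add (assumption): reduces only on carry out of 2^256 */
void add_partial(fe r, const fe a, const fe b) { sub_p_if(r, add4(r, a, b), 0); }
/* Option a): an add that keeps fully reduced inputs fully reduced */
void add_full(fe r, const fe a, const fe b) { sub_p_if(r, add4(r, a, b), 1); }
/* Option b): leave the add as is and reduce once at the end of mul_by_3 */
void mul_by_3_tied(fe r, const fe a) {
    fe t;
    add_partial(t, a, a);
    add_partial(r, t, a);
    sub_p_if(r, 0, 1);
}
```

With fully reduced inputs p-1 and 1, add_partial returns p itself while add_full returns 0; a single conditional subtraction suffices in mul_by_3_tied because the partial sums stay below 2^256, which is less than 2p.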