The source code is mostly written to the OpenSSL coding standards, which
are seriously different from any other coding standard I've seen (it's
not Linux/KR, nor GNU, nor Microsoft, nor Sun/Oracle). Nonconformance
with the coding standards in later patches is very common, so it's a
mishmash
On Mon, Nov 12, 2012 at 2:32 AM, Jeffrey Walton noloa...@gmail.com wrote:
GCC really should provide a function like SecureZeroMemory that cannot
be optimized away. Its easier than educating every developer about the
optimization issue and telling them to compile with -O0. The Ostrich
On Mon, Nov 5, 2012 at 5:07 AM, Nico Williams n...@cryptonector.com wrote:
On Sun, Nov 4, 2012 at 8:42 AM, Ben Laurie b...@links.org wrote:
On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald jam...@echeque.com wrote:
On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote:
The team has ruled
On 2012-11-05 09:31:08 + (+), Ben Laurie wrote:
On Mon, Nov 5, 2012 at 5:07 AM, Nico Williams n...@cryptonector.com wrote:
It's just git, so keep multiple clone repos. You could use an
internal one as the master and push updates to the github one if
you don't trust github -- use
On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald jam...@echeque.com wrote:
On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote:
The team has ruled out having the master at github.
What is wrong with github?
TBH, I wouldn't mind much, but I think the concern is that its not
under our
On Sun, Nov 4, 2012 at 8:42 AM, Ben Laurie b...@links.org wrote:
On Sat, Nov 3, 2012 at 12:26 AM, James A. Donald jam...@echeque.com wrote:
On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote:
The team has ruled out having the master at github.
What is wrong with github?
TBH, I
On Fri, Oct 26, 2012 at 3:38 PM, Andy Isaacson a...@hexapodia.org wrote:
On Fri, Oct 26, 2012 at 06:29:47PM +, John Case wrote:
So, given what is in the stanford report and then reading this rant
about openssl, I am wondering just how bad openssl is ? I've never
had to implement it or
On Tue, Oct 30, 2012 at 11:29 AM, Thierry Moreau
thierry.mor...@connotech.com wrote:
Solar Designer wrote:
On Mon, Oct 29, 2012 at 04:06:58PM -0400, Jeffrey Walton wrote:
The OpenSSL cleanse() function will likely fail on BIOs created from
storage and memory mapped files when used on SSDs
On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Oct 26, 2012 at 2:29 PM, John Case c...@sdf.org wrote:
I was recently reading the most dangerous code in the world article at
stanford:
https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie b...@links.org wrote:
On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Oct 26, 2012 at 2:29 PM, John Case c...@sdf.org wrote:
[SNIP]
Apparently you think the best way to get a secure platform is to apply
pressure
On Tue, Oct 30, 2012 at 11:09 AM, Jeffrey Walton noloa...@gmail.com wrote:
On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie b...@links.org wrote:
On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Oct 26, 2012 at 2:29 PM, John Case c...@sdf.org wrote:
[SNIP]
On Tue, Oct 30, 2012 at 11:17 AM, Peter Gutmann
pgut...@cs.auckland.ac.nz wrote:
Ben Laurie b...@links.org writes:
Apparently you think the best way to get a secure platform is to apply
pressure through pointless security standards.
I think that's a bit of an extreme comment on FIPS 140. For
On Tue, Oct 30, 2012 at 5:03 AM, Ben Laurie b...@links.org wrote:
On Mon, Oct 29, 2012 at 10:34 PM, Jeffrey Walton noloa...@gmail.com wrote:
On Fri, Oct 26, 2012 at 2:29 PM, John Case c...@sdf.org wrote:
[SNIP]
Apparently you think the best way to get a secure platform is to apply
pressure
Ben Laurie b...@links.org writes:
On Tue, Oct 30, 2012 at 11:17 AM, Peter Gutmann pgut...@cs.auckland.ac.nz
wrote:
Ben Laurie b...@links.org writes:
Apparently you think the best way to get a secure platform is to apply
pressure through pointless security standards.
I think that's a bit of an
So:
1. What is the process by which you get OpenSSL contributors to notice a
serious issue and apply a patch?
2. What are the criteria for applying a patch? Is it just 'whatever interests
the devs'? It seems that publishing an exploit works, but is that necessary?
3. It's 2012 -- why the
On Tue, Oct 30, 2012 at 2:21 PM, Matthew Green matthewdgr...@gmail.com wrote:
So:
1. What is the process by which you get OpenSSL contributors to notice a
serious issue and apply a patch?
I wouldn't know, I haven't tried :-)
In my case, just ask (me, that is, not some mailing list). If the
I strongly suggest you move to git ASAP. It's not hard, though some
history can be lost in the move using off-the-shelf conversion tools.
(MIT Kerberos recently moved from SVN to git, and before that, from
CVS to SVN, and they seem to have done a lot of manual cleanup to
avoid some losses of
On Tue, Oct 30, 2012 at 2:31 PM, Nico Williams n...@cryptonector.com wrote:
I strongly suggest you move to git ASAP. It's not hard, though some
history can be lost in the move using off-the-shelf conversion tools.
(MIT Kerberos recently moved from SVN to git, and before that, from
CVS to SVN,
I would be happy to volunteer to move everything to Github. But it really
is really, really easy to do, and the maintenance required is minimal. That
or git+redmine or git+JIRA would be my suggestion.
On Tue, Oct 30, 2012 at 3:28 PM, Ben Laurie b...@links.org wrote:
On Tue, Oct 30, 2012 at 2:21
On Tue, Oct 30, 2012 at 2:39 PM, Patrick Mylund Nielsen
cryptogra...@patrickmylund.com wrote:
I would be happy to volunteer to move everything to Github. But it really is
really, really easy to do, and the maintenance required is minimal. That or
git+redmine or git+JIRA would be my suggestion.
Thank god...
On Oct 30, 2012 7:50 AM, Ben Laurie b...@links.org wrote:
On Tue, Oct 30, 2012 at 2:39 PM, Patrick Mylund Nielsen
cryptogra...@patrickmylund.com wrote:
I would be happy to volunteer to move everything to Github. But it
really is
really, really easy to do, and the maintenance
Hopefully somebody's doing some kind of integrity check pre-release no
matter where it's hosted... :)
In either case, happy to help if it is manhours you need, and I'm sure
others on this list are as well.
On Tue, Oct 30, 2012 at 3:51 PM, Aaron Grattafiori
aa...@digitalinfinity.net wrote:
Solar Designer wrote:
On Tue, Oct 30, 2012 at 11:29:17AM -0400, Thierry Moreau wrote:
Isn't memory-space cleanse() isolated from file system specifics except
for the swap space?
Normally yes, but the swap space may be in a file (rather than a disk
partition), or the swap partition may be in a
On Oct 30, 2012, at 9:11 AM, Thierry Moreau thierry.mor...@connotech.com
wrote:
Then it's just a matter of the shortest route to finish: route a) secure the
swap, route b) monitor software components for maximum memory usage vs
physical mem plus make a memory exhaustion fault analysis.
On Tue, Oct 30, 2012 at 12:10 PM, Paul Hoffman paul.hoff...@vpnc.org wrote:
On Oct 30, 2012, at 9:11 AM, Thierry Moreau thierry.mor...@connotech.com
wrote:
Then it's just a matter of the shortest route to finish: route a) secure the
swap, route b) monitor software components for maximum
On Sun, Oct 28, 2012 at 3:01 PM, Solar Designer so...@openwall.com wrote:
On Sat, Oct 27, 2012 at 06:47:05PM -0700, Patrick Pelletier wrote:
For the most part, I would say that OpenSSL is not badly written, just
badly documented. I am not a cryptography expert (just a smart,
experienced
I am wondering just how bad openssl is ?
While one can find various software engineer faults, I think that main issue is
not that it is bad, it is that OpenSSL is written for cryptographic experts
not standard software developers.
The unfortunate thing is that most of the time the latter
On Mon, Oct 29, 2012 at 04:06:58PM -0400, Jeffrey Walton wrote:
On Sun, Oct 28, 2012 at 3:01 PM, Solar Designer so...@openwall.com wrote:
The OPENSSL_cleanse() function is such that the memory is overwritten
with the counter values, whereas the counter is incremented in ways
dependent on
Hi Alexander,
Sorry to go offlist.
On Mon, Oct 29, 2012 at 7:31 PM, Solar Designer so...@openwall.com wrote:
On Mon, Oct 29, 2012 at 04:06:58PM -0400, Jeffrey Walton wrote:
On Sun, Oct 28, 2012 at 3:01 PM, Solar Designer so...@openwall.com wrote:
[SNIP, SNIP, SNIP]
GCC uses volatile
On Sat, Oct 27, 2012 at 06:47:05PM -0700, Patrick Pelletier wrote:
For the most part, I would say that OpenSSL is not badly written, just
badly documented. I am not a cryptography expert (just a smart,
experienced programmer, trying to use TLS) so I'm not in a particularly
good position to
On 10/26/12 11:29 AM, John Case wrote:
So, given what is in the stanford report and then reading this rant
about openssl, I am wondering just how bad openssl is ? I've never had
to implement it or code with it, so I really have no idea.
I think that OpenSSL is written by monkeys is a bit
On 28/10/12 12:47 PM, Patrick Pelletier wrote:
Just a slow sunday morning so I thought I'd dive in on one point. For
the rest, nodding.
The other thing that bugged me a bit was in the infamous rand(3ssl) man
page:
3. The state should be very large. If the RNG is being used
On Fri, Oct 26, 2012 at 06:29:47PM +, John Case wrote:
So, given what is in the stanford report and then reading this rant
about openssl, I am wondering just how bad openssl is ? I've never
had to implement it or code with it, so I really have no idea.
How long has it been understood
33 matches
Mail list logo