Re: [openssl-dev] [openssl.org #3939] AutoReply: [PATCH] Tests for CVE-2015-1788

2015-09-14 Thread Joseph Birr-Pixton via RT
Apologies, that patch was HTMLised by github. Attached is the actual patch. On 12 July 2015 at 12:44, The default queue via RT wrote: > > Greetings, > > This message has been automatically generated in response to the > creation of a trouble ticket regarding: > "[PATCH]

Re: Prime generation

2014-05-28 Thread Joseph Birr-Pixton
On 27 May 2014 11:11, Ben Laurie b...@links.org wrote: On 27 May 2014 09:16, Joseph Birr-Pixton jpix...@gmail.com wrote: To restate: Callers of RAND_pseudo_bytes are either unreliable, or equivalent to RAND_bytes. Do not use it. Have I missed something? What are you referring to here

Re: Prime generation

2014-05-27 Thread Joseph Birr-Pixton
On 27 May 2014 08:45, Peter Waltenberg pwal...@au1.ibm.com wrote: ... I did change the RNG sources for some of the OpenSSL code in our hacked version to help with the performance problems using the wrong source causes, for example RSA blinding data can safely come from a DRBG

Re: [openssl.org #3312] OpenSSL :: crypto/mem.c without memset() calls?

2014-04-16 Thread Joseph Birr-Pixton
This patch is incorrect. You cannot hope to get the length of an arbitrary heap block using strlen. A lot of the time you might get 'lucky' and this memset will be short and therefore just ineffective at zeroing the to-be-freed block. Sometimes you'll be unlucky and you will completely trash your

Re: tls1_process_heartbeat/dtls1_process_heartbeat don't check RAND_pseudo_bytes return value

2014-04-11 Thread Joseph Birr-Pixton
On 10 April 2014 18:54, Kylo Ginsberg k...@kylo.net wrote: Looking at the heartbeat code, I notice that neither of the process heartbeat functions check whether RAND_pseudo_bytes returned success when it is generating the heartbeat padding. I don't know if there are real-world scenarios where

Re: Analysis of random API

2014-03-28 Thread Joseph Birr-Pixton
Hi, Is there anything which is preventing this patch/pull request being accepted? Thanks, Joe On 16 January 2014 22:48, Joseph Birr-Pixton jpix...@gmail.com wrote: Greetings, I performed an analysis of the RAND_bytes/RAND_pseudo_bytes API and its callers. My write up is here: http

Analysis of random API

2014-01-17 Thread Joseph Birr-Pixton
is both an improvement to the OpenSSL, and has the nice side effect of improving the error behaviour of many downstream callers. There are testing and documentation improvements alongside. Thanks, Joseph Birr-Pixton