One way to exploit this flaw would be for a remote attacker who is in
control of a malicious server or who can use a 'man in the middle'
attack to present a malformed SSL/TLS signature from a certificate chain
to a vulnerable client, bypassing validation.
In my opinion, this statement is not
Using the attached patch, OpenSSL can be built using lsbcc3 on Linux:
$ ./Configure linux-generic32-lsb
$ make CC=lsbcc3
Since this might be of general interest, could you please consider the
attached patch for future versions of OpenSSL?
Regards, Remo
diff -ru openssl-0.9.8g/Configure
We are currently working on a project, where a special kind of RA has
submit an unsigned CSR to a CA.
An unsigned CSR is a request where the signature field is unassigned
(null), because private key operations are inpractical and the RA has
already verified that the requester is in possession
Steve wrote in thread 'Field attributes of X509_REQ_INFO':
I see. Well that is probably best fixed within X509_REQ_add_extensions()
itself by checking to see if the field is NULL and allocating it if
necessary.
Here's a patch. While looking at the code, I've also checked the other
functions
Steve,
I see. Well that is probably best fixed within X509_REQ_add_extensions()
itself by checking to see if the field is NULL and allocating it if
necessary.
Here's a patch. While looking at the code, I've also checked the other
functions in x509_req.c. They all seem to either allocate the
While OpenSSL definitely does provide for blinding, several
widely-deployed applications don't seem to enable this option.
One reason is it doesn't appear possible to enable blinding
from the SSL library itself.
After reading the paper, and looking at the OpenSSL RSA blinding code, I
feel
While some OpenSSL objects (DH, DSA, RSA) offer an *_up_ref function
to increase the reference count, others have their internal structure
publicly available (EVP_PKEY, X509, etc), so you can use CRYPTO_add() to
increase the reference count.
In the process of writing wrapper classes for
Tom,
WE LIKE FREE SOFTWARE. WE LIKE IT WHEN IT WORKS. WE LIKE YOUR
SOFTWARE WHEN IT WORKS.
Hey, no reason for crying out. I downloaded the 0.9.4 release and
everything works great. Just make sure you read the docs carefully
and do exactly as you are told. This is, as you mentioned, free
with BoundsChecker or something similar enabled? I've got the buffer
overflows and some leeks. I am pretty sure that it's not me, even
though it may be possible that I'm using some of the OpenSSL APIs
the wrong way.
Thanks for sharing any similar experiences you had.
Remo Inverardi,
ABACUS Research
I was wondering if anybody ever managed to write functions which
emulate the standard socket read and write behaviour. My web server
uses the following logic to read from a socket:
a) do a select and wait until data is available
b) do a read (recv)
c) if read returns 0 goto c1
if read
Before the program exits, call EVP_cleanup() and ERR_free_strings()
to free the memory allocated in these steps.
Mmh, how come I've never read about these functions before? Is
there any place where I can get an idea of what every function
in the library is good for? I'm sorry, but I didn't find
When compiling with Visual C++, I usually put the following lines
somewhere in my debug code:
#ifdef _DEBUG
_CrtSetDbgFlag(_CRTDBG_CHECK_ALWAYS_DF ||
_CRTDBG_DELAY_FREE_MEM_DF ||
_CRTDBG_LEAK_CHECK_DF);
#endif
and
#ifdef _DEBUG
I tried compiling my OpenSSL 0.9.4 distribution on Windows NT using
Visual C++ 6.0 and debugging information enabled. My do_nt.bat file
looks as follows:
perl util\mkfiles.pl MINFO
perl util\mk1mf.pl debug no-asm VC-NT ms\nt.mak
perl util\mk1mf.pl debug dll no-asm VC-NT ms\ntdll.mak
How do you guys set up the windows sockets when using OpenSSL?
Do they have to be blocking or non-blocking? Are there any
socket options which do not work with OpenSSL?
Thanks for any information. If there is any documentation online
which may provide me with the answers, please tell me where to
Andrew,
there is a minor cast error in crypto\bn\bn_div.c. Replace line 241
which reads:
Thank you, Remo
__
OpenSSL Project http://www.openssl.org
Development Mailing List
15 matches
Mail list logo