On 10 April 2014 18:54, Kylo Ginsberg k...@kylo.net wrote:
Looking at the heartbeat code, I notice that neither of the process
heartbeat functions check whether RAND_pseudo_bytes returned success when it
is generating the heartbeat padding.
I don't know if there are real-world scenarios where
Hi
In light of recent bad news I checked openssl master against some of the
typical tools. (As many others, I guess)
Not symbolic sat solvers yet, stp with cryptominisat is used by some
fine fuzzers, checkers and other tools already.
* valgrind https://gist.github.com/rurban/10414413
valgrind
For the record, I have reviewed Adam's versions of the code before these were
posted here, and Adam has resolved the problems that I pointed out. As of the
latest patch, I think the code is suitable for inclusion in OpenSSL. The final
missing part is support that makes it easy to build with or
On 11 April 2014 00:00, Steve Marquess marqu...@opensslfoundation.com wrote:
With the very, very important caveat that I'm not one of the people who
directly carry this burden:
There is certainly room for improvement in the process by which patches
are reviewed and merged into OpenSSL. For
- Original Message -
From: Reini Urban re...@cpanel.net
To: openssl-dev@openssl.org
Sent: Thursday, 10 April, 2014 11:57:32 PM
Subject: valgrind and ubsan tests
Hi
In light of recent bad news I checked openssl master against some of the
typical tools. (As many others, I guess)
Not
Hello,
In the apps `pkcs8', `passwd', `enc' and `pkcs12' there are hard-coded
maximum lengths for passwords given:
(all of the following examples will use the respective char * as buffer
for `EVP_read_pw_string')
pkcs8.c:
86 char pass[50], /* ... */;
enc.c:
78 #define SIZE
- Original Message -
From: Jakob Kramer jakob.kra...@gmx.de
To: openssl-dev@openssl.org
Sent: Friday, 11 April, 2014 3:01:42 PM
Subject: [openssl-dev] Maximum length of passwords
There should either be a function that automatically allocates enough
memory to put the whole password
RFC 6520, section 4 states that
The total length of a HeartbeatMessage MUST NOT exceed 2^14 or
max_fragment_length when negotiated as defined in [RFC6066].
and
If the payload_length of a received HeartbeatMessage is too large,
the received HeartbeatMessage MUST be discarded silently.
On Fri, Apr 11, 2014 at 10:26:08AM +0100, Matt Caswell wrote:
On 11 April 2014 00:00, Steve Marquess marqu...@opensslfoundation.com wrote:
With the very, very important caveat that I'm not one of the people who
directly carry this burden:
There is certainly room for improvement in the
On Thu, Apr 10, 2014 at 12:04 PM, Joseph Birr-Pixton jpix...@gmail.com wrote:
On 10 April 2014 18:54, Kylo Ginsberg k...@kylo.net wrote:
Looking at the heartbeat code, I notice that neither of the process
heartbeat functions check whether RAND_pseudo_bytes returned success
when it
is
On 4/11/2014 8:51 AM, Hubert Kario wrote:
- Original Message -
From: Jakob Kramer jakob.kra...@gmx.de
To: openssl-dev@openssl.org
Sent: Friday, 11 April, 2014 3:01:42 PM
Subject: [openssl-dev] Maximum length of passwords
There should either be a function that automatically allocates
On Fri, Apr 11, 2014 at 5:17 AM, Salz, Rich rs...@akamai.com wrote:
Karma has a sense of humor.
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ssl/Makefile?f=h;rev=1.29
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ssl/Makefile.diff?r1=1.29;r2=1.30;f=h
Two people
Steve Marquess-3 wrote
I think you will find that a number of other code modifications will
also be required.
Are you saying that you think more than just what Leon mentioned will have
to be changed in order to validate RSA Key Generation? Is there any chance
that OpenSSL would be willing to
Leon Brits wrote
I am in no way capable of writing such a patch and was hoping that someone
is willing to share.
To be more specific I need a patch that will change the key generation
from:
d = e^-1 mod((p-1)(q-1))
to this:
d = e^-1 mod(LCM(p-1, q-1))
We’re also pursuing a patch to RSA Key
On 10/04/14 18:46, Salz, Rich wrote:
We've been compiling -DOPENSSL_NO_BUF_FREELISTS forever. Our only complaint
is that the BUF is misspelled :)
Theo can be obnoxious. This should not be news to most folks.
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge,
Hi Erik,
Presumably this restriction is already enforced at the record level for
all message types?
Regards,
Pete Dettman
On 11/04/2014 9:43 PM, Erik Auerswald via RT wrote:
RFC 6520, section 4 states that
The total length of a HeartbeatMessage MUST NOT exceed 2^14 or
16 matches