Re: Static analysis?

2012-04-18 Thread Julia Lawall
A few years ago, we did some experiments on finding problems in error handling in OpenSSL using Coccinelle: "Finding Error Handling Bugs in OpenSSL using Coccinelle", Julia Lawall, Ben Laurie, René Rydhof Hansen, Nicolas Palix, Gilles Muller. Eighth European Dependable Computing Conference, EDCC

Re: [openssl.org #2792] Crash in rc4 on x86_64

2012-04-18 Thread Andy Polyakov via RT
I've had 2 users report a crash in RC4() on x86_64. The backtrace looks like: #0 RC4 () at rc4-x86_64.s:343 #1 0x012d in ?? () #2 0x00df in ?? () #3 0x020b5660 in ?? () #4 0x7fc075f6a9c9 in rc4_hmac_md5_cipher (ctx=optimized out, out=0x20aae98

RE: ENGINE reference leak using FIPS-capable OpenSSL

2012-04-18 Thread Erik Tkal
Any takers? Should I be able to build a FIPS-capable OpenSSL and have some of the implementation be provided via an ENGINE (e.g. let's say I have a hardware module to perform AES) but some by the OpenSSL FIPS canister? Or is it truly all or nothing? Thanks.

[openssl.org #2793] bug report : SCRIPTS environment variable overrides makefile variable

2012-04-18 Thread Cédric Marie via RT
Hello, Installation of openssl-1.0.0e fails if SCRIPTS environment variable is defined (export SCRIPTS=/home/xxx/scripts for example). making install in apps... installing openssl installing /home/xxx/scripts In apps/Makefile, SCRIPTS is defined (SCRIPTS=CA.sh CA.pl tsget), but it seems

Re: ENGINE reference leak using FIPS-capable OpenSSL

2012-04-18 Thread Dr. Stephen Henson
On Wed, Apr 18, 2012, Erik Tkal wrote: Any takers? Should I be able to build a FIPS-capable OpenSSL and have some of the implementation be provided via an ENGINE (e.g. let's say I have a hardware module to perform AES) but some by the OpenSSL FIPS canister? Or is it truly all or nothing?