On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote:
> In a well-behaved program there is no undefined behaviour. The "buf +
> len < buf" check will always evaluate to false, so in that sense is
> useless but it *is* well defined.
The defined behaviour for the "buf + len" part is
On 10/16/2015 11:50 AM, Matt Caswell via RT wrote:
>
> On 16/10/15 17:32, Viktor Dukhovni wrote:
>> My take is that we should generally stay clear of relying on any
>> remotely sensible outcome for undefined behaviour. If this thread
>> is about such a situation, then we may have to code around
On Fri, Oct 16, 2015 at 06:50:36PM +, Kurt Roeckx via RT wrote:
> On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote:
> > In a well-behaved program there is no undefined behaviour. The "buf +
> > len < buf" check will always evaluate to false, so in that sense is
> > useless
On 15/10/15 20:53, Alexander Cherepanov via RT wrote:
> On 2015-10-15 15:41, Matt Caswell via RT wrote:
>> The purpose of the sanity check is not then for security, but to guard
>> against programmer error. For a correctly functioning program this test
>> should never fail. For an incorrectly
On Friday 16 October 2015 09:55:41 Matt Caswell wrote:
> On 16/10/15 09:53, Matt Caswell via RT wrote:
> > On 13/10/15 12:31, Hubert Kario via RT wrote:
> >> On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote:
> >>> On 12/10/15 17:19, Matt Caswell via RT wrote:
> On 12/10/15 16:39,
On Wed Oct 14 19:29:42 2015, beld...@gmail.com wrote:
> Hello!
>
> The attached patch fixes it.
Patch applied. Thanks!
Matt
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
I've opened the following PR to add support for GCC v5 and
address sanitizer (not sure if we want valgrind as well...):
https://github.com/openssl/openssl/pull/429
>
> I've commented there on other -fsanitize options as well as about
> option to execute them without --debug and/or
On 16/10/15 11:57, Kurt Roeckx via RT wrote:
> On Fri, Oct 16, 2015 at 08:53:06AM +, Matt Caswell via RT wrote:
>>
>> So now I really don't know what the "right" way forward is. Should we be
>> applying the patch or not?
>
> Has anybody contacted Oracle about this issue? It seems useful that
My application is written for vxWorks OS and openssl and vxWorks are part
of the binary that I need to verify
On Fri, Oct 16, 2015 at 3:13 PM, tosif tamboli wrote:
> Hi,
>
> below is my application code
> sshX509CACertStore = X509_STORE_new();
>
>
On 13/10/15 12:31, Hubert Kario via RT wrote:
> On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote:
>> On 12/10/15 17:19, Matt Caswell via RT wrote:
>>> On 12/10/15 16:39, Matt Caswell via RT wrote:
The value of "in_read_app_data" not being true when it is supposed
to
Hubert Kario wrote:
> On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote:
>> I raised the ambiguity in the spec about when in the handshake
>> interleaved app data is allowed with the TLS WG. You can see the
>> thread here:
>>
On 16/10/15 09:53, Matt Caswell via RT wrote:
>
>
> On 13/10/15 12:31, Hubert Kario via RT wrote:
>> On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote:
>>> On 12/10/15 17:19, Matt Caswell via RT wrote:
On 12/10/15 16:39, Matt Caswell via RT wrote:
> The value of
Hi,
below is my application code
sshX509CACertStore = X509_STORE_new();
X509_STORE_set_verify_cb_func(sshX509CACertStore,
sshX509CertVerifyCallback);
pLookup = X509_STORE_add_lookup(sshX509CACertStore,
On Fri, Oct 16, 2015 at 08:53:06AM +, Matt Caswell via RT wrote:
>
> So now I really don't know what the "right" way forward is. Should we be
> applying the patch or not?
Has anybody contacted Oracle about this issue? It seems useful that
they fix it on their end, regardless of what we do.
Thanks Martin. (Re-closing the ticket.)
On 16/10/15 10:56, Hubert Kario via RT wrote:
> On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote:
>> So now I really don't know what the "right" way forward is. Should we
>> be applying the patch or not?
>
> I can't think of a way to exploit it if two assumptions hold:
> 1). we
Hi,
I'm using the openssl command to generate test certificates and I'm
running into an annoying "not valid yet" certificate issue. I cannot
set the notbefore field using the openssl command.
I've made a patch (see attachment) that adds the support of a
"-start-days-before" option which is
On Friday 16 October 2015 13:52:14 Matt Caswell via RT wrote:
> On 16/10/15 10:56, Hubert Kario via RT wrote:
> > On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote:
> >> So now I really don't know what the "right" way forward is. Should
> >> we
> >> be applying the patch or not?
> >
>
On 10/16/2015 03:32 AM, Matt Caswell via RT wrote:
>
> On 15/10/15 20:53, Alexander Cherepanov via RT wrote:
>> What was not entirely clear from the original bug report is that, while
>> the check is not compiled away, it's compiled into something completely
>> different from what is written in
On Fri, 16 Oct 2015 at 01:32 Matt Caswell via RT wrote:
>
>
> On 15/10/15 20:53, Alexander Cherepanov via RT wrote:
> > On 2015-10-15 15:41, Matt Caswell via RT wrote:
> >> The purpose of the sanity check is not then for security, but to guard
> >> against programmer error. For
On 2015-10-17 01:46, Ben Laurie via RT wrote:
> On Fri, 16 Oct 2015 at 01:32 Matt Caswell via RT wrote:
>> On 15/10/15 20:53, Alexander Cherepanov via RT wrote:
>>> On 2015-10-15 15:41, Matt Caswell via RT wrote:
The purpose of the sanity check is not then for security, but
On Fri, Oct 16, 2015 at 09:44:22PM +, Kaduk, Ben via RT wrote:
> On 10/16/2015 04:35 PM, Kurt Roeckx via RT wrote:
> > On Fri, Oct 16, 2015 at 06:50:36PM +, Kurt Roeckx via RT wrote:
> >> On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote:
> >>> In a well-behaved program
On Fri, Oct 16, 2015 at 04:09:57PM +, Kaduk, Ben via RT wrote:
> I hope I am not dragging this thread on too long, but with all due
> respect, we are not asking the compiler/optimizer to detect overflow --
> we are asking the compiler to instantiate undefined behavior in a way
> that is
On 16/10/15 17:32, Viktor Dukhovni wrote:
> On Fri, Oct 16, 2015 at 04:09:57PM +, Kaduk, Ben via RT wrote:
>
>> I hope I am not dragging this thread on too long, but with all due
>> respect, we are not asking the compiler/optimizer to detect overflow --
>> we are asking the compiler to