Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Kurt Roeckx
On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote: > In a well-behaved program there is no undefined behaviour. The "buf + > len < buf" check will always evaluate to false, so in that sense is > useless but it *is* well defined. The defined behaviour for the "buf + len" part is

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Kaduk, Ben via RT
On 10/16/2015 11:50 AM, Matt Caswell via RT wrote: > > On 16/10/15 17:32, Viktor Dukhovni wrote: >> My take is that we should generally stay clear of relying on any >> remotely sensible outcome for undefined behaviour. If this thread >> is about such a situation, then we may have to code around

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Kurt Roeckx via RT
On Fri, Oct 16, 2015 at 06:50:36PM +, Kurt Roeckx via RT wrote: > On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote: > > In a well-behaved program there is no undefined behaviour. The "buf + > > len < buf" check will always evaluate to false, so in that sense is > > useless

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Matt Caswell via RT
On 15/10/15 20:53, Alexander Cherepanov via RT wrote: > On 2015-10-15 15:41, Matt Caswell via RT wrote: >> The purpose of the sanity check is not then for security, but to guard >> against programmer error. For a correctly functioning program this test >> should never fail. For an incorrectly

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Hubert Kario
On Friday 16 October 2015 09:55:41 Matt Caswell wrote: > On 16/10/15 09:53, Matt Caswell via RT wrote: > > On 13/10/15 12:31, Hubert Kario via RT wrote: > >> On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote: > >>> On 12/10/15 17:19, Matt Caswell via RT wrote: > On 12/10/15 16:39,

[openssl-dev] [openssl.org #4093] Problem loading engine from config

2015-10-16 Thread Matt Caswell via RT
On Wed Oct 14 19:29:42 2015, beld...@gmail.com wrote: > Hello! > > The attached patch fixes it. Patch applied. Thanks! Matt ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] who wants to fix travis builds?

2015-10-16 Thread Andy Polyakov
I've opened the following PR to add support for GCC v5 and address sanitizer (not sure if we want valgrind as well...): https://github.com/openssl/openssl/pull/429 > > I've commented there on other -fsanitize options as well as about > option to execute them without --debug and/or

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Matt Caswell via RT
On 16/10/15 11:57, Kurt Roeckx via RT wrote: > On Fri, Oct 16, 2015 at 08:53:06AM +, Matt Caswell via RT wrote: >> >> So now I really don't know what the "right" way forward is. Should we be >> applying the patch or not? > > Has anybody contact Oracle about this issue? It seems useful that

Re: [openssl-dev] [openssl.org #4095] X509_STORE_get_by_subject crash

2015-10-16 Thread tosif tamboli via RT
My application is written for vxWorks OS and openssl and vxWorks are part of the binary that I need to verify On Fri, Oct 16, 2015 at 3:13 PM, tosif tamboli wrote: > Hi, > > below is my application code > sshX509CACertStore = X509_STORE_new(); > >

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Matt Caswell via RT
On 13/10/15 12:31, Hubert Kario via RT wrote: > On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote: >> On 12/10/15 17:19, Matt Caswell via RT wrote: >>> On 12/10/15 16:39, Matt Caswell via RT wrote: The value of "in_read_app_data" not being true when it is supposed to

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Albe Laurenz via RT
Hubert Kario wrote: > On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote: >> I raised the ambiguity in the spec about when in the handshake >> interleaved app data is allowed with the TLS WG. You can see the >> thread here: >>

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Matt Caswell
On 16/10/15 09:53, Matt Caswell via RT wrote: > > > On 13/10/15 12:31, Hubert Kario via RT wrote: >> On Tuesday 13 October 2015 09:22:53 Matt Caswell via RT wrote: >>> On 12/10/15 17:19, Matt Caswell via RT wrote: On 12/10/15 16:39, Matt Caswell via RT wrote: > The value of

Re: [openssl-dev] [openssl.org #4095] X509_STORE_get_by_subject crash

2015-10-16 Thread tosif tamboli via RT
Hi, below is my application code sshX509CACertStore = X509_STORE_new(); X509_STORE_set_verify_cb_func(sshX509CACertStore, sshX509CertVerifyCallback); pLookup = X509_STORE_add_lookup(sshX509CACertStore,

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Kurt Roeckx via RT
On Fri, Oct 16, 2015 at 08:53:06AM +, Matt Caswell via RT wrote: > > So now I really don't know what the "right" way forward is. Should we be > applying the patch or not? Has anybody contact Oracle about this issue? It seems useful that they fix it on their end, regardless of what we do.

[openssl-dev] [openssl.org #3645] openssl-1.0.1h-cmp - Linking issue

2015-10-16 Thread Emilia Käsper via RT
Thanks Martin. (Re-closing the ticket.) ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Matt Caswell via RT
On 16/10/15 10:56, Hubert Kario via RT wrote: > On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote: >> So now I really don't know what the "right" way forward is. Should we >> be applying the patch or not? > > I can't think of a way to exploit it if two assumptions hold: > 1). we

[openssl-dev] [openssl.org #4096] apps/req.c: support start_days_before option for x509

2015-10-16 Thread jeremy.composte...@intel.com via RT
Hi, I'm using the openssl command to generate test certificates and I'm running into an annoying "not valid yet" certificate issue. I cannot set the notbefore field using the openssl command. I've made a patch (see attachment) that add the support of a "-start-days-before' option which is

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-16 Thread Hubert Kario via RT
On Friday 16 October 2015 13:52:14 Matt Caswell via RT wrote: > On 16/10/15 10:56, Hubert Kario via RT wrote: > > On Friday 16 October 2015 08:53:06 Matt Caswell via RT wrote: > >> So now I really don't know what the "right" way forward is. Should > >> we > >> be applying the patch or not? > > >

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Kaduk, Ben via RT
On 10/16/2015 03:32 AM, Matt Caswell via RT wrote: > > On 15/10/15 20:53, Alexander Cherepanov via RT wrote: >> What was not entirely clear from the original bug report is that, while >> the check is not compiled away, it's compiled into something completely >> different from what is written in

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Ben Laurie
On Fri, 16 Oct 2015 at 01:32 Matt Caswell via RT wrote: > > > On 15/10/15 20:53, Alexander Cherepanov via RT wrote: > > On 2015-10-15 15:41, Matt Caswell via RT wrote: > >> The purpose of the sanity check is not then for security, but to guard > >> against programmer error. For

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Ben Laurie via RT
On Fri, 16 Oct 2015 at 01:32 Matt Caswell via RT wrote: > > > On 15/10/15 20:53, Alexander Cherepanov via RT wrote: > > On 2015-10-15 15:41, Matt Caswell via RT wrote: > >> The purpose of the sanity check is not then for security, but to guard > >> against programmer error. For

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Alexander Cherepanov via RT
On 2015-10-17 01:46, Ben Laurie via RT wrote: > On Fri, 16 Oct 2015 at 01:32 Matt Caswell via RT wrote: >> On 15/10/15 20:53, Alexander Cherepanov via RT wrote: >>> On 2015-10-15 15:41, Matt Caswell via RT wrote: The purpose of the sanity check is not then for security, but

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Kurt Roeckx via RT
On Fri, Oct 16, 2015 at 09:44:22PM +, Kaduk, Ben via RT wrote: > On 10/16/2015 04:35 PM, Kurt Roeckx via RT wrote: > > On Fri, Oct 16, 2015 at 06:50:36PM +, Kurt Roeckx via RT wrote: > >> On Fri, Oct 16, 2015 at 04:50:59PM +, Matt Caswell via RT wrote: > >>> In a well-behaved program

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Viktor Dukhovni
On Fri, Oct 16, 2015 at 04:09:57PM +, Kaduk, Ben via RT wrote: > I hope I am not dragging this thread on too long, but with all due > respect, we are not asking the compiler/optimizer to detect overflow -- > we are asking the compiler to instantiate undefined behavior in a way > that is

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Matt Caswell via RT
On 16/10/15 17:32, Viktor Dukhovni wrote: > On Fri, Oct 16, 2015 at 04:09:57PM +, Kaduk, Ben via RT wrote: > >> I hope I am not dragging this thread on too long, but with all due >> respect, we are not asking the compiler/optimizer to detect overflow -- >> we are asking the compiler to