Re: Static analysis?

2012-04-20 Thread Ben Laurie
On Tue, Apr 17, 2012 at 9:46 PM, Lubomír Sedlář lubomir.sed...@gmail.comwrote: Hello, I would like to ask if any static analysis tool was ever used to detect possible problems in OpenSSL source code. Is some tool used regularly? I tried running Clang Static Analyzer [1] on the source of

Re: Static analysis?

2012-04-20 Thread Ben Laurie
On Fri, Apr 20, 2012 at 4:53 PM, Jean-Marc Desperrier jmd...@free.frwrote: On Tue, 17 Apr 2012, Lubomír Sedlář wrote: I would like to ask if any static analysis tool was ever used to detect possible problems in OpenSSL source code. Is some tool used regularly? I tried running Clang Static

Re: [openssl.org #2826] OpenSSL Buffer Overflow Vulnerability Notification

2012-06-01 Thread Ben Laurie
LOL! On Thu, May 31, 2012 at 7:41 PM, David Anthony via RT r...@openssl.org wrote: Hello all, There has been a new security vulnerability we have reported over at Bugtraq (http://seclists.org/bugtraq/2012/May/155) and we feel that it should also be reported to the OpenSSL dev team. If there

Re: [CVS] OpenSSL: openssl/crypto/evp/ e_rc4_hmac_md5.c openssl/crypto/mod...

2012-06-05 Thread Ben Laurie
The point of these changes is to reduce the skew between versions. They are not random. On Mon, Jun 4, 2012 at 11:12 PM, Andy Polyakov ap...@openssl.org wrote:  OpenSSL CVS Repository  http://cvs.openssl.org/    

Re: [CVS] OpenSSL: openssl/crypto/evp/ e_rc4_hmac_md5.c openssl/crypto/mod...

2012-06-10 Thread Ben Laurie
On Sun, Jun 10, 2012 at 11:15 AM, Andy Polyakov ap...@openssl.org wrote: The point of these changes is to reduce the skew between versions. They are not random. Consider my http://cvs.openssl.org/filediff?f=openssl/crypto/x86cpuid.plv1=1.24v2=1.25. What is the criteria for two changes

Re: [CVS] OpenSSL: OpenSSL_1_0_1-stable: openssl/crypto/ cryptlib.c

2012-09-18 Thread Ben Laurie
On Mon, Sep 17, 2012 at 6:24 PM, Bodo Moeller b...@openssl.org wrote: OpenSSL CVS Repository http://cvs.openssl.org/ Server: cvs.openssl.org Name: Bodo Moeller Root: /v/openssl/cvs

Re: [CVS] OpenSSL: OpenSSL_1_0_1-stable: openssl/crypto/ cryptlib.c

2012-09-18 Thread Ben Laurie
On Tue, Sep 18, 2012 at 9:47 AM, Ben Laurie b...@links.org wrote: On Mon, Sep 17, 2012 at 6:24 PM, Bodo Moeller b...@openssl.org wrote: OpenSSL CVS Repository http://cvs.openssl.org/ Server

Re: OpenSSL and CRIME

2012-10-10 Thread Ben Laurie
On Mon, Oct 8, 2012 at 5:13 PM, Tomas Hoger tho...@redhat.com wrote: Hi! Are there any plans to apply any changes to OpenSSL related to the recent CRIME attack? Unlike other libraries (e.g. GnuTLS or NSS), OpenSSL enables zlib by default. Is there a plan to change the default in response

Re: Question on OpenSSL internals

2012-10-22 Thread Ben Laurie
On Sat, Oct 20, 2012 at 5:08 AM, Joe Pletcher joepletc...@gmail.com wrote: Hello all, I hope this question is more appropriate for this list. I tried openssl-users with no luck. If not, I apologize in advance. I'm working on an OpenSSL project, and I could use some help. I am writing a

Re: [CVS] OpenSSL: OpenSSL_1_0_2-stable: openssl/ CHANGES openssl/apps/ s_...

2012-12-26 Thread Ben Laurie
Why go via SSL_CTX_ctrl and SSL_ctrl? In fact, why do those exist at all? On Wed, Dec 26, 2012 at 2:25 PM, Dr. Stephen Henson st...@openssl.org wrote: OpenSSL CVS Repository http://cvs.openssl.org/ Server:

OpenSSL infrastructure changes

2013-01-06 Thread Ben Laurie
The sharp-eyed will have already noticed we're moving to git. Well, it looks like that's actually happened now. We're also shifting pretty much everything to new infrastructure. So, there may be outages, unexpected changes and general weirdness for a little while. We'll let you know when we're

Re: Windows: race condition (perl/nasm) building OpenSSL

2013-01-22 Thread Ben Laurie
On 16 January 2013 13:55, Bruce Cran br...@cran.org.uk wrote: We've been having regular build problems on Windows: sometimes nasm claims there are unresolved symbols. For example: set ASM=nasm -f win64 -DNEAR -Ox -g perl crypto\x86_64cpuid.pl tmp32dll.dbg\x86_64cpuid.asm nasm -f win64

Re: [PATCH] Fix IV check and padding removal.

2013-02-12 Thread Ben Laurie
On 11 February 2013 13:19, David Woodhouse dw...@infradead.org wrote: On Mon, 2013-02-11 at 20:59 +, David Woodhouse wrote: From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 From: Dr. Stephen Henson st...@openssl.org Date: Thu, 7 Feb 2013 21:06:37 + Subject:

Re: TPM decryption

2013-03-04 Thread Ben Laurie
On 3 March 2013 04:36, Jonathan Buhacoff jonat...@buhacoff.net wrote: Hi, I have a school project to make use of a TPM to store the server's RSA private key for use with openssl. Specifically, that private key would be sealed to certain PCR values that are also encoded in the X509

Re: [openssl] OpenSSL source code branch master updated. e942c15451e1dedbe3a86e0e21a5312e5c43403e

2013-03-05 Thread Ben Laurie
Hey - why not make this a test? On 5 March 2013 18:31, Dr. Stephen Henson st...@openssl.org wrote: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project OpenSSL source code. The branch,

Re: Are Openssl Random Number Generator NIST compliant ?

2013-03-06 Thread Ben Laurie
On 6 March 2013 03:55, Nayna Jain naynj...@in.ibm.com wrote: Hi all, Are RAND_seed(), RAND_add() NIST SP 800-151A compliant ? 800-151 does not appear to exist, got a link? __ OpenSSL Project

Re: OpenSSL Wiki

2013-03-20 Thread Ben Laurie
On 19 March 2013 18:53, Steve Marquess marqu...@opensslfoundation.com wrote: On 03/19/2013 10:47 AM, Pierre DELAAGE wrote: Dear Steve, I was wondering whether the wiki could be fed at the beginning by all the Documents available at http://www.openssl.org/docs/;. Very often people are able to

Re: OpenSSL Wiki

2013-03-20 Thread Ben Laurie
On 19 March 2013 23:27, Steve Marquess marqu...@opensslfoundation.com wrote: On 03/19/2013 04:59 PM, Matt Caswell wrote: On 19 March 2013 19:38, Steve Marquess marqu...@opensslfoundation.com wrote: I took a quick look to see what utilities might be available to convert between pod and

Re: OCB Authenticated Encryption

2013-03-28 Thread Ben Laurie
On 27 March 2013 12:04, Matt Caswell fr...@baggins.org wrote: On 27 March 2013 11:52, Michael Sierchio ku...@tenebras.com wrote: Does Phil still teach at UC Davis? You could always ask him directly for clarification or a waiver. Hi contact details are on the web page describing the various

Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
...and don't intend to fix their broken ECDSA support in Safari. It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit/0d26cc5b32c23682244685975c1e9392244c0a4d What do people think? __ OpenSSL

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 09:39, Rob Stradling rob.stradl...@comodo.com wrote: On 13/06/13 17:39, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. Ben, you've got your wires a bit crossed there. The ECDHE-ECDSA ciphersuites are indeed broken in Safari on OSX 10.8

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 12:25, Rob Stradling rob.stradl...@comodo.com wrote: On 14/06/13 10:20, Ben Laurie wrote: On 14 June 2013 09:39, Rob Stradling rob.stradl...@comodo.com wrote: On 13/06/13 17:39, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. Ben

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 13:57, Rob Stradling rob.stradl...@comodo.com wrote: On 14/06/13 12:31, Ben Laurie wrote: On 14 June 2013 12:25, Rob Stradling rob.stradl...@comodo.com wrote: snip Ah, so you're criticizing Apple for not being willing to force all OSX 10.8.x users to update to 10.8.4

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 13:54, The Doctor doc...@doctor.nl2k.ab.ca wrote: On Thu, Jun 13, 2013 at 05:39:36PM +0100, Ben Laurie wrote: ...and don't intend to fix their broken ECDSA support in Safari. It is therefore suggested that I pull this patch: https://github.com/agl/openssl/commit

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 14:08, Rob Stradling rob.stradl...@comodo.com wrote: On 14/06/13 13:58, Ben Laurie wrote: On 14 June 2013 13:57, Rob Stradling rob.stradl...@comodo.com wrote: snip Safari's User-Agent string reveals the OSX version that it is running on. A few weeks ago I analyzed some

Re: Apple are, apparently, dicks...

2013-06-14 Thread Ben Laurie
On 14 June 2013 16:10, Bodo Moeller bmoel...@acm.org wrote: Note that the patch changes the value of SSL_OP_ALL so if OpenSSL shared libraries are updated to include the patch existing applications wont set it: they'd all need to be recompiled. That's a valid point. This is true,

Re: [Patch] ALPN Implementation for OpenSSL

2013-06-20 Thread Ben Laurie
On 20 June 2013 21:46, Jeff Mendoza (MS OPEN TECH) jemen...@microsoft.com wrote: -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Piotr Sikora Sent: Thursday, June 20, 2013 10:41 AM To: openssl-dev@openssl.org Subject: Re:

Re: [Patch] ALPN Implementation for OpenSSL

2013-06-22 Thread Ben Laurie
On 21 June 2013 02:29, Thor Lancelot Simon t...@panix.com wrote: On Thu, Jun 20, 2013 at 09:30:32PM +, Jeff Mendoza (MS OPEN TECH) wrote: Yeah, my point was that in the perfect world, you'd support both at runtime (at least on the server-side) and either ALPN or NPN could be used. I

Re: parallel make broken

2013-06-22 Thread Ben Laurie
On 22 June 2013 19:04, Mike Frysinger vap...@gentoo.org wrote: On Wednesday 19 June 2013 07:21:39 Ben Laurie wrote: On 18 June 2013 22:35, Mike Frysinger vap...@gentoo.org wrote: On Tuesday 18 June 2013 07:37:55 Richard Weinberger wrote: While building openssl-1.0.1e I noticed

Re: parallel make broken

2013-06-23 Thread Ben Laurie
On 22 June 2013 23:06, Mike Frysinger vap...@gentoo.org wrote: On Saturday 22 June 2013 15:07:49 Ben Laurie wrote: On 22 June 2013 19:04, Mike Frysinger vap...@gentoo.org wrote: On Wednesday 19 June 2013 07:21:39 Ben Laurie wrote: On 18 June 2013 22:35, Mike Frysinger vap...@gentoo.org wrote

Re: [Patch] ALPN Implementation for OpenSSL

2013-06-25 Thread Ben Laurie
On 24 June 2013 22:00, Jeff Mendoza (MS OPEN TECH) jemen...@microsoft.com wrote: We simply cannot drop support for NPN (i.e. SPDY) just to add support for ALPN. The idea is to have the choice as a ./config option. The default will stay as NPN, as to not disrupt anyone. I don't have this

Fwd: [Foundations] 2013 Doc Camp CFP

2013-08-05 Thread Ben Laurie
Since people are always complaining about OpenSSL docs, I thought this might be of interest. -- Forwarded message -- From: adam a...@flossmanuals.net Date: 1 August 2013 08:23 Subject: [Foundations] 2013 Doc Camp CFP To: Foundations List foundati...@lists.freedesktop.org hi If

bsdmake mystery

2013-08-11 Thread Ben Laurie
I'm trying to figure out why bsdmake on MacOS does this using the standard Makefiles: cc -c -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL

Re: AES GCM considerations in regards to SP800-38D

2013-08-19 Thread Ben Laurie
On 15 August 2013 09:21, Tomas Mraz tm...@redhat.com wrote: Hello OpenSSL developers, in a review of the AES GCM code it was found that there might be some requirements that are placed by SP800-38D document missing. Especially there is no checking that the key is not used with more than

Re: bsdmake mystery

2013-08-19 Thread Ben Laurie
Thanks for this ... haven't had the chance to test it yet (travel) but will do shortly. On 12 August 2013 05:49, Andy Polyakov ap...@openssl.org wrote: I'm trying to figure out why bsdmake on MacOS does this using the standard Makefiles: cc -c -I. -I.. -I../include -DOPENSSL_THREADS

Re: [openssl] OpenSSL source code branch supplemental-data-api-2 updated. 85b2ca671513df2b21df404d3dfa76cf681e553d

2013-09-05 Thread Ben Laurie
FWIW, I pushed this to the openssl repo instead of my own by mistake, but I guess since it is in a branch its not that big a deal. On 5 September 2013 14:45, Ben Laurie b...@openssl.org wrote: This is an automated email from the git hooks/post-receive script. It was generated because a ref

Re: [openssl] OpenSSL source code branch master updated. 5e3ff62c345c976cd1ffbcc5e6042f55264977f5

2013-09-08 Thread Ben Laurie
On 8 September 2013 13:35, Dr. Stephen Henson st...@openssl.org wrote: To enable it set the appropriate extension number (0x10 for the test server) using e.g. -DTLSEXT_TYPE_encrypt_then_mac=0x10 That's unfortunate, 16 is already allocated:

Re: [openssl.org #3125] [PATCH 1.0.1e] openssl/crypto/armcap.c: fix a typo in OPENSSL_rdtsc

2013-09-16 Thread Ben Laurie
I find these easier to deal with as pull requests... On 12 September 2013 17:14, Kyle McMartin via RT r...@openssl.org wrote: a | 1 is always true, regardless of OPENSSL_armcap_P, and mrc cp15 will fail on = v6. --- a/crypto/armcap.c +++ b/crypto/armcap.c @@ -23,7 +23,7 @@ unsigned int

Re: [openssl.org #3124] potential bug in ssl/s3_cbc.c

2013-09-16 Thread Ben Laurie
On 12 September 2013 17:14, Arthur Mesh via RT r...@openssl.org wrote: I am not 100% sure this is a real bug, hence first tried mailing openssl-users instead of rt@. But since there was no reply, I am sending this to rt@ 641 if (is_sslv3) 642 { snip

Mixing time into the pool

2013-09-21 Thread Ben Laurie
I just pushed 3cd8547a2018ada88a4303067a2aa15eadc17f39 to master, which adds time to the random pool. Before I cherry-pick back to earlier branches, it'd be nice if people let me know about any platform dependencies...

Re: bsdmake mystery

2013-10-21 Thread Ben Laurie
I finally got around to taking another look at this. The next weird thing is MacOS thinks it _is_ a .S file, even though there's only mention of .s in the makefile. MacOS is, of course, case-insensitive, which probably doesn't help. On 19 August 2013 15:39, Ben Laurie b...@links.org wrote

Re: Self-initialization of locking/threadid callbacks and auto-detection of features

2013-10-22 Thread Ben Laurie
On 22 October 2013 06:47, Nico Williams n...@cryptonector.com wrote: On Monday, October 21, 2013, Salz, Rich wrote: I like your proposal, but I'd prefer to see an already initialized error code returned. Or a flag to the (new?) init api that says ignore if already set Thanks for your

Re: Avoid multiple locks in FIPS mode commit to OpenSSL_1_0_1-stable

2013-12-11 Thread Ben Laurie
On 11 December 2013 08:55, Tomas Mraz tm...@redhat.com wrote: On Út, 2013-12-10 at 14:45 +0100, Dr. Stephen Henson wrote: On Mon, Dec 09, 2013, geoff_l...@mcafee.com wrote: Shouldn't the code read: if (!FIPS_mode()) CRYPTO_w_[un]lock(CRYPTO_LOCK_RAND); Note the '!'

Re: [openssl.org #3203] Normalize PFS key exchange labels

2014-01-02 Thread Ben Laurie
On 20 December 2013 18:51, Stephen Henson via RT r...@openssl.org wrote: On Fri Dec 20 19:04:32 2013, d...@fifthhorseman.net wrote: I can do whatever you think is most useful, but i need a bit more guidance to be sure i'm giving you what will be most useful for you. I've pulled the update

Re: [openssl.org #3203] Normalize PFS key exchange labels

2014-01-04 Thread Ben Laurie
On 1 January 2014 21:39, Daniel Kahn Gillmor d...@fifthhorseman.net wrote: On 01/01/2014 12:48 PM, Ben Laurie wrote: Pull requests on Github are quite useful - that way they also get tracked (so long as we remember to close them when applied, that is!). OK, i've rebased the series against

How to help OpenSSL

2014-04-25 Thread Ben Laurie
Note that this is just how to help me, not a consensus view from the whole team, though I have no doubt much of it will be helpful to the team, too. 1. Triage RT (https://rt.openssl.org/). RT has been neglected for a long time. People could usefully go through it and identify: a) Tickets that

Re: How to help OpenSSL

2014-04-26 Thread Ben Laurie
your.patch On 24 April 2014 10:06, Ben Laurie b...@links.org wrote: Note that this is just how to help me, not a consensus view from the whole team, though I have no doubt much of it will be helpful to the team, too. 1. Triage RT (https://rt.openssl.org/). RT has been neglected for a long

Attribution of pull requests in git

2014-04-26 Thread Ben Laurie
I just noticed that if I merge a pull request, then both author and committer are set to whoever made the pull request. From the POV of figuring out what went wrong, when things go wrong, that seems bad. Is there an easy way to fix that? That is, I would expect it to show me as the committer and

Re: How to help OpenSSL

2014-04-26 Thread Ben Laurie
On 24 April 2014 18:44, Mike Bland mbl...@acm.org wrote: On Thu, Apr 24, 2014 at 1:31 PM, Ben Laurie b...@links.org wrote: 6. Write new tests Our test suite sucks. More tests is better. Shall I send a pull request for this: https://github.com/mbland/openssl/commit

Re: How to help OpenSSL

2014-04-26 Thread Ben Laurie
On 25 April 2014 00:08, Matt Caswell fr...@baggins.org wrote: Ben - Is it possible for some of us to get RT users created? The above assumes we can configure RT statuses - is this possible? I think you now have RT access, right?

Re: How to help OpenSSL

2014-04-26 Thread Ben Laurie
On 24 April 2014 19:54, Kurt Roeckx k...@roeckx.be wrote: On Thu, Apr 24, 2014 at 06:31:34PM +0100, Ben Laurie wrote: Note that this is just how to help me, not a consensus view from the whole team, though I have no doubt much of it will be helpful to the team, too. 1. Triage RT (https

Re: Attribution of pull requests in git

2014-04-26 Thread Ben Laurie
On 26 April 2014 12:16, Kurt Roeckx k...@roeckx.be wrote: On Sat, Apr 26, 2014 at 11:29:39AM +0100, Ben Laurie wrote: Is there an easy way to fix that? That is, I would expect it to show me as the committer and the original author as the author. That is how it should always work, and I'm

Re: test/heartbleed_test.c

2014-05-20 Thread Ben Laurie
On 20 May 2014 06:40, The Doctor,3328-138 Ave Edmonton AB T5Y 1M4,669-2000,473-4587 doc...@doctor.nl2k.ab.ca wrote: Found that strndup would not work. I had to add #if !HAVE_STRNDUP #include stdio.h #include string.h #include sys/types.h #include malloc.h /* Find the length of STRING,

Fwd: Using Frankencerts for Automated Adversarial,Testing of Certificate Validation,in SSL/TLS Implementations

2014-05-23 Thread Ben Laurie
-- Forwarded message -- From: Martin Haufschild martin.haufsch...@uni-rostock.de Date: 23 May 2014 07:34 Subject: Using Frankencerts for Automated Adversarial,Testing of Certificate Validation,in SSL/TLS Implementations Hello, FYI

Re: Prime generation

2014-05-27 Thread Ben Laurie
On 27 May 2014 09:16, Joseph Birr-Pixton jpix...@gmail.com wrote: On 27 May 2014 08:45, Peter Waltenberg pwal...@au1.ibm.com wrote: ... I did change the RNG sources for some of the OpenSSL code in our hacked version to help with the performance problems using the wrong source causes, for

Re: open ssl rsa key generation improvement idea

2014-05-27 Thread Ben Laurie
Nice idea. It inspired my son, Felix, and I to think about a related idea: generate random numbers which are inherently coprime to small primes. Felix went on to implement the idea, and include benchmarks and tests. Not finished - while implementing, we noticed that the existing prime number

Re: open ssl rsa key generation improvement idea

2014-05-27 Thread Ben Laurie
Also, I should note that this approach is not portable. You need to operate in the same base as BIGNUM does, or account for endianness is the byte-level operations. On 26 May 2014 02:31, Russell Harkins russ...@russellharkins.info wrote: Hi SSL Team, I was looking for ways to make calculating

Re: open ssl rsa key generation improvement idea

2014-05-28 Thread Ben Laurie
On 28 May 2014 00:03, Viktor Dukhovni openssl-us...@dukhovni.org wrote: On Tue, May 27, 2014 at 09:04:20PM +0100, Ben Laurie wrote: It inspired my son, Felix, and I to think about a related idea: generate random numbers which are inherently coprime to small primes. Felix went on to implement

Re: Prime generation

2014-05-28 Thread Ben Laurie
On 28 May 2014 01:47, mancha manc...@zoho.com wrote: Fouque and Tibouchi [3] offer the differing view that it's preferable to minimize bias and generate primes that are almost uniform even if it is not immediately clear how such biases can help an adversary. They suggest a few algorithms that

Re: Re : Re: open ssl rsa key generation improvement idea Prime generation

2014-05-28 Thread Ben Laurie
incremental search This is just an idea as I didn't implement anything yet however with full optimization this could be quicker than incremental search And sorry if I'm mistaking anyhow Nico - Mail d'origine - De: Ben Laurie b...@links.org À: OpenSSL development openssl-dev@openssl.org

Re: New unbiased prime generator function fixes

2014-06-01 Thread Ben Laurie
You didn't update the test... On 1 June 2014 21:26, Viktor Dukhovni openssl-us...@dukhovni.org wrote: On Sun, Jun 01, 2014 at 08:14:00PM +, Viktor Dukhovni wrote: The new prime generator does not ensure that generated primes are safe modulo 2, 3, 5, 7 or 11. In particular (p-1)/2 might

Re: [PATCH] 1.0.1h does not build nor test HEARBEAT bug on OpenVMS

2014-06-07 Thread Ben Laurie
On 6 June 2014 22:21, Zoltan Arpadffy z...@polarhome.com wrote: Hi, after some testing the new release I realized that 1.0.1h does not build nor run HEARBEAT bug unit test on OpenVMS. The following patch corrects the problem. Best as a pull request on github. Thanks, Z -

Re: Crash in openSSL 1.0.1g

2014-06-10 Thread Ben Laurie
You should be using 1.0.1h. Also, not familiar with MacOS X heap checking, but it looks like heap corruption, which may or may not be OpenSSL's fault. Probably hard to diagnose without a test case! On 10 June 2014 07:25, Navneet Kumar (navneeku) navne...@cisco.com wrote: Update : Crashes are

Re: [openssl.org #3375] Patch: Off-by-one errors in ssl_cipher_get_evp()

2014-06-21 Thread Ben Laurie
On 12 June 2014 23:15, Matt Caswell m...@openssl.org wrote: On 12/06/14 22:43, Otto Moerbeek wrote: On Thu, Jun 12, 2014 at 10:26:56PM +0200, Matt Caswell via RT wrote: Patch applied: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=abfb989fe0b749ad61f1aa4cdb0ea4f952fc13e0 Many

Makedepend bug?

2014-07-01 Thread Ben Laurie
I've been trying to figure out why my make depend differs from other developers, and why it appears to be wrong. For example, apps/dsa.o depends, according to makedepend, on dh.o, but with the standard developer flags ($gcc_devteam_warn) it should not. AFAICS, makedepend gets passed the right

Re: Very old release, unsupported platform

2014-07-01 Thread Ben Laurie
On 1 July 2014 06:52, Zoltan Arpadffy z...@polarhome.com wrote: Hi, I see that Rich is doing a fantastic job by cleaning up the backlog... I absolutely agree that very old releases cannot be supported, but what about the platforms? I thought until now, that as long there are developers who

Reward for proactive security improvements

2014-07-01 Thread Ben Laurie
In case people haven't noticed, Google has announced a reward program for this (last year, in fact): https://www.google.com/about/appsecurity/patch-rewards/ __ OpenSSL Project

Re: Makedepend bug?

2014-07-01 Thread Ben Laurie
AM, Ben Laurie b...@links.org wrote: I've been trying to figure out why my make depend differs from other developers, and why it appears to be wrong. For example, apps/dsa.o depends, according to makedepend, on dh.o, but with the standard developer flags ($gcc_devteam_warn) it should

Re: Makedepend bug?

2014-07-01 Thread Ben Laurie
On 1 July 2014 18:34, Tim Rice t...@multitalents.net wrote: On Tue, 1 Jul 2014, Ben Laurie wrote: Aha! Well done. I suspect there's not really any reason to support makedepend anymore - should perhaps just switch to always using gcc/clang for dependencies? So now gcc/clang is required

Re: Makedepend bug?

2014-07-01 Thread Ben Laurie
On 1 July 2014 19:15, Salz, Rich rs...@akamai.com wrote: I was wondering why 'make depend' output was saved in the Makefiles. Because way back when (think like early X and xmkmf) that's the way things were done. So I guess adding the .d files to the repository and using include statements

Re: [openssl.org #3277] OpenSSL s_client doc missing option

2014-07-03 Thread Ben Laurie
On 2 July 2014 23:17, Rich Salz via RT r...@openssl.org wrote: Fixed, added -servername to the pod file. Looks to me like you've only fixed this (and many others) in master - surely should also go to 1.0.2 at least (and probably older branches, too)? Also, we generally rebase rather than

Re: [openssl.org #3277] OpenSSL s_client doc missing option

2014-07-03 Thread Ben Laurie
On 3 July 2014 12:04, Salz, Rich rs...@akamai.com wrote: Looks to me like you've only fixed this (and many others) in master - surely should also go to 1.0.2 at least (and probably older branches, too)? Okay, tell me which branches. Since this is a bug, all active branches (that it applies to

Re: [openssl.org #3277] OpenSSL s_client doc missing option

2014-07-03 Thread Ben Laurie
: rs...@jabber.me; Twitter: RichSalz -Original Message- From: owner-openssl-...@openssl.org [mailto:owner-openssl- d...@openssl.org] On Behalf Of Ben Laurie Sent: Thursday, July 03, 2014 7:15 AM To: OpenSSL development Cc: Jeffrey Walton Subject: Re: [openssl.org #3277] OpenSSL

Re: OpenSSL roadmap

2014-07-03 Thread Ben Laurie
On 3 July 2014 14:13, Theodore Ts'o ty...@mit.edu wrote: However, in the kernel we are much more lax about who gets access to the Coverity project. Part of this is the sure and certain knowledge that the bad guys are quite willing to pay for a Coverity license, and so for us the balance of

Re: OpenSSL roadmap

2014-07-03 Thread Ben Laurie
On 3 July 2014 15:28, Salz, Rich rs...@akamai.com wrote: release processes at various distributions. (Given that Microsoft has weekly patch Tuesdays, if even slow moving *Microsoft* can turn around a security update in a week, what's your excuse? :-) They have a regular release train, but

Google Patch rewards updated to include refactoring

2014-07-03 Thread Ben Laurie
https://www.google.com/about/appsecurity/patch-rewards/ Refactorings that make it easier to reason about the security properties of the code. __ OpenSSL Project http://www.openssl.org Development

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-03 Thread Ben Laurie
On 3 July 2014 20:06, Kurt Roeckx via RT r...@openssl.org wrote: On Thu, Jul 03, 2014 at 07:51:28PM +0200, Toralf Förster via RT wrote: I think cppcheck is right here in void DES_ofb64_encrypt(), line 84, 85 and 96, or ?: The line before that: dp=d; l2c(v0,dp);---

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-04 Thread Ben Laurie
On 3 July 2014 22:35, Kurt Roeckx k...@roeckx.be wrote: On Thu, Jul 03, 2014 at 09:28:47PM +0100, Ben Laurie wrote: On 3 July 2014 20:06, Kurt Roeckx via RT r...@openssl.org wrote: On Thu, Jul 03, 2014 at 07:51:28PM +0200, Toralf Förster via RT wrote: I think cppcheck is right here in void

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-04 Thread Ben Laurie
It'd be nice, btw, if someone would report the bug to cppcheck. On 4 July 2014 10:15, Ben Laurie b...@links.org wrote: On 3 July 2014 22:35, Kurt Roeckx k...@roeckx.be wrote: On Thu, Jul 03, 2014 at 09:28:47PM +0100, Ben Laurie wrote: On 3 July 2014 20:06, Kurt Roeckx via RT r...@openssl.org

Preventing the next Heartbleed

2014-07-04 Thread Ben Laurie
Interesting paper by David Wheeler: http://www.dwheeler.com/essays/heartbleed.html. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org

Re: [openssl.org #3428] bug report : crypto/des/ofb64enc.c: Uninitialized variable: d

2014-07-04 Thread Ben Laurie
On 4 July 2014 15:20, Toralf Förster toralf.foers...@gmx.de wrote: On 07/04/2014 11:17 AM, Ben Laurie wrote: It'd be nice, btw, if someone would report the bug to cppcheck. http://5.150.254.56:443/trac-cppcheck/ticket/5970#ticket Thanks. Thx On 4 July 2014 10:15, Ben Laurie b...@links.org

*_ctrl() functions

2014-07-05 Thread Ben Laurie
I've been experimenting with more type correctness and less casting. Some of the big casting culprits are the various _ctrl() functions, e.g. SSL_ctrl(). Does anyone have any clue why these exist? Is there any reason to not replace them with direct function calls (other than API stability)?

Re: [openssl.org #3436] Platform strategy

2014-07-05 Thread Ben Laurie
On 5 July 2014 18:46, Zoltan Arpadffy z...@polarhome.com wrote: Hi, I absolutely agree, that other less popular platforms need support. Unfortunately, reading the conversation in the last few days, I got a feeling that the OpenSSL core development is not willing to support those platforms

Re: BIO_get_accept_socket weirdness

2014-07-05 Thread Ben Laurie
On 5 July 2014 12:37, Kurt Roeckx k...@roeckx.be wrote: But then I found some MSDN documentation that says that Windows allows others to hijack your socket when you've set SO_REUSEADDR and the results are non-deterministic. They also created an SO_EXCLUSIVEADDRUSE and I'm getting confused

JPAKE?

2014-07-06 Thread Ben Laurie
Does anyone use it? We're considering removing or refactoring it... __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List

Re: Unit Testing/statically analysing OpenSSL

2014-07-09 Thread Ben Laurie
On 9 July 2014 14:38, Paul Morriss paul.morr...@tokenbay.co.uk wrote: I am keen to get more involved in the development of OpenSSL, I am curious, has the code been run through a static analysis tool (such as Coverity)? Coverity do run OpenSSL through their tool. The false positive rate is

Re: [openssl.org #3442] [patch] AES XTS: supporting custom iv from openssl enc command

2014-07-12 Thread Ben Laurie
On 11 July 2014 11:56, Andy Polyakov ap...@openssl.org wrote: Bottom line [still] is that enc is not the place to perform XTS, *unless* it's treated specially. In other words question should not be about setting IV, but about *if* XTS should be supported by enc, and if so, how exactly. It

Re: Default Security Level

2014-08-16 Thread Ben Laurie
On 16 August 2014 19:50, Dominyk Tiller dominyktil...@gmail.com wrote: Ah! That's where my confusion lies, I'm getting myself tied up between development stable. Thanks for the clarity on that. Homebrew is currently on 1.0.1i stable. These are the ssl2 ciphers active:

Re: [openssl.org #2917] [PATCH] dsa: fix return code when -noout is used

2014-08-17 Thread Ben Laurie
On 17 August 2014 06:44, Rich Salz via RT r...@openssl.org wrote: This will be fixed in the post-1.0.2 release. Why not fix in 1.0.2? Thanks. (rsalz-monolith branch on github, akamai/openssl) -- Rich Salz, OpenSSL dev team; rs...@openssl.org

1.0.2 head doesn't build...

2014-09-25 Thread Ben Laurie
Workaround (I wasn't sure if the functions were intended to be used somewhere, so not deleted yet): diff --git a/crypto/constant_time_test.c b/crypto/constant_time_test.c index 1b4b18d..78e7fca 100644 --- a/crypto/constant_time_test.c +++ b/crypto/constant_time_test.c @@ -195,7 +195,7 @@ static

HOST_c2l warnings...

2014-09-29 Thread Ben Laurie
Building 1.0.2 with gcc 4.9 and no-asm, I get a lot of: ADS -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIOS -O3 -Wall -c sha256.c In file included from sha256.c:115:0: sha256.c: In function 'sha256_block_data_order': ../md32_common.h:248:41: warning:

Re: [openssl-dev] FreeBSD build broken?

2015-06-08 Thread Ben Laurie
On 8 June 2015 at 13:27, John Foley fol...@cisco.com wrote: Is anyone having problems building 1.0.2-stable on FreeBSD? It appears the following commit may have broken the build: https://github.com/openssl/openssl/commit/f877da9cedb95df94105d7292f8e0963175e58dc Here's the error we're

Re: [openssl-dev] Continuous Integration for OpenSSL

2015-08-22 Thread Ben Laurie
On Sat, 22 Aug 2015 at 01:56 Salz, Rich rs...@akamai.com wrote: Thanks! We have several cross-compile builds running on Cisco's build farm. The more the merrier. I am sure ARM would be appreciated. Are these linked from the website somewhere? ___

Re: [openssl-dev] Continuous Integration for OpenSSL

2015-08-24 Thread Ben Laurie
On Mon, 24 Aug 2015 at 03:56 Salz, Rich rs...@akamai.com wrote: On Sat, 22 Aug 2015 at 01:56 Salz, Rich rs...@akamai.com wrote: Thanks! We have several cross-compile builds running on Cisco's build farm. The more the merrier. I am sure ARM would be appreciated. Are these linked from the

Re: [openssl-dev] Continuous Integration for OpenSSL

2015-08-24 Thread Ben Laurie
On Mon, 24 Aug 2015 at 09:53 Alessandro Ghedini alessan...@ghedini.me wrote: On Sat, Aug 22, 2015 at 12:55:43am +, Salz, Rich wrote: Thanks! We have several cross-compile builds running on Cisco's build farm. The more the merrier. I am sure ARM would be appreciated. Does this mean

Re: [openssl-dev] common factors in (p-1) and (q-1)

2015-08-01 Thread Ben Laurie
On Sat, 1 Aug 2015 at 14:22 mancha manc...@zoho.com wrote: On Fri, Jul 31, 2015 at 06:46:22PM +, Viktor Dukhovni wrote: On Fri, Jul 31, 2015 at 11:19:39AM -0700, Bill Cox wrote: Cool observation. From running a bit of Python code, it looks like the probability that GCD(p-1, p-q)

Re: [openssl-dev] [openssl.org #3992] [PATCH] Allow RFC6962 Signed Certificate Timestamps to be disabled

2015-08-07 Thread Ben Laurie
On Thu, 6 Aug 2015 at 14:14 David Woodhouse via RT r...@openssl.org wrote: This code does open-coded division on 64-bit quantities and thus when building with GCC on 32-bit platforms will require functions such as __umoddi3 and __udivdi3 from libgcc. In constrained environments such as

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-16 Thread Ben Laurie
On Fri, 16 Oct 2015 at 01:32 Matt Caswell via RT wrote: > > > On 15/10/15 20:53, Alexander Cherepanov via RT wrote: > > On 2015-10-15 15:41, Matt Caswell via RT wrote: > >> The purpose of the sanity check is not then for security, but to guard > >> against programmer error. For

Re: [openssl-dev] [openssl.org #4094] Nonsensical pointer comparison in PACKET_buf_init

2015-10-21 Thread Ben Laurie
On Sat, 17 Oct 2015 at 06:35 Kurt Roeckx via RT wrote: > On Fri, Oct 16, 2015 at 09:44:22PM +, Kaduk, Ben via RT wrote: > > On 10/16/2015 04:35 PM, Kurt Roeckx via RT wrote: > > > On Fri, Oct 16, 2015 at 06:50:36PM +, Kurt Roeckx via RT wrote: > > >> On Fri, Oct 16,

Re: [openssl-dev] Continuous Integration for OpenSSL

2015-08-25 Thread Ben Laurie
On Mon, 24 Aug 2015 at 19:35 Matt Caswell m...@openssl.org wrote: On 24/08/2015 10:08, Ben Laurie wrote: On Mon, 24 Aug 2015 at 03:56 Salz, Rich rs...@akamai.com mailto:rs...@akamai.com wrote: On Sat, 22 Aug 2015 at 01:56 Salz, Rich rs...@akamai.com mailto:rs

<    1   2   3   4   5   6   7   >