Can't someone just create a valgrind suppression entry for this?
Valgrind can read a file that tells it things to ignore, like lint's old
NOTREACHED comment.
/r$
--
STSM
Senior Security Architect
DataPower SOA Appliances
Maybe valgrind should have a rule put in place which resets the
uninitialized data bit in the memory bitmap over the block of data
returned by the low level RAND_() functions provided by OpenSSL.
Yes, exactly my point. Until someone enhances valgrind, however,
something like this
Ah. You're correct about BN_num_bytes. Actually, in the above code, if
you use BN_num_bytes(bn), it will return 0 which should not be the
case. I just hardcoded the 16 there to illustrate. I believe the bug
might be in BN_hex2bn.
Nope, a zero has an optimized representation of no digits. The
A read of a 'volatile uint64_t', btw, is supposed to make sure that it
reads from the original memory locations, not cached copies of it in
register or spread across multiple registers.
No. The computing model in ANSI/ISO C doesn't really go below the level
of source code.
Volatile only
This is the precise optimization that 'volatile' inhibits. 'volatile'
requires that the value not be cached in cheap-to-access locations
like registers, instead being re-loaded from expensive-to-access
locations like the original memory -- because it may be changed from
outside the
I was not commenting on any part of the message that I didn't quote. :)
Kyle's claim about things like caches and registers is wrong, not even
sort-of right. The standard talks about only in terms of sequence points,
and volatile limits what can be done in terms of sequence points. So
Suppose another thread does this:
*p=99;
*p=98;
Out of scope -- the C standard does not define ANY semantics for multiple
threads of execution.
The standard is discussed in terms of an abstract machine and the
machine
the code is running on may bear only as much resemblance to the
The Z suffix indicates GMT/UTC timezone. You are seeing them displayed in
your timezone.
pszSig[ unLen ] = '\0';
CString sSigVal( pszSig );
delete[] pszSig;
return sSigVal;
You can't treat a signature as a C-style string. It's a binary buffer.
I'm not able to find code for some of the digest functions like
MD5_Update() ,SHA1_Update().
in the latest source dump.
Many OpenSSL functions are implemented in non-traditional manners, such as
via macros, assembly language, etc.
If you are on a Unix/Linux platform, using something like
It would help a great deal if you posted a sample signature. Did you c14n
the data?
Without a doubt, the easiest thing to do is to use
http://www.aleksey.com/xmlsec/ rather than try to roll your own.
This is not an issue for openssl developers because it does not require
fixes or changes to the openssl code. Unfortunately I don't know of a
list for general xml-signature questions. :(
If I cut and paste your fragment into a file and edit it to be one long
line, I get
; openssl sha1
Being able to load/save the digest state is a good idea. Management of
the buffer should be left to the caller, however. Much simpler and
cleaner that way. For example, work like the DER/i2d routines: if given a
NULL pointer, return how much space is needed. Or provide something like
the
The portable solution (all the way back to v7)
echo 'foo' | tr -d '\012'
I seriously doubt ppl are using SSL_shutdown() with non-blocking BIOs,
together with the current API semantics. Seriously.
Are you new here? This library has been around for more than a decade.
There are *lots* of people using the current API with non-blocking.
Seriously.
double/triple
Define elegantly.
The current API works. Better is not a reason to change it.
Wait for both, keep your own state. Works well enough. See the products
at the URL in my .sig for proof :)
If that's an example of working API for someone, it's no surprise
websphere blows.
There's no need to be rude.
And WebSphere doesn't use OpenSSL.
Compile was successful, but I get a linking error as follows.
I have installed and copied the include and lib files of OpenSSL to
the respective folders of VC++.
Did you tell VC to actually *use* the libraries you made available? (I
don't know details of how to do that any more. Thankfully
IMO, writing security software by doing something that is specifically
not
documented or guaranteed to work and then trying to fix every problem it
creates (at least, that you can find) is completely insane.
Guaranteed to work? Who's doing the indemnification?
Security's all about
Locking with no contention is not pretty expensive, it's darn near
free.
On systems with only one processor and nothing like hyperthreading.
On systems with only one processor and nothing like hyperthreading.
Did you miss the with no contention part?
No. I didn't realize you meant it as 'no possible contention.'
If client authentication is requested by the server, is it a MUST to send
the certificate chain along with the client certificate? Does the RFC
mandate sending the certificate chain?
The client is supposed to send the chain up to, but not necessarily
including, the root. Look at the description of
Is a 2-4x speedup for RSA decryption consistent with what others have
seen?
yes.
disadvantage: the assembly optimizations preclude building the library
with the /SafeSEH linker option, an important security countermeasure.
See http://www.uninformed.org/?v=5&a=2&t=txt for a possible
In the practice of engineering, we should try to avoid 'hoping'
about anything.
Don't know much about cryptography, do you?
Would a runtime flag for don't seed with uninitialized memory, rather
than (or in addition to) -DPURIFY, satisfy everybody?
Everybody?
It seems to me that only one or two people who don't really understand
what's going on are complaining.
OpenSSL should stay as it is. A contributed valgrind
on the other hand it may be a known plaintext attack.
Using those words in this context makes it sound that you not only don't
understand what is being discussed right here and now, but also that you
don't understand the term you just used. Are you sure you understood,
e.g., Ted Tso's
Leave everything as all zeros; that will make it real obvious not to use
this in production code.
#ifdef PURIFY
memset(buf, 0, num);
memset(md_c, 0, sizeof md_c);
memset(local_md, 0, sizeof local_md);
#endif
Your test is wrong. NaN != NaN.
If a browser has a maliciously-included root certificate placed
there by an attacker and ...
I'm not aware of any definition of MITM that includes compromising any
part of an endpoint. Could you point to one?
Which is faster (memcpy or inline or and operations)? It varies widely
depending on the compiler, the CPU, the length of the data, the
implementation of the library, etc. It's impossible to make any kind of
generalization (other than this one :).
When using
ca -revoke filename
it would be nice if filename had no slash, that the value of the
new_certs_dir was prepended.
The best thing to do is to crash ASAP so that the calling code is fixed.
Returning a run-time error turns out, in the long run, to not be useful --
the incorrect code never gets cleaned up, folks don't check return status,
and people complain my code doesn't work.
My guess is that the stack is smashed, giving you garbage. Run the
program under GDB and try to reproduce it -- you might get a more
reasonable backtrace.
A fair amount of openssl code is written this way:
type v1 = NULL;
type v2 = NULL;
...do stuff...
if (error) goto escape;
normal return
escape:
if (v1) v1_free(v1);
if (v2) v2_free(v2);
...
Sometimes there's only v1, and sometimes
You should use a standard certificate and add your own extensions. Don't
try to create your own certificate format -- there's no need. Then you
just implement your own verify callback that looks for those extensions
and their value.
I'm mildly curious why x509 doesn't work for you. But good luck.
Wow,
You keep updating and submitting these patches. I hope you find a
core-team commit in your christmas stocking, finally :)
You're missing the point -- your comment is the height of irony, in a way.
Use a suppression to make Valgrind shut up.
I took a closer look at current valgrind and the client requests. I
assume you mean doing something like this:
if (VG_USERREQ__RUNNING_ON_VALGRIND) memset(st, 0, sizeof st);
It might be a nuisance to fix these, but at least it keeps the code more
correct. Right?
(Separating valgrind
the limitation is that stdio can only use fds that are below 256 (due to
the fd being kept in a char in the FILE struct, which can't be changed
without breaking binary backwards compatibility).
Amazing. I first came across this problem with INN over a decade ago.
It's still an issue? Wow.
Well, how *do* you fix it without breaking binary backwards
compatibility? The layout of the FILE struct is embedded in all
binaries using the stdio macros (e.g. getc()/putc()).
I don't know, but I can't believe that within a decade that they couldn't
have come up with something. A fixup
You should probably also be concerned with someone messing with the
header and making you get false denials. For that reason, and because
it's generally safer, you want to use the DER, not any wrapped format; for
example, line endings might change.
Doing memcmp() on the DER will be more
I'd consider an implementation of memcmp that doesn't early stop as soon
as it sees a difference as completely broken, performance wise. Memcmp
returns an ordered comparison but that can be done as soon as the first
bit difference is seen.
Me too. But look at the ASN1 for a certificate.
Robustness demands checking of everything passed into a function for
possible failures -- such as an inappropriate NULL pointer.
That depends. Often returning a run-time error will just mask the
problem, while a segfault means the programming error will be fixed.
You're supposed to check
I'm looking to collect information on what various clients do when sent a
cert request with no DN's.
One possible reading of the spec is send any cert you want, as opposed
to anchored in the specified trust chain.
Does it work that way in real life?
Certificates do not contain private keys. There are other data
structures, most notably a PKCS#12 object, that pairs keys and certs.
Ok, so PKCS#12 defines its own file format to store private keys together
with the associated certificate.
It's a data format, which can be written out in a couple of ways (DER,
PEM, etc).
So are they password protected and also stored in the certificate
store??
The format allows for a
I will be out of the office starting 07/09/2006 and will not return until
07/15/2006.
If this is going to a mailing list, I apologize.
In case of emergency, please contact my manager Bill Tao.
I propose that OpenSSL move to DocBook, an XML format, for its
documentation. DocBook (www.docbook.org) is an XML language for
structured/technical documentation. It includes XSLT stylesheets to
convert docbook into many formats, including: roff manpages, HTML pages, a
single HTML document,
I agree completely. This was actually brought up a while ago by
someone else (was that Dave Pawson, the one you're mentioning below?),
and should probably have been discussed already then.
Yes, same guy. :)
I think the only thing that's an obstacle
for me is that the synopsis for C
I wish to make it very clear that in this message I am speaking solely as
an individual, and do not represent my employer or its views in any way at
all.
We don't know the full story behind this yet, and perhaps never will. As
John Weathersby noted in the article, This is not about
You're probably referring to the critique that Tim Hudson of RSA SI has
been circulating.
No, I didn't know Tim has been circulating a critique.
As for "breaks in security", for level 1 validations the CMVP recognizes
that there is no effective defense against malicious subversion of
So anything that uses LD_PRELOAD is suspect, such as ElectricFence?
Well, it shouldn't be; that's the point. And the problem with the current
code.
Since using the same malloc() and calloc() implementations are
extremely important for application compatibility [especially on
Windows as a
I guess I'm trying to look at this from a guarantee-of-parameter,
operation, guarantee of output integrity contract-based
programming view.
It might make more sense to do this with C++ classes built on top of the C
API. If you had a common base class with void*, size_t, and then defined
all
I guess I don't understand. At one point you mention that C++ wrappers
don't meet the need because you are addressing corruption by something
that occurred inside OpenSSL, yet later on you say you're trying to
address the library being used in the wrong way. No biggie, I'll wait
until code
So you are saying that email is getting everywhere but to you?
I suggest you look there, first.
davids> simple -- if you are going to call a function whose types you
davids> don't know (through a prototype), you must cast each type you
davids> pass to the type the function expects. End of story. OpenSSL
davids> does not do this. This is not valid C whether or not the type
davids> sizes are
Incorrect. When the compiler encounters this statement, if there's no
prototype for d2i() in scope, it is _required_ to act as if the
prototype were:
int d2i(int, int, int);
This is wrong. The usual integral promotions apply -- but only to
integral parameters, not to ALL of them.
As I understood it, calling a function without a prototype was precisely
equivalent to declaring a prototype of the function with the exact
parameter
types passed (after promotion rules).
Nope. Calling a function without a prototype is precisely equivalent to
K&R rules. If a function will
This means you cannot pass an 'X509 **' as a 'char **'.
Unfortunately 'X509 *' and 'char *' are not compatible types because
'X509' and 'char' are not compatible. They are not both unions, they
are not both structures.
But you can pass 'X509 **' as 'void *'. So...
void
E.g., the patterns for linux are fine, but in order to avoid confusing
the environment, I'd like to override cc with gcc -m32 or gcc33 and
otherwise accept openssl's other opt patterns verbatim.
something like this, around line 943:
my $cc = $ENV{'CC'} || $fields[$idx_cc];
So you can
BEAM is an IBM research tool that does static code analysis. It's cool
because it makes hypotheses about the code paths and traces them through
to see if something bad would happen. There's a webpage here:
http://domino.research.ibm.com/comm/research.nsf/pages/r.da.beam.html I
don't think
In doc/crypto/RSA_get_ex_new_index.pod, the typedef's for new_func,
free_func, dup_func are wrong. All of them should look like:
typedef int (*new_func)... etc
typedef void (*free_func)...
typedef int (*dup_func)...
doing
grep 'typedef.*(' *.pod | fgrep -v ')('
64 matches