> On Jul 30, 2019, at 10:02 PM, Dr Paul Dale wrote:
>
> The #9454 description includes thread sanitizer logs showing different lock
> orderings — this has the potential to deadlock. Agreed with Rich that
> giving up the lock would make sense, but I don’t see a way for this to be
> easily
Yes, I’m mostly talking about #9454 here. #9455 is a bug (clearing the flush
flag after flushing not before). The fix in #9477 addresses this and also
removes the dependence on RAND_bytes.
to OpenSSL 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20190730.txt
Note: the online version of the advisory may be updated with additional details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org
Do you need to hold the lock across dependent items? For example, why can't the
DRBG code unlock before fetching the AES-CTR code?
Sorry, my reply was misleading, since Pauli is talking mainly about #9454.
Please take a look at the issue description
https://github.com/openssl/openssl/issues/9454
instead.
Matthias
On 30.07.19 12:47, Matthias St. Pierre wrote:
On 30.07.19 12:43, Kurt Roeckx wrote:
I currently fail to see how that's a problem, unless that
EVP_CIPHER_CTX tries to use a DRBG.
This is what I mean when I say that things have gotten more complicated under
the hood
due to the replumbing. To understand the problem, please take at a
On Tue, Jul 30, 2019 at 12:41:16PM +0200, Matthias St. Pierre wrote:
> On 30.07.19 11:59, Kurt Roeckx wrote:
> > On Tue, Jul 30, 2019 at 12:42:33PM +1000, Dr Paul Dale wrote:
> > > Overly simplified, the problem boils down to the CTR DRBG needing an AES
> > > CTR cipher context to work. When
On Tue, Jul 30, 2019 at 12:42:33PM +1000, Dr Paul Dale wrote:
> Overly simplified, the problem boils down to the CTR DRBG needing an AES CTR
> cipher context to work. When creating the former, a recursive call is made
> to get the latter.
I'm not sure what you mean with "CTR" both times.
Are
On 30.07.19 04:42, Dr Paul Dale wrote:
> Bringing the discussions over to the project list.
That's a very good idea Pauli to bring this subject to a wider audience for
discussion.
I would like to take the opportunity to re-post a general remark which I made
in