Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-30 Thread Marc Lehmann
On Thu, Jul 30, 2015 at 08:58:21PM +0200, Kurt Roeckx k...@roeckx.be wrote: Yes, I was talking about -fsanitize=address. I suggest you make a static version of libcrypto/libssl and link that in gvpe. I suggest you build both openssl and gvpe with that option. I guess correctly then - I built

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-30 Thread Marc Lehmann
On Thu, Jul 30, 2015 at 09:39:56PM +0200, Kurt Roeckx k...@roeckx.be wrote: I guess correctly then - I built a gvpe binary with it and it works for a while now. I will have to look into building openssl this way - any tips on how to most easily achieve that with the debian openssl package?

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-30 Thread Kurt Roeckx
On Thu, Jul 30, 2015 at 09:27:10PM +0200, Marc Lehmann wrote: On Thu, Jul 30, 2015 at 08:58:21PM +0200, Kurt Roeckx k...@roeckx.be wrote: Yes, I was talking about -fsanitize=address. I suggest you make a static version of libcrypto/libssl and link that in gvpe. I suggest you build both

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-30 Thread Marc Lehmann
On Tue, Jul 28, 2015 at 11:26:50PM +0200, Kurt Roeckx k...@roeckx.be wrote: but apart from lzf compression (which does access uninitialised data), there is no output from valgrind either, so it's at least not some obvious corruption bug. You could always try something as address sanitizer.

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-30 Thread Kurt Roeckx
On Thu, Jul 30, 2015 at 08:52:33PM +0200, Marc Lehmann wrote: On Tue, Jul 28, 2015 at 11:26:50PM +0200, Kurt Roeckx k...@roeckx.be wrote: but apart from lzf compression (which does access uninitialised data), there is no output from valgrind either, so it's at least not some obvious

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-28 Thread Marc Lehmann
On Sat, Jul 25, 2015 at 07:40:41PM +0200, Kurt Roeckx k...@roeckx.be wrote: Well, many people work gvpe. Maybe you meant how? gvpe uses openssl's HMAC (by default hmac-sha512) to verify packet integrity, and when upgrading libssl to 1.0.2d-1, for some connections, every packet gets a HMAC

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-28 Thread Kurt Roeckx
On Tue, Jul 28, 2015 at 01:16:17PM +0200, Marc Lehmann wrote: I additionally ran both binaries under valgrind to exclude obvious bugs, but apart from lzf compression (which does access uninitialised data), there is no output from valgrind either, so it's at least not some obvious corruption

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-25 Thread Kurt Roeckx
On Sat, Jul 25, 2015 at 08:45:39AM +0200, Marc Lehmann wrote: Package: libssl1.0.0 Version: 1.0.2d-1 Severity: normal Dear Maintainer, upgrading libssl1.0.0 from 1.0.1k-3+deb8u1 to 1.0.2d-1 breaks HMAC authentication in a gvpe compiled with 1.0.1k-3. I will need more information other

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-25 Thread Kurt Roeckx
On Sat, Jul 25, 2015 at 06:15:10PM +0200, Marc Lehmann wrote: On Sat, Jul 25, 2015 at 10:48:51AM +0200, Kurt Roeckx k...@roeckx.be wrote: upgrading libssl1.0.0 from 1.0.1k-3+deb8u1 to 1.0.2d-1 breaks HMAC authentication in a gvpe compiled with 1.0.1k-3. I will need more information

Bug#793565: [Pkg-openssl-devel] Bug#793565: libssl1.0.0: HMAC broken after upgrade to 1.0.2d-1

2015-07-25 Thread Marc Lehmann
On Sat, Jul 25, 2015 at 10:48:51AM +0200, Kurt Roeckx k...@roeckx.be wrote: upgrading libssl1.0.0 from 1.0.1k-3+deb8u1 to 1.0.2d-1 breaks HMAC authentication in a gvpe compiled with 1.0.1k-3. I will need more information other than that it doesn't work. Just ask, but without knowing what