Re: [openssl-dev] ecp_nistz256 correctness/constant-timedness

On Sun, Apr 26, 2015 at 10:37 PM, Brian Smith br...@briansmith.org wrote: On Fri, Apr 24, 2015 at 5:54 AM, Emilia Käsper emi...@openssl.org wrote: commit c028254b12 fixes 1., 2. and 3. (also applied to 1.0.2). commit 53dd4ddf71 fixes 5 and some of 4. Still ploughing my way through the rest

[openssl-dev] [openssl.org #2561] Re: Memory leak with SSL built-in compressions

Is there any progress on this? Its been about 5 years, and folks are still having trouble with it. For example: * http://stackoverflow.com/questions/29845527/how-to-properly-uninitialize-openssl. * http://openssl.6102.n7.nabble.com/Preferred-way-to-free-ssl-comp-methods-td48573.html *

[openssl-dev] Concerns regarding bn_wexpand/bn_expand2/bn_expand_internal

Although bn_wexpand is a private function within the crypto/bn module, it is exposed to other modules through bn_int.h. It is used from outside crypto/bn quite frequently. bn_wexpand is implemented in terms of a function called bn_expand2: /* * This is an internal function that should not be

[openssl-dev] [openssl.org #3823] [PATCH] Improve the robustness of event logging

Hello, Summary: handle possible failures when writing a message to the event log. In debug builds, send data to the debugger as a last resort. Additional data: 1) Operating systems affected: all versions of Windows. 2) OpenSSL versions affected: all versions running on Windows. Thank you,

[openssl-dev] [openssl.org #3824] FEATURE: Please provide a function to unintialize the library

This question crops up on occasion: How do you shutdown the OpenSSL library. See, for example: * How to properly uninitialize OpenSSL, http://stackoverflow.com/questions/29845527/how-to-properly-uninitialize-openssl. * Order of Cleanup to avoid memory leaks?,

[openssl-dev] [openssl.org #3226]

A patch was posted a year ago, but it's not merged in. It looks like typically errors are not checked after calls like EVP_DigestInit_ex(), is it considered unlikely, or is error always buffered in context? +nosy ___ openssl-dev mailing list To

[openssl-dev] out-of-bounds read in BN_mod_exp_mont_consttime

Hi, BoringSSL reported an out-of-bounds read in BN_mod_exp_mont_consttime and appear to have patched it: https://boringssl-review.googlesource.com/#/c/1393/ https://boringssl-review.googlesource.com/#/c/1393/ How serious is this issue? Are there any plans for OpenSSL to use a similar fix too?

[openssl-dev] [openssl.org #2883]

It looks like proposed patch to srp_lib.c is obsolete, there's `return 0` there now. proposed patch to tasn_new.c is obsolete too, `if (!it)` is checked at the top of the function. I think it's time to close this ticket. +nosy ___ openssl-dev mailing