[openssl-dev] [openssl.org #4580] "openssl verify -CAfile cacerts.pem cert.pem" fails if cacerts.pem is ordered in certain ways

Dear OpenSSL developers, We recently experienced an issue with our internal Mercurial repositories where Mercurial will refuse to connect to the repository due to an SSL certificate error. The problem appeared to show up randomly on some machines, but not others. The repository is hosted on an

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

We are not going to check for NULL pointers in all arguments. Ever. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

On 6/20/16, 17:12 , "openssl-dev on behalf of Salz, Rich" wrote: >> Defensive programming is about handling gracefully the cases when the >> user/caller does something he “is not supposed to do”. > >There is a limit. True. >Should we return an error code that will most likely be ignored? Yes,

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

> Defensive programming is about handling gracefully the cases when the > user/caller does something he “is not supposed to do”. There is a limit. Should we return an error code that will most likely be ignored? Should the C library be defensive about fprintf, strcpy, etc., etc.? > Software tha

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

On 6/20/16, 16:48 , "openssl-dev on behalf of Rich Salz via RT" wrote: >You are not supposed to pass NULL into OpenSSL API's. Just like doing >this will >cause a crash strcpy(NULL, "hello”) in a C program. Defensive programming is about handling gracefully the cases when the user/caller does som

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

I know. The register be NULL therefore crashing. it dont find address. I'am search overflow in openssl but I found it while searching for something else. 2016-06-20 23:48 GMT+03:00 Rich Salz via RT : > You are not supposed to pass NULL into OpenSSL API's. Just like doing this > will > cause a cra

[openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

You are not supposed to pass NULL into OpenSSL API's. Just like doing this will cause a crash strcpy(NULL, "hello") in a C program. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4579 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe

[openssl-dev] [openssl.org #4398] BUG / 1.0.2g breaks CURL extension

We believe this is fixed by the commit that viktor pointed out. Is this not true? What are folks asking OpenSSL to do? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4398 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta

Re: [openssl-dev] [openssl.org #4579] Resolved: Bug - libcrypto.a null pointer dereference bug

i have a different bug and a different place. There is again null pointer derefenrence. As it does not matter. 2016-06-20 23:35 GMT+03:00 Rich Salz via RT : > According to our records, your request has been resolved. If you have any > further questions or concerns, please respond to this message.

[openssl-dev] [openssl.org #4376] pull request 785

There was some discussion over on the pull request thread, https://github.com/openssl/openssl/pull/785 And there the feeling was this is a new feature. Closing the ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4376 Please log in as guest with password guest if prompted --

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

Yes, i know. I'am vulnerability researcher. Thanks. 2016-06-20 21:59 GMT+03:00 Rich Salz via RT : > When I added this line: > (if x509==NULL) { ERR_print_errors_fp(stderr); exit(1); } > it complained > 140259630204736:error:0906D06C:PEM routines:PEM_read_bio:no start > line:crypto/pem/pem_lib.c:

[openssl-dev] [openssl.org #1852] [BUG] Invalid Proxy Certificates Pass Validation

On Tue Feb 02 01:44:47 2016, openssl-dev@openssl.org wrote: > On Mon, Feb 01, 2016 at 07:18:04PM +, Rich Salz via RT wrote: > > > This is reported against 0.9.x; please open a new ticket if still a > > problem > > with current releases. > > The same behaviour is present in all releases includin

[openssl-dev] Assembler warns about constants in poly1306-x86_64.pl

Yasm 1.3.0 (Like nasm, but it embeds debug symbols into the asm code on Windows) reports: poly1305-x86_64.asm(456): warning : value does not fit in 32 bit field poly1305-x86_64.asm(459): warning : value does not fit in 32 bit field poly1305-x86_64.asm(1346): warning : value does not fit in 32 bit

[openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

When I added this line: (if x509==NULL) { ERR_print_errors_fp(stderr); exit(1); } it complained 140259630204736:error:0906D06C:PEM routines:PEM_read_bio:no start line:crypto/pem/pem_lib.c:691:Expecting: CERTIFICATE When I fixed the file to say "BEGIN CERTIFICATE" (added a space) and changed the c

[openssl-dev] [openssl.org #3925] [PATCH] Removed trailing semicolon from macro body of three function-like macros

OpenSSL_1_0_2-stable commit 398260a; master commit 54f24e3 thanks. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3925 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

I have a simple code; #include #include #include #include int verify_cert(const char* pem_c_str) { BIO *bio_mem = BIO_new(BIO_s_mem()); BIO_puts(bio_mem, pem_c_str); X509 * x509 = PEM_read_bio_X509(bio_mem, NULL, NULL, NULL); EVP_PKEY *pkey=X509_get_pubkey(x509); int r= X

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

Need more information, like a full backtrace and how to reproduce it. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4579 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

1.0.2t version crashed in same place. Operating System Version: Distributor ID: Ubuntu Description: Ubuntu 14.04.3 LTS Release: 14.04 Codename: trusty Linux 3.19.0-28-generic OpenSSL Version : openssl-1.0.1t Critical Function : X509_verify (); And: 0x080e15ef in X509_verify (a=a@entry=0x0, r=r

Re: [openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

Ok, i will try 1.0.2t version and open new ticket. Thanks. 2016-06-20 21:08 GMT+03:00 Rich Salz via RT : > 1.0.1 is end of life and only getting bugfixes now. > If you can reproduce this on 1.0.2 or master, please open a new ticket. > We also need more information, cannot reproduce this issue he

[openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

1.0.1 is end of life and only getting bugfixes now. If you can reproduce this on 1.0.2 or master, please open a new ticket. We also need more information, cannot reproduce this issue here. Thanks. closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4579 Please log in as g

[openssl-dev] [openssl.org #4579] Bug - libcrypto.a null pointer dereference bug

Operating System Version: Distributor ID: Ubuntu Description: Ubuntu 14.04.3 LTS Release: 14.04 Codename: trusty Linux 3.19.0-28-generic OpenSSL Version : openssl-1.0.1t Critical Function : X509_verify (); And: 0x080e15ef in X509_verify (a=a@entry=0x0, r=r@entry=0x0) at x_all.c:75 75if (X50

[openssl-dev] [openssl.org #3934] [PATCH] test: use _DEFAULT_SOURCE with newer glibc versions

looks like someone already fixed this. closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3934 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4416] 1.0.1s makes porting to HP-UX much harder than before

Discussion happened in https://github.com/openssl/openssl/issues/806 (which looks like it can be c losed). Closing this ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4416 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: ht

[openssl-dev] [openssl.org #4570] Enhancement request: Configuration option no-hw-aes

Thanks for the discussion; closing this ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4570 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4469] Openssl linker errors

You have turned off so many things, that some files are not compiled. Try building without all your no-xxx flags. You don't need to turn them all off, the patents are expired. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4469 Please log in as guest with password guest if prompted

[openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

There will be no free since you've got the SSL lifetime. and esp for 1.1 which uses atomics, closing this. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3868 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org

Re: [openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

Not strictly necessary; mostly convenience. Decrementing the pointer usually requires doing the corresponding free, which really shouldn’t do anything but decrement the refcount if you just got it. -- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, t

[openssl-dev] [openssl.org #3918] check return value of EC_POINT_mul

GOST is now a separate engine. Ping Dmitry :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3918 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3868] [PATCH] Add SSL_get0_peer_certificate()

Is this needed? Can your get0 function just call get and decrement the refcount? -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3868 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-

[openssl-dev] [openssl.org #3844] FW: regarding shared library for openssl -1.0.2a

A local environment/compiler issue that we cannot address. No activity in years on this. closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3844 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/m

[openssl-dev] [openssl.org #3728] Question: does "sslv3" in log mean we're using SSLv3?

There are no plans, at this point, to change the names used in logging. If you think it's worthwhile, please open a *github issue* for this. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3728 Please log in as guest with password guest if prompted -- openssl-dev mailing list To un

[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

this is a "can't happen" kind of thing. If you pass in a NID_xxx value, you MUST get back the object. They are two tables built in-sync. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4381 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubs

[openssl-dev] [openssl.org #3136] [PATCH] get rid of extra space when printing -subject and -issuer in x509

commit fb0303f in master. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3136 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4578] ARMv7a and failed self test

>>> ../test/recipes/30-test_evp.t .. >>> 1..1 >>> Test line 2163(aligned in-place): unexpected error VALUE_MISMATCH >>> Expected: >>> 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B

Re: [openssl-dev] [openssl.org #4545] Crash in crypto/rand/md_rand.c

On 20/06/16 10:49, Mick Saxton via RT wrote: > I modified your patch to also catch the similar problem in ssleay_rand_bytes. > Results from the instrumented tests attached. > > These tests were run on 64-bit Windows 7. > I have not specified a locking callback so will be using the default – coul

Re: [openssl-dev] [openssl.org #4545] Crash in crypto/rand/md_rand.c

I modified your patch to also catch the similar problem in ssleay_rand_bytes. Results from the instrumented tests attached. These tests were run on 64-bit Windows 7. I have not specified a locking callback so will be using the default – could this be the problem? Each thread has it’s own SSL_ctx

[openssl-dev] [openssl.org #4561] BUG: openssl-1.0.2h, evp_enc.c, non-portable bitwise operation

On Mon Jun 13 09:37:59 2016, loic.etie...@qnective.com wrote: > My claim about portability issues was wrong (sorry): The C-standard > ensures that positive values are handled in the two's complement > system, indeed. > > However, inl % block_size == inl & (block_size-1) is true if and only > if blo