Re: [openssl-dev] cert_cb and TLS tickets

2016-12-10 Thread Alessandro Ghedini
On Sat, Dec 10, 2016 at 11:13:48AM +0100, Fedor Indutny wrote: > This totally makes sense. Unfortunately, adding a new API method for this > means that I'll have to re-introduce ClientHello parser in bud, and make a > wider use of it in Node.js again. FWIW, BoringSSL offers an early callback that

Re: [openssl-dev] [openssl.org #4614] pthread_once and malloc failures

2016-07-11 Thread Alessandro Ghedini
On Mon, Jul 11, 2016 at 04:20:29PM +, Kurt Roeckx via RT wrote: > Hi, > > When trying to check what happens if we simulate malloc() > returning NULL I'm running into a problem that I'm not sure how to > deal with. > > We have CRYPTO_THREAD_run_once(), which takes an init() function > that

[openssl-dev] TLSv1.3

2016-05-08 Thread Alessandro Ghedini
Hello everyone, I know that I'm probably getting way ahead of myself here, but I thought it would be interesting to start looking into adding TLS 1.3 support to OpenSSL (for post 1.1.0 of course). Unfortunately I didn't get very far, so I'm hoping someone more experienced in TLS 1.3 and

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2016-02-08 Thread Alessandro Ghedini via RT
On Mon, Feb 08, 2016 at 05:30:52pm +, Nich Ramsey via RT wrote: > I said I would be willing to help, but got no reply on how best to ramp up > on developing a stable addition likely to be accepted by the dev team. FWIW, the necessary code has already been written (by me) for this particular

Re: [openssl-dev] [openssl.org #4271] Enhancement Request: Support TCP Fast Open

2016-02-08 Thread Alessandro Ghedini via RT
On Mon, Jan 25, 2016 at 06:24:55pm +, Sara Dickinson via RT wrote: > Hi, > > I would like to request that support be added to OpenSSL to enable client > applications to make use of TCP Fast Open > (https://tools.ietf.org/html/rfc7413 ) > when

[openssl-dev] [openssl.org #4253] [PATCH] Build system fixes for GCC

2016-01-17 Thread Alessandro Ghedini via RT
Hello, I opened two pull requests regarding fixes for builds using GCC: * Fix versioned GCC detection https://github.com/openssl/openssl/pull/552 * Support link time optimization with GCC https://github.com/openssl/openssl/pull/553 Cheers

Re: [openssl-dev] [openssl.org #4157] Download Documentation

2016-01-16 Thread Alessandro Ghedini via RT
Seems to me this can be closed now. Cheers ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4159] BUG ::: Null dereference in ssl3_free

2016-01-16 Thread Alessandro Ghedini via RT
Kurt said this is fixed in git, can be closed I guess. Cheers

Re: [openssl-dev] [openssl.org #4026] patches to eliminate some warnings from clang

2016-01-16 Thread Alessandro Ghedini via RT
Looks like some things are already fixed in master, does this need any more actions? Cheers

Re: [openssl-dev] [openssl.org #4219] [typos] DANE related docs

2016-01-16 Thread Alessandro Ghedini via RT
Seems fixed in master, so this can be closed. Cheers

Re: [openssl-dev] [openssl.org #4183] No SSL_CIPHER_description() for ChaCha20/Poly1305

2016-01-16 Thread Alessandro Ghedini via RT
Looks fixed in master, can probably be closed. Cheers

Re: [openssl-dev] [openssl.org #4140] GITHUB PULL REQUEST: do not load engines twice

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed. Cheers

Re: [openssl-dev] [openssl.org #4112] GH458: Fix "primarility" typo

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed. Cheers

Re: [openssl-dev] [openssl.org #4222] Wrong definition of the macro SSL_set1_sigalgs in ssl.h (PR #519)

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed now. Cheers

Re: [openssl-dev] [openssl.org #4174] Support the TLS Feature (aka Must Staple) X.509v3 extension (RFC7633)

2016-01-16 Thread Alessandro Ghedini via RT
PR merged, can be closed. Cheers

Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2016-01-16 Thread Alessandro Ghedini via RT
This has been (partially) fixed, so it can probably be closed.

Re: [openssl-dev] [openssl.org #4054] [BUG] engine-provided ciphers are unavailable for command-line utility

2016-01-16 Thread Alessandro Ghedini via RT
Seems that this works in master, so it can probably be closed. Cheers

Re: [openssl-dev] [openssl.org #4239] [PATCH] fixing wildcard matching on punycode domains

2016-01-16 Thread Alessandro Ghedini via RT
On Fri, Jan 15, 2016 at 06:08:38pm +, Viktor Dukhovni via RT wrote: > > > On Jan 15, 2016, at 10:32 AM, Zi Lin via RT wrote: > > > > > > Yes, this will get fixed. Thanks. Patches merged, can be closed now. Cheers

Re: [openssl-dev] '-CIPHER_DEBUG' error on 'dh_dsa'

2016-01-16 Thread Alessandro Ghedini
On Sat, Jan 16, 2016 at 01:51:28pm +0100, Gisle Vanem wrote: > Having '-DCIPHER_DEBUG' in the CFLAGS causes this error in > MingW (gcc 5.1): > ssl/ssl_lib.c:2499:58: error: 'dh_dsa' undeclared (first use in this > function) > dh_tmp, rsa_enc, rsa_sign, dsa_sign, dh_rsa, dh_dsa); >

Re: [openssl-dev] [PATCH][OpenSSL-1.0.2] making it possible to do async session lookup during session resumption

2016-01-06 Thread Alessandro Ghedini
On Wed, Jan 06, 2016 at 06:21:13AM +, Viktor Dukhovni wrote: > On Tue, Jan 05, 2016 at 02:44:32PM -0800, Zi Lin wrote: > > > Hi OpenSSL devs, > > > > I want to propose a patch that makes OpenSSL compatible with > > asynchronous session lookup during session resumption. > > I think this is a

Re: [openssl-dev] [openssl-team] Discussion: design issue: async and -lpthread

2015-11-23 Thread Alessandro Ghedini
On Tue, Nov 24, 2015 at 07:56:15am +1000, Paul Dale wrote: > Somewhat tangentially related to this is the how thread locking in OpenSSL is > slowing things up. > > We've been doing some connection establishment performance analysis recently > and have discovered a lot of waiting on locks is

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-11-11 Thread Alessandro Ghedini via RT
(sorry for the delay, but I've been travelling and moving) On Sat, Oct 31, 2015 at 11:01:22pm +, Brian Smith via RT wrote: > On Sat, Oct 31, 2015 at 11:50 AM, Alessandro Ghedini via RT <r...@openssl.org> > The point is to let the person building OPENSSL say "I want th

Re: [openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-11-11 Thread Alessandro Ghedini
On Sat, Oct 31, 2015 at 08:34:33am -0400, Steve Marquess wrote: > On 10/31/2015 08:26 AM, Alessandro Ghedini via RT wrote: > > Hi, > > > > I don't know what your intentions are with FIPS support in master, ... > > We would like to continue to provide a FIPS v

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-11-11 Thread Alessandro Ghedini via RT
On Wed, Nov 11, 2015 at 01:06:54PM +, Kurt Roeckx via RT wrote: > On Wed, Nov 11, 2015 at 12:37:56PM +0000, Alessandro Ghedini via RT wrote: > > On Wed, Nov 11, 2015 at 11:52:56AM +, Kurt Roeckx via RT wrote: > > > On Wed, Nov 11, 2015 at 11:16:56AM +, Alessandro Gh

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-11-11 Thread Alessandro Ghedini via RT
On Wed, Nov 11, 2015 at 11:52:56AM +, Kurt Roeckx via RT wrote: > On Wed, Nov 11, 2015 at 11:16:56AM +0000, Alessandro Ghedini via RT wrote: > > > > I also added support for explicit_bzero() on OpenBSD. > > An explicit_bzero() call is no better than whatever > OPENSSL

[openssl-dev] [openssl.org #4113] [PATCH] Cleanup and update README

2015-10-31 Thread Alessandro Ghedini via RT
Hi, the current README in master contains a lot of outdated information and some weird wording, so I prepared a patch to fix it. See the following GitHub pull request: https://github.com/openssl/openssl/pull/457 Cheers ___ openssl-bugs-mod mailing

[openssl-dev] [openssl.org #4114] Continuous integration for Windows

2015-10-31 Thread Alessandro Ghedini via RT
Hi, the current Travis CI setup lacks support for proper Windows support, so I prepared a patch to add configuration for the AppVeyor service [0] which provides continuous integration on Windows. See the following GitHub pull request: https://github.com/openssl/openssl/pull/456 Cheers [0]

[openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-10-31 Thread Alessandro Ghedini via RT
Hi, the current platform-generic implementation of OPENSSL_cleanse() is very weird and IMO overly complex (its initial intent was to cleanse with values other than 0, but AFAICT none of the asm implementations do it), so I reimplemented it in a simpler way. I was also wondering whether it would

[openssl-dev] [openssl.org #4115] [PATCH] Remove remaining FIPS code

2015-10-31 Thread Alessandro Ghedini via RT
Hi, I don't know what your intentions are with FIPS support in master, but after the removal of most of the fips/ code, several bits and pieces of now broken code have remained in the codebase. IMO it'd be better to just remove it for now. See the following GitHub pull request:

[openssl-dev] [openssl.org #4117] [PATCH] Remove useless locking code

2015-10-31 Thread Alessandro Ghedini via RT
Hi, in commit 070c233 I didn't notice that the CRYPTO_w_lock()/CRYPTO_w_unlock() calls are now useless, so I made a patch to fix that. See the following GitHub pull request: https://github.com/openssl/openssl/pull/454 Cheers

Re: [openssl-dev] [openssl.org #4116] [PATCH] Reimplement non-asm OPENSSL_cleanse()

2015-10-31 Thread Alessandro Ghedini via RT
On Sat, Oct 31, 2015 at 07:59:03PM +, Brian Smith via RT wrote: > Alessandro Ghedini via RT <r...@openssl.org> wrote: > > > I was also wondering whether it would make sense to just drop the asm > > implementations. Does the speed-up justify the added complexity? >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-30 Thread Alessandro Ghedini via RT
On Fri, Oct 09, 2015 at 05:02:47pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 07:57:21pm +0000, Alessandro Ghedini via RT wrote: > > FYI, I just pushed another patch that does the above (moving the check and > > sending an alert) which I think is the best o

[openssl-dev] Improving OpenSSL default RNG

2015-10-23 Thread Alessandro Ghedini
Hello everyone, (sorry for the wall of text...) one of the things that both BoringSSL and LibreSSL have in common is the replacement of OpenSSL's default RNG RAND_SSLeay() with a simpler and saner alternative. Given RAND_SSLeay() complexity I think it'd be worth to at least consider possible

Re: [openssl-dev] Improving OpenSSL default RNG

2015-10-23 Thread Alessandro Ghedini
On Fri, Oct 23, 2015 at 02:30:14pm +, Salz, Rich wrote: > I am very interested in cleaning this area up. We still do care about > Netware, OS/2, and VMS; I don't think we care about pre-XP Windows. Ok. > We have broader portability issues than boringSSL does, so my thoughts on > threading

Re: [openssl-dev] Improving OpenSSL default RNG

2015-10-23 Thread Alessandro Ghedini
On Fri, Oct 23, 2015 at 05:40:29PM +0300, Dmitry Belyavsky wrote: > Hello Alexander, > > On Fri, Oct 23, 2015 at 4:22 PM, Alessandro Ghedini <alessan...@ghedini.me> > wrote: > > > > So, any thought? If there's interest in this, I can look into investigating &

Re: [openssl-dev] Improving OpenSSL default RNG

2015-10-23 Thread Alessandro Ghedini
On Fri, Oct 23, 2015 at 04:34:11PM +0200, Dr. Matthias St. Pierre wrote: > > Hi, > > I have a related question concerning alternative RNGs, hope it is not too > off-topic: > > Currently we are using the NIST-SP800-90a compliant DRBG (fips_drbg_method()), > because it seemed to us to be more

Re: [openssl-dev] who wants to fix travis builds?

2015-10-20 Thread Alessandro Ghedini
On Fri, Oct 16, 2015 at 10:56:43am +0200, Andy Polyakov wrote: > I've opened the following PR to add support for GCC v5 and > address sanitizer (not sure if we want valgrind as well...): > https://github.com/openssl/openssl/pull/429 > > > > I've commented there on other -fsanitize

[openssl-dev] [openssl.org #4090] [PATCH] Assorted fixes

2015-10-12 Thread Alessandro Ghedini via RT
Hello, I've prepared a few patches to fix several minor-ish issues (I thought it didn't make much sense to submit them one by one). See GitHub pull request at: https://github.com/openssl/openssl/pull/436 The patches are: - Do not treat 0 return value from BIO_get_fd() as error (fixes RT#4068) -

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-12 Thread Alessandro Ghedini via RT
On Mon, Oct 12, 2015 at 01:45:20PM +, Hubert Kario via RT wrote: > On Friday 09 October 2015 18:05:19 Matt Caswell via RT wrote: > > On 09/10/15 19:02, Hubert Kario via RT wrote: > > > And for good measure, I also created a test script that > > > combines fragmentation with interleaving. > >

Re: [openssl-dev] who wants to fix travis builds?

2015-10-12 Thread Alessandro Ghedini
On Tue, Oct 06, 2015 at 07:41:13pm +, Salz, Rich wrote: > > I've opened the following PR to add support for GCC v5 and address sanitizer > > (not sure if we want valgrind as well...): > > https://github.com/openssl/openssl/pull/429 > > I've started the internal review. Asan is awesome.

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-09 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 07:57:21pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 06:26:27pm +0000, Alessandro Ghedini via RT wrote: > > On Thu, Oct 08, 2015 at 06:14:00pm +, Alessandro Ghedini via RT wrote: > > > On Thu, Oct 08, 2015 at 05:19:06pm +,

Re: [openssl-dev] [openssl.org #4084] correction to the message i sent earlier...

2015-10-09 Thread Alessandro Ghedini via RT
This was supposed to be a reply to another message (#4083), but a new report has been created instead. I think it can be closed. Cheers

Re: [openssl-dev] [openssl.org #3712] TLS Renegotiation with Java is broken

2015-10-09 Thread Alessandro Ghedini via RT
On Fri, Oct 09, 2015 at 06:05:19pm +, Matt Caswell via RT wrote: > > > On 09/10/15 19:02, Hubert Kario via RT wrote: > > And for good measure, I also created a test script that > > combines fragmentation with interleaving. > > Did you try my patch with it? And if so what happened? I just

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 12:47:21AM +, Moonchild via RT wrote: > Hello people, > > An enhancement request here for OpenSSL to add support for Camellia in GCM > with ECC key exchange. > > Rationale: > Camellia has been recognized as a modern and supported cipher by ENISA, > NESSIE, CRYPTREC,

Re: [openssl-dev] [openssl.org #4075] Enhancement request: Camellia ECDHE+GCM suites

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 11:39:56am +, Salz, Rich via RT wrote: > Also, note that the earliest this could happen is for 1.1 (it's a new > feature), and it's not high on our priority list for that release right now. > Patches that are regularly rebased against master would help. I rebase my

Re: [openssl-dev] [openssl.org #3982] [PATCH] Fix unhandled error condition in sslv2 client hello parsing

2015-10-08 Thread Alessandro Ghedini via RT
The GitHub pull request was merged, so this can be closed now. Cheers

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 04:12:50pm +, Hubert Kario via RT wrote: > The server does not abort connection upon receiving a Client Hello > message with malformed session_id field. > > Affects 1.0.1, 1.0.2 and master. > > In SSLv3 and all versions of TLS (e.g. RFC 5246), the SessionID is >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 06:14:00pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 05:19:06pm +0000, Alessandro Ghedini via RT wrote: > > On Thu, Oct 08, 2015 at 04:12:50pm +, Hubert Kario via RT wrote: > > > The server does not abort connection upon receiv

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 05:19:06pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 04:12:50pm +, Hubert Kario via RT wrote: > > The server does not abort connection upon receiving a Client Hello > > message with malformed session_id field. > > >

Re: [openssl-dev] [openssl.org #4080] Malformed Client Hello messages are accepted (session_id length)

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 06:26:27pm +, Alessandro Ghedini via RT wrote: > On Thu, Oct 08, 2015 at 06:14:00pm +0000, Alessandro Ghedini via RT wrote: > > On Thu, Oct 08, 2015 at 05:19:06pm +, Alessandro Ghedini via RT wrote: > > > On Thu, Oct 08, 2015 at 04:12:50pm +, H

Re: [openssl-dev] [openssl.org #4081] crypto/evp/e_dsa.c is orphaned

2015-10-08 Thread Alessandro Ghedini via RT
On Thu, Oct 08, 2015 at 04:18:53pm +, Kaduk, Ben via RT wrote: > crypto/evp/e_dsa.c contains only a single static struct variable, and > the file appears unreferenced from anywhere else in the tree. > > It should be safe to remove. This is now fixed in my "Remove useless code" patch at

Re: [openssl-dev] [openssl.org #4068] Bug ocsp - bio_get_fd

2015-10-02 Thread Alessandro Ghedini via RT
On Fri, Oct 02, 2015 at 02:06:12am +, vince technical address via RT wrote: > Hi, > > Can you tell me why in the source file "ocsp.c" (apps directory), the test > on the return of the function BIO_get_fd defines 0 as an invalid file > descriptor? > > if (BIO_get_fd (CBIO, & fd) <= 0) > >

Re: [openssl-dev] [openssl.org #4069] Malformed Client Hello messages are accepted (custom message padding and length)

2015-10-02 Thread Alessandro Ghedini via RT
On Fri, Oct 02, 2015 at 11:26:36am +, Hubert Kario via RT wrote: > Current git checkout of 1.0.1, 1.0.2 and master accept malformed Client > Hello messages. > > If the client sends a Client Hello message with extensions.length field > equal to 0, but padded with bytes > FF01 0001 00 > then

Re: [openssl-dev] [openssl.org #4069] Malformed Client Hello messages are accepted (custom message padding and length)

2015-10-02 Thread Alessandro Ghedini via RT
On Fri, Oct 02, 2015 at 11:51:10am +, Alessandro Ghedini via RT wrote: > On Fri, Oct 02, 2015 at 11:26:36am +, Hubert Kario via RT wrote: > > Current git checkout of 1.0.1, 1.0.2 and master accept malformed Client > > Hello messages. > > > > If the client s

Re: [openssl-dev] [openssl.org #3964] Fix OPENSSL_NO_STDIO build

2015-09-30 Thread Alessandro Ghedini via RT
On Wed, Sep 30, 2015 at 02:01:54am +, Rich Salz via RT wrote: > We fixed this in a slightly different way. We made BIO_new_file and BIO_s_file > return an alternate implementation that returns run-time failures. Almost all > of the OpenSSL code uses the BIO object, so we didn't have to remove

Re: [openssl-dev] who wants to fix travis builds?

2015-09-29 Thread Alessandro Ghedini
On Mon, Sep 28, 2015 at 08:49:12pm +0200, Andy Polyakov wrote: > > FWIW, Travis CI allows you to define specific builds to be "non-fatal". The > > failures would still be listed but they wouldn't affect the general state. > > See > > for example:

Re: [openssl-dev] [openssl.org #3986] [PATCH] Implement HKDF algorithm (RFC 5869)

2015-09-29 Thread Alessandro Ghedini via RT
Just FYI, I updated the GitHub pull request [0] with the following: - Merged patches into a single commit. This just makes more sense, and it's not much more complicated to review. - Added HKDF_Extract() function to the interface. This is basically equivalent to calling HMAC(), but the TLS

Re: [openssl-dev] who wants to fix travis builds?

2015-09-28 Thread Alessandro Ghedini
On Sun, Sep 27, 2015 at 10:32:11am +0200, Andy Polyakov wrote: > >>> - mingw debug and shared builds in master. > >> > >> While I can confirm problem with shared (fixable with attached > >> patch, please double-check), I can't confirm problem with debug > >> (please elaborate). > > > > I just

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 02:02:36pm +, Hubert Kario via RT wrote: > On Friday 25 September 2015 13:55:56 Alessandro Ghedini via RT wrote: > > On Fri, Sep 25, 2015 at 01:20:12pm +, Hubert Kario via RT wrote: > > > Current OpenSSL-1.0.1, 1.0.2 as well as state-machine-rewr

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 03:02:27pm +, Hubert Kario via RT wrote: > On Friday 25 September 2015 14:51:17 Alessandro Ghedini via RT wrote: > > As a matter of test I changed the ssl_get_message() in > > ssl3_get_client_hello() to use 0xFF (uint24 max) as maximum size, >

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 04:17:33PM +, Matt Caswell via RT wrote: > > > On 25/09/15 17:05, Alessandro Ghedini via RT wrote: > > On Fri, Sep 25, 2015 at 03:02:27pm +, Hubert Kario via RT wrote: > >> On Friday 25 September 2015 14:51:17 Alessandro Ghedini via RT

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 05:11:39pm +, Hubert Kario via RT wrote: > On Friday 25 September 2015 16:54:02 Alessandro Ghedini via RT wrote: > > On Fri, Sep 25, 2015 at 04:17:33PM +, Matt Caswell via RT wrote: > > > On 25/09/15 17:05, Alessandro Ghedini via RT wrote: >

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini
On Fri, Sep 25, 2015 at 07:06:31PM +0200, Hubert Kario wrote: > (since we're not talking about OpenSSL any more, I'm dropping the RT) > > On Friday 25 September 2015 16:54:02 Alessandro Ghedini via RT wrote: > > FWIW I checked a couple of TLS implementations I have around (Gnu

[openssl-dev] [openssl.org #4062] [PATCH] Fix build failure

2015-09-25 Thread Alessandro Ghedini via RT
Hello, due to commit a93d3e0 the ./config script currently fails with the error: > Operating system: x86_64-whatever-linux2 > This system (linux-x86_64) is not supported. See file INSTALL for details. see the following GitHub pull request for a fix: https://github.com/openssl/openssl/pull/412

Re: [openssl-dev] [openssl.org #4063] Client Hello longer than 2^14 bytes are rejected

2015-09-25 Thread Alessandro Ghedini via RT
On Fri, Sep 25, 2015 at 01:20:12pm +, Hubert Kario via RT wrote: > Current OpenSSL-1.0.1, 1.0.2 as well as state-machine-rewrite branches > reject Client Hello messages bigger than 2^14+4 bytes. IIRC SSLv3 does place the limit at 2^14 or so bytes, so I think the problem is that OpenSSL only

Re: [openssl-dev] who wants to fix travis builds?

2015-09-24 Thread Alessandro Ghedini
On Wed, Sep 23, 2015 at 03:57:18pm +0200, Andy Polyakov wrote: > > - mingw debug and shared builds in master. > > While I can confirm problem with shared (fixable with attached patch, > please double-check), Can confirm that your patch works. > I can't confirm problem with debug (please

Re: [openssl-dev] who wants to fix travis builds?

2015-09-24 Thread Alessandro Ghedini
On Thu, Sep 24, 2015 at 04:23:52pm +0200, Andy Polyakov wrote: > >>> - mingw debug and shared builds in master. > >> > >> While I can confirm problem with shared (fixable with attached patch, > >> please double-check), > > > > Can confirm that your patch works. > > > >> I can't confirm problem

Re: [openssl-dev] Request for new API for getting role of SSL endpoint

2015-09-24 Thread Alessandro Ghedini
On Fri, Sep 25, 2015 at 01:05:34am +0530, Devchandra L Meetei wrote: > Hey all Hi, > Just uploaded a patch at https://rt.openssl.org/Ticket/Display.html?id=4061 > for adding a new API for getting role, client or server. > > Please let me know what do you think of it. There seems to be no patch

Re: [openssl-dev] [openssl.org #4048] [PATCH] Fix potential read buffer overflow in PACKET_strndup()

2015-09-23 Thread Alessandro Ghedini via RT
The GitHub pull request was merged, so this can be closed. Cheers

Re: [openssl-dev] who wants to fix travis builds?

2015-09-23 Thread Alessandro Ghedini
On Wed, Sep 23, 2015 at 10:06:24AM +0200, Andy Polyakov wrote: > > Please see https://travis-ci.org/openssl/openssl/jobs/81672180 > > --debug is not recognized by earlier ./Configures? Yeah, it seems that earlier ./Configure only support the debug-$platform arguments. For general travis debug

[openssl-dev] [openssl.org #4052] [PATCH] Print debug info for extended master secret extension

2015-09-17 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/404 This is like RT#4016, but for extended master secret. Cheers

Re: [openssl-dev] OpenSSL 1.1.0 Release Timetable

2015-09-16 Thread Alessandro Ghedini
On Wed, Sep 16, 2015 at 11:16:18AM +0100, Matt Caswell wrote: > The OpenSSL Project team would like to announce the publication of our > current plans for the OpenSSL 1.1.0 release timetable. This has been > included in our release strategy available here: > >

[openssl-dev] [openssl.org #4048] [PATCH] Fix potential read buffer overflow in PACKET_strndup()

2015-09-16 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/399 It provides a short analysis of the problem and a fix. Cheers

Re: [openssl-dev] [openssl.org #3986] [PATCH] Implement HKDF algorithm (RFC 5869)

2015-09-16 Thread Alessandro Ghedini via RT
Hello, FYI I rebased the code [0] on master and updated it to use the new test suite framework. As mentioned in the GitHub PR, I kept the actual implementation and the tests on two separate commits for easier review, but if you prefer I can squash them together. Could someone please review this?

Re: [openssl-dev] [openssl.org #1542] others quick patches for memory leaks in pk7_smime.c and pk7_mime.c

2015-09-05 Thread Alessandro Ghedini via RT
The proposed patch is mangled and very hard to read, but I think all proposed changes have already been committed, or the code has been removed. So I think this can be closed now. Cheers

Re: [openssl-dev] [openssl.org #1543] memory leak in crypto/asn1/x_x509a.c

2015-09-05 Thread Alessandro Ghedini via RT
Same as #1542, the patch is mangled but I think everything is already fixed so this can be closed. Cheers

Re: [openssl-dev] [openssl.org #4030] Re: [openssl-dev #1542] others quick patches for memory leaks in pk7_smime.c and pk7_mime.c

2015-09-05 Thread Alessandro Ghedini via RT
On Sat, Sep 05, 2015 at 01:49:23pm +, Alessandro Ghedini via RT wrote: > The proposed patch is mangled and very hard to read, but I think all proposed > changes have already been committed, or the code has been removed. > > So I think this can be closed now. Ugh, w

Re: [openssl-dev] [openssl.org #4031] Re: [openssl-dev #1543] memory leak in crypto/asn1/x_x509a.c

2015-09-05 Thread Alessandro Ghedini via RT
On Sat, Sep 05, 2015 at 01:49:52pm +, Alessandro Ghedini via RT wrote: > Same as #1542, the patch is mangled but I think everything is already fixed so > this can be closed. Same as #4031. It was supposed to be a reply to #1543 and can be closed.

[openssl-dev] [openssl.org #4031] Re: [openssl-dev #1543] memory leak in crypto/asn1/x_x509a.c

2015-09-05 Thread Alessandro Ghedini via RT
Same as #1542, the patch is mangled but I think everything is already fixed so this can be closed. Cheers

[openssl-dev] [openssl.org #4030] Re: [openssl-dev #1542] others quick patches for memory leaks in pk7_smime.c and pk7_mime.c

2015-09-05 Thread Alessandro Ghedini via RT
The proposed patch is mangled and very hard to read, but I think all proposed changes have already been committed, or the code has been removed. So I think this can be closed now. Cheers

Re: [openssl-dev] [openssl.org #3985] [PATCH] Fix potential memory leaks

2015-09-03 Thread Alessandro Ghedini via RT
The corresponding GitHub pull request was merged, so this can be closed now. Cheers

Re: [openssl-dev] FW: Website changing this weekend

2015-09-03 Thread Alessandro Ghedini
On Mon, Aug 24, 2015 at 07:05:26pm +, Salz, Rich wrote: > > https://www.openssl.org/docs/fipsvalidation.html (the UserGuide links lead > > to nowhere, and a few others as well). > > I fixed the two that I found, thanks. FWIW there are a bunch of other broken references to the user guide pdf

Re: [openssl-dev] Continuous Integration for OpenSSL

2015-08-24 Thread Alessandro Ghedini
On Sat, Aug 22, 2015 at 12:55:43am +, Salz, Rich wrote: Thanks! We have several cross-compile builds running on Cisco's build farm. The more the merrier. I am sure ARM would be appreciated. Does this mean that you are not going to enable Travis CI? If anything this buildfarm didn't seem

[openssl-dev] [openssl.org #4016] [PATCH] Print debug info for ALPN extension

2015-08-22 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/371 Which simply adds ALPN to the -tlsextdebug output, so that the extension is not shown as unknown. Cheers

[openssl-dev] [openssl.org #4017] [PATCH] Implement Camellia GCM suites (RFC 6367)

2015-08-22 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/374 Which adds support for Camellia GCM and adds the correspondent TLS cipher suites. Most of the code comes from the AES GCM implementation, so maybe there's an opportunity for some refactoring there. This fixes issue

Re: [openssl-dev] [openssl.org #4017] [PATCH] Implement Camellia GCM suites (RFC 6367)

2015-08-22 Thread Alessandro Ghedini via RT
On Sat, Aug 22, 2015 at 01:17:36PM +, Stephen Henson via RT wrote: On Sat Aug 22 10:21:42 2015, alessan...@ghedini.me wrote: Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/374 Which adds support for Camellia GCM and adds the correspondent TLS cipher

[openssl-dev] Continuous Integration for OpenSSL

2015-08-21 Thread Alessandro Ghedini
Hello, given the recent incident with [0] I think it would make a lot of sense for the OpenSSL project to have some kind of continuous integration system in place, in order to catch similar problems more quickly. The easiest way would probably be to enable Travis CI [1] for the GitHub

Re: [openssl-dev] FW: Website changing this weekend

2015-08-21 Thread Alessandro Ghedini
On Thu, Aug 20, 2015 at 07:32:31pm +, Salz, Rich wrote: You can use the W3C link checker [0] for that, with an appropriate recursion depth. I know the links are broken :) I need script fixes -- see http://perlmonks.org/?node_id=1139219 I don't quite understand what you are trying

Re: [openssl-dev] FW: Website changing this weekend

2015-08-20 Thread Alessandro Ghedini
On Thu, Aug 20, 2015 at 06:57:39PM +, Salz, Rich wrote: There are still some href/link problems. I need a perl expert :) You can use the W3C link checker [0] for that, with an appropriate recursion depth. Cheers [0] https://validator.w3.org/checklink

[openssl-dev] [openssl.org #3985] [PATCH] Fix potential memory leaks

2015-08-05 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/354 which fixes memory leaks on error conditions in X509_add1_reject_object() and PKCS7_verify(). Cheers

[openssl-dev] [openssl.org #3986] [PATCH] Implement HKDF algorithm (RFC 5869)

2015-08-05 Thread Alessandro Ghedini via RT
Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/355 which implements the HMAC-based Extract-and-Expand Key Derivation Function (HKDF) as defined in RFC 5869, and used by QUIC and TLS 1.3. It comes with tests as defined in the Appendix A of the same RFC. Cheers

Re: [openssl-dev] [openssl.org #3985] [PATCH] Fix potential memory leaks

2015-08-05 Thread Alessandro Ghedini via RT
On Wed, Aug 05, 2015 at 11:01:13am +, Alessandro Ghedini via RT wrote: Hello, see GitHub pull request at https://github.com/openssl/openssl/pull/354 which fixes memory leaks on error conditions in X509_add1_reject_object() and PKCS7_verify(). I also added a couple more patches fixing

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-25 Thread Alessandro Ghedini via RT
On Tue, Mar 24, 2015 at 01:19:31PM +0100, Stephen Henson via RT wrote: On Fri Mar 20 13:20:07 2015, alessan...@ghedini.me wrote: Months have passed and I haven't received a reply yet (even worse, the recent obfuscation of the OCSP structures in 6ef869d7d0a9d made it impossible to

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-03-20 Thread Alessandro Ghedini via RT
On mar, gen 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in crypto/ocsp

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-31 Thread Alessandro Ghedini via RT
On mar, gen 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in crypto/ocsp

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-26 Thread Alessandro Ghedini via RT
On mar, gen 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in crypto/ocsp

Re: [openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-26 Thread Alessandro Ghedini via RT
On mar, gen 20, 2015 at 02:31:14 +0100, Alessandro Ghedini wrote: Currently the OCSP_basic_verify() function fails with many apparently valid OCSP responses (e.g. all those sent by Cloudflare servers). Other libraries (GnuTLS, NSS) have no problem with them. Essentially, in crypto/ocsp

[openssl-dev] [openssl.org #3668] [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain

2015-01-20 Thread Alessandro Ghedini via RT
38ce9b993e9ffc76416ccdc26dee53b24b2cd33c Mon Sep 17 00:00:00 2001 From: Alessandro Ghedini alessan...@ghedini.me Date: Tue, 20 Jan 2015 12:27:00 +0100 Subject: [PATCH] Don't use the cert list embedded in the OCSP response to build the trust chain Instead use the certificate stack passed by the user. This is required