Re: Gladman's Implementation in AES

2002-06-13 Thread Ben Laurie
Satria Bakti (13297096) wrote: > Hi, > > I'm doing some experiment on openssl-0.9.7-stable-SNAP-20020421. > I replaced the AES code (the original AES code) with > Brian Gladman's AES code (with some modification). > (http://fp.gladman.plus.com/cryptography_technology/rijndael/) > > Then, I meas

Re: getpid()

2002-06-13 Thread Ben Laurie
Bodo Moeller wrote: > On Sat, Jun 01, 2002 at 01:18:35PM +0100, Ben Laurie wrote: > > >>Also, the "thread id" may be used elsewhere - is there any point if its >>actually the PID? > > > Applications that are actually multi-threaded should (an

Re: [openssl.org #85] 0.9.7 prototype constification problems

2002-06-18 Thread Ben Laurie
Bodo Moeller wrote: > On Mon, Jun 17, 2002 at 07:02:45PM +0100, Ben Laurie wrote: > >>Avery Pennarun via RT wrote: >> >>>On Mon, Jun 17, 2002 at 11:19:31AM +0200, Bodo Moeller wrote: >> > >>>>Good question, but this problem does not appear to ap

Re: cvs commit: openssl/crypto/evp evp.h

2002-06-27 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > levitte 27-Jun-2002 07:03:04 > > Modified:crypto/evp evp.h > Log: > A number of includes were removed from evp.h some time ago. The reason > was that they weren't really needed any more for EVP itself. However, > it seems like some applications (I kn

Re: GMP-based ENGINE implementation

2002-06-30 Thread Ben Laurie
Geoff Thorpe wrote: > Any/all feedback is welcome. Patches too. :-) Interesting. Nice. I say commit it to HEAD. No time for it right now, but when I have it'll be much easier if its in CVS! Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit

Re: SSL_VERIFY_FAIL_IF_NO_PEER_CERT

2002-07-06 Thread Ben Laurie
Tom Wu wrote: > When I specify the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag to > SSL_CTX_set_verify, it has the intended effect if I set it on the server > side; a client not presenting a cert is rejected. Setting this on the > client side does not appear to have the same effect; a server that doe

Re: [openssl.org #147] [PATCH] The function print_name in apps/apps.c truncates X509_NAM Es that are longer than 255 characters

2002-07-16 Thread Ben Laurie
Harald Koch wrote: > Of all the gin joints in all the towns in all the world, Yuval Pemper > had to walk into mine and say: > >>Another problem with my code: the buffer I allocated wasn't freed... >>Thanks to Peter Sylvester for pointing this out. I also moved the >>allocation of the buffer to

Re: [openssl.org #147] [PATCH] The function print_name in apps/apps.c truncates X509_NAM Es that are longer than 255 characters

2002-07-16 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > Thanks for the tip. Now, how do we get this fix into an official codebase? I have a patch queued that fixes this. Cheers, Ben. > > Yuval > > -Original Message- > From: Harald Koch [mailto:[EMAIL PROTECTED]] > Sent: Mon, July 15, 2002 17:33 > To: [EMAIL PROT

Re: [openssl.org #151] S/MIME implementation doesn't follow MIME spec. Patch included.

2002-07-18 Thread Ben Laurie
Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Thu, 18 Jul >2002 11:17:41 +0200, Bodo Moeller <[EMAIL PROTECTED]> said: > > moeller> I think this is wrong. > moeller> > moeller> The output file is opened in text mode (not binary), so on systems > moeller> where line en

Re: [openssl.org #59] 0.9.7 EVP manual pages incomplete

2002-07-19 Thread Ben Laurie
Geoff Thorpe via RT wrote: > G'day, > > [levitte - Thu Jul 18 20:55:58 2002]: > > >>I just did a tentative addition of history. Please check it and >>complete it if needed. > > > Yup the history stuff looks great, thanks Richard. However I'm not sure > who understands the EVP behavioural ch

OpenSSL Security Alert - Remote Buffer Overflows

2002-07-30 Thread Ben Laurie
The project leading to this advisory is sponsored by the Defense Advanced Research Projects Agency (DARPA) and Air Force Research Laboratory, Air Force Materiel Command, USAF, under agreement number F30602-01-2-0537. The patch and advisory were prepared by Ben Laurie. Advisory 2

Re: [openssl.org #170] OpenSSLDie not exported in Win32

2002-07-30 Thread Ben Laurie
Lutz Jaenicke via RT wrote: > On Tue, Jul 30, 2002 at 04:10:45PM +0200, Richard Levitte - VMS Whacker via RT wrote: > >>In message <[EMAIL PROTECTED]> on Tue, 30 Jul 2002 >15:56:30 +0200 (CEST), Richard Levitte - VMS Whacker <[EMAIL PROTECTED]> said: >> >>levitte> In message <[EMAIL PROTECTED]>

OpenSSL patches for other versions

2002-07-30 Thread Ben Laurie
Enclosed are patches for today's OpenSSL security alert which apply to other versions. The patch for 0.9.7 is supplied by Ben Laurie <[EMAIL PROTECTED]> and the remainder by Vincent Danen (email not supplied). Patches are for 0.9.5a, 0.9.6 (use 0.9.6b patch), 0.9.6b, 0.9.6c, 0.9.7-

Re: Question about the latest security patch - malicious usage

2002-08-10 Thread Ben Laurie
Jeffrey Altman wrote: > The answer to your questions is 'yes'. As I understand it, the > patches were released as they are "for the time being" because it is > better to crash your application than allow the attacker to compromise > your computer. > > New patches will have to be released to prop

Re: cvs commit: openssl/demos/engines/rsaref rsaref.c

2002-08-11 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > Index: rsaref.c > === > RCS file: /e/openssl/cvs/openssl/demos/engines/rsaref/rsaref.c,v > retrieving revision 1.5 > retrieving revision 1.5.2.1 > diff -u -r1.5 -r1.5.2.1 > --- rsaref.c

Re: cvs commit: openssl/util mkerr.pl

2002-08-11 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > bodo02-Aug-2002 13:38:16 > > Modified:.Tag: OpenSSL-engine-0_9_6-stable CHANGES Configure > Makefile.org PROBLEMS STATUS config >crypto Tag: OpenSSL-engine-0_9_6-stable cryptlib.h mem.c >ssl

Re: OPENSSL slowness

2002-08-12 Thread Ben Laurie
David Schwartz wrote: > On Sun, 11 Aug 2002 17:54:49 -0700 (PDT), James Shelby wrote: > > >>My first thought was the same. Which brought up >>another interesting questionthe 32bit Pentium II >>333 is still faster than the UltraSparc 400. > > > Frankly, I don't find this surprising.

Re: Question about the latest security patch - malicious usage

2002-08-13 Thread Ben Laurie
Jeffrey Altman wrote: >>Jeffrey Altman wrote: >> >>>The answer to your questions is 'yes'. As I understand it, the >>>patches were released as they are "for the time being" because it is >>>better to crash your application than allow the attacker to compromise >>>your computer. >>> >>>New patches

Re: cvs commit: openssl/util mkerr.pl

2002-08-13 Thread Ben Laurie
Bodo Moeller wrote: > Ben Laurie <[EMAIL PROTECTED]>: > > >> As noted elsewhere, I really object to returning internal errors! >> It makes no sense to attempt to continue after the impossible has >> occurred. > > > If we could be abso

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Bodo Moeller wrote: > On Wed, Aug 14, 2002 at 01:24:32PM +0300, Arne Ansper wrote: > > >>[...] what if some standalone application thinks that the >>best solution for _its own_ problems is to reboot the machine? (happens >>all the time under the windows btw, you install some crap a

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Lutz Jaenicke wrote: > On Tue, Aug 13, 2002 at 07:45:30PM +0200, Bodo Moeller wrote: > >>On Tue, Aug 13, 2002 at 05:10:34PM +0100, Ben Laurie wrote: >> >>>Yes, and the application will continue as if it were sensible to do so. >> >>In fact it *is* often se

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Bodo Moeller wrote: > On Tue, Aug 13, 2002 at 05:10:34PM +0100, Ben Laurie wrote: > >>Bodo Moeller wrote: >> >>>Ben Laurie <[EMAIL PROTECTED]>: >> > >>>>As noted elsewhere, I really object to returning internal errors! >>>>

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Bodo Moeller wrote: > On Tue, Aug 13, 2002 at 08:09:02PM +0200, Lutz Jaenicke wrote: > >>On Tue, Aug 13, 2002 at 07:45:30PM +0200, Bodo Moeller wrote: >> >>>On Tue, Aug 13, 2002 at 05:10:34PM +0100, Ben Laurie wrote: >> > >>>>Yes, and the applic

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Arne Ansper wrote: > >>Example: when working through the internal session cache we learn, that >>the linked list is corrupted, we have dangling pointers and don't know >>what is going on. This would touch all threads using the same SSL_CTX. >>Thus: we don't know how to repair it -> abort(). > >

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Bodo Moeller wrote: > On Wed, Aug 14, 2002 at 01:53:29PM +0100, Ben Laurie wrote: > > >>>The consistency checks don't detect that memory *has* been corrupted. >>>They detect that memory *would* be corrupted if the library simply >>>continued to do what i

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Kenneth R. Robinette wrote: > Date sent:Wed, 14 Aug 2002 13:51:43 +0100 > From: Ben Laurie <[EMAIL PROTECTED]> > To: Arne Ansper <[EMAIL PROTECTED]> > Copies to:[EMAIL PROTECTED], > Bodo Moeller &l

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Arne Ansper wrote: > > On Wed, 14 Aug 2002, Ben Laurie wrote: > > >>The point is that the application is now in an inconsistent state and >>cannot reliably know anything. Even returning from a function could >>cause an exploit. The only safe thing to do is

Re: cvs commit: openssl/util mkerr.pl

2002-08-14 Thread Ben Laurie
Bodo Moeller wrote: > On Wed, Aug 14, 2002 at 03:39:03PM +0100, Ben Laurie wrote: > > >>So how did the buffer get to be too small? > > > Well, in one of the cases it was improper protocol data checking > (fixed in 0.9.6f). The others should really be impossible

Re: [PATCH] Supply missing prototypes for OpenSSL 0.9.6g

2002-08-19 Thread Ben Laurie
Rainer Orth wrote: > With the introduction of public key cryptography into the Network Time > Protocol (NTP v4, cf. http://www.ntp.org/), the current version of NTP > became a heavy user of OpenSSL. > > NTP developers strive to keep the sources warning-free with gcc (using > -Wall -Wcast-qual -Wm

Re: [Fwd: PKCS#11 engines revisited]

2002-08-20 Thread Ben Laurie
Matthias Loepfe wrote: > Hi > > I just want to give you some background information why AdNovum has > choosen the let's call it the 'interceptor-way' of implementing > the PKCS#11 functionality. > > We are working in an environment where the main purpose of the > hardware security modules (HSM)

Re: OpenSSL using a TRNG

2002-08-21 Thread Ben Laurie
Michael Sierchio wrote: > Leif Kremkow wrote: > >> I'm looking for some guidance. I'd like to change the OpenSSL library >> to be >> able to use a TRNG for all random numbers, not just to seed the PRNG. > > > There are no such devices which produce adequate quantities of random > material for

Re: Qn on buffer overflow checks in OpenSSL 0.9.6.g

2002-08-25 Thread Ben Laurie
Tushar wrote: > Hi, > > I have a question regarding the buffer overflow checks > in 0.9.6g. > > Why do we always check for > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER? > ^^^ > Shouldn't it be for > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER > ^^^ > > Line# 4

Re: Problem calling PKCS12_gen_mac() twice

2002-09-11 Thread Ben Laurie
Stefan Richter wrote: > Hi all, > > i have a problem with the PKCS12_gen_mac() which is called from within > PKCS12_verify_mac(). > I've a function which extracts the private key from a PKCS#12 file. If I > call it once all is fine, but if I call it twice (with the same or another > PKCS#12 file)

Re: [openssl.org #274] session ID length bug (in 0.9.6g and 0.9.7beta3)

2002-09-23 Thread Ben Laurie
Lutz Jaenicke wrote: > On Fri, Sep 20, 2002 at 10:34:27AM +0200, Bodo Moeller wrote: > >>On Thu, Sep 19, 2002 at 01:44:01PM +0200, Bodo Moeller via RT wrote: >> >>I don't know why that message is empty. What I wrote is that this >>should now be fixed in the current snapshots (0.9.6-stable and >>

Re: Why does OpenSSL_add_all_algorithms() exist?

2002-09-23 Thread Ben Laurie
Chris Brook wrote: > Those of us who make heavy use of the crypto library, with a limited group > of algorithms and without SSL, would certainly not want this pulling in all > the algorithms every time we call EVP_PKEY_new. What do you mean by "pulling in"? They get linked in anyway. And only th

Re: [PATCH] Adding Certicom licensing info

2002-09-25 Thread Ben Laurie
John O Goyo wrote: > Greetings: > > Certicom has intellectual property rights relating to safe primes in DH and > point compression in elliptic-curve cryptography. Really? Has that been tested? > I ask that the following patches be implemented to inform people of > these facts. Why would we wa

Re: Disabling the crypt() macro.

2002-09-26 Thread Ben Laurie
Sam Leffler wrote: > 0.9.7 caused massive havoc compiling kerberos 4 (and to some extent 5) when > I integrated beta 3 into the freebsd tree. The crypt() macro was a minor > annoyance. The bigger problem was the redefinition of the DES key state > block (from array to struct). openbsd apparentl

Re: FIPS 140-2 certification

2002-09-28 Thread Ben Laurie
Nathan Bardsley wrote: > Hello everyone! > > I work for a company that uses OpenSSH/OpenSSL to remotely support > systems we've sold. Since some of our clients are US Dept. of Defense > hospitals, our access to these servers needs to comply with a whole > range of requirements and standards.

Re: cvs commit: openssl/crypto/des des_old.h

2002-10-06 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > levitte 06-Oct-2002 02:23:34 > > Modified:crypto/des Tag: OpenSSL_0_9_7-stable des_old.h > Log: > Do not define crypt(). The supported function is DES_crypt() (and des_crypt() > when backward compatibility is desired). Hooray! Cheers, Ben. -- http:/

Re: possible bug in BN_dec2bn()

2002-10-14 Thread Ben Laurie
Bodo Moeller wrote: > On Mon, Oct 14, 2002 at 12:52:30PM +0200, Richard Levitte - VMS Whacker wrote: > > >The problem seems to be manifested in BN_dec2bn() because of >the BN_mul_words and BN_add_words (e.g. line b). Since the >upper parts of d aren't cleared out, those routines end

Re: DES CBC Error in 0.9.7 B4

2002-11-26 Thread Ben Laurie
Chris Brook wrote: Forget my previous email. destest is actually only passing 29 bytes I see, so the predicted ciphertext will of course be wrong if I pass 32 bytes for encryption. So what was the correct test entry in the end? Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://

Re: Concerns about the use of OPENSSL_cleanse()

2002-12-09 Thread Ben Laurie
Jeffrey Altman wrote: I think we need to take a very close look at the situations when it is safe to replace memset(buf,0,sizeof(buf)) with OPENSSL_cleanse(buf,sizeof(buf)). It is clearly safe to make this replacement when the buffer is a stack allocation because there can be no future use of

Re: [openssl.org #433] 0.9.7 compilation problem with Borland C++5.5

2003-01-14 Thread Ben Laurie
Richard Levitte - VMS Whacker via RT wrote: In message <[EMAIL PROTECTED]> on Tue, 14 Jan 2003 14:49:31 +0100 (MET), "Stephen Henson via RT" <[EMAIL PROTECTED]> said: rt> I've analysed this further and the cause seems to be that it bcc 5.5 rt> complains about taking the address of a structure tha

Re: [openssl.org #359] Calling SSL_read and SSL_write with non-empty error stack may cause an error

2003-01-31 Thread Ben Laurie
Bodo Moeller via RT wrote: On Tue, Nov 26, 2002 at 10:44:15PM +0200, Arne Ansper wrote: I just checked. Seems that SSL_CTX_use_certificate_chain_file has a same problem. Other uses of ERR_peek_error seem to be immune to the old entries in error stack. One theory is that applications should n

Re: [openssl.org #359] Calling SSL_read and SSL_write with non-empty error stack may cause an error

2003-02-01 Thread Ben Laurie
Arne Ansper wrote: I just checked. Seems that SSL_CTX_use_certificate_chain_file has a same problem. Other uses of ERR_peek_error seem to be immune to the old entries in error stack. One theory is that applications should not call arbitrary OpenSSL functions while there is stuff in the error

Re: [CVS] OpenSSL: openssl/crypto/engine/ engine.h openssl/crypto/evp/c_a...

2003-02-03 Thread Ben Laurie
Richard Levitte - VMS Whacker wrote: In message <[EMAIL PROTECTED]> on Sat, 1 Feb 2003 21:55:30 +0100 (CET), "Ben Laurie" <[EMAIL PROTECTED]> said: ben> OpenSSL CVS Repository ben>

Re: Guillou-Quisquater signatures

2003-03-08 Thread Ben Laurie
Eric Cronin wrote: The Guillou-Quisquater (GQ) signature scheme seems to be popular in theory literature due to its efficiency compared to other signature algorithms. In the real world however, there does not seem to be much use of GQ... It's not is any of the common cryptographic libraries (

Re: Guillou-Quisquater signatures

2003-03-09 Thread Ben Laurie
Eric Cronin wrote: a) How much more efficient is it? I don't know the answer to this one... Lacking any implementations to actually benchmark, all I have are some big-O space and time complexities as compared to RSA/DSA/ECDSA. This is why I was wondering if anyone had experience with it in t

[ADVISORY] Timing Attack on OpenSSL

2003-03-17 Thread Ben Laurie
I expect a release to follow shortly. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff OpenSSL v0.9.7a and 0.9.6i vulnerability -

Re: [ADVISORY] Timing Attack on OpenSSL

2003-03-18 Thread Ben Laurie
Corinna Vinschen wrote: Hi, is it recommended to apply the below patch to 0.9.6i as well? We're still releasing both versions, 0.9.6i and 0.9.7a in the Cygwin net distro. Yes. Corinna On Mon, Mar 17, 2003 at 08:47:01AM +0000, Ben Laurie wrote: I expect a release to follow shortly. --

Re: [PATCH] SSE2 inner loop for bn_mul_add_words

2003-06-20 Thread Ben Laurie
dean gaudet wrote: > hi there, i tried sending this ages ago but i guess some spam filters > probably lost it... i see i have to be subscribed to post stuff. Actually, I've been sitting on it waiting for some free time to take a look :-) Cheers, Ben. -- http://www.apache-ssl.org/ben.html

Re: as/400 port?

2003-06-26 Thread Ben Laurie
Brian C Morris wrote: > > Hi - > > We're entertaining the possibility of porting openssl to the AS/400 > (iSeries). > > It seems from searching the archives this effort has been started before > - but I assume not finished as I don't see reference to the platform in > the code? > > Is there st

Re: AES counter mode

2003-06-28 Thread Ben Laurie
Stephen Sprunk wrote: > Thus spake "Richard Levitte - VMS Whacker" <[EMAIL PROTECTED]> > >>lee_dilkie> (the other thing to remember is that CTR can be used with >>lee_dilkie> any block cipher, it's not limited to AES) >> >>Absolutely. However, since it's currently very obviously an >>experimenta

Re: -fPIC flag missing for asm/des_enc-sparc.

2003-08-03 Thread Ben Laurie
Peter Sylvester wrote: > Well, sorry for the message below. The > result is the destest crashes. > > So, on solaris, trying the "no-asm shared", somehow now > I get problems compiling engines, ok trying no-engine > since I don't have any. > > Why does engines insist to compile the engines wit

Re: [CVS] OpenSSL: openssl/crypto/evp/ c_all.c

2003-08-04 Thread Ben Laurie
Richard Levitte wrote: > OpenSSL CVS Repository > http://cvs.openssl.org/ > > > Server: cvs.openssl.org Name: Richard Levitte > Root: /e/openssl/cvs Email: [EMAIL PROTECTE

FIPS mode

2003-09-04 Thread Ben Laurie
I'm coming close to the end of the work to get OpenSSL FIPS-140ed. So, if people have comments/changes/concerns, they'd better get a move on and clue me in, because once its done we can't change it. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no

Re: FIPS mode

2003-09-05 Thread Ben Laurie
Verdon Walker wrote: > After reviewing the email archives for both the developer and user > groups, I have a lot of questions: Answers in quotes were written by someone else, answers not in quotes are my own. > - What platforms are being FIPS certified? "The formal test platform is HP-9000/HP-UX

Re: FIPS mode

2003-09-05 Thread Ben Laurie
Mathias Brossard wrote: > On Fri, 2003-09-05 at 11:55, Ben Laurie wrote: > >>>- What version of OpenSSL does it correspond to? 0.9.7b? >> >>"Yes, and the FIPS specific routines will be carried forward in future >>OpenSSL releases. Only the "cryp

Re: FIPS mode

2003-09-05 Thread Ben Laurie
Chris Brook wrote: > If I read your reply right, responsibility for DAC and Known Answer Test > checking is the responsibility of the app developer, though you will provide > the DAC checksum for the crypto module. Have you also included the KATs, > since they essentially exist the OpenSSL test m

Re: FIPS mode

2003-09-06 Thread Ben Laurie
Chris Brook wrote: > Item #2: typically FIPS-140 certified code is delivered as a binary, > tested by a lab and checked at both source and binary level, so the > opportunity to modify is not there (DAC test will fail). With > OpenSSL source that's not the case unless the developer of the > produc

Re: FIPS mode

2003-09-07 Thread Ben Laurie
Mathias Brossard wrote: > On Fri, 2003-09-05 at 19:59, Ben Laurie wrote: > >>Mathias Brossard wrote: >> >>>- Asymmetric: DSA, RSA, ECDSA >> >>Not my understanding. Anyway, DSS only. RSA can't be, and ECDSA we >>aren't doing. > > &g

Re: [CVS] OpenSSL: OpenSSL-fips-0_9_7-stable: openssl/fips/ Makefile.ssl

2003-09-08 Thread Ben Laurie
Richard Levitte wrote: > OpenSSL CVS Repository > http://cvs.openssl.org/ > > > Server: cvs.openssl.org Name: Richard Levitte > Root: /e/openssl/cvs Email: [EMAIL PROTECT

Re: A couple more FIPS questions

2003-09-09 Thread Ben Laurie
Verdon Walker wrote: > I have downloaded the latest FIPS snapshot (9/9) and I have a couple > more questions about it: > > 1) How do I build it? If I just do a "./config" (Linux) and "make", it > will build everything, but I'm not sure I'm getting all the FIPS stuff. > Do I need to specify someth

Re: A couple more FIPS questions

2003-09-10 Thread Ben Laurie
Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Tue, 09 Sep 2003 13:55:43 -0600, "Verdon Walker" > <[EMAIL PROTECTED]> said: > > VWalker> I have downloaded the latest FIPS snapshot (9/9) and I have a couple > VWalker> more questions about it: > VWalker> > VWalker> 1) How

Re: A couple more FIPS questions

2003-09-10 Thread Ben Laurie
Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Wed, 10 Sep 2003 09:45:29 +0100, Ben Laurie > <[EMAIL PROTECTED]> said: > > ben> Richard Levitte - VMS Whacker wrote: > ben> > In message <[EMAIL PROTECTED]> on Tue, 09 Sep 2003

Re: [CVS] OpenSSL: OpenSSL-fips-0_9_7-stable: openssl/fips/dsa/ fips_dsate...

2003-09-10 Thread Ben Laurie
Richard Levitte wrote: > OpenSSL CVS Repository > http://cvs.openssl.org/ > > > Server: cvs.openssl.org Name: Richard Levitte > Root: /e/openssl/cvs Email: [EMAIL PROTECT

Re: [CVS] OpenSSL: OpenSSL-fips-0_9_7-stable: openssl/ Configure

2003-09-14 Thread Ben Laurie
Richard Levitte - VMS Whacker wrote: > In message <[EMAIL PROTECTED]> on Sat, 13 Sep 2003 18:57:57 +0200 (CEST), "Ben > Laurie" <[EMAIL PROTECTED]> said: > > ben> OpenSSL CVS Repository &

Re: bignum feedback needed

2003-11-02 Thread Ben Laurie
Geoff Thorpe wrote: > There is a patch that illustrates how I've been going about the crypto/bn/ > "audit" that can be browsed/downloaded at; > > http://www.openssl.org/~geoff/bn_debug.diff > > The comment in the bn.h header changes explains what the basic idea is and > of course the macro d

Re: Accelerating RSA Key Generation

2003-12-05 Thread Ben Laurie
David Schwartz wrote: One of the applications we are working on requires us to generate RSA key pairs at a rate of about 20-25 key pairs/second is there any application out there which can do this?? is using /dev/random, /etc/entropy or accelerator card with RNG any faster?? and can this achieve t

Re: [CVS] OpenSSL: OpenSSL_0_9_7-stable: openssl/crypto/rand/ rand_unix.c ...

2003-12-28 Thread Ben Laurie
Richard Levitte wrote: + +#ifdef __OpenBSD__ + /* given that all random loads just fail if the file can't be + * seen on a stat, we stat the file we're returning, if it + * fails, use /dev/arandom instead. this allows the user to + * use their own source for good random data, but d

FIPS and Windows

2004-04-09 Thread Ben Laurie
I have been told that the FIPS code doesn't work on Windows. Unfortunately, I don't build OpenSSL on Windows, so that's not something I can fix. But unless it is fixed, the FIPS certification will not apply to builds made on Windows, because the certification requires the use of unmodified sour

Re: [CVS] OpenSSL: OpenSSL-fips-0_9_7-stable: openssl/ Configure

2004-04-16 Thread Ben Laurie
Richard Levitte wrote: OpenSSL CVS Repository http://cvs.openssl.org/ Server: cvs.openssl.org Name: Richard Levitte Root: /e/openssl/cvs Email: [EMAIL PROTECTED] Module:

Re: Inclusion of FIPS

2004-05-13 Thread Ben Laurie
Jeffrey Altman wrote: Steve: Thank you for the answer. Just fyi, I and Richard Levitte did spend time to get the code to work on Windows to the extent that was possible without an answer to the questions you have now answered. One concern with your answer is that it appears to imply that FIPS cer

Re: FIPS questions

2004-05-14 Thread Ben Laurie
Troy Monaghen wrote: 2) I have a multi-threaded AIX application for which I needed to add a couple of compiler flags in the OpenSSL Configure script in order to support threading under AIX. After the FIPS code is validated would making this change be allowed within the security policy? Yes. Would

Re: Inclusion of FIPS

2004-05-14 Thread Ben Laurie
Michael Sierchio wrote: Ben Laurie wrote: My understanding is that our security policy is that if you can show a chain of SHA-1 HMAC signatures from the certified source to whatever-it-is-you-are-running, then you are certified. We provide one mechanism to do that. You can provide others. Note

Re: FIPS 140 related patches

2004-06-24 Thread Ben Laurie
Dr. Stephen Henson wrote: Then the EVP routines would just check to see if EVP_FIPS_MD or EVP_FIPS_CIPHER is set in the flags field in FIPS mode. Which EVP routines need to be visited? I could leave out the non-FIPS algorithms in OpenSSL_add_all_{ciphers|digests} as you suggested in an earlier msg

Re: FIPS 140 related patches

2004-06-25 Thread Ben Laurie
Dr. Stephen Henson wrote: On Thu, Jun 24, 2004, Ben Laurie wrote: Dr. Stephen Henson wrote: Well my personal perference would be to give a hard assertion error in EVP_DigestInit_ex() and EVP_CipherInit_ex() because a non-FIPS algorithm will only appear in there due to an application source error

Re: SSL session ID generation

2004-11-24 Thread Ben Laurie
victor sherbinin wrote: I'm wondering whether generation of SSL session ID has to be based on random numbers. In my system, it would be more comfortable for me to generate a sequentially incrementing 64-bit or 128-bit session ID, with some constant padding. Does this violate the security of SSL in

Re: SSL session ID generation

2004-11-25 Thread Ben Laurie
Jack Lloyd wrote: On Wed, Nov 24, 2004 at 10:06:10PM +, Ben Laurie wrote: victor sherbinin wrote: I'm wondering whether generation of SSL session ID has to be based on random numbers. In my system, it would be more comfortable for me to generate a sequentially incrementing 64-bit or 12

Re: Why is top bit forcibly set in DH secret exponent?

2004-12-14 Thread Ben Laurie
Jim Schneider wrote: Sorry, I goofed - I thought we were talking about generating the prime for DH, not the subsequent operations. In the case of the secret exponents, there's no real justification for it (x just needs to be larger than C*ln(p)/ln(g), where g is the DH generator, p is the DH pr

WTF?

1998-12-31 Thread Ben Laurie
n the offending files doesn't seem to remove the -kb... Any ideas? Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: [EMAIL PROTECTED] | A.L. Digital Ltd, |

Re: Problem with pem.h

1998-12-31 Thread Ben Laurie
I think. Do we need pem.org? Actually, what really needs doing is to build pem before err. Fixed. You'll need to Configure again to see the fix. Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.

Dependencies

1998-12-29 Thread Ben Laurie
py of Makefile.ssl instead of a link, perhaps? Use includes? What? Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: [EMAIL PROTECTED] | A.L. Digital Ltd, |A

Re: Dependencies

1998-12-29 Thread Ben Laurie
Dr Stephen Henson wrote: > > Ben Laurie wrote: > > > > What are we going to do about them? They are currently slapped on the > > end of Makefile.ssl in the traditional way, but of course this causes a > > problem with CVS. > > > > Developing witho

Re: Error codes.

1998-12-30 Thread Ben Laurie
Dr Stephen Henson wrote: > > Better change the subject... > > Ben Laurie wrote: > > > > > > Isn't that how its done already? But anyway, that wasn't what I meant - > > I mean how do we deal with the result of doing a "make depend", whic

Re: CVS Web Interface established

1998-12-30 Thread Ben Laurie
anches are involved). Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: [EMAIL PROTECTED] | A.L. Digital Ltd, |Apache-SSL author http://www.apache-ssl.o

Re: CVS Web Interface established

1998-12-30 Thread Ben Laurie
igure.diff?r1=1.1&r2=1.2&hideattic=1&sortbydate=0 which should be (I assume): http://www.openssl.org/source/cvs/Configure.diff?r1=1.1.1.3&r2=1.2&hideattic=1&sortbydate=0 Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax

Re: Problem with pem.h

1998-12-30 Thread Ben Laurie
I think. Do we need pem.org? Ah, shit. I had this problem with my CVS tree, but I forget what the resolution was. Its late, so I'll look into it tomorrow. I _really_ wish I didn't have to do all this twice :-) Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Gro

-kb revisited

1998-12-31 Thread Ben Laurie
y get that way in the first place? Cheers, Ben. -- Ben Laurie|Phone: +44 (181) 735 0686| Apache Group member Freelance Consultant |Fax: +44 (181) 735 0689|http://www.apache.org/ and Technical Director|Email: [EMAIL PROTECTED] | A.L. Digital Ltd, |Apache-SSL author

Re: openssl binary

1999-01-01 Thread Ben Laurie
can be run as separate programs rather than via > "ssleay x509" etc? I've never liked or used them, but do others think that > they are useful? I've never even noticed them, so I'm quite happy to lose them! However, isn't that likely to break things for use

Re: Certificate extensions: thoughts.

1999-01-01 Thread Ben Laurie
ose > which are based on hashes of things like public keys etc. Presumably the first case can be handled by allowing the config to be overridden on the command line (with just name-value pairs, as in the config file, or perhaps it would have to be something like "extension.name=value"

Re: PKCS#12 program v 0.53a

1999-01-02 Thread Ben Laurie
Dr Stephen Henson wrote: > > Hmm lets try this again... What was wrong with the first attempt? Cheers, Ben. -- "My grandfather once told me that there are two kinds of people: those who work and those who take the credit. He told me to try to be in the first group; there was less competition

Re: What about the old/working files still left from Eric?

1999-01-03 Thread Ben Laurie
Ralf S. Engelschall wrote: > > In article <[EMAIL PROTECTED]> you wrote: > > On Sat, 2 Jan 1999, Ralf S. Engelschall wrote: > > >> What about those old/working files Eric left in the SSLeay 0.9.1b > >> source tree and which are still part of our CVS tree? These > >> old/* (e.g. crypto/bn/old/) a

Re: some bugs

1999-01-04 Thread Ben Laurie
Arne Ansper wrote: > > hi! > > i would like to report some bugs in ssleay. unfortunately i don't have > diffs against latest openssl source, but the fixes are really small, so i > hope it's not too much trouble to incorporate them. > > 1) crypto/bio/b_printf.c uses static buffer for vsprintf wh

Re: some bugs

1999-01-05 Thread Ben Laurie
Arne Ansper wrote: > > > 5) crypto/err/err.c ERR_get_state has static variable fallback. this > > > should be initalized before returning pointer to it. > > > > As far as I can see it is only used when allocation fails. In this case, > > what should it be initialised to? > > at least top and bott

Re: some bugs

1999-01-05 Thread Ben Laurie
Ralf S. Engelschall wrote: > > In article <[EMAIL PROTECTED]> you wrote: > > >> Since it is a static, they will already be clear. > > > you are right. > > Nevertheless it's clean coding style to initialize the stuff explicitly IMHO. > Because this "ANSI C requires static's to be initialized to

Re: some bugs

1999-01-05 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > > >BTW, it isn't ANSI, its just C. > > This brings up another question. > > How important is 16bit and K&R C support? > > I claim it's feasible to leave those platforms dead-ended with SSLeay0.9.b. > > I'd really like to see us move to prototypes, const, etc. So wo

Re: some bugs

1999-01-05 Thread Ben Laurie
Arne Ansper wrote: > > > 8) ssl/s2_pkt.c and ssl/s3_pkt.c write_pending and > > > ssl3_write_pending have unnecessary check at the beginning which stops > > > me from moving data around in my buffers between calls to SSL_write. > > > this data is already copied to internal buffers and there is no

Re: some bugs

1999-01-05 Thread Ben Laurie
[EMAIL PROTECTED] wrote: > > >For large structures this maybe the case, yes. But even there you either > >already use some sort of constructors or at least just can initialize it > with > >a memcpy(ptr, 0, sizeof(ptr)) explicitly. > Note that the memcpy idea is wrong for two reasons: > It

Re: Call for SSL details for CGI/1.1

1999-01-11 Thread Ben Laurie
Rodent of Unusual Size wrote: > Thanks for the pointer to the tables. Anyone have any additional > information? (I haven't looked at the URLs yet, but) Do these > apply to Apache-SSL and Stronghold as well, or just mod_ssl? Apache-SSL's are described on the webpage: http://www.apache-ssl.org/doc
