On Sat, Feb 23, 2008 at 10:44:15AM +0100, Dominik Herrmann wrote:
Hi all,
the TLS spec allows for padding TLS record messages with random length
(up to 256 bytes) which helps to disguise the actual length of messages.
I wondered if this has been implemented in openssl yet, but apparently
On Tue, Jan 29, 2008 at 10:22:16PM +0200, Paul Sheer wrote:
I find it hard to believe that there exists a platform where:
On FreeBSD/OpenBSD my program outright core dumped and I could not
figure out why for days and days. Now I have two separate builds - one built
with -D_REENTRANT
On Tue, Jan 29, 2008 at 07:54:54AM -0800, David Schwartz wrote:
There is no global variable named errno, it only exist in the TLS. You
could say that because there is only 1 TLS, that it's global, and it
acts that way. But it's not really the same as a normal global
variable. You
On Mon, Jan 21, 2008 at 05:34:43PM -0800, David Schwartz wrote:
- there is no difference between
multithreaded and non-multithreaded _compilation_ (surely not for errno
and malloc).
Really? So 'errno' refers to a process global in both cases?! (Note that I
said the definition, not the
On Mon, Jan 28, 2008 at 02:22:09PM -0800, David Schwartz wrote:
errno is stored in Thread Local Storage (TLS). You can't link to the
global errno anymore.
For a single-threaded process, there is no distinction between thread-local
storage and a global variable. For a multi-threaded
On Mon, Jan 21, 2008 at 09:24:34AM +0100, Tomas Mraz wrote:
On Sun, 2008-01-20 at 11:59 -0800, David Schwartz wrote:
I should be able to create a multithreaded application using
a non-multithreaded openssl build provided that I have an ssl
context per thread.
Most definitely not. At
On Thu, Jan 17, 2008 at 07:07:48PM -0500, Dave Thompson wrote:
3. Also (in g only) if aes-*-ige is included in the test set,
as it (now) is by default, subsequent tests or shutdown may fail
in any of various ways, because that mode uses IV of 2block = 32B
but only 1AESblock = 16B is
On Sat, Jan 19, 2008 at 03:40:12PM -0500, Brad House wrote:
I compiled OpenSSL (0.9.8g) with my own random number engine - in order to
generate
pseudo random numbers that are not based on unitialized values (if you run
openssl
without doing this you get infinite warnings - of course).
The
On Wed, Nov 07, 2007 at 08:51:45PM +0100, Simon Vallet via RT wrote:
Hi,
The system in question is indeed a Debian machine -- I should have
mentioned that previously. I can confirm that the libcrypto bundled
in e.g. FC7 does not contain such relocs (which, since it doesn't seem
to be an
On Mon, Nov 05, 2007 at 10:39:58AM +0100, Andy Polyakov wrote:
I believe that -Bsymbolic only gives you a fall sense of security and only
makes it a little harder to replace some functions, but not that much.
Consider following snippet:
void foo(){}
void bar(){foo();}
[...]
-Bsymbolic
Hi,
I would like to remove as many as possible symbols from the symbol table
that are not part of any API. One way of doing that is making those
symbols static. This might also have other positive side effects.
I've tried to find all variables and functions that are only used in 1
file, and
On Sat, Nov 03, 2007 at 10:26:14PM +0100, Andy Polyakov wrote:
[EMAIL PROTECTED]:~$ readelf -r
/usr/src/openssl-0.9.8e/i686/cmov/libcrypto.so.0.9.8
[...]
0006354c 000ce102 R_386_PC3200062630 DES_encrypt2
...
0006bd93 000c3e02 R_386_PC320006b820 BF_decrypt
[...]
On Sat, Oct 27, 2007 at 08:58:59PM +0200, Andy Polyakov via RT wrote:
Double-checking yields the following buried between 0x0013 relocs :
[EMAIL PROTECTED]:~$ readelf -r
/usr/src/openssl-0.9.8e/i686/cmov/libcrypto.so.0.9.8
[...]
0006354c 000ce102 R_386_PC3200062630
On Mon, Oct 22, 2007 at 12:07:30PM +0200, Simon Vallet via RT wrote:
Hi,
On 10/22/07, Andy Polyakov via RT [EMAIL PROTECTED] wrote:
avc: denied { execmod } for pid=1875 comm=ntpdate \
path=/usr/lib/i686/cmov/libcrypto.so.0.9.8 dev=sda8 ino=325290 \
On Wed, Oct 17, 2007 at 02:25:13PM +0200, [EMAIL PROTECTED] via RT wrote:
I found this problem originally when trying to use OpenSSH linked
against the new OpenSSL. I get the following error:
$ ssh -V
OpenSSL version mismatch. Built against 90805f, you have 908070
[...]
So OpenSSH stops
On Tue, Oct 16, 2007 at 01:54:44AM +0200, Dr. Stephen Henson wrote:
On Mon, Oct 15, 2007, Kurt Roeckx wrote:
Hi,
The security announcement had this in it:
Recommendation
--
Either
a) Upgrade to the latest version of OpenSSL (0.9.8f) and rebuild all
Hi,
The security announcement had this in it:
Recommendation
--
Either
a) Upgrade to the latest version of OpenSSL (0.9.8f) and rebuild all
packages using OpenSSL for DTLS.
or,
b) Disable DTLS.
How do I disable DTLS?
Is there an easy way I can build the library so
Hi,
It seems that in 0.9.8f you did an ABI change in struct ssl_st.
The problem is this change:
+ unsigned int max_send_fragment;
This will break things when something was build against the headers
from 0.9.8e or an older 0.9.8 versions and runs with a 0.9.8f versions.
Such a change needs
On Sat, Oct 13, 2007 at 01:59:38PM +0200, Kurt Roeckx wrote:
Hi,
It seems that in 0.9.8f you did an ABI change in struct ssl_st.
The problem is this change:
+ unsigned int max_send_fragment;
This will break things when something was build against the headers
from 0.9.8e or an older
On Tue, Sep 04, 2007 at 05:22:43PM +0200, Stephen Henson via RT wrote:
An alternative technique is mentioned in:
http://marc.info/?l=openssl-devm=118001266831974w=2
There patch from that thread is at:
http://marc.info/?l=openssl-devm=117983173402236w=2
There is also:
Hi,
I've just been informed that there has been a CVE published about
openssl. You can see some of it at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://www.securityfocus.com/bid/25163/solution
http://openssl.org/news/patch-CVE-2007-3108.txt
But I haven't seen an
On Fri, Jun 08, 2007 at 05:00:37PM -0700, David Schwartz wrote:
Using the Intel 9.1 compiler on an IA64 system the performance of
AES and (to a lesser extent) other algorithms implemented in
assembly language is less than that using gcc. I've included the
speed output for several of the
On Tue, May 22, 2007 at 02:34:47PM +0400, Dmitri Dmitrienko wrote:
With that change, I can actually create a shared libcrypto.so without
using -Bsymbolic.
Great work, Kurt!
Would you please send me a patch? or patch openssl sources directly?
Here is a patch that works for me. I've only
On Sun, May 20, 2007 at 02:42:59PM +0200, Andy Polyakov via RT wrote:
Title: Failed to link static openssl libraries (or non-PIC x86_64cpuid.s)
OS: FC4
HARDWARE: AMD x86 64bit
OPENSSL VERSION: 0.9.8e
OPTIONS:
CFLAGS=-fPIC -O2 ./config no-dso no-shared no-threads
no-zlib -fPIC -O2
On Sun, May 20, 2007 at 03:21:56PM +0200, Andy Polyakov wrote:
The problem is that he's trying to make a shared library linked to a
static library, and the static library isn't built with -fPIC.
No. The way I read it, his static library is build with -fPIC. The user
Right, it seems that it
On Fri, Mar 02, 2007 at 10:19:31AM -0500, Richard Salz wrote:
Maybe valgrind should have a rule put in place which resets the
uninitialized data bit in the memory bitmap over the block of data
returned by the low level RAND_() functions provided by OpenSSL.
Yes, exactly my point.
On Fri, Mar 02, 2007 at 02:06:09PM +1100, Erik de Castro Lopo wrote:
Hi all,
I'm working with version 0.9.8c distributed as part of Ubuntu but
I have also veryfied that the same problem exists with the latest
release 0.9.8e.
Please see:
On Fri, Jan 05, 2007 at 12:06:15AM +0100, Andy Polyakov wrote:
Guys,
I've written some ARM assembler and would like to benchmark it. So if
anybody on the list has access to linux-arm hardware, please contact me
for instructions. A lot of thanks in advance. A.
I have access to one of
On Fri, Dec 22, 2006 at 05:34:08PM -0500, Mike Frysinger wrote:
On Friday 22 December 2006 10:58, Andy Polyakov wrote:
right now you need to include sys/types.h yourself before trying to
include openssl/sha.h or the build fails ... this patch does what some of
other openssl headers do
On Sat, Dec 16, 2006 at 08:03:43PM +0100, Goetz Babin-Ebell wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hello Ralf,
via RT wrote:
[EMAIL PROTECTED] ~]$ openssl s_client -connect mail.buu.ch:25
-starttls smtp -debug
[...]
I have a patch for s_client which allows
On Wed, Nov 08, 2006 at 12:47:03PM -0800, David Schwartz wrote:
But it gets cast back to the correct type before it is called. These
casts are done the way they are to get type-safety. Removing that option
strikes me as a bad thing.
It does not. Look closely at how these functions work:
On Mon, Oct 16, 2006 at 11:47:48AM +0200, ThMO via RT wrote:
What I would like to see is a single Makefile doing both in one go, which
simplies things a lot, e.g. considering the openssl binary, the following
procedure is needed:
· make -f Makefile.shared
· installing the stuff
· make -f
On Sun, Oct 15, 2006 at 08:18:59PM +0200, ThMO via RT wrote:
Hello,
I've attached a small unified diff, fixing a problem:
· crypto/rand/rand_unix.c:
linux kernel v2.0.35 doesn't support the `poll' system call, so this
file will only compile with the patch applied.
I've enclosed
On Sun, Oct 15, 2006 at 08:18:59PM +0200, ThMO via RT wrote:
Hello,
I've attached a small unified diff, fixing a problem:
· crypto/rand/rand_unix.c:
linux kernel v2.0.35 doesn't support the `poll' system call, so this
file will only compile with the patch applied.
I've enclosed
On Fri, Jun 23, 2006 at 04:36:07PM +0100, Joe Orton wrote:
Log:
New functions CRYPTO_set_idptr_callback(),
CRYPTO_get_idptr_callback(), CRYPTO_thread_idptr() for a 'void *' type
thread ID, since the 'unsigned long' type of the existing thread ID
does not always work
On Tue, Jun 20, 2006 at 02:06:25PM +0200, Bodo Moeller wrote:
On Fri, Jun 09, 2006 at 07:02:36PM +0200, Kurt Roeckx wrote:
On Fri, Jun 09, 2006 at 12:58:56PM +0200, Howard Chu via RT wrote:
Given the lack of response here, we're tracking this now as
http://www.openldap.org/its/index.cgi
On Mon, Jun 12, 2006 at 04:48:07PM +0200, authesserre samuel wrote:
- fragmentation seems to not work too (based on MTU move on network
interface so I'm not sure that the test is correct)
Is this related to:
http://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=1245
Kurt
On Fri, Jun 09, 2006 at 12:58:56PM +0200, Howard Chu via RT wrote:
Howard Chu wrote:
I'm seeing a lot of bad record mac errors when receiving a lot of
connection requests at once. It sounds the same as this email
http://www.redhat.com/archives/rhl-list/2005-May/msg01506.html
which
On Tue, May 02, 2006 at 12:34:12AM +0200, Ulf Möller wrote:
Kurt Roeckx schrieb:
What I currently see as best option is to actually comment out
those 2 lines of code. But I have no idea what effect this
really has on the RNG. The only effect I see is that the pool
might receive less entropy
On Tue, May 02, 2006 at 08:08:10AM +0200, Marco Roeland wrote:
On Tuesday May 2nd 2006 at 00:34 Ulf Möller wrote:
Not much. If it helps with debugging, I'm in favor of removing them.
(However the last time I checked, valgrind reported thousands of bogus
error messages. Has that
Hi,
When debbuging applications that make use of openssl using
valgrind, it can show alot of warnings about doing a conditional
jump based on an unitialised value. Those unitialised values are
generated in the random number generator. It's adding an
unintialiased buffer to the pool.
The code
On Sun, Mar 19, 2006 at 10:34:42PM -0800, Ted Mittelstaedt wrote:
I think we have 2 options:
- Completly drop the old des support, including des_old.h
- Drop the libdes compatibility, so that it's only compatible
with older openssl versions, and people can still use the des_*
versions.
Hi,
Various places in the source say that old des support is going to
be removed before 1.0. I think it's time to move forward.
I think we have 2 options:
- Completly drop the old des support, including des_old.h
- Drop the libdes compatibility, so that it's only compatible
with older
Hi,
Various places in the source say that old des support is going to
be removed before 1.0. I think it's time to move forward.
I think we have 2 options:
- Completly drop the old des support, including des_old.h
- Drop the libdes compatibility, so that it's only compatible
with older openssl
Hi,
The attached patch converts destest.c to use DES_* function
instead of des_* functions. It's the only part of the source
that is still using the old names.
Kurt
Index: crypto/des/destest.c
===
RCS file:
Hi,
I've attached a patch that fixed a warning about the arguments to
a printf function. strlen() returns an size_t, so it should have
the z modifier. I've also changed it from %d to %u, since it's
unsigned.
Since the BIO printf() doesn't actually support, I've also added
support for that.
On Sun, Mar 12, 2006 at 11:52:30PM +0200, Roumen Petrov wrote:
Kurt Roeckx wrote:
Hi,
I've attached a patch that fixed a warning about the arguments to
a printf function. strlen() returns an size_t, so it should have
the z modifier.
Is the patch tested on windows ?
z modifier - I'm
On Tue, Mar 07, 2006 at 04:20:16PM +1100, Damien Miller wrote:
On Sun, 5 Mar 2006, Kurt Roeckx wrote:
Hi,
I would like to properly place the documetation in the 1SSL,
3SSL, 5SSL and 7SSL section.
It might be proper for your operating system, but it certainly
isn't correct
On Wed, Feb 08, 2006 at 09:54:22AM +0100, Jason McIntyre via RT wrote:
-This document conatains all the information necessary to succesfully set up
+This document contains all the information necessary to succesfully set up
You forgot successfully.
Kurt
Hi,
The attached patch makes some function that are only used in that
file static. There doesn't seem to be a reason to export those
functions.
Kurt
Index: crypto/asn1/tasn_new.c
===
RCS file:
Hi,
The attached patch fixes some warnings.
2 of them actually show up using gcc -Wall:
pkcs12.c:508: warning: 'chain2' may be used uninitialized in this function
s_socket.c:288: warning: 'accept_socket' may be used uninitialized in this
function
They're both cases where gcc can inline the
On Sat, Jan 28, 2006 at 05:38:18AM -0800, Joe Gluck wrote:
In which library is that gettime() function in? I did not find it.
(I did not find it in any C library)
He probably meant time(2), but you could also use gettimeofday(2).
Kurt
On Fri, Jan 20, 2006 at 10:28:24AM +0100, [EMAIL PROTECTED] via RT wrote:
... hmmm, where is the patch ?
I did mail it, and it seems to be in the bug report at:
http://www.aet.tu-cottbus.de/rt2/Ticket/Display.html?id=1204
But it wasn't in the mail send to the list.
I've attached it
Hi,
It seems to me that tls1_enc() is setting
SSL_OP_TLS_BLOCK_PADDING_BUG, while the other side does
not have that bug.
The code looks like this:
/* First packet is even in size, so check */
if ((memcmp(s-s3-read_sequence,
Hi,
It seems tht when building a shared version of the library, all
the engines in crypto/engine/ get compiled in, but are
unavailable. Those in engines/ get compiled as a shared library
and are available.
If you make a static library, or link against the static library
they do work as
On Mon, Jan 02, 2006 at 06:57:59PM +0100, Andy Polyakov wrote:
So let's make it a vote.
1. Should there be or not option for built-in engine in shared library
context, or should all engines without exclusion be available as
loadable modules?
My vote is there should be an option for
Hi,
It seems tht when building a shared version of the library, all
the engines in crypto/engine/ get compiled in, but are
unavailable. Those in engines/ get compiled as a shared library
and are available.
If you make a static library, or link against the static library
they do work as
On Thu, Dec 29, 2005 at 02:44:18PM +0100, Peter Sylvester wrote:
I saw in the lastest snapshots that in the ssl library the fundction
time has been casted to an unsigned long.
This seems to be some hack to cover the 2038 problem on 32 bit machines.
I am not sure
whether the attempted
Hi,
Has there been any progress on finding what the cause of this is?
There is also a bug open about this in the Debian bug tracking at:
http://bugs.debian.org/338006
There might be some more useful information in it.
Kurt
Hi,
I believe this was fixed with the following commit:
http://cvs.openssl.org/chngview?cn=12647
Kurt
__
OpenSSL Project http://www.openssl.org
Development Mailing List
On Tue, Nov 15, 2005 at 09:57:59AM +0100, Andy Polyakov wrote:
Can you test if
http://cvs.openssl.org/chngview?cn=14621 fixes the problem?
Initial tests look good. I haven't seen a failure yet; I'm running a
script to
see if I can stress the problem into reappearing.
On Fri, Nov 11, 2005 at 09:20:58PM +0100, Andy Polyakov wrote:
Concensus was that the failure is caused by a hardware
deficiency. What's your hardware?
Mostly Sun Ultra 10s, running Solaris 8. I can produce the error on more
than
one host, too.
Then it can't be hardware...
platform:
On Wed, Nov 09, 2005 at 12:00:19AM +0100, Dirk Mueller wrote:
Hi,
the appended patch makes libcrypto.so compile without executable stack
requirements. it should be portable accross all versions of binutils (and
doesn't affect any non-linux platform anyway).
The problem is that
Hi,
Since the upgrade from 0.9.7g to 0.9.8a on Debian, we're getting
alot of bug reports about applictions that give an error that
they can't load zlib.so.
When calling SSL_library_init(), it will try to load zlib.so,
which doesn't have to exist. It should try to open zlib.so.1
instead because
On Tue, Nov 01, 2005 at 10:18:42AM +0100, Kurt Roeckx via RT wrote:
So this looks like an error that doesn't get cleared, and I have
to wonder who should clear it. I don't think COMP_zlib() should
return that it was actually succesful in opening the library,
so it should atleast return
On Fri, Oct 28, 2005 at 09:46:30AM +0200, Andy Polyakov wrote:
Now question to Johnny Lam [who is complaining that we don't bump
versions] and Christoph Martin [who suggests to add versioning on all
symbols]. What exactly didn't work for you? As far as I understand both
NetBSD and Debian
On Sat, Oct 29, 2005 at 03:12:24AM +0100, [EMAIL PROTECTED] wrote:
Hi,
Then when the dynamic linker looks for a symbol, it looks at it
by name. It will go over all objects to see if it exists in it.
It will use the symbol from the first library it finds it in.
This means,
Hi,
Mikael Magnusson found a problem in the handling of fragmented
DTLS handshake packets and has provided a patch for it.
See http://bugs.debian.org/335703 for more information and the
patch.
Kurt
__
OpenSSL Project
On Sat, Oct 29, 2005 at 02:45:51PM +0100, [EMAIL PROTECTED] wrote:
Hi,
If you simply use the -Bsymbolic flag when building libA, doesn't
that solve the problem as well? And in a more portable way, since
vrsioned symbols don't exist on many platforms?
AFAIK, the idea of the
On Fri, Oct 28, 2005 at 09:46:30AM +0200, Andy Polyakov wrote:
Now question to Johnny Lam [who is complaining that we don't bump
versions] and Christoph Martin [who suggests to add versioning on all
symbols]. What exactly didn't work for you? As far as I understand both
NetBSD and Debian
On Tue, Oct 25, 2005 at 05:13:17PM +0200, Bruce Stephens via RT wrote:
The following trivial C file fails to compile in 0.9.8a:
#include openssl/sha.h
I think the following files have that problem:
md2.h
md4.h
md5.h
ripemd.h
sha.h
They should all add an include to stddef.h
Kurt
501 - 571 of 571 matches
Mail list logo