Dear OpenSSL developers community,
The attached patch removes two conditions in for() loops that can cause
undefined behavior leading to an out-of-bounds read in ssl/s3_srvr.c.
However, I don't see any security implication here.
I have discovered them using the -fsanitize=undefined option of LLV
Anything wrong with the mailing list? I got this message 20 times!
A+
Pascal
--
* Pascal Junod, [EMAIL PROTECTED] *
* Laboratoire de Sécurité et de Cryptographie (LASEC) *
* ++ 41 (0) 21
look
as soon as possible.
A+
Pascal
--
* Pascal Junod, [EMAIL PROTECTED] *
* Laboratoire de Sécurité et de Cryptographie (LASEC) *
* ++ 41 (0) 21 693 7617, INR 313, EPFL,
s the des library severely and dramatically improved in 3 years?
I cannot trust the results of OpenSSL. For instance, crypto++ 3.2 claims
7 MB/s on my machine...
A+
Pascal
--
* Pascal Junod, [EMAIL PROTECTED]
> }
>
> The OCTETSTRING which probably holds the signature
> is not a parameter of the algorithm.
Interesting... Is it a (known) typo in the PKCS #1 standard? It would
be cool if OpenSSL implemented the standard better than the standard itself :-)
A+
Pascal
--
2B 0E 03 02 1A 05 00 04 14
The commercial crypto library rejects the OpenSSL for this purpose.
What do you think about it?
A+
Pascal
PS: Please CC your responses to me!
--
< Pascal Junod
the GNU Public Licence.]
*/
#define ENTROPY_NEEDED 16 /* require 128 bits = 16 bytes of randomness */
[...]
Is it a bad idea to define this constant in rand.h instead of md_rand.c?
A+
Pascal
--
ions that need randomness report an error if the random number generator has not been seeded with at least 128 bits of randomness."
A+
Pascal
--
< Pascal Junod >
< Europay AG,