Re: [openssl-dev] [openssl.org #4673] a weird error, please help to check whether is it a but. thanks!

another. > actually these 2 servers is mirrow relationship. 2. I checked the pem file > (as attached), also is same on two servers3. I checked the error reason, but > cannot find any description about it in the website.I am almost crazy for > this issue, would you help to check what'

Re: [openssl-dev] [openssl.org #4673] a weird error, please help to check whether is it a but. thanks!

another. > actually these 2 servers is mirrow relationship. 2. I checked the pem file > (as attached), also is same on two servers3. I checked the error reason, but > cannot find any description about it in the website.I am almost crazy for > this issue, would you help to check what'

[openssl-dev] [openssl.org #4673] a weird error, please help to check whether is it a but. thanks!

 Key:%s", ERR_error_string( ERR_get_error(),  NULL )); return false; } /* Check if the client certificate and private-key matches 验证私钥是否与证书一致*/ if (0 == SSL_CTX_check_private_key(m_pCtx)) { ERRLOG("Private key does not match the certificate public key"); retur

[openssl-dev] [openssl.org #4662] overflow check missing on BIO_new_file

not be validated? Also if i agrees with you i can say simply strlen(...) is also valid then but its depreciated by MSFT and other strlen_l(...) is provided which accept size For you convenience check this http://linux.die.net/man/3/alloca<https://urldefense.proofpoint.com/v2/url?u=h

[openssl-dev] [openssl.org #4621] BUG: nistz256 point addition check for a = +/-b doesn't work for unreduced values

Fixed in master by b62b2454f and dfde4219f. Still needs cherry-picking to 1.0.2. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4621 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

[openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

On Mon Aug 22 15:05:17 2016, david...@google.com wrote: > I may not have time to fully digest the change before the release date, but > I'm not sure this snippet quite works: > > if (ctx->read_start == ctx->read_end) { /* time to read more data */ > ctx->read_end = ctx->read_start =

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

There are definitely some OpenSSL APIs which return -2 expecting that the usual error-check patterns don't care.) Anyway, I believe it gets stuck if non-blocking BIO causes BIO_read to fail on a retryable error like EWOULDBLOCK and we try again. I see calls to BIO_should_retry, so I gather thi

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

The krb5 PKINIT tests still pass. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4628 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

There are two commits, one that addresses bio_enc problems and one adding test. Please double-check. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4628 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org

[openssl-dev] [openssl.org #4382] [PATCH] Missing Sanity Check(s) for BUF_strdup() in OpenSSL-1.0.2g

Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4382 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4371] [PATCH] Missing Sanity Check for malloc() in openssl-1.0.2g for 'apps/speed.c'

Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4371 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476)

Fixed with commit a03f81f, will be part of next 1.0.2 release. Thanks! -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4384 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

Hi, As I obviously needed to improve my test program, I am now encrypting and decrypting files trying all ciphers in all their available modes. ( ChaCha20, AES-128, AES-192, AES-256, Blowfish, Cast5, Camellia-128, Camellia-192, Camellia-256, IDEA, Seed, 3 Keys Triple-DES, 2 Keys Triple-DES ) (

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

Hi David, After checking you are obviously right. Contrary to my belief, my internal buffer was always larger than the longest line I read. :-( Sorry for the noise, but thanks David for the explanations. It helps me to fix my software (even if I will keep some spare bytes for some time) ;-( --

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

Hi David, After checking you are obviously right. Contrary to my belief, my internal buffer was always larger than the longest line I read. :-( Sorry for the noise, but thanks David for the explanations. It helps me to fix my software (even if I will keep some spare bytes for some time) ;-( --

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

On Sun, Jul 31, 2016 at 6:18 PM Michel via RT wrote: > > I was able to trigger a crash simply by chaining an encrypt BIO with a > memory BIO containing a large plaintext and then stream 100 bytes out of it > at a time. BIO_read would consistently return 128 and, by the time the

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

> I was able to trigger a crash simply by chaining an encrypt BIO with a memory BIO containing a large plaintext and then stream 100 bytes out of it at a time. BIO_read would consistently return 128 and, by the time the function returned, the stack was thoroughly clobbered. I am surprised. I

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

> I was able to trigger a crash simply by chaining an encrypt BIO with a memory BIO containing a large plaintext and then stream 100 bytes out of it at a time. BIO_read would consistently return 128 and, by the time the function returned, the stack was thoroughly clobbered. I am surprised. I

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

urn less than buf_len. That will feed a partial block into the EVP_CIPHER_CTX and, the next time around, we output more data than expected. 3. Actually, #2 even means the EVP_CIPHER overlapping buffers check is wrong. The true requirement is not "if the buffers alias, then i

[openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

Resolved by Andy's fix. Closing. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4628 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

 : [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check Does current master work? I think Andy checked in a fix. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

 : [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check Does current master work? I think Andy checked in a fix. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4628 Please log in as guest with password guest if prompted -- openssl-dev mailing list

Re: [openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

> Does current master work? I think Andy checked in a fix. Rich was few minutes ahead. Now it's committed. Provided test case was verified to work. Thanks for report. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4628 Please log in as guest with password guest if prompted --

[openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

Does current master work? I think Andy checked in a fix. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4628 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4628] EVP_f_cipher regression due to overlapping regions check

The attached test program works in 1.0, but fails in master with: a.out: crypto/evp/evp_enc.c:290: is_partially_overlapping: Assertion `!condition' failed. See also: https://mta.openssl.org/pipermail/openssl-dev/2016-July/007953.html -- Ticket here:

Re: [openssl-dev] [openssl.org #4621] BUG: nistz256 point addition check for a = +/-b doesn't work for unreduced values

Brian Smith via RT wrote: > Finally, as I mentioned on the mailing list, it seems the function is_zero > is missing a comparison of the last limb in the 32-bit case. > And of course, when I said "is_zero" I meant "is_one":

Re: [openssl-dev] [openssl.org #4621] BUG: nistz256 point addition check for a = +/-b doesn't work for unreduced values

Brian Smith via RT wrote: > Finally, as I mentioned on the mailing list, it seems the function is_zero > is missing a comparison of the last limb in the 32-bit case. > And of course, when I said "is_zero" I meant "is_one":

[openssl-dev] [openssl.org #4621] BUG: nistz256 point addition check for a = +/-b doesn't work for unreduced values

o be represented as either 0 or as P + 0. This brings into question whether is_zero is correct, because it doesn't consider P to be zero. Here there was some disagreement about whether it is necessary to check for P. I personally think that it is safer to check for both 0 and P like the nistp256 code

[openssl-dev] Overlapping regions check

With current OpenSSL master, the krb5 PKINIT tests are getting an assertion failure which I can't attribute to our code (stack trace at the end). It appears that EVP_EncryptUpdate() now insists on non-overlapping regions, but bio_enc.c:enc_read() relies on being able to decrypt an overlapping

[openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

fixed some time ago., -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4175 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3533] [PATCH] Ensures that EVP encryption & decryption operations check the encrypt flag on the context.

https://github.com/openssl/openssl/pull/172 Closing ticket. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3533 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #3918] check return value of EC_POINT_mul

GOST is now a separate engine. Ping Dmitry :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=3918 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

this is a "can't happen" kind of thing. If you pass in a NID_xxx value, you MUST get back the object. They are two tables built in-sync. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4381 Please log in as guest with password guest if prompted -- openssl-dev mailing list To

Re: [openssl-dev] [openssl.org #3053] [PATCH] Check for null pointer in cms envelopedData

Wow, only 3 years to apply the simplest patch you have ever seen. Well, better late than never... :) Phillip On Sun, Jun 12, 2016 at 5:55 AM, Rich Salz via RT <r...@openssl.org> wrote: > OpenSSL_1_0_2-stable 63b2499 RT3053: Check for NULL before dereferencing > > master 6b3602

Re: [openssl-dev] [openssl.org #3053] [PATCH] Check for null pointer in cms envelopedData

Wow, only 3 years to apply the simplest patch you have ever seen. Well, better late than never... :) Phillip On Sun, Jun 12, 2016 at 5:55 AM, Rich Salz via RT <r...@openssl.org> wrote: > OpenSSL_1_0_2-stable 63b2499 RT3053: Check for NULL before dereferencing > > master 6b3602

[openssl-dev] [openssl.org #3053] [PATCH] Check for null pointer in cms envelopedData

OpenSSL_1_0_2-stable 63b2499 RT3053: Check for NULL before dereferencing master 6b36028 RT3053: Check for NULL before dereferencing Author: Phillip Hellewell <ssh...@gmail.com> Date: Sat Jun 11 20:04:21 2016 -0400 RT3053: Check for NULL before dereferencing Reviewed-by: Tim Hud

[openssl-dev] [openssl.org #2877] openssl rand does not check write(2) return code

Fixed in master with commit 0f91e1d. -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=2877 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4244] dhparam -check should

dhparam will never generate parameters that fail DH_check(). It would be an internal error if it did. I added a sanity check anyway and also brought the documentation up to date. Commit eeb21772e. Closing this ticket. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4244

Re: [openssl-dev] [openssl.org #4173] help to check whether handshake negociates SRP or PSK ciphersuite

Cool ! Many thanks Steve. -Message d'origine- De : Stephen Henson via RT [mailto:r...@openssl.org] Envoyé : mardi 10 mai 2016 17:00 À : michel.sa...@free.fr Cc : openssl-dev@openssl.org Objet : [openssl.org #4173] help to check whether handshake negociates SRP or PSK ciphersuite

[openssl-dev] [openssl.org #4494] Fix: check the FD_SETSIZE before the call to select() in speed.c

The referenced pull request was merged. Closing. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4494 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4173] help to check whether handshake negociates SRP or PSK ciphersuite

This is now supported in the master branch with the SSL_CIPHER_get_auth_nid() function. The equivalent cannot be added to 1.0.2 as we do not add new features to stable branches. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see:

[openssl-dev] [openssl.org #4404] [PATCH] Missing Sanity Check for OPENSSL_strdup() in OpenSSL-1.1 pre-4

This appears to have been fixed. Closing. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4404 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

Steve explained how this should be done. Closing. Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4343 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4533] [PATCH] Add missing NULL check in i2d_PrivateKey()

Applied after a bit of adaptation. Thank you! Vid Ons, 04 May 2016 kl. 21.52.21, skrev k...@x64architecture.com: > Attached is the patch to fix the issue, also please close RT#4534 I > sent an invalid reply which got translated into another RT issue. > > -- > Kurt Cancemi >

[openssl-dev] [openssl.org #4534] Re: [PATCH] Add missing NULL check in i2d_PrivateKey()

Closing this ticket at request of submitter. Erroneous duplicate of #4533 Matt -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4534 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

Re: [openssl-dev] [openssl.org #4533] AutoReply: [PATCH] Add missing NULL check in i2d_PrivateKey()

if prompted >From c27b3a648532388cf59ee55c41ad433c8f323542 Mon Sep 17 00:00:00 2001 From: Kurt Cancemi <k...@x64architecture.com> Date: Wed, 4 May 2016 17:34:23 -0400 Subject: [PATCH] Add missing NULL check in i2d_PrivateKey() --- crypto/asn1/i2d_pr.c | 4 +++- 1 file changed, 3 inserti

[openssl-dev] [openssl.org #4534] Re: [PATCH] Add missing NULL check in i2d_PrivateKey()

ed, 4 May 2016 17:34:23 -0400 Subject: [PATCH] Add missing NULL check in i2d_PrivateKey() --- crypto/asn1/i2d_pr.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/crypto/asn1/i2d_pr.c b/crypto/asn1/i2d_pr.c index 7ca643f..8b6c92c 100644 --- a/crypto/asn1/i2d_pr.c +++ b/cr

[openssl-dev] [openssl.org #4533] [PATCH] Add missing NULL check in i2d_PrivateKey()

The attached patch adds a missing NULL check in i2d_PrivateKey(), it also removes the parentheses around the last return value to be consistent with the rest of the function. -- Kurt Cancemi https://www.x64architecture.com -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4533

[openssl-dev] [openssl.org #4494] Fix: check the FD_SETSIZE before the call to select() in speed.c

The behavior of select() is undefined when the value of max_fd is bigger or equal to FD_SETSIZE. When using a big number of async_jobs in speed.c this condition might not be satisfied. The following pull request add a check and print an error message: https://github.com/openssl/openssl/pull/926

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Friday 26 February 2016 17:37:11 Viktor Dukhovni wrote: > On Fri, Feb 26, 2016 at 05:29:26PM +, Salz, Rich wrote: > > As just about the only team member who trolls through RT and closes > > things with any quantity, I am not sure that I agree that fixing a > > bug requires documentation if

[openssl-dev] [openssl.org #4404] [PATCH] Missing Sanity Check for OPENSSL_strdup() in OpenSSL-1.1 pre-4

Hello All, In reviewing code in directory 'crypto/conf', file 'conf_mod.c', there is a call to OPENSSL_strdup() which is not checked for a return value of NULL, indicating failure. The patch file below adds the test, and releases the previously allocated memory assigned to 'tmod': ---

[openssl-dev] [openssl.org #4402] [PATCH] Missing Sanity Check for BN_new in 'apps/prime.c' for OpenSSL-1.1 pre4

Hello All, In reviewing code in directory 'apps', file 'prime.c', there is a call to BN_new() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue: --- prime.c.orig2016-03-08 16:13:24.841500061 -0800 +++ prime.c

[openssl-dev] [openssl.org #4384] [PATCH] Missing Sanity Check plus potential NULL pointer deref (CWE-476)

Hello All, In reviewing code in directory 'engines', file 'e_aep.c', there is a call to function 'bn_expand()', but it is not checked for a return value of NULL. However, a member of the variable 'bn' (bn->d) are used in memset()/memcpy() calls, but if 'bn' is NULL, a segmentation

[openssl-dev] [openssl.org #4382] [PATCH] Missing Sanity Check(s) for BUF_strdup() in OpenSSL-1.0.2g

Hello All, In reviewing source code in directory 'crypto/conf', file 'conf_mod.c', there is a call to BUF_strdup() in function 'module_add()' which is not checked for a return value of NULL, indicating failure. The patch file below adds the check and calls OPENSSL_free(tmod) to release

[openssl-dev] [openssl.org #4381] [PATCH] Missing Sanity Check for OBJ_nid2obj() in OpenSSL-1.0.2g

In reviewing code in directory 'crypto/asn1', file 'asn_moid.c', in function 'do_create()', there is a call to 'OBJ_nid2obj()' which is not checked for a return value of NULL. The patch file below adds the check and returns 0 if NULL is returned: --- asn_moid.c.orig 2016-03-06 17:09

[openssl-dev] [openssl.org #4372] [PATCH] Missing sanity check for OPENSSL_malloc() in openssl-1.0.2g in th-lock.c

th_lock is sample code :) fixed in 1.1 with the integration of ntive threads support. -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4372 Please log in as guest with password guest if prompted -- openssl-dev mailing list To

[openssl-dev] [openssl.org #4372] [PATCH] Missing sanity check for OPENSSL_malloc() in openssl-1.0.2g in th-lock.c

Hello All, In reviewing code in OpenSSL-1.0.2g, in directory 'crypto/threads', file 'th-lock.c', in function 'CRYPTO_thread_setup', there is a call to OPENSSL_malloc() which is not checked for a return value of NULL, indicating failure. The patch file below should address/correct this issue:

[openssl-dev] [openssl.org #4371] [PATCH] Missing Sanity Check for malloc() in openssl-1.0.2g for 'apps/speed.c'

Hello All, In reviewing source code for OpenSSL-1.0.2g, it would appear in file 'apps/speed.c', in function 'static int do_multi()', a call to malloc() is made without being tested for a return value of NULL, indicating failure. The patch file below should address/correct this issue: ---

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

he policy? > > In the past, we knew from the upper-case lower-case thing. I'm > guessing that held until OpenSSL 1.0.2. I'm also guessing that's is > going to change at 1.1.x. > > What do we use now? What are the actionable items or prescriptive > items we can pivot on? Those

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

FWIW, I agree with Viktor. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

> On Feb 28, 2016, at 12:17 PM, Jeffrey Walton wrote: > > Thanks Viktor. > > Here's the practical problem I am trying to solve. Its a policy and > procedure problem. > > Suppose an organization has a rule that says, "no private APIs shall > be used". How do I tell an

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Sun, Feb 28, 2016 at 12:18 AM, Viktor Dukhovni wrote: > >> On Feb 27, 2016, at 7:42 PM, Jeffrey Walton wrote: >> >> Please ensure this is documented somewhere. I'm having trouble finding >> information on the new rules. >> >> There's 15 or 20

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri 2016-02-26 18:04:43 +0100, Viktor Dukhovni wrote: > I'd like to propose a policy of no bug fixes to undocumented public > interfaces. If the interface is useful enough to fix, it has to be > documented. fwiw, i agree with Viktor on this proposal. Clear, sane

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

> On Feb 27, 2016, at 7:42 PM, Jeffrey Walton wrote: > > Please ensure this is documented somewhere. I'm having trouble finding > information on the new rules. > > There's 15 or 20 years of using capitol and lower case identifiers to > denote public and private APIs with

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

>> Correct me if I am wrong... API's that start with capitol letters are >> public. Private interfaces use lowercase letters. >> Documented/undocumented does not really factor things. > > You're wrong. Once OpenSSL's past sins are remediated, public > interfaces are precisely those that are

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

>>> Nonsense. Source code is not API documentation, it is an >> > implementation, not an interface contract. >> >> I'm not sure I'd consider it nonsense. > >Comments in source code are not documentation, they explain the >internals of the implementation, not the contract. Actually they can (and

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 05:34:14PM +, Viktor Dukhovni wrote: > On Fri, Feb 26, 2016 at 05:29:26PM +, Salz, Rich wrote: > > > As just about the only team member who trolls through RT and closes things > > with any quantity, I am not sure that I agree that fixing a bug requires > >

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 12:50:24PM -0500, Jeffrey Walton wrote: > > Nonsense. Source code is not API documentation, it is an > > implementation, not an interface contract. > > I'm not sure I'd consider it nonsense. Comments in source code are not documentation, they explain the internals of

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 12:42 PM, Viktor Dukhovni wrote: > On Fri, Feb 26, 2016 at 12:37:22PM -0500, Jeffrey Walton wrote: > >> It seems like (to me) the the most direct way to mark a function as >> private is to add a comment in the source code stating such. > >

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 12:37:22PM -0500, Jeffrey Walton wrote: > It seems like (to me) the the most direct way to mark a function as > private is to add a comment in the source code stating such. Nonsense. Source code is not API documentation, it is an implementation, not an interface

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 12:29 PM, Salz, Rich wrote: > As just about the only team member who trolls through RT and closes things > with any quantity, I am not sure that I agree that fixing a bug requires > documentation if the API isn't already documented. +1. Concepts seem

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 05:29:26PM +, Salz, Rich wrote: > As just about the only team member who trolls through RT and closes things > with any quantity, I am not sure that I agree that fixing a bug requires > documentation if the API isn't already documented. We should also get the word out

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 05:29:26PM +, Salz, Rich wrote: > As just about the only team member who trolls through RT and closes things > with any quantity, I am not sure that I agree that fixing a bug requires > documentation if the API isn't already documented. Focus on fixing bugs in

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

As just about the only team member who trolls through RT and closes things with any quantity, I am not sure that I agree that fixing a bug requires documentation if the API isn't already documented. -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 05:10:42PM +, Salz, Rich wrote: > > I'd like to propose a policy of no bug fixes to undocumented public > > interfaces. > > That seems extreme, given how much of the API is undocumented and how much > external stuff depends on private things. Not at all. You're well

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

>> > I'd like to propose a policy of no bug fixes to undocumented public >> > interfaces. If the interface is useful enough to fix, it has to be >> > documented. Anyone care to produce manpages for EC_KEY_priv2buf or >> > EC_KEY_priv2oct? >> > >> Correct me if I am wrong... API's that start with

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 12:10:09PM -0500, Jeffrey Walton wrote: > > I'd like to propose a policy of no bug fixes to undocumented public > > interfaces. If the interface is useful enough to fix, it has to be > > documented. Anyone care to produce manpages for EC_KEY_priv2buf or > >

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

> I'd like to propose a policy of no bug fixes to undocumented public > interfaces. That seems extreme, given how much of the API is undocumented and how much external stuff depends on private things. I understand the goal. I just want to make sure you've thought about the proposal. (And

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

>> > I have PR https://github.com/openssl/openssl/pull/739 with the below >> > changes, please have a look. >> > >> > - In EC_KEY_priv2buf(), check for pbuf sanity. >> > - If invoked with NULL, gracefully returns the key length. > ... > I'd like

Re: [openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Fri, Feb 26, 2016 at 04:50:27PM +, Stephen Henson via RT wrote: > > I have PR https://github.com/openssl/openssl/pull/739 with the below > > changes, please have a look. > > > > - In EC_KEY_priv2buf(), check for pbuf sanity. > > - If invoked with NULL, gra

[openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

On Wed Feb 24 12:07:05 2016, mo...@computer.org wrote: > Hi, > > I have PR https://github.com/openssl/openssl/pull/739 with the below > changes, please have a look. > > - In EC_KEY_priv2buf(), check for pbuf sanity. > - If invoked with NULL, gracefully returns the key lengt

[openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

commit acae59b pushed, thanks! -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4343 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

[openssl-dev] [openssl.org #4340] ASN1_item_sign_ctx(): method check before access and release ctx in error paths

done, closing. -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4340 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #4343] master: EC_KEY_priv2buf (): check parameter sanity

Hi, I have PR https://github.com/openssl/openssl/pull/739 with the below changes, please have a look. - In EC_KEY_priv2buf(), check for pbuf sanity. - If invoked with NULL, gracefully returns the key length. Thanks, Mohan -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4343

[openssl-dev] [openssl.org #4340] ASN1_item_sign_ctx(): method check before access and release ctx in error paths

- In error paths, EVP_MD_CTX allocated by the callee is not released (master) - Checking method before access (in master and earlier versions) Pull request with these changes (on master) are as below, please have a look. https://github.com/openssl/openssl/pull/737 Thanks, Mohan --

[openssl-dev] [openssl.org #4334] Check for UEFI before __STDC_VERSION__ for

fixed in commit a2d0baa thanks! -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4334 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe:

[openssl-dev] [openssl.org #4334] Check for UEFI before __STDC_VERSION__ for

Adding -nostdinc to the EDK2 showed that we were including for some UEFI builds, because the check for __STDC_VERSION__ happens before the check for OPENSSL_SYS_UEFI. Fix that. ---  include/openssl/e_os2.h | 12 ++--  1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/include

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

> If you say that removing the #ifdef instead of removing the whole code block > that it contained was a mistake, then I shall take you at your word and > refrain > from harping on *too* much about how naughty it was to have a functional > change hidden away in a commit which simply entitled

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

rue. This always used to work; there was a "sanity" check for external data being passed to PKCS7_verify() with a non-detached PKCS#7 signature, but it was always #ifdef'd out. It was broken in HEAD by commit 55500ea7c ("GH354: Memory leak fixes") and in 1.0.2 by cherry-pi

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

nature. In this case, we need to allow PKCS7_verify() to be called with external data even though PKCS7_get_detached() is not true. This always used to work; there was a "sanity" check for external data being passed to PKCS7_verify() with a non-detached PKCS#7 signature, but it was

[openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

can you make a PR (separate from the one you have for UEFI) that does the right thing? Or attach it to this ticket? I've kinda lost track :( -- Rich Salz, OpenSSL dev team; rs...@openssl.org -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4175 Please log in as guest with password

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Fri, 2016-02-05 at 17:31 +, Salz, Rich via RT wrote: > And update the PR to say that it also closes this ticket :) Well, it can be a separate PR if the first is already merged... -- dwmw2 -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4175 Please log in as guest with

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Fri, 2016-02-05 at 17:31 +, Salz, Rich via RT wrote: > And update the PR to say that it also closes this ticket :) Well, it can be a separate PR if the first is already merged... -- dwmw2 smime.p7s Description: S/MIME cryptographic signature -- openssl-dev mailing list To

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

And update the PR to say that it also closes this ticket :) -- Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4175 Please log in as guest with password guest if prompted -- openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Fri, 2016-02-05 at 17:20 +, Rich Salz via RT wrote: > can you make a PR (separate from the one you have for UEFI) that does > the right > thing? Or attach it to this ticket? > I've kinda lost track :( Oops, forgot this one in the set of patches I lined up today. Will add it.  -- dwmw2

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Tue, 2015-12-08 at 12:56 +, Salz, Rich via RT wrote: > I think that instead of the #ifdef being removed, the if() test > should be removed.   > This was my mistake. What was the verdict here? I'm trying to update my builds, as promised this morning. But EDK2 has updated to 1.0.2e and

Re: [openssl-dev] [openssl.org #4175] Add new macro or PKCS7 flag to disable the check for both data and content

On Tue, 2015-12-08 at 12:56 +, Salz, Rich via RT wrote: > I think that instead of the #ifdef being removed, the if() test > should be removed.   > This was my mistake. What was the verdict here? I'm trying to update my builds, as promised this morning. But EDK2 has updated to 1.0.2e and

[openssl-dev] [openssl.org #2493] [PATCH] Engines: Eliminate the unneccesary null check

sureware engine is no longer supported. -- Rich Salz, OpenSSL dev team; rs...@openssl.org - http://rt.openssl.org/Ticket/Display.html?id=2493 Please log in as guest with password guest if prompted

[openssl-dev] [openssl.org #4148] PCKS1 type 1 Padding check error

Resolved in ba2de73b185016e0a98e62f75b368ab6ae673919 for master (1.1.0). This isn't really a bug so we won't be backporting to stable branches, though. ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

[openssl-dev] [openssl.org #1292] SSL_add_dir_cert_subjects_to_stack does not check for read access of file, breaking TLS enabled LDAP clients

This is reported against 0.9.8; please open a new ticket if still a problem with current releases. -- Rich Salz, OpenSSL dev team; rs...@openssl.org ___ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

  1   2   3   4   >