On 12/10/2015 12:09 PM, openssl-us...@dukhovni.org wrote:
>> On Dec 10, 2015, at 12:45 PM, Jakob Bohm wrote:
>>
>> On 10/12/2015 18:33, Viktor Dukhovni wrote:
>>> On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
>>>
>>>
static inline unsigned int
On 10/12/2015 18:33, Viktor Dukhovni wrote:
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
static inline unsigned int constant_time_msb(unsigned int a) {
- return 0 - (a >> (sizeof(a) * 8 - 1));
+ return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1;
}
The replacement
> On Dec 10, 2015, at 12:45 PM, Jakob Bohm wrote:
>
> On 10/12/2015 18:33, Viktor Dukhovni wrote:
>> On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
>>
>>
>>> static inline unsigned int constant_time_msb(unsigned int a) {
>>> - return 0 - (a >>
On 10/12/2015 19:13, Benjamin Kaduk wrote:
On 12/10/2015 12:09 PM, openssl-us...@dukhovni.org wrote:
On Dec 10, 2015, at 12:45 PM, Jakob Bohm wrote:
On 10/12/2015 18:33, Viktor Dukhovni wrote:
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
static
Bonsoir,
The OCSP responder can respond « unknown » if it doesn’t know the status of the
requested certificate. « Unknown » can generally not be used when the issuer is
not known, because such a response is signed, and if the responder doesn’t know
about the issuer, it can’t choose its own
Thanks for chiming in Erwann. This OCSP service is CRL based. The software
I am using has a "default signing certificate". I also have #X CA specific
signing certificates for each CA in our lab PKI. It chooses to use the
default signing certificate for all unknown issuers (like if someone
On 12/10/2015 11:45 AM, Jakob Bohm wrote:
> 3. The compiler wasn't written by a fanatic who put
> the "right shift of negative signed values is
> undefined" rule above common sense.
This is only implementation-defined behavior, not undefined behavior.
It is not permitted to crash the system
On 09/12/15 23:13, Benjamin Kaduk wrote:
> On 12/09/2015 05:04 PM, Matt Caswell wrote:
>>
>> On 09/12/15 11:44, Jayalakshmi bhat wrote:
>>> Hi Matt,
>>>
>>> I could build and execute the constant_time_test. I have attached the .c
>>> file and test results. 34 tests have failed. All failures are
Le 08/12/2015 18:16, Jakob Bohm a écrit :
On 07/12/2015 11:52, zosrothko wrote:
Hi Jacob
I saw that in ssl.h, the 'NO' particule means no support of as for
example
/* Don't use RFC4507 ticket extension */
# define SSL_OP_NO_TICKET0x4000L
What does mean the 'NO' in
On 10/12/15 04:47, Viktor Dukhovni wrote:
> On Wed, Dec 09, 2015 at 11:04:35PM +, Matt Caswell wrote:
>
>> unsigned char c = op(a, b);
>> if (is_true && c != CONSTTIME_TRUE_8) {
>> printf( "Test failed for %s(%du, %du): expected %u "
>> "(TRUE), got %u at
xxiao,
have you changed the code to also increase the timeout and not try to use
other devices to get entropy? If /dev/random is blocking at the time, it
may run into issues trying to look for other sources of entropy than giving
up.
On Tue, Dec 8, 2015 at 8:25 PM, xxiao8
Update: after I disabled aes-gcm the server selected
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d) and the connection succeeded
(disabling aes-gcm also disabled the available ciphers with SHA384 so it's not
clear whether that was the culprit or not).
So things are working again but still not sure
On Wed, Dec 09, 2015 at 05:13:32PM -0600, Benjamin Kaduk wrote:
> C does not make such a guarantee, though recent-ish POSIX does. (This
> system is a windows one, thought, right?)
There are DSPs that only support 32 bit, they don't have a concept
of 8 bit. But I think there is various code that
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks for the patch. Unfortunately patch did not work. I continued
> debugging and found that issue was in constant_time_msb.
>
> static inline unsigned int constant_time_msb(unsigned int a) {
> -*return 0 - (a
Hi Matt,
Thanks for the patch. Unfortunately patch did not work. I continued
debugging and found that issue was in constant_time_msb.
static inline unsigned int constant_time_msb(unsigned int a) {
-*return 0 - (a >> (sizeof(a) * 8 - 1));*
+ return (((unsigned)((int)(a) >> (sizeof(int) * 8 -
On 12/10/2015 05:55 AM, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks for the patch. Unfortunately patch did not work. I continued
> debugging and found that issue was in constant_time_msb.
>
> static inline unsigned int constant_time_msb(unsigned int a) {
> -*return 0 - (a >> (sizeof(a) * 8 -
On Thu, Dec 10, 2015 at 04:55:29AM -0700, Jayalakshmi bhat wrote:
> static inline unsigned int constant_time_msb(unsigned int a) {
> - return 0 - (a >> (sizeof(a) * 8 - 1));
> + return (((unsigned)((int)(a) >> (sizeof(int) * 8 - 1;
> }
The replacement is not right. This function is
On Thu, Dec 10, 2015 at 6:55 AM, Jayalakshmi bhat
wrote:
> Hi Matt,
>
> Thanks for the patch. Unfortunately patch did not work. I continued
> debugging and found that issue was in constant_time_msb.
>
> static inline unsigned int constant_time_msb(unsigned int a) {
> -
Hi Walter,
I agree with your addition regarding the fact that it is not saying the
cert is good, it's saying unknown. However, my understanding of the RFC is
that unknown should be returned when the OCSP service does not know about
the certificate issuer. I'm not sure that's the case.
Regarding
On 10/12/15 17:04, Benjamin Kaduk wrote:
> On 12/10/2015 05:55 AM, Jayalakshmi bhat wrote:
>> Hi Matt,
>>
>> Thanks for the patch. Unfortunately patch did not work. I continued
>> debugging and found that issue was in constant_time_msb.
>>
>> static inline unsigned int constant_time_msb(unsigned
On 11/12/2015 00:16, Kurt Roeckx wrote:
On Wed, Dec 09, 2015 at 05:13:32PM -0600, Benjamin Kaduk wrote:
C does not make such a guarantee, though recent-ish POSIX does. (This
system is a windows one, thought, right?)
There are DSPs that only support 32 bit, they don't have a concept
of 8 bit.
On 10/12/15 11:55, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks for the patch. Unfortunately patch did not work. I continued
> debugging and found that issue was in constant_time_msb.
>
> static inline unsigned int constant_time_msb(unsigned int a) {
> -*return 0 - (a >> (sizeof(a) * 8 -
On 10/12/2015 17:53, Matt Caswell wrote:
On 10/12/15 11:55, Jayalakshmi bhat wrote:
Hi Matt,
Thanks for the patch. Unfortunately patch did not work. I continued
debugging and found that issue was in constant_time_msb.
static inline unsigned int constant_time_msb(unsigned int a) {
-*return
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL version 1.1.0 pre release 1 (alpha)
===
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
OpenSSL 1.1.0 is currently in alpha. OpenSSL 1.1.0 pre release 1 has now
Hello,
I was researching how expired CRLs affect revocation checking via openssl.
* TEST #1: *The first test was to find out what status is returned when i
verify a certificate against the CRL:
[dan@canttouchthis PKI]$ openssl verify -CAfile CAS/cabundle.pem -CRLfile
CRLS/ABC-expired.crl
Hi Dan,
On 10.12.2015 16:27, daniel bryan wrote:
*TEST #2: *Next test was using OCSP:
[dan@canttouchthis PKI]$ openssl ocsp -CAfile CAS/cabundle.pem -VAfile
VAS/def_ocsp.pem -issuer CAS/IC\ ABC\ CA3\ DEV.cer -cert
CERTS/0x500c8bd-revoked.pem -url http://ocspresponder:8080
/Response verify
26 matches
Mail list logo