Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread Blumenthal, Uri - 0553 - MITLL
I'm sure I'm missing something obvious, but why isn't the operation XXX_verify_xxx() idempotent? It seems very weird that two subsequent calls to verify() wouldn't return exactly the same thing.

Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread Szilárd Pfeiffer
On 2016-03-24 19:12, Viktor Dukhovni wrote: On Mar 24, 2016, at 2:02 PM, DEXTER wrote: So let me get this straight. If someone had software where they called X509_verify_cert from the SSL_CTX_set_cert_verify_callback callback twice (to verify first with CRLs, and maybe

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-24 Thread Glen Matthews
When FIPS is enabled: missed that. We enable it when we load the modules - we're in a mode where we only have the FIPS libraries installed, and when we load them, we enable FIPS. In searching for a temporary work-around, I put different code at that place in x509v3_cache_extensions() -

Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread Viktor Dukhovni
> On Mar 24, 2016, at 2:02 PM, DEXTER wrote: > > So let me get this straight. > If someone had software where they called X509_verify_cert from the > SSL_CTX_set_cert_verify_callback callback twice (to verify first with > CRLs, and maybe verify again without CRLs) and it

Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread DEXTER
So let me get this straight. If someone had software where they called X509_verify_cert from the SSL_CTX_set_cert_verify_callback callback twice (to verify first with CRLs, and maybe verify again without CRLs) and it worked as expected, after this patch their software is broken. Am I right? And

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-24 Thread Glen Matthews
Hi. Yes, it's a standard build: FIPS 2.0 with OpenSSL 1.0.2g. I took a dump when the dialog box was displayed, and that's how I got the call stack.

    if (x->ex_flags & EXFLAG_SET)
        return;
    #ifndef OPENSSL_NO_SHA
    X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
    #endif

I inspected

Re: [openssl-users] [openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

2016-03-24 Thread Dr. Stephen Henson
On Wed, Mar 23, 2016, Glen Matthews wrote: > Hi > > Right, sorry about the wrong posting - and thanks. > > The message is correct - we got this in the 1.0.2f tree and are still getting > it in the 1.0.2g tree. > > I notice that in crypto\x509v3\v3_purp.c there is this: > > if

Re: [openssl-users] RDRAND and engine (was: how to generate EC public key from EC private key)

2016-03-24 Thread Blumenthal, Uri - 0553 - MITLL
Thank you - employing the pointers (no pun intended :) that you gave, the code now is doing exactly what’s needed, and utilizes RDRAND (as required by the specs I have, and my personal preferences as well). > set the default RAND_method to the engine This is what I did not do originally -

Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread Viktor Dukhovni
> On Mar 24, 2016, at 1:09 PM, Szilárd Pfeiffer > wrote: > > I am afraid the patch causes a serious compatibility break. In practice, > after an OS upgrade (which upgrades OpenSSL to the patched version) each > and every application, which calls the

Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread Szilárd Pfeiffer
On 2016-03-24 16:17, openssl-users at dukhovni.org (Viktor Dukhovni) wrote: >> On Mar 24, 2016, at 4:21 AM, DEXTER wrote: >> >> So this patch: >> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0 >> >> magically made itself into ubuntu trusty's

Re: [openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread Viktor Dukhovni
> On Mar 24, 2016, at 4:21 AM, DEXTER wrote: > > So this patch: > https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0 > > magically made itself into ubuntu trusty's version of openssl in a > security update. > > My question

[openssl-users] SHA1_Update() call leads to segfault

2016-03-24 Thread Alex Lyakas
Greetings openssl-users, We had several segmentation faults, all starting from SHA1_Update() call. See [1], [2] and [3]. Some details: We are using libcurl to send HTTPS requests to Amazon S3 service. We are using "curl_multi" handles to submit and track these HTTPS requests. The problem

[openssl-users] X509_verify_cert cannot be called twice

2016-03-24 Thread DEXTER
Hi! So this patch: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=b3b1eb5735c5b3d566a9fc3bf745bf716a29afa0 magically made itself into ubuntu trusty's version of openssl in a security update. My question is: What is the recommended way now to call X509_verify_cert twice or unlimited

Re: [openssl-users] Master thesis: implementation of a new ciphersuite into OpenSSL -- feedback wanted

2016-03-24 Thread Jan Žák
> What type of feedback are you looking for? If I understood and used the OpenSSL API correctly, with respect to crypto development best practices (e.g. constant-time operations). I have generic C programming experience, but crypto was new for me. The important pieces of the new code are there in

Re: [openssl-users] Master thesis: implementation of a new ciphersuite into OpenSSL -- feedback wanted

2016-03-24 Thread Jeffrey Walton
> Last year I successfully finished my Master's studies at Czech Technical > University by a thesis defense about implementing a new CAESAR ciphersuite > (specifically with NORX, but not restricted to it) into OpenSSL. I was > supervised by prof. Wu Hongjun from Nanyang Technological University, >

[openssl-users] Master thesis: implementation of a new ciphersuite into OpenSSL -- feedback wanted

2016-03-24 Thread Jan Žák
Hi, Last year I successfully finished my Master's studies at Czech Technical University by a thesis defense about implementing a new CAESAR ciphersuite (specifically with NORX, but not restricted to it) into OpenSSL. I was supervised by prof. Wu Hongjun from Nanyang Technological University,