RE: CVE-2022-37454 SHA-3 buffer overflow

This is probably more difficult to exploit than I thought in my first read through. Workarounds The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to r

CVE-2022-37454 SHA-3 buffer overflow

I was reading that SHA-3 has a buffer overflow in the C implementation that is used by PHP and Python. https://nvd.nist.gov/vuln/detail/CVE-2022-37454 https://mouha.be/sha-3-buffer-overflow/ How does OpenSSL implement SHA-3 in the following algorithms? Is SHA3 only used in SHA3-224, SHA3-256,

how to use session ticketing at client/server level

Dear Team, Please provide me the list of API's(or any sample programs) to be used at server/client side to process session ticketing. Currently we are in the process of migrating from session ID usage to session ticketing. Regards, Sethu V

RE: OpenSSL 1.1.1 Windows dependencies

> From: David Harris > Sent: Friday, 21 October, 2022 01:42 > > On 20 Oct 2022 at 20:04, Michael Wojcik wrote: > > > I think more plausible causes of this failure are things like OpenSSL > > configuration and interference from other software such as an endpoint > > firewall. Getting SYSCALL from

Re: Fwd: Proper API usage with DTLS over custom net transport

On 20/10/2022 20:33, Павел Балашов wrote: So now the questions: (1) If we receive some dtls data at the line above with '' what should we do in terms of OpenSSL API calls ?  I assume this dtls data could be a client's retransmission due to server's last flight was lost or this could be

Re: openssl-users Digest, Vol 95, Issue 27

Hi, - Why are you trying to build OpenSSL? My objective is to sign an 'image.bin' with RSA2048 and verify the signature. I managed to build OpenSSL on linux and test the signature and verification with RSA2048 (private & public keys). Now, I would like to port it to vxWorks 7. - Why did you clone

Re: OpenSSL 1.1.1 Windows dependencies

On 21 Oct 2022 at 7:27, Richard Levitte wrote: > Let me ask you this: on what Windows version was your application > built? Common wisdom would be to build on the oldest version... My application is a very traditional Win32 application, and at the moment (and until circumstances *force* me to c

Re: OpenSSL 1.1.1 Windows dependencies

On 20 Oct 2022 at 20:04, Michael Wojcik wrote: > OpenSSL 1.1.1 uses Windows cryptographic routines in two areas I'm > aware of: rand_win.c and the CAPI engine. I don't offhand see a way > that a problem with the calls in rand_win.c would cause the particular > symptom you described. My guess is th