In the next version of Linux glibc, SIGSTKSZ is defined at runtime if
source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to
bring in asprintf/vasprintf, which causes the explicit_bzero test to
fail to compile since the size of SIGSTKSZ is no longer known at compile
time. This adjus
On Fri, Mar 26, 2021 at 1:56 PM Alexander Bluhm wrote:
>
> On Mon, Mar 22, 2021 at 08:38:23PM -0500, Brent Cook wrote:
> > In the next version of Linux glibc, SIGSTKSZ is defined at runtime if
> > source is built with _GNU_SOURCE. On LibreSSL-portable, this is set to
>
This makes sense, ok bcook@
On Wed, Oct 17, 2018 at 6:28 PM Theo Buehler wrote:
> The spec, https://tools.ietf.org/html/rfc3394, section 2, states that
> we need at least two 64 bit blocks for wrapping and, accordingly, three
> 64 bit blocks for unwrapping. That is: we need at least 16 bytes for
This switches libcrypto and libssl to use endian.h over
machine/endian.h, easing some portability contortions. The Austin group
works in mysterious ways, but endian.h also might be a POSIX
standard in the wings, whatever 'Applied' means.
https://www.austingroupbugs.net/view.php?id=162
ok?
diff --
ok bcook@
On Thu, Nov 5, 2020 at 6:16 AM Claudio Jeker wrote:
>
> Since newer compilers default to -fno-common fix bgpd to not depend on
> common symbols. The last few ones can just be converted to static symbols
> since these are only used in the RDE or SE main code.
> With the previous diffs an
This updates the getentropy implementation for Windows to use the newer
"Cryptography Next Generation APIs", replacing CryptGenRandom, which
already has been removed from applications built for the Windows Store.
Tested with libressl-portable, it passes all regression tests. Details
of the API a
Hi,
I haven’t looked deeply into this, but there was a reported issue with OCSP
stapling with Nginx between the LibreSSL portable releases 2.9.0 and 2.9.1
(which would have been between December 15th, 2018 and April 21st, 2019)
Reposting here for visibility:
https://github.com/libressl-portabl
Sure, looks fine in this micro context so maybe someone copying code from
here as an example will do better. Though note that wider-scoped key/iv
still contain the key material after EVP_CipherInit_ex and so on.
Doesn't appear we've sprinkled many explicit_bzero's into openssl(1) in
general given
ok bcook@
On Thu, Apr 5, 2018 at 12:06 PM, Theo Buehler wrote:
> If EVP_Digest() fails, str is leaked.
>
> This is part of the combo-diff 83b4049ab75e9da1815e9c854a9297bca3d4af6b
> some more of which may also apply to us, but I'm still disentangling it.
> See also https://github.com/openssl/open
OK bcook@
On Mon, Apr 23, 2018 at 3:27 AM, Theo Buehler wrote:
> This is a practically unused function (both in our tree and globally),
> but it is the only remaining public *_free() function in libcrypto that
> segfaults on being passed NULL. I'll of course add it to the regress
> tests should
Nice to see the "const unsigned char *p = d;" hackery going away. ok bcook@
On Tue, Apr 24, 2018 at 2:50 PM, Theo Buehler wrote:
> OpenSSL started adding const to functions all over the place. The patch
> below makes all our libssl functions match theirs wrt const, except for
> BIO_f_ssl(3). I p
Looks good, ok bcook@
On Wed, Apr 25, 2018 at 3:22 AM, Theo Buehler wrote:
> This is the second, larger part of the diff that was part of sthen's
> i386 bulk and it had no fallout. It adds const like OpenSSL to most of
> the public API exposed in asn1.h and needs some adjustments in internal
> f
ok bcook@
On Fri, May 18, 2018 at 9:13 AM, Theo Buehler wrote:
> On Fri, May 18, 2018 at 04:03:16PM +0200, Theo Buehler wrote:
> > Simple diff that adds const qualifiers to the X509_CRL *x and
> > ASN1_OBJECT *obj arguments of X509_CRL_get_ext_count(3),
> > X509_CRL_get_ext_by_NID(3), X509_CRL_g
ok bcook@
On Wed, May 23, 2018 at 2:11 AM, Theo Buehler wrote:
> Very minor polishing, really:
>
> Since we converted EVP_PKEY_asn1_new() to using calloc(), there's no
> need to set the structure to zero manually with an odd spelling of NULL.
> Besides, the list of zeroed members is incomplete:
On Thu, May 24, 2018 at 10:10:58AM +, Cameron Palmer wrote:
> It is beneficial for projects that depend on LibreSSL libraries and are built
> with CMake to use target_link_libraries and automatically receive the PUBLIC
> or INTERFACE headers without needing to specify include_directories. Thi
On Mon, Feb 12, 2018 at 09:27:16AM -0600, ed...@pettijohn-web.com wrote:
> Has there been any discussion of packaging libtls separately from libressl
> for portable use? With my limited skills I was able to write a program to
> talk to smtpd and starttls using nothing but the manuals. I seriously
ok bcook@
On Mon, May 28, 2018 at 3:23 PM, Theo Buehler wrote:
> This is the first trivial part of the last batch of diffs catching up
> with OpenSSL's const additions.
>
> As usual, sthen kindly ran the whole diff through a ports bulk build.
>
> Only this small change caused some fallout, namel
add a
> compiler define like -D HAVE_CLOCK_GETTIME in the linking project to avoid
> a conflict.
>
> > On 29 May 2018, at 12:48, Brent Cook wrote:
> >
> > On Thu, May 24, 2018 at 10:10:58AM +, Cameron Palmer wrote:
> >> It is beneficial for projects
On Thu, Feb 14, 2019 at 4:21 PM Ted Unangst wrote:
> Alexander Bluhm wrote:
> > GNU dd has the conv=fsync feature which does an fsync(2) after final
> > write to output. I find this useful for write performance measurement
> > through the file system without buffer cache optimization. Others
>
Since the relatively recent logging unification, log_init needs a
debug level > 1 in order for log_debug to print anything. This change
makes it so 'ntpd -d' stays in the foreground but doesn't log much
(the current behavior, different than previous releases though), 'ntpd
-dd' actually prints more
to run -d to get lots of
> output. check main() there?
>
> i think thats more intuitive, but maybe i'm just used to it.
>
> Brent Cook(bust...@gmail.com) on 2016.01.20 06:31:44 -0600:
>> Since the relatively recent logging unification, log_init needs a
>> debug le
On Sat, Jan 23, 2016 at 08:48:22PM +0100, Reyk Floeter wrote:
> On Sat, Jan 23, 2016 at 12:39:19PM -0600, Brent Cook wrote:
> > I'm going with this instead. That way it works like the manual
> > specifies already (-v enables logging debug messages)
> >
>
> Yes, the
Noted here, https://github.com/libressl-portable/portable/issues/161, we
document a non-existent constant in the examples
for EVP_PKEY_CTX_set_rsa_padding. Is this the correct one to use?
Index: EVP_PKEY_decrypt.pod
===
RCS file: /cvs
yes, that is correct - ok bcook@
On Sun, Apr 24, 2016 at 2:06 AM, Jason McIntyre wrote:
> On Sat, Apr 23, 2016 at 06:24:58PM +0200, Remco wrote:
> > Index: tls_init.3
> >
> > ===
> >
>
> i think your diff is correct - in -r1.33 beck
announce at openbsd.org
Thu, 13 Jul 2017 10:41:48 -0500
We have made two new portable OpenNTPD releases today. These should be
arriving soon in the OpenNTPD directory of an OpenBSD mirror near you.
OpenNTPD 6.1p1 represents the version shipped with OpenBSD 6.1. It
provides a number of new features and reliability improvements.
OpenNTPD 6.2p1 is the fi
OPENSSL_NO_EC_NISTP_64_GCC_128 has been defined in opensslfeatures.h for a
long time, which effectively means that ecp_nistp* are all empty files. So,
there is no reason to build them in the first place. OK?
Index: Makefile
===
RCS fi
This patch came by way of the openntpd github. Linux (and possibly others)
will attempt to bind to 0.0.0.0 when binding to '::' and return an error if
it can't, unless IPV6_V6ONLY is set. See
https://github.com/openntpd-portable/openntpd-portable/issues/19
OK as an in-tree patch? OpenBSD seems to
> On May 17, 2016, at 10:21 AM, Stuart Henderson wrote:
>
> On 2016/05/17 08:27, Brent Cook wrote:
>> This patch came by way of the openntpd github. Linux (and possibly others)
>> will attempt to bind to 0.0.0.0 when binding to '::' and return an error if
>>
Hi,
Our errata patch for fixing large memory allocations in
asn1_d2i_read_bio dropped the while (want > 0) loop, causing the
function to only read chunk_max bytes once. This limits the max size
read to 16k. This patch restores the outer loop. Noted on misc@
ftp http://ccd.serpro.gov.br/lcr/ac
On Tue, May 17, 2016 at 2:56 PM, Stuart Henderson
wrote:
> On 2016/05/17 08:27, Brent Cook wrote:
> > This patch came by way of the openntpd github. Linux (and possibly
> others)
> > will attempt to bind to 0.0.0.0 when binding to '::' and return an error
> if
>
A bug in the previous libcrypto errata caused an error when reading
ASN.1 elements over 16kb.
Patches for OpenBSD are available. Updated LibreSSL-portable releases
will be available later.
http://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/009_crypto.patch.sig
http://ftp.openbsd.org/pub/OpenB
We have released a first development snapshot of LibreSSL 2.4.0 along
with two stable builds, 2.3.5 and 2.2.8. These should be arriving in
the LibreSSL directory of your local OpenBSD mirror soon.
The 2.3.5 and 2.2.8 releases contain a reliability fix, correcting an
error when parsing certain ASN.
Hi,
This is a patch from Cesar Pereida, removing support for
DSA_FLAG_NO_EXP_CONSTTIME by making DSA always operate in constant time.
See https://github.com/libressl-portable/openbsd/pull/61 for more
details.
ok?
diff --git a/src/lib/libssl/src/crypto/dsa/dsa.h
b/src/lib/libssl/src/crypto/dsa/
This fixes a bug where the default certificate path locations would only
be loaded if the CAfile or CApath locations were succesfully loaded
first. Original patch from OpenSSL:
https://github.com/openssl/openssl/commit/fe9b85c3cb79f1e29e61f01de105b34ce8177190
Noted here on the LibreSSL-portable
No problem, I undid that bit.
Thanks all.
On Mon, Jun 20, 2016 at 11:32 AM, Ted Unangst wrote:
> Brent Cook wrote:
> > diff --git a/src/lib/libssl/src/crypto/dsa/dsa_key.c
> b/src/lib/libssl/src/crypto/dsa/dsa_key.c
> > index 2968fa2..e01bacb 100644
> > --- a/src/l
This is another patch from César Pereida that disables the DH and RSA
non-constant-time flags as well.
ok?
Index: src/crypto/dh/dh.h
===
RCS file: /cvs/src/lib/libssl/src/crypto/dh/dh.h,v
retrieving revision 1.16
diff -u -p -u -p -r1
obably #ifndef
> LIBRESSL_INTERNAL - and failing that should
> we nuke them and bump majors?
>
>
> On Wed, Jun 22, 2016 at 7:44 AM, Brent Cook wrote:
> > This is another patch from César Pereida that disables the DH and RSA
> > non-constan
On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote:
> If we are going to delete it, lets just do so
>
> IMO we can commit this removing the define. bets are we see nothing in
> ports for fallout so lets just blow it away
>
Sounds good, I'll commit this:
Index: src/crypto/dh/dh.h
=
On Sun, Jun 26, 2016 at 12:00:51AM -0500, Brent Cook wrote:
> On Sat, Jun 25, 2016 at 07:19:09PM -0600, Bob Beck wrote:
> > If we are going to delete it, lets just do so
> >
> > IMO we can commit this removing the define. bets are we see nothing in
> > ports for fallou
On Sun, Jun 26, 2016 at 06:26:36AM +, César Pereida wrote:
>
> On Sun, Jun 26, 2016, 8:19 AM Brent Cook wrote:
>
> > Hmm, on second review, something seems odd.
> >
> > César, why does this patch also replace all of the stack-allocated
> > BIGNUM'
On Sun, Jun 26, 2016 at 12:22 PM, Brent Cook wrote:
> On Sun, Jun 26, 2016 at 06:26:36AM +, César Pereida wrote:
> >
> > On Sun, Jun 26, 2016, 8:19 AM Brent Cook wrote:
> >
> > > Hmm, on second review, something seems odd.
> > >
> > > César, w
This is something I noticed while reviewing this report:
https://github.com/libressl-portable/portable/issues/200
In the event of a failure in _rs_allocate for rsx, we still return the
freed memory for rs. Not a huge deal since we subsequently abort in
_rs_init, but it looks strange on its own.
As a precedent, nc has a conversational, specific style of error
reporting when a socketopt fails. With the IPv4/6-specific options, we
refactored the code to the point that the error messages are less
specific and maybe misleading (e.g. setting ToS on an IPv6 socket).
This patch makes the per-add
On systems where we do not have BN_ULLONG (notably Win64), BN_mod_word()
can return incorrect results if the supplied modulus is too big.
Note now that BN_mod_word may fail, like BN_div_word. Handle this
properly and document in the man page.
Thanks to Brian Smith for pointing out these fixes fro
I copied some of the commit text here from BoringSSL, but it's wrong for
LibreSSL it seems.
BN_ULLONG is not defined on all 64-bit systems as far as I can tell. So, this
fix is more widely applicable than Win64 for LibreSSL.
Any comments?
- Brent
> On Jun 30, 2016, at 8:40 AM, Br
sure, this makes it easier to patch in the right path in portable as well
On Thu, Jul 7, 2016 at 7:23 AM, Kinichiro Inoguchi <
kinichiro.inogu...@gmail.com> wrote:
> Hi,
>
> I would like to add error check for CAfile loading
> since some OS doesn't have /etc/ssl/cert.pem.
>
> Best regards,
> Kini
Noted by VS2013, const values should be initialized (though I think
the 'static' should also implicitly zero).
This also removes some unused code that also contained uninitialized
static consts.
ok?
Index: evp/e_chacha20poly1305.c
=
On Tue, Jul 12, 2016 at 6:41 AM, Miod Vallat wrote:
> >> Noted by VS2013, const values should be initialized (though I think
> >> the 'static' should also implicitly zero).
> >
> > this sounds like the compiler doesn't know C?
>
> He is talking about Visual Studio. The C part of that piece of shi
I didn't notice it at first, because the patch wasn't inline, but the union
here needed to be initialized with memset or use a different kind of
initializer.
I went with the memset on top of your patch:
--- bn_nist.c 17 Jul 2016 21:21:40 - 1.16
+++ bn_nist.c 17 Jul 2016 22:00:45 -000
We have released LibreSSL 2.4.2 and 2.3.7, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
LibreSSL 2.4.2 is based on the new OpenBSD 6.0 release branch, and is
now the current stable version. LibreSSL 2.3.7 is based on the previous
OpenBSD 5.9 release, and will
No objection here. Anyone else?
> On Aug 25, 2016, at 8:54 AM, Guenther Niess wrote:
>
> Hi,
>
> is there a reason why the Camellia cipher suits with SHA2 HMAC is not
> supported?
>
> I added them and tested the result with an Nginx server and the s_client
> command.
>
> I would like to have
On Sun, Jul 17, 2016 at 01:32:43PM +0200, Tobias Pape wrote:
> Hi all,
>
> I'm Tobias and fond of using libtls.
> I have a certain use case, where I want to do TLS/SSL but
> can only work with buffers/callbacks and not sockets or FDs.
> In p(l)ain openssl, this is doable, but not nice. Libtls
> doe
On Sun, Sep 04, 2016 at 05:57:54AM -0400, Ted Unangst wrote:
> Brent Cook wrote:
> > @@ -246,14 +252,18 @@ An already existing socket can be upgrad
> > .Fn tls_connect_socket .
> > Alternatively, a secure connection can be established over a pair of
> > existing
>
Thanks!
On Wed, Sep 14, 2016 at 4:48 AM, wrote:
> Hi again,
>
> On 07.09.2016, at 18:08, tob...@netshed.de wrote:
> [..]
> >> On 05.09.2016, at 15:50, bust...@gmail.com wrote:
> >>
> >>> Hey, the typedef came in handy :) Ok bcook@
> >>>
> >>> On Sep 5, 2016, at 11:52 AM, Bob Beck wrote:
> >>>
On Wed, Sep 14, 2016 at 6:41 AM, Tobias Pape wrote:
> Hi
>
> On 14.09.2016, at 13:37, Brent Cook wrote:
>
> >
> > Once the expectations of the callbacks are finalized, this needs a good
> explanation in the manual.
>
>
> Ok, how would I do that best?
>
Looks fine to me. Shall I commit it?
On Thu, Sep 15, 2016 at 2:32 AM, Kinichiro Inoguchi <
kinichiro.inogu...@gmail.com> wrote:
> Sorry, I attached wrong patch file.
> I re-post the patch file again.
>
> On Thu, Sep 15, 2016 at 04:10:55PM +0900, Kinichiro Inoguchi wrote:
> > Hi,
> >
> > I would l
ok
On Sun, Oct 2, 2016 at 12:34 AM, David Gwynne wrote:
> this gets rid of a linker warning.
>
> the impression i get is that EVP_CipherFinal_ex explicitely does
> not do cleanup of the cipher context thing, while EVP_CipherFinal
> could if it wanted to.
>
> ok?
>
> Index: usm.c
> ==
On Sat, Oct 1, 2016 at 7:12 PM, Ted Unangst wrote:
> Kinichiro Inoguchi wrote:
> > I would like to cast the return variable explicitly in tls_load_file().
> > This fix also avoiding Intel C++ compiler "assertion failed" described
> here.
> > https://github.com/libressl-portable/portable/issues/20
On Sun, Oct 02, 2016 at 08:50:39AM -0500, Brent Cook wrote:
> On Sat, Oct 1, 2016 at 7:12 PM, Ted Unangst wrote:
>
> > Kinichiro Inoguchi wrote:
> > > I would like to cast the return variable explicitly in tls_load_file().
> > > This fix also avoiding Intel
> On Oct 7, 2016, at 12:18 PM, Ted Unangst wrote:
>
> Kinichiro Inoguchi wrote:
>> I think this 16 bytes string assignment has boundary issue.
>>
>>static const char sigma[16] = "expand 32-byte k";
>>
>> I found this when I tried to build libressl-portable with MSVC on Windows.
>
> anothe
> On Oct 7, 2016, at 2:52 PM, Otto Moerbeek wrote:
>
> On Fri, Oct 07, 2016 at 02:33:13PM -0500, Brent Cook wrote:
>
>>
>>> On Oct 7, 2016, at 12:18 PM, Ted Unangst wrote:
>>>
>>> Kinichiro Inoguchi wrote:
>>>> I think this 16 bytes
OK bcook@, looks fine for portable too.
> On Nov 4, 2016, at 11:02 AM, Tom Cosgrove
> wrote:
>
Miod Vallat 4-Nov-16 08:53 >>>
>>
>> I386_ONLY was used to prefer a different assembler sequence in the
>> sha512 code, which would be faster on 80386 processors, but slower on
>> 80486 and abov
OK bcook@
On Fri, Dec 2, 2016 at 10:29 AM, Rafael Zalamena
wrote:
> On Sat, Oct 01, 2016 at 07:05:51PM +0200, Rafael Zalamena wrote:
> > The ntpd(8) constraint fork+exec diff changed the way the constraint
> > processes are created, but then it introduced new calloc()s to avoid
> > increasing di
Looks good to me, ok bcook@
On Sat, Dec 31, 2016 at 2:45 PM, Stuart Henderson
wrote:
> Since there wasn't much interest in that (which unbreaks e.g.
> https://www.nginx.com),
> here's a longer diff that syncs with Mozilla's release branch for those CA
> organisations
> which we currently carry.
We have released LibreSSL 2.2.0, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This release is the first from the OpenBSD 5.8 development tree and
features mainly on build system improvements and new OS support.
We have also released LibreSSL 2.1.7, which con
On Mon, Jun 29, 2015 at 1:22 AM, mxb wrote:
> Hey,
>
> getting following error on OpenBSD-current as of yesterdays 'cvs up’:
Does this imply that it worked in some earlier version of
OpenBSD-current? If so, what was the version that worked?
> unable to load Private Key
> 30008934842236:error:090
e interesting to see if you're hitting any of the extra checks added
here:
https://github.com/libressl-portable/openbsd/commit/d1114a9633e1f7004537f5238a5f1f111898ebeb
Would you be comfortable adding some extra output to the various failure points
in EVP_DecodeUpdate to see where we a
We have released LibreSSL 2.2.1, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This release continues from the OpenBSD 5.8 development tree, featuring
expanded OS support, code improvements, and feature removal. Also note
that SSLv3 support has not been remove
On Wed, Jul 8, 2015 at 7:49 AM, Brent Cook wrote:
> We have released LibreSSL 2.2.1, which will be arriving in the
> LibreSSL directory of your local OpenBSD mirror soon.
>
> This release continues from the OpenBSD 5.8 development tree, featuring
> expanded OS support, code im
Up to now, we have only bumped the LIBRESSL_VERSION_TEXT for each
portable release in the portable tree, and the VERSION_NUMBER has never
incremented.
This change establishes a policy of bumping the number for each portable
release, and syncs the version string between the portable and in-tree
rel
This diff converts bzero calls to memset, which is more portable and
compilers can optimize as well.
---
src/usr.sbin/ntpd/client.c | 2 +-
src/usr.sbin/ntpd/config.c | 6 +++---
src/usr.sbin/ntpd/control.c | 2 +-
src/usr.sbin/ntpd/ntp.c | 6 +++---
src/usr.sbin/ntpd/ntpd.c| 4 ++--
sr
/dev/null will be available on any POSIX system, but _PATH_DEVNULL may
not, e.g. Solaris. There doesn't seem to be any advantage to
using the define (and we don't use it much in the tree either.)
http://pubs.opengroup.org/onlinepubs/95399/basedefs/xbd_chap10.html
---
src/usr.sbin/ntpd/ntp.c |
I have posted a test release of LibreSSL-portable 2.2.2 for testing here:
https://github.com/libressl-portable/portable/releases/tag/v2.2.2-test
Let me know if I have missed anything in the Changelog, or if you run into any
issues.
Thanks
- Brent
We have released LibreSSL 2.2.2, which will be arriving in the
LibreSSL directory of your local OpenBSD mirror soon.
This release marks the end of the OpenBSD 5.8 development cycle,
featuring expanded portable build support, code improvements, removal of
obsolete workarounds.
SSLv3 deprecation co
> On Aug 9, 2015, at 10:07 AM, Jan Engelhardt wrote:
>
>> We have released LibreSSL 2.2.2, which will be arriving in the
>> LibreSSL directory of your local OpenBSD mirror soon.
>
> The .pc files in libressl-2.2.2 upset the package mechanisms at hand, in
> particular rpm, where ':' is used to
On Mon, Aug 10, 2015 at 5:10 AM, Mark Kettenis wrote:
> Jan Engelhardt schreef op 2015-08-10 10:29:
>
>> On Monday 2015-08-10 02:38, Brent Cook wrote:
>>>>
>>>> On Aug 9, 2015, at 10:07 AM, Jan Engelhardt wrote:
>>>>
>>>>>
On Wed, Aug 12, 2015 at 1:29 PM, Mark Kettenis wrote:
>> Date: Tue, 11 Aug 2015 09:15:43 -0600
>> From: Bob Beck
>>
>> I'm wondering out loud if these versions should follow the openbsd shlib
>> major minor numbers. That is where we are careful about semantic
>> versioning for api change/add/rem
We have put together a prerelease of LibreSSL 2.2.3. This release
primarily targets a bug that causes connections with some SSL clients
to fail during the initial handshake. Preliminary release notes and a
tarball are available at the following link:
https://github.com/libressl-portable/portable/r
On Wed, Sep 9, 2015 at 10:15 AM, Todd C. Miller
wrote:
> On Wed, 09 Sep 2015 10:02:17 -0400, Lawrence Teo wrote:
>
>> This diff removes redundant defines in two files.
>>
>> In s_socket.c, SOCKET_PROTOCOL is defined as IPPROTO_TCP, but it's only
>> used once.
>
> OK.
>
>> In s_time.c, NO_SHUTDOWN
On Wed, Sep 9, 2015 at 9:43 PM, Lawrence Teo wrote:
> On Wed, Sep 09, 2015 at 11:17:55AM -0500, Brent Cook wrote:
>> On Wed, Sep 9, 2015 at 10:15 AM, Todd C. Miller
>> wrote:
>> > On Wed, 09 Sep 2015 10:02:17 -0400, Lawrence Teo wrote:
>> >> In s_time.c, NO_
I think this is the right thing to do for now. ok bcook@
On Thu, Sep 17, 2015 at 5:19 PM, Stuart Henderson wrote:
> CC'ing tech@.
>
> The last commit to bn_print.c is wrong, it dereferences t while it's still
> NULL.
>
> Backout diff below.
>
>
> On 2015/09/17 22:42, Mikolaj Kucharski wrote:
>>
It be significant that this patch slowed me browser because o' it's length.
Methinks you deserve t' be keelhauled for such transgressions.
U
On Tue, Oct 20, 2015 at 12:12 AM, Jonathan Gray > wrote:
> On Wed, Oct 01, 2014 at 10:53:34AM +0100, Stuart Henderson wrote:
>> On 2014/10/01 19:05, Joel Sing wrote:
>> > > I should also add that the other obvious/easy "fix" is to initialise
digest
>> > > in openssl/req.c to the SHA-256 EVP. Tha
Thank you Jan. This is a good thing to fix, but I had a hard time envisioning a
security issue with it. Will see about backporting it though.
Regards
- Brent
> On Oct 26, 2017, at 6:50 PM, Jan Engelhardt wrote:
>
>
> libressl-2.6.2 is susceptible to an out-of-bounds read:
>
> #include
> in
Thanks guys. This will make enabling this on the odder platforms in
portable easier.
On Fri, Nov 24, 2017 at 7:03 AM, Scott Cheloha
wrote:
> > On Nov 24, 2017, at 6:58 AM, Jeremie Courreges-Anglas
> wrote:
> >
> > On Wed, Nov 22 2017, Scott Cheloha wrote:
> >> Whoops, ignore that last patch, i
Finally getting around to trying out nc on some more platforms for
LibreSSL-portable, and ran into Sun/Oracle's silly definition of 'sun'
in the system headers. OK to rename the local sockaddr_un variables?
Portable contains a patch full of #ifdef's around other systems-specific
nc features (e.g.
Applied, thanks Andreas!
On Sun, Jan 3, 2016 at 7:01 PM, Andreas Bartelt wrote:
> Hello,
>
> the use of certificates for TLS didn't work with nc(1). Fix is attached.
>
> Best regards
> Andreas
This patch set fixes a series of issues flagged by recent versions of clang and
gcc.
Do these look OK?
- Brent
write() warns if its return value is unchecked. Replace with a BIO_write
like all of the surrounding code uses anyway.
---
src/apps/s_server.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/apps/s_server.c b/src/apps/s_server.c
index 51f6b47..fb28489 100644
--- a/src/apps/
clang warning:
pem/pem_lib.c:472:6: error: variable 'i' is used uninitialized whenever 'if'
condition is false
[-Werror,-Wsometimes-uninitialized]
if (o)
^
pem/pem_lib.c:479:7: note: uninitialized use occurs here
j += i;
^
pem/pem_lib.c:472:2: note: r
ASN1_STRING_data returns an unsigned char *, but strlcat's second
parameter is a const char *
---
src/crypto/ts/ts_rsp_verify.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/crypto/ts/ts_rsp_verify.c b/src/crypto/ts/ts_rsp_verify.c
index 2a4c0c5..49754b5 100644
--- a/src/
Neither of these is used anywhere within their object files.
---
src/crypto/ec/ec_lib.c | 3 ---
src/crypto/engine/eng_dyn.c | 3 ---
2 files changed, 6 deletions(-)
diff --git a/src/crypto/ec/ec_lib.c b/src/crypto/ec/ec_lib.c
index 3313573..b8e0e98 100644
--- a/src/crypto/ec/ec_lib.c
+++ b/
with pqueue moving to a private interface, the typedef can occur twice
../include/openssl/dtls1.h:147:25: error: redefinition of typedef 'pqueue' is a
C11 feature [-Werror,-Wtypedef-redefinition]
typedef struct _pqueue *pqueue;
^
../include/pqueue.h:63:25: note: previous d
This is a series of fixes to issues found while building libcrypto regression
tests with -Werror and LIBRESSL_INTERNAL.
Do these look OK?
- Brent
Avoid having to use -I trickery to find public header files included as
though they are private.
---
src/crypto/bn/bn_const.c | 2 +-
src/crypto/chacha/chacha.c | 2 +-
src/crypto/o_init.c| 2 +-
src/crypto/poly1305/poly1305.c | 2 +-
src/crypto/ts/ts_lib.c | 2 +-
sr
include string.h for memcmp
remove unused variables
---
aeswrap/aes_wrap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/aeswrap/aes_wrap.c b/aeswrap/aes_wrap.c
index b5157d7..c3079e3 100644
--- a/aeswrap/aes_wrap.c
+++ b/aeswrap/aes_wrap.c
@@ -10,7 +10,7 @@
* are met
---
ecdh/ecdhtest.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ecdh/ecdhtest.c b/ecdh/ecdhtest.c
index 620424d..ee220dc 100644
--- a/ecdh/ecdhtest.c
+++ b/ecdh/ecdhtest.c
@@ -358,7 +358,7 @@ static int ecdh_kat(BIO *out, const char *cname, int nid,
Ztmplen = (E
Since the random number generator no longer allows being seeded, remove
support for parsing the unused -rand option and the unused random buffer
variables. Better to fail than to be surprised when the RNG seed does not
function as expected.
This fixes compiler warnings about unused random seed var
I totally agree in the general case. BIO is a big pain, and it does seem crazy
to use it for stdio.
However, in this specific case, this file already calls BIO_printf, BIO_puts
and BIO_write to stdout and stderr, in an unchecked manner, several hundred
times. I’m not sure if checking write() ac
1 - 100 of 189 matches
Mail list logo
