search for: boringssl

...sing client authentication. This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project. Note ==== As per our previous announcements and our Release Strategy (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions 1.0.0 and 0.9.8 will cease on 31st December 2015. No security updates for these releases will be p...

...'m sure this is good for RHEL/rawhide users who care about FIPS, > > > Portable OpenSSH won't be able to merge this. We explictly aim to support > > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the > > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that > > > I'd describe as "best effort"). > > > > > > If this changes we can look again. > > > > Yes, we understand and respect your choice. > > Would it be acceptable in any form being wrapped in necessary #ifdefs...

I am trying to cross compile an assembly file using clang but with " -fno-integrated-as" so that clang does not use its own assembler. Clangs calls the command: /usr/bin/aarch64-linux-gnu-as -o Myfile.o Myfile.s but it fails because of missing *-march=armv8-a+crypto *which is required to build build my source file Myfile.s I am passing "-march=armv8-a+crypto" to clang command

It would be great if anyone can share your thoughts about the cause and possibly fix of the error below ? I would like to know why it is caused and how it can be fixed (if possible) ? The error message is: ~/llvm/build/install_android/linux-x86/clang-3688880/bin/ld.lld: error: external/boringssl/linux-aarch64/crypto/sha/sha1-armv8.S:1202: can't create dynamic relocation R_AARCH64_PREL64 against symbol 'OPENSSL_armcap_P' defined in out/target/product/hikey/obj/STATIC_LIBRARIES/libcrypto_ intermediates/libcrypto.a(sha1-armv8.o) clang-5.0: error: linker command failed with exit co...

...no-dwarf-directory-asm -fdebug-compilation-dir ./out/Release -ferror-limit 19 -fmessage-length 205 -fallow-half-arguments-and-returns -fno-signed-char -fobjc-runtime=gcc -fdiagnostics-show-option -fcolor-diagnostics -vectorize-loops -vectorize-slp -o MyFile.s -x assembler-with-cpp ../../third_party/boringssl/linux-aarch64/crypto/modes/MyFile.S clang -cc1 version 3.8.0 based upon LLVM 3.8.0svn default target x86_64-unknown-linux-gnu #include "..." search starts here: #include <...> search starts here: gen ../../third_party/boringssl/src/include ../lib/clang/3.8.0/include ./debian_jess...

...he change is needed for the new API. While I'm sure this is good for RHEL/rawhide users who care about FIPS, Portable OpenSSH won't be able to merge this. We explictly aim to support LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that I'd describe as "best effort"). If this changes we can look again. -d

...the new API. > > While I'm sure this is good for RHEL/rawhide users who care about FIPS, > Portable OpenSSH won't be able to merge this. We explictly aim to support > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that > I'd describe as "best effort"). > > If this changes we can look again. Yes, we understand and respect your choice. Would it be acceptable in any form being wrapped in necessary #ifdefs ? -- Dmitry Belyavskiy

...This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. > > OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d > OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p > > This issue was reported to OpenSSL on 24th June 2015 by Adam Langley/David > Benjamin (Google/BoringSSL). The fix was developed by the BoringSSL project. > > Note > ==== > > As per our previous announcements and our Release Strategy > (https://www.openssl.org/about/releasestrat.html), support for OpenSSL versions > 1.0.0 and 0.9.8 will cease on 31st December 2015. No security upd...

...t; > While I'm sure this is good for RHEL/rawhide users who care about FIPS, > > Portable OpenSSH won't be able to merge this. We explictly aim to support > > LibreSSL's libcrypto as well as openssl-1.1.x and neither supports the > > OSSL_PARAM_BLD API (neither does BoringSSL, though our support for that > > I'd describe as "best effort"). > > > > If this changes we can look again. > > Yes, we understand and respect your choice. > Would it be acceptable in any form being wrapped in necessary #ifdefs ? No, I think it would be to...

...possibly fix of the error below ? > > > > I would like to know why it is caused and how it can be fixed (if > possible) > > ? > > > > The error message is: > > > > ~/llvm/build/install_android/linux-x86/clang-3688880/bin/ld.lld: error: > > external/boringssl/linux-aarch64/crypto/sha/sha1-armv8.S:1202: can't > create > > dynamic relocation R_AARCH64_PREL64 against symbol 'OPENSSL_armcap_P' > > defined in > > out/target/product/hikey/obj/STATIC_LIBRARIES/libcrypto_ > intermediates/libcrypto.a(sha1-armv8.o) > > cl...

CentOS-6.6 We have sshd chroot working, mostly, for a particular groupid. However, we have two things that remain u/s, no doubt due to some omission on my part. Basically, we would like our users to be able to tunnel their https over the ssh connection to this server and be able to do X11 forwarding as well. At the moment both work when the user connects without chroot and neither works if

On 9/12/19 5:06 AM, David Zarzycki via llvm-dev wrote: I think adding a builtin to force CMOV or similar instructions on other architectures is long overdue. It’s generally useful, even if one isn’t mitigating speculative execution. I believe that you can currently get this effect using __builtin_unpredictable in Clang. __builtin_unpredictable wasn't added for this purpose, and it's a

...nd part of that will involve adding support to LLVM as well, so I suspect he'd be interested in this topic as well. Not sure what the timelines on any of our lpans are at this point though, so can't really promise much. > > For now, I'd really suggest using the techniques used by BoringSSL and OpenSSL. Sadly, these predominantly rely on assembly. They do have some constructs to use C/C++ code and ensure it remains data-invariant, but it isn't because the constructs are actually reliable. Instead, they have testing infrastructure that they continually run and that checks the speci...

...cherry-pick / rebase and merge with no merge commit): unfortunately loses the review information. - Gerrit: developers cannot merge directly, instead they use the web interface to submit a change. This will add a "Reviewed-on" link that references the review. (Used by Wireshark, Qt, boringssl, etc.) Projects that are use mailing lists to review patches (like Linux and QEMU) commonly include a Message-Id tag in the commit message that references the original mailing list discussion. The curl project also uses Github for reviews, but encourages developers with push permissions to manual...

On Mon, 14 Nov 2016, Jakub Jelen wrote: > Thank you for the comments. I understand the upstream directions and > that the OpenSSL step is not ideal. The distros will probably have to > carry these patches until the changes will settle down a bit. AFAIK Red Hat employs at least one OpenSSL maintainer. What is their view on this situation? > Other possible solution we were discussing

Hi OpenSSH mailing list, I would like to announce the newly introduced patch in Fedora rawhide [0] for FIPS compliance efforts. The change will be introduced in an upcoming RHEL 9 version. The patch targets OpenSSL support of OpenSSH, specifically the usage of old low level API. The new OpenSSL version 3.0 introduces a FIPS module (going through FIPS 140-2 validation and to be FIPS 140-3

On Mon, Oct 16, 2017 at 12:40:54AM +0200, Ingo Schwarze wrote: > Colin Watson wrote on Sun, Oct 15, 2017 at 10:51:46PM +0100: > > Is it actually a requirement that an API compatibility layer be > > maintained by the OpenSSL team, or could a hypothetical group of > > external developers interested in breaking this stalemate fork > > openssl-compat.tar.gz, stick it in a

...hat/openssh.spec, removing deprecated options and syntax. * configure: allow --without-ssl-engine with --without-openssl * sshd(8): fix multiple authentication using S/Key. bz#2502 * sshd(8): read back from libcrypto RAND_* before dropping privileges. Avoids sandboxing violations with BoringSSL. * Fix name collision with system-provided glob(3) functions. bz#2463 * Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459 * configure: correct default value for --with-ssh1 bz#2457 * configure: better detection of _res symbol bz#2259 * support getrandom() sysca...

Oh, I'm completely in favor of making bad commits much less likely. I simply think there is a decent solution between "let everything in" and "don't let everything in unless its proven to work everywhere" that gets 90% of the improvement. The complexity of guaranteeing a buildable branch is high. If someone wants to take that on, great! I just don't think we

...hat/openssh.spec, removing deprecated options and syntax. * configure: allow --without-ssl-engine with --without-openssl * sshd(8): fix multiple authentication using S/Key. bz#2502 * sshd(8): read back from libcrypto RAND_* before dropping privileges. Avoids sandboxing violations with BoringSSL. * Fix name collision with system-provided glob(3) functions. bz#2463 * Adapt Makefile to use ssh-keygen -A when generating host keys. bz#2459 * configure: correct default value for --with-ssh1 bz#2457 * configure: better detection of _res symbol bz#2259 * support getrandom() sysca...