David Benjamin
David Benjamin
@paulidale That's not quite right. Or, at least, it doesn't match what the algorithms do. It does seem to match OpenSSL's `BN_FLG_CONSTTIME` checks, but that seems to be a mistake...
Looks like the mixup came from https://github.com/openssl/openssl/pull/4477
We've found [Intel SDE](https://www.intel.com/content/www/us/en/developer/articles/tool/software-development-emulator.html) to be extremely useful for this thing. (To the point that we even run it in CI.) I'd suggest getting that out and running through the...
On a phone so I can't look it up easily, but we just use the flags that tell it to simulate a particular CPU model and run through a bunch...
It looks like a problem with the server, not the OpenSSL incant. If it were an SSLv3 host, you would not expect ERR_CONNECTION_RESET in Chrome. Minimum versions are enforced by...
Is the proposal to make CORS depend on Cookie and Authorization header? Did you have an implementation in mind? I also don't see how that could work in, say, Chromium....
That sounds reasonable. I think I would prefer links to magic URLs, even if short. Then you will forget which URLs are important and people who need them will forget...
> Please add the comment string # v8.2 after each new defintion in codec.txt before merging. Done. > There are upcoming changes to prepare the codec for new versions of...
> Sorry, I think you meant that BoringSSL emulates instructions not on your CI's host machines didn't you? After DynamoRIO tells you which instructions are not supported on the h/w....
ASan should be able to check both of these without reaching into BoringSSL's private structures (unsupported). If you over-decrement, ASan will report a UAF. If you under-decrement, ASan will report...