[Cryptography] LibreSSL unaffected by DROWN

Georgi Guninski guninski at guninski.com
Wed Mar 2 22:10:44 PST 2016


On Wed, Mar 02, 2016 at 10:27:44PM -0500, grarpamp wrote:
> > Theo is an avid marketer, the reality is a bit more complex.
> 
> So then where is the link to an independant website which
> stays current and puts say Libre 2.2.[x] and Open 1.0.2[x]
> side by side in a feature / protocol / api review table?

Both share usage of a lot of if(0) {label:}, what C experts say
about this?

in libressl 2.3.2 (latest as of now) and openssl 1.0.1p 
(and probably later) in ssl/s3_clnt.c

984:  if (CBS_len(&cert_list) < 3)
         goto truncated;


1657:     if (0) {
truncated:
        SSLerr(SSL_F_SSL3_GET_CERTIFICATE_REQUEST,
            SSL_R_BAD_PACKET_LENGTH);
    }
    
Some more info on my blog:
https://j.ludost.net/blog/archives/2016/03/02/literate_programming_in_c_if0/index.html




More information about the cypherpunks mailing list