Re: [openssl-users] calloc vs kssl_calloc
> This fact was *not* published widely enough to be seen by everyone
> concerned. It was certainly not published as widely as the fact that SSLeay
> was created and maintained entirely outside the US, and that this was one of
> its major attractions.
>
> Basically that internal checkin (which I have no idea what is, since I only
> see the released tarballs) or any earlier US code changes would have been a
> watershed change.

Well, I can't go back to 2000 and change things. You'll have to decide what you want to do now.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] calloc vs kssl_calloc
On 01/10/2016 23:18, Salz, Rich wrote:
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts. If this
>> has changed, it needs a big red banner at the top of the www.openssl.org,
>> every affected source file with the original EAY copyright boilerplate or
>> its OpenSSL clone etc.
>
> As of 1.1.0 every single file has modifications by US Citizens because I
> globally changed the copyright.

Really, I thought the US team dealt exclusively with the FIPS bureaucracy acting as "cutouts" between US government interests and the non-US developers, never actually touching the code.

> We are NOT going to mark US/non-US contributions, sorry.
>
> OpenSSL and SSLeay has always had US contributions, it's just that we were
> done indirectly. For example, "git show eb64730" which was early 2000.

This fact was *not* published widely enough to be seen by everyone concerned. It was certainly not published as widely as the fact that SSLeay was created and maintained entirely outside the US, and that this was one of its major attractions.

Basically that internal checkin (which I have no idea what is, since I only see the released tarballs) or any earlier US code changes would have been a watershed change.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: [openssl-users] calloc vs kssl_calloc
On 10/01/2016 03:32 PM, Geoffrey Coram wrote:
> On 09/30/2016 09:29, "Salz, Rich" wrote:
>>> Is there something more I should do on this issue? I recall the
>>> OpenSSL terms of use strongly discouraged people from the US from
>>> helping, due to US export restrictions.
>>
>> That's kinda outdated.
>
> That didn't answer my question. I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?

The general question has been answered already. In this specific case, the best thing for you to do would be to test https://github.com/openssl/openssl/pull/1622 , which I submitted after making the claim that the calloc usage was "just a bug".

-Ben

Re: [openssl-users] calloc vs kssl_calloc
On Sat, Oct 1, 2016 at 5:18 PM, Salz, Rich wrote:
>
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts. If this
>> has changed, it needs a big red banner at the top of the www.openssl.org,
>> every affected source file with the original EAY copyright boilerplate or
>> its OpenSSL clone etc.
>
> We are NOT going to mark US/non-US contributions, sorry.

That's kind of a new twist on "Authentication is not X". For Java and Web Apps, it's "Authentication is not Authorizations" (Sandboxes and Secure Contexts). For Git it's "Authentication is not Code Integrity" (Commit Signing). In the new case, I think it's "Authentication is not Lawfulness". Or is it Lawlessness?

Jeff

Re: [openssl-users] calloc vs kssl_calloc
> However there are very many OpenSSL users (myself included) who rely on
> the legal status of OpenSSL/SSLeay as having no US origin parts. If this
> has changed, it needs a big red banner at the top of the www.openssl.org,
> every affected source file with the original EAY copyright boilerplate or
> its OpenSSL clone etc.

As of 1.1.0 every single file has modifications by US Citizens because I globally changed the copyright.

We are NOT going to mark US/non-US contributions, sorry.

OpenSSL and SSLeay has always had US contributions, it's just that we were done indirectly. For example, "git show eb64730" which was early 2000.

Re: [openssl-users] calloc vs kssl_calloc
> That didn't answer my question. I reported a bug, I'm not a developer / on
> the developer list; will someone else take this, or is there some bug
> database that I should enter an issue into?

As it says in https://www.openssl.org/community/, email it to r...@openssl.org

It also says this in the README.

Re: [openssl-users] calloc vs kssl_calloc
On Sat, Oct 1, 2016 at 4:32 PM, Geoffrey Coram wrote:
> I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?

If it's an OpenSSL bug, then I believe you send an email to r...@openssl.org along with the details. OpenSSL makes it easy on folks.

Also see Item 17 in the FAQ: "I think I've found a bug, what should I do?", http://www.openssl.org/docs/faq.html#BUILD17.

Re: [openssl-users] calloc vs kssl_calloc
On 09/30/2016 09:29, "Salz, Rich" wrote:
>
>> Is there something more I should do on this issue? I recall the
>> OpenSSL terms of use strongly discouraged people from the US from
>> helping, due to US export restrictions.
>
> That's kinda outdated.

That didn't answer my question. I reported a bug, I'm not a developer / on the developer list; will someone else take this, or is there some bug database that I should enter an issue into?

Re: [openssl-users] calloc vs kssl_calloc
On 30/09/2016 15:29, Salz, Rich wrote:
>> Is there something more I should do on this issue? I recall the OpenSSL
>> terms of use strongly discouraged people from the US from helping, due
>> to US export restrictions.
>
> That's kinda outdated.

However there are very many OpenSSL users (myself included) who rely on the legal status of OpenSSL/SSLeay as having no US origin parts. If this has changed, it needs a big red banner at the top of the www.openssl.org, every affected source file with the original EAY copyright boilerplate or its OpenSSL clone etc.

For example, this affects how the use of OpenSSL should be declared on various customs forms with respect to US export restrictions and embargoes. It is also a legal reason to avoid the BoringSSL US clone and to some extent the LibreSSL Canadian clone.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: [openssl-users] calloc vs kssl_calloc
> Is there something more I should do on this issue? I recall the OpenSSL
> terms of use strongly discouraged people from the US from helping, due to
> US export restrictions.

That's kinda outdated.

Re: [openssl-users] calloc vs kssl_calloc
On Mon, Sep 26, 2016 at 12:11 PM, Benjamin Kaduk wrote:
> On 09/26/2016 11:01 AM, Salz, Rich wrote:
>> Kssl_calloc calls openssl_malloc which means the data must be free'd with
>> openssl_free. And in debug builds any non-free'd data is a leak and
>> reported. On line 875 the data is allocated and never free'd, so it skips
>> the leak detection. In some of those other places, perhaps it's because
>> the KRB API needs something it can free or realloc? I'm not sure.
>>
>
> It doesn't look like the allocated memory is used as input to a krb5
> routine, so I think it's just a bug.
>

Is there something more I should do on this issue? I recall the OpenSSL terms of use strongly discouraged people from the US from helping, due to US export restrictions.

Re: [openssl-users] calloc vs kssl_calloc
On 09/26/2016 12:11, Benjamin Kaduk wrote:
>
> On 09/26/2016 11:01 AM, Salz, Rich wrote:
>> Kssl_calloc calls openssl_malloc which means the data must be
>> free'd with openssl_free. And in debug builds any non-free'd data is
>> a leak and reported. On line 875 the data is allocated and never
>> free'd, so it skips the leak detection. In some of those other
>> places, perhaps it's because the KRB API needs something it can free
>> or realloc? I'm not sure.
>>
>
> It doesn't look like the allocated memory is used as input to a krb5
> routine, so I think it's just a bug.
>
> -Ben

As it turns out, that wasn't the code that was giving me trouble in my application. Instead, it's the code in crypto\LPdir_win.c, which is included via crypto\LPdir_wince.c, which is included in crypto\o_dir.c.

I found a portability tip on the web that says not to use malloc or calloc in Windows CE applications. (Actually, Google found me a result in the book "Making Win32 Applications Mobile" by Nancy Nicolaisen.)

I've cc'ed Richard Levitte, who is credited for LPdir_win.c, perhaps he can comment on whether LocalAlloc would be an appropriate replacement.

Thanks.

Re: [openssl-users] calloc vs kssl_calloc
On 09/26/2016 11:01 AM, Salz, Rich wrote:
> Kssl_calloc calls openssl_malloc which means the data must be free'd with
> openssl_free. And in debug builds any non-free'd data is a leak and
> reported. On line 875 the data is allocated and never free'd, so it skips
> the leak detection. In some of those other places, perhaps it's because
> the KRB API needs something it can free or realloc? I'm not sure.
>

It doesn't look like the allocated memory is used as input to a krb5 routine, so I think it's just a bug.

-Ben

Re: [openssl-users] calloc vs kssl_calloc
Kssl_calloc calls openssl_malloc which means the data must be free'd with openssl_free. And in debug builds any non-free'd data is a leak and reported. On line 875 the data is allocated and never free'd, so it skips the leak detection. In some of those other places, perhaps it's because the KRB API needs something it can free or realloc? I'm not sure.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
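
The leak-accounting point made in the first message of this thread, shown as an added example that is not part of the original posts and is not OpenSSL code: a block obtained with plain calloc is invisible to a tracking allocator, while a calloc wrapper built on the tracked allocator is counted. The `trk_*` functions and the `live_blocks` counter are hypothetical stand-ins.

```c
/* Added illustration: trk_* names are hypothetical, not OpenSSL's API. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static size_t live_blocks;          /* what the leak checker can see */

/* Stand-in for a library allocator that records every live block. */
static void *trk_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) live_blocks++;
    return p;
}

/* Must be paired with trk_malloc/trk_calloc, never with plain malloc. */
static void trk_free(void *p) {
    if (p == NULL) return;
    live_blocks--;
    free(p);
}

/* calloc built on the tracked allocator: zeroed, overflow-checked. */
static void *trk_calloc(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) return NULL;
    void *p = trk_malloc(nmemb * size);
    if (p != NULL) memset(p, 0, nmemb * size);
    return p;
}

/* How many unfreed blocks does the checker see after each kind of call? */
static size_t visible_after_raw_calloc(void) {
    void *p = calloc(4, 16);        /* bypasses the tracker entirely */
    size_t seen = live_blocks;      /* a forgotten free() here goes unreported */
    free(p);                        /* released only to keep the demo clean */
    return seen;
}

static size_t visible_after_tracked_calloc(void) {
    void *p = trk_calloc(4, 16);
    size_t seen = live_blocks;      /* a forgotten trk_free() would be reported */
    trk_free(p);
    return seen;
}

int main(void) {
    printf("raw calloc:     %zu block(s) visible\n", visible_after_raw_calloc());
    printf("tracked calloc: %zu block(s) visible\n", visible_after_tracked_calloc());
    return 0;
}
```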