Re: [openssl-users] calloc vs kssl_calloc

2016-10-03 Thread Salz, Rich

> This fact was *not* published widely enough to be seen by everyone
> concerned.  It was certainly not published as widely as the fact that SSLeay
> was created and maintained entirely outside the US, and that this was one of
> its major attractions.
> 
> Basically that internal checkin (which I have no idea what is, since I only
> see the released tarballs) or any earlier US code changes would have been a
> watershed change.

Well, I can't go back to 2000 and change things.

You'll have to decide what you want to do now.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] calloc vs kssl_calloc

2016-10-03 Thread Jakob Bohm

On 01/10/2016 23:18, Salz, Rich wrote:

>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
>> changed, it needs a big red banner at the top of the www.openssl.org, every
>> affected source file with the original EAY copyright boilerplate or its OpenSSL
>> clone etc.
>
> As of 1.1.0 every single file has modifications by US Citizens because I
> globally changed the copyright.

Really, I thought the US team dealt exclusively with the FIPS
bureaucracy acting as "cutouts" between US government interests
and the non-US developers, never actually touching the code.

> We are NOT going to mark US/non-US contributions, sorry.
>
> OpenSSL and SSLeay has always had US contributions, it's just that we were done
> indirectly.  For example, "git show eb64730" which was early 2000.

This fact was *not* published widely enough to be seen by
everyone concerned.  It was certainly not published as widely
as the fact that SSLeay was created and maintained entirely
outside the US, and that this was one of its major attractions.

Basically that internal checkin (which I have no idea what is,
since I only see the released tarballs) or any earlier US code
changes would have been a watershed change.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] calloc vs kssl_calloc

2016-10-03 Thread Benjamin Kaduk
On 10/01/2016 03:32 PM, Geoffrey Coram wrote:
> On 09/30/2016 09:29, "Salz, Rich"  wrote:
>>> Is there something more I should do on this issue?  I recall the
>>> OpenSSL terms of use strongly discouraged people from the US from
>>> helping, due to US export restrictions.
>>
>> That's kinda outdated.
>
> That didn't answer my question.  I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?

The general question has been answered already.  In this specific case,
the best thing for you to do would be to test
https://github.com/openssl/openssl/pull/1622 , which I submitted after
making the claim that the calloc usage was "just a bug".

-Ben


Re: [openssl-users] calloc vs kssl_calloc

2016-10-01 Thread Jeffrey Walton
On Sat, Oct 1, 2016 at 5:18 PM, Salz, Rich  wrote:
>
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
>> changed, it needs a big red banner at the top of the www.openssl.org, every
>> affected source file with the original EAY copyright boilerplate or its
>> OpenSSL clone etc.
>
> We are NOT going to mark US/non-US contributions, sorry.

That's kind of a new twist on "Authentication is not X". For Java and
Web Apps, it's "Authentication is not Authorizations" (Sandboxes and
Secure Contexts). For Git it's "Authentication is not Code Integrity"
(Commit Signing).

In the new case, I think it's "Authentication is not Lawfulness". Or
is it Lawlessness?

Jeff


Re: [openssl-users] calloc vs kssl_calloc

2016-10-01 Thread Salz, Rich

> However there are very many OpenSSL users (myself included) who rely on
> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
> changed, it needs a big red banner at the top of the www.openssl.org, every
> affected source file with the original EAY copyright boilerplate or its
> OpenSSL clone etc.

As of 1.1.0 every single file has modifications by US Citizens because I 
globally changed the copyright.

We are NOT going to mark US/non-US contributions, sorry.

OpenSSL and SSLeay has always had US contributions, it's just that we were done 
indirectly.  For example, "git show eb64730" which was early 2000.



Re: [openssl-users] calloc vs kssl_calloc

2016-10-01 Thread Salz, Rich

> That didn't answer my question.  I reported a bug, I'm not a developer / on
> the developer list; will someone else take this, or is there some bug database
> that I should enter an issue into?

As it says in https://www.openssl.org/community/, email it to r...@openssl.org

It also says this in the README.


Re: [openssl-users] calloc vs kssl_calloc

2016-10-01 Thread Jeffrey Walton
On Sat, Oct 1, 2016 at 4:32 PM, Geoffrey Coram  wrote:
> I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?

If it's an OpenSSL bug, then I believe you send an email to
r...@openssl.org along with the details. OpenSSL makes it easy on folks.

Also see Item 17 in the FAQ: "I think I've found a bug, what should I
do?", http://www.openssl.org/docs/faq.html#BUILD17.


Re: [openssl-users] calloc vs kssl_calloc

2016-10-01 Thread Geoffrey Coram
On 09/30/2016 09:29, "Salz, Rich"  wrote:
>
> > Is there something more I should do on this issue?  I recall the
> > OpenSSL terms of use strongly discouraged people from the US from
> > helping, due to US export restrictions.
> 
> That's kinda outdated.


That didn't answer my question.  I reported a bug, I'm not a developer
/ on the developer list; will someone else take this, or is there some
bug database that I should enter an issue into?


Re: [openssl-users] calloc vs kssl_calloc

2016-09-30 Thread Jakob Bohm

On 30/09/2016 15:29, Salz, Rich wrote:

>> Is there something more I should do on this issue?  I recall the OpenSSL terms
>> of use strongly discouraged people from the US from helping, due to US export
>> restrictions.
>
> That's kinda outdated.

However there are very many OpenSSL users (myself included)
who rely on the legal status of OpenSSL/SSLeay as having no
US origin parts.  If this has changed, it needs a big red
banner at the top of the www.openssl.org, every affected
source file with the original EAY copyright boilerplate or
its OpenSSL clone etc.

For example, this affects how the use of OpenSSL should be
declared on various customs forms with respect to US export
restrictions and embargoes.

It is also a legal reason to avoid the BoringSSL US clone
and to some extent the LibreSSL Canadian clone.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded



Re: [openssl-users] calloc vs kssl_calloc

2016-09-30 Thread Salz, Rich
> Is there something more I should do on this issue?  I recall the OpenSSL 
> terms of use strongly discouraged people from the US from helping, due to US 
> export restrictions. 

That's kinda outdated.


Re: [openssl-users] calloc vs kssl_calloc

2016-09-30 Thread Geoffrey Coram
On Mon, Sep 26, 2016 at 12:11 PM, Benjamin Kaduk  wrote:

> On 09/26/2016 11:01 AM, Salz, Rich wrote:
>
>> Kssl_calloc calls openssl_malloc which means the data must be free'd with
>> openssl_free. And in debug builds any non-free'd data is a leak and reported.
>> On line 875 the data is allocated and never free'd, so it skips the leak
>> detection.  In some of those other places, perhaps it's because the KRB API
>> needs something it can free or realloc?  I'm not sure.
>
> It doesn't look like the allocated memory is used as input to a krb5
> routine, so I think it's just a bug.

Is there something more I should do on this issue?  I recall the OpenSSL
terms of use strongly discouraged people from the US from helping, due to
US export restrictions.


Re: [openssl-users] calloc vs kssl_calloc

2016-09-26 Thread Geoffrey Coram
On 09/26/2016 12:11, Benjamin Kaduk  wrote:
>
> On 09/26/2016 11:01 AM, Salz, Rich wrote:
> > Kssl_calloc calls openssl_malloc which means the data must be
> > free'd with openssl_free. And in debug builds any non-free'd data is
> > a leak and reported.  On line 875 the data is allocated and never
> > free'd, so it skips the leak detection.  In some of those other
> > places, perhaps it's because the KRB API needs something it can free
> > or realloc?  I'm not sure.
> >
> 
> It doesn't look like the allocated memory is used as input to a krb5
> routine, so I think it's just a bug.
> 
> -Ben

As it turns out, that wasn't the code that was giving me trouble in my
application.

Instead, it's the code in crypto\LPdir_win.c, which is included via 
crypto\LPdir_wince.c, which is included in crypto\o_dir.c

I found a portability tip on the web that says not to use malloc or 
calloc in Windows CE applications.  (Actually, Google found me a 
result in the book "Making Win32 Applications Mobile" by Nancy 
Nicolaisen.)

I've cc'ed Richard Levitte, who is credited for LPdir_win.c, perhaps 
he can comment on whether LocalAlloc would be an appropriate 
replacement.

Thanks.



Re: [openssl-users] calloc vs kssl_calloc

2016-09-26 Thread Benjamin Kaduk
On 09/26/2016 11:01 AM, Salz, Rich wrote:
> Kssl_calloc calls openssl_malloc which means the data must be free'd with
> openssl_free. And in debug builds any non-free'd data is a leak and reported.
> On line 875 the data is allocated and never free'd, so it skips the leak
> detection.  In some of those other places, perhaps it's because the KRB API
> needs something it can free or realloc?  I'm not sure.
>

It doesn't look like the allocated memory is used as input to a krb5
routine, so I think it's just a bug.

-Ben


Re: [openssl-users] calloc vs kssl_calloc

2016-09-26 Thread Salz, Rich
Kssl_calloc calls openssl_malloc which means the data must be free'd with
openssl_free. And in debug builds any non-free'd data is a leak and reported.
On line 875 the data is allocated and never free'd, so it skips the leak
detection.  In some of those other places, perhaps it's because the KRB API
needs something it can free or realloc?  I'm not sure.

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
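
An added illustration of the allocator-pairing point in the message above (not code from OpenSSL or from anyone in this thread): a toy tracked allocator shows that a block obtained from plain `calloc()` never appears in the tracker's count, and that releasing such a block through the tracked free skews that count. The names `tracked_malloc`, `tracked_free`, `tracked_calloc` and `live_blocks` are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a library's tracked allocator (not OpenSSL code). */
static long live_blocks = 0;  /* what a debug-build leak report would count */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) live_blocks++;
    return p;
}

static void tracked_free(void *p) {
    if (p != NULL) live_blocks--;
    free(p);
}

/* calloc-style wrapper layered on the tracked allocator. */
static void *tracked_calloc(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) return NULL;  /* nmemb*size overflow */
    void *p = tracked_malloc(nmemb * size);
    if (p != NULL) memset(p, 0, nmemb * size);
    return p;
}

/* How many outstanding blocks the tracker sees while one block is still held. */
static long outstanding_seen(int use_wrapper) {
    long before = live_blocks;
    void *p = use_wrapper ? tracked_calloc(1, 64) : calloc(1, 64);
    long seen = live_blocks - before;  /* a leak report would be taken here */
    if (use_wrapper) tracked_free(p); else free(p);  /* matching release */
    return seen;
}

/* Releasing a plain calloc() block through the tracked free skews the count. */
static long skew_after_mixed_free(void) {
    long before = live_blocks;
    tracked_free(calloc(1, 64));
    return live_blocks - before;
}

int main(void) {
    printf("plain calloc held:   tracker sees %ld\n", outstanding_seen(0));
    printf("tracked calloc held: tracker sees %ld\n", outstanding_seen(1));
    printf("mixed free skew:     %ld\n", skew_after_mixed_free());
    return 0;
}
```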

