RE: RAND function using OpenSSL 0.9.7 (A Solution)

2002-07-22 Thread Frederic DONNAT

Hi,


I've tested it with Apache-2.0.39 using openssl-0.9.7-beta2, on linux Mdk-8.0.
kernel 2.4.3-20mdk
gcc version 2.96
Initializing the engine before the library enables RAND redirection.
That works fine for me.
file: modules/ssl/ssl_engine_init.c

Regards,
Fred


-Original Message-
From:   Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent:   Mon 07/15/2002 10:22 PM
To: [EMAIL PROTECTED]
Cc: 
Subject:    Re: RAND function using OpenSSL 0.9.7 (A Solution)

On Mon, 15 Jul 2002, Geoff Thorpe wrote:

> > I changed a function call and it works fine now. I do not know if this is
> > the real way to solve my problem but this provides a solution.
> >
> > In file pkg.modssl/ssl_engine_int.c:
> > move "ssl_init_Engine(s, p);" function call before
> > "ssl_init_SSLLibrary();" function call instead of after.
> >
> > In fact if you want to use ENGINE default functionalities you must set
> > ENGINE before everything.
>
> That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must
> be seeding the PRNG, and thus initialising the set-on-first-use pointer in
> openssl to a default RAND_METHOD. Do you want to post a patch to the list?

Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify
for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.

--Cliff


Index: ssl_engine_init.c
===
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.102
diff -u -d -r1.102 ssl_engine_init.c
--- ssl_engine_init.c   8 Jul 2002 17:43:33 -   1.102
+++ ssl_engine_init.c   15 Jul 2002 20:22:13 -
@@ -266,6 +266,11 @@

 }

+#ifdef SSL_EXPERIMENTAL_ENGINE
+/* SSL external crypto device ("engine") support */
+ssl_init_Engine(base_server, p);
+#endif
+
 ssl_init_SSLLibrary(base_server);

 #if APR_HAS_THREADS
@@ -290,13 +295,6 @@
 if (ssl_tmp_keys_init(base_server)) {
 return !OK;
 }
-
-/*
- * SSL external crypto device ("engine") support
- */
-#ifdef SSL_EXPERIMENTAL_ENGINE
-ssl_init_Engine(base_server, p);
-#endif

 /*
  * initialize the mutex handling


__
Apache Interface to OpenSSL (mod_ssl)   www.modssl.org
User Support Mailing List  [EMAIL PROTECTED]
Automated List Manager[EMAIL PROTECTED]





Re: RAND function using OpenSSL 0.9.7 (A Solution)

2002-07-15 Thread Cliff Woolley

On Mon, 15 Jul 2002, Geoff Thorpe wrote:

> > I changed a function call and it works fine now. I do not know if this is
> > the real way to solve my problem but this provides a solution.
> >
> > In file pkg.modssl/ssl_engine_int.c:
> > move "ssl_init_Engine(s, p);" function call before
> > "ssl_init_SSLLibrary();" function call instead of after.
> >
> > In fact if you want to use ENGINE default functionalities you must set
> > ENGINE before everything.
>
> That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must
> be seeding the PRNG, and thus initialising the set-on-first-use pointer in
> openssl to a default RAND_METHOD. Do you want to post a patch to the list?

Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify
for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.

--Cliff


Index: ssl_engine_init.c
===
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.102
diff -u -d -r1.102 ssl_engine_init.c
--- ssl_engine_init.c   8 Jul 2002 17:43:33 -   1.102
+++ ssl_engine_init.c   15 Jul 2002 20:22:13 -
@@ -266,6 +266,11 @@

 }

+#ifdef SSL_EXPERIMENTAL_ENGINE
+/* SSL external crypto device ("engine") support */
+ssl_init_Engine(base_server, p);
+#endif
+
 ssl_init_SSLLibrary(base_server);

 #if APR_HAS_THREADS
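Review bot: the comment added above `ssl_init_Engine(base_server, p);` says what the call is for but not why it now has to precede `ssl_init_SSLLibrary(base_server);`, which is the whole point of the move; without that, a later cleanup can reorder it back and silently reintroduce the software RAND fallback. Suggest extending it, e.g. `/* SSL external crypto device ("engine") support; must run before ssl_init_SSLLibrary() seeds the PRNG, which latches the default RAND_METHOD */`. Also confirm that ssl_init_Engine() needs nothing that ssl_init_SSLLibrary() sets up, since it now runs first.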
@@ -290,13 +295,6 @@
 if (ssl_tmp_keys_init(base_server)) {
 return !OK;
 }
-
-/*
- * SSL external crypto device ("engine") support
- */
-#ifdef SSL_EXPERIMENTAL_ENGINE
-ssl_init_Engine(base_server, p);
-#endif

 /*
  * initialize the mutex handling
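Review bot: with this block gone, engine initialisation no longer follows `ssl_tmp_keys_init(base_server)`, so the temporary key generation in that call, which previously ran with the software RAND, now runs with the engine's RAND method when one is configured; that is the intended effect of the patch but it is worth stating in the commit message. The three-line comment block removed here became a one-line comment at the new site; keep one comment style within the file.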





Re: RAND function using OpenSSL 0.9.7 (A Solution)

2002-07-15 Thread Geoff Thorpe

Hi Fred,

I was just starting to wonder what might be behind all this when you hit
the nail on the head.

On Mon, 15 Jul 2002, Frederic DONNAT wrote:

> I changed a function call and it works fine now. I do not know if this is
> the real way to solve my problem but this provides a solution.
>
> In file pkg.modssl/ssl_engine_int.c:
> move "ssl_init_Engine(s, p);" function call before
> "ssl_init_SSLLibrary();" function call instead of after.
>
> In fact if you want to use ENGINE default functionalities you must set
> ENGINE before everything.

That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must
be seeding the PRNG, and thus initialising the set-on-first-use pointer in
openssl to a default RAND_METHOD. Do you want to post a patch to the list?
I suggest "diff -u", I suggest a subject starting with "[PATCH]", and I
suggest you CC Ralf. Otherwise, things have a way of slipping through the
net. (Resists temptation to harp on about the simple but important session
caching bug, read "potential security problem", that Ralf still hasn't
incorporated despite me repeatedly harping on about it ...)

Cheers,
Geoff


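A constructed C model of the set-on-first-use behaviour Geoff describes, added here as an illustration and not taken from the thread, mod_ssl or OpenSSL: the first seed or draw latches whichever RAND method is available at that moment, so registering the engine after `ssl_init_SSLLibrary()` has seeded the PRNG leaves the software method in place, while registering it first (the reordering Fred made, and the same ordering he needed in s_client) gives the engine's method. Names prefixed `model_` and the two stand-in methods are assumptions, not OpenSSL API.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of OpenSSL 0.9.7's set-on-first-use RAND_METHOD choice;
 * not OpenSSL's or mod_ssl's code. Names prefixed model_ are assumptions. */
typedef struct {
    const char *name;
    void (*seed)(const void *buf, int num);
    int (*bytes)(unsigned char *buf, int num);
} rand_method_model;

/* Two stand-in implementations: the built-in software PRNG and an engine's RNG. */
static void sw_seed(const void *buf, int num) { (void)buf; (void)num; }
static int sw_bytes(unsigned char *buf, int num) { memset(buf, 0xAA, (size_t)num); return 1; }
static void hw_seed(const void *buf, int num) { (void)buf; (void)num; }
static int hw_bytes(unsigned char *buf, int num) { memset(buf, 0x55, (size_t)num); return 1; }
static const rand_method_model software_method = { "software", sw_seed, sw_bytes };
static const rand_method_model engine_method = { "engine", hw_seed, hw_bytes };

static const rand_method_model *default_meth = NULL;   /* latched on first use */
static const rand_method_model *engine_default = NULL; /* what ENGINE currently offers */

/* Stands in for ENGINE_set_default(e, ENGINE_METHOD_RAND): only records the offer. */
static void model_engine_set_default(const rand_method_model *m) { engine_default = m; }

/* Stands in for RAND_get_rand_method(): the first caller decides, and the choice
 * is latched, so an engine registered afterwards is never consulted. */
static const rand_method_model *model_get_rand_method(void) {
    if (default_meth == NULL)
        default_meth = engine_default ? engine_default : &software_method;
    return default_meth;
}

/* Returns the name of the method that ends up serving RAND_bytes() when the
 * engine is registered before (1) or after (0) the PRNG is first seeded. */
const char *active_method_name(int engine_before_seed) {
    const char seed[] = "constructed seed material";
    unsigned char out[8];
    default_meth = engine_default = NULL;             /* fresh process state */
    if (engine_before_seed) model_engine_set_default(&engine_method);
    model_get_rand_method()->seed(seed, (int)sizeof seed); /* ssl_init_SSLLibrary() seeds here */
    if (!engine_before_seed) model_engine_set_default(&engine_method);
    model_get_rand_method()->bytes(out, (int)sizeof out);  /* later TLS handshake use */
    return model_get_rand_method()->name;
}
int main(void) {
    printf("engine registered after seeding:  %s\n", active_method_name(0));
    printf("engine registered before seeding: %s\n", active_method_name(1));
    return 0;
}
```

The check a practitioner would make on a real build is the same: inspect which RAND method is active after server initialisation, not whether the engine loaded.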



RAND function using OpenSSL 0.9.7 (A Solution)

2002-07-15 Thread Frederic DONNAT

Hi All,


I changed a function call and it works fine now. I do not know if this is the real way to solve my problem but this provides a solution.

In file pkg.modssl/ssl_engine_int.c:
move "ssl_init_Engine(s, p);" function call before "ssl_init_SSLLibrary();" function call instead of after.

In fact if you want to use ENGINE default functionalities you must set ENGINE before everything.


Regards
Fred







RE: RAND function using OpenSSL 0.9.7

2002-07-15 Thread Frederic DONNAT

Cliff,

I compile using --enable-rule=SSL_EXPERIMENTAL as I've seen it, in order to enable
OpenSSL "ENGINE" use. (also set SSLCryptoDevice ".." in /conf/httpd.conf)

As I said it works fine for symmetric (cipher, digest) and asymmetric (RSA, DSA, DH)
stuff! Only the RAND one seems invalid.

In fact in OpenSSL 0.9.7 I have to change some part of the code in apps/s_client.c (just
call "e = setup_engine(bio_err, engine_id, 1);" before any RAND function call) to be
able to use RAND redirection.

Fred

-Original Message-
From:   Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent:   Mon 07/15/2002 7:16 PM
To: [EMAIL PROTECTED]
Cc: 
Subject:    Re: RAND function using OpenSSL 0.9.7

On Mon, 15 Jul 2002, Frederic DONNAT wrote:

> I try using OpenSSL 0.9.7 with a crypto accelerator and it works fine
> for asymmetric and symmetric stuff, but it fails when trying to use
> ENGINE random (rand engine is not used, everything is done with
> classic software random).

Don't you have to compile mod_ssl with SSL_EXPERIMENTAL_ENGINE or
something like that?  Did you do that?  Or are you even talking about
mod_ssl here?

--Cliff






Re: RAND function using OpenSSL 0.9.7

2002-07-15 Thread Cliff Woolley

On Mon, 15 Jul 2002, Frederic DONNAT wrote:

> I try using OpenSSL 0.9.7 with a crypto accelerator and it works fine
> for asymmetric and symmetric stuff, but it fails when trying to use
> ENGINE random (rand engine is not used, everything is done with
> classic software random).

Don't you have to compile mod_ssl with SSL_EXPERIMENTAL_ENGINE or
something like that?  Did you do that?  Or are you even talking about
mod_ssl here?

--Cliff




RAND function using OpenSSL 0.9.7

2002-07-15 Thread Frederic DONNAT

Hi all,


I try using OpenSSL 0.9.7 with a crypto accelerator and it works fine for asymmetric and symmetric stuff, but it fails when trying to use ENGINE random (rand engine is not used, everything is done with classic software random).

Has someone solved this problem?


Regards
Fred