[openssl.org #274] session ID length bug (in 0.9.6g and 0.9.7beta3)

2002-09-19 Thread Bodo Moeller via RT


This SSLeay/OpenSSL behaviour appears to be correct; from RFC 2246:

   session_id_length
   This field must have a value of either zero or 16. If zero, the
   client is creating a new session. If 16, the session_id field
__
OpenSSL Project http://www.openssl.org
Development Mailing List   [EMAIL PROTECTED]
Automated List Manager   [EMAIL PROTECTED]



[openssl.org #262] bug: init race in SSLv3_client_method

2002-09-19 Thread Bodo Moeller via RT


All (most?) similar cases clear the 'init' flag *after* having set up
the data structures appropriately, e.g. see ssl/s3_meth.c.
No locking should be needed because the assignments are idempotent.



[openssl.org #274] session ID length bug (in 0.9.6g and 0.9.7beta3)

2002-09-19 Thread Bodo Moeller via RT


Sorry, the RFC 2246 quote was incorrect -- the value 16 is for
SSL 2.0 session IDs only, and the SSLeay/OpenSSL interpretation
indeed is buggy.






[openssl.org #289] [Fwd: Bug#161359: openssl_0.9.6e-1_i386.deb reports wrong version]

2002-09-19 Thread Lutz Jaenicke via RT


[[EMAIL PROTECTED] - Thu Sep 19 12:11:15 2002]:

ljaenicke@lutz:~$ dpkg -l openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
ii  openssl        0.9.6e-1       Secure Socket Layer (SSL) binary and related
ljaenicke@lutz:~$ which openssl
/usr/bin/openssl
ljaenicke@lutz:~$ /usr/bin/openssl version
OpenSSL 0.9.6e 30 Jul 2002
ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so
lrwxrwxrwx    1 root     root           18 Aug 28 11:42 /usr/lib/libcrypto.so -> libcrypto.so.0.9.6
ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so.0.9.6
-rw-r--r--    1 root     root       744164 Jul 30 18:50 /usr/lib/libcrypto.so.0.9.6
ljaenicke@lutz:~/newsoft/multiplexer$ strings usr/lib/libcrypto.so.0.9.6 | grep 0.9.6
libcrypto.so.0.9.6
OpenSSL 0.9.6e 30 Jul 2002
MD2 part of OpenSSL 0.9.6e 30 Jul 2002
MD4 part of OpenSSL 0.9.6e 30 Jul 2002
MD5 part of OpenSSL 0.9.6e 30 Jul 2002
SHA part of OpenSSL 0.9.6e 30 Jul 2002
SHA1 part of OpenSSL 0.9.6e 30 Jul 2002
RIPE-MD160 part of OpenSSL 0.9.6e 30 Jul 2002
libdes part of OpenSSL 0.9.6e 30 Jul 2002
DES part of OpenSSL 0.9.6e 30 Jul 2002
RC2 part of OpenSSL 0.9.6e 30 Jul 2002
RC4 part of OpenSSL 0.9.6e 30 Jul 2002
Blowfish part of OpenSSL 0.9.6e 30 Jul 2002
CAST part of OpenSSL 0.9.6e 30 Jul 2002
Big Number part of OpenSSL 0.9.6e 30 Jul 2002
RSA part of OpenSSL 0.9.6e 30 Jul 2002
DSA part of OpenSSL 0.9.6e 30 Jul 2002
Diffie-Hellman part of OpenSSL 0.9.6e 30 Jul 2002
Stack part of OpenSSL 0.9.6e 30 Jul 2002
lhash part of OpenSSL 0.9.6e 30 Jul 2002
RAND part of OpenSSL 0.9.6e 30 Jul 2002
EVP part of OpenSSL 0.9.6e 30 Jul 2002
ASN.1 part of OpenSSL 0.9.6e 30 Jul 2002
PEM part of OpenSSL 0.9.6e 30 Jul 2002
X.509 part of OpenSSL 0.9.6e 30 Jul 2002
CONF part of OpenSSL 0.9.6e 30 Jul 2002
CONF_def part of OpenSSL 0.9.6e 30 Jul 2002
TXT_DB part of OpenSSL 0.9.6e 30 Jul 2002

So I cannot reproduce the bug reported...

Best regards,



Why does OpenSSL_add_all_algorithms() exist?

2002-09-19 Thread rsalz

Can anyone explain why this routine exists?  When would you *not* want
this?  Is there any reason not to, say, call those routines from within
EVP_PKEY_new ?
/r$



Re: [openssl.org #289] [Fwd: Bug#161359: openssl_0.9.6e-1_i386.deb reports wrong version]

2002-09-19 Thread Christoph Martin

Argh, you are right. When I tried to verify the problem, I only tested
the 0.9.6g binary but had the 0.9.6c libraries installed. So I assume
the submitter of the bug made a similar mistake.

Sorry to bug you.

Christoph






[PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020918)

2002-09-19 Thread Steven Reddie

Here is the patch for configuring-out the engine.  This one should work; the
previous one had a single misplaced #ifndef.  I've tested it both with and
without the no-engine option for the following platforms:

Cygwin
VC-WIN32 (dll and static)
VC-CE (dll and static)
Linux

VC-CE is the Windows CE port that I'm working on and the reason that I need
the no-engine option, although I imagine that I'll need it in my day job too
when we upgrade.  Is it possible to get this into a 0.9.7 snapshot soon?
I'll need it before I can finalise the port.

Regards,

Steven



openssl-0.9.7-stable-SNAP-20020918-NO_ENGINE.patch
Description: Binary data


RE: Why does OpenSSL_add_all_algorithms() exist?

2002-09-19 Thread Chris Brook

Those of us who make heavy use of the crypto library, with a limited group
of algorithms and without SSL, would certainly not want this pulling in all
the algorithms every time we call EVP_PKEY_new.
Chris Brook

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, September 19, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: Why does OpenSSL_add_all_algorithms() exist?


Can anyone explain why this routine exists?  When would you *not* want
this?  Is there any reason not to, say, call those routines from within
EVP_PKEY_new ?
/r$



Re: [openssl.org #262] bug: init race in SSLv3_client_method

2002-09-19 Thread


> All (most?) similar cases clear the 'init' flag *after* having set up
> the data structures appropriately, e.g. see ssl/s3_meth.c.

Yes, SSLv3_client_method is the only one I saw which had init set in the
wrong place.  I may have missed some.

> No locking should be needed because the assignments are idempotent.

However, the assignments are not atomic.  The following unprotected
operation:

    if (init)
        {
        memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
            sizeof(SSL_METHOD));
        SSLv3_server_data.ssl_accept=ssl3_accept;
        SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
        init=0;
        }

can result in a thread calling .ssl_accept or .get_ssl_method after the
memcpy but before the assignment.  In this case, ssl_undefined_function is
called and it errors out.

To make this code properly thread-safe, locks and atomic sets should be used
to protect any non-atomic functions working on shared data.

patrick
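
The window described in the message above, reproduced deterministically next to a guarded variant. This is an added example, not OpenSSL code and not code from the thread: method_t, racy_window_result, safe_get and the helper functions are hypothetical stand-ins for SSL_METHOD, ssl3_accept and ssl_undefined_function, and the interleaving is simulated in a single thread.

```c
#include <stdatomic.h>
#include <string.h>

/* Simplified stand-in for SSL_METHOD; all names here are hypothetical. */
typedef struct { int (*ssl_accept)(void); } method_t;

static int undefined_function(void) { return -1; } /* role of ssl_undefined_function */
static int real_accept(void) { return 1; }         /* role of ssl3_accept */
static const method_t base_method = { undefined_function };

/* Pattern from the message: the shared struct is patched in place. */
static method_t racy_data;
static int racy_init = 1;

/* Runs the racy init once and reports what a second thread, which already
 * holds &racy_data, would get if it called ssl_accept between the memcpy
 * and the assignment. The interleaving is simulated in a single thread. */
static int racy_window_result(void)
{
    int seen = 0;
    if (racy_init) {
        memcpy(&racy_data, &base_method, sizeof(method_t));
        seen = racy_data.ssl_accept();   /* the other thread's call lands here */
        racy_data.ssl_accept = real_accept;
        racy_init = 0;
    }
    return seen;
}

/* Guarded variant: 0 = untouched, 1 = being built, 2 = published. */
static method_t safe_data;
static atomic_int safe_state;

static const method_t *safe_get(void)
{
    int expected = 0;
    if (atomic_compare_exchange_strong(&safe_state, &expected, 1)) {
        /* Exactly one caller wins the 0 -> 1 transition and builds the table. */
        memcpy(&safe_data, &base_method, sizeof(method_t));
        safe_data.ssl_accept = real_accept;
        /* Release store: the writes above are visible before state reads 2. */
        atomic_store_explicit(&safe_state, 2, memory_order_release);
    } else {
        /* Losers wait; nobody gets the pointer until the table is complete. */
        while (atomic_load_explicit(&safe_state, memory_order_acquire) != 2)
            ;
    }
    return &safe_data;
}
```

The spin loop keeps the example free of library dependencies; production code would block on a lock or use pthread_once instead.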

