[openssl.org #274] session ID length bug (in 0.9.6g and 0.9.7beta3)
This SSLeay/OpenSSL behaviour appears to be correct; from RFC 2246: session_id_length This field must have a value of either zero or 16. If zero, the client is creating a new session. If 16, the session_id field __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #262] bug: init race in SSLv3_client_method
All (most?) similar cases clear the 'init' flag *after* having set up the data structures appropriately, e.g. see ssl/s3_meth.c. No locking should be needed because the assignments are idempotent. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #274] session ID length bug (in 0.9.6g and 0.9.7beta3)
Sorry, the RFC 2246 quote was incorrect -- the value 16 is for SSL 2.0 session IDs only, and the SSLeay/OpenSSL interpretation indeed is buggy. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #274] session ID length bug (in 0.9.6g and 0.9.7beta3)
__ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #289] [Fwd: Bug#161359: openssl_0.9.6e-1_i386.deb reports wrong version]
[[EMAIL PROTECTED] - Thu Sep 19 12:11:15 2002]: ljaenicke@lutz:~$ dpkg -l openssl Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name VersionDescription +++-==-==- ii openssl0.9.6e-1 Secure Socket Layer (SSL) binary and related ljaenicke@lutz:~$ which openssl /usr/bin/openssl ljaenicke@lutz:~$ /usr/bin/openssl version OpenSSL 0.9.6e 30 Jul 2002 ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so lrwxrwxrwx1 root root 18 Aug 28 11:42 /usr/lib/libcrypto.so - libcrypto.so.0.9.6 ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so.0.9.6 -rw-r--r--1 root root 744164 Jul 30 18:50 /usr/lib/libcrypto.so.0.9.6 ljaenicke@lutz:~/newsoft/multiplexer$ strings usr/lib/libcrypto.so.0.9.6 | grep 0.9.6 libcrypto.so.0.9.6 OpenSSL 0.9.6e 30 Jul 2002 MD2 part of OpenSSL 0.9.6e 30 Jul 2002 MD4 part of OpenSSL 0.9.6e 30 Jul 2002 MD5 part of OpenSSL 0.9.6e 30 Jul 2002 SHA part of OpenSSL 0.9.6e 30 Jul 2002 SHA1 part of OpenSSL 0.9.6e 30 Jul 2002 RIPE-MD160 part of OpenSSL 0.9.6e 30 Jul 2002 libdes part of OpenSSL 0.9.6e 30 Jul 2002 DES part of OpenSSL 0.9.6e 30 Jul 2002 RC2 part of OpenSSL 0.9.6e 30 Jul 2002 RC4 part of OpenSSL 0.9.6e 30 Jul 2002 Blowfish part of OpenSSL 0.9.6e 30 Jul 2002 CAST part of OpenSSL 0.9.6e 30 Jul 2002 Big Number part of OpenSSL 0.9.6e 30 Jul 2002 RSA part of OpenSSL 0.9.6e 30 Jul 2002 DSA part of OpenSSL 0.9.6e 30 Jul 2002 Diffie-Hellman part of OpenSSL 0.9.6e 30 Jul 2002 Stack part of OpenSSL 0.9.6e 30 Jul 2002 lhash part of OpenSSL 0.9.6e 30 Jul 2002 RAND part of OpenSSL 0.9.6e 30 Jul 2002 EVP part of OpenSSL 0.9.6e 30 Jul 2002 ASN.1 part of OpenSSL 0.9.6e 30 Jul 2002 PEM part of OpenSSL 0.9.6e 30 Jul 2002 X.509 part of OpenSSL 0.9.6e 30 Jul 2002 CONF part of OpenSSL 0.9.6e 30 Jul 2002 CONF_def part of OpenSSL 0.9.6e 30 Jul 2002 TXT_DB part of OpenSSL 0.9.6e 30 Jul 2002 So I cannot reproduce the bug reported... Best regards, __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Why does OpenSSL_add_all_algorithms() exist?
Can anyone explain why this routine exists? When would you *not* want this? Is there any reason not to, say, call those routines from within EVP_PKEY_new ? /r$ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #289] [Fwd: Bug#161359: openssl_0.9.6e-1_i386.debreports wrong version]
Argh, you are right. When I tried to verify the problem. I only testet the 0.9.6g binary but had the 0.9.6c libraries installed. So I assume, the submitter of the bug made a similar mistake. Sorry, to bug you. Christoph Am Don, 2002-09-19 um 15.23 schrieb Lutz Jaenicke via RT: [[EMAIL PROTECTED] - Thu Sep 19 12:11:15 2002]: ljaenicke@lutz:~$ dpkg -l openssl Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name VersionDescription +++-==-==- ii openssl0.9.6e-1 Secure Socket Layer (SSL) binary and related ljaenicke@lutz:~$ which openssl /usr/bin/openssl ljaenicke@lutz:~$ /usr/bin/openssl version OpenSSL 0.9.6e 30 Jul 2002 ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so lrwxrwxrwx1 root root 18 Aug 28 11:42 /usr/lib/libcrypto.so - libcrypto.so.0.9.6 ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so.0.9.6 -rw-r--r--1 root root 744164 Jul 30 18:50 /usr/lib/libcrypto.so.0.9.6 ljaenicke@lutz:~/newsoft/multiplexer$ strings usr/lib/libcrypto.so.0.9.6 | grep 0.9.6 libcrypto.so.0.9.6 OpenSSL 0.9.6e 30 Jul 2002 MD2 part of OpenSSL 0.9.6e 30 Jul 2002 MD4 part of OpenSSL 0.9.6e 30 Jul 2002 MD5 part of OpenSSL 0.9.6e 30 Jul 2002 SHA part of OpenSSL 0.9.6e 30 Jul 2002 SHA1 part of OpenSSL 0.9.6e 30 Jul 2002 RIPE-MD160 part of OpenSSL 0.9.6e 30 Jul 2002 libdes part of OpenSSL 0.9.6e 30 Jul 2002 DES part of OpenSSL 0.9.6e 30 Jul 2002 RC2 part of OpenSSL 0.9.6e 30 Jul 2002 RC4 part of OpenSSL 0.9.6e 30 Jul 2002 Blowfish part of OpenSSL 0.9.6e 30 Jul 2002 CAST part of OpenSSL 0.9.6e 30 Jul 2002 Big Number part of OpenSSL 0.9.6e 30 Jul 2002 RSA part of OpenSSL 0.9.6e 30 Jul 2002 DSA part of OpenSSL 0.9.6e 30 Jul 2002 Diffie-Hellman part of OpenSSL 0.9.6e 30 Jul 2002 Stack part of OpenSSL 0.9.6e 30 Jul 2002 lhash part of OpenSSL 0.9.6e 30 Jul 2002 RAND part of OpenSSL 0.9.6e 30 Jul 2002 EVP part of OpenSSL 0.9.6e 30 Jul 2002 ASN.1 part of OpenSSL 0.9.6e 30 Jul 2002 PEM part of OpenSSL 0.9.6e 30 Jul 2002 X.509 part of OpenSSL 0.9.6e 30 Jul 2002 CONF part of OpenSSL 0.9.6e 30 Jul 2002 CONF_def part of OpenSSL 0.9.6e 30 Jul 2002 TXT_DB part of OpenSSL 0.9.6e 30 Jul 2002 So I cannot reproduce the bug reported... Best regards, signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
Re: [openssl.org #289] [Fwd: Bug#161359: openssl_0.9.6e-1_i386.deb reports wrong version]
Argh, you are right. When I tried to verify the problem. I only testet the 0.9.6g binary but had the 0.9.6c libraries installed. So I assume, the submitter of the bug made a similar mistake. Sorry, to bug you. Christoph Am Don, 2002-09-19 um 15.23 schrieb Lutz Jaenicke via RT: [[EMAIL PROTECTED] - Thu Sep 19 12:11:15 2002]: ljaenicke@lutz:~$ dpkg -l openssl Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name VersionDescription +++-==-==- ii openssl0.9.6e-1 Secure Socket Layer (SSL) binary and related ljaenicke@lutz:~$ which openssl /usr/bin/openssl ljaenicke@lutz:~$ /usr/bin/openssl version OpenSSL 0.9.6e 30 Jul 2002 ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so lrwxrwxrwx1 root root 18 Aug 28 11:42 /usr/lib/libcrypto.so - libcrypto.so.0.9.6 ljaenicke@lutz:~/newsoft/multiplexer$ ls -al /usr/lib/libcrypto.so.0.9.6 -rw-r--r--1 root root 744164 Jul 30 18:50 /usr/lib/libcrypto.so.0.9.6 ljaenicke@lutz:~/newsoft/multiplexer$ strings usr/lib/libcrypto.so.0.9.6 | grep 0.9.6 libcrypto.so.0.9.6 OpenSSL 0.9.6e 30 Jul 2002 MD2 part of OpenSSL 0.9.6e 30 Jul 2002 MD4 part of OpenSSL 0.9.6e 30 Jul 2002 MD5 part of OpenSSL 0.9.6e 30 Jul 2002 SHA part of OpenSSL 0.9.6e 30 Jul 2002 SHA1 part of OpenSSL 0.9.6e 30 Jul 2002 RIPE-MD160 part of OpenSSL 0.9.6e 30 Jul 2002 libdes part of OpenSSL 0.9.6e 30 Jul 2002 DES part of OpenSSL 0.9.6e 30 Jul 2002 RC2 part of OpenSSL 0.9.6e 30 Jul 2002 RC4 part of OpenSSL 0.9.6e 30 Jul 2002 Blowfish part of OpenSSL 0.9.6e 30 Jul 2002 CAST part of OpenSSL 0.9.6e 30 Jul 2002 Big Number part of OpenSSL 0.9.6e 30 Jul 2002 RSA part of OpenSSL 0.9.6e 30 Jul 2002 DSA part of OpenSSL 0.9.6e 30 Jul 2002 Diffie-Hellman part of OpenSSL 0.9.6e 30 Jul 2002 Stack part of OpenSSL 0.9.6e 30 Jul 2002 lhash part of OpenSSL 0.9.6e 30 Jul 2002 RAND part of OpenSSL 0.9.6e 30 Jul 2002 EVP part of OpenSSL 0.9.6e 30 Jul 2002 ASN.1 part of OpenSSL 0.9.6e 30 Jul 2002 PEM part of OpenSSL 0.9.6e 30 Jul 2002 X.509 part of OpenSSL 0.9.6e 30 Jul 2002 CONF part of OpenSSL 0.9.6e 30 Jul 2002 CONF_def part of OpenSSL 0.9.6e 30 Jul 2002 TXT_DB part of OpenSSL 0.9.6e 30 Jul 2002 So I cannot reproduce the bug reported... Best regards, __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[PATCH] no-engine (openssl-0.9.7-stable-SNAP-20020918)
Here is the patch for configuring-out the engine. This one should work; the previous one had a single misplaced #ifndef. I've tested it both with and without the no-engine option for the following platforms: Cygwin VC-WIN32 (dll and static) VC-CE (dll and static) Linux VC-CE is the Windows CE port that I'm working on and the reason that I need the no-engine option, although I imagine that I'll need it in my day job too when we upgrade. Is it possible to get this into a 0.9.7 snapshot soon? I'll need it before I can finalise the port. Regards, Steven openssl-0.9.7-stable-SNAP-20020918-NO_ENGINE.patch Description: Binary data
RE: Why does OpenSSL_add_all_algorithms() exist?
Those of us who make heavy use of the crypto library, with a limited group of algorithms and without SSL, would certainly not want this pulling in all the algorithms every time we call EVP_PKEY_new. Chris Brook -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED] Sent: Thursday, September 19, 2002 10:16 AM To: [EMAIL PROTECTED] Subject: Why does OpenSSL_add_all_algorithms() exist? Can anyone explain why this routine exists? When would you *not* want this? Is there any reason not to, say, call those routines from within EVP_PKEY_new ? /r$ __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #262] bug: init race in SSLv3_client_method
All (most?) similar cases clear the 'init' flag *after* having set up the data structures appropriately, e.g. see ssl/s3_meth.c. Yes, SSLv3_client_method is the only one I saw which had init set in the wrong place. I may have missed some. No locking should be needed because the assignments are idempotent. However, the assignments are not atomic. The following unprotected operation: if (init) { memcpy((char *)SSLv3_server_data,(char *)sslv3_base_method(), sizeof(SSL_METHOD)); SSLv3_server_data.ssl_accept=ssl3_accept; SSLv3_server_data.get_ssl_method=ssl3_get_server_method; init=0; } can result in a thread calling .ssl_accept or .get_ssl_method after the memcpy but before the assignment. In this case, ssl_undefined_function is called and it errors out. To make this code properly thread-safe, locks and atomic sets should be used to protect any non-atomic functions working on shared data. patrick __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]