[openssl.org #387] Difference between SSL.H and SYMHACKS.H
This has been resolved in 0.9.7, where there are easier mechanisms to include platform information than has ever been available on 0.9.6. I don't know how to solve this elegantly in 0.9.6, which is apparently the development branch you're talking about. [[EMAIL PROTECTED] - Fri Dec 6 07:13:26 2002]: Hi, I ran across a difference between SSL.H and SYMHACKS.H: In SSL.H, there is: #define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_data_X509_STORE_CTX_i This is embedded in about ten lines surrounded by an #ifdef VMS. SSL.H also does not include SYMHACKS.H, which I thought it would. In SYMHACKS.H, there is: #define SSL_get_ex_data_X509_STORE_CTX_idx SSL_get_ex_d_X509_STORE_CTX_idx The redefine in SYMHACKS.H is also the one we find in SSLEAY.NUM. Thanks, Kevin Kevin Greaney SSL for OpenVMS Team Hewlett Packard Company OpenVMS Engineering Group 110 Spitbrook Road Nashua, NH 03062 (603) 884-5099 -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #388] Building beta 5 on solaris 8 sparcv9
[[EMAIL PROTECTED] - Mon Dec 9 08:57:10 2002]: Hi, there is a bug in the Makefiles, where you write == for comparing $(PLATFORM). Should be = for traditionsl sh. This has already been solved. Thanks for the report. I guess when building shared library on sparcv9 one should have BOTH shared object, in case an application that interfaces the kernel (and hence needs to be -m64) has to use it. As to sizes/times they look comparable (see attached file). As it is right now, we can't very easily accomodate building several variants of the libraries. It might get in there in 0.9.8, however, so I'll mark this with an 0.9.8 milestone. -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #389] openssl 0.9.7-beta5 uses [ a == b ] instead of [ a = b ]
This has already been resolved (please try a recent snapshot). Thanks for the report. [[EMAIL PROTECTED] - Mon Dec 9 08:57:24 2002]: openssl 0.9.7-beta5 uses == as a comparison operator for the [ (test) command. I have found only two implementations that support this: the builtin test command in bash, and the external test command on Solaris. It is not supported by the GNU sh-utils test, the pdksh builtin test, NetBSD, FreeBSD, or Solaris sh's builtin test, or the external NetBSD or FreeBSD test. Please use = instead. paul -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #394] Restrictions using SSL
Dear Jeyalakshmi, would you consider running apache instead of IIS? I'd like to do this setup job for you mod_ssl is the well-known SSL solution for apache. php is another widely-used solution to run scripts. I'm ready to outline server components to meet your requirements and take informed decision best wishes, Vadim Fedukovich [EMAIL PROTECTED] consulting and software development Dnepropetrovsk Ukraine On Tue, Dec 10, 2002 at 08:24:09AM +0100, Jeyalakshmi via RT wrote: hi we would like to apply SSL to our Web site. Now most of our pages are using Request.Querystring object. I feel it would create pblm ie we can't user GET method in ASP while applying SSL. I would like to know what are the other issues will come. Can you help me to get a list of do's and don'ts. Thanks cheers jeya __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #393] 0.9.7 beta 5 crypto/x509/x509_vfy.c X509_STORE_CTX_init() memset required
Nope, no reversing there. However, what we're cleansing is the pointer itself, which is basically ridiculous and a mistake, as the memset() that was there before (and didn't generate an exception!) was really there to NULLify the ex_data pointers. I just committed a change back to using memset(). [[EMAIL PROTECTED] - Mon Dec 9 08:59:25 2002]: I'm tracking down the cause of an exception that did not occur with Kermit 95 with previous 0.9.7 builds. In the process I noticed that in X509_STORE_CTX_cleanup the buffer ctx-ex_data is freed with CRYPTO_free_ex_data prior to it being cleansed with OPENSSL_cleanse I'm pretty sure these two calls need to be reversed. - Jeff -- Richard Levitte __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
RE: [openssl.org #394] Restrictions using SSL
Hi Jeya, Is your values in the HTTP query are in plain text ? Then one way of doing it is converting the values to an encoded format. You can use Server.HTMLEncode to encode the query strings. Also, refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iisref60/ht m/asp_sec_checklist.asp for the list of issues. Regards, Murali -Original Message- From: Jeyalakshmi via RT [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 10, 2002 12:54 PM Cc: [EMAIL PROTECTED] Subject: [openssl.org #394] Restrictions using SSL hi we would like to apply SSL to our Web site. Now most of our pages are using Request.Querystring object. I feel it would create pblm ie we can't user GET method in ASP while applying SSL. I would like to know what are the other issues will come. Can you help me to get a list of do's and don'ts. Thanks cheers jeya __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Building openssh-3.5p1 with new DES functions
On Mon, Dec 09, 2002 at 05:45:47PM +0100, Richard Levitte - VMS Whacker wrote: In message 20021209122438.GB16737@folly on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl [EMAIL PROTECTED] said: markus On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJ? wrote: markus cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype) markus DES_cblock h,hh; markus ^ markus markus i don't think openssl's evp.h should include mdc2.h It's including all those headers because it used to, and people will complain if they don't get all those algorithms just by including evp.h. evp.h is supposed to hide the details of the algorithms. you should either use the EVP_ or the DES_ interface, but not both. However, that's not the problem here. Rather, it would seem that for some reason, des.h isn't included, and it should, from mdc2.h for example. it's probably not included because some other des.h is already included. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
no configue.in in src distribution
Hi, I want to add some patches to openssh for my personal experiments. I can change it in Makefile. But, I would like to change it in configure so that I can have an optional compilation of my code. But I couldn't find configure.in file in the src distribution. I just learnt that we can get configure from configure.in. Is there any other way in which I can make changes to configure file without modifing configure file manually with the files available in src distribution. TIA --kapil On Tue, 10 Dec 2002, Markus Friedl wrote: On Mon, Dec 09, 2002 at 05:45:47PM +0100, Richard Levitte - VMS Whacker wrote: In message 20021209122438.GB16737@folly on Mon, 9 Dec 2002 13:24:38 +0100, Markus Friedl [EMAIL PROTECTED] said: markus On Sun, Dec 08, 2002 at 12:39:04PM +0100, Martin MOKREJ? wrote: markus cc: Error: /usr/local/openssl/include/openssl/mdc2.h, line 79: Missing type specifier or type qualifier. (missingtype) markus DES_cblock h,hh; markus ^ markus markus i don't think openssl's evp.h should include mdc2.h It's including all those headers because it used to, and people will complain if they don't get all those algorithms just by including evp.h. evp.h is supposed to hide the details of the algorithms. you should either use the EVP_ or the DES_ interface, but not both. However, that's not the problem here. Rather, it would seem that for some reason, des.h isn't included, and it should, from mdc2.h for example. it's probably not included because some other des.h is already included. ___ [EMAIL PROTECTED] mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-dev __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
add new mode to des encryption
Hi, I tried to add one more mode (my version of counter mode) to des part, and I faced compilation problem. I am working on openssl-0.9.6h, RedHat 8 using kernel 2.4.20, gcc 3.2.1 on an Intel Pentium III desktop. Here are what I have done: 1 added function des_ectr_encrypt() to file crypto/des/ncbc_enc.c 2 added function des_ectr_cipher() to file crypto/evp/e_des.c 3 added EVP_CIPHER cname##_ctr, EVP_CIPHER * EVP_##cname##_ectr() to file crypto/evp/evp_locl.h for des's calling of BLOCK_CIPHER_defs macro. 4 added EVP_add_cipher(EVP_des_ectr()) to file c_allc.c ssl_algs.c all functions/objecst above are more or less similar to des_cbc version coding. until here everythings are ok. 5 added algorithm 10: DES-ECTR : des-ectr to file crypto/objects/objects.txt 6 added des_ectr406 to file crypto/objects/obj_mac.num until here compilation still ok, but when come to run, the following error comes out: Segmentation fault if I issue a openssl cmd. if I issue aopenssl des-cbc -in data -out data.out -k test -a cmd, the following errors come out, make: *** [des1] Segmentation fault p/s: very sorry that for number 5, I just 10 for the number besides algorithm, which I can't figure out what the number is for? appreciate helps. thanks regards, __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #239] Solaris 2/Intel shared libssl/libcrypto contain text relocations
Do you have the possibility to help out with this? The help needed would be to tell us exactly what assembler lines are incorrect, It's not just a couple of lines that needs to be fixed up. Let's wonder first why are those routines implemented in assembler? Basically two reasons. To reach for hardware rotate instruction [or any other instruction not normally reachable from C] *and* [most improtant] to master register allocation. With latter I mean that compilers apparently don't do the job good enough to avoid/optimize register spilling which affects performance [most] *drastically*. In other words the idea behind those assembler implementations is pretty much to use up every damn register and it's really tight there. Now what would it take to PIC-ify the code? Most likely an extra register! The one you'll be calculating offsets from. And the problem is that there is no register to spare and if you're really up to it you might end up rewriting major portion of code! Which is why it's not necessarily trivial to PIC-ify the affected code. And it should be explicitely pointed out that the problem is so to say generic, i.e. all Intel platforms [not only Solaris, but as well Linux, *BSD, etc.] are affected. It's just that Solaris is the only one that brings the issue up. And what *is* the issue anyway? The issue is that non-PIC code in .so library so to say ruins the whole idea. It actually *works*, but the startup times are larger (run-time linker has to resolve those references at run-time) and the pages containing those references are not shared between processes and gets added up to the application footprint. But it *does* *work*... so we can hack the Perl code appropriately, or perhaps direct help with said Perl code. A quick solution is to configure with no-asm... But the user has to understand that it will hurt the performance. Question is of course how much. Well, we can discuss it separately:-) Anyway, shared libraries with remaining text relocations are not really useful since they are not sharable, greatly diminishing their utility. Not the whole thing is affected, only pages containing those unresolved references that become private. The affected files during the Solaris 8/Intel compilation were crypto/bf/asm/bx86-sol.o crypto/cast/asm/cx86-sol.o crypto/des/asm/dx86-sol.o crypto/des/asm/yx86-sol.o crypto/md5/asm/mx86-sol.o crypto/rc4/asm/rx86-sol.o crypto/sha/asm/sx86-sol.o This is not true! Among listed modules only cast and des contain non-PIC. The rest is perfectly usable! Now cast is not really interesting and I find it hard to believe that anybody would miss the assembler implementation so that it probably should be just omitted [in shared context that is!] DES on the other hand is very popular and assembler implementation goes like 2-3 times faster so that I'd say it's essential to PIC-ify it. So that good news are that there is only one module that needs work. Bad news are that I've already challenged the community to fix it back in July 2001, but nobody has actually undertaken the effort. A. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Did someone made bn_asm for MPC860
Did someone made bn_asm for MPC860 Thanks, Avraham
Re: Building openssh-3.5p1 with new DES functions
In message 20021210110227.GA10920@folly on Tue, 10 Dec 2002 12:02:27 +0100, Markus Friedl [EMAIL PROTECTED] said: markus hm, i think this happens if kerberos is included before evp.h Interesting. That would mean one of two things: 1. Kerberos (was that with the KTH-KRB and Heimdal implementations?) was built with it's own copy of libdes instead of OpenSSL's, and the header reinclusion protector is exactly the same (hindering the OpenSSL des.h being included). OpenSSH includes the kerberos headers, and thereby any des.h it happens to include. 2. Kerberos was built against an older version of OpenSSL, and again, we get an inclusion that excludes the new names. I think the best way to solve this is to change the name of the protecting macro in OpenSSL 0.9.7's des.h, and give it's des_old.h the same protecting macro name as older versions use (and presumably libdes as well). Does that sound like a good idea? -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
OpenSSL Project Environment Migration on 10-Dec-2002 11:00 am CET
The OpenSSL project migrates today (10-Dec-2002, 11:00 am CET) its whole project environment to a completely new setup and location. In case of any problems after this switch time, please do not hesitate to contact me directly and describe the problem in detail. I'll make sure it is fixed as quick as possible. Sorry in advance for any inconviniences today. Thanks for understanding. Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Building openssh-3.5p1 with new DES functions
In message 20021210085038.GA166@folly on Tue, 10 Dec 2002 09:50:38 +0100, Markus Friedl [EMAIL PROTECTED] said: markus It's including all those headers because it used to, and people will markus complain if they don't get all those algorithms just by including markus evp.h. markus markus evp.h is supposed to hide the details of the algorithms. I totally agree with the sentiment. And we did remove those inclusions at one point in the 0.9.7 branch. At some point (after another storm with Theo), I did a test compile of an old OpenSSH against whatever was in the HEAD fo OpenSSL development at that time. It went *KABOOM*, and the single cause for that *KABOOM* was that evp.h didn't include all those algorithm headers any more. After I placed them back, I got just a couple of warnings that were a piec of cake to deal with. So, in light of a huge complaint from Theo that we're changing so damn much between versions and breaking compiles of old programs that used to work fine, I put those inclusions back. I think that for 0.9.7, this part is staying as it is. markus you should either use the EVP_ or the DES_ interface, but not markus both. Quite true. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Building openssh-3.5p1 with new DES functions
In message [EMAIL PROTECTED] on Tue, 10 Dec 2002 13:57:13 +0100 (CET), Martin MOKREJŠ [EMAIL PROTECTED] said: mmokrejs KTH KRB4 supported openssl I think since 1.1 release. Even with newer mmokrejs version you canget libdes compiled and installed, you just say to mmokrejs configure --without-openssl ^H^H^H^H^H--disable-openssl. Hmm? I thought it was the other way around, that you had to configure with explicit use of OpenSSL, and the default being to use the bundled copy of libdes... Has that changed? mmokrejs That's what I've done this time to test, if this would be mmokrejs solution to get rid of des originating from openssl. ;) I think that's a bad solution, because then you're explicitely asking for a mix of the two des.h, with the consequences that has. mmokrejs If you plan to rename des.h to des_old.h, fine for me, then only one mmokrejs des.h will be present. As I'm not a programmer, I can't comment the rest. Not the files, but the macros in them that are protecting them from duplicate inclusion. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Building openssh-3.5p1 with new DES functions
On Tue, Dec 10, 2002 at 01:58:28PM +0100, Richard Levitte - VMS Whacker wrote: In message 20021210085038.GA166@folly on Tue, 10 Dec 2002 09:50:38 +0100, Markus Friedl [EMAIL PROTECTED] said: markus It's including all those headers because it used to, and people will markus complain if they don't get all those algorithms just by including markus evp.h. markus markus evp.h is supposed to hide the details of the algorithms. I totally agree with the sentiment. And we did remove those inclusions at one point in the 0.9.7 branch. At some point (after another storm with Theo), I did a test compile of an old OpenSSH against whatever was in the HEAD fo OpenSSL development at that time. no need to run old versions of OpenSSH. if i used the wrong interface then it's my fault. It went *KABOOM*, and the single cause for that *KABOOM* was that evp.h didn't include all those algorithm headers any more. then this was: 1. a bug in the old openssh, misusing evp.h, my bad. 2. a bug in older openssl, sucking in all includes. After I placed them back, I got just a couple of warnings that were a piec of cake to deal with. So, in light of a huge complaint from Theo that we're changing so damn much between versions and breaking compiles of old programs that used to work fine, I put those inclusions back. I've been asking Theo about this serveral times and he agrees with me, so i think this is some kind of miscommunication. I think that for 0.9.7, this part is staying as it is. I don't think people should be encourage to only include evp.h when they want md5.h markus you should either use the EVP_ or the DES_ interface, but not markus both. Quite true. -m __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Building openssh-3.5p1 with new DES functions
On Tue, Dec 10, 2002 at 01:38:03PM +0100, Richard Levitte - VMS Whacker wrote: I think the best way to solve this is to change the name of the protecting macro in OpenSSL 0.9.7's des.h, and give it's des_old.h the same protecting macro name as older versions use (and presumably libdes as well). Does that sound like a good idea? yes, i think that des_old should use the same protecting macros as the old libdes/openssl, and the DES_ file something completely different. -m __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
[openssl.org #395] Problem with OpenSSL
We at ROXIO are looking at using STunnel in our GoBack product to provide a secure
link between a server and many client PCs. We have done some testing and this looks
like it will work. We plan to support WinNT, Win2000, and WinXP clients. In our
testing we had one (1 of 3) computer that would not start STunnel as a service. This
computer has WinNT installed, Service pack 6 build 1381. Investigation determined that
the OpenSSL was failing at line 279 in the code below. The call to RegQueryValueEx()
would never return when bufsz was greater than 32768. I do not know if this is the
same problem reported by Jeffrey Altman.
File crypto\rand\rand_win.c - OpenSSL 0.9.6g 9 Aug 2002
Code from the RAND_poll() function.
Line:
253/* It appears like this can cause an exception deep within ADVAPI32.DLL
254 * at random times on Windows 2000. Reported by Jeffrey Altman.
255 * Only use it on NT.
256 */
257if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT
258 osverinfo.dwMajorVersion 5)
259 {
260 /* Read Performance Statistics from NT/2000 registry
261 * The size of the performance data can vary from call
262 * to call so we must guess the size of the buffer to use
263 * and increase its size if we get an ERROR_MORE_DATA
264 * return instead of ERROR_SUCCESS.
265 */
266 LONG rc=ERROR_MORE_DATA;
267 char * buf=NULL;
268 DWORD bufsz=0;
269 DWORD length;
270
271 while (rc == ERROR_MORE_DATA)
272 {
273 buf = realloc(buf,bufsz+8192);
274 if (!buf)
275 break;
276 bufsz += 8192;
277
278 length = bufsz;
279 rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, Global,
280 NULL, NULL, buf, length);
281 }
282 if (rc == ERROR_SUCCESS)
283 {
284/* For entropy count assume only least significant
285 * byte of each DWORD is random.
286 */
287 RAND_add(length, sizeof(length), 0);
288 RAND_add(buf, length, length / 4.0);
289 }
290 if (buf)
291 free(buf);
292 }
I solved my problem 2 different ways.
One solution was to limit the bufsz to 32768 by inserting at line 273 the following:
if (bufsz = 8192*4)
{
rc = ERROR_SUCCESS;
break;
}
The other solution was to skip this section if ADVAPI32.DLL is present by changing the
line at 258 to
257if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT
258 osverinfo.dwMajorVersion 5 advapi == NULL)
This change would make the code behave the same way as Win2000 if ADVAPI32.DLL is
installed. When ADVAPI32.DLL is not installed is the only time the RegQueryValueEx()
function would be called.
I do not know the ramification of these changes. This code is run during the seeding
of the PRNG and it appears to me that this extra seeding is only needed if
ADVAPI32.DLL is not available. I could use advice on this.
Is it possible to get a fix into OpenSSL?
Misc Info:
Compiler: Microsoft Visual C++ 6.0
Thanks!
Ken Mattsen
Senior Software Engineer
ROXIO, IncThe Digital Media Company
6900 Wedgwood Road
Maple Grove, MN 55311 USA
763-494-7207 direct
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
www.roxio.com http://www.roxio.com
NASDAQ:ROXI
Featuring the Best-Selling CD-Recording Software in the World
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: Building openssh-3.5p1 with new DES functions
In message 20021210133035.GC31780@folly on Tue, 10 Dec 2002 14:30:35 +0100, Markus Friedl [EMAIL PROTECTED] said: markus yes, i think that des_old should use the same protecting macros as markus the old libdes/openssl, and the DES_ file something completely markus different. I'll commit that change as soon as I can. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #395] Problem with OpenSSL
When running as a Service there are order of loading dependencies.
Apparently, on the one machine you have in question your service is
being loaded prior to something else that is a blocking point for
Performance Gathering routines. This is known to happen in apps that
utilize OpenSSL with COM.
Ken Mattsen via RT wrote:
We at ROXIO are looking at using STunnel in our GoBack product to provide a secure link between a server and many client PCs. We have done some testing and this looks like it will work. We plan to support WinNT, Win2000, and WinXP clients. In our testing we had one (1 of 3) computer that would not start STunnel as a service. This computer has WinNT installed, Service pack 6 build 1381. Investigation determined that the OpenSSL was failing at line 279 in the code below. The call to RegQueryValueEx() would never return when bufsz was greater than 32768. I do not know if this is the same problem reported by Jeffrey Altman.
File crypto\rand\rand_win.c - OpenSSL 0.9.6g 9 Aug 2002
Code from the RAND_poll() function.
Line:
253/* It appears like this can cause an exception deep within ADVAPI32.DLL
254 * at random times on Windows 2000. Reported by Jeffrey Altman.
255 * Only use it on NT.
256 */
257if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT
258 osverinfo.dwMajorVersion 5)
259 {
260 /* Read Performance Statistics from NT/2000 registry
261 * The size of the performance data can vary from call
262 * to call so we must guess the size of the buffer to use
263 * and increase its size if we get an ERROR_MORE_DATA
264 * return instead of ERROR_SUCCESS.
265 */
266 LONG rc=ERROR_MORE_DATA;
267 char * buf=NULL;
268 DWORD bufsz=0;
269 DWORD length;
270
271 while (rc == ERROR_MORE_DATA)
272 {
273 buf = realloc(buf,bufsz+8192);
274 if (!buf)
275break;
276 bufsz += 8192;
277
278 length = bufsz;
279 rc = RegQueryValueEx(HKEY_PERFORMANCE_DATA, Global,
280NULL, NULL, buf, length);
281 }
282 if (rc == ERROR_SUCCESS)
283 {
284/* For entropy count assume only least significant
285 * byte of each DWORD is random.
286 */
287 RAND_add(length, sizeof(length), 0);
288 RAND_add(buf, length, length / 4.0);
289 }
290 if (buf)
291 free(buf);
292 }
I solved my problem 2 different ways.
One solution was to limit the bufsz to 32768 by inserting at line 273 the following:
if (bufsz = 8192*4)
{
rc = ERROR_SUCCESS;
break;
}
The other solution was to skip this section if ADVAPI32.DLL is present by changing the line at 258 to
257if ( osverinfo.dwPlatformId == VER_PLATFORM_WIN32_NT
258 osverinfo.dwMajorVersion 5 advapi == NULL)
This change would make the code behave the same way as Win2000 if ADVAPI32.DLL is installed. When ADVAPI32.DLL is not installed is the only time the RegQueryValueEx() function would be called.
I do not know the ramification of these changes. This code is run during the seeding of the PRNG and it appears to me that this extra seeding is only needed if ADVAPI32.DLL is not available. I could use advice on this.
Is it possible to get a fix into OpenSSL?
Misc Info:
Compiler: Microsoft Visual C++ 6.0
Thanks!
Ken Mattsen
Senior Software Engineer
ROXIO, IncThe Digital Media Company
6900 Wedgwood Road
Maple Grove, MN 55311 USA
763-494-7207 direct
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]
www.roxio.com http://www.roxio.com
NASDAQ:ROXI
Featuring the Best-Selling CD-Recording Software in the World
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
__
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
Re: [openssl.org #394] Restrictions using SSL
I'm sorry for sending that to the list On Tue, Dec 10, 2002, Vadim Fedukovich via RT wrote: Dear Jeyalakshmi, [...] __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Bug in CRYPTO_get_new_dynlockid()
In message [EMAIL PROTECTED] on Mon, 09 Dec 2002 11:17:07 +, Bertie [EMAIL PROTECTED] said: bertie The patch fixed the CRYPTO_get_new_dynlockid() bug. Maybe bertie CRYPTO_lock could also be made safer when called with an bertie invalid lockid, do you think it should assert rather silently bertie do nothing ? That makes sense. OK, I'll add an OPENSSL_assert() just after the fetch of the pointer in there. bertie My mod_ssl callback implementation was also broken because I bertie was using a global apr_pool_t variable to pass in to bertie apr_thread_mutex_create() in my dyn_create_callback bertie function. This doesn't work in a multi-process, multi-threaded bertie environment. bertie It would be good for CRYPTO_set_dynlock_create_callback() to bertie take an app defined structure which gets returned to the bertie caller in ssl_util_dyn_create_function(). So something like: bertie bertie struct CRYPTO_dynlock_value *dyn_create_function(struct bertie CRYPTO_dynlock_context *context, const char *file, int line) bertie void CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_context bertie *context, bertie struct CRYPTO_dynlock_value *(*dyn_create_function)(struct bertie CRYPTO_dynlock_context *context,const char *file, int line)) Could actually just be a void*, since the OpenSSL routines wouldn't care at all about the value of the pointer. Of course, that would require some casting, but in this case, I don't see that as a problem (and we pass void* for user data to most of our callbacks today anyway). I'll ponder that. I understand the use, it's just that this close to a final beta release, I'm quite reluctant to add new functionality... bertie BTW: You never replied to the mail with subject Requiring bertie multithreaded apps to provide dynamic locking upcalls was bertie this because you agreed with it :-) Not really. It's more like haven't quite had the time to really read it, have marked it for later processing... I will respond to one small part, however: you're suggesting breaking the API for 0.9.7. However, we're at the end of the release cycle, and making such a break is a rather large effort, and would basically mean that the release cycle would start over. Therefore, I must say that it won't happen for 0.9.7. I'll ponder over this for 0.9.8. -- Richard Levitte \ Spannvägen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis-- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See http://www.stacken.kth.se/~levitte/mail/ for more info. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
