Re: [openssl-users] [openssl-user] How to use memory debug functions (CRYPTO_mem_leaks) in OpenSSL 1.1.0 (pre6 release) ?

2016-08-24 Thread Salz, Rich 
Look at what the apps or test programs do
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] CVE-2016-2108 and openssl 0.9.8zf

2016-08-24 Thread Zhang, Lily (USD) 
Hi

>From the openssl website, it mentioned that 
>CVE-2016-2108 
>affected version of Openssl prior to April 2015.
We used openssl 0.98zf in our old product which was released several years ago.

Do you know if 
CVE-2016-2108 
affected version 0.9.8zf?  We want to get this info to plan our work.

Thanks
Lily

CVE-2016-2108 
(OpenSSL advisory)  [High 
severity] 3rd May 2016: [https://www.openssl.org/img/up.gif] 

This issue affected versions of OpenSSL prior to April 2015.

CVE-2016-2108 
(OpenSSL advisory)  [High 
severity] 3rd May 2016: [https://www.openssl.org/img/up.gif] 

* Fixed in OpenSSL 1.0.1o (Affected 1.0.1n, 1.0.1m, 1.0.1l, 1.0.1k, 
1.0.1j, 1.0.1i, 1.0.1h, 1.0.1g, 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 
1.0.1)
* Fixed in OpenSSL 1.0.2c (Affected 1.0.2b, 1.0.2a, 1.0.2)


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] [openssl-user] How to use memory debug functions (CRYPTO_mem_leaks) in OpenSSL 1.1.0 (pre6 release) ?

2016-08-24 Thread Wei, Changzheng 
I used memory debug functions (such as CRYPTO_mem_leaks/CRYPTO_mem_leaks_fp) to 
check the memory leak. In the old version, such as openssl-1.0.2d, I can call 
CRYPTO_mem_leaks() functions any time in my application to dump the memory 
information. But in OpenSSL-1.1.0, it will fail due to the new 
CRYPTO_mem_leaks() introduce the RUN_ONCE() function to initialize the memory 
lock and cleanup the locks at the end of the function.
My application is a multi-process application, parent process will perform the 
memory lock initialization once, so in child process the RUN_ONCE() function 
will never be performed. After I perform CRYPTO_mem_leaks(), at the end of this 
function, the malloc_lock will be freed, so it will cause unexpected coredump 
if I insert CRYPTO_mem_leaks() function in my code. What I can do now is 
register this function to atexit(), when the process exit, CRYPTO_mem_leaks() 
will be performed to dump the memory leakage information.
Is this behavior expected?

int CRYPTO_mem_leaks(BIO *b)
{
MEM_LEAK ml;

/*
 * OPENSSL_cleanup() will free the ex_data locks so we can't have any
 * ex_data hanging around
 */
bio_free_ex_data(b);

/* Ensure all resources are released */
OPENSSL_cleanup();

if (!RUN_ONCE(_init, do_memdbg_init))
return -1;

CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_DISABLE);

ml.bio = b;
ml.bytes = 0;
ml.chunks = 0;
if (mh != NULL)
lh_MEM_doall_MEM_LEAK(mh, print_leak, );

if (ml.chunks != 0) {
BIO_printf(b, "%ld bytes leaked in %d chunks\n", ml.bytes, ml.chunks);
} else {
/*
 * Make sure that, if we found no leaks, memory-leak debugging itself
 * does not introduce memory leaks (which might irritate external
 * debugging tools). (When someone enables leak checking, but does not
 * call this function, we declare it to be their fault.)
 */
int old_mh_mode;

CRYPTO_THREAD_write_lock(malloc_lock);

/*
 * avoid deadlock when lh_free() uses CRYPTO_mem_debug_free(), which 
uses
 * mem_check_on
 */
old_mh_mode = mh_mode;
mh_mode = CRYPTO_MEM_CHECK_OFF;

lh_MEM_free(mh);
mh = NULL;

mh_mode = old_mh_mode;
CRYPTO_THREAD_unlock(malloc_lock);
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_OFF);

/* Clean up locks etc */
CRYPTO_THREAD_cleanup_local();
CRYPTO_THREAD_lock_free(malloc_lock);
CRYPTO_THREAD_lock_free(long_malloc_lock);
malloc_lock = NULL;
long_malloc_lock = NULL;

return ml.chunks == 0 ? 1 : 0;
}


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Example on SSL_SESSION_set_ex_data?

2016-08-24 Thread Michael Wojcik 
(Top-posting because Outlook still can't handle HTML email correctly.)

Unless I'm missing something, you're using the OpenSSL functions correctly - 
though I admit I just looked at them here and didn't check the documentation or 
my own use of them. Perhaps you're not using C correctly.

We can't tell what the storage class of "b" is, because we don't have context. 
Is it static or automatic? If it's automatic, then as soon as it goes out of 
scope, bang - the pointer you've stored is invalid.

The pointer you store should be to an object of static or dynamic storage 
class. Static doesn't generally make sense, unless your sessions need to be 
associated with one of a handful of objects that don't change after creation. 
More typically you'd use a dynamic object. For example:

static const BLAH blah0 = {0};
BLAH *bp = malloc(sizeof *bp);
if (! bp) { error handling }
*bp = blah0;
bp->b = 12345;
...
SSL_SESSION_set_ex_data(session, my_data_idx, bp);

If you're using C++, of course, you'd want to create an object instance using 
operator new, rather than calling malloc. But the principle remains the same - 
don't use a pointer to an object which will be invalidated when it goes out of 
scope.

Michael Wojcik
Distinguished Engineer, Micro Focus


From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of 
Eric To
Sent: Wednesday, August 24, 2016 15:50
To: openssl-users@openssl.org
Subject: [openssl-users] Example on SSL_SESSION_set_ex_data?

Can someone give an example on how to use the SSL_SESSION_set_ex_data?
I'm trying to set custom information in apache mod_ssl and after trying many 
different ways, but can't get it to stick...

struct st_blah_t {
  int blah;
} BLAH;

my_data_idx = SSL_SESSION_get_ex_new_index(0, "BLAH", NULL, NULL, NULL);

BLAH b;
b.blah = 12345;

SSL_SESSION *session = SSL_get_session(ssl);
SSL_SESSION_set_ex_data(session, my_data_idx, );
SSL_set_session(ssl, sess);

Am I using the functions right?


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Example on SSL_SESSION_set_ex_data?

2016-08-24 Thread Salz, Rich 
> BLAH b;
> b.blah = 12345;
> 
> SSL_SESSION *session = SSL_get_session(ssl);
> SSL_SESSION_set_ex_data(session, my_data_idx, );
> SSL_set_session(ssl, sess);

Is "b" a stack variable?  You should malloc it.

--  
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Example on SSL_SESSION_set_ex_data?

2016-08-24 Thread Eric To 
Can someone give an example on how to use the SSL_SESSION_set_ex_data?
I'm trying to set custom information in apache mod_ssl and after trying
many different ways, but can't get it to stick...

struct st_blah_t {
  int blah;
} BLAH;

my_data_idx = SSL_SESSION_get_ex_new_index(0, "BLAH", NULL, NULL, NULL);

BLAH b;
b.blah = 12345;

SSL_SESSION *session = SSL_get_session(ssl);
SSL_SESSION_set_ex_data(session, my_data_idx, );
SSL_set_session(ssl, sess);

Am I using the functions right?
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] regarding openssl and openssl fips

2016-08-24 Thread Steve Marquess 
On 08/24/2016 09:31 AM, Test ssl wrote:
> Hi,
> 
> I am having a product which is right now using openssl1.0.1s and
> opensslfips 2.0.1
> 
> I am upgrading to openssl1.0.2h, is it OK to still be at openssfips
> 2.0.1 or do i need to upgrade the opensslfips too to 2.0.12?
> 
> Regards,
> 
> 

Yes, it's fine to stay at 2.0.1 if that's working for you now.

With one singular exception, we're not allowed to implement improvements
or bug fixes in a validated cryptographic module, so the later revisions
of the OpenSSL FIPS module (now up to 2.0.13) are not "better" in any
real-world sense (i.e. better performance, security vulnerability
mitigations, etc.). The permitted mods are for platform portability and
have to implemented in a way that does not impact any previously tested
platforms.

The exception is the complete removal of Dual EC DRBG as of 2.0.6 (and
again for 2.0.8, long story). The Dual EC DRBG was disabled all along,
but its complete removal was arguably a vulnerability mitigation. I
think that was only allowed (after much delay) as a special case
exception due to the notoriety of that algorithm. If not having a
dormant Dual EC DRBG matters to you then upgrade to any revision 2.0.8
or later.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] regarding openssl and openssl fips

2016-08-24 Thread Test ssl 
Hi,

I am having a product which is right now using openssl1.0.1s and
opensslfips 2.0.1

I am upgrading to openssl1.0.2h, is it OK to still be at openssfips 2.0.1
or do i need to upgrade the opensslfips too to 2.0.12?

Regards,
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users