[openssl.org #262] bug: init race in SSLv3_client_method

In this method in ssl/s3_clnt.c, there's a race condition with the static
init variable that is causing a crash in my multithreaded program.  init
gets set to 0 before the static structures have been set up.  I believe a
lock is needed.

    142 SSL_METHOD *SSLv3_client_method(void)
    143     {
    144     static int init=1;
    145     static SSL_METHOD SSLv3_client_data;
    146
    147     if (init)
    148         {
    149         init=0;
    150         memcpy((char *)&SSLv3_client_data,(char
*)sslv3_base_method(),
    151             sizeof(SSL_METHOD));
    152         SSLv3_client_data.ssl_connect=ssl3_connect;
    153         SSLv3_client_data.get_ssl_method=ssl3_get_client_method;
    154         }
    155     return(&SSLv3_client_data);
    156     }

Has anyone run into this before?  What method does OpenSSL use to lock
access to data structures?

thanks,
patrick

______________________________________________________________________

[openssl.org #263] Apparently Missing "OpenSSL_add_all_algorithms" in 0.9.7-beta3

In compiling MySql-4.0.2-alpha, I get the following error messages
related to OpenSSL shown below.

Using STRINGS to check the differences between OpenSSL-0.9.6a and
OpenSSL-0.9.7-beta3 shows "OpenSSL_add_all_algorithms" in 0.9.6a but not
in 0.9.7-beta3:

=================== OpenSSL-0.9.6a ============================
(as compiled and distributed by FreeBSD.org)
strings /usr/lib/libcrypto.so.2 | grep OpenSSL

OpenSSL_add_all_ciphers
OpenSSL_add_all_algorithms
OpenSSL_add_all_digests
DSA_OpenSSL
DH_OpenSSL
TXT_DB part of OpenSSL 0.9.6a 5 Apr 2001

=================== OpenSSL-0.9.7-beta3 ======================
(as compiled by user under FreeBSD using "config threads shared")
strings /usr/local/ssl/lib/libcrypto.so.0.9.7 | grep OpenSSL

OpenSSLDie
DSA_OpenSSL
DH_OpenSSL
OpenSSL_add_all_ciphers
OpenSSL_add_all_digests
UI_OpenSSL
%s(%d): OpenSSL internal error, assertion failed: %s

Re: [openssl.org #264] [Patch] for Windows OpenSSL 0.9.6g (or earlier)

I found that RegQueryValueEx(HKEY_PERFORMANCE_DATA,...) have more problems.

I can cause deadlocks in mutithreaded apllication during loading of dynamic DLL in another thread, if
loading DLL call inside DllMain function RegQueryValueEx(predefined constant HKEY_xxx, ) - like
microsoft ODBC library.

To solve this in RAND_WIN.C

a) don't use HKEY_PERFORMANCE_DATA - like on W2k or on all OS version in OpenSLL 0.9.7beta

b) access HKEY_PERFORMANCE_DATA using using RegOpenKey, RegQueryValueEx(handle), RegCloseKey
(this does not lock global process critical section _PredefinedHandleTableCriticalSection inside ADVAPI32.DLL)
    But this may cause other problems, because first open of HKEY_PERFORMANCE_DATA is loading all perfomance
DLL installed in system to current process. I have problem with this, because it take about 90 seconds
delay (inside RegQueryValueEx(HKEY_PERFORMANCE_DATA,...) during my service initialization after
OS start.

Milan Dadok

----- Puvodní zpráva ----- 
Od: "Bobco, Pete" <Pete.Bobco <at> hp.com>
Komu: <openssl-dev <at> openssl.org>
Odesláno: 30. srpna 2002 23:09
Predmet: [Patch] for Windows OpenSSL 0.9.6g (or earlier)

> I have found that OpenSSL version 0.9.6g (or earlier) on Windows can cause a problem that will prevent
Window's 
> Disk Administrator from being able to delete a logical drive from a system that has several logical drives
associated 

[STATUS] OpenSSL (Sun 1-Sep-2002)

  OpenSSL STATUS                           Last modified at
  ______________                           $Date: 2002/08/14 11:07:29 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.8:  Under development...
    o  OpenSSL 0.9.7-beta3: Released on July 30th, 2002
    o  OpenSSL 0.9.7-beta2: Released on June 16th, 2002
    o  OpenSSL 0.9.7-beta1: Released on June  1st, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
    o  OpenSSL 0.9.6:  Released on September 24th, 2000
    o  OpenSSL 0.9.5a: Released on April      1st, 2000
    o  OpenSSL 0.9.5:  Released on February  28th, 2000
    o  OpenSSL 0.9.4:  Released on August    09th, 1999
    o  OpenSSL 0.9.3a: Released on May       29th, 1999
    o  OpenSSL 0.9.3:  Released on May       25th, 1999
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998

  [See also http://www.openssl.org/support/rt2.html]

  RELEASE SHOWSTOPPERS

[openssl.org #265] Bug Report - Ordinal 2915 cannot be found in Libeay32.dll

Windows 2000 Server
MS VC++ 6.0

http://www.openssl.org/docs/crypto/EVP_EncryptInit.html#EXAMPLES

I am receiving error messages about ordinal numbers not being found when executing the example code at the
above url.

The ordinal 2915 cannot be found in the dynamic link library LIBEAY32.dll.

OpenSSL 0.9.7-beta3 30 Jul 2002
built on: Sat Aug 31 23:19:05 2002
platform: VC-WIN32
options:  bn(64,32) md2(int) rc4(idx,int) des(idx,cisc,4,long) idea(int) blowfish(idx)
compiler: cl  /MD /W3 /WX /G5 /Ox /O2 /Ob2 /Gs0 /GF /Gy /nologo -DOPENSSL_SYSNAME_WIN32
-DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32 /Fdout32dll -DOPENSSL_NO_KRB5
OPENSSLDIR: "/usr/local/ssl"

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Re: [openssl.org #248] bad serial number length

Stephen Henson via RT wrote:
> [olaf <at> zaplinski.de - Mon Aug 26 10:33:29 2002]:
> 
> 
>>I found the solution: I just commented out the lines 675-676 in
> 
> apps/ca.c - 
> 
>>now everything works as expected.
>>
> 
> 
> Since this just disables the check it isn't a good idea.

It is not disabled - some other check then tells me what went wrong when I 
force an error by editing the serial file. This error message (which I don't 
remember) was far better than that simple 'bad serial number length' which 
does not mean more that 'ouch' to me. 

> The error message suggested that index.txt has somehow had an invalid
> serial number written to it. What does you index.txt and your serial
> file look like when you get this message?

This is what I did after 'make install':

cd /usr/local/ssl
mkdir rootCA
[edited openssl.cnf and adjusted the paths accordingly]
cd rootCA

Certificate Encoding-HELP!!!

[openssl.org #264] [Patch] for Windows OpenSSL 0.9.6g (or earlier)

I have found that OpenSSL version 0.9.6g (or earlier) on Windows can cause a problem that will prevent
Window's 
Disk Administrator from being able to delete a logical drive from a system that has several logical drives
associated 
with a physical drive.  By using a tool call Filemon.exe (from
http://www.sysinternals.com/sitemap.shtml) I was
able to isolate the problem to be one in which a registry handle is not closed   I was able to trace this
occurance to a line 
in RAND_WIN.C.  I then added a one line 'fix' after the query which closes the key and fixes the problem.

In more detail, using symbolic debugging inside of OpenSSL, I found that during the first call to SSL_accept()
OpenSSL ends up querying the HKEY_PERFORMANCE_DATA Registry key in order to get some random data.
It turns out that this is one of those Windows oddities whereby you do not need to explicitly open this key,
but you have
to explicity close it or it leaves a handle open that results in this Disk Administrator problem.

--- Pete Bobco ---

--------------------------------------------------------------------------------------------------------------------------------------------------

[Patch for RAND_WIN.C]

diff -ur \openssl-0.9.6g-orig/crypto/rand/rand_win.c 
\openssl-0.9.6g-work/crypto/rand/rand_win.c
--- \openssl-0.9.6g-orig/crypto/rand/rand_win.c  Thu Feb 21 05:56
:50 2002
+++ \openssl-0.9.6g-work/crypto/rand/rand_win.c  Fri Aug 23 10:48
:20 2002
 <at>  <at>  -286,6 +286,15  <at>  <at> 
                          */
                        RAND_add(&length, sizeof(length), 0);
                        RAND_add(buf, length, length / 4.0);
+
+         /* Close the Registry Key to allow Windows to cleanup/close the open handle
+          * Note: The 'HKEY_PERFORMANCE_DATA' key is implicitly opened when the

+          *       RegQueryValueEx above is done.  However, if it is not explicitly
+          *       closed, it can cause disk partition manipulation problems.
+         */
+
+         RegCloseKey(HKEY_PERFORMANCE_DATA);
+
                        }
                if (buf)
                        free(buf); 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Re: [openssl.org #248] bad serial number length

On Mon, Sep 02, 2002, Olaf Zaplinski via RT wrote:

> 
> Stephen Henson via RT wrote:
> > [olaf <at> zaplinski.de - Mon Aug 26 10:33:29 2002]:
> > 
> > 
> >>I found the solution: I just commented out the lines 675-676 in
> > 
> > apps/ca.c - 
> > 
> >>now everything works as expected.
> >>
> > 
> > 
> > Since this just disables the check it isn't a good idea.
> 
> It is not disabled - some other check then tells me what went wrong when I 
> force an error by editing the serial file. This error message (which I don't 
> remember) was far better than that simple 'bad serial number length' which 
> does not mean more that 'ouch' to me. 
> 

Its checking for errors in index.txt, not serial.

> > The error message suggested that index.txt has somehow had an invalid
> > serial number written to it. What does you index.txt and your serial
> > file look like when you get this message?
> 
> This is what I did after 'make install':
> 
> cd /usr/local/ssl
> mkdir rootCA
> [edited openssl.cnf and adjusted the paths accordingly]
> cd rootCA
> touch index.txt
> [edited serial and inserted one line containing '00']
> 
> So index.txt was a zero byte file, serial contains '00'.
> 
> Then I created the CA and the 1st server cert w/o problems. The 2nd cert 
> signing fails then.
> 

Yes but what does index.txt and serial contain after the error? Can you send
them to me, not just a description because it may be one stray character
that is confusing 'ca'.

> BTW, it would be great if 'make install' would setup the demoCA directory 
> with proper index.txt and serial (AFAIK this was the case for older versions).
> 

The command CA.pl -newca does that. Can you check if a demoCA created with
CA.pl -newca also produces this error?

Steve.
--
Dr. Stephen Henson      steve <at> openssl.org            
OpenSSL Project         http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev <at> openssl.org
Automated List Manager                           majordomo <at> openssl.org

Hi...I have question...