RAND function using OpenSSL 0.9.7 (A Solution)
on 15.07.2002 20:54:58 by Frederic DONNAT
Hi All,
I changed a function call and it works fine now. I do not know if this is
the real way to solve my problem but this provides a solution.
In file pkg.modssl/ssl_engine_int.c:
move "ssl_init_Engine(s, p);" function call before
"ssl_init_SSLLibrary();" function call instead of after.
In fact if you want to use ENGINE default functionalities you must set
ENGINE before everything.
Regards
Fred
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
Re: RAND function using OpenSSL 0.9.7 (A Solution)
on 15.07.2002 22:10:36 by Geoff Thorpe
Hi Fred,
I was just starting to wonder what might be behind all this when you hit
the nail on the head.
On Mon, 15 Jul 2002, Frederic DONNAT wrote:
> I changed a function call and it works fine now. I do not know if this is
> the real way to solve my problem but this provides a solution.
>
> In file pkg.modssl/ssl_engine_int.c:
> move "ssl_init_Engine(s, p);" function call before
> "ssl_init_SSLLibrary();" function call instead of after.
>
> In fact if you want to use ENGINE default functionalities you must set
> ENGINE before everything.
That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must
be seeding the PRNG, and thus initialising the set-on-first-use pointer in
openssl to a default RAND_METHOD. Do you want to post a patch to the list?
I suggest "diff -u", I suggest a subject starting with "[PATCH]", and I
suggest you CC Ralf. Otherwise, things have a way of slipping through the
net. (Resists temptation to harp on about the simple but important session
caching bug, read "potential security problem", that Ralf still hasn't
incorporated despite me repeatedly harping on about it ...)
Cheers,
Geoff
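The set-on-first-use behaviour Geoff describes can be modelled in a few lines of C. This is an added example, not code from the thread, OpenSSL or mod_ssl; the types and function names are hypothetical stand-ins, and the two init functions only imitate the ordering effect of ssl_init_SSLLibrary() and ssl_init_Engine().

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a set-on-first-use method pointer.
 * Not OpenSSL or mod_ssl source; every name below is hypothetical. */
typedef struct { const char *name; } rand_method;

static const rand_method software_rand = { "software" };
static const rand_method engine_rand   = { "engine" };

static const rand_method *engine_default; /* set when an engine registers */
static const rand_method *active_rand;    /* latched by the first PRNG use */

/* Resolve the method once; every later call returns the latched pointer. */
static const rand_method *get_rand_method(void)
{
    if (active_rand == NULL)
        active_rand = engine_default ? engine_default : &software_rand;
    return active_rand;
}

/* Stand-in for ssl_init_SSLLibrary(): seeding the PRNG is a first use. */
static void init_library(void) { (void)get_rand_method(); }

/* Stand-in for ssl_init_Engine(): offers the engine as the RAND default. */
static void init_engine(void) { engine_default = &engine_rand; }

/* Run both init steps in the given order and report which method ends up
 * serving random bytes. */
const char *rand_after_init(int engine_first)
{
    engine_default = NULL;   /* reset state so each call is independent */
    active_rand = NULL;
    if (engine_first) { init_engine(); init_library(); }
    else              { init_library(); init_engine(); }
    return get_rand_method()->name;
}

int main(void)
{
    printf("library first: %s\n", rand_after_init(0));
    printf("engine first:  %s\n", rand_after_init(1));
    return 0;
}
```

In the library-first order the engine registration succeeds but is never consulted, so the failure is silent: random bytes keep coming from the software method.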
Re: RAND function using OpenSSL 0.9.7 (A Solution)
on 15.07.2002 22:22:12 by Cliff Woolley
On Mon, 15 Jul 2002, Geoff Thorpe wrote:
> > I changed a function call and it works fine now. I do not know if this is
> > the real way to solve my problem but this provides a solution.
> >
> > In file pkg.modssl/ssl_engine_int.c:
> > move "ssl_init_Engine(s, p);" function call before
> > "ssl_init_SSLLibrary();" function call instead of after.
> >
> > In fact if you want to use ENGINE default functionalities you must set
> > ENGINE before everything.
>
> That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must
> be seeding the PRNG, and thus initialising the set-on-first-use pointer in
> openssl to a default RAND_METHOD. Do you want to post a patch to the list?
Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify
for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.
--Cliff
Index: ssl_engine_init.c
============================================================ =======
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.102
diff -u -d -r1.102 ssl_engine_init.c
--- ssl_engine_init.c 8 Jul 2002 17:43:33 -0000 1.102
+++ ssl_engine_init.c 15 Jul 2002 20:22:13 -0000
@@ -266,6 +266,11 @@
}
+#ifdef SSL_EXPERIMENTAL_ENGINE
+ /* SSL external crypto device ("engine") support */
+ ssl_init_Engine(base_server, p);
+#endif
+
ssl_init_SSLLibrary(base_server);
#if APR_HAS_THREADS
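Review bot: the comment on the added ssl_init_Engine(base_server, p) call says what the block is but not why it sits above ssl_init_SSLLibrary(base_server). The ordering is the whole fix, so the comment should state that the engine has to be set up before the library init, otherwise a later cleanup can move the call back down without anyone noticing.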
@@ -290,13 +295,6 @@
if (ssl_tmp_keys_init(base_server)) {
return !OK;
}
-
- /*
- * SSL external crypto device ("engine") support
- */
-#ifdef SSL_EXPERIMENTAL_ENGINE
- ssl_init_Engine(base_server, p);
-#endif
/*
* initialize the mutex handling
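Review bot: with the ssl_init_Engine(base_server, p) call removed from below it, the ssl_tmp_keys_init(base_server) check in the context lines now runs after engine setup instead of before it. Please confirm on a build with SSL_EXPERIMENTAL_ENGINE defined that temporary key setup still succeeds in the new order, and mention that side effect in the commit log.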
Re: compile of openssl-0.9.6d stops
on 15.07.2002 23:11:19 by Bill Angus
Strange behavior: The error I recently reported on compiling under WIN2000
with MSVC++ disappeared on re-trying the same compile. First time through an
error was reported and compilation stopped. But the same batch file ran and
completed when tried a second time. This time with no errors.
RE: RAND function using OpenSSL 0.9.7 (A Solution)
on 22.07.2002 20:05:07 by Frederic DONNAT
Hi,
I've tested it with Apache-2.0.39 using openssl-0.9.7-beta2, on linux Mdk-8.0.
kernel 2.4.3-20mdk
gcc version 2.96
And initializing engine before library enables rand redirection.
That works fine for me.
file: modules/ssl/ssl_engine_init.c
Regards,
Fred
-----Original Message-----
From: Cliff Woolley [mailto:jwoolley@apache.org]
Sent: Mon 07/15/2002 10:22 PM
To: modssl-users@modssl.org
Cc:
Subject: Re: RAND function using OpenSSL 0.9.7 (A Solution)
On Mon, 15 Jul 2002, Geoff Thorpe wrote:
> > I changed a function call and it works fine now. I do not know if this is
> > the real way to solve my problem but this provides a solution.
> >
> > In file pkg.modssl/ssl_engine_int.c:
> > move "ssl_init_Engine(s, p);" function call before
> > "ssl_init_SSLLibrary();" function call instead of after.
> >
> > In fact if you want to use ENGINE default functionalities you must set
> > ENGINE before everything.
>
> That is not *a* solution, it is *the* solution. ssl_init_SSLLibrary() must
> be seeding the PRNG, and thus initialising the set-on-first-use pointer in
> openssl to a default RAND_METHOD. Do you want to post a patch to the list?
Well, I can't do anything about 1.3's mod_ssl, but if somebody can verify
for me that the following fixes Apache 2.0's mod_ssl, I'll commit it.
--Cliff
Index: ssl_engine_init.c
===================================================================
RCS file: /home/cvs/httpd-2.0/modules/ssl/ssl_engine_init.c,v
retrieving revision 1.102
diff -u -d -r1.102 ssl_engine_init.c
--- ssl_engine_init.c 8 Jul 2002 17:43:33 -0000 1.102
+++ ssl_engine_init.c 15 Jul 2002 20:22:13 -0000
@@ -266,6 +266,11 @@
}
+#ifdef SSL_EXPERIMENTAL_ENGINE
+ /* SSL external crypto device ("engine") support */
+ ssl_init_Engine(base_server, p);
+#endif
+
ssl_init_SSLLibrary(base_server);
#if APR_HAS_THREADS
@@ -290,13 +295,6 @@
if (ssl_tmp_keys_init(base_server)) {
return !OK;
}
-
- /*
- * SSL external crypto device ("engine") support
- */
-#ifdef SSL_EXPERIMENTAL_ENGINE
- ssl_init_Engine(base_server, p);
-#endif
/*
* initialize the mutex handling