From: Peter Pentchev <roam@ringlet.net>
To: freebsd-hackers@FreeBSD.org
Cc: "Jacques A. Vidrine", Mark Murray, Dag-Erling Smorgrav
Date: Thu, 2 Sep 2004 19:20:17 +0300
Subject: Re: [CFR] OpenSSL ENGINE fix
Message-ID: <20040902162017.GI1469@straylight.m.ringlet.net>
In-Reply-To: <20040902160300.GH1469@straylight.m.ringlet.net>
List-Id: Technical Discussions relating to FreeBSD (freebsd-hackers@freebsd.org)

On Thu, Sep 02, 2004 at 07:03:00PM +0300, Peter Pentchev wrote:
> Hi,
> 
> The stunnel port had been badly broken on -CURRENT for some time, and
> today I seem to have tracked it down. There is a problem in
> OpenSSL's ENGINE code, which seems to depend on realloc()'s initializing
> unused memory with zeroes. Since this is certainly not true with
> malloc's 'J' option, the ENGINE code never actually runs out of RAND
> routines to look for, and dumps core on attempting to dereference a
> structure at 0xd0d0d0d0.
> 
> The following simple patch seems to fix this particular problem, but I
> think there are others lurking close beneath the surface. When I built
> stunnel with this patch, it did not immediately segfault on
> initialization, but it did later, when it attempted to get a couple of
> random bytes in order to actually establish an SSL connection. A quick
> examination shows that the ENGINE code had "successfully" loaded and
> initialized all built-in engines and then tried to use the last one
> loaded - in this case, the 4758cca one - which promptly invoked a
> function pointed to by the static randomNumberGenerate variable, which,
> as you may have guessed by this point, held a NULL value. Apparently,
> something else is rotten in ENGINE initialization land, and (at least)
> the 4758cca driver cannot properly detect that it has not properly
> detected its hardware :(

Oh, and of course, here's a program that demonstrates the null pointer
problem after the eng_table.c patch is applied:

/* The header names were lost in the list archive; the ones below are the
 * headers this program needs, not necessarily the exact original list. */
#include <stdio.h>
#include <openssl/crypto.h>	/* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#if SSLEAY_VERSION_NUMBER >= 0x00907000L
#include <openssl/engine.h>
#else
#error weird openssl version
#endif

int
main(void)
{
	unsigned char buf[256];
	int ret;

	/* Load and register every built-in engine, including any whose
	 * hardware is not actually present. */
	ENGINE_load_builtin_engines();
	ENGINE_register_all_complete();
	if (RAND_status()) {
		printf("RAND_status said ok\n");
	} else {
		printf("RAND_status kinda sorta failed\n");
	}
	/* This is where the last-registered engine's RAND method gets called. */
	ret = RAND_pseudo_bytes(buf, sizeof(buf) / 2);
	printf("RAND_pseudo_bytes() returned %d\n", ret);
	return (0);
}

G'luck,
Peter

-- 
Peter Pentchev	roam@ringlet.net	roam@cnsys.bg	roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If I had finished this sentence,
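The realloc() assumption described in the message, shown as an added example that is not part of the e-mail or of OpenSSL's code. The table, the engine_t type and the two allocator wrappers are hypothetical: junk_realloc emulates what malloc's 'J' option does to the grown region of a realloc()'d block (fills it with 0xd0 bytes), zero_realloc emulates an allocator that happens to return zeroed memory and so hides the bug. The naive table treats a NULL slot as the end of the list, which is the pattern that made the ENGINE code keep scanning past the real entries; the fixed table keeps an explicit count and zeroes the grown tail itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class, not OpenSSL's eng_table.c. */

#define GROW_STEP 4
#define JUNK_BYTE 0xd0	/* the fill byte malloc's 'J' option uses */

typedef struct { const char *name; } engine_t;
typedef void *(*grow_fn)(void *p, size_t oldsz, size_t newsz);

/* Emulates realloc() under malloc 'J': the grown tail is junk, never zero. */
static void *junk_realloc(void *p, size_t oldsz, size_t newsz)
{
	unsigned char *np = realloc(p, newsz);
	if (np != NULL && newsz > oldsz)
		memset(np + oldsz, JUNK_BYTE, newsz - oldsz);
	return np;
}

/* Emulates an allocator that happens to hand back zeroed memory. */
static void *zero_realloc(void *p, size_t oldsz, size_t newsz)
{
	unsigned char *np = realloc(p, newsz);
	if (np != NULL && newsz > oldsz)
		memset(np + oldsz, 0, newsz - oldsz);
	return np;
}

/* Naive table: no element count, a NULL slot is assumed to end the list. */
typedef struct { engine_t **slots; size_t cap; grow_fn grow; } naive_table;

static int naive_add(naive_table *t, engine_t *e)
{
	size_t i;
	for (i = 0; i < t->cap; i++)
		if (t->slots[i] == NULL) { t->slots[i] = e; return 0; }
	engine_t **ns = t->grow(t->slots, t->cap * sizeof *ns,
	    (t->cap + GROW_STEP) * sizeof *ns);
	if (ns == NULL)
		return -1;
	t->slots = ns;
	t->slots[t->cap] = e;	/* the other new slots hold whatever the allocator left */
	t->cap += GROW_STEP;
	return 0;
}

/* How many engines does the naive scan believe are registered? */
static size_t naive_count(const naive_table *t)
{
	size_t n = 0;
	while (n < t->cap && t->slots[n] != NULL)
		n++;	/* junk compares != NULL, so this keeps going */
	return n;
}

/* Fixed table: explicit count, and the grown tail is zeroed regardless of allocator. */
typedef struct { engine_t **slots; size_t n, cap; grow_fn grow; } fixed_table;

static int fixed_add(fixed_table *t, engine_t *e)
{
	if (t->n == t->cap) {
		size_t ncap = t->cap + GROW_STEP;
		engine_t **ns = t->grow(t->slots, t->cap * sizeof *ns, ncap * sizeof *ns);
		if (ns == NULL)
			return -1;
		memset(ns + t->cap, 0, (ncap - t->cap) * sizeof *ns);	/* never trust realloc() to zero */
		t->slots = ns;
		t->cap = ncap;
	}
	t->slots[t->n++] = e;
	return 0;
}

static size_t fixed_count(const fixed_table *t) { return t->n; }

/* Register exactly one engine and report how many each table thinks it holds. */
static size_t naive_registered(grow_fn grow)
{
	static engine_t e = { "example-engine" };	/* constructed sample entry */
	naive_table t = { NULL, 0, grow };
	size_t n = (naive_add(&t, &e) == 0) ? naive_count(&t) : 0;
	free(t.slots);
	return n;
}

static size_t fixed_registered(grow_fn grow)
{
	static engine_t e = { "example-engine" };
	fixed_table t = { NULL, 0, 0, grow };
	size_t n = (fixed_add(&t, &e) == 0) ? fixed_count(&t) : 0;
	free(t.slots);
	return n;
}

int main(void)
{
	printf("naive table, zeroing allocator:      %zu engine(s)\n", naive_registered(zero_realloc));
	printf("naive table, junk-filling allocator: %zu engine(s)\n", naive_registered(junk_realloc));
	printf("fixed table, junk-filling allocator: %zu engine(s)\n", fixed_registered(junk_realloc));
	return 0;
}
```

With a zeroing allocator the naive table reports one engine and the bug stays latent; under junk fill it reports every slot up to the capacity, and any code that then dereferences those "entries" reads 0xd0d0d0d0, which is the crash in the message. Keeping a count and clearing the grown region yourself removes the dependence on allocator behaviour, which is also why running builds with malloc's 'J' option is a useful way to flush out this class of bug before it reaches production.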