From owner-freebsd-hackers@FreeBSD.ORG  Thu Sep  2 16:20:01 2004
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 980C516A4CF
	for <freebsd-hackers@FreeBSD.org>;
	Thu,  2 Sep 2004 16:20:01 +0000 (GMT)
Received: from gandalf.online.bg (gandalf.online.bg [217.75.128.9])
	by mx1.FreeBSD.org (Postfix) with SMTP id 523D143D5A
	for <freebsd-hackers@FreeBSD.org>;
	Thu,  2 Sep 2004 16:20:00 +0000 (GMT)
	(envelope-from roam@ringlet.net)
Received: (qmail 27312 invoked from network); 2 Sep 2004 16:18:28 -0000
Received: from unknown (HELO straylight.m.ringlet.net) (217.75.134.254)
  by gandalf.online.bg with SMTP; 2 Sep 2004 16:18:28 -0000
Received: (qmail 24549 invoked by uid 1000); 2 Sep 2004 16:20:17 -0000
Date: Thu, 2 Sep 2004 19:20:17 +0300
From: Peter Pentchev <roam@ringlet.net>
To: freebsd-hackers@FreeBSD.org
Message-ID: <20040902162017.GI1469@straylight.m.ringlet.net>
Mail-Followup-To: freebsd-hackers@FreeBSD.org,
	Dag-Erling Smorgrav <des@FreeBSD.org>,
	"Jacques A. Vidrine" <nectar@FreeBSD.org>,
	Mark Murray <markm@FreeBSD.org>
References: <20040902160300.GH1469@straylight.m.ringlet.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="8/UBlNHSEJa6utmr"
Content-Disposition: inline
In-Reply-To: <20040902160300.GH1469@straylight.m.ringlet.net>
User-Agent: Mutt/1.5.6i
cc: "Jacques A. Vidrine" <nectar@FreeBSD.org>
cc: Mark Murray <markm@FreeBSD.org>
cc: Dag-Erling Smorgrav <des@FreeBSD.org>
Subject: Re: [CFR] OpenSSL ENGINE fix
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
	<freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
	<mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2004 16:20:01 -0000


--8/UBlNHSEJa6utmr
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Sep 02, 2004 at 07:03:00PM +0300, Peter Pentchev wrote:
> Hi,
>=20
> The stunnel port had been badly broken on -CURRENT for some time, and
> today I seem to have tracked it down.  There is a problem in
> OpenSSL's ENGINE code, which seems to depend on realloc()'s initializing
> unused memory with zeroes.  Since this is certainly not true with
> malloc's 'J' option, the ENGINE code never actually runs out of RAND
> routines to look for, and dumps core on attempting to dereference a
> structure at 0xd0d0d0d0.
>=20
> The following simple patch seems to fix this particular problem, but I
> think there are others lurking close beneath the surface.  When I built
> stunnel with this patch, it did not immediately segfault on
> initialization, but it did later, when it attempted to get a couple of
> random bytes in order to actually establish an SSL connection.  A quick
> examination shows that the ENGINE code had "successfully" loaded and
> initialized all built-in engines and then tried to use the last one
> loaded - in this case, the 4758cca one - which promptly invoked a
> function pointed to by the static randomNumberGenerate variable, which,
> as you may have guessed by this point, held a NULL value.  Apparently,
> something else is rotten in ENGINE initialization land, and (at least)
> the 4758cca driver cannot properly detect that it has not properly
> detected its hardware :(

Oh, and of course, here's a program that demonstrates the null pointer
problem after the eng_table.c patch is applied:

#include <openssl/lhash.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/crypto.h> /* for CRYPTO_* and SSLeay_version */
#include <openssl/rand.h>
#if SSLEAY_VERSION_NUMBER >=3D 0x00907000L
#include <openssl/engine.h>
#else
#error weird openssl version
#endif

int main(void)
{
	unsigned char buf[256];
	int ret;
=09
	ENGINE_load_builtin_engines();
	ENGINE_register_all_complete();
	if (RAND_status()) {
		printf("RAND_status said ok\n");
	} else {
		printf("RAND_status kinda sorta failed\n");
	}
	ret =3D RAND_pseudo_bytes(buf, sizeof(buf) / 2);
	printf("RAND_pseudo_bytes() returned %d\n", ret);
	return (0);
}

G'luck,
Peter

--=20
Peter Pentchev	roam@ringlet.net    roam@cnsys.bg    roam@FreeBSD.org
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint	FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I had finished this sentence,

--8/UBlNHSEJa6utmr
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (FreeBSD)

iD8DBQFBN0hB7Ri2jRYZRVMRAgkyAJ95nBS6F1XOyk4GiH/uS1Y9qjXIvgCfR2QI
WItMs8RoSratewuphmcnhbw=
=Eggr
-----END PGP SIGNATURE-----

--8/UBlNHSEJa6utmr--