Hi - I built an rpm of openssl-0.9.6 and contributed it to redhat's site a few weeks
ago;
OpenSSL 0.9.6 24 Sep 2000
built on: Tue Oct 10 12:13:56 EDT 2000
platform: linux-elf
options: bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long) idea(int)
blowfish(idx)
compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN
-DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
I recently received communication from Dave Johnson <[EMAIL PROTECTED]> pointing out
some incompatibility issues he's having.
Discourse as follows:
ddj, Tue, 31 Oct 2000 09:28:39 -0500
I ran into a problem where openssh started failing right and left with
fatal error messages that xmalloc was called with a NULL pointer. After
too many hours of trying to trace back the change that started the problem,
I found that openssl-0.9.6-1 was the culprit. Backing it out to 0-9.5a-14
(on RH7.0 intel) resolved the problem.
I would have to guess there was either an incompatible change made to the
API, or a subtle difference between your build environment and the one at
porky.devel.redhat.com, or a bad assumption being made in the openssh code.
Anyhow, I think it might be "The Right Thing"TM to warn other users of
this problem. I don't know if it is at all possible to do in the RPM
software from your end; the natural place would be a version check in
the openssh packaging. But if there is a way to detect when openssh
has a dependency on openssl >= 0.9.5a and warn that openssl-0.9.6 will
break everything, I'm sure a lot of hours of anguish will be saved.
On Tue, Oct 31, 2000 at 11:01:20AM -0500, ben h kram wrote:
> > I ran into a problem where openssh started failing right and left with
> > fatal error messages that xmalloc was called with a NULL pointer....
> ....
> It may be that the bin I posted was compiled under rh6.1 with some updated libs, but
> not under rh7.
>
One other difference I changed about the same time was to go up to
glibc-2.1.94-3(i686) from 2.1.92-14(i386). Would rather not back that
out right now, though.
> I posted a src rpm too, would you try rebuilding that and see if that solves the
> problem?
>
I'm building it now, it's in the test directory, running tests.
I'll reinstall it after lunch and check to see if it still gives problems
with openssh.
ddj, Tue, 31 Oct 2000 11:49:29 -0500
k, it finished building quicker than I thought.
I had the same problem with the package I just built.
With "ssh -v -v control date" (control is local machine), I get
this after the kexinit messages:
debug: first kex follow: 0
debug: reserved: 0
debug: done
debug: kex: server->client 3des-cbc hmac-sha1 none
debug: kex: client->server 3des-cbc hmac-sha1 none
debug: Sending SSH2_MSG_KEXDH_INIT.
debug: bits set: 486/1024
debug: Wait SSH2_MSG_KEXDH_REPLY.
debug: Got SSH2_MSG_KEXDH_REPLY.
debug: Host 'control.cascv.brown.edu' is known and matches the DSA host key.
debug: bits set: 509/1024
xfree: NULL pointer given as argument
debug: Calling cleanup 0x805db10(0x0)
ddj, Wed, 1 Nov 2000 10:08:58 -0500
> Hmm. We may want to email our conversation to the good folks at openssl;
>
> I am using the binaries I built w/o problems. If they recognise the problem,
> we can prob get new src, and get redhat to send an advisory.
>
> thank you,
> ben
Ok, I looked into it further, and the problem is definitely in openssl.
I rebuilt ssh under openssl-0.9.5a, then upgraded to openssl-0.9.6, and
it stopped working. Just rebuilding dsa.o kex.o and key.o was enough to
make it work again in a simple test. Replacing libcrypto.so to match the
version used in the build makes it work again.
Between 0.9.5a and 0.9.6, several major structures in the include file
/usr/include/openssl/evp.h were changed. A new "flags" field was stuck
in the middle of evp_cipher_st (EVP_CIPHER), pushing some function pointers
down, and the evp_cipher_ctx_st was completely de-arranged.
I don't have a clue how to contact the openssl group; I had just seen
your email address in the "packager" field of the rpm file. I have no
reservations with you forwarding any/all of our messages to them.
If you won't get a chance to report this, let me know and I will check
the openssl website for bug reporting procedures.
The bottom line is there is no binary compatibility between these two
versions, and to make matters worse, there is no version checking that
I can see in the API. At a minimum there should be a version flag passed
into the first openssl init function call, which can be used to decide
how to interpret the data provided by the caller.
Regards,
-- ddj
cheers,
ben
--
"...human heads are opaque and there's no way to see inside except
through those tiny little windows, the eyes."
-Yevgeny Zamyatin
"We"
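
The layout shift described in the thread, and the version-tagged entry point ddj proposes, shown as an added C example that is not part of the original messages or of OpenSSL's code. The structs `cipher_v1` and `cipher_v2`, the `ABI_V1`/`ABI_V2` tags and `lib_get_init` are simplified, hypothetical stand-ins, not the real `evp.h` definitions.

```c
/* Added illustration: constructed, simplified layouts, NOT the real evp.h. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef int (*init_fn)(void *ctx);

/* Layout the application was compiled against (hypothetical "old" header). */
struct cipher_v1 { int nid; int block_size; init_fn init; };

/* Layout the upgraded library expects: "flags" inserted before the pointer. */
struct cipher_v2 { int nid; int block_size; unsigned long flags; init_fn init; };

#define ABI_V1 1L   /* hypothetical version tags */
#define ABI_V2 2L

/* Bytes by which the function pointer moved between the two layouts. */
long init_shift(void) {
    return (long)offsetof(struct cipher_v2, init)
         - (long)offsetof(struct cipher_v1, init);
}

/* Library side: the ABI tag decides which layout is used to read the object. */
init_fn lib_get_init(long abi, const unsigned char *obj) {
    size_t off;
    init_fn fn;
    if (abi == ABI_V1)      off = offsetof(struct cipher_v1, init);
    else if (abi == ABI_V2) off = offsetof(struct cipher_v2, init);
    else return NULL;       /* unknown caller version: refuse */
    memcpy(&fn, obj + off, sizeof fn);
    return fn;
}

static int dummy_init(void *ctx) { (void)ctx; return 1; }

/* Caller builds a v1 object; returns 1 if the library finds its pointer. */
int roundtrip_ok(long assumed_abi) {
    unsigned char buf[sizeof(struct cipher_v2)] = {0};
    struct cipher_v1 c = { 1, 8, dummy_init };
    memcpy(buf, &c, sizeof c);
    return lib_get_init(assumed_abi, buf) == dummy_init;
}

int main(void) {
    printf("init pointer moved by %ld bytes\n", init_shift());
    printf("library told caller is v1: %s\n", roundtrip_ok(ABI_V1) ? "ok" : "wrong slot");
    printf("library assumes v2 layout: %s\n", roundtrip_ok(ABI_V2) ? "ok" : "wrong slot");
    return 0;
}
```

When the library assumes the newer layout for an object built against the older header, it reads zeroed bytes where it expects the function pointer, which is the kind of mismatch that only rebuilding the application against the matching headers removes.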