Re: Crash in BIO_set_fp(): Windows esp SL VC9?

2010-03-15 Thread Michael Boman 
OpenSSL mailserver didn't like the attachment, see
http://www.michaelboman.org/how-to/building-openssl-on-windows for the
previous attached file.

Best regards
Michael Boman

On Mon, Mar 15, 2010 at 6:21 AM, Michael Boman mich...@michaelboman.orgwrote:

 Thanks for your input, clarifications inline:

 On Fri, Mar 12, 2010 at 12:04 AM, Dave Thompson 
 dave.thomp...@princetonpayments.com wrote:

 -dev added, I think this is actually a bug

From: owner-openssl-us...@openssl.org On Behalf Of Michael Boman
Sent: Monday, 01 March, 2010 11:40
 re: crash in BIO_set_fp, on Windows, could it be faq#PROG2?

I am using OpenSSL 0.9.8l from
 http://www.slproweb.com/products/Win32OpenSSL.html

I link to these libraries for debugging:
C:\OpenSSL\lib\VC\ssleay32MTd.lib
C:\OpenSSL\lib\VC\libeay32MTd.lib

And these ones for release:
C:\OpenSSL\lib\VC\ssleay32MT.lib
C:\OpenSSL\lib\VC\libeay32MT.lib

I compile the program using the /MT (Release) and /MTd (Debug)
 flag
  under C/C++ - Code Generation

 Aside: all 4 pairs of .lib's in lib\VC (and one in lib) are
 exportlibs for the one pair of DLL's, which are actually /MD
 but use the applink mechanism, as mentioned in the FAQ, to get
 the right CRT -- assuming the EXE correctly compiles applink.c,
 and the code you referenced does.

 So this should work. And using the corresponding files from
 my (DLL) build of 0.9.8m it sort of does (see below), but using
 the SL distro I also get a crash. Stepping in the debugger I see
 code in SL that is similar but not identical. It appears to be
 built with VC++08 or possibly later, in particular for MSVCR90,
 while I use (elderly but still functional) VC++6.0 and MSVCRT[d],
 and the exit 0xC417 occurs in MSVCR90 appparently below _setmode.
 You didn't say what version of VC++ (and CRT) you are using.


 I am using VC++ 2008 Express on Windows 7 (64-bit), compiling against
 0.9.8m (currently; OP was 0.9.8l). Up-to-date code is available at
 http://code.google.com/p/sslscan-win together with required VC++ project
 and solution files.

 As I mentioned above I am currently using 0.9.8m, which I have compiled
 myself using the attached script (place it in OpenSSL source directory)
 using the following syntax: vc_build.cmd -d -i

 I am now linking to following libs for both debug and release:
 C:\OpenSSL\openssl-0.9.8m\lib\libeay32.lib
 C:\OpenSSL\openssl-0.9.8m\lib\ssleay32.lib

 OpenSSL include files are being picked up
 from C:\OpenSSL\openssl-0.9.8m\include and I am now printing
 out OPENSSL_VERSION_TEXT to confirm what header files I was building
 against.


 I believe this is a bug:

 bss_file.c file_ctrl() case for SET_FILE_PTR uses UP_fsetmode
 not UP_fsetmod so it doesn't uplink when it apparently should;
 instead uses direct _fileno and _setmode which faults in MSVCR90.
 On (old) VC++6.0/MSVCRT _fileno is inlined and works, and _setmode
 sets an error (EBADF) which is ignored, and the mode (bin/text)
 set by the app at fopen is apparently left intact (and works OK).

 Also looking in the same area:

 bss_file.c BIO_new_file() calls *ctrl BIO_C_SET_FILE_PTR with
 flags not including BIO_FP_TEXT, which sets binary even if the
 call said e.g. w or wt; on Windows this gives poor results
 if the output actually is text and needs \n=CRLF translation.
 Similarly BIO_{read,rw,write,append}_filename do SET_FILENAME
 with flags not containing TEXT. Explicitly calling BIO_ctrl
 SET_FILENAME with e.g. BIO_FP_WRITE|BIO_FP_TEXT does work.
 And BIO_new_fp() although prototyped as 'close_flag' actually
 honors TEXT as well, as documented.

 Some other things I noticed in working on this app:

 Personally I would do each formatting op once to a membio or
 string, and then duplicate the result to stdout and xmlOutput.
 That would also avoid this problem, since then the app wouldn't
 be using an fpbio for xmlOutput; everything else seems to work.

 And I wouldn't indent SO deeply. And I would handle long
 serials, as apps/x509.c does, since bigger than 32b are pretty
 common and (often spurious) negatives shouldn't be misleading.

 And officially WSAStartup should be once per process,
 although since about W2k as I recall repeats are benign.
 And unextended (insecure) client-initiated renegotiation is
 probably -- we hope! -- going to stop working soon.

 Logically I think it should work to compile the app /MD with a
 new(er) compiler that uses MSVCR90 and thus doesn't need uplink,
 or any supported mode(s) and static link (lib\VC\STATIC\various.lib)
 against a new-enough library to be compatible (old MSVCRT is not,
 it apparently doesn't have some _cookie stuff the SL build wants).
 But I'm not in a position to try those out for now.


 Thank you so much for the general feedback, it is much appreciated. I will
 take note of the suggested improvements and work them in to the application.

 Best regards
 Michael Boman

 --
 http://michaelboman.org - Security Blog

Re: Crash in BIO_set_fp()

2010-03-01 Thread Michael Boman 
I am using OpenSSL 0.9.8l from
http://www.slproweb.com/products/Win32OpenSSL.html

I link to these libraries for debugging:
C:\OpenSSL\lib\VC\ssleay32MTd.lib
C:\OpenSSL\lib\VC\libeay32MTd.lib

And these ones for release:
C:\OpenSSL\lib\VC\ssleay32MT.lib
C:\OpenSSL\lib\VC\libeay32MT.lib

I compile the program using the /MT (Release) and /MTd (Debug) flag under
C/C++ - Code Generation

Best regards
Michael Boman

On Sat, Feb 27, 2010 at 2:25 AM, Dave Thompson 
dave.thomp...@princetonpayments.com wrote:

From: owner-openssl-us...@openssl.org On Behalf Of Michael Boman
Sent: Thursday, 25 February, 2010 15:26

if (options-xmlOutput != 0)
{
fileBIO = BIO_new(BIO_s_file());
BIO_set_fp(fileBIO, options-xmlOutput, BIO_NOCLOSE); // -
 Crashing
 here
}

Help  suggestions are most welcome.

 Your screenshots look like Windows; if so, what
 compiler/runtime and OpenSSL build are you using
 and could you have the wrong-MSVC-runtime issue?
 http://www.openssl.org/support/faq.html#PROG2


 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing Listopenssl-users@openssl.org
 Automated List Manager   majord...@openssl.org




-- 
http://michaelboman.org - Security Blog  Wiki

Re: Crash in BIO_set_fp()

2010-02-25 Thread Michael Boman 
I forgot to mention the important stuff:

OpenSSL 0.9.8l 5 Nov 2009
Visual C++ 2008 Express Edition
Windows 7 Enterprise (64-bit)

Best regards
Michael Boman

2010/2/25 Michael Boman mich...@michaelboman.org

 Hello list,

 On line 1014 in the code uploaded at http://pastebin.ca/1810624 the
 program crashes. The relevant code snippet looks like this:

  // Setup BIO's
 stdoutBIO = BIO_new(BIO_s_file());
 BIO_set_fp(stdoutBIO, stdout, BIO_NOCLOSE);
  if (options-xmlOutput != 0)
 {
 fileBIO = BIO_new(BIO_s_file());
  BIO_set_fp(fileBIO, options-xmlOutput, BIO_NOCLOSE); // - Crashing here
 }

 I have checked and none of the arguments to BIO_set_fp() is NULL (See
 http://imagebin.ca/view/yX28fMI0.html for a screenshot of the debugger
 just before it crashing). At the crash the following is in the
 disassembler: http://imagebin.ca/view/5a-PGS.html

 Help  suggestions are most welcome.

 Best regards
 Michael Boman

 --
 http://michaelboman.org - Security Blog  Wiki




-- 
http://michaelboman.org - Security Blog  Wiki

Crash in BIO_set_fp()

2010-02-25 Thread Michael Boman 
Hello list,

On line 1014 in the code uploaded at http://pastebin.ca/1810624 the program
crashes. The relevant code snippet looks like this:

// Setup BIO's
stdoutBIO = BIO_new(BIO_s_file());
BIO_set_fp(stdoutBIO, stdout, BIO_NOCLOSE);
if (options-xmlOutput != 0)
{
fileBIO = BIO_new(BIO_s_file());
BIO_set_fp(fileBIO, options-xmlOutput, BIO_NOCLOSE); // - Crashing here
}

I have checked and none of the arguments to BIO_set_fp() is NULL (See
http://imagebin.ca/view/yX28fMI0.html for a screenshot of the debugger just
before it crashing). At the crash the following is in the disassembler:
http://imagebin.ca/view/5a-PGS.html

Help  suggestions are most welcome.

Best regards
Michael Boman

-- 
http://michaelboman.org - Security Blog  Wiki