OpenLDAP
Viewing Incoming/8791
Date: Wed, 13 Dec 2017 22:53:29 +0000
From: bbaetz@google.com
To: openldap-its@OpenLDAP.org
Subject: OpenSSL 1.1.1 compat issue
Full_Name: Bradley Baetz
Version: 2.4.45
OS: linux
URL: ftp://ftp.openldap.org/incoming/bradley-baetz-20171214.patch
Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb)


ITS#8533 added support for OpenSSL's hiding of the bio_method_st struct.

However, it did this by re-defining the now-private structure, using the OpenSSL
1.0 version. That will fail when OpenSSL changes their structure, which they
have already done for v1.1.1 - see
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=include/internal/bio.h;hb=e1dd8fa00a1e06d27c8b024dac7657a8d8a9b451#l16

It also fails with BoringSSL, which has v1.0's OPENSSL_VERSION_NUMBER define,
but has not yet hidden the struct definition.

The attached file is derived from OpenLDAP Software. All of the modifications to
OpenLDAP Software represented in the following patch(es) were developed by
Google, LLC. Google, LLC has not assigned rights and/or interest in this work to
any party. I, Bradley Baetz am authorized by Google, LLC, my employer, to
release this work under the following terms.

The attached modifications to OpenLDAP Software are subject to the following
notice:
Copyright 2017 Google, LLC.
Redistribution and use in source and binary forms, with or without modification,
are permitted only as authorized by the OpenLDAP Public License.

Followup 1

Subject: Re: (ITS#8791) OpenSSL 1.1.1 compat issue
To: bbaetz@google.com, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Thu, 14 Dec 2017 17:36:07 +0000
bbaetz@google.com wrote:
> Full_Name: Bradley Baetz
> Version: 2.4.45
> OS: linux
> URL: ftp://ftp.openldap.org/incoming/bradley-baetz-20171214.patch
> Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb)

Thanks for the patch. The initialization of the static tlso_bio_method is 
racy. One-time initializations should be done in tlso_init, and the allocated 
memory should be freed in tlso_destroy.

> 
> ITS#8533 added support for OpenSSL's hiding of the bio_method_st struct.
> 
> However, it did this by re-defining the now-private structure, using the OpenSSL
> 1.0 version. That will fail when OpenSSL changes their structure, which they
> have already done for v1.1.1 - see
> https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=include/internal/bio.h;hb=e1dd8fa00a1e06d27c8b024dac7657a8d8a9b451#l16
> 
> It also fails with BoringSSL, which has v1.0's OPENSSL_VERSION_NUMBER define,
> but has not yet hidden the struct definition.
> 
> The attached file is derived from OpenLDAP Software. All of the modifications to
> OpenLDAP Software represented in the following patch(es) were developed by
> Google, LLC. Google, LLC has not assigned rights and/or interest in this work to
> any party. I, Bradley Baetz am authorized by Google, LLC, my employer, to
> release this work under the following terms.
> 
> The attached modifications to OpenLDAP Software are subject to the following
> notice:
> Copyright 2017 Google, LLC.
> Redistribution and use in source and binary forms, with or without modification,
> are permitted only as authorized by the OpenLDAP Public License.
> 
> 


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

From: Bradley Baetz <bbaetz@google.com>
Date: Fri, 15 Dec 2017 01:08:03 +0000
Subject: Re: (ITS#8791) OpenSSL 1.1.1 compat issue
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org

Done in ftp://ftp.openldap.org/incoming/bradley-baetz-20171215.patch


On Fri, 15 Dec 2017 at 04:36 Howard Chu <hyc@symas.com> wrote:

> bbaetz@google.com wrote:
> > Full_Name: Bradley Baetz
> > Version: 2.4.45
> > OS: linux
> > URL: ftp://ftp.openldap.org/incoming/bradley-baetz-20171214.patch
> > Submission from: (NULL) (2401:fa00:9:11:7ac0:58b5:299c:bebb)
>
> Thanks for the patch. The initialization of the static tlso_bio_method is
> racy. One-time initializations should be done in tlso_init, and the
> allocated memory should be freed in tlso_destroy.
>
> >
> > ITS#8533 added support for OpenSSL's hiding of the bio_method_st struct.
> >
> > However, it did this by re-defining the now-private structure, using the OpenSSL
> > 1.0 version. That will fail when OpenSSL changes their structure, which they
> > have already done for v1.1.1 - see
> > https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=include/internal/bio.h;hb=e1dd8fa00a1e06d27c8b024dac7657a8d8a9b451#l16
> >
> > It also fails with BoringSSL, which has v1.0's OPENSSL_VERSION_NUMBER define,
> > but has not yet hidden the struct definition.
> >
> > The attached file is derived from OpenLDAP Software. All of the modifications to
> > OpenLDAP Software represented in the following patch(es) were developed by
> > Google, LLC. Google, LLC has not assigned rights and/or interest in this work to
> > any party. I, Bradley Baetz am authorized by Google, LLC, my employer, to
> > release this work under the following terms.
> >
> > The attached modifications to OpenLDAP Software are subject to the following
> > notice:
> > Copyright 2017 Google, LLC.
> > Redistribution and use in source and binary forms, with or without modification,
> > are permitted only as authorized by the OpenLDAP Public License.
> >
> >
>
>
> --
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
>


© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org