calloc vs kssl_calloc

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

calloc vs kssl_calloc

gjcoram
Hi -
In kssl.c around line 747, there's a definition of kssl_calloc.

Why, then, on line 875, is there a call to just "calloc" ?

Also line 1230,1262, 2058.

(This is in openssl-1.0.2j)


Thanks.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Salz, Rich
Kssl_calloc calls openssl_malloc which means the data must be free'd with openssl_free. And in debug builds any non-free'd data is a leak and reported.  Ton line 875 the data is allocated and never free'd, so it skips the leak detection.   In some of those other places, perhaps it's because the KRB API needs something it can free or realloc?  I'm not sure.

--  
Senior Architect, Akamai Technologies
IM: [hidden email] Twitter: RichSalz


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Benjamin Kaduk
On 09/26/2016 11:01 AM, Salz, Rich wrote:
Kssl_calloc calls openssl_malloc which means the data must be free'd with openssl_free. And in debug builds any non-free'd data is a leak and reported.  Ton line 875 the data is allocated and never free'd, so it skips the leak detection.   In some of those other places, perhaps it's because the KRB API needs something it can free or realloc?  I'm not sure.


It doesn't look like the allocated memory is used as input to a krb5 routine, so I think it's just a bug.

-Ben

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

gjcoram
On 09/26/2016 12:11, Benjamin Kaduk <[hidden email]> wrote:

>
> On 09/26/2016 11:01 AM, Salz, Rich wrote:
> > Kssl_calloc calls openssl_malloc which means the data must be
> free'd with openssl_free. And in debug builds any non-free'd data is
> a leak and reported.  Ton line 875 the data is allocated and never
> free'd, so it skips the leak detection.   In some of those other
> places, perhaps it's because the KRB API needs something it can free
> or realloc?  I'm not sure.
> >
>
> It doesn't look like the allocated memory is used as input to a krb5
> routine, so I think it's just a bug.
>
> -Ben

As it turns out, that wasn't the code that was giving me trouble in my
application.

Instead, it's the code in crypto\LPdir_win.c, which is included via
crypto\LPdir_wince.c, which is included in crypto\o_dir.c

I found a portability tip on the web that says not to use malloc or
calloc in Windows CE applications.  (Actually, Google found me a
result in the book "Making Win32 Applications Mobile" by Nancy
Nicolaisen.)

I've cc'ed Richard Levitte, who is credited for LPdir_win.c, perhaps
he can comment on whether LocalAlloc would be an appropriate
replacement.

Thanks.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

gjcoram
In reply to this post by Benjamin Kaduk
On Mon, Sep 26, 2016 at 12:11 PM, Benjamin Kaduk <[hidden email]> wrote:
On 09/26/2016 11:01 AM, Salz, Rich wrote:
Kssl_calloc calls openssl_malloc which means the data must be free'd with openssl_free. And in debug builds any non-free'd data is a leak and reported.  Ton line 875 the data is allocated and never free'd, so it skips the leak detection.   In some of those other places, perhaps it's because the KRB API needs something it can free or realloc?  I'm not sure.


It doesn't look like the allocated memory is used as input to a krb5 routine, so I think it's just a bug.


Is there something more I should do on this issue?  I recall the OpenSSL terms of use strongly discouraged people from the US from helping, due to US export restrictions.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Salz, Rich
> Is there something more I should do on this issue?  I recall the OpenSSL terms of use strongly discouraged people from the US from helping, due to US export restrictions.

That's kinda outdated.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Jakob Bohm-7
On 30/09/2016 15:29, Salz, Rich wrote:
>> Is there something more I should do on this issue?  I recall the OpenSSL terms of use strongly discouraged people from the US from helping, due to US export restrictions.
> That's kinda outdated.
However there are very many OpenSSL users (myself included)
who rely on the legal status of OpenSSL/SSLeay as having no
US origin parts.  If this has changed, it needs a big red
banner at the top of the www.openssl.org, every affected
source file with the original EAY copyright boilerplate or
its OpenSSL clone etc.

For example, this affects how the use of OpenSSL should be
declared on various customs forms with respect to US export
restrictions and embargoes.

It is also a legal reason to avoid the BoringSSL US clone
and to some extent the LibreSSL Canadian clone.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

gjcoram
In reply to this post by Salz, Rich
On 09/30/2016 09:29, "Salz, Rich" <[hidden email]> wrote:
>
> > Is there something more I should do on this issue?  I recall the
> OpenSSL terms of use strongly discouraged people from the US from
> helping, due to US export restrictions.
>
> That's kinda outdated.


That didn't answer my question.  I reported a bug, I'm not a developer
/ on the developer list; will someone else take this, or is there some
bug database that I should enter an issue into?
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Jeffrey Walton-3
On Sat, Oct 1, 2016 at 4:32 PM, Geoffrey Coram <[hidden email]> wrote:
> ....I reported a bug, I'm not a developer
> / on the developer list; will someone else take this, or is there some
> bug database that I should enter an issue into?

If its an OpenSSL bug, then I believe you send an email to
[hidden email] along with the details. OpenSSL makes it easy on folks.

Also see Item 17 in the FAQ: "I think I've found a bug, what should I
do?", http://www.openssl.org/docs/faq.html#BUILD17.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Salz, Rich
In reply to this post by gjcoram

> That didn't answer my question.  I reported a bug, I'm not a developer / on
> the developer list; will someone else take this, or is there some bug database
> that I should enter an issue into?

As it says in https://www.openssl.org/community/, email it to [hidden email]

It also says this in the README.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Salz, Rich
In reply to this post by Jakob Bohm-7

> However there are very many OpenSSL users (myself included) who rely on
> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
> changed, it needs a big red banner at the top of the www.openssl.org, every
> affected source file with the original EAY copyright boilerplate or its OpenSSL
> clone etc.

As of 1.1.0 every single file has modifications by US Citizens because I globally changed the copyright.

We are NOT going to mark US/non-US contributions, sorry.

OpenSSL and SSLeay has always had US contributions, it's just that we were done indirectly.  For example, "git show eb64730" which was early 2000.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Jeffrey Walton-3
On Sat, Oct 1, 2016 at 5:18 PM, Salz, Rich <[hidden email]> wrote:
>
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
>> changed, it needs a big red banner at the top of the www.openssl.org, every
>> affected source file with the original EAY copyright boilerplate or its OpenSSL
>> clone etc.
>
> We are NOT going to mark US/non-US contributions, sorry.

That's kind of a new twist on "Authentication is not X". For Java and
Web Apps, its "Authentication is not Authorizations" (Sandboxes and
Secure Contexts). For Git is "Authentication is not Code Integrity"
(Commit Signing).

In the new case, I thinks its "Authentication is not Lawfulness". Or
is it Lawlessness?

Jeff
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Benjamin Kaduk
In reply to this post by gjcoram
On 10/01/2016 03:32 PM, Geoffrey Coram wrote:
On 09/30/2016 09:29, "Salz, Rich" [hidden email] wrote:

        
Is there something more I should do on this issue?  I recall the 
OpenSSL terms of use strongly discouraged people from the US from 
helping, due to US export restrictions. 

That's kinda outdated.

That didn't answer my question.  I reported a bug, I'm not a developer
/ on the developer list; will someone else take this, or is there some
bug database that I should enter an issue into?

The general question has been answered already.  In this specific case, the best thing for you to do would be to test https://github.com/openssl/openssl/pull/1622 , which I submitted after making the claim that the calloc usage was "just a bug".

-Ben

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Jakob Bohm-7
In reply to this post by Salz, Rich
On 01/10/2016 23:18, Salz, Rich wrote:
>> However there are very many OpenSSL users (myself included) who rely on
>> the legal status of OpenSSL/SSLeay as having no US origin parts.  If this has
>> changed, it needs a big red banner at the top of the www.openssl.org, every
>> affected source file with the original EAY copyright boilerplate or its OpenSSL
>> clone etc.
> As of 1.1.0 every single file has modifications by US Citizens because I globally changed the copyright.
Really, I thought the US team dealt exclusively with the FIPS
bureaucracy acting as "cutouts" between US government interests
and the non-US developers, never actually touching the code.
> We are NOT going to mark US/non-US contributions, sorry.
>
> OpenSSL and SSLeay has always had US contributions, it's just that we were done indirectly.  For example, "git show eb64730" which was early 2000.
>
This fact was *not* published widely enough to be seen by
everyone concerned.  It was certainly not published as widely
as the fact that SSLeay was created and maintained entirely
outside the US, and that this was one of its major attractions.

Basically that internal checkin (which I have no idea what is,
since I only see the released tarballs) or any earlier US code
changes would have been a watershed change.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: calloc vs kssl_calloc

Salz, Rich

> This fact was *not* published widely enough to be seen by everyone
> concerned.  It was certainly not published as widely as the fact that SSLeay
> was created and maintained entirely outside the US, and that this was one of
> its major attractions.
>
> Basically that internal checkin (which I have no idea what is, since I only see
> the released tarballs) or any earlier US code changes would have been a
> watershed change.

Well, I can't go back to 2000 and change things.

You'll have to decide what you want to do now.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users