[Info-vax] An HP SSL mystery
Steven Schweda
sms.antinode at gmail.com
Tue Jun 23 19:16:04 EDT 2015
> Has someone reported this to HP?
Not I. (I don't even have good patch access.)
Currently, SSLROOT gets used in two (pretty subterranean)
places:
crypto/cryptlib.h:
#define X509_CERT_AREA "SSLROOT:[000000]"
crypto/engine/eng_list.c:
if((load_dir = getenv("OPENSSL_ENGINES")) == 0) load_dir = "SSLROOT:[ENGINES]";
I'll try to open a discussion with the OpenSSL folks about
ways to pull this wart into some better, single place where
it'd be easier to adjust.
> [...] it appears that HP is using some combination of
> scripts and manual steps to port over the code.
That was my impression, based on a quick [g]diff of a
normal OpenSSL 0.9.8ze kit and the HP V1.4-502 source kit.
>From the number of white-space differences, I'd guess that
someone did a one-time port of some 0.9.x kit, and has been
backporting the security fixes into it ever since. There
seem to be more VMS-specific bits in the HP kit, too, but I
didn't look closely enough to be able to tell which problems
they might be intended to solve. (If there were extensive,
explanatory comments near those changes, then I missed them.)
If I read it correctly, then widespread distribution of an
Alpha DEC C without the 64-bit argv[] bug(s) could have saved
considerable bother for more than just me.
More information about the Info-vax
mailing list