[openssl-dev] [openssl.org #3715] Possible bug in openssl 64 bit version

Tobias Firnges via RT rt at openssl.org
Mon Feb 23 15:16:02 UTC 2015


Hello,

I would like you to verify the following issue:

You can find the version information in the attached screenshot.

- OS: Windows 8.1 64 bit
- Hardware: Hyper-V on a Dell T110 II as well as a HP ProBook 470 G2
- I used the version of openssl from http://slproweb.com/products/Win32OpenSSL.html
- Compiler: Visual Studio 2013 and also tested with codeblocks.org software <-- Same result
- Detailed description of the error here:

I have tested the following code with Win32 OpenSSL v1.0.1L and Win64 OpenSSL:
----------------------------------
#define _CRT_SECURE_NO_WARNINGS

#include <iostream> 
#include <sstream> 
#include <string> 
#include <iomanip> 
#include <stdio.h> 
#include <openssl/sha.h>

using namespace std;

// Hash an in-memory string and return the digest as lowercase hex.
string sha256(const string &str)
{
    unsigned char hash[SHA256_DIGEST_LENGTH];
    SHA256_CTX sha256;
    SHA256_Init(&sha256);
    SHA256_Update(&sha256, str.c_str(), str.size());

    SHA256_Final(hash, &sha256);

    stringstream ss;
    for (int i = 0; i < SHA256_DIGEST_LENGTH; i++)
    {
        ss << hex << std::setw(2) << setfill('0') << (int)hash[i];
    }

    return ss.str();
}

void sha256_hash_string(unsigned char hash[SHA256_DIGEST_LENGTH], char outputBuffer[65])
{
    int i = 0;

    for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
    {
        sprintf(outputBuffer + (i * 2), "%02x", hash[i]);
    }

    outputBuffer[64] = 0;
}

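// Hash a file in 32 KiB chunks; writes 64 hex characters plus NUL to output.
// Returns 0 on success, -1 if the file cannot be opened or a read fails.
int sha256_file(const char* path, char output[65])
{
    FILE *file = fopen(path, "rb");   // "rb": binary mode, no newline translation
    if (!file) return -1;

    unsigned char hash[SHA256_DIGEST_LENGTH];
    SHA256_CTX sha256;
    SHA256_Init(&sha256);
    const size_t bufSize = 32768;
    char *buffer = new char[bufSize];   // throws std::bad_alloc on failure, never returns NULL
    size_t bytesRead = 0;
    while ((bytesRead = fread(buffer, 1, bufSize, file)) > 0)
    {
        SHA256_Update(&sha256, buffer, bytesRead);
    }
    const bool readError = ferror(file) != 0;   // distinguish a read error from end of file
    fclose(file);
    delete[] buffer;
    if (readError) return -1;

    SHA256_Final(hash, &sha256);
    sha256_hash_string(hash, output);
    return 0;
}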

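int main()
{
    // hash a string
    std::cout << "SHA-256 hash of \"Sample String\" text:" << std::endl;
    std::cout << sha256("Sample String") << std::endl << std::endl;

    // hash a file; check the return value so a failed open or read is
    // reported instead of printing a stale or unset buffer
    cout << "SHA-256 hash of file cmd.exe:" << std::endl;
    char calc_hash[65] = "";
    if (sha256_file("C:\\Windows\\System32\\cmd.exe", calc_hash) != 0)
        cout << "(could not read file)" << std::endl;
    else
        cout << calc_hash << std::endl;
    cout << "SHA-256 hash of file NETSTAT.exe:" << std::endl;
    if (sha256_file("C:\\Windows\\System32\\NETSTAT.exe", calc_hash) != 0)
        cout << "(could not read file)" << std::endl;
    else
        cout << calc_hash << std::endl;
    cout << "SHA-256 hash of file eula.1028.txt:" << std::endl;
    if (sha256_file("C:\\eula.1028.txt", calc_hash) != 0)
        cout << "(could not read file)" << std::endl;
    else
        cout << calc_hash << std::endl;

    // wait for a key press before the console window closes
    cin.clear();
    cin.ignore(255, '\n');
    cin.get();

    return 0;
}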
----------------------------------
The code worked fine with Win32 OpenSSL v1.0.1L, however, when I tried the code with Win64 OpenSSL v1.0.1L, I get a wrong result.

In my test I did the following:

1. On a 64 bit Windows 8.1 machine, I first tested Win32 OpenSSL v1.0.1L. The results were correct.
2. I then changed to Win64 OpenSSL v1.0.1.L (including the 64 bit Visual C++ redistributables). The result was correct for Strings and for the txt file, but for exe files the hash is not correct. (See attached screenshot)
3. I then compiled the same code on a 32 bit Windows 7 machine with Win32 OpenSSL v1.0.1L and copied the file to the 64 bit machine. Now the String, txt file and exe file hash show the right value.

For compiling I used Visual Studio 2013 and, to compare whether the compiler was the issue, I used the latest version of the codeblocks.org software to compile. I always got the same result. All hashes created with Win32 OpenSSL were correct, the hash of exe files created with Win64 OpenSSL was wrong.


And my target is to get the correct hash of each file I check in the 32 bit, as well as in the 64 bit environment.

Note: I double checked all the files I tested in online hash calculators. And there I could see the values for the exe files created with Win64 OpenSSL v1.0.1L were wrong.

Can you please confirm my result? Maybe you find an error in my code. If the error is in Win64 OpenSSL v1.0.1L, please help to release a new version of the tool with the issue fixed.

Note: I first sent the issue to Shining Light Production where I got the following answer:
-------------------------
Even if there is a problem, there's nothing I can do.  I just build the 
upstream source code into binaries using the officially published 
directions for building OpenSSL.
 
You need to take this upstream to the openssl-users mailing list. 
However, you are the first person to have this issue (or I'd see a LOT 
more yelling about it), so I'd wager that there is something wrong with 
your code rather than with OpenSSL.  Still, there are people there who 
can look at your code and evaluate it for accuracy and correctness.
-------------------------


Thank you for your answer in advance.


Best regards
Tobias
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssl-version.jpg
Type: image/jpeg
Size: 76310 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150223/e731aa9d/attachment-0003.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hash_x86.jpg
Type: image/jpeg
Size: 55436 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150223/e731aa9d/attachment-0004.jpg>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hash_x64.jpg
Type: image/jpeg
Size: 59625 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20150223/e731aa9d/attachment-0005.jpg>
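
Added diagnostic, not part of the original post or of OpenSSL: on 64-bit Windows a 32-bit process that opens a path under C:\Windows\System32 is redirected to C:\Windows\SysWOW64, so before comparing digests from a Win32 and a Win64 build it is worth confirming that both builds read the same bytes. The program below reports the size and PE machine type of whatever the process actually opened; `pe_machine`, `make_sample_pe` and the `Bytes` typedef are names made up for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

typedef std::vector<unsigned char> Bytes;

// Little-endian read; returns 0 if the field would run past the buffer.
static uint32_t le(const Bytes& b, size_t off, size_t n) {
    if (off > b.size() || n > b.size() - off) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)b[off + i] << (8 * i);
    return v;
}

// IMAGE_FILE_HEADER.Machine sits right after the "PE\0\0" signature
// that the DOS header field e_lfanew (offset 0x3C) points to.
std::string pe_machine(const Bytes& b) {
    if (b.size() < 0x40 || b[0] != 'M' || b[1] != 'Z') return "not PE";
    size_t pe = le(b, 0x3C, 4);
    if (pe > b.size() || b.size() - pe < 6 || le(b, pe, 4) != 0x00004550) return "not PE";
    switch (le(b, pe + 4, 2)) {
        case 0x014c: return "x86";   // IMAGE_FILE_MACHINE_I386
        case 0x8664: return "x64";   // IMAGE_FILE_MACHINE_AMD64
        default:     return "other";
    }
}

// Constructed sample input: a minimal header stub, not a loadable image.
Bytes make_sample_pe(uint16_t machine) {
    Bytes b(0x100, 0);
    b[0] = 'M'; b[1] = 'Z'; b[0x3C] = 0x80;
    b[0x80] = 'P'; b[0x81] = 'E';
    b[0x84] = static_cast<unsigned char>(machine & 0xff);
    b[0x85] = static_cast<unsigned char>(machine >> 8);
    return b;
}

int main(int argc, char** argv) {
    for (int i = 1; i < argc; i++) {   // each argument is a path to inspect
        std::ifstream f(argv[i], std::ios::binary);
        if (!f) { std::printf("%s: cannot open\n", argv[i]); continue; }
        Bytes b((std::istreambuf_iterator<char>(f)), std::istreambuf_iterator<char>());
        std::printf("%s: %lu bytes, %s\n", argv[i], (unsigned long)b.size(), pe_machine(b).c_str());
    }
    return 0;
}
```

Built once as 32-bit and once as 64-bit and run against the same System32 path, differing sizes or machine types mean the two processes opened different files, and their digests cannot be expected to match.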

