Does anyone reuse the (type **) parameter to the ASN1 functions and
friends (such as PEM)?
As many of you may know I'm currently revising the OpenSSL code and I'm
seeing what features are used and which should be dumped or fixed. The
parameter is one case where there is a feature which is horribly
broken...
Background: many of the ASN1 functions take a (type **) parameter.
This initial parameter has a special meaning. If it is NULL then it is
effectively ignored and a fresh structure is allocated and returned.
This is the usual case because most people do:
X509 *x509;
x509 = d2i_X509(NULL,...);
If it points to NULL then a new structure is allocated and the pointer
set to it. If it doesn't point to NULL then the existing structure is
(supposed to be) reused for example:
X509 *x509 = NULL;
d2i_X509(&x509,...);
... some code ...
d2i_X509(&x509,...);
This last case which reuses and existing structure is the only case
where the parameter is really needed. The idea presumably was that the
existing ASN1 structure could be overwritten with the new one and reduce
the number of memory allocations for example.
The problem is this last case doesn't work! Admittedly a few cases do
but there's all manner of examples which don't. For example if the first
structure contains an OPTIONAL item but the second doesn't the first
will be merged with the second. SET OF and SEQUENCE OF can get merged
too (try two PKCS#7 structures for example). This can cause all manner
of painful things to happen such as seemingly random signature
verification problems.
Now since I've never heard a report of this problem I can only assume
hardly anyone uses this parameter. Fixing the existing code is a very
painful task and the only advice that can be given is don't use that
parameter!
So with that in mind, is there a good reason to try and have this
functionality (but working this time!) in the new ASN1 code or should
any existing structure be freed and a new one freshly allocate?
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
