In message <[EMAIL PROTECTED]> on Fri, 21 Feb 2003 12:36:09 -0500, Geoff Thorpe <[EMAIL PROTECTED]> said:
geoff> * Harald Koch ([EMAIL PROTECTED]) wrote: geoff> > In message <[EMAIL PROTECTED]>, Richard Levitte - VMS Whacker writes: geoff> > > geoff> > > In message <[EMAIL PROTECTED]> on Thu, 20 Feb 2003 10:06:55 +0300, Solar Designer <[EMAIL PROTECTED]> said: geoff> > > geoff> > > solar> --- openssl-0.9.6h/crypto/x509/x509_vfy.c Thu Nov 28 11:06:30 2002 geoff> > > solar> +++ openssl-0.9.6i/crypto/x509/x509_vfy.c Tue Dec 10 11:28:16 2002 geoff> > > solar> @@ -897,7 +897,7 @@ geoff> > > solar> ctx->chain=NULL; geoff> > > solar> } geoff> > > solar> CRYPTO_free_ex_data(x509_store_ctx_method,ctx,&(ctx->ex_data)); geoff> > > solar> - OPENSSL_cleanse(&ctx->ex_data,sizeof(CRYPTO_EX_DATA)); geoff> > > solar> + memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA)); geoff> > > solar> } geoff> > > solar> geoff> > > solar> Is this change intentional, it appears to undo the change introduced geoff> > > solar> between 0.9.6g and 0.9.6h? geoff> > > geoff> > > Yes. ex_data is a pointer, need I say more? :-) geoff> > geoff> > What's wrong with the much simpler "ctx->ex_data = 0;" then? geoff> geoff> erm, ex_data is not a pointer, it is a CRYPTO_EX_DATA structure. geoff> &ex_data is a pointer, of course. geoff> geoff> Anyway, looking at the implementation of CRYPTO_free_ex_data(), I can't geoff> understand why any cleanse/memset is required anyway? Richard - did you geoff> change it just as part of the memset->cleanse audit, or is there a geoff> reason in this specific case that some sanitisation is required? There was a memset() there from the start, which I converted to a OPENSSL_cleanse(), which was then correctly reported as a bug, so I changed it back. IIRC and without looking at the history... -- Richard Levitte \ Spannv�gen 38, II \ [EMAIL PROTECTED] Redakteur@Stacken \ S-168 35 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See <http://www.stacken.kth.se/~levitte/mail/> for more info. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
