On 02/06/07, Dr. Stephen Henson <[EMAIL PROTECTED]> wrote:
> On Fri, Jun 01, 2007, Robin Bryce wrote:
>
> > Hi,
> >
> > In both openssl-0.9.8b and openssl trunk ssl3_send_server_key_exchange
> > passes the address of an uninitialised variable to RSA_sign as the
> > siglen parameter.
>
> The problem is that the RSA_sign() function has always worked like that since
> the SSLeay days and it is documented behaviour. The siglen parameter is
> effectively treated as an output parameter only and it cannot be assumed to be
> initialized.
>
> It is also a requirement that the buffer must contain RSA_size(key) bytes of
> memory.
>
> Even if we change the ssl library other applications following the docs are not
> guaranteed to initialize siglen.

Ok, understood. Thanks for the explanation. pkcs11 specs and libp11
are giving me a severe case of cognitive dissonance. I withdraw my
patch and assertions re bugs in openssl.

Cheers,
Robin
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
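
Added example (not part of the original thread, and not OpenSSL, PKCS#11 or libp11 code): a toy C model of the mismatch discussed above, where the caller follows the output-only siglen contract and an adapter sits on a backend whose length argument is in/out, as in PKCS#11's C_Sign. All function names, KEY_SIZE and the return codes are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>
typedef unsigned char u8;
#define KEY_SIZE 256u   /* stand-in for RSA_size(key) with a 2048-bit key */
enum { OK = 0, ERR_BUFFER_TOO_SMALL = 1 };   /* hypothetical return codes */
typedef int (*sign_fn)(const u8 *, size_t, u8 *, unsigned *);

/* Backend with an in/out length, as in PKCS#11 C_Sign: on entry *len is the
 * buffer capacity, on return it is the number of bytes produced or needed. */
static int inout_sign(const u8 *m, size_t m_len, u8 *sig, unsigned long *len) {
    unsigned long capacity = *len;
    (void)m; (void)m_len;
    *len = KEY_SIZE;
    if (capacity < KEY_SIZE)
        return ERR_BUFFER_TOO_SMALL;
    memset(sig, 0xA5, KEY_SIZE);   /* constructed placeholder signature */
    return OK;
}

/* Naive adapter: trusts the caller's *siglen as the buffer capacity. */
static int naive_sign(const u8 *m, size_t m_len, u8 *sig, unsigned *siglen) {
    unsigned long len = *siglen;
    int rc = inout_sign(m, m_len, sig, &len);
    *siglen = (unsigned)len;
    return rc;
}

/* Contract-respecting adapter: never reads *siglen; the caller guarantees
 * RSA_size(key) bytes, so that is the capacity handed to the backend. */
static int contract_sign(const u8 *m, size_t m_len, u8 *sig, unsigned *siglen) {
    unsigned long len = KEY_SIZE;
    int rc = inout_sign(m, m_len, sig, &len);
    *siglen = (unsigned)len;
    return rc;
}

/* Call an adapter as an output-only caller might: *siglen holds junk. */
static int call_with_junk(sign_fn fn, unsigned junk, unsigned *siglen) {
    u8 sig[KEY_SIZE], digest[20] = {0};
    *siglen = junk;
    return fn(digest, sizeof digest, sig, siglen);
}

int main(void) {
    unsigned n;
    int naive = call_with_junk(naive_sign, 0, &n);
    int fixed = call_with_junk(contract_sign, 0, &n);
    printf("naive rc=%d, contract rc=%d, siglen=%u\n", naive, fixed, n);
    return 0;
}
```

With junk smaller than the key size the naive adapter fails outright; with junk larger than the real buffer it would report more room to the backend than the caller actually provided, which is why the capacity has to come from the key size.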
