Hi,
I tried to comment on the ticket via rt, but apparently there's more
to it than just sending it to [email protected] using a magic subject line
(or maybe it doesn't like "subject:" being replaced by the localized
"Betreff:" as the webmail-frontend I'm using apparently does?
Anyway, let me retry via openssl-dev:
First some comments on the original patch:
> These strings undesirably reveal absolute paths to the source
> files of libcrypto.
1. AFAIR not all versions of libc are happy with NULL being passed
for a string in printf and related functions (IIRC, e.g. SUN libc crashes
in such situations), so those NULLs should be replaced by
something like "\0" or similar, shouldn't they?
2. Also, I wonder, if defining OPENSSL_assert(e) instead of calling
OpenSSLDie without a filename really was intended.
3. Lastly, completely turning off MemChecks at the same time as
removing these strings seems a bit dubious.
Then I previously commented
> Along the same line of reasoning, there are some strings that
> reveal paths to your local installation directory (see
> crypto/x509/x509_def.c). [...]
For completeness, her is a trivial patch for that suggestion (reusing the
same NDEBUG define).
Regards,
Stefan
--- openssl/crypto/x509/x509_def.c~ 2014-07-22 21:41:22.000000000 +0200
+++ openssl/crypto/x509/x509_def.c 2014-12-11 16:17:03.000000000 +0100
@@ -61,6 +61,12 @@
#include <openssl/crypto.h>
#include <openssl/x509.h>
+#ifdef NDEBUG
+#define return(a) return NULL;
+#else
+#define return(a) return a;
+#endif
+
const char *X509_get_default_private_dir(void)
{ return(X509_PRIVATE_DIR); }
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
