Your message dated Mon, 12 Jan 2009 13:55:19 +0300
with message-id <f60b7eb60901120255r53a924fq428d277754e67...@mail.gmail.com>
and subject line Re: Bug#511520: erlang: openssl return values.
has caused the Debian Bug report #511520,
regarding erlang: openssl return values.
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
511520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511520
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: erlang
Severity: serious
Tags: security
Hi,
I've been checking packages to see if they properly check the return
value of some of the functions in openssl. In
lib/crypto/c_src/crypto_drv.c there is this code:
    i = DSA_do_verify(hmacbuf, SHA_DIGEST_LENGTH,
                      dsa_sig, dsa);
    *rbuf = (char *)(bin = driver_alloc_binary(1));
    (bin->orig_bytes)[0] = (char)(i & 0xff);
And I have no idea what happens with this afterwards. But
I currently assume that it's not properly checking the
return value.
Note that DSA_do_verify can return 0 and -1 on errors and
1 on success.
Kurt
--- End Message ---
--- Begin Message ---
On Sun, Jan 11, 2009 at 10:41 PM, Kurt Roeckx <k...@roeckx.be> wrote:
>
> I've been checking packages to see if they properly check the return
> value of some of the functions in openssl. In
> lib/crypto/c_src/crypto_drv.c there is this code:
>     i = DSA_do_verify(hmacbuf, SHA_DIGEST_LENGTH,
>                       dsa_sig, dsa);
>     *rbuf = (char *)(bin = driver_alloc_binary(1));
>     (bin->orig_bytes)[0] = (char)(i & 0xff);
This return value (i & 0xff) (which may be 1, 0 or 0xff) is sent back
to the caller where it is compared to 1.
The corresponding excerpt from lib/crypto/src/crypto.erl:
    dss_verify(Dgst,Signature,Key) ->
        control(?DSS_VERIFY, [Dgst,Signature,Key]) == <<1>>.
So, this report is invalid and I'm closing it.
Cheers!
--
Sergei Golovan
--- End Message ---
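The exchange above turns on the tri-state return value of DSA_do_verify (1 = signature valid, 0 = signature invalid, -1 = error) and on how the driver's byte encoding `(char)(i & 0xff)` interacts with the Erlang-side comparison `== <<1>>`. The following is an added example written for this page, not code from Erlang/OTP, Debian or the bug reporters. It does not link libcrypto; `fake_dsa_do_verify` is an assumed stand-in that reproduces only the documented return-value contract, and `driver_encode`, `erlang_dss_verify_accepts`, `naive_check_accepts` and `strict_check_accepts` are hypothetical helper names chosen here to model each stage of the chain discussed in the thread.

```c
#include <stdio.h>

/* Outcomes of the documented DSA_do_verify contract (assumption: this
 * stand-in mirrors the return values, not real DSA arithmetic). */
enum verify_outcome { VERIFY_ERROR = -1, VERIFY_BAD = 0, VERIFY_OK = 1 };

/* Hypothetical stand-in for OpenSSL's DSA_do_verify: returns the
 * caller-chosen outcome so each path can be exercised offline. */
static int fake_dsa_do_verify(enum verify_outcome outcome) {
    return (int)outcome;
}

/* Model of what crypto_drv.c does with the int: keep only the low byte
 * of the result and ship it to Erlang in a one-byte binary.
 * -1 becomes 0xff, 0 stays 0, 1 stays 1. */
static unsigned char driver_encode(int i) {
    return (unsigned char)(i & 0xff);
}

/* Model of crypto.erl's dss_verify/3: control(...) == <<1>>.
 * Only the exact byte 1 counts as "verified"; 0 and 0xff are both false. */
static int erlang_dss_verify_accepts(unsigned char reply_byte) {
    return reply_byte == 1;
}

/* The pattern the bug report was hunting for: treating any non-zero
 * return as success. On the -1 error path this accepts the signature. */
static int naive_check_accepts(int ret) {
    return ret != 0;
}

/* Correct C-side check: only 1 means "signature verified". */
static int strict_check_accepts(int ret) {
    return ret == 1;
}

/* Whole chain as Erlang sees it for a given DSA_do_verify outcome. */
static int erlang_result_for(enum verify_outcome outcome) {
    int ret = fake_dsa_do_verify(outcome);
    return erlang_dss_verify_accepts(driver_encode(ret));
}

int main(void) {
    const enum verify_outcome cases[] = { VERIFY_OK, VERIFY_BAD, VERIFY_ERROR };
    const char *names[] = { "1 (valid)", "0 (invalid)", "-1 (error)" };
    for (int k = 0; k < 3; k++) {
        int ret = fake_dsa_do_verify(cases[k]);
        printf("DSA_do_verify -> %-12s byte=0x%02x  naive=%d  strict=%d  erlang=%d\n",
               names[k], driver_encode(ret), naive_check_accepts(ret),
               strict_check_accepts(ret), erlang_result_for(cases[k]));
    }
    return 0;
}
```

The table the program prints shows why the report was closed: the error return survives as 0xff rather than collapsing to 0, but since the Erlang side compares against `<<1>>` and not against "non-zero", both 0 and 0xff are rejected. The same `naive_check_accepts` column shows what would have gone wrong in a C caller that wrote `if (DSA_do_verify(...))`.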