Hi, I found a bug in EVP_read_pw_string() in OpenSSL 0.9.7, perhaps.
line 91 in crypto/evp/evp_key.c

     91 int EVP_read_pw_string(char *buf, int len, const char *prompt, int verify)
     92         {
     93         int ret;
     94         char buff[BUFSIZ];
     95         UI *ui;
     96
     97         if ((prompt == NULL) && (prompt_string[0] != '\0'))
     98                 prompt=prompt_string;
     99         ui = UI_new();
    100         UI_add_input_string(ui,prompt,0,buf,0,(len>=BUFSIZ)?BUFSIZ-1:len);
    101         if (verify)
    102                 UI_add_verify_string(ui,prompt,0,
    103                         buff,0,(len>=BUFSIZ)?BUFSIZ-1:len,buf);
    104         ret = UI_process(ui);
    105         UI_free(ui);
    106         OPENSSL_cleanse(buff,BUFSIZ);
    107         return ret;
    108         }

Line 99: ui is initialized by UI_new(), but ui->flags is not initialized in UI_new().
Line 104: EVP_read_pw_string() passes ui to UI_process(), and ui->flags is used in UI_process().

I guess the behavior of EVP_read_pw_string() cannot be predicted.
Is this a bug?

Thanks.
Hiroyoshi Kageyama
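The pattern the post describes (a constructor that leaves a flags field unset, and a later call that branches on it) is illustrated below. This is an added example, not code from OpenSSL or from the post. DEMO_UI, its fields, the flag value and the 0xA5 fill that stands in for recycled heap memory are all assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a UI-like object; not OpenSSL's definitions. */
#define DEMO_FLAG_PRINT_ERRORS 0x0100

typedef struct demo_ui {
    void *strings;
    void *user_data;
    int flags;
} DEMO_UI;

/* Simulates recycled heap memory: every byte is stale (0xA5), not zero. */
static void *dirty_alloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, 0xA5, n);
    return p;
}

/* Constructor in the shape the post describes: flags is never assigned. */
DEMO_UI *demo_ui_new_partial(void)
{
    DEMO_UI *ui = dirty_alloc(sizeof(*ui));
    if (ui == NULL)
        return NULL;
    ui->strings = NULL;
    ui->user_data = NULL;
    return ui;
}

/* Hardened constructor: clear the whole object before setting any field. */
DEMO_UI *demo_ui_new_full(void)
{
    DEMO_UI *ui = dirty_alloc(sizeof(*ui));
    if (ui == NULL)
        return NULL;
    memset(ui, 0, sizeof(*ui));
    ui->strings = NULL;
    ui->user_data = NULL;
    return ui;
}

/* Consumer that branches on flags; returns 1 if the optional path is taken. */
int demo_ui_process(const DEMO_UI *ui)
{
    return (ui->flags & DEMO_FLAG_PRINT_ERRORS) ? 1 : 0;
}
```

With the partial constructor the optional path is taken because of whatever bytes the allocator returned; tools such as Valgrind or MemorySanitizer report this class of read on real uninitialized memory.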