[openssl-dev] [openssl.org #4518] OpenSSL-1.1.0-pre5 RSA_set0_key and related RSA_get0_*, RSA_set0_*, DSA_set0_* and DSA_get0_* problems

Richard Levitte levitte at openssl.org
Tue Apr 26 07:26:13 UTC 2016 

[temporarly taking this thread away from RT]

Basically, I can see two solutions:

- Allow calls like RSA_set0_key(rsa, NULL, NULL, d);

  That's what's implemented in GH#995, except it doesn't check if the
  input parameters are NULL before setting the corresponding fields,
  so that call ends up clearing n and e.

  GH#995 could be changed so that any input parameter can be NULL, and
  that the corresponding RSA structure fields are left untouched.  The
  consequence is that can never be made NULL.  I can live with that,
  as I can't imagine a reason to reset the fields to NULL.

- Add a function RSA_set0_d(RSA *rsa, BIGNUM *d)

I personally prefer the first variant, but would like to have some
input and thoughts (or just a "go ahead").

Cheers,
Richard

In message <rt-4.0.19-29511-1461650518-591.4518-6-0 at openssl.org> on Tue, 26 Apr 2016 06:01:59 +0000, Richard Levitte via RT <rt at openssl.org> said:

rt> Unfortunately, the solution in that PR is flawed. Back to the drawing board.
rt> 
rt> Vid Mon, 25 apr 2016 kl. 18.39.24, skrev levitte:
rt> > So, listening to what everyone had to say, perhaps this PR is better
rt> > then:
rt> >
rt> > https://github.com/openssl/openssl/pull/995
rt> >
rt> > In message <a35573177bdb41388fb1d6c2670fefd6 at usma1ex-
rt> > dag1mb1.msg.corp.akamai.com> on Mon, 25 Apr 2016 17:45:05 +0000,
rt> > "Salz, Rich" <rsalz at akamai.com> said:
rt> >
rt> > rsalz>
rt> > rsalz> > The 3-slot function is I think cleaner.
rt> > rsalz> >
rt> > rsalz> > I'll leave the decision of whether and when to support NULL
rt> > rsalz> > parameters to
rt> > rsalz> > the folks working on that code, but it is pretty clear that
rt> > rsalz> > one must not pass an
rt> > rsalz> > object one does not "own", such as one returned from a "get0"
rt> > rsalz> > function, to a
rt> > rsalz> > function that expects to take ownership of the indicated
rt> > rsalz> > object.
rt> > rsalz>
rt> > rsalz> Agree with both of those.
rt> > rsalz>
rt> > rsalz> After a "set0" call, set your pointer to NULL, it's no longer
rt> > rsalz> yours :)
rt> > rsalz> --
rt> > rsalz> openssl-dev mailing list
rt> > rsalz> To unsubscribe:
rt> > rsalz> https://mta.openssl.org/mailman/listinfo/openssl-dev
rt> > rsalz>
rt> 
rt> 
rt> --
rt> Richard Levitte
rt> levitte at openssl.org
rt> 
rt> -- 
rt> Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4518
rt> Please log in as guest with password guest if prompted
rt> 
rt> -- 
rt> openssl-dev mailing list
rt> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
rt>

More information about the openssl-dev mailing list