While developing some chain verify code (yes it'll get there
eventually!) and always on the lookout for problems with shared
libraries, something nasty has become apparent.

It's been decided that OpenSSL should be made more "shared library
friendly" so that software designed to work with older versions of
OpenSSL can still work with newer versions by just upgrading OpenSSL
shared libs and not recompiling the software.

OpenSSL currently does several "naughty" things that cause problems. One
is the use of macros to access structures directly. These will be
ultimately translated into functions... however there are *lots* of
them.

Anyway, enough background... here's the problem. The verify code does
something like this:

    X509_STORE_CTX ctx;
    X509_STORE_CTX_init(&ctx,...);

This isn't the only place where this construction occurs: digest and
cipher code and several other areas have this general construction:

    SOME_STRUCTURE x;
    SOME_STRUCTURE_init(&x,...);

This is a problem because the size of 'x' is determined at compile time.
If a new version of the library increases the size of the structure the
functions could end up walking over memory they shouldn't.

The chain verify code for example will considerably expand the
X509_STORE_CTX structure (well actually X509_STORE_CTX will be a bad
name: maybe X509_VERIFY_CTX would be better).

That's the problem. I've got various possible solutions but all involve
some disruption and breaking of existing code :-(

So suggestions, comments anyone?

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
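
Added example (not part of the original message and not OpenSSL code): a C sketch of the size mismatch described above, next to one common way of avoiding it, where the library allocates the structure itself. The names ctx_v1, ctx_v2, CTX_new and the other CTX_* functions are hypothetical stand-ins, not OpenSSL's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Layout the application was compiled against (hypothetical old header). */
struct ctx_v1 { void *store; void *cert; int error; };

/* Layout inside the upgraded shared library: new fields were appended. */
struct ctx_v2 {
    void *store; void *cert; int error;
    void *chain; int depth; unsigned long flags;
};

/* Bytes a v2 init routine would write past a caller's v1-sized stack object. */
size_t overrun_bytes(void)
{
    return sizeof(struct ctx_v2) > sizeof(struct ctx_v1)
         ? sizeof(struct ctx_v2) - sizeof(struct ctx_v1) : 0;
}

/* Opaque alternative: a public header would expose only the incomplete
 * type, so callers cannot declare one and never compile in its size. */
typedef struct ctx_v2 CTX;

CTX *CTX_new(void)        { return calloc(1, sizeof(CTX)); } /* library's size */
void CTX_free(CTX *c)     { free(c); }
int  CTX_set_depth(CTX *c, int depth)
{
    if (c == NULL || depth < 0) return 0;
    c->depth = depth;
    return 1;
}
int  CTX_get_depth(const CTX *c) { return c != NULL ? c->depth : -1; }

/* Caller-side use of the opaque form: returns the depth read back, -1 on error. */
int opaque_roundtrip(int depth)
{
    CTX *c = CTX_new();
    int got = -1;
    if (c != NULL && CTX_set_depth(c, depth)) got = CTX_get_depth(c);
    CTX_free(c);
    return got;
}

int main(void)
{
    printf("caller reserved %zu bytes, library initialises %zu (overrun %zu)\n",
           sizeof(struct ctx_v1), sizeof(struct ctx_v2), overrun_bytes());
    printf("opaque round trip: depth=%d\n", opaque_roundtrip(9));
    return 0;
}
```

With the opaque form, growing the structure in a later library release changes only what CTX_new allocates, at the cost of existing callers having to switch from stack declarations to new/free calls.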