On Thu, Jan 16, 2003, Larry West wrote:

> I've searched the archives, don't find a mention of this, and the Jan 15 snapshot
> has the same apparent bug. I'm not absolutely sure, and even if I'm right it's a
> one-line fix so I'm hoping one of the active members would be willing to patch it.
>
> [[By the way, the webpage form to submit to MajorDomo seems broken: though it
> reports success, no email ever arrives; when I sent the subscription request manually
> it worked immediately.]]
>
> The problem is that EVP_DecryptInit() calls EVP_CipherInit_ex() rather than
> EVP_CipherInit().
>
> The reasons I believe this is a problem:
>
> (1) Parallelism: EVP_EncryptInit() calls EVP_CipherInit(), not the _ex() form.
>
> (2) In v0.9.6, both EVP_DecryptInit() and EVP_EncryptInit() called EVP_CipherInit()
> [there was no _ex()]. In v0.9.7, there is no comment to indicate why these two now
> differ, so it may be a typo.
>
> (3) The PTPTL v0.2 code I'm building (Peer-to-peer Trusted Library from Intel, don't
> ask me why) was built to SSL v0.9.6, and it calls EVP_DecryptInit() immediately after
> declaring the EVP_CIPHER_CTX variable -- this worked fine with v0.9.6, because in
> that version, EVP_DecryptInit() calls EVP_CipherInit() which, in both 0.9.6 and
> 0.9.7, initializes the ctx (given that the cipher param is non-null).
>
> [This code crashes because of the lack of initialization of the ctx: at the testing
> of ctx->cipher->nid on line 99 of evp_enc.c -- ctx->cipher being initialized to
> 0xcccccccc in the debugging version.]
>
> (4) It could be the case that users are now required to call EVP_CIPHER_CTX_init()
> manually for the decryption phase (only), but the lack of symmetry here strikes me as
> very unlikely.
>
> So, assuming I've got this right, my one line fix would be to change line 239 of
> crypto\evp\evp_enc.c (in EVP_DecryptInit())
>
> from:
>
>     return EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0);
>
> to:
>
>     return EVP_CipherInit(ctx, cipher, key, iv, 0);
>
> Needless to say, if I've misunderstood anything here, I'd appreciate a brief note to
> that effect.
>
> Thanks very much!
>
> Oh, not that it matters but: MSVC6 on Windows 2000. Also using on RedHat Linux, but
> not this function.
>

Agreed, fix being checked in. Thanks for the report.

Steve.
--
Dr. Stephen Henson [EMAIL PROTECTED]
OpenSSL Project http://www.openssl.org/~steve/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
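
The initialization contract discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL source: a simplified C model in which every `model_*` name, `is_poison` and `decrypt_init_on_fresh_ctx` are hypothetical. It fills a stack context with the 0xcc debug pattern from the report and compares forwarding to an `_ex()`-style function, which trusts the caller to have initialized the context, with forwarding to a non-`_ex()` function that initializes it first.

```c
#include <string.h>
/* Simplified model of the thread's bug; NOT OpenSSL source, names hypothetical. */
typedef struct { int nid; } model_cipher;
typedef struct { const model_cipher *cipher; int encrypt; } model_ctx;

/* True if the pointer's bytes are all 0xcc, the debug-build fill in the report. */
static int is_poison(const model_cipher *p)
{
    unsigned char fill[sizeof p];
    memset(fill, 0xcc, sizeof fill);
    return memcmp(&p, fill, sizeof p) == 0;
}

/* Stands in for EVP_CIPHER_CTX_init(): put the context in a known state. */
void model_ctx_init(model_ctx *ctx) { memset(ctx, 0, sizeof *ctx); }

/* Stands in for the _ex() form: trusts the caller to have initialized ctx. */
int model_cipher_init_ex(model_ctx *ctx, const model_cipher *c, int enc)
{
    if (ctx->cipher != NULL) {
        if (is_poison(ctx->cipher))
            return -1;  /* real code would fault here reading ctx->cipher->nid */
        if (c != NULL && ctx->cipher->nid == c->nid) {
            ctx->encrypt = enc;  /* same cipher: keep it, update direction */
            return 1;
        }
    }
    if (c == NULL) return 0;     /* nothing to set up */
    ctx->cipher = c;
    ctx->encrypt = enc;
    return 1;
}

/* Stands in for the non-_ex() form: initializes ctx itself when given a cipher. */
int model_cipher_init(model_ctx *ctx, const model_cipher *c, int enc)
{
    if (c != NULL) model_ctx_init(ctx);
    return model_cipher_init_ex(ctx, c, enc);
}

/* Caller pattern from the report: declare ctx on the stack, then init decrypt. */
int decrypt_init_on_fresh_ctx(int use_ex)
{
    static const model_cipher c = { 1 };  /* constructed sample cipher */
    model_ctx ctx;
    memset(&ctx, 0xcc, sizeof ctx);        /* simulate debug-build stack fill */
    return use_ex ? model_cipher_init_ex(&ctx, &c, 0)
                  : model_cipher_init(&ctx, &c, 0);
}
```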