Hi,

I tried to comment on the ticket via rt, but apparently there's more
to it than just sending it to r...@openssl.org using a magic subject line
(or maybe it doesn't like "subject:" being replaced by the localized
"Betreff:" as the webmail-frontend I'm using apparently does?).

Anyway, let me retry via openssl-dev:

First some comments on the original patch:
> These strings undesirably reveal absolute paths to the source
> files of libcrypto.

1. AFAIR not all versions of libc are happy with NULL being passed
   for a string in printf and related functions (IIRC, e.g. SUN libc crashes
   in such situations), so those NULLs should be replaced by
   something like "\0" or similar, shouldn't they?
2. Also, I wonder if defining OPENSSL_assert(e) instead of calling
   OpenSSLDie without a filename really was intended.
3. Lastly, completely turning off MemChecks at the same time as
   removing these strings seems a bit dubious.

Then I previously commented
> Along the same line of reasoning, there are some strings  that
> reveal paths to your local installation directory (see
>  crypto/x509/x509_def.c). [...]

For completeness, here is a trivial patch for that suggestion (reusing the
same NDEBUG define).

        Regards,
               Stefan


--- openssl/crypto/x509/x509_def.c~	2014-07-22 21:41:22.000000000 +0200
+++ openssl/crypto/x509/x509_def.c	2014-12-11 16:17:03.000000000 +0100
@@ -61,6 +61,12 @@
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 
+#ifdef NDEBUG
+#define return(a) return NULL;
+#else
+#define return(a) return a;
+#endif
+
 const char *X509_get_default_private_dir(void)
 	{ return(X509_PRIVATE_DIR); }
 	
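Review bot: the added `#define return(a) return NULL;` redefines the `return` keyword itself for everything below it in x509_def.c, so under NDEBUG any statement written as `return(x)` in this file yields NULL, and nothing at the call site `{ return(X509_PRIVATE_DIR); }` shows that the value is being discarded. A macro with its own name (hypothetically something like `X509_PATH(a)`) applied only to the path constants would keep the effect local and readable. Both macro bodies also end in a semicolon, so the existing `return(...);` expands to `return NULL;;`; drop the semicolon from the definitions. Finally, under NDEBUG `X509_get_default_private_dir()` now hands callers a NULL `const char *`, which is the same hazard raised in point 1 above for printf-style functions; returning an empty string instead would hide the path without changing what callers can safely do with the result.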
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev