Hi, I tried to comment on the ticket via rt, but apparently there's more to it than just sending it to r...@openssl.org using a magic subject line (or maybe it doesn't like "subject:" being replaced by the localized "Betreff:" as the webmail-frontend I'm using apparently does?
Anyway, let me retry via openssl-dev: First some comments on the original patch: > These strings undesirably reveal absolute paths to the source > files of libcrypto. 1. AFAIR not all versions of libc are happy with NULL being passed for a string in printf and related functions (IIRC, e.g. SUN libc crashes in such situations), so those NULLs should be replaced by something like "\0" or similar, shouldn't they? 2. Also, I wonder, if defining OPENSSL_assert(e) instead of calling OpenSSLDie without a filename really was intended. 3. Lastly, completely turning off MemChecks at the same time as removing these strings seems a bit dubious. Then I previously commented > Along the same line of reasoning, there are some strings that > reveal paths to your local installation directory (see > crypto/x509/x509_def.c). [...] For completeness, her is a trivial patch for that suggestion (reusing the same NDEBUG define). Regards, Stefan
--- openssl/crypto/x509/x509_def.c~ 2014-07-22 21:41:22.000000000 +0200 +++ openssl/crypto/x509/x509_def.c 2014-12-11 16:17:03.000000000 +0100 @@ -61,6 +61,12 @@ #include <openssl/crypto.h> #include <openssl/x509.h> +#ifdef NDEBUG +#define return(a) return NULL; +#else +#define return(a) return a; +#endif + const char *X509_get_default_private_dir(void) { return(X509_PRIVATE_DIR); }
_______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev