[openssl.org #1834] PKCS7_verify return value -1?
on 1.0.2: commit dd3c21b2d2a5183c5a2f212bdd8377faeab48f3f on head: commit 4f13dabe72a43234435b96c8cbdaf77337e3532d Author: Rich Salz rs...@openssl.org Date: Fri Sep 5 18:01:31 2014 -0400 RT1834: Fix PKCS7_verify return value The function returns 0 or 1, only. Reviewed-by: Dr. Stephen Henson st...@openssl.org -- Rich Salz, OpenSSL dev team; rs...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1834] PKCS7_verify return value -1?
Kurt Roeckx wrote:
On Sat, 31 Jan 2009 02:15:21 +0100, David Schwartz dav...@webmaster.com
wrote:
The documentation for PKCS7_verify says:
PKCS7_verify() returns 1 for a successful verification and zero
or a
negative value if an error occurs.
This is correct.
And in apps/smime.c there is this code:
if (PKCS7_verify(p7, other, store, indata, out, flags))
BIO_printf(bio_err, Verification
successful\n);
else
{
BIO_printf(bio_err, Verification failure\n);
goto end;
}
This is correct.
But looking at the code for PKCS7_verify I can't see a case where
it returns something other than 0 or 1.
This is correct.
Could either the code or the documentation be fixed?
Neither is broken.
So it's ok to change PKCS7_verify() to return a negative value and not
change apps/smime.c? Because both are correct?
Either the doc is right in which case the usage should be changed to if
(PKCS7_verify(p7, other, store, indata, out, flags) == 1).
Or the usage is right, in which case the doc should be changed to
PKCS7_verify() returns 1 for a successful verification and zero if an
error occurs..
Yes, it doesnt cause any problems right now. But if the usage does not
reflect the doc, one of them is wrong.
If a future implementation wants to return ten different error codes to
indicate different failure modes, it can currently do so without
breaking any current code that follows the specification.
Yes, but the if(PKCS7_verify(...)) does _NOT_ follow the specification. If
PKCS7_verify() returns a negative value, the code is _broken_.
Kosta
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
Re: [openssl.org #1834] PKCS7_verify return value -1?
On Fri, Jan 30, 2009 at 10:37 PM, Kurt Roeckx via RT r...@openssl.org wrote:
The documentation for PKCS7_verify says:
PKCS7_verify() returns 1 for a successful verification and zero or a
negative value if an error occurs.
And in apps/smime.c there is this code:
if (PKCS7_verify(p7, other, store, indata, out, flags))
BIO_printf(bio_err, Verification successful\n);
else
{
BIO_printf(bio_err, Verification failure\n);
goto end;
}
But looking at the code for PKCS7_verify I can't see a case where
it returns something other than 0 or 1.
Could either the code or the documentation be fixed?
Or both:
apps/smime.c isn't changed with the patch from
http://www.openssl.org/news/secadv_20090107.txt, and that's certainly
because PKCS7_verify() doesn't actually ever return -1. Thanks for
bringing up the inconsistency with the documentation. Using if
(PKCS7_verify(...) 0) in smime.c can't hurt (that's the pattern
that you have to follow with certain functions, after all), and
updating the documentation to describe the actual PKCS7_verify()
behavior that smime.c is currently relying on can't hurt either.
Bodo
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
[openssl.org #1834] PKCS7_verify return value -1?
Hi,
The documentation for PKCS7_verify says:
PKCS7_verify() returns 1 for a successful verification and zero or a
negative value if an error occurs.
And in apps/smime.c there is this code:
if (PKCS7_verify(p7, other, store, indata, out, flags))
BIO_printf(bio_err, Verification successful\n);
else
{
BIO_printf(bio_err, Verification failure\n);
goto end;
}
But looking at the code for PKCS7_verify I can't see a case where
it returns something other than 0 or 1.
Could either the code or the documentation be fixed?
Kurt
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
RE: [openssl.org #1834] PKCS7_verify return value -1?
Hi,
The documentation for PKCS7_verify says:
PKCS7_verify() returns 1 for a successful verification and
zero or a
negative value if an error occurs.
This is correct.
And in apps/smime.c there is this code:
if (PKCS7_verify(p7, other, store, indata, out, flags))
BIO_printf(bio_err, Verification successful\n);
else
{
BIO_printf(bio_err, Verification failure\n);
goto end;
}
This is correct.
But looking at the code for PKCS7_verify I can't see a case where
it returns something other than 0 or 1.
This is correct.
Could either the code or the documentation be fixed?
Neither is broken. The documentation documents the *defined* interface, which
can be a superset of the implemented interface. This permits the implementation
to change without having to change the documentation.
For example, a function that never allocates memory in any current
implementation may still have a not enough memory to complete this operation
return value defined. That way, if any future implementation does need to
allocate memory and is unable to, it has something to return.
Failure to allow for such things, even if they are not needed now, constrains
future development. If a future implementation wants to return ten different
error codes to indicate different failure modes, it can currently do so without
breaking any current code that follows the specification.
DS
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
