[openssl.org #1834] PKCS7_verify return value -1?
on 1.0.2: commit dd3c21b2d2a5183c5a2f212bdd8377faeab48f3f on head: commit 4f13dabe72a43234435b96c8cbdaf77337e3532d Author: Rich Salz rs...@openssl.org Date: Fri Sep 5 18:01:31 2014 -0400 RT1834: Fix PKCS7_verify return value The function returns 0 or 1, only. Reviewed-by: Dr. Stephen Henson st...@openssl.org -- Rich Salz, OpenSSL dev team; rs...@openssl.org __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1834] PKCS7_verify return value -1?
Kurt Roeckx wrote: On Sat, 31 Jan 2009 02:15:21 +0100, David Schwartz dav...@webmaster.com wrote: The documentation for PKCS7_verify says: PKCS7_verify() returns 1 for a successful verification and zero or a negative value if an error occurs. This is correct. And in apps/smime.c there is this code: if (PKCS7_verify(p7, other, store, indata, out, flags)) BIO_printf(bio_err, Verification successful\n); else { BIO_printf(bio_err, Verification failure\n); goto end; } This is correct. But looking at the code for PKCS7_verify I can't see a case where it returns something other than 0 or 1. This is correct. Could either the code or the documentation be fixed? Neither is broken. So it's ok to change PKCS7_verify() to return a negative value and not change apps/smime.c? Because both are correct? Either the doc is right in which case the usage should be changed to if (PKCS7_verify(p7, other, store, indata, out, flags) == 1). Or the usage is right, in which case the doc should be changed to PKCS7_verify() returns 1 for a successful verification and zero if an error occurs.. Yes, it doesnt cause any problems right now. But if the usage does not reflect the doc, one of them is wrong. If a future implementation wants to return ten different error codes to indicate different failure modes, it can currently do so without breaking any current code that follows the specification. Yes, but the if(PKCS7_verify(...)) does _NOT_ follow the specification. If PKCS7_verify() returns a negative value, the code is _broken_. Kosta __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [openssl.org #1834] PKCS7_verify return value -1?
On Fri, Jan 30, 2009 at 10:37 PM, Kurt Roeckx via RT r...@openssl.org wrote: The documentation for PKCS7_verify says: PKCS7_verify() returns 1 for a successful verification and zero or a negative value if an error occurs. And in apps/smime.c there is this code: if (PKCS7_verify(p7, other, store, indata, out, flags)) BIO_printf(bio_err, Verification successful\n); else { BIO_printf(bio_err, Verification failure\n); goto end; } But looking at the code for PKCS7_verify I can't see a case where it returns something other than 0 or 1. Could either the code or the documentation be fixed? Or both: apps/smime.c isn't changed with the patch from http://www.openssl.org/news/secadv_20090107.txt, and that's certainly because PKCS7_verify() doesn't actually ever return -1. Thanks for bringing up the inconsistency with the documentation. Using if (PKCS7_verify(...) 0) in smime.c can't hurt (that's the pattern that you have to follow with certain functions, after all), and updating the documentation to describe the actual PKCS7_verify() behavior that smime.c is currently relying on can't hurt either. Bodo __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
[openssl.org #1834] PKCS7_verify return value -1?
Hi, The documentation for PKCS7_verify says: PKCS7_verify() returns 1 for a successful verification and zero or a negative value if an error occurs. And in apps/smime.c there is this code: if (PKCS7_verify(p7, other, store, indata, out, flags)) BIO_printf(bio_err, Verification successful\n); else { BIO_printf(bio_err, Verification failure\n); goto end; } But looking at the code for PKCS7_verify I can't see a case where it returns something other than 0 or 1. Could either the code or the documentation be fixed? Kurt __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
RE: [openssl.org #1834] PKCS7_verify return value -1?
Hi, The documentation for PKCS7_verify says: PKCS7_verify() returns 1 for a successful verification and zero or a negative value if an error occurs. This is correct. And in apps/smime.c there is this code: if (PKCS7_verify(p7, other, store, indata, out, flags)) BIO_printf(bio_err, Verification successful\n); else { BIO_printf(bio_err, Verification failure\n); goto end; } This is correct. But looking at the code for PKCS7_verify I can't see a case where it returns something other than 0 or 1. This is correct. Could either the code or the documentation be fixed? Neither is broken. The documentation documents the *defined* interface, which can be a superset of the implemented interface. This permits the implementation to change without having to change the documentation. For example, a function that never allocates memory in any current implementation may still have a not enough memory to complete this operation return value defined. That way, if any future implementation does need to allocate memory and is unable to, it has something to return. Failure to allow for such things, even if they are not needed now, constrains future development. If a future implementation wants to return ten different error codes to indicate different failure modes, it can currently do so without breaking any current code that follows the specification. DS __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org