I believe that this is a bug. Please check.
~~
The call tree is:
./testsuite-0.3/tcg/nv/Tspi_NV_DefineSpace02.c
result = Tspi_Policy_SetSecret(hPolicy, TESTSUITE_OWNER_SECRET_MODE,
TESTSUITE_WRONG_OWNER_SECRET_LEN,
TESTSUITE_WRONG_OWNER_SECRET);
./trousers-0.3.13/src/tspi/tspi_policy.c
return obj_policy_set_secret(hPolicy, secretMode, ulSecretLength,
rgbSecret);
,/trousers-0.3.13/src/tspi/obj_policy.c:
if ((result = Trspi_Hash(TSS_HASH_SHA1, size, data,
(BYTE *)&digest.digest)))
/trousers-0.3.13/src/trspi/crypto/openssl/hash.c
rv = EVP_DigestUpdate(&md_ctx, Buf, BufSize);
~~
This all looks OK until one notices that TESTSUITE_WRONG_OWNER_SECRET
is not a constant string. It's a (IMHO far too clever) macro, hiding
an getenv call.
./testsuite-0.3/tcg/include/common.h:
#define TESTSUITE_WRONG_OWNER_SECRET
getenv("TESTSUITE_WRONG_OWNER_SECRET")
When the env variable isn't defined, the macro hides the fact that a
NULL pointer is passed into the code, which crashes deep within openssl.
~~
As a minimum, not checking for a NULL anywhere is a bug.
IMHO, the real bug is use of the clever macro to trick the user into
using what they think is a simple constant but is really code that can
fail with no error checking.
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
TrouSerS-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/trousers-users
