X509_print fixes #19963
The X509_FLAG_COMPAT constant is defined as a value of the X509_print_ex() cflags argument, and so it should not be used to compare against values for use with X509_NAME_print flags. Use XN_FLAG_COMPAT, which has the same value, instead.
Similar to the bug fixed in 02db735 (Fix bug in X509_print_ex). The error return value from X509_NAME_print_ex() is different depending on whether the flags are XN_FLAG_COMPAT or not. Apply a similar fix to what was done for X509_print_ex here as well.
Calling X509_NAME_print_ex with XN_FLAG_COMPAT falls back to calling X509_NAME_print(). The obase parameter to X509_NAME_print() is not used, so setting it to a different value has no effect.
Would it be possible to add a testcase? Or is it too big an effort in comparison to the fix itself?
Might be a bit much, but I guess that a test for the second patch (Fix X509_REQ_print_ex bug) could be added to test that trying to print an X509_REQ with an invalid name doesn't silently discard the failure. The other two are basically no-ops post compilation.
@t8m So, after looking more closely at the implementation of
I took a quick look at the test framework, but I didn't notice any way to easily simulate malloc failures. Is there some standardized wrapper provided for doing this? If not, I don't think that there is an easy way to write a test that verifies the problem and shows that the 2nd commit in this series fixes it. I'm fine with dropping the "Fix X509_REQ_print_ex bug" commit from the series, if it's unfeasible without a testcase. The function has been in use as is for a long time without complaint, and only affects the operation when the unrecommended XN_FLAG_COMPAT flag is used.
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 61 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 30 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 61 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 92 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 123 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 154 days ago
This PR is in a state where it requires action by @openssl/committers but the last update was 185 days ago
This pull request is ready to merge
This may need a rebase.
The X509_FLAG_COMPAT constant is defined as a value of the X509_print_ex() cflags argument, and so it should not be used to compare against values for use with X509_NAME_print flags. Use XN_FLAG_COMPAT, which has the same value, instead. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #19963) (cherry picked from commit da2dd3b)
Similar to the bug fixed in 02db735 (Fix bug in X509_print_ex). The error return value from X509_NAME_print_ex() is different depending on whether the flags are XN_FLAG_COMPAT or not. Apply a similar fix to what was done for X509_print_ex here as well. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #19963) (cherry picked from commit 2b5e028)
Calling X509_NAME_print_ex with XN_FLAG_COMPAT falls back to calling X509_NAME_print(). The obase parameter to X509_NAME_print() is not used, so setting it to a different value has no effect. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #19963) (cherry picked from commit 2126ca3)
The X509_FLAG_COMPAT constant is defined as a value of the X509_print_ex() cflags argument, and so it should not be used to compare against values for use with X509_NAME_print flags. Use XN_FLAG_COMPAT, which has the same value, instead. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #19963)
Similar to the bug fixed in 02db735 (Fix bug in X509_print_ex). The error return value from X509_NAME_print_ex() is different depending on whether the flags are XN_FLAG_COMPAT or not. Apply a similar fix to what was done for X509_print_ex here as well. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #19963)
Calling X509_NAME_print_ex with XN_FLAG_COMPAT falls back to calling X509_NAME_print(). The obase parameter to X509_NAME_print() is not used, so setting it to a different value has no effect. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from #19963)
Pushed to master/3.2/3.1/3.0. Thanks.
The X509_FLAG_COMPAT constant is defined as a value of the X509_print_ex() cflags argument, and so it should not be used to compare against values for use with X509_NAME_print flags. Use XN_FLAG_COMPAT, which has the same value, instead. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#19963) Signed-off-by: fly2x <fly2x@hitls.org>
Similar to the bug fixed in 02db735 (Fix bug in X509_print_ex). The error return value from X509_NAME_print_ex() is different depending on whether the flags are XN_FLAG_COMPAT or not. Apply a similar fix to what was done for X509_print_ex here as well. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#19963) Signed-off-by: fly2x <fly2x@hitls.org>
Calling X509_NAME_print_ex with XN_FLAG_COMPAT falls back to calling X509_NAME_print(). The obase parameter to X509_NAME_print() is not used, so setting it to a different value has no effect. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#19963) Signed-off-by: fly2x <fly2x@hitls.org>
The X509_FLAG_COMPAT constant is defined as a value of the X509_print_ex() cflags argument, and so it should not be used to compare against values for use with X509_NAME_print flags. Use XN_FLAG_COMPAT, which has the same value, instead. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#19963) (cherry picked from commit da2dd3b51ddd69aae0fd840c0d23afa954c24ded) Signed-off-by: fly2x <fly2x@hitls.org>
Similar to the bug fixed in 02db735 (Fix bug in X509_print_ex). The error return value from X509_NAME_print_ex() is different depending on whether the flags are XN_FLAG_COMPAT or not. Apply a similar fix to what was done for X509_print_ex here as well. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#19963) (cherry picked from commit 2b5e028a2f70de216458a5140bcf4ec3d9236eeb) Signed-off-by: fly2x <fly2x@hitls.org>
Calling X509_NAME_print_ex with XN_FLAG_COMPAT falls back to calling X509_NAME_print(). The obase parameter to X509_NAME_print() is not used, so setting it to a different value has no effect. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> (Merged from openssl/openssl#19963) (cherry picked from commit 2126ca3dba3907f49b232442c06db1cae8bee0c3) Signed-off-by: fly2x <fly2x@hitls.org>
Some minor fixes to X509_print_ex() and X509_REQ_print_ex() around the handling of nmflags and use of X509_NAME_print_ex().
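The return-value pitfall described in the "Fix X509_REQ_print_ex bug" commit message, as an added example that is not code from this pull request or from OpenSSL. It is a self-contained C model: the `model_name_print_ex()` stand-in and the `MODEL_FLAG_*` constants are hypothetical and follow the documented `X509_NAME_print_ex()` convention (1 or 0 with `XN_FLAG_COMPAT`, character count or -1 otherwise).

```c
#include <stdio.h>

/* Assumption: mirrors OpenSSL, where XN_FLAG_COMPAT is defined as 0. */
#define MODEL_FLAG_COMPAT 0UL
#define MODEL_FLAG_OTHER  1UL   /* constructed: stands for any non-compat flags */

/* Hypothetical stand-in for the X509_NAME_print_ex() return convention:
 * compat flags: 1 on success, 0 on error;
 * other flags:  characters written (>= 0) on success, -1 on error. */
static int model_name_print_ex(unsigned long nmflags, int chars, int fail)
{
    if (nmflags == MODEL_FLAG_COMPAT)
        return fail ? 0 : 1;
    return fail ? -1 : chars;
}

/* Flag-aware check: compare against the lowest value that still means success. */
static int check_flag_aware(int ret, unsigned long nmflags)
{
    return ret >= (nmflags == MODEL_FLAG_COMPAT ? 1 : 0);
}
/* Flag-blind checks, each correct for only one of the two conventions. */
static int check_negative_only(int ret, unsigned long f) { (void)f; return ret >= 0; }
static int check_positive_only(int ret, unsigned long f) { (void)f; return ret > 0; }

typedef int (*check_fn)(int ret, unsigned long nmflags);

/* Constructed cases: flags, characters written, whether printing failed. */
static const struct { unsigned long flags; int chars; int fail; } cases[] = {
    { MODEL_FLAG_COMPAT, 20, 0 }, { MODEL_FLAG_COMPAT, 0, 1 },
    { MODEL_FLAG_OTHER, 20, 0 }, { MODEL_FLAG_OTHER, 0, 0 }, { MODEL_FLAG_OTHER, 0, 1 },
};

/* Number of cases where the check's verdict disagrees with the real outcome. */
static int misjudged(check_fn check)
{
    int wrong = 0;
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int ret = model_name_print_ex(cases[i].flags, cases[i].chars, cases[i].fail);
        if (check(ret, cases[i].flags) != !cases[i].fail)
            wrong++;
    }
    return wrong;
}

int main(void)
{
    printf("misjudged: aware=%d negative-only=%d positive-only=%d\n", misjudged(check_flag_aware),
           misjudged(check_negative_only), misjudged(check_positive_only));
    return 0;
}
```

The negative-only check accepts the compat-mode failure (return 0) as success, which is the silently discarded failure discussed in the thread; the positive-only check rejects a non-compat success that wrote zero characters.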