On 02/06/07, Dr. Stephen Henson wrote:
> On Fri, Jun 01, 2007, Robin Bryce wrote:
> > Hi,
> >
> > In both openssl-0.9.8b and openssl trunk ssl3_send_server_key_exchange
> > passes the address of an uninitialised variable to RSA_sign as the
> > siglen parameter.

> The problem is that the RSA_sign() function has always worked like that since
> the SSLeay days and it is documented behaviour. The siglen parameter is
> effectively treated as an output parameter only and it cannot be assumed to be
> initialized.
> It is also a requirement that the buffer must contain RSA_size(key) bytes of
> memory.
> Even if we change the ssl library other applications following the docs are not
> guaranteed to initialize siglen.

Ok, understood. Thanks for the explanation. pkcs11 specs and libp11
are giving me a severe case of cognitive dissonance. I withdraw my
patch and assertions re bugs in openssl.

__________________________________________________ ____________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org