From 5a9bc8545f771742e48d31e1635e15f156cc9c17 Mon Sep 17 00:00:00 2001 From: "Justin R. Wilson" Date: Wed, 17 Apr 2024 12:59:03 -0500 Subject: [PATCH] `gov_gen` uses openssl API incorrectly Problem ------- The `gov_gen` application generates governance files for testing and signs them with openssl. `gov_gen` has a bug on Debian 12.5 (openssl 3.0.11) where a null argument is passed. Solution -------- Pass `mem` as the "in"" parameter and use `PKCS7_STREAM`. --- docs/news.d/gov-gen.rst | 5 +++++ tests/security/attributes/gov_gen.cpp | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 docs/news.d/gov-gen.rst diff --git a/docs/news.d/gov-gen.rst b/docs/news.d/gov-gen.rst new file mode 100644 index 00000000000..4a628c16593 --- /dev/null +++ b/docs/news.d/gov-gen.rst @@ -0,0 +1,5 @@ +.. news-prs: 4591 + +.. news-start-section: Fixes +- Fixed incorrect usage of OpenSSL in ``gov_gen`` application. +.. news-end-section diff --git a/tests/security/attributes/gov_gen.cpp b/tests/security/attributes/gov_gen.cpp index ee1adbdf446..b35dd89ed49 100644 --- a/tests/security/attributes/gov_gen.cpp +++ b/tests/security/attributes/gov_gen.cpp @@ -403,7 +403,7 @@ int ACE_TMAIN(int argc, ACE_TCHAR* argv[]) return EXIT_FAILURE; } - PKCS7* p7 = PKCS7_sign(cert, key, NULL, NULL, PKCS7_TEXT | PKCS7_DETACHED); + PKCS7* p7 = PKCS7_sign(cert, key, NULL, mem, PKCS7_TEXT | PKCS7_DETACHED | PKCS7_STREAM); if (!p7) { std::cerr << "ERROR: could not sign" << std::endl; print_ssl_error(); @@ -418,7 +418,7 @@ int ACE_TMAIN(int argc, ACE_TCHAR* argv[]) } - if (!SMIME_write_PKCS7(out, p7, mem, PKCS7_TEXT | PKCS7_DETACHED)) { + if (!SMIME_write_PKCS7(out, p7, mem, PKCS7_TEXT | PKCS7_DETACHED | PKCS7_STREAM)) { std::cerr << "ERROR: could not write " << outpath << std::endl; print_ssl_error(); return EXIT_FAILURE;