merge in changes in OpenSSL_0_9_6-stable (conflicts resolved)

ssl/s2_lib.c

@@ -415,7 +415,7 @@ int ssl2_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p)
 	return(3);
 	}
 
-void ssl2_generate_key_material(SSL *s)
+int ssl2_generate_key_material(SSL *s)
 	{
 	unsigned int i;
 	MD5_CTX ctx;
@@ -428,14 +428,24 @@ void ssl2_generate_key_material(SSL *s)
 #endif
 
 	km=s->s2->key_material;
- 	die(s->s2->key_material_length <= sizeof s->s2->key_material);
+
+	if (s->session->master_key_length < 0 || s->session->master_key_length > sizeof s->session->master_key)
+		{
+		SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
+		return 0;
+		}
+
 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 		{
+		if (((km - s->s2->key_material) + MD5_DIGEST_LENGTH) > sizeof s->s2->key_material)
+			{
+			/* MD5_Final() below would write beyond buffer */
+			SSLerr(SSL_F_SSL2_GENERATE_KEY_MATERIAL, SSL_R_INTERNAL_ERROR);
+			return 0;
+			}
+
 		MD5_Init(&ctx);
 
- 		die(s->session->master_key_length >= 0
- 		    && s->session->master_key_length
- 		    < sizeof s->session->master_key);
 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 		MD5_Update(&ctx,&c,1);
 		c++;
@@ -444,6 +454,8 @@ void ssl2_generate_key_material(SSL *s)
 		MD5_Final(km,&ctx);
 		km+=MD5_DIGEST_LENGTH;
 		}
+
+	return 1;
 	}
 
 void ssl2_return_error(SSL *s, int err)
@@ -468,18 +480,20 @@ void ssl2_write_error(SSL *s)
 	buf[2]=(s->error_code)&0xff;
 
 /*	state=s->rwstate;*/
-	error=s->error;
+
+	error=s->error; /* number of bytes left to write */
 	s->error=0;
-	die(error >= 0 && error <= 3);
+	if (error < 0 || error > sizeof buf) /* can't happen */
+		return;
+	
 	i=ssl2_write(s,&(buf[3-error]),error);
+
 /*	if (i == error) s->rwstate=state; */
 
 	if (i < 0)
 		s->error=error;
 	else if (i != s->error)
 		s->error=error-i;
-	/* else
-		s->error=0; */
 	}
 
 int ssl2_shutdown(SSL *s)