If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.
This is probably made redundant by the previous commit - but you can never be
too careful.
With thanks to Qinghao Tang for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.
With thanks to Qinghao Tang for reporting this issue.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Fix a "&" that should have been "!" when processing read_ahead.
RT#3793
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Complete reimplementation of d2i_SSL_SESSION and i2d_SSL_SESSION using
new ASN.1 code and eliminating use of old ASN.1 macros.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This engine is for VMS only, and isn't really part of the core OpenSSL
but rather a side project of its own that just happens to have tagged
along for a long time. The reasons why it has remained within the
OpenSSL source are long lost in history, and there not being any real
reason for it to remain here, it's time for it to move out.
This side project will appear as a project in its own right, the
location of which will be announced later on.
Reviewed-by: Tim Hudson <tjh@openssl.org>
With no more symlinks, there's no need for those variables, or the links
target. This also goes for all install: and uninstall: targets that do
nothing but copy $(EXHEADER) files, since that's now taken care of by the
top Makefile.
Also, removed METHTEST from test/Makefile. It looks like an old test that's
forgotten...
Reviewed-by: Rich Salz <rsalz@openssl.org>
Rather than making include/openssl/foo.h a symlink to
crypto/foo/foo.h, this change moves the file to include/openssl/foo.h
once and for all.
Likewise, move crypto/foo/footest.c to test/footest.c, instead of
symlinking it there.
Originally-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Fix up various things that were missed during the record layer work. All
instances where we are breaking the encapsulation rules.
Reviewed-by: Richard Levitte <levitte@openssl.org>
EVP_.*free; this gets:
EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Fix some strange formatting in record.h. This was probably originally
introduced as part of the reformat work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Replace the hard coded value 8 (the size of the sequence number) with a
constant defined in a macro.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Also push some usage of last_write_sequence out of dtls1_retransmit_message
and into the record layer.
Reviewed-by: Richard Levitte <levitte@openssl.org>
up some access to them. Now that various functions have been moved into the
record layer they no longer need to use the accessor macros.
Reviewed-by: Richard Levitte <levitte@openssl.org>
