CHANGES +5 −0 Original line number Diff line number Diff line Loading @@ -3,6 +3,11 @@ Changes between 0.9.6 and 0.9.7 [xx XXX 2000] *) Increase s2->wbuf allocation by one byte in ssl2_new (ssl/s2_lib.c). Otherwise do_ssl_write (ssl/s2_pkt.c) will write beyond buffer limits when writing a 32767 byte record. [Bodo Moeller; problem reported by Eric Day <eday@concentric.net>] *) In RSA_eay_public_{en,ed}crypt and RSA_eay_mod_exp (rsa_eay.c), obtain lock CRYPTO_LOCK_RSA before creating BN_MONT_CTX structures and setting rsa->_method_mod_{n,p,q}. Loading
ssl/s2_lib.c +7 −1 Original line number Diff line number Diff line Loading @@ -273,10 +273,16 @@ int ssl2_new(SSL *s) if ((s2=OPENSSL_malloc(sizeof *s2)) == NULL) goto err; memset(s2,0,sizeof *s2); #if SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER + 3 > SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2 # error "assertion failed" #endif if ((s2->rbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; /* wbuf needs one byte more because when using two-byte headers, * we leave the first byte unused in do_ssl_write (s2_pkt.c) */ if ((s2->wbuf=OPENSSL_malloc( SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+2)) == NULL) goto err; SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER+3)) == NULL) goto err; s->s2=s2; ssl2_clear(s); Loading
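Review bot: The `+2` (rbuf) and `+3` (wbuf) sizes in ssl2_new are tied to the write offset used in do_ssl_write (s2_pkt.c) only by a comment, and the new compile-time guard fails with the bare text `# error "assertion failed"`. Since the one-byte overrun fixed here came from exactly that coupling, the message should name the invariant, e.g. `# error "3-byte-header record plus header must fit in SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER + 2"`. A comment above the `#if` should also say that both buffers are sized for the 2-byte-header case and that the check proves the 3-byte case fits too. A single named macro for the wbuf size, shared by the allocation and the write site, would make a later change to the header offset fail at build time rather than at runtime. ssl2_new begins and ends outside the hunk.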
ssl/s2_pkt.c +21 −4 Original line number Diff line number Diff line Loading @@ -541,6 +541,9 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) { bs=EVP_CIPHER_CTX_block_size(s->enc_read_ctx); j=len+mac_size; /* Two-byte headers allow for a larger record length than * three-byte headers, but we can't use them if we need * padding or if we have to set the escape bit. */ if ((j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) && (!s->s2->escape)) { Loading @@ -556,25 +559,39 @@ static int do_ssl_write(SSL *s, const unsigned char *buf, unsigned int len) } else if ((bs <= 1) && (!s->s2->escape)) { /* len=len; */ /* j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, thus * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER */ s->s2->three_byte_header=0; p=0; } else /* 3 byte header */ else /* we may have to use a 3 byte header */ { /*len=len; */ /* If s->s2->escape is not set, then * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER, and thus * j < SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER. */ p=(j%bs); p=(p == 0)?0:(bs-p); if (s->s2->escape) { s->s2->three_byte_header=1; if (j > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER) j=SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER; } else s->s2->three_byte_header=(p == 0)?0:1; } } /* Now * j <= SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER * holds, and if s->s2->three_byte_header is set, then even * j <= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER. */ /* mac_size is the number of MAC bytes * len is the number of data bytes we are going to send * p is the number of padding bytes * if p == 0, it is a 2 byte header */ * (if it is a two-byte header, then p == 0) */ s->s2->wlength=len; s->s2->padding=p; Loading
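Review bot: In the new `if (s->s2->escape)` branch of the second hunk, `j` is clamped to SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER only after `p` has been computed from the unclamped value, and `len` is not reduced. The lines following the invariant comment nevertheless store `s->s2->wlength=len; s->s2->padding=p;`, so the documented bound on `j` does not by itself bound the data and padding placed in wbuf on that path. If an oversized `j` can reach this branch, the clamp should also bring `len` and `p` back in line, for example `j-=j%bs; len=j-mac_size; p=0;` inside the inner `if` after the assignment to `j`. If it cannot, a comment stating why would make the invariant block below verifiable. The rest of do_ssl_write, including how the first branch adjusts `len`, is outside the hunk, so this is based on the visible lines only.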
ssl/ssl2.h +3 −3 Original line number Diff line number Diff line Loading @@ -134,11 +134,11 @@ extern "C" { /* Upper/Lower Bounds */ #define SSL2_MAX_MASTER_KEY_LENGTH_IN_BITS 256 #ifdef MPE #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)29998 #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 29998u #else #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER (unsigned int)32767 #define SSL2_MAX_RECORD_LENGTH_2_BYTE_HEADER 32767u /* 2^15-1 */ #endif #define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /**/ #define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383 /* 2^14-1 */ #define SSL2_CHALLENGE_LENGTH 16 /*#define SSL2_CHALLENGE_LENGTH 32 */ Loading
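Review bot: SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER stays a plain signed `16383` while both 2-byte constants become unsigned (`29998u`, `32767u`), so comparisons and the `#if` in s2_lib.c now mix signedness. Writing `#define SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER 16383u /* 2^14-1 */` would keep every record-length bound in one type. The reason for dropping the `(unsigned int)` cast is also worth recording next to the defines, e.g. `/* no casts here: these values are used in #if expressions */`, presumably to support the new preprocessor check. Without that comment a later cleanup could reintroduce the cast and break the compile-time size check.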