OpenSSL Security Advisory [30 July 2002]

     applications.

     [Bodo Moeller]

  *) Changes in security patch:

     Changes marked "(CHATS)" were sponsored by the Defense Advanced

     Research Projects Agency (DARPA) and Air Force Research Laboratory,

     Air Force Materiel Command, USAF, under agreement number

     F30602-01-2-0537.

  *) Add various sanity checks to asn1_get_length() to reject

     the ASN1 length bytes if they exceed sizeof(long), will appear

     negative or the content length exceeds the length of the

     supplied buffer.

     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

  *) Assertions for various potential buffer overflows, not known to

     happen in practice.

     [Ben Laurie (CHATS)]

  *) Various temporary buffers to hold ASCII versions of integers were

     too small for 64 bit platforms. (CAN-2002-0655)

     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>

  *) Remote buffer overflow in SSL3 protocol - an attacker could

     supply an oversized session ID to a client. (CAN-2002-0656)

     [Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL2 protocol - an attacker could

     supply an oversized client master key. (CAN-2002-0656)

     [Ben Laurie (CHATS)]

 Changes between 0.9.6c and 0.9.6d  [9 May 2002]

  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not

		(int)(omax+ *pp));

#endif

#if 0

	if ((p+ *plength) > (omax+ *pp))

	if (*plength > (omax - (*pp - p)))

		{

		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);

		/* Set this so that even if things are not long enough

		 * the values are set correctly */

		ret|=0x80;

		}

#endif

	*pp=p;

	return(ret|inf);

err:

		i= *p&0x7f;

		if (*(p++) & 0x80)

			{

			if (i > sizeof(long))

				return 0;

			if (max-- == 0) return(0);

			while (i-- > 0)

				{

		else

			ret=i;

		}

	if (ret < 0)

		return 0;

	*pp=p;

	*rl=ret;

	return(1);

void asn1_add_error(unsigned char *address, int offset)

	{

	char buf1[16],buf2[16];

	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];

	sprintf(buf1,"%lu",(unsigned long)address);

	sprintf(buf2,"%d",offset);

conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h

conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h

conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h

conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/err.h

conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h

conf_def.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h

conf_def.o: ../../include/openssl/symhacks.h conf_def.h

conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h

conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h

conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h

conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h

conf_def.o: ../cryptlib.h conf_def.h

conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h

conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h

conf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h

#include "conf_def.h"

#include <openssl/buffer.h>

#include <openssl/err.h>

#include "cryptlib.h"

static char *eat_ws(CONF *conf, char *p);

static char *eat_alpha_numeric(CONF *conf, char *p);

static int def_load(CONF *conf, BIO *in, long *line)

	{

#define BUFSIZE	512

	char btmp[16];

	int bufnum=0,i,ii;

	BUF_MEM *buff=NULL;

	char *s,*p,*end;

	int again,n;

	long eline=0;

	char btmp[DECIMAL_SIZE(eline)+1];

	CONF_VALUE *v=NULL,*tv;

	CONF_VALUE *sv=NULL;

	char *section=NULL,*buf;

#endif

#endif

void OpenSSLDie(const char *file,int line,const char *assertion)

    {

    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",

	    file,line,assertion);

    abort();

    }