OpenSSL Security Advisory [30 July 2002]

  *) Clean old EAY MD5 hack from e_os.h.

     [Richard Levitte]

 Changes between 0.9.6d and 0.9.6e  [XX xxx XXXX]

 Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]

  *) Add various sanity checks to asn1_get_length() to reject

     the ASN1 length bytes if they exceed sizeof(long), will appear

     negative or the content length exceeds the length of the

     supplied buffer.

     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

  *) Fix cipher selection routines: ciphers without encryption had no flags

     for the cipher strength set and where therefore not handled correctly

     applications.

     [Bodo Moeller]

  *) Changes in security patch:

     Changes marked "(CHATS)" were sponsored by the Defense Advanced

     Research Projects Agency (DARPA) and Air Force Research Laboratory,

     Air Force Materiel Command, USAF, under agreement number

     F30602-01-2-0537.

  *) Add various sanity checks to asn1_get_length() to reject

     the ASN1 length bytes if they exceed sizeof(long), will appear

     negative or the content length exceeds the length of the

     supplied buffer. (CAN-2002-0659)

     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]

  *) Assertions for various potential buffer overflows, not known to

     happen in practice.

     [Ben Laurie (CHATS)]

  *) Various temporary buffers to hold ASCII versions of integers were

     too small for 64 bit platforms. (CAN-2002-0655)

     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>

  *) Remote buffer overflow in SSL3 protocol - an attacker could

     supply an oversized master key in Kerberos-enabled versions.

     (CAN-2002-0657)

     [Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL3 protocol - an attacker could

     supply an oversized session ID to a client. (CAN-2002-0656)

     [Ben Laurie (CHATS)]

  *) Remote buffer overflow in SSL2 protocol - an attacker could

     supply an oversized client master key. (CAN-2002-0656)

     [Ben Laurie (CHATS)]

 Changes between 0.9.6c and 0.9.6d  [9 May 2002]

  *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not

		(int)(omax+ *pp));

#endif

#if 0

	if ((p+ *plength) > (omax+ *pp))

	if (*plength > (omax - (*pp - p)))

		{

		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);

		/* Set this so that even if things are not long enough

		 * the values are set correctly */

		ret|=0x80;

		}

#endif

	*pp=p;

	return(ret|inf);

err:

		i= *p&0x7f;

		if (*(p++) & 0x80)

			{

			if (i > sizeof(long))

				return 0;

			if (max-- == 0) return(0);

			while (i-- > 0)

				{

		else

			ret=i;

		}

	if (ret < 0)

		return 0;

	*pp=p;

	*rl=ret;

	return(1);

void asn1_add_error(unsigned char *address, int offset)

	{

	char buf1[16],buf2[16];

	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];

	sprintf(buf1,"%lu",(unsigned long)address);

	sprintf(buf2,"%d",offset);

conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h

conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h

conf_api.o: conf_api.c

conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h

conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h

conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h

conf_def.o: ../../include/openssl/err.h ../../include/openssl/lhash.h

conf_def.o: ../../include/openssl/opensslconf.h

conf_def.o: ../../e_os.h ../../include/openssl/bio.h

conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h

conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h

conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h

conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h

conf_def.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h

conf_def.o: conf_def.c conf_def.h

conf_def.o: ../cryptlib.h conf_def.c conf_def.h

conf_err.o: ../../include/openssl/bio.h ../../include/openssl/conf.h

conf_err.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h

conf_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h

#include "conf_def.h"

#include <openssl/buffer.h>

#include <openssl/err.h>

#include "cryptlib.h"

static char *eat_ws(CONF *conf, char *p);

static char *eat_alpha_numeric(CONF *conf, char *p);

static int def_load_bio(CONF *conf, BIO *in, long *line)

	{

#define BUFSIZE	512

	char btmp[16];

	int bufnum=0,i,ii;

	BUF_MEM *buff=NULL;

	char *s,*p,*end;

	int again,n;

	long eline=0;

	char btmp[DECIMAL_SIZE(eline)+1];

	CONF_VALUE *v=NULL,*tv;

	CONF_VALUE *sv=NULL;

	char *section=NULL,*buf;

		{

		if (!(flags & CONF_MFLAGS_SILENT))

			{

			char rcode[10];

			char rcode[DECIMAL_SIZE(ret)+1];

			CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);

			sprintf(rcode, "%-8d", ret);

			ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);