[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Mon Nov 2 14:30:37 UTC 2015
The branch master has been updated
via 1c2e5d560d5143d8fc1cf7e6b598199201e60a45 (commit)
via 6929b4477b83c8e759ccc5dbc9483095e1c5a146 (commit)
via 267b7789f83f7177c96a308a7b30ce4c234ceb52 (commit)
from 9f07c405bb66d4cba03b00f3a3c1df8bee300120 (commit)
- Log -----------------------------------------------------------------
commit 1c2e5d560d5143d8fc1cf7e6b598199201e60a45
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 30 17:01:01 2015 +0000
Remove a reachable assert from ssl3_write_bytes
A buggy application that calls SSL_write with a different length after a
NBIO event could cause an OPENSSL_assert to be reached. The assert is not
actually necessary because there was an explicit check a little further
down that would catch this scenario. Therefore remove the assert and move
the check a little higher up.
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 6929b4477b83c8e759ccc5dbc9483095e1c5a146
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 30 16:50:17 2015 +0000
Remove an OPENSSL_assert which could fail
An OPENSSL_assert was being used which could fail (e.g. on a malloc
failure).
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 267b7789f83f7177c96a308a7b30ce4c234ceb52
Author: Matt Caswell <matt at openssl.org>
Date: Fri Oct 30 16:39:29 2015 +0000
Remove a trivially true OPENSSL_assert
This OPENSSL_assert in (d)tls1_heartbeat is trivially always going to be
true because it is testing the sum of values that have been set as
constants just a few lines above and nothing has changed them. Therefore
remove this.
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
ssl/d1_lib.c | 6 ------
ssl/record/rec_layer_s3.c | 30 +++++++++++++++---------------
ssl/record/ssl3_record.c | 3 ++-
ssl/t1_lib.c | 6 ------
4 files changed, 17 insertions(+), 28 deletions(-)
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 733973b..b865ad4 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -1023,12 +1023,6 @@ int dtls1_heartbeat(SSL *s)
return -1;
}
- /*
- * Check if padding is too long, payload and padding must not exceed 2^14
- * - 3 = 16381 bytes in total.
- */
- OPENSSL_assert(payload + padding <= 16381);
-
/*-
* Create HeartBeat message, we just use a sequence number
* as payload to distuingish different messages and add
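Review bot: with the assert and its comment gone from dtls1_heartbeat, nothing in this part of the function records the 16381-byte (2^14 - 3) ceiling on payload plus padding any more. If both values are constants set a few lines above, as the commit message says, consider keeping a one-line comment stating the limit, or a compile-time check beside those constants, so that a later change making either value variable does not silently lose the bound.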
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index e59c203..c9f1b71 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -455,20 +455,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
}
s->rwstate = SSL_NOTHING;
- OPENSSL_assert(s->rlayer.wnum <= INT_MAX);
tot = s->rlayer.wnum;
- s->rlayer.wnum = 0;
-
- if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) {
- i = s->handshake_func(s);
- if (i < 0)
- return (i);
- if (i == 0) {
- SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
- return -1;
- }
- }
-
/*
* ensure that if we end up with a smaller value of data to write out
* than the the original len from a write which didn't complete for
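Review bot: "tot = s->rlayer.wnum;" stays at the top of this block while the OPENSSL_assert(s->rlayer.wnum <= INT_MAX) in front of it is dropped, so the assignment is now only bounded by the length check that follows the comment below. Consider moving the assignment to after that check, or adding a short comment that the check is what bounds wnum, so the two cannot drift apart in a later edit. The retained comment also reads "the the original len", which could be fixed in the same pass.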
@@ -478,9 +465,22 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
* promptly send beyond the end of the users buffer ... so we trap and
* report the error in a way the user will notice
*/
- if (len < tot) {
+ if ((unsigned int)len < s->rlayer.wnum) {
SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_BAD_LENGTH);
- return (-1);
+ return -1;
+ }
+
+
+ s->rlayer.wnum = 0;
+
+ if (SSL_in_init(s) && !ossl_statem_get_in_handshake(s)) {
+ i = s->handshake_func(s);
+ if (i < 0)
+ return (i);
+ if (i == 0) {
+ SSLerr(SSL_F_SSL3_WRITE_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
+ return -1;
+ }
}
/*
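Review bot: the new comparison "(unsigned int)len < s->rlayer.wnum" converts a negative len into a very large unsigned value, so a negative length passes this check for any wnum, where the old signed "len < tot" did not behave that way. Unless len is rejected earlier in ssl3_write_bytes (not visible in these hunks), add an explicit "len < 0" test before the cast. Note also that s->rlayer.wnum is now reset only after the check, so it keeps its value on the SSL_R_BAD_LENGTH path, which is worth stating in the comment if intended. Style: the hunk adds two consecutive blank lines, and the moved block keeps "return (i);" while the line above was changed to "return -1;".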
diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 86aaf4f..359d247 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -954,7 +954,8 @@ int tls1_mac(SSL *ssl, unsigned char *md, int send)
EVP_DigestSignUpdate(mac_ctx, header, sizeof(header));
EVP_DigestSignUpdate(mac_ctx, rec->input, rec->length);
t = EVP_DigestSignFinal(mac_ctx, md, &md_size);
- OPENSSL_assert(t > 0);
+ if (t <= 0)
+ return -1;
if (!send && !SSL_USE_ETM(ssl) && FIPS_mode())
tls_fips_digest_extra(ssl->enc_read_ctx,
mac_ctx, rec->input,
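Review bot: the early "return -1" added after EVP_DigestSignFinal in tls1_mac handles only the final call; the two EVP_DigestSignUpdate calls directly above still ignore their return values, so a failure there is only noticed if it also makes the final call fail. Consider checking all three together. The new path also returns without an SSLerr entry, unlike the error paths in ssl3_write_bytes in this same patch, and if mac_ctx is set up earlier in this function (not visible here) the return skips whatever cleanup follows. Callers need to treat a negative result from tls1_mac as a failure.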
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index f42fb64..2db0d74 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -3685,12 +3685,6 @@ int tls1_heartbeat(SSL *s)
return -1;
}
- /*
- * Check if padding is too long, payload and padding must not exceed 2^14
- * - 3 = 16381 bytes in total.
- */
- OPENSSL_assert(payload + padding <= 16381);
-
/*-
* Create HeartBeat message, we just use a sequence number
* as payload to distuingish different messages and add
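Review bot: the lines around this removal in tls1_heartbeat are identical to those in the dtls1_heartbeat hunk in ssl/d1_lib.c, including the "distuingish" typo in the retained comment, which shows the same block being maintained in two places. Consider factoring the shared heartbeat message construction into one helper so that changes like this land once, and correct the typo while touching the area.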