[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri May 19 16:08:31 UTC 2017


The branch master has been updated
       via  aabe3a359197d99867abaab8a4beb42003ee7d79 (commit)
      from  ffbaf06ade6dab6a0805a24087cf2e84c5db8d43 (commit)


- Log -----------------------------------------------------------------
commit aabe3a359197d99867abaab8a4beb42003ee7d79
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 19 10:28:43 2017 +0100

    Fix return code in tls1_mac
    
    The return code from tls1_mac is supposed to be a boolean 0 for fail, 1 for
    success. In one place we returned -1 on error. This would cause code calling
    the mac function to erroneously see this as a success (because a non-zero
    value is being treated as success in all call sites).
    
    Fortunately, AFAICT, the place that returns -1 can only happen on an
    internal error so is not under attacker control. Additionally this code only
    appears in master. In 1.1.0 the return codes are treated differently.
    Therefore there are no security implications.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/3495)

-----------------------------------------------------------------------

Summary of changes:
 ssl/record/ssl3_record.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ssl/record/ssl3_record.c b/ssl/record/ssl3_record.c
index 85d726f..8ebb1b9 100644
--- a/ssl/record/ssl3_record.c
+++ b/ssl/record/ssl3_record.c
@@ -1225,7 +1225,7 @@ int tls1_mac(SSL *ssl, SSL3_RECORD *rec, unsigned char *md, int sending)
                                    ssl->s3->read_mac_secret,
                                    ssl->s3->read_mac_secret_size, 0) <= 0) {
             EVP_MD_CTX_free(hmac);
-            return -1;
+            return 0;
         }
     } else {
         /* TODO(size_t): Convert these calls */
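Review bot: The `return 0` on the failure path after the `<= 0` check fixes this one site, but the 0-for-fail, 1-for-success contract of `tls1_mac` is stated only in the commit message. The function still returns a plain `int`, and the call checked directly above uses the `<= 0` convention, so two conventions sit side by side and the same slip can recur. Suggest documenting the return contract in a comment at the function definition and confirming that the remaining return statements in this function, which are outside this hunk, return only 0 or 1. This path also frees `hmac` and returns without recording anything, so a caller cannot tell this internal failure apart from any other 0 return; consider raising an internal error before returning.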

