894f48c6b3
This guarantees that we never read beyond the first record, even if the first record is empty. Between removing SSL_set_read_ahead and DTLS enforcing record boundaries, this means the buffer need never memmove data.

The memmove isn't really much of a burden and we can probably just put SSL_set_read_ahead back after the cleanup if desired. But while the non-existent read_ahead is off, we should avoid reading more than needed.

(Also the current memmove logic is completely wrong for TLS. Checking align != 0 doesn't make sense. The real reason to memmove is that the next record may still be full size. So now line 209 of s3_pkt.c should *actually* be unreachable.)

SSL_R_HTTPS_PROXY_REQUEST detection is now slightly less accurate, but OpenSSL was already not parsing HTTP completely. We could asynchronously read the extra 3 bytes once the first 5 match, but that seems unnecessary. (Shall we just get rid of all these HTTP detectors? The only consumer of those error codes is some diagnostics logic.)

BUG=468889
Change-Id: Ie3bf148ae7274795e1d048d78282d1d8063278ea
Reviewed-on: https://boringssl-review.googlesource.com/5714
Reviewed-by: Adam Langley <agl@google.com>


crypto
decrepit
doc
include/openssl
ssl
tool
util
.clang-format
.gitignore
BUILDING
CMakeLists.txt
codereview.settings
LICENSE
STYLE