Go to file
Adam Langley e976e4349d Don't read uninitialised data for short session IDs.
While it's always safe to read |SSL_MAX_SSL_SESSION_ID_LENGTH| bytes
from an |SSL_SESSION|'s |session_id| array, the hash function would do
so with without considering if all those bytes had been written to.

This change checks |session_id_length| before possibly reading
uninitialised memory. Since the result of the hash function was already
attacker controlled, and since a lookup of a short session ID will
always fail, it doesn't appear that this is anything more than a clean
up.

BUG=586800

Change-Id: I5f59f245b51477d6d4fa2cdc20d40bb6b4a3eae7
Reviewed-on: https://boringssl-review.googlesource.com/7150
Reviewed-by: David Benjamin <davidben@google.com>
2016-02-18 15:45:48 +00:00
crypto Add missing " in comment. 2016-02-17 21:17:26 +00:00
decrepit Tweaks for node.js 2016-01-26 23:23:42 +00:00
fuzz Have fuzz/cert.cc also call X509_get_pubkey. 2016-02-18 00:10:15 +00:00
include/openssl Fix SSL_get_{read,write}_sequence. 2016-02-17 22:05:29 +00:00
ssl Don't read uninitialised data for short session IDs. 2016-02-18 15:45:48 +00:00
tool Make it possible to tell what curve was used on the server. 2015-12-22 23:12:25 +00:00
util Have doc.go parse struct comments. 2016-01-26 23:23:23 +00:00
.clang-format
.gitignore Fix documentation generation on Windows. 2015-08-19 00:45:42 +00:00
BUILDING.md Updating BUILDING.md for windows. 2016-02-10 17:42:36 +00:00
CMakeLists.txt Prefer MSVC over GCC if both are in %PATH%. 2016-02-08 18:12:36 +00:00
codereview.settings
CONTRIBUTING.md Add a CONTRIBUTING.md file. 2016-02-10 21:38:19 +00:00
FUZZING.md Update and fix fuzzing instructions. 2015-11-10 23:37:36 +00:00
LICENSE Note that some files carry in Intel license. 2015-07-28 00:55:32 +00:00
PORTING.md Document the d2i object reuse changes in PORTING.md. 2016-02-02 16:21:20 +00:00
README.md Add a CONTRIBUTING.md file. 2016-02-10 21:38:19 +00:00
STYLE.md Update link to Google style guide. 2015-11-03 02:02:12 +00:00

BoringSSL

BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.

Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.

Programs ship their own copies of BoringSSL when they use it and we update everything as needed when deciding to make API changes. This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you.

BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.

Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.

There are other files in this directory which might be helpful: