OpenSSL bug exposed up to 255 bytes of server heap and existed since 2011

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • OkHttp

    Square’s meticulous HTTP client for the JVM, Android, and GraalVM.

    > Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer.

    BoringSSL fix: https://boringssl.googlesource.com/boringssl/+/c1d9ac02514a1...

    The heap leak was independently observed in 2014 in the Android okhttp library: https://github.com/square/okhttp/issues/437#issuecomment-358...

  • boringssl

    Mirror of BoringSSL

  • rustls-openssl-compat

    OpenSSL compatibility layers

    I had to check if that was a meme joke or that is actually what happened, and it seems that it actually was found by rewriting it in Rust:

    > 2024-04-23 - Discovery of SSL_select_next_proto memory unsafety while rewriting it in rust. [ https://github.com/rustls/rustls-openssl-compat/tree/main/ru... ]

  • s2n

    An implementation of the TLS/SSL protocols

    I started writing s2n the day after Heartbleed and the first lines of code were for the stuffer interface. A stuffer is a buffer for stuff, and it's like Java buffered I/O for C. You can get a flavor from reading the header: https://github.com/aws/s2n-tls/blob/main/stuffer/s2n_stuffer...

    The implementation is incredibly simple. Treat all blocks of memory as blobs with a known size and then read/write into those blobs with a cursor to track progress and bounds checks on every access. Fence all serialization/deserialization through a safe low-level interface. Not only do you get memory safety (which we later proved using formal reasoning) ... but when you're parsing message formats it lends itself to a declarative coding style that makes it very clear what the structure is. You can also do lifecycle things, like erasing sensitive memory with zeroes when you're done with it, making sure things don't show up in core dumps, etc. BoringSSL introduced a Crypto_bytes API that also did some of this plus bounds checking, and retrofitted it into OpenSSL.

    OpenSSL on the other hand is a horrific mashup of raw pointer arithmetic, ad-hoc parsers interleaved with business logic and control flow. I could never keep it straight, and it always scared me to review.
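An added example, not code from s2n, BoringSSL or OpenSSL, of the cursor-with-bounds-checks style described in the s2n comment, applied to the length-prefixed protocol list format that SSL_select_next_proto consumes (one length byte, then that many name bytes, repeated). Every read is checked against the blob size, so an empty, zero-length or truncated client list yields "no overlap" with a NULL output rather than a read past the buffer; the function and struct names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked cursor over a blob of known size (a tiny "stuffer"). */
struct cursor { const uint8_t *data; size_t len, pos; };

/* Read one length-prefixed entry. Returns 0 and sets *name/*n on success,
 * -1 if the entry has length 0 or runs past the end of the blob. */
static int read_entry(struct cursor *c, const uint8_t **name, size_t *n) {
    if (c->pos >= c->len) return -1;
    size_t plen = c->data[c->pos];
    if (plen == 0 || c->len - c->pos - 1 < plen) return -1;
    *name = c->data + c->pos + 1;
    *n = plen;
    c->pos += 1 + plen;
    return 0;
}

/* Is `name` (n bytes) an entry of `list`? 1 = yes, 0 = no, -1 = malformed. */
static int list_has(const uint8_t *list, size_t len, const uint8_t *name, size_t n) {
    struct cursor c = { list, len, 0 };
    while (c.pos < c.len) {
        const uint8_t *e; size_t en;
        if (read_entry(&c, &e, &en) != 0) return -1;
        if (en == n && memcmp(e, name, n) == 0) return 1;
    }
    return 0;
}

/* Pick the first server-preferred protocol that the client also lists.
 * Returns 1 and sets *out/*outlen on a match; returns 0 with *out == NULL
 * when either list is empty or malformed or there is no overlap. There is
 * deliberately no "fall back to the client's first entry" path. */
int select_proto(const uint8_t *server, size_t slen,
                 const uint8_t *client, size_t clen,
                 const uint8_t **out, size_t *outlen) {
    struct cursor c = { server, slen, 0 };
    *out = NULL; *outlen = 0;
    if (slen == 0 || clen == 0) return 0;
    while (c.pos < c.len) {
        const uint8_t *e; size_t en;
        if (read_entry(&c, &e, &en) != 0) return 0;
        int r = list_has(client, clen, e, en);
        if (r < 0) return 0;
        if (r == 1) { *out = e; *outlen = en; return 1; }
    }
    return 0;
}
```

A constructed server list `{2,'h','2',8,'h','t','t','p','/','1','.','1'}` against a client list containing only `http/1.1` selects `http/1.1`; the same server list against a zero-length or truncated client list returns 0 with a NULL output.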
