On Tue, Apr 22, 2014 at 13:17, Vadim Lebedev wrote:

> I was alarmed by this:
> 
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/s3_clnt.c.diff?r1=1.34;r2=1.35;f=h
> 
> Maybe I misread something else, but it seems like calls
> to OPENSSL_malloc/free routines are being replaced by malloc/free etc.
> 
> Would you mind explaining what I've been missing?

You are correct. The interface remains for applications that use it,
but it's no longer possible to change its behavior.

We believe overriding these functions to allow sharing memory like
you're describing is an inherently insecure construction, and we won't
allow it.
