From 2fb2e00d949028935654c49c85e5100340624c28 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 23 Mar 2004 15:01:13 +0000 Subject: [PATCH] Recent changes from 0.9.7-stable. --- CHANGES | 14 +++++++++++++- FAQ | 2 +- LICENSE | 2 +- Makefile.org | 2 +- NEWS | 8 ++++++++ README | 4 ++-- STATUS | 5 ++++- apps/apps.c | 7 +++++-- apps/x509.c | 1 - crypto/bio/b_print.c | 2 +- crypto/bio/bss_file.c | 18 +++++++++--------- crypto/ec/ecp_smpl.c | 2 +- crypto/opensslv.h | 4 ++-- doc/crypto/pem.pod | 2 +- openssl.spec | 2 +- ssl/kssl.c | 4 ++-- ssl/s3_pkt.c | 8 ++++++++ ssl/s3_srvr.c | 16 ++++++++++++++++ tools/c_issuer | 2 +- 19 files changed, 77 insertions(+), 28 deletions(-) diff --git a/CHANGES b/CHANGES index c2ad5a196..d388a528c 100644 --- a/CHANGES +++ b/CHANGES @@ -2,7 +2,19 @@ OpenSSL CHANGES _______________ - Changes between 0.9.7c and 0.9.7d [xx XXX XXXX] + Changes between 0.9.7d and 0.9.7e [XX xxx XXXX] + + *) + + Changes between 0.9.7c and 0.9.7d [17 Mar 2004] + + *) Fix null-pointer assignment in do_change_cipher_spec() revealed + by using the Codenomicon TLS Test Tool (CAN-2004-0079) + [Joe Orton, Steve Henson] + + *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites + (CAN-2004-0112) + [Joe Orton, Steve Henson] *) Make it possible to have multiple active certificates with the same subject in the CA index file. This is done only if the keyword diff --git a/FAQ b/FAQ index 01e2ccf18..0b40039ef 100644 --- a/FAQ +++ b/FAQ @@ -68,7 +68,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 0.9.7c was released on September 30, 2003. +OpenSSL 0.9.7d was released on March 17, 2004. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at &1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \ set -x; ${CC} ${SHARED_LDFLAGS} \ -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \ diff --git a/NEWS b/NEWS index f0282ebb8..4c1ba0a24 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d: + + o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug + o Security: Fix null-pointer assignment in do_change_cipher_spec() + o Allow multiple active certificates with same subject in CA index + o Multiple X590 verification fixes + o Speed up HMAC and other operations + Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c: o Security: fix various ASN1 parsing bugs. diff --git a/README b/README index 65e3a1242..f72a21036 100644 --- a/README +++ b/README @@ -1,7 +1,7 @@ - OpenSSL 0.9.7c 30 Sep 2003 + OpenSSL 0.9.7d 17 Mar 2004 - Copyright (c) 1998-2003 The OpenSSL Project + Copyright (c) 1998-2004 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson All rights reserved. diff --git a/STATUS b/STATUS index 7f3b29eb6..4951a464f 100644 --- a/STATUS +++ b/STATUS @@ -1,14 +1,17 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2003/10/02 10:55:20 $ + ______________ $Date: 2004/03/23 15:00:59 $ DEVELOPMENT STATE o OpenSSL 0.9.8: Under development... + o OpenSSL 0.9.7d: Released on March 17th, 2004 o OpenSSL 0.9.7c: Released on September 30th, 2003 o OpenSSL 0.9.7b: Released on April 10th, 2003 o OpenSSL 0.9.7a: Released on February 19th, 2003 o OpenSSL 0.9.7: Released on December 31st, 2002 + o OpenSSL 0.9.6m: Released on March 17th, 2004 + o OpenSSL 0.9.6l: Released on November 4th, 2003 o OpenSSL 0.9.6k: Released on September 30th, 2003 o OpenSSL 0.9.6j: Released on April 10th, 2003 o OpenSSL 0.9.6i: Released on February 19th, 2003 diff --git a/apps/apps.c b/apps/apps.c index 77fa39d27..ec5f5c1c9 100644 --- a/apps/apps.c +++ b/apps/apps.c @@ -1944,6 +1944,9 @@ int rotate_index(char *dbfile, char *new_suffix, char *old_suffix) void free_index(CA_DB *db) { - TXT_DB_free(db->db); - OPENSSL_free(db); + if (db) + { + if (db->db) TXT_DB_free(db->db); + OPENSSL_free(db); + } } diff --git a/apps/x509.c b/apps/x509.c index 58f89de58..9b95f7bd3 100644 --- a/apps/x509.c +++ b/apps/x509.c @@ -1025,7 +1025,6 @@ end: static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create) { char *buf = NULL, *p; - MS_STATIC char buf2[1024]; ASN1_INTEGER *bs = NULL; BIGNUM *serial = NULL; size_t len; diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index fbff33179..c2bb357b4 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -641,7 +641,7 @@ fmtfp( multiplying by a factor of 10 */ fracpart = roundv((pow10(max)) * (ufvalue - intpart)); - if (fracpart >= pow10(max)) { + if (fracpart >= (long)pow10(max)) { intpart++; fracpart -= (long)pow10(max); } diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index 9cdf159f8..554474733 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -213,14 +213,14 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) b->shutdown=(int)num&BIO_CLOSE; b->ptr=(char *)ptr; b->init=1; -#if defined(OPENSSL_SYS_WINDOWS) - if (num & BIO_FP_TEXT) - _setmode(fileno((FILE *)ptr),_O_TEXT); - else - _setmode(fileno((FILE *)ptr),_O_BINARY); -#elif defined(OPENSSL_SYS_MSDOS) { int fd = fileno((FILE*)ptr); +#if defined(OPENSSL_SYS_WINDOWS) + if (num & BIO_FP_TEXT) + _setmode(fd,_O_TEXT); + else + _setmode(fd,_O_BINARY); +#elif defined(OPENSSL_SYS_MSDOS) /* Set correct text/binary mode */ if (num & BIO_FP_TEXT) _setmode(fd,_O_TEXT); @@ -235,13 +235,13 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr) else _setmode(fd,_O_BINARY); } - } #elif defined(OPENSSL_SYS_OS2) if (num & BIO_FP_TEXT) - setmode(fileno((FILE *)ptr), O_TEXT); + setmode(fd, O_TEXT); else - setmode(fileno((FILE *)ptr), O_BINARY); + setmode(fd, O_BINARY); #endif + } break; case BIO_C_SET_FILENAME: file_free(b); diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index 4666a052b..e9a51fb87 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -896,7 +896,7 @@ int ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } form = buf[0]; y_bit = form & 1; - form = form & ~1; + form = form & ~1U; if ((form != 0) && (form != POINT_CONVERSION_COMPRESSED) && (form != POINT_CONVERSION_UNCOMPRESSED) && (form != POINT_CONVERSION_HYBRID)) diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 102f11454..64337d9e7 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -25,8 +25,8 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x00907040L -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d-dev [fips] xx XXX XXXX" +#define OPENSSL_VERSION_NUMBER 0x00907050L +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7e-dev [fips] XX xxx XXXX" #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/doc/crypto/pem.pod b/doc/crypto/pem.pod index 861311445..4f9a27df0 100644 --- a/doc/crypto/pem.pod +++ b/doc/crypto/pem.pod @@ -471,6 +471,6 @@ is guaranteed to work. =head1 RETURN CODES The read routines return either a pointer to the structure read or NULL -is an error occurred. +if an error occurred. The write routines return 1 for success or 0 for failure. diff --git a/openssl.spec b/openssl.spec index 9ce236e0d..6a272f696 100644 --- a/openssl.spec +++ b/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 7 -%define librev c +%define librev d Release: 1 %define openssldir /var/ssl diff --git a/ssl/kssl.c b/ssl/kssl.c index 7c45f8ff4..51378897f 100644 --- a/ssl/kssl.c +++ b/ssl/kssl.c @@ -953,7 +953,7 @@ print_krb5_authdata(char *label, krb5_authdata **adata) printf("%s, authdata==0\n", label); return; } - printf("%s [%p]\n", label, adata); + printf("%s [%p]\n", label, (void *)adata); #if 0 { int i; @@ -1725,7 +1725,7 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx) return; } else - printf("%p\n", kssl_ctx); + printf("%p\n", (void *)kssl_ctx); printf("\tservice:\t%s\n", (kssl_ctx->service_name)? kssl_ctx->service_name: "NULL"); diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index 3f88429e7..9f3e5139a 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -1085,6 +1085,14 @@ start: goto err; } + /* Check we have a cipher to change to */ + if (s->s3->tmp.new_cipher == NULL) + { + i=SSL_AD_UNEXPECTED_MESSAGE; + SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY); + goto err; + } + rr->length=0; if (s->msg_callback) diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 79278680c..2a87852fd 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1597,11 +1597,27 @@ static int ssl3_get_client_key_exchange(SSL *s) n2s(p,i); enc_ticket.length = i; + + if (n < enc_ticket.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + enc_ticket.data = (char *)p; p+=enc_ticket.length; n2s(p,i); authenticator.length = i; + + if (n < enc_ticket.length + authenticator.length + 6) + { + SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE, + SSL_R_DATA_LENGTH_TOO_LONG); + goto err; + } + authenticator.data = (char *)p; p+=authenticator.length; diff --git a/tools/c_issuer b/tools/c_issuer index 4c691201b..55821ab74 100644 --- a/tools/c_issuer +++ b/tools/c_issuer @@ -6,5 +6,5 @@ for i in $* do n=`openssl x509 -issuer -noout -in $i` - echo "$i\t$n" + echo "$i $n" done