generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

In ssl3_clear, preserve s3->init_extra along with s3->rbuf.

Browse Source 
Submitted by: Bob Buckholz <bbuckholz@google.com>
This commit is contained in:
Bodo Möller 2011-10-13 13:05:58 +00:00
parent cdfe0fdde6
commit 3ddc06f082
2 changed files with 60 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
CHANGES
View File

@ -184,16 +184,59 @@
by Google. by Google.
[Adam Langley <agl@google.com> and Ben Laurie] [Adam Langley <agl@google.com> and Ben Laurie]
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
*) New function OPENSSL_gmtime_diff to find the difference in days *) New function OPENSSL_gmtime_diff to find the difference in days
and seconds between two tm structures. This will be used to provide and seconds between two tm structures. This will be used to provide
additional functionality for ASN1_TIME. additional functionality for ASN1_TIME.
[Steve Henson] [Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
[Steve Henson]
*) Initial experimental support for explicitly trusted non-root CAs.
OpenSSL still tries to build a complete chain to a root but if an
intermediate CA has a trust setting included that is used. The first
setting is used: whether to trust or reject.
[Steve Henson]
*) New -verify_name option in command line utilities to set verification
parameters by name.
[Steve Henson]
*) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
Add CMAC pkey methods.
[Steve Henson]
*) Experiemental regnegotiation in s_server -www mode. If the client
browses /reneg connection is renegotiated. If /renegcert it is
renegotiated requesting a certificate.
[Steve Henson]
*) Add an "external" session cache for debugging purposes to s_server. This
should help trace issues which normally are only apparent in deployed
multi-process servers.
[Steve Henson]
*) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
return value is ignored. NB. The functions RAND_add(), RAND_seed(),
BIO_set_cipher() and some obscure PEM functions were changed so they
can now return an error. The RAND changes required a change to the
RAND_METHOD structure.
[Steve Henson]
*) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
a gcc attribute to warn if the result of a function is ignored. This
is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
whose return value is often ignored.
[Steve Henson]
Changes between 1.0.0f and 1.0.1 [xx XXX xxxx]
*) Use type ossl_ssize_t instad of ssize_t which isn't available on
all platforms. Move ssize_t definition from e_os.h to the public
header file e_os2.h as it now appears in public header file cms.h
[Steve Henson]
*) New -sigopt option to the ca, req and x509 utilities. Additional *) New -sigopt option to the ca, req and x509 utilities. Additional
signature parameters can be passed using this option and in signature parameters can be passed using this option and in
particular PSS. particular PSS.
@ -228,34 +271,6 @@
parameters r, s. parameters r, s.
[Steve Henson] [Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
[Steve Henson]
*) Initial experimental support for explicitly trusted non-root CAs.
OpenSSL still tries to build a complete chain to a root but if an
intermediate CA has a trust setting included that is used. The first
setting is used: whether to trust or reject.
[Steve Henson]
*) New -verify_name option in command line utilities to set verification
parameters by name.
[Steve Henson]
*) Initial CMAC implementation. WARNING: EXPERIMENTAL, API MAY CHANGE.
Add CMAC pkey methods.
[Steve Henson]
*) Experiemental regnegotiation in s_server -www mode. If the client
browses /reneg connection is renegotiated. If /renegcert it is
renegotiated requesting a certificate.
[Steve Henson]
*) Add an "external" session cache for debugging purposes to s_server. This
should help trace issues which normally are only apparent in deployed
multi-process servers.
[Steve Henson]
*) Password based recipient info support for CMS library: implementing *) Password based recipient info support for CMS library: implementing
RFC3211. RFC3211.
[Steve Henson] [Steve Henson]
@ -266,21 +281,6 @@
password based CMS). password based CMS).
[Steve Henson] [Steve Henson]
*) Extensive audit of libcrypto with DEBUG_UNUSED. Fix many cases where
return value is ignored. NB. The functions RAND_add(), RAND_seed(),
BIO_set_cipher() and some obscure PEM functions were changed so they
can now return an error. The RAND changes required a change to the
RAND_METHOD structure.
[Steve Henson]
*) New macro __owur for "OpenSSL Warn Unused Result". This makes use of
a gcc attribute to warn if the result of a function is ignored. This
is enable if DEBUG_UNUSED is set. Add to several functions in evp.h
whose return value is often ignored.
[Steve Henson]
Changes between 1.0.0e and 1.0.1 [xx XXX xxxx]
*) Session-handling fixes: *) Session-handling fixes:
- Fix handling of connections that are resuming with a session ID, - Fix handling of connections that are resuming with a session ID,
but also support Session Tickets. but also support Session Tickets.
@ -452,7 +452,12 @@
Add command line options to s_client/s_server. Add command line options to s_client/s_server.
[Steve Henson] [Steve Henson]
Changes between 1.0.0d and 1.0.0e [xx XXX xxxx] Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
[Bob Buckholz (Google)]
Changes between 1.0.0d and 1.0.0e [6 Sep 2011]
*) Fix bug where CRLs with nextUpdate in the past are sometimes accepted *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
by initialising X509_STORE_CTX properly. (CVE-2011-3207) by initialising X509_STORE_CTX properly. (CVE-2011-3207)
@ -1359,6 +1364,9 @@
Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] Changes between 0.9.8r and 0.9.8s [xx XXX xxxx]
*) In ssl3_clear, preserve s3->init_extra along with s3->rbuf.
[Bob Buckholz (Google)]
*) Fix SSL memory handling for (EC)DH ciphersuites, in particular *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
for multi-threaded use of ECDH. for multi-threaded use of ECDH.
[Adam Langley (Google)] [Adam Langley (Google)]

3
ssl/s3_lib.c
View File

@ -3000,6 +3000,7 @@ void ssl3_clear(SSL *s)
{ {
unsigned char *rp,*wp; unsigned char *rp,*wp;
size_t rlen, wlen; size_t rlen, wlen;
int init_extra;
#ifdef TLSEXT_TYPE_opaque_prf_input #ifdef TLSEXT_TYPE_opaque_prf_input
if (s->s3->client_opaque_prf_input != NULL) if (s->s3->client_opaque_prf_input != NULL)
@ -3038,6 +3039,7 @@ void ssl3_clear(SSL *s)
wp = s->s3->wbuf.buf; wp = s->s3->wbuf.buf;
rlen = s->s3->rbuf.len; rlen = s->s3->rbuf.len;
wlen = s->s3->wbuf.len; wlen = s->s3->wbuf.len;
init_extra = s->s3->init_extra;
if (s->s3->handshake_buffer) { if (s->s3->handshake_buffer) {
BIO_free(s->s3->handshake_buffer); BIO_free(s->s3->handshake_buffer);
s->s3->handshake_buffer = NULL; s->s3->handshake_buffer = NULL;
@ -3050,6 +3052,7 @@ void ssl3_clear(SSL *s)
s->s3->wbuf.buf = wp; s->s3->wbuf.buf = wp;
s->s3->rbuf.len = rlen; s->s3->rbuf.len = rlen;
s->s3->wbuf.len = wlen; s->s3->wbuf.len = wlen;
s->s3->init_extra = init_extra;
ssl_free_wbio_buffer(s); ssl_free_wbio_buffer(s);