Compare commits
5 Commits
OpenSSL_0_
...
OpenSSL_0_
| Author | SHA1 | Date | |
|---|---|---|---|
|
1917fb6dd8 | ||
|
|
0fc93c4b92 | ||
|
|
c99c47f19e | ||
|
|
3ce3e7211f | ||
|
|
8b56f9c81d |
10
CHANGES
10
CHANGES
@@ -2,6 +2,16 @@
|
||||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 0.9.8k and 0.9.8l [5 Nov 2009]
|
||||
|
||||
*) Disable renegotiation completely - this fixes a severe security
|
||||
problem (CVE-2009-3555) at the cost of breaking all
|
||||
renegotiation. Renegotiation can be re-enabled by setting
|
||||
SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at
|
||||
run-time. This is really not recommended unless you know what
|
||||
you're doing.
|
||||
[Ben Laurie]
|
||||
|
||||
Changes between 0.9.8j and 0.9.8k [25 Mar 2009]
|
||||
|
||||
*) Don't set val to NULL when freeing up structures, it is freed up by
|
||||
|
||||
2
FAQ
2
FAQ
@@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions
|
||||
* Which is the current version of OpenSSL?
|
||||
|
||||
The current version is available from <URL: http://www.openssl.org>.
|
||||
OpenSSL 0.9.8k was released on Mar 25th, 2009.
|
||||
OpenSSL 0.9.8l was released on Nov 5th, 2009.
|
||||
|
||||
In addition to the current stable release, you can also access daily
|
||||
snapshots of the OpenSSL development version at <URL:
|
||||
|
||||
4
NEWS
4
NEWS
@@ -5,6 +5,10 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
|
||||
|
||||
o Ban renegotiation.
|
||||
|
||||
Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
|
||||
|
||||
o Fix various build issues.
|
||||
|
||||
2
README
2
README
@@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 0.9.8k
|
||||
OpenSSL 0.9.8l
|
||||
|
||||
Copyright (c) 1998-2008 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
||||
3
STATUS
3
STATUS
@@ -1,10 +1,11 @@
|
||||
|
||||
OpenSSL STATUS Last modified at
|
||||
______________ $Date: 2009/03/25 10:46:55 $
|
||||
______________ $Date: 2009/11/05 14:09:14 $
|
||||
|
||||
DEVELOPMENT STATE
|
||||
|
||||
o OpenSSL 0.9.9: Under development...
|
||||
o OpenSSL 0.9.8l: Released on November 5th, 2009
|
||||
o OpenSSL 0.9.8k: Released on March 25th, 2009
|
||||
o OpenSSL 0.9.8j: Released on January 7th, 2009
|
||||
o OpenSSL 0.9.8i: Released on September 15th, 2008
|
||||
|
||||
@@ -1158,6 +1158,7 @@ void ERR_load_ASN1_strings(void);
|
||||
#define ASN1_F_ASN1_VERIFY 137
|
||||
#define ASN1_F_B64_READ_ASN1 208
|
||||
#define ASN1_F_B64_WRITE_ASN1 209
|
||||
#define ASN1_F_BIO_NEW_NDEF 212
|
||||
#define ASN1_F_BITSTR_CB 180
|
||||
#define ASN1_F_BN_TO_ASN1_ENUMERATED 138
|
||||
#define ASN1_F_BN_TO_ASN1_INTEGER 139
|
||||
|
||||
@@ -132,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]=
|
||||
{ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"},
|
||||
{ERR_FUNC(ASN1_F_B64_READ_ASN1), "B64_READ_ASN1"},
|
||||
{ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_WRITE_ASN1"},
|
||||
{ERR_FUNC(ASN1_F_BIO_NEW_NDEF), "BIO_NEW_NDEF"},
|
||||
{ERR_FUNC(ASN1_F_BITSTR_CB), "BITSTR_CB"},
|
||||
{ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"},
|
||||
{ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"},
|
||||
|
||||
@@ -25,11 +25,11 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
#define OPENSSL_VERSION_NUMBER 0x009080bfL
|
||||
#define OPENSSL_VERSION_NUMBER 0x009080cfL
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k-fips 25 Mar 2009"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8l-fips 5 Nov 2009"
|
||||
#else
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k 25 Mar 2009"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8l 5 Nov 2009"
|
||||
#endif
|
||||
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
||||
@@ -678,6 +678,28 @@ STACK_OF(type) \
|
||||
#define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st))
|
||||
#define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st))
|
||||
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_new(st) SKM_sk_new(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_new_null() SKM_sk_new_null(EVP_PKEY_ASN1_METHOD)
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_free(st) SKM_sk_free(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_num(st) SKM_sk_num(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_value(st, i) SKM_sk_value(EVP_PKEY_ASN1_METHOD, (st), (i))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_set(st, i, val) SKM_sk_set(EVP_PKEY_ASN1_METHOD, (st), (i), (val))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_zero(st) SKM_sk_zero(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_push(st, val) SKM_sk_push(EVP_PKEY_ASN1_METHOD, (st), (val))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_unshift(st, val) SKM_sk_unshift(EVP_PKEY_ASN1_METHOD, (st), (val))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_find(st, val) SKM_sk_find(EVP_PKEY_ASN1_METHOD, (st), (val))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_find_ex(st, val) SKM_sk_find_ex(EVP_PKEY_ASN1_METHOD, (st), (val))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_delete(st, i) SKM_sk_delete(EVP_PKEY_ASN1_METHOD, (st), (i))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_delete_ptr(st, ptr) SKM_sk_delete_ptr(EVP_PKEY_ASN1_METHOD, (st), (ptr))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_insert(st, val, i) SKM_sk_insert(EVP_PKEY_ASN1_METHOD, (st), (val), (i))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_PKEY_ASN1_METHOD, (st), (cmp))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_dup(st) SKM_sk_dup(EVP_PKEY_ASN1_METHOD, st)
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY_ASN1_METHOD, (st), (free_func))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_shift(st) SKM_sk_shift(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_pop(st) SKM_sk_pop(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_sort(st) SKM_sk_sort(EVP_PKEY_ASN1_METHOD, (st))
|
||||
#define sk_EVP_PKEY_ASN1_METHOD_is_sorted(st) SKM_sk_is_sorted(EVP_PKEY_ASN1_METHOD, (st))
|
||||
|
||||
#define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st))
|
||||
#define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME)
|
||||
#define sk_GENERAL_NAME_free(st) SKM_sk_free(GENERAL_NAME, (st))
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
%define libmaj 0
|
||||
%define libmin 9
|
||||
%define librel 8
|
||||
%define librev k
|
||||
%define librev l
|
||||
Release: 1
|
||||
|
||||
%define openssldir /var/ssl
|
||||
|
||||
@@ -2592,6 +2592,9 @@ int ssl3_renegotiate(SSL *s)
|
||||
if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
|
||||
return(0);
|
||||
|
||||
if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
return(0);
|
||||
|
||||
s->s3->renegotiate=1;
|
||||
return(1);
|
||||
}
|
||||
|
||||
@@ -985,6 +985,7 @@ start:
|
||||
|
||||
if (SSL_is_init_finished(s) &&
|
||||
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
|
||||
(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) &&
|
||||
!s->s3->renegotiate)
|
||||
{
|
||||
ssl3_renegotiate(s);
|
||||
@@ -1117,7 +1118,8 @@ start:
|
||||
if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake)
|
||||
{
|
||||
if (((s->state&SSL_ST_MASK) == SSL_ST_OK) &&
|
||||
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS))
|
||||
!(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) &&
|
||||
(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
{
|
||||
#if 0 /* worked only because C operator preferences are not as expected (and
|
||||
* because this is not really needed for clients except for detecting
|
||||
|
||||
@@ -718,6 +718,14 @@ int ssl3_get_client_hello(SSL *s)
|
||||
#endif
|
||||
STACK_OF(SSL_CIPHER) *ciphers=NULL;
|
||||
|
||||
if (s->new_session
|
||||
&& !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION))
|
||||
{
|
||||
al=SSL_AD_HANDSHAKE_FAILURE;
|
||||
SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR);
|
||||
goto f_err;
|
||||
}
|
||||
|
||||
/* We do this so that we will respond with our native type.
|
||||
* If we are TLSv1 and we get SSLv3, we will respond with TLSv1,
|
||||
* This down switching should be handled by a different method.
|
||||
|
||||
@@ -1952,6 +1952,7 @@ void ERR_load_SSL_strings(void);
|
||||
#define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190
|
||||
#define SSL_R_NO_PROTOCOLS_AVAILABLE 191
|
||||
#define SSL_R_NO_PUBLICKEY 192
|
||||
#define SSL_R_NO_RENEGOTIATION 318
|
||||
#define SSL_R_NO_SHARED_CIPHER 193
|
||||
#define SSL_R_NO_VERIFY_CALLBACK 194
|
||||
#define SSL_R_NULL_SSL_CTX 195
|
||||
|
||||
@@ -326,10 +326,11 @@ typedef struct ssl3_buffer_st
|
||||
#define SSL3_CT_NUMBER 7
|
||||
|
||||
|
||||
#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
|
||||
#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
|
||||
#define SSL3_FLAGS_POP_BUFFER 0x0004
|
||||
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
|
||||
#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001
|
||||
#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002
|
||||
#define SSL3_FLAGS_POP_BUFFER 0x0004
|
||||
#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008
|
||||
#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010
|
||||
|
||||
typedef struct ssl3_state_st
|
||||
{
|
||||
|
||||
@@ -384,6 +384,7 @@ static ERR_STRING_DATA SSL_str_reasons[]=
|
||||
{ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"},
|
||||
{ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"},
|
||||
{ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"},
|
||||
{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"},
|
||||
{ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"},
|
||||
{ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"},
|
||||
{ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"},
|
||||
|
||||
Reference in New Issue
Block a user