Compare commits
	
		
			9 Commits
		
	
	
		
			OpenSSL_0_
			...
			OpenSSL_0_
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 
						 | 
					f71d59c70e | ||
| 
						 | 
					3309f8313c | ||
| 
						 | 
					6cc5f194a7 | ||
| 
						 | 
					096327a99a | ||
| 
						 | 
					cc10bcf25e | ||
| 
						 | 
					875ac0ec00 | ||
| 
						 | 
					bf240f063a | ||
| 
						 | 
					dd016b0570 | ||
| 
						 | 
					244788464a | 
							
								
								
									
										12
									
								
								CHANGES
									
									
									
									
									
								
							
							
						
						
									
										12
									
								
								CHANGES
									
									
									
									
									
								
							@@ -2,6 +2,14 @@
 | 
			
		||||
 OpenSSL CHANGES
 | 
			
		||||
 _______________
 | 
			
		||||
 | 
			
		||||
 Changes between 0.9.8s and 0.9.8t [18 Jan 2012]
 | 
			
		||||
 | 
			
		||||
  *) Fix for DTLS DoS issue introduced by fix for CVE-2011-4109.
 | 
			
		||||
     Thanks to Antonio Martin, Enterprise Secure Access Research and
 | 
			
		||||
     Development, Cisco Systems, Inc. for discovering this bug and
 | 
			
		||||
     preparing a fix. (CVE-2012-0050)
 | 
			
		||||
     [Antonio Martin]
 | 
			
		||||
 | 
			
		||||
 Changes between 0.9.8r and 0.9.8s [4 Jan 2012]
 | 
			
		||||
 | 
			
		||||
  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
 | 
			
		||||
@@ -25,7 +33,9 @@
 | 
			
		||||
     (CVE-2011-4576)
 | 
			
		||||
     [Adam Langley (Google)]
 | 
			
		||||
 | 
			
		||||
  *) Only allow one SGC handshake restart for SSL/TLS. (CVE-2011-4619)
 | 
			
		||||
  *) Only allow one SGC handshake restart for SSL/TLS. Thanks to George
 | 
			
		||||
     Kadianakis <desnacked@gmail.com> for discovering this issue and
 | 
			
		||||
     Adam Langley for preparing the fix. (CVE-2011-4619)
 | 
			
		||||
     [Adam Langley (Google)]
 | 
			
		||||
 
 | 
			
		||||
  *) Prevent malformed RFC3779 data triggering an assertion failure.
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										2
									
								
								FAQ
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								FAQ
									
									
									
									
									
								
							@@ -82,7 +82,7 @@ OpenSSL  -  Frequently Asked Questions
 | 
			
		||||
* Which is the current version of OpenSSL?
 | 
			
		||||
 | 
			
		||||
The current version is available from <URL: http://www.openssl.org>.
 | 
			
		||||
OpenSSL 1.0.0f was released on Jan 4th, 2012.
 | 
			
		||||
OpenSSL 1.0.0g was released on Jan 18th, 2012.
 | 
			
		||||
 | 
			
		||||
In addition to the current stable release, you can also access daily
 | 
			
		||||
snapshots of the OpenSSL development version at <URL:
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										4
									
								
								NEWS
									
									
									
									
									
								
							
							
						
						
									
										4
									
								
								NEWS
									
									
									
									
									
								
							@@ -5,6 +5,10 @@
 | 
			
		||||
  This file gives a brief overview of the major changes between each OpenSSL
 | 
			
		||||
  release. For more details please read the CHANGES file.
 | 
			
		||||
 | 
			
		||||
  Major changes between OpenSSL 0.9.8s and OpenSSL 0.9.8t:
 | 
			
		||||
 | 
			
		||||
      o Fix for DTLS DoS issue CVE-2012-0050
 | 
			
		||||
 | 
			
		||||
  Major changes between OpenSSL 0.9.8r and OpenSSL 0.9.8s:
 | 
			
		||||
 | 
			
		||||
      o Fix for DTLS plaintext recovery attack CVE-2011-4108
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										2
									
								
								README
									
									
									
									
									
								
							
							
						
						
									
										2
									
								
								README
									
									
									
									
									
								
							@@ -1,5 +1,5 @@
 | 
			
		||||
 | 
			
		||||
 OpenSSL 0.9.8s 4 Jan 2012
 | 
			
		||||
 OpenSSL 0.9.8t 18 Jan 2012
 | 
			
		||||
 | 
			
		||||
 Copyright (c) 1998-2011 The OpenSSL Project
 | 
			
		||||
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										3
									
								
								STATUS
									
									
									
									
									
								
							
							
						
						
									
										3
									
								
								STATUS
									
									
									
									
									
								
							@@ -1,6 +1,6 @@
 | 
			
		||||
 | 
			
		||||
  OpenSSL STATUS                           Last modified at
 | 
			
		||||
  ______________                           $Date: 2012/01/04 19:20:48 $
 | 
			
		||||
  ______________                           $Date: 2012/01/18 13:14:48 $
 | 
			
		||||
 | 
			
		||||
  DEVELOPMENT STATE
 | 
			
		||||
 | 
			
		||||
@@ -11,6 +11,7 @@
 | 
			
		||||
    o  OpenSSL 1.0.0b: Released on November  16th, 2010
 | 
			
		||||
    o  OpenSSL 1.0.0a: Released on June      1st,  2010
 | 
			
		||||
    o  OpenSSL 1.0.0:  Released on March     29th, 2010
 | 
			
		||||
    o  OpenSSL 0.9.8t: Released on January   18th, 2012
 | 
			
		||||
    o  OpenSSL 0.9.8s: Released on January    4th, 2012
 | 
			
		||||
    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
 | 
			
		||||
    o  OpenSSL 0.9.8q: Released on December   2nd, 2010
 | 
			
		||||
 
 | 
			
		||||
@@ -611,7 +611,7 @@ int MAIN(int argc, char **argv)
 | 
			
		||||
		BIO_printf (bio_err, "-certsout file certificate output file\n");
 | 
			
		||||
		BIO_printf (bio_err, "-signer file   signer certificate file\n");
 | 
			
		||||
		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
 | 
			
		||||
		BIO_printf (bio_err, "-keyid        use subject key identifier\n");
 | 
			
		||||
		BIO_printf (bio_err, "-keyid         use subject key identifier\n");
 | 
			
		||||
		BIO_printf (bio_err, "-in file       input file\n");
 | 
			
		||||
		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 | 
			
		||||
		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
 | 
			
		||||
 
 | 
			
		||||
@@ -289,7 +289,8 @@ int test_builtin(BIO *out)
 | 
			
		||||
	ECDSA_SIG	*ecdsa_sig = NULL;
 | 
			
		||||
	unsigned char	digest[20], wrong_digest[20];
 | 
			
		||||
	unsigned char	*signature = NULL;
 | 
			
		||||
	unsigned char	*sig_ptr;
 | 
			
		||||
	const unsigned char	*sig_ptr;
 | 
			
		||||
	unsigned char	*sig_ptr2;
 | 
			
		||||
	unsigned char	*raw_buf = NULL;
 | 
			
		||||
	unsigned int	sig_len, degree, r_len, s_len, bn_len, buf_len;
 | 
			
		||||
	int		nid, ret =  0;
 | 
			
		||||
@@ -464,8 +465,8 @@ int test_builtin(BIO *out)
 | 
			
		||||
			(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
 | 
			
		||||
			goto builtin_err;
 | 
			
		||||
 | 
			
		||||
		sig_ptr = signature;
 | 
			
		||||
		sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
 | 
			
		||||
		sig_ptr2 = signature;
 | 
			
		||||
		sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
 | 
			
		||||
		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) == 1)
 | 
			
		||||
			{
 | 
			
		||||
			BIO_printf(out, " failed\n");
 | 
			
		||||
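Review bot: The result of `i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2)` is stored straight into the `unsigned int sig_len` declared at the top of `test_builtin`, so a failed encode (a negative `int` return) becomes a very large length passed to `ECDSA_verify`. In this negative test, where `== 1` is the failure case, a failed encode would make verification fail and the test pass for the wrong reason. The same pattern recurs in the next hunk (`-477,8 +478,8`), where the signature is expected to verify. Consider taking the result into an `int` declared with the other locals and checking it, e.g. `len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2); if (len <= 0) goto builtin_err; sig_len = len;`. The function begins and ends outside these hunks, so whether `signature` is large enough for the re-encoded value cannot be confirmed from here.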
@@ -477,8 +478,8 @@ int test_builtin(BIO *out)
 | 
			
		||||
			(BN_bin2bn(raw_buf + bn_len, bn_len, ecdsa_sig->s) == NULL))
 | 
			
		||||
			goto builtin_err;
 | 
			
		||||
 | 
			
		||||
		sig_ptr = signature;
 | 
			
		||||
		sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr);
 | 
			
		||||
		sig_ptr2 = signature;
 | 
			
		||||
		sig_len = i2d_ECDSA_SIG(ecdsa_sig, &sig_ptr2);
 | 
			
		||||
		if (ECDSA_verify(0, digest, 20, signature, sig_len, eckey) != 1)
 | 
			
		||||
			{
 | 
			
		||||
			BIO_printf(out, " failed\n");
 | 
			
		||||
 
 | 
			
		||||
@@ -25,11 +25,11 @@
 | 
			
		||||
 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
 | 
			
		||||
 *  major minor fix final patch/beta)
 | 
			
		||||
 */
 | 
			
		||||
#define OPENSSL_VERSION_NUMBER	0x0090813fL
 | 
			
		||||
#define OPENSSL_VERSION_NUMBER	0x0090814fL
 | 
			
		||||
#ifdef OPENSSL_FIPS
 | 
			
		||||
#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8s-fips 4 Jan 2012"
 | 
			
		||||
#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8t-fips 18 Jan 2012"
 | 
			
		||||
#else
 | 
			
		||||
#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8s 4 Jan 2012"
 | 
			
		||||
#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.8t 18 Jan 2012"
 | 
			
		||||
#endif
 | 
			
		||||
#define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 | 
			
		||||
 | 
			
		||||
 
 | 
			
		||||
@@ -2,7 +2,7 @@
 | 
			
		||||
%define libmaj 0
 | 
			
		||||
%define libmin 9
 | 
			
		||||
%define librel 8
 | 
			
		||||
%define librev s
 | 
			
		||||
%define librev t
 | 
			
		||||
Release: 1
 | 
			
		||||
 | 
			
		||||
%define openssldir /var/ssl
 | 
			
		||||
 
 | 
			
		||||
							
								
								
									
										17
									
								
								ssl/d1_pkt.c
									
									
									
									
									
								
							
							
						
						
									
										17
									
								
								ssl/d1_pkt.c
									
									
									
									
									
								
							@@ -336,6 +336,7 @@ dtls1_process_record(SSL *s)
 | 
			
		||||
	unsigned int mac_size;
 | 
			
		||||
	unsigned char md[EVP_MAX_MD_SIZE];
 | 
			
		||||
	int decryption_failed_or_bad_record_mac = 0;
 | 
			
		||||
	unsigned char *mac = NULL;
 | 
			
		||||
 | 
			
		||||
 | 
			
		||||
	rr= &(s->s3->rrec);
 | 
			
		||||
@@ -403,19 +404,15 @@ if (	(sess == NULL) ||
 | 
			
		||||
#endif			
 | 
			
		||||
			}
 | 
			
		||||
		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
 | 
			
		||||
		if (rr->length < mac_size)
 | 
			
		||||
		if (rr->length >= mac_size)
 | 
			
		||||
			{
 | 
			
		||||
#if 0 /* OK only for stream ciphers */
 | 
			
		||||
			al=SSL_AD_DECODE_ERROR;
 | 
			
		||||
			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
 | 
			
		||||
			goto f_err;
 | 
			
		||||
#else
 | 
			
		||||
			decryption_failed_or_bad_record_mac = 1;
 | 
			
		||||
#endif
 | 
			
		||||
			rr->length -= mac_size;
 | 
			
		||||
			mac = &rr->data[rr->length];
 | 
			
		||||
			}
 | 
			
		||||
		rr->length-=mac_size;
 | 
			
		||||
		else
 | 
			
		||||
			rr->length = 0;
 | 
			
		||||
		s->method->ssl3_enc->mac(s,md,0);
 | 
			
		||||
		if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
 | 
			
		||||
		if (mac == NULL || memcmp(md, mac, mac_size) != 0)
 | 
			
		||||
			{
 | 
			
		||||
			decryption_failed_or_bad_record_mac = 1;
 | 
			
		||||
			}
 | 
			
		||||
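Review bot: The comparison `memcmp(md, mac, mac_size)` is not constant-time, so its duration can depend on how many leading MAC bytes match. The flag name `decryption_failed_or_bad_record_mac` suggests this path is meant to keep failure causes indistinguishable, so a constant-time compare would fit better here; later OpenSSL releases provide `CRYPTO_memcmp`, but confirm it exists on this branch. The `else rr->length = 0;` branch also deserves a comment such as `/* record too short to hold a MAC: still run mac() and fail below rather than bailing out early */`, because it is not obvious why `mac` stays NULL while the MAC is still computed. `dtls1_process_record` starts and ends outside the hunk, so how the flag is consumed afterwards is not visible.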
 
 | 
			
		||||
@@ -1000,8 +1000,10 @@ long SSL_ctrl(SSL *s,int cmd,long larg,void *parg)
 | 
			
		||||
		s->max_cert_list=larg;
 | 
			
		||||
		return(l);
 | 
			
		||||
	case SSL_CTRL_SET_MTU:
 | 
			
		||||
#ifndef OPENSSL_NO_DTLS1
 | 
			
		||||
		if (larg < (long)dtls1_min_mtu())
 | 
			
		||||
			return 0;
 | 
			
		||||
#endif
 | 
			
		||||
 | 
			
		||||
		if (SSL_version(s) == DTLS1_VERSION ||
 | 
			
		||||
		    SSL_version(s) == DTLS1_BAD_VER)
 | 
			
		||||
 
 | 
			
		||||
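Review bot: `SSL_CTRL_SET_MTU` returns a bare 0 when `larg` is below `dtls1_min_mtu()`, which gives the caller no way to tell a rejected MTU from any other failure of this control. A short comment at the guard, e.g. `/* reject MTUs below the DTLS minimum; 0 signals failure */`, would document the contract. The guard is compiled out under `OPENSSL_NO_DTLS1` and checks only a lower bound. The rest of the case lies outside the hunk, so whether `larg` is range-checked before being stored should be confirmed there.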