Compare commits
16 Commits
OpenSSL_0_
...
OpenSSL_0_
| Author | SHA1 | Date | |
|---|---|---|---|
|
b71e69ad8e | ||
|
|
f856173c43 | ||
|
|
d742f9ebbd | ||
|
|
36dd4cba3d | ||
|
|
3978429ad5 | ||
|
|
885945d6e1 | ||
|
|
e22e770147 | ||
|
|
e0c0203341 | ||
|
|
e1eec61e26 | ||
|
|
296fa128c9 | ||
|
|
6dde222aae | ||
|
|
391ac37018 | ||
|
|
8d038a08fb | ||
|
|
747c6ffda4 | ||
|
|
d4cddc54f0 | ||
|
|
eb7112c18e |
22
CHANGES
22
CHANGES
@@ -2,6 +2,28 @@
|
||||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 0.9.8w and 0.9.8x [10 May 2012]
|
||||
|
||||
*) Sanity check record length before skipping explicit IV in DTLS
|
||||
to fix DoS attack.
|
||||
|
||||
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
|
||||
fuzzing as a service testing platform.
|
||||
(CVE-2012-2333)
|
||||
[Steve Henson]
|
||||
|
||||
*) Initialise tkeylen properly when encrypting CMS messages.
|
||||
Thanks to Solar Designer of Openwall for reporting this issue.
|
||||
[Steve Henson]
|
||||
|
||||
Changes between 0.9.8v and 0.9.8w [23 Apr 2012]
|
||||
|
||||
*) The fix for CVE-2012-2110 did not take into account that the
|
||||
'len' argument to BUF_MEM_grow and BUF_MEM_grow_clean is an
|
||||
int in OpenSSL 0.9.8, making it still vulnerable. Fix by
|
||||
rejecting negative len parameter. (CVE-2012-2131)
|
||||
[Tomas Hoger <thoger@redhat.com>]
|
||||
|
||||
Changes between 0.9.8u and 0.9.8v [19 Apr 2012]
|
||||
|
||||
*) Check for potentially exploitable overflows in asn1_d2i_read_bio
|
||||
|
||||
22
FAQ
22
FAQ
@@ -10,6 +10,7 @@ OpenSSL - Frequently Asked Questions
|
||||
* Why aren't tools like 'autoconf' and 'libtool' used?
|
||||
* What is an 'engine' version?
|
||||
* How do I check the authenticity of the OpenSSL distribution?
|
||||
* How does the versioning scheme work?
|
||||
|
||||
[LEGAL] Legal questions
|
||||
|
||||
@@ -82,7 +83,7 @@ OpenSSL - Frequently Asked Questions
|
||||
* Which is the current version of OpenSSL?
|
||||
|
||||
The current version is available from <URL: http://www.openssl.org>.
|
||||
OpenSSL 1.0.0i was released on Apr 19th, 2012.
|
||||
OpenSSL 1.0.1c was released on May 10th, 2012.
|
||||
|
||||
In addition to the current stable release, you can also access daily
|
||||
snapshots of the OpenSSL development version at <URL:
|
||||
@@ -108,7 +109,9 @@ In addition, you can read the most current versions at
|
||||
<URL: http://www.openssl.org/docs/>. Note that the online documents refer
|
||||
to the very latest development versions of OpenSSL and may include features
|
||||
not present in released versions. If in doubt refer to the documentation
|
||||
that came with the version of OpenSSL you are using.
|
||||
that came with the version of OpenSSL you are using. The pod format
|
||||
documentation is included in each OpenSSL distribution under the docs
|
||||
directory.
|
||||
|
||||
For information on parts of libcrypto that are not yet documented, you
|
||||
might want to read Ariel Glenn's documentation on SSLeay 0.9, OpenSSL's
|
||||
@@ -173,6 +176,19 @@ just do:
|
||||
|
||||
pgp TARBALL.asc
|
||||
|
||||
* How does the versioning scheme work?
|
||||
|
||||
After the release of OpenSSL 1.0.0 the versioning scheme changed. Letter
|
||||
releases (e.g. 1.0.1a) can only contain bug and security fixes and no
|
||||
new features. Minor releases change the last number (e.g. 1.0.2) and
|
||||
can contain new features that retain binary compatibility. Changes to
|
||||
the middle number are considered major releases and neither source nor
|
||||
binary compatibility is guaranteed.
|
||||
|
||||
Therefore the answer to the common question "when will feature X be
|
||||
backported to OpenSSL 1.0.0/0.9.8?" is "never" but it could appear
|
||||
in the next minor release.
|
||||
|
||||
[LEGAL] =======================================================================
|
||||
|
||||
* Do I need patent licenses to use OpenSSL?
|
||||
@@ -284,7 +300,7 @@ current directory in this case, but this has changed with 0.9.6a.)
|
||||
Check out the CA.pl(1) manual page. This provides a simple wrapper round
|
||||
the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
|
||||
out the manual pages for the individual utilities and the certificate
|
||||
extensions documentation (currently in doc/openssl.txt).
|
||||
extensions documentation (in ca(1), req(1), x509v3_config(5) )
|
||||
|
||||
|
||||
* Why can't I create certificate requests?
|
||||
|
||||
8
NEWS
8
NEWS
@@ -5,6 +5,14 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 0.9.8w and OpenSSL 0.9.8x:
|
||||
|
||||
o Fix DTLS record length checking bug CVE-2012-2333
|
||||
|
||||
Major changes between OpenSSL 0.9.8v and OpenSSL 0.9.8w:
|
||||
|
||||
o Fix for CVE-2012-2131 (corrected fix for 0.9.8 and CVE-2012-2110)
|
||||
|
||||
Major changes between OpenSSL 0.9.8u and OpenSSL 0.9.8v:
|
||||
|
||||
o Fix for ASN1 overflow bug CVE-2012-2110
|
||||
|
||||
2
README
2
README
@@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 0.9.8v 19 Apr 2012
|
||||
OpenSSL 0.9.8x 10 May 2012
|
||||
|
||||
Copyright (c) 1998-2011 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
||||
9
STATUS
9
STATUS
@@ -1,16 +1,23 @@
|
||||
|
||||
OpenSSL STATUS Last modified at
|
||||
______________ $Date: 2012/04/19 11:39:02 $
|
||||
______________ $Date: 2012/05/10 14:36:07 $
|
||||
|
||||
DEVELOPMENT STATE
|
||||
|
||||
o OpenSSL 1.1.0: Under development...
|
||||
o OpenSSL 1.0.1: Under development...
|
||||
o OpenSSL 1.0.0i: Released on April 19th, 2012
|
||||
o OpenSSL 1.0.0h: Released on March 12th, 2012
|
||||
o OpenSSL 1.0.0g: Released on January 18th, 2012
|
||||
o OpenSSL 1.0.0f: Released on January 4th, 2012
|
||||
o OpenSSL 1.0.0e: Released on September 6th, 2011
|
||||
o OpenSSL 1.0.0d: Released on February 8nd, 2011
|
||||
o OpenSSL 1.0.0c: Released on December 2nd, 2010
|
||||
o OpenSSL 1.0.0b: Released on November 16th, 2010
|
||||
o OpenSSL 1.0.0a: Released on June 1st, 2010
|
||||
o OpenSSL 1.0.0: Released on March 29th, 2010
|
||||
o OpenSSL 0.9.8x: Released on May 10th, 2012
|
||||
o OpenSSL 0.9.8w: Released on April 23rd, 2012
|
||||
o OpenSSL 0.9.8v: Released on April 19th, 2012
|
||||
o OpenSSL 0.9.8u: Released on March 12th, 2012
|
||||
o OpenSSL 0.9.8t: Released on January 18th, 2012
|
||||
|
||||
@@ -99,6 +99,11 @@ int BUF_MEM_grow(BUF_MEM *str, int len)
|
||||
char *ret;
|
||||
unsigned int n;
|
||||
|
||||
if (len < 0)
|
||||
{
|
||||
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
if (str->length >= len)
|
||||
{
|
||||
str->length=len;
|
||||
@@ -141,6 +146,11 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
|
||||
char *ret;
|
||||
unsigned int n;
|
||||
|
||||
if (len < 0)
|
||||
{
|
||||
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
if (str->length >= len)
|
||||
{
|
||||
memset(&str->data[len],0,str->length-len);
|
||||
@@ -156,7 +166,7 @@ int BUF_MEM_grow_clean(BUF_MEM *str, int len)
|
||||
/* This limit is sufficient to ensure (len+3)/3*4 < 2**31 */
|
||||
if (len > LIMIT_BEFORE_EXPANSION)
|
||||
{
|
||||
BUFerr(BUF_F_BUF_MEM_GROW,ERR_R_MALLOC_FAILURE);
|
||||
BUFerr(BUF_F_BUF_MEM_GROW_CLEAN,ERR_R_MALLOC_FAILURE);
|
||||
return 0;
|
||||
}
|
||||
n=(len+3)/3*4;
|
||||
|
||||
@@ -139,10 +139,10 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
|
||||
CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR);
|
||||
goto err;
|
||||
}
|
||||
tkeylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
/* Generate random session key */
|
||||
if (!enc || !ec->key)
|
||||
{
|
||||
tkeylen = EVP_CIPHER_CTX_key_length(ctx);
|
||||
tkey = OPENSSL_malloc(tkeylen);
|
||||
if (!tkey)
|
||||
{
|
||||
@@ -174,7 +174,7 @@ BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
|
||||
/* Only reveal failure if debugging so we don't
|
||||
* leak information which may be useful in MMA.
|
||||
*/
|
||||
if (ec->debug)
|
||||
if (enc || ec->debug)
|
||||
{
|
||||
CMSerr(CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO,
|
||||
CMS_R_INVALID_KEY_LENGTH);
|
||||
|
||||
@@ -25,11 +25,11 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
#define OPENSSL_VERSION_NUMBER 0x0090816fL
|
||||
#define OPENSSL_VERSION_NUMBER 0x0090818fL
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8v-fips 19 Apr 2012"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8x-fips 10 May 2012"
|
||||
#else
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8v 19 Apr 2012"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8x 10 May 2012"
|
||||
#endif
|
||||
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
||||
@@ -57,7 +57,7 @@ following methods:
|
||||
|
||||
- in all other cases, proxy certificate validation can be enabled
|
||||
before starting the application by setting the envirnoment variable
|
||||
OPENSSL_ALLOW_PROXY with some non-empty value.
|
||||
OPENSSL_ALLOW_PROXY_CERTS with some non-empty value.
|
||||
|
||||
There are thoughts to allow proxy certificates with a line in the
|
||||
default openssl.cnf, but that's still in the future.
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
%define libmaj 0
|
||||
%define libmin 9
|
||||
%define librel 8
|
||||
%define librev v
|
||||
%define librev x
|
||||
Release: 1
|
||||
|
||||
%define openssldir /var/ssl
|
||||
|
||||
@@ -249,7 +249,7 @@ int dtls1_enc(SSL *s, int send)
|
||||
}
|
||||
/* TLS 1.0 does not bound the number of padding bytes by the block size.
|
||||
* All of them must have value 'padding_length'. */
|
||||
if (i > (int)rec->length)
|
||||
if (i + bs > (int)rec->length)
|
||||
{
|
||||
/* Incorrect padding. SSLerr() and ssl3_alert are done
|
||||
* by caller: we don't want to reveal whether this is
|
||||
|
||||
Reference in New Issue
Block a user