Merge OpenSSL 0.9.8n into head.
This fixes CVE-2010-0740 which only affected -CURRENT (OpenSSL 0.9.8m) but not -STABLE branches. I have not yet been able to find out if CVE-2010-0433 impacts FreeBSD. This will be investigated further. Security: CVE-2010-0433, CVE-2010-0740 Security: http://www.openssl.org/news/secadv_20100324.txt
This commit is contained in:
commit
ab8565e267
@ -2,6 +2,21 @@
|
||||
OpenSSL CHANGES
|
||||
_______________
|
||||
|
||||
Changes between 0.9.8m and 0.9.8n [24 Mar 2010]
|
||||
|
||||
*) When rejecting SSL/TLS records due to an incorrect version number, never
|
||||
update s->server with a new major version number. As of
|
||||
- OpenSSL 0.9.8m if 'short' is a 16-bit type,
|
||||
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
|
||||
the previous behavior could result in a read attempt at NULL when
|
||||
receiving specific incorrect SSL/TLS records once record payload
|
||||
protection is active. (CVE-2010-0740)
|
||||
[Bodo Moeller, Adam Langley <agl@chromium.org>]
|
||||
|
||||
*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
|
||||
could be crashed if the relevant tables were not present (e.g. chrooted).
|
||||
[Tomas Hoger <thoger@redhat.com>]
|
||||
|
||||
Changes between 0.9.8l and 0.9.8m [25 Feb 2010]
|
||||
|
||||
*) Always check bn_wexpend() return values for failure. (CVE-2009-3245)
|
||||
|
@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions
|
||||
* Which is the current version of OpenSSL?
|
||||
|
||||
The current version is available from <URL: http://www.openssl.org>.
|
||||
OpenSSL 0.9.8m was released on Feb 25th, 2010.
|
||||
OpenSSL 0.9.8n was released on Mar 24th, 2010.
|
||||
|
||||
In addition to the current stable release, you can also access daily
|
||||
snapshots of the OpenSSL development version at <URL:
|
||||
|
@ -4,7 +4,7 @@
|
||||
## Makefile for OpenSSL
|
||||
##
|
||||
|
||||
VERSION=0.9.8m
|
||||
VERSION=0.9.8n
|
||||
MAJOR=0
|
||||
MINOR=9.8
|
||||
SHLIB_VERSION_NUMBER=0.9.8
|
||||
|
@ -5,6 +5,11 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
|
||||
|
||||
o CFB cipher definition fixes.
|
||||
o Fix security issues CVE-2010-0740 and CVE-2010-0433.
|
||||
|
||||
Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
|
||||
|
||||
o Cipher definition fixes.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
OpenSSL 0.9.8m
|
||||
OpenSSL 0.9.8n
|
||||
|
||||
Copyright (c) 1998-2009 The OpenSSL Project
|
||||
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
|
||||
|
@ -1433,11 +1433,17 @@ start2: for (;;)
|
||||
|
||||
BIO_snprintf(buf,sizeof buf,"%s_min",type);
|
||||
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
|
||||
{
|
||||
ERR_clear_error();
|
||||
n_min = -1;
|
||||
}
|
||||
|
||||
BIO_snprintf(buf,sizeof buf,"%s_max",type);
|
||||
if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
|
||||
{
|
||||
ERR_clear_error();
|
||||
n_max = -1;
|
||||
}
|
||||
|
||||
if (!add_attribute_object(req,
|
||||
v->value,def,value,nid,n_min,n_max, chtype))
|
||||
|
@ -254,12 +254,18 @@
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
|
||||
# define NO_FORK 1
|
||||
#elif HAVE_FORK
|
||||
#ifndef HAVE_FORK
|
||||
# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MACINTOSH_CLASSIC) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
|
||||
# define HAVE_FORK 0
|
||||
# else
|
||||
# define HAVE_FORK 1
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#if HAVE_FORK
|
||||
# undef NO_FORK
|
||||
#else
|
||||
# define NO_FORK 1
|
||||
# define NO_FORK
|
||||
#endif
|
||||
|
||||
#undef BUFSIZE
|
||||
|
@ -741,6 +741,10 @@ case "$GUESSOS" in
|
||||
OBJECT_MODE=${OBJECT_MODE:-32}
|
||||
if [ "$CC" = "gcc" ]; then
|
||||
OUT="aix-gcc"
|
||||
if [ $OBJECT_MODE -eq 64 ]; then
|
||||
echo 'Your $OBJECT_MODE was found to be set to 64'
|
||||
OUT="aix64-gcc"
|
||||
fi
|
||||
elif [ $OBJECT_MODE -eq 64 ]; then
|
||||
echo 'Your $OBJECT_MODE was found to be set to 64'
|
||||
OUT="aix64-cc"
|
||||
|
@ -291,12 +291,12 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
|
||||
ASN1_OBJECT *ret=NULL;
|
||||
const unsigned char *p;
|
||||
int i;
|
||||
/* Sanity check OID encoding: can't have 0x80 in subidentifiers, see:
|
||||
* X.690 8.19.2
|
||||
/* Sanity check OID encoding: can't have leading 0x80 in
|
||||
* subidentifiers, see: X.690 8.19.2
|
||||
*/
|
||||
for (i = 0, p = *pp + 1; i < len - 1; i++, p++)
|
||||
{
|
||||
if (*p == 0x80)
|
||||
if (*p == 0x80 && (!i || !(p[-1] & 0x80)))
|
||||
{
|
||||
ASN1err(ASN1_F_C2I_ASN1_OBJECT,ASN1_R_INVALID_OBJECT_ENCODING);
|
||||
return NULL;
|
||||
|
@ -272,9 +272,9 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
|
||||
BIO_clear_flags(b,BIO_FLAGS_UPLINK);
|
||||
#endif
|
||||
#endif
|
||||
#ifdef UP_fsetmode
|
||||
#ifdef UP_fsetmod
|
||||
if (b->flags&BIO_FLAGS_UPLINK)
|
||||
UP_fsetmode(b->ptr,num&BIO_FP_TEXT?'t':'b');
|
||||
UP_fsetmod(b->ptr,(char)((num&BIO_FP_TEXT)?'t':'b'));
|
||||
else
|
||||
#endif
|
||||
{
|
||||
|
@ -2074,5 +2074,7 @@ EOF
|
||||
$data =~ s/^(\s*)cmplw(\s+)([^,]+),(.*)/$1cmpl$2$3,0,$4/gm;
|
||||
# assembler X doesn't accept li, load immediate value
|
||||
#$data =~ s/^(\s*)li(\s+)([^,]+),(.*)/$1addi$2$3,0,$4/gm;
|
||||
# assembler Y chokes on apostrophes in comments
|
||||
$data =~ s/'//gm;
|
||||
return($data);
|
||||
}
|
||||
|
@ -59,6 +59,7 @@
|
||||
|
||||
#undef mul
|
||||
#undef mul_add
|
||||
#undef sqr
|
||||
|
||||
/*
|
||||
* "m"(a), "+m"(r) is the way to favor DirectPath µ-code;
|
||||
|
@ -337,7 +337,10 @@ X) -> 0x%08X\n",
|
||||
t2 -= d1;
|
||||
}
|
||||
#else /* !BN_LLONG */
|
||||
BN_ULONG t2l,t2h,ql,qh;
|
||||
BN_ULONG t2l,t2h;
|
||||
#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
|
||||
BN_ULONG ql,qh;
|
||||
#endif
|
||||
|
||||
q=bn_div_words(n0,n1,d0);
|
||||
#ifdef BN_DEBUG_LEVITTE
|
||||
@ -561,7 +564,10 @@ X) -> 0x%08X\n",
|
||||
t2 -= d1;
|
||||
}
|
||||
#else /* !BN_LLONG */
|
||||
BN_ULONG t2l,t2h,ql,qh;
|
||||
BN_ULONG t2l,t2h;
|
||||
#if !defined(BN_UMULT_LOHI) && !defined(BN_UMULT_HIGH)
|
||||
BN_ULONG ql,qh;
|
||||
#endif
|
||||
|
||||
q=bn_div_words(n0,n1,d0);
|
||||
#ifdef BN_DEBUG_LEVITTE
|
||||
|
@ -104,7 +104,7 @@ void ENGINE_load_builtin_engines(void)
|
||||
#endif
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_HW
|
||||
#if defined(__OpenBSD__) || defined(__FreeBSD__)
|
||||
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(HAVE_CRYPTODEV)
|
||||
ENGINE_load_cryptodev();
|
||||
#endif
|
||||
#if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
|
||||
|
@ -755,10 +755,18 @@ cryptodev_bn_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
|
||||
goto err;
|
||||
kop.crk_iparams = 3;
|
||||
|
||||
if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL) == -1) {
|
||||
if (cryptodev_asym(&kop, BN_num_bytes(m), r, 0, NULL)) {
|
||||
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
|
||||
printf("OCF asym process failed, Running in software\n");
|
||||
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
|
||||
|
||||
} else if (ECANCELED == kop.crk_status) {
|
||||
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
|
||||
printf("OCF hardware operation cancelled. Running in Software\n");
|
||||
ret = meth->bn_mod_exp(r, a, p, m, ctx, in_mont);
|
||||
}
|
||||
/* else cryptodev operation worked ok ==> ret = 1*/
|
||||
|
||||
err:
|
||||
zapparams(&kop);
|
||||
return (ret);
|
||||
@ -801,10 +809,18 @@ cryptodev_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
|
||||
goto err;
|
||||
kop.crk_iparams = 6;
|
||||
|
||||
if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL) == -1) {
|
||||
if (cryptodev_asym(&kop, BN_num_bytes(rsa->n), r0, 0, NULL)) {
|
||||
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
|
||||
printf("OCF asym process failed, running in Software\n");
|
||||
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
|
||||
|
||||
} else if (ECANCELED == kop.crk_status) {
|
||||
const RSA_METHOD *meth = RSA_PKCS1_SSLeay();
|
||||
printf("OCF hardware operation cancelled. Running in Software\n");
|
||||
ret = (*meth->rsa_mod_exp)(r0, I, rsa, ctx);
|
||||
}
|
||||
/* else cryptodev operation worked ok ==> ret = 1*/
|
||||
|
||||
err:
|
||||
zapparams(&kop);
|
||||
return (ret);
|
||||
@ -940,7 +956,8 @@ cryptodev_dsa_verify(const unsigned char *dgst, int dlen,
|
||||
kop.crk_iparams = 7;
|
||||
|
||||
if (cryptodev_asym(&kop, 0, NULL, 0, NULL) == 0) {
|
||||
dsaret = kop.crk_status;
|
||||
/*OCF success value is 0, if not zero, change dsaret to fail*/
|
||||
if(0 != kop.crk_status) dsaret = 0;
|
||||
} else {
|
||||
const DSA_METHOD *meth = DSA_OpenSSL();
|
||||
|
||||
|
@ -235,6 +235,7 @@ static int do_evp_md_engine(EVP_MD_CTX *ctx, const EVP_MD **ptype, ENGINE *impl)
|
||||
{
|
||||
/* Same comment from evp_enc.c */
|
||||
EVPerr(EVP_F_DO_EVP_MD_ENGINE,EVP_R_INITIALIZATION_ERROR);
|
||||
ENGINE_finish(impl);
|
||||
return 0;
|
||||
}
|
||||
/* We'll use the ENGINE's private digest definition */
|
||||
|
@ -127,9 +127,9 @@ BLOCK_CIPHER_def1(cname, cbc, cbc, CBC, kstruct, nid, block_size, key_len, \
|
||||
#define BLOCK_CIPHER_def_cfb(cname, kstruct, nid, key_len, \
|
||||
iv_len, cbits, flags, init_key, cleanup, \
|
||||
set_asn1, get_asn1, ctrl) \
|
||||
BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, \
|
||||
(cbits + 7)/8, key_len, iv_len, \
|
||||
flags, init_key, cleanup, set_asn1, get_asn1, ctrl)
|
||||
BLOCK_CIPHER_def1(cname, cfb##cbits, cfb##cbits, CFB, kstruct, nid, 1, \
|
||||
key_len, iv_len, flags, init_key, cleanup, set_asn1, \
|
||||
get_asn1, ctrl)
|
||||
|
||||
#define BLOCK_CIPHER_def_ofb(cname, kstruct, nid, key_len, \
|
||||
iv_len, cbits, flags, init_key, cleanup, \
|
||||
|
@ -90,7 +90,7 @@ int EVP_add_digest(const EVP_MD *md)
|
||||
r=OBJ_NAME_add(OBJ_nid2ln(md->type),OBJ_NAME_TYPE_MD_METH,(const char *)md);
|
||||
if (r == 0) return(0);
|
||||
|
||||
if (md->type != md->pkey_type)
|
||||
if (md->pkey_type && md->type != md->pkey_type)
|
||||
{
|
||||
r=OBJ_NAME_add(OBJ_nid2sn(md->pkey_type),
|
||||
OBJ_NAME_TYPE_MD_METH|OBJ_NAME_ALIAS,name);
|
||||
|
@ -241,11 +241,11 @@
|
||||
#ifndef PEDANTIC
|
||||
# if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
|
||||
# if defined(__s390x__)
|
||||
# define HOST_c2l(c,l) ({ asm ("lrv %0,0(%1)" \
|
||||
:"=r"(l) : "r"(c)); \
|
||||
# define HOST_c2l(c,l) ({ asm ("lrv %0,%1" \
|
||||
:"=d"(l) :"m"(*(const unsigned int *)(c));\
|
||||
(c)+=4; (l); })
|
||||
# define HOST_l2c(l,c) ({ asm ("strv %0,0(%1)" \
|
||||
: : "r"(l),"r"(c) : "memory"); \
|
||||
# define HOST_l2c(l,c) ({ asm ("strv %1,%0" \
|
||||
:"=m"(*(unsigned int *)(c)) :"d"(l));\
|
||||
(c)+=4; (l); })
|
||||
# endif
|
||||
# endif
|
||||
|
@ -275,6 +275,7 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags)
|
||||
}
|
||||
if (!X509V3_extensions_print(bp, "Response Extensions",
|
||||
rd->responseExtensions, flags, 4))
|
||||
goto err;
|
||||
if(X509_signature_print(bp, br->signatureAlgorithm, br->signature) <= 0)
|
||||
goto err;
|
||||
|
||||
|
@ -25,11 +25,11 @@
|
||||
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
|
||||
* major minor fix final patch/beta)
|
||||
*/
|
||||
#define OPENSSL_VERSION_NUMBER 0x009080dfL
|
||||
#define OPENSSL_VERSION_NUMBER 0x009080efL
|
||||
#ifdef OPENSSL_FIPS
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8m-fips 25 Feb 2010"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8n-fips 24 Mar 2010"
|
||||
#else
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8m 25 Feb 2010"
|
||||
#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8n 24 Mar 2010"
|
||||
#endif
|
||||
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
|
||||
|
||||
|
@ -750,7 +750,7 @@ static void readscreen(void)
|
||||
int y; /* y-coordinate of screen lines to grab */
|
||||
int n = 16; /* number of screen lines to grab at a time */
|
||||
|
||||
if (GetVersion() >= 0x80000000 || !OPENSSL_isservice())
|
||||
if (GetVersion() < 0x80000000 && OPENSSL_isservice()>0)
|
||||
return;
|
||||
|
||||
/* Create a screen DC and a memory DC compatible to screen DC */
|
||||
|
@ -83,6 +83,10 @@
|
||||
#define CERT_STORE_CREATE_NEW_FLAG 0x00002000
|
||||
#endif
|
||||
|
||||
#ifndef CERT_SYSTEM_STORE_CURRENT_USER
|
||||
#define CERT_SYSTEM_STORE_CURRENT_USER 0x00010000
|
||||
#endif
|
||||
|
||||
#include <openssl/engine.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/x509v3.h>
|
||||
|
@ -1204,6 +1204,11 @@ static int hwcrhk_get_pass(const char *prompt_info,
|
||||
pem_password_cb *callback = NULL;
|
||||
void *callback_data = NULL;
|
||||
UI_METHOD *ui_method = NULL;
|
||||
/* Despite what the documentation says prompt_info can be
|
||||
* an empty string.
|
||||
*/
|
||||
if (prompt_info && !*prompt_info)
|
||||
prompt_info = NULL;
|
||||
|
||||
if (cactx)
|
||||
{
|
||||
@ -1305,8 +1310,10 @@ static int hwcrhk_insert_card(const char *prompt_info,
|
||||
{
|
||||
char answer;
|
||||
char buf[BUFSIZ];
|
||||
|
||||
if (wrong_info)
|
||||
/* Despite what the documentation says wrong_info can be
|
||||
* an empty string.
|
||||
*/
|
||||
if (wrong_info && *wrong_info)
|
||||
BIO_snprintf(buf, sizeof(buf)-1,
|
||||
"Current card: \"%s\"\n", wrong_info);
|
||||
ok = UI_dup_info_string(ui, buf);
|
||||
|
@ -123,7 +123,7 @@ fips_premain_dso$(EXE_EXT): fips_premain.c
|
||||
$(FIPSLIBDIR)fipscanister.o ../libcrypto.a $(EX_LIBS)
|
||||
# this is executed only when linking with external fipscanister.o
|
||||
fips_standalone_sha1$(EXE_EXT): sha/fips_standalone_sha1.c
|
||||
if [ -z $(HOSTCC) ] ; then \
|
||||
if [ -z "$(HOSTCC)" ] ; then \
|
||||
$(CC) $(CFLAGS) -DFIPSCANISTER_O -o $@ sha/fips_standalone_sha1.c $(FIPSLIBDIR)fipscanister.o $(EX_LIBS) ; \
|
||||
else \
|
||||
$(HOSTCC) $(HOSTCFLAGS) -o $ $@ -I../include -I../crypto sha/fips_standalone_sha1.c ../crypto/sha/sha1dgst.c ; \
|
||||
|
@ -2,7 +2,7 @@
|
||||
%define libmaj 0
|
||||
%define libmin 9
|
||||
%define librel 8
|
||||
%define librev m
|
||||
%define librev n
|
||||
Release: 1
|
||||
|
||||
%define openssldir /var/ssl
|
||||
|
@ -1802,6 +1802,9 @@ kssl_ctx_show(KSSL_CTX *kssl_ctx)
|
||||
kssl_ctx->service_name ? kssl_ctx->service_name: KRB5SVC,
|
||||
KRB5_NT_SRV_HST, &princ);
|
||||
|
||||
if (krb5rc)
|
||||
goto exit;
|
||||
|
||||
krb5rc = krb5_kt_get_entry(krb5context, krb5keytab,
|
||||
princ,
|
||||
0 /* IGNORE_VNO */,
|
||||
|
@ -291,9 +291,9 @@ static int ssl3_get_record(SSL *s)
|
||||
if (version != s->version)
|
||||
{
|
||||
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_WRONG_VERSION_NUMBER);
|
||||
/* Send back error using their
|
||||
* version number :-) */
|
||||
s->version=version;
|
||||
if ((s->version & 0xFF00) == (version & 0xFF00))
|
||||
/* Send back error using their minor version number :-) */
|
||||
s->version = (unsigned short)version;
|
||||
al=SSL_AD_PROTOCOL_VERSION;
|
||||
goto f_err;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user