author | Dr. Stephen Henson <steve@openssl.org> | 2010-11-16 14:18:51 +0000 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2010-11-16 14:18:51 +0000 |
commit | 732d31beeeb2e2e9f44d05da8387cfeca06b91b8 (patch) | |
tree | 32d0001d19dac7c63816b01a00adc512ccbcccec | |
parent | f7d2f17a0709abb641799e32a11a2408d733d8ed (diff) |
bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files
-rw-r--r-- | CHANGES | 8 | ||||
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | STATUS | 13 | ||||
-rw-r--r-- | ssl/t1_lib.c | 60 |
4 files changed, 67 insertions, 20 deletions
@@ -161,6 +161,10 @@ Changes between 1.0.0a and 1.0.0b [xx XXX xxxx] + *) Fix extension code to avoid race conditions which can result in a buffer + overrun vulnerability: resumed sessions must not be modified as they can + be shared by multiple threads. CVE-2010-3864 + *) Fix WIN32 build system to correctly link an ENGINE directory into a DLL. [Steve Henson] @@ -1014,6 +1018,10 @@ Changes between 0.9.8o and 0.9.8p [xx XXX xxxx] + *) Fix extension code to avoid race conditions which can result in a buffer + overrun vulnerability: resumed sessions must not be modified as they can + be shared by multiple threads. CVE-2010-3864 + *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 [Steve Henson] @@ -5,6 +5,12 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b: + + o Fix for security issue CVE-2010-3864. + o Fix for CVE-2010-2939 + o Fix WIN32 build system for GOST ENGINE. + Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a: o Fix for security issue CVE-2010-1633. @@ -1,10 +1,19 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2009/04/03 11:45:14 $ + ______________ $Date: 2010/11/16 14:18:51 $ DEVELOPMENT STATE - o OpenSSL 1.0.0-beta1: Released on April 1st, 2009 + o OpenSSL 1.1.0: Under development... + o OpenSSL 1.0.0b: Released on November 16th, 2010 + o OpenSSL 1.0.0a: Released on June 1st, 2010 + o OpenSSL 1.0.0: Released on March 29th, 2010 + o OpenSSL 0.9.8n: Released on March 24th, 2010 + o OpenSSL 0.9.8m: Released on February 25th, 2010 + o OpenSSL 0.9.8l: Released on November 5th, 2009 + o OpenSSL 0.9.8k: Released on March 25th, 2009 + o OpenSSL 0.9.8j: Released on January 7th, 2009 + o OpenSSL 0.9.8i: Released on September 15th, 2008 o OpenSSL 0.9.8h: Released on May 28th, 2008 o OpenSSL 0.9.8g: Released on October 19th, 2007 o OpenSSL 0.9.8f: Released on October 11th, 2007 
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index 74638cc9b1..9684280d17 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -751,14 +751,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in switch (servname_type) { case TLSEXT_NAMETYPE_host_name: - if (s->session->tlsext_hostname == NULL) + if (!s->hit) { - if (len > TLSEXT_MAXLEN_host_name || - ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)) + if(s->session->tlsext_hostname) + { + *al = SSL_AD_DECODE_ERROR; + return 0; + } + if (len > TLSEXT_MAXLEN_host_name) { *al = TLS1_AD_UNRECOGNIZED_NAME; return 0; } + if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL) + { + *al = TLS1_AD_INTERNAL_ERROR; + return 0; + } memcpy(s->session->tlsext_hostname, sdata, len); s->session->tlsext_hostname[len]='\0'; if (strlen(s->session->tlsext_hostname) != len) { @@ -771,7 +780,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in } else - s->servername_done = strlen(s->session->tlsext_hostname) == len + s->servername_done = s->session->tlsext_hostname + && strlen(s->session->tlsext_hostname) == len && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0; break; 
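Review bot: The new `if (!s->hit)` guard around the server_name copy carries no comment, so the invariant it enforces is stated only in the CHANGES entry: a resumed session can be shared by several threads and must not be written. I would put that on the guard itself, e.g. `/* Resumed sessions may be shared between threads: never write to s->session when s->hit is set */`; the same unexplained guard appears in the ec_point_formats and elliptic_curves hunks further down. The duplicate-name branch also spells its alert `SSL_AD_DECODE_ERROR`, while every other alert visible in this diff uses the `TLS1_AD_` names; `*al = TLS1_AD_DECODE_ERROR;` would keep it uniform. The enclosing function starts and ends outside the hunk.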
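Review bot: On the resumed path a server_name that differs from the stored one only leaves `s->servername_done` at 0; nothing in this hunk refuses the resumption. RFC 6066 section 3 says a server must not resume a session when the offered name differs, and whatever consumes `servername_done` is outside the hunk, so it is worth confirming that a mismatch actually falls back to a full handshake. If it does, a short comment on the `else` branch such as `/* resumed: compare only, a mismatch must not reuse this session */` would record that for the next reader.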
@@ -802,15 +812,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ecpointformatlist_length = 0;
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ if (!s->hit)
 {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ecpointformatlist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = 0;
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 }
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
 sdata = s->session->tlsext_ecpointformatlist;
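Review bot: The repeated-extension check `if(s->session->tlsext_ecpointformatlist)` now sits inside `if (!s->hit)`, so it fires only for a new session; on a resumed handshake the extension body is skipped altogether and a hello carrying ec_point_formats twice is accepted. That is safe for the shared session, but it makes duplicate rejection depend on resumption and uses the session pointer as the "already seen" marker. If rejecting duplicates is meant as a protocol check, it needs a per-handshake flag rather than session state; at minimum the skip deserves a comment such as `/* resumed: session is read-only, the client's list is not recorded */`. The elliptic_curves hunk that follows has the same shape, and the length validation for both lists is above the hunks and not visible here.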
@@ -831,15 +848,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ellipticcurvelist_length = 0;
- if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
- if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ if (!s->hit)
 {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ellipticcurvelist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = 0;
+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 }
- s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
- memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
 sdata = s->session->tlsext_ellipticcurvelist;
|