diff options
Diffstat (limited to 'openssl')
-rw-r--r-- | openssl/CHANGES | 10 | ||||
-rw-r--r-- | openssl/FAQ | 2 | ||||
-rw-r--r-- | openssl/Makefile | 4 | ||||
-rw-r--r-- | openssl/NEWS | 4 | ||||
-rw-r--r-- | openssl/README | 2 | ||||
-rw-r--r-- | openssl/apps/CA.pl | 2 | ||||
-rw-r--r-- | openssl/crypto/asn1/asn1.h | 1 | ||||
-rw-r--r-- | openssl/crypto/asn1/asn1_err.c | 1 | ||||
-rw-r--r-- | openssl/crypto/opensslv.h | 6 | ||||
-rw-r--r-- | openssl/crypto/stack/safestack.h | 22 | ||||
-rw-r--r-- | openssl/openssl.spec | 2 | ||||
-rw-r--r-- | openssl/ssl/s3_lib.c | 3 | ||||
-rw-r--r-- | openssl/ssl/s3_pkt.c | 4 | ||||
-rw-r--r-- | openssl/ssl/s3_srvr.c | 8 | ||||
-rw-r--r-- | openssl/ssl/ssl.h | 1 | ||||
-rw-r--r-- | openssl/ssl/ssl3.h | 9 | ||||
-rw-r--r-- | openssl/ssl/ssl_err.c | 1 | ||||
-rw-r--r-- | openssl/tools/c_rehash | 2 |
18 files changed, 69 insertions, 15 deletions
diff --git a/openssl/CHANGES b/openssl/CHANGES index 04d332e33..3c9f51c5b 100644 --- a/openssl/CHANGES +++ b/openssl/CHANGES @@ -2,6 +2,16 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8k and 0.9.8l [5 Nov 2009] + + *) Disable renegotiation completely - this fixes a severe security + problem (CVE-2009-3555) at the cost of breaking all + renegotiation. Renegotiation can be re-enabled by setting + SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION in s3->flags at + run-time. This is really not recommended unless you know what + you're doing. + [Ben Laurie] + Changes between 0.9.8j and 0.9.8k [25 Mar 2009] *) Don't set val to NULL when freeing up structures, it is freed up by diff --git a/openssl/FAQ b/openssl/FAQ index 942a671f2..93613bb19 100644 --- a/openssl/FAQ +++ b/openssl/FAQ @@ -78,7 +78,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.8k was released on Mar 25th, 2009. +OpenSSL 0.9.8l was released on Nov 5th, 2009. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: diff --git a/openssl/Makefile b/openssl/Makefile index 57d742e4d..cec055f63 100644 --- a/openssl/Makefile +++ b/openssl/Makefile @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8k +VERSION=0.9.8l MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 @@ -69,7 +69,7 @@ ARFLAGS= AR=ar $(ARFLAGS) r ARD=ar $(ARFLAGS) d RANLIB= /usr/bin/ranlib -PERL= /usr/bin/perl +PERL= /usr/bin/perl5 TAR= tar TARFLAGS= --no-recursion MAKEDEPPROG=makedepend diff --git a/openssl/NEWS b/openssl/NEWS index 37156fc59..87ed3646e 100644 --- a/openssl/NEWS +++ b/openssl/NEWS @@ -5,6 +5,10 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l: + + o Ban renegotiation. + Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k: o Fix various build issues. diff --git a/openssl/README b/openssl/README index 99a6a7b4b..b976e2b0f 100644 --- a/openssl/README +++ b/openssl/README @@ -1,5 +1,5 @@ - OpenSSL 0.9.8k + OpenSSL 0.9.8l Copyright (c) 1998-2008 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/openssl/apps/CA.pl b/openssl/apps/CA.pl index a3965ecea..05f11dd61 100644 --- a/openssl/apps/CA.pl +++ b/openssl/apps/CA.pl @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl5 # # CA - wrapper around ca to make it easier to use ... basically ca requires # some setup stuff to be done before you can use it and this makes diff --git a/openssl/crypto/asn1/asn1.h b/openssl/crypto/asn1/asn1.h index e3385226d..b57aac0d3 100644 --- a/openssl/crypto/asn1/asn1.h +++ b/openssl/crypto/asn1/asn1.h @@ -1158,6 +1158,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_F_ASN1_VERIFY 137 #define ASN1_F_B64_READ_ASN1 208 #define ASN1_F_B64_WRITE_ASN1 209 +#define ASN1_F_BIO_NEW_NDEF 212 #define ASN1_F_BITSTR_CB 180 #define ASN1_F_BN_TO_ASN1_ENUMERATED 138 #define ASN1_F_BN_TO_ASN1_INTEGER 139 diff --git a/openssl/crypto/asn1/asn1_err.c b/openssl/crypto/asn1/asn1_err.c index 5f5de98ee..1cf41e55e 100644 --- a/openssl/crypto/asn1/asn1_err.c +++ b/openssl/crypto/asn1/asn1_err.c @@ -132,6 +132,7 @@ static ERR_STRING_DATA ASN1_str_functs[]= {ERR_FUNC(ASN1_F_ASN1_VERIFY), "ASN1_verify"}, {ERR_FUNC(ASN1_F_B64_READ_ASN1), "B64_READ_ASN1"}, {ERR_FUNC(ASN1_F_B64_WRITE_ASN1), "B64_WRITE_ASN1"}, +{ERR_FUNC(ASN1_F_BIO_NEW_NDEF), "BIO_NEW_NDEF"}, {ERR_FUNC(ASN1_F_BITSTR_CB), "BITSTR_CB"}, {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED), "BN_to_ASN1_ENUMERATED"}, {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER), "BN_to_ASN1_INTEGER"}, diff --git a/openssl/crypto/opensslv.h b/openssl/crypto/opensslv.h index c6207f76b..c41a38a36 100644 --- a/openssl/crypto/opensslv.h +++ b/openssl/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x009080bfL +#define OPENSSL_VERSION_NUMBER 0x009080cfL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k-fips 25 Mar 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8l-fips 5 Nov 2009" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8k 25 Mar 2009" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8l 5 Nov 2009" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl/crypto/stack/safestack.h b/openssl/crypto/stack/safestack.h index 40b17902e..5e482a2ef 100644 --- a/openssl/crypto/stack/safestack.h +++ b/openssl/crypto/stack/safestack.h @@ -678,6 +678,28 @@ STACK_OF(type) \ #define sk_ENGINE_CLEANUP_ITEM_sort(st) SKM_sk_sort(ENGINE_CLEANUP_ITEM, (st)) #define sk_ENGINE_CLEANUP_ITEM_is_sorted(st) SKM_sk_is_sorted(ENGINE_CLEANUP_ITEM, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_new(st) SKM_sk_new(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_new_null() SKM_sk_new_null(EVP_PKEY_ASN1_METHOD) +#define sk_EVP_PKEY_ASN1_METHOD_free(st) SKM_sk_free(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_num(st) SKM_sk_num(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_value(st, i) SKM_sk_value(EVP_PKEY_ASN1_METHOD, (st), (i)) +#define sk_EVP_PKEY_ASN1_METHOD_set(st, i, val) SKM_sk_set(EVP_PKEY_ASN1_METHOD, (st), (i), (val)) +#define sk_EVP_PKEY_ASN1_METHOD_zero(st) SKM_sk_zero(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_push(st, val) SKM_sk_push(EVP_PKEY_ASN1_METHOD, (st), (val)) +#define sk_EVP_PKEY_ASN1_METHOD_unshift(st, val) SKM_sk_unshift(EVP_PKEY_ASN1_METHOD, (st), (val)) +#define sk_EVP_PKEY_ASN1_METHOD_find(st, val) SKM_sk_find(EVP_PKEY_ASN1_METHOD, (st), (val)) +#define sk_EVP_PKEY_ASN1_METHOD_find_ex(st, val) SKM_sk_find_ex(EVP_PKEY_ASN1_METHOD, (st), (val)) +#define sk_EVP_PKEY_ASN1_METHOD_delete(st, i) SKM_sk_delete(EVP_PKEY_ASN1_METHOD, (st), (i)) +#define sk_EVP_PKEY_ASN1_METHOD_delete_ptr(st, ptr) SKM_sk_delete_ptr(EVP_PKEY_ASN1_METHOD, (st), (ptr)) +#define sk_EVP_PKEY_ASN1_METHOD_insert(st, val, i) SKM_sk_insert(EVP_PKEY_ASN1_METHOD, (st), (val), (i)) +#define sk_EVP_PKEY_ASN1_METHOD_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(EVP_PKEY_ASN1_METHOD, (st), (cmp)) +#define sk_EVP_PKEY_ASN1_METHOD_dup(st) SKM_sk_dup(EVP_PKEY_ASN1_METHOD, st) +#define sk_EVP_PKEY_ASN1_METHOD_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY_ASN1_METHOD, (st), (free_func)) +#define sk_EVP_PKEY_ASN1_METHOD_shift(st) SKM_sk_shift(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_pop(st) SKM_sk_pop(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_sort(st) SKM_sk_sort(EVP_PKEY_ASN1_METHOD, (st)) +#define sk_EVP_PKEY_ASN1_METHOD_is_sorted(st) SKM_sk_is_sorted(EVP_PKEY_ASN1_METHOD, (st)) + #define sk_GENERAL_NAME_new(st) SKM_sk_new(GENERAL_NAME, (st)) #define sk_GENERAL_NAME_new_null() SKM_sk_new_null(GENERAL_NAME) #define sk_GENERAL_NAME_free(st) SKM_sk_free(GENERAL_NAME, (st)) diff --git a/openssl/openssl.spec b/openssl/openssl.spec index 329e3925b..1f9be87eb 100644 --- a/openssl/openssl.spec +++ b/openssl/openssl.spec @@ -1,7 +1,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev k +%define librev l Release: 1 %define openssldir /var/ssl diff --git a/openssl/ssl/s3_lib.c b/openssl/ssl/s3_lib.c index 8916a0b1b..5aa7bb21d 100644 --- a/openssl/ssl/s3_lib.c +++ b/openssl/ssl/s3_lib.c @@ -2592,6 +2592,9 @@ int ssl3_renegotiate(SSL *s) if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) return(0); + if (!(s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + return(0); + s->s3->renegotiate=1; return(1); } diff --git a/openssl/ssl/s3_pkt.c b/openssl/ssl/s3_pkt.c index 9476dcddf..b98b84044 100644 --- a/openssl/ssl/s3_pkt.c +++ b/openssl/ssl/s3_pkt.c @@ -985,6 +985,7 @@ start: if (SSL_is_init_finished(s) && !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION) && !s->s3->renegotiate) { ssl3_renegotiate(s); @@ -1117,7 +1118,8 @@ start: if ((s->s3->handshake_fragment_len >= 4) && !s->in_handshake) { if (((s->state&SSL_ST_MASK) == SSL_ST_OK) && - !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)) + !(s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) && + (s->s3->flags & SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) { #if 0 /* worked only because C operator preferences are not as expected (and * because this is not really needed for clients except for detecting diff --git a/openssl/ssl/s3_srvr.c b/openssl/ssl/s3_srvr.c index 80b45eb86..79f3706c3 100644 --- a/openssl/ssl/s3_srvr.c +++ b/openssl/ssl/s3_srvr.c @@ -718,6 +718,14 @@ int ssl3_get_client_hello(SSL *s) #endif STACK_OF(SSL_CIPHER) *ciphers=NULL; + if (s->new_session + && !(s->s3->flags&SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)) + { + al=SSL_AD_HANDSHAKE_FAILURE; + SSLerr(SSL_F_SSL3_GET_CLIENT_HELLO, ERR_R_INTERNAL_ERROR); + goto f_err; + } + /* We do this so that we will respond with our native type. * If we are TLSv1 and we get SSLv3, we will respond with TLSv1, * This down switching should be handled by a different method. diff --git a/openssl/ssl/ssl.h b/openssl/ssl/ssl.h index ff8a128d3..5ef11a3b2 100644 --- a/openssl/ssl/ssl.h +++ b/openssl/ssl/ssl.h @@ -1952,6 +1952,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_NO_PRIVATE_KEY_ASSIGNED 190 #define SSL_R_NO_PROTOCOLS_AVAILABLE 191 #define SSL_R_NO_PUBLICKEY 192 +#define SSL_R_NO_RENEGOTIATION 318 #define SSL_R_NO_SHARED_CIPHER 193 #define SSL_R_NO_VERIFY_CALLBACK 194 #define SSL_R_NULL_SSL_CTX 195 diff --git a/openssl/ssl/ssl3.h b/openssl/ssl/ssl3.h index 4b1e2e983..a1a19cbfc 100644 --- a/openssl/ssl/ssl3.h +++ b/openssl/ssl/ssl3.h @@ -326,10 +326,11 @@ typedef struct ssl3_buffer_st #define SSL3_CT_NUMBER 7 -#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 -#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 -#define SSL3_FLAGS_POP_BUFFER 0x0004 -#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 +#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 +#define SSL3_FLAGS_POP_BUFFER 0x0004 +#define TLS1_FLAGS_TLS_PADDING_BUG 0x0008 +#define SSL3_FLAGS_ALLOW_UNSAFE_LEGACY_RENEGOTIATION 0x0010 typedef struct ssl3_state_st { diff --git a/openssl/ssl/ssl_err.c b/openssl/ssl/ssl_err.c index 24a994fe0..ce2a5557a 100644 --- a/openssl/ssl/ssl_err.c +++ b/openssl/ssl/ssl_err.c @@ -384,6 +384,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {ERR_REASON(SSL_R_NO_PRIVATE_KEY_ASSIGNED),"no private key assigned"}, {ERR_REASON(SSL_R_NO_PROTOCOLS_AVAILABLE),"no protocols available"}, {ERR_REASON(SSL_R_NO_PUBLICKEY) ,"no publickey"}, +{ERR_REASON(SSL_R_NO_RENEGOTIATION) ,"no renegotiation"}, {ERR_REASON(SSL_R_NO_SHARED_CIPHER) ,"no shared cipher"}, {ERR_REASON(SSL_R_NO_VERIFY_CALLBACK) ,"no verify callback"}, {ERR_REASON(SSL_R_NULL_SSL_CTX) ,"null ssl ctx"}, diff --git a/openssl/tools/c_rehash b/openssl/tools/c_rehash index e614fb546..bfd964961 100644 --- a/openssl/tools/c_rehash +++ b/openssl/tools/c_rehash @@ -1,4 +1,4 @@ -#!/usr/bin/perl +#!/usr/bin/perl5 # Perl c_rehash script, scan all files in a directory |