From 732d31beeeb2e2e9f44d05da8387cfeca06b91b8 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Tue, 16 Nov 2010 14:18:51 +0000
Subject: [PATCH] bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files

---
 CHANGES | 8 +++++++
 NEWS | 6 ++++++
 STATUS | 13 ++++++++++--
 ssl/t1_lib.c | 60 ++++++++++++++++++++++++++++++++++++----------------
 4 files changed, 67 insertions(+), 20 deletions(-)

diff --git a/CHANGES b/CHANGES
index bc985c517b..f5351f857f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -161,6 +161,10 @@
 Changes between 1.0.0a and 1.0.0b [xx XXX xxxx]
+ *) Fix extension code to avoid race conditions which can result in a buffer
+ overrun vulnerability: resumed sessions must not be modified as they can
+ be shared by multiple threads. CVE-2010-3864
+
 *) Fix WIN32 build system to correctly link an ENGINE directory into a DLL.
 [Steve Henson]
@@ -1014,6 +1018,10 @@
 Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
+ *) Fix extension code to avoid race conditions which can result in a buffer
+ overrun vulnerability: resumed sessions must not be modified as they can
+ be shared by multiple threads. CVE-2010-3864
+
 *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
 [Steve Henson]
diff --git a/NEWS b/NEWS
index 3a787ea06c..23edac2e2b 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@
 This file gives a brief overview of the major changes between each OpenSSL
 release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+
+ o Fix for security issue CVE-2010-3864.
+ o Fix for CVE-2010-2939
+ o Fix WIN32 build system for GOST ENGINE.
+
 Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
 o Fix for security issue CVE-2010-1633.
diff --git a/STATUS b/STATUS
index 1d4f8b9fbe..3692c483f4 100644
--- a/STATUS
+++ b/STATUS
@@ -1,10 +1,19 @@
 OpenSSL STATUS Last modified at
- ______________ $Date: 2009/04/03 11:45:14 $
+ ______________ $Date: 2010/11/16 14:18:51 $
 DEVELOPMENT STATE
- o OpenSSL 1.0.0-beta1: Released on April 1st, 2009
+ o OpenSSL 1.1.0: Under development...
+ o OpenSSL 1.0.0b: Released on November 16th, 2010
+ o OpenSSL 1.0.0a: Released on June 1st, 2010
+ o OpenSSL 1.0.0: Released on March 29th, 2010
+ o OpenSSL 0.9.8n: Released on March 24th, 2010
+ o OpenSSL 0.9.8m: Released on February 25th, 2010
+ o OpenSSL 0.9.8l: Released on November 5th, 2009
+ o OpenSSL 0.9.8k: Released on March 25th, 2009
+ o OpenSSL 0.9.8j: Released on January 7th, 2009
+ o OpenSSL 0.9.8i: Released on September 15th, 2008
 o OpenSSL 0.9.8h: Released on May 28th, 2008
 o OpenSSL 0.9.8g: Released on October 19th, 2007
 o OpenSSL 0.9.8f: Released on October 11th, 2007
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 74638cc9b1..9684280d17 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -751,14 +751,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 switch (servname_type)
 {
 case TLSEXT_NAMETYPE_host_name:
- if (s->session->tlsext_hostname == NULL)
+ if (!s->hit)
 {
- if (len > TLSEXT_MAXLEN_host_name ||
- ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+ if(s->session->tlsext_hostname)
+ {
+ *al = SSL_AD_DECODE_ERROR;
+ return 0;
+ }
+ if (len > TLSEXT_MAXLEN_host_name)
 {
 *al = TLS1_AD_UNRECOGNIZED_NAME;
 return 0;
 }
+ if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
 memcpy(s->session->tlsext_hostname, sdata, len);
 s->session->tlsext_hostname[len]='\0';
 if (strlen(s->session->tlsext_hostname) != len) {
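Review bot: The `if (!s->hit)` guard on the host_name branch carries the whole CVE-2010-3864 fix, yet nothing at the site says why a resumed session must be treated as read-only, and the guard also depends on the session lookup having run before this parser so that `s->hit` is already final (the caller is outside this hunk, so I cannot confirm that ordering here). I would add directly above the guard: `/* A resumed session may be shared with other threads: never modify it, only compare against it (CVE-2010-3864). */`. The duplicate-extension check here uses `SSL_AD_DECODE_ERROR` while the equivalent checks in the ecpointformatlist and ellipticcurvelist hunks use `TLS1_AD_DECODE_ERROR`; if these name the same alert value, as their names suggest, one spelling keeps the three sites greppable together. The enclosing switch and ssl_parse_clienthello_tlsext continue past the end of the hunk.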
@@ -771,7 +780,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 }
 else
- s->servername_done = strlen(s->session->tlsext_hostname) == len
+ s->servername_done = s->session->tlsext_hostname
+ && strlen(s->session->tlsext_hostname) == len
 && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
 break;
@@ -802,15 +812,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ecpointformatlist_length = 0;
- if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
- if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ if (!s->hit)
 {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ecpointformatlist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = 0;
+ if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+ memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 }
- s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
- memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
 sdata = s->session->tlsext_ecpointformatlist;
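Review bot: The new `s->session->tlsext_hostname &&` term is the only thing keeping `strlen` away from a NULL pointer when the resumed session was originally negotiated without SNI, and that intent is not visible from the expression; a comment on the `else` arm would stop a later edit from "simplifying" it away, e.g. `/* Resumed session: only compare, never store; the stored name may be NULL if the original handshake carried no SNI. */`. Within this hunk a mismatch on the resumed path only leaves `servername_done` false and then hits `break;`, so the handshake is not aborted here; if that is the intended policy it deserves a sentence in the same comment. The `else` belongs to the `if (!s->hit)` of the preceding hunk, and the switch continues outside this one.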
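Review bot: Inside the new `if (!s->hit)` block, `s->session->tlsext_ecpointformatlist_length = 0;` is a leftover of the old free-and-reallocate path: the check immediately above now rejects any session that already carries a list, so the assignment is only reached with the pointer NULL, and zeroing the length first no longer buys anything unless a session can hold a NULL pointer with a non-zero length (not decidable from this hunk). The same leftover, `s->session->tlsext_ellipticcurvelist_length = 0;`, sits in the ellipticcurvelist hunk below. Both sites would also benefit from a comment on the `if (!s->hit)` explaining the asymmetry with host_name, where the resumed session's value is compared while here the client's list is ignored outright: `/* Resumed session: keep the list negotiated originally; the session may be shared with other threads (CVE-2010-3864). */`. Lastly, `OPENSSL_malloc(ecpointformatlist_length)` is reached without a visible guard that the length is non-zero, so if the length check just above the hunk admits zero, a zero-byte allocation returning NULL would surface as internal_error rather than decode_error; the enclosing function continues outside the hunk.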
@@ -831,15 +848,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 *al = TLS1_AD_DECODE_ERROR;
 return 0;
 }
- s->session->tlsext_ellipticcurvelist_length = 0;
- if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
- if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ if (!s->hit)
 {
- *al = TLS1_AD_INTERNAL_ERROR;
- return 0;
+ if(s->session->tlsext_ellipticcurvelist)
+ {
+ *al = TLS1_AD_DECODE_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = 0;
+ if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+ {
+ *al = TLS1_AD_INTERNAL_ERROR;
+ return 0;
+ }
+ s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+ memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 }
- s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
- memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
 fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
 sdata = s->session->tlsext_ellipticcurvelist;
--
2.25.1