diff options
| author | Mark J. Cox <mark@openssl.org> | 2005-10-11 14:10:05 +0400 |
|---|---|---|
| committer | Mark J. Cox <mark@openssl.org> | 2005-10-11 14:10:05 +0400 |
| commit | a40916cbba82e54f632c5312b4c02248ba49760e (patch) | |
| tree | 24c16b2fcef0a65665b346592cb1375c7295a801 | |
| parent | 62ecdf077f5788ff99cca1e6411ded610601c928 (diff) | |
Add fixes for CAN-2005-2969OpenSSL_0_9_7h
Bump release ready for OpenSSL_0_9_7h tag
| -rw-r--r-- | CHANGES | 15 | ||||
| -rw-r--r-- | FAQ | 2 | ||||
| -rw-r--r-- | NEWS | 6 | ||||
| -rw-r--r-- | README | 2 | ||||
| -rw-r--r-- | STATUS | 7 | ||||
| -rw-r--r-- | crypto/opensslv.h | 6 | ||||
| -rw-r--r-- | doc/ssl/SSL_CTX_set_options.pod | 2 | ||||
| -rw-r--r-- | ssl/s23_srvr.c | 7 | ||||
| -rw-r--r-- | ssl/ssl.h | 2 |
9 files changed, 33 insertions, 16 deletions
@@ -2,7 +2,17 @@ OpenSSL CHANGES _______________ - Changes between 0.9.7g and 0.9.7h [XX xxx XXXX] + Changes between 0.9.7g and 0.9.7h [11 Oct 2005] + + *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING + (part of SSL_OP_ALL). This option used to disable the + countermeasure against man-in-the-middle protocol-version + rollback in the SSL 2.0 server implementation, which is a bad + idea. (CAN-2005-2969) + + [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center + for Information Security, National Institute of Advanced Industrial + Science and Technology [AIST], Japan)] *) Minimal support for X9.31 signatures and PSS padding modes. This is mainly for FIPS compliance and not fully integrated at this stage. @@ -53,6 +63,9 @@ Changes between 0.9.7f and 0.9.7g [11 Apr 2005] + [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after + OpenSSL 0.9.8.] + *) Fixes for newer kerberos headers. NB: the casts are needed because the 'length' field is signed on one version and unsigned on another with no (?) obvious way to tell the difference, without these VC++ @@ -70,7 +70,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from <URL: http://www.openssl.org>. -OpenSSL 0.9.7g was released on April 11, 2005. +OpenSSL 0.9.7h was released on October 11, 2005. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at <URL: @@ -5,6 +5,12 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h: + + o Fix SSL 2.0 Rollback, CAN-2005-2969 + o Allow use of fixed-length exponent on DSA signing + o Default fixed-window RSA, DSA, DH private-key operations + Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g: o More compilation issues fixed. @@ -1,5 +1,5 @@ - OpenSSL 0.9.7h-dev XX xxx XXXX + OpenSSL 0.9.7h 11 Oct 2005 Copyright (c) 1998-2005 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson @@ -1,10 +1,13 @@ OpenSSL STATUS Last modified at - ______________ $Date: 2005/04/11 15:10:06 $ + ______________ $Date: 2005/10/11 10:10:03 $ DEVELOPMENT STATE - o OpenSSL 0.9.8: Under development... + o OpenSSL 0.9.9: Under development... + o OpenSSL 0.9.8a: Released on October 11th, 2005 + o OpenSSL 0.9.8: Released on July 5th, 2005 + o OpenSSL 0.9.7h: Released on October 11th, 2005 o OpenSSL 0.9.7g: Released on April 11th, 2005 o OpenSSL 0.9.7f: Released on March 22nd, 2005 o OpenSSL 0.9.7e: Released on October 25th, 2004 diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 1c6053defb..8993dae43e 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x00907080L +#define OPENSSL_VERSION_NUMBER 0x0090708fL #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7h-fips-dev XX xxx XXXX" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7h-fips 11 Oct 2005" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7h-dev XX xxx XXXX" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7h 11 Oct 2005" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod index 5ab1b32f93..fa63263601 100644 --- a/doc/ssl/SSL_CTX_set_options.pod +++ b/doc/ssl/SSL_CTX_set_options.pod @@ -86,7 +86,7 @@ doing a re-connect, always takes the first cipher in the cipher list. =item SSL_OP_MSIE_SSLV2_RSA_PADDING -... +As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect. =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG diff --git a/ssl/s23_srvr.c b/ssl/s23_srvr.c index 92f3391f60..1612ba2b1d 100644 --- a/ssl/s23_srvr.c +++ b/ssl/s23_srvr.c @@ -268,9 +268,6 @@ int ssl23_get_client_hello(SSL *s) int n=0,j; int type=0; int v[2]; -#ifndef OPENSSL_NO_RSA - int use_sslv2_strong=0; -#endif if (s->state == SSL23_ST_SR_CLNT_HELLO_A) { @@ -528,9 +525,7 @@ int ssl23_get_client_hello(SSL *s) } s->state=SSL2_ST_GET_CLIENT_HELLO_A; - if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) || - use_sslv2_strong || - (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)) + if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3) s->s2->ssl2_rollback=0; else /* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0 @@ -467,7 +467,7 @@ typedef struct ssl_session_st #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L -#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L +#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since 0.9.7h and 0.9.8b */ #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L #define SSL_OP_TLS_D5_BUG 0x00000100L #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L |