bring HEAD up to date, add CVE-2010-3864 fix, update NEWS files
authorDr. Stephen Henson <steve@openssl.org>
Tue, 16 Nov 2010 14:18:51 +0000 (14:18 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 16 Nov 2010 14:18:51 +0000 (14:18 +0000)
CHANGES
NEWS
STATUS
ssl/t1_lib.c

diff --git a/CHANGES b/CHANGES
index bc985c517b710677d4c0f0dab4557226575a0bea..f5351f857f13c2030a21d0447aa6cee771af9fe6 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
  Changes between 1.0.0a and 1.0.0b  [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
   *) Fix WIN32 build system to correctly link an ENGINE directory into
      a DLL. 
      [Steve Henson]
   
  Changes between 0.9.8o and 0.9.8p [xx XXX xxxx]
 
+  *) Fix extension code to avoid race conditions which can result in a buffer
+     overrun vulnerability: resumed sessions must not be modified as they can
+     be shared by multiple threads. CVE-2010-3864
+
   *) Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939
      [Steve Henson]
 
diff --git a/NEWS b/NEWS
index 3a787ea06cef7296aeaaaf2d5a77e74b2d160f53..23edac2e2b493ecc2a08ccea436ec2b958607af8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+
+      o Fix for security issue CVE-2010-3864.
+      o Fix for CVE-2010-2939
+      o Fix WIN32 build system for GOST ENGINE.
+
   Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
 
       o Fix for security issue CVE-2010-1633.
diff --git a/STATUS b/STATUS
index 1d4f8b9fbe9499f145b22b6f5d1f6ea39fa72892..3692c483f49bccaabaf859a7a906a7c0a67e8d97 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -1,10 +1,19 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2009/04/03 11:45:14 $
+  ______________                           $Date: 2010/11/16 14:18:51 $
 
   DEVELOPMENT STATE
 
-    o  OpenSSL 1.0.0-beta1: Released on April 1st, 2009
+    o  OpenSSL 1.1.0:  Under development...
+    o  OpenSSL 1.0.0b: Released on November  16th, 2010
+    o  OpenSSL 1.0.0a: Released on June      1st,  2010
+    o  OpenSSL 1.0.0:  Released on March     29th, 2010
+    o  OpenSSL 0.9.8n: Released on March     24th, 2010
+    o  OpenSSL 0.9.8m: Released on February  25th, 2010
+    o  OpenSSL 0.9.8l: Released on November   5th, 2009
+    o  OpenSSL 0.9.8k: Released on March     25th, 2009
+    o  OpenSSL 0.9.8j: Released on January    7th, 2009
+    o  OpenSSL 0.9.8i: Released on September 15th, 2008
     o  OpenSSL 0.9.8h: Released on May       28th, 2008
     o  OpenSSL 0.9.8g: Released on October   19th, 2007
     o  OpenSSL 0.9.8f: Released on October   11th, 2007
index 74638cc9b12f851e224eabd0b3ef8ca8dc76f2bc..9684280d173f5285ab5189a55cb609afad0cabfb 100644 (file)
@@ -751,14 +751,23 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                switch (servname_type)
                                        {
                                case TLSEXT_NAMETYPE_host_name:
-                                       if (s->session->tlsext_hostname == NULL)
+                                       if (!s->hit)
                                                {
-                                               if (len > TLSEXT_MAXLEN_host_name || 
-                                                       ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL))
+                                               if(s->session->tlsext_hostname)
+                                                       {
+                                                       *al = SSL_AD_DECODE_ERROR;
+                                                       return 0;
+                                                       }
+                                               if (len > TLSEXT_MAXLEN_host_name)
                                                        {
                                                        *al = TLS1_AD_UNRECOGNIZED_NAME;
                                                        return 0;
                                                        }
+                                               if ((s->session->tlsext_hostname = OPENSSL_malloc(len+1)) == NULL)
+                                                       {
+                                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                                       return 0;
+                                                       }
                                                memcpy(s->session->tlsext_hostname, sdata, len);
                                                s->session->tlsext_hostname[len]='\0';
                                                if (strlen(s->session->tlsext_hostname) != len) {
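Review bot: The `if (!s->hit)` guard at L84 carries the whole security rationale of this commit, but nothing in the code says why a resumed session must be left untouched; a comment above it such as `/* Never modify a resumed session: it may be shared with other threads (CVE-2010-3864) */` would stop a later cleanup from "simplifying" it away, and the same comment belongs on the identical guards introduced in the ecpointformatlist and ellipticcurvelist hunks below. The new duplicate check is written `if(s->session->tlsext_hostname)` while the adjacent lines use `if (`; `if (s->session->tlsext_hostname)` keeps the file's spacing. ssl_parse_clienthello_tlsext begins and ends outside this hunk.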
@@ -771,7 +780,8 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
 
                                                }
                                        else 
-                                               s->servername_done = strlen(s->session->tlsext_hostname) == len 
+                                               s->servername_done = s->session->tlsext_hostname
+                                                       && strlen(s->session->tlsext_hostname) == len 
                                                        && strncmp(s->session->tlsext_hostname, (char *)sdata, len) == 0;
                                        
                                        break;
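Review bot: The `else` at L109 now governs a statement spread over three lines without braces; the file braces multi-line bodies on their own indented line, so wrapping the `s->servername_done = ...` assignment in `{` and `}` would match the `if (!s->hit)` branch it pairs with and prevents a later edit from silently attaching a second statement to the `else`. The trailing whitespace after `else` and after `== len` on L112 could be dropped in the same edit. The `if (!s->hit)` this `else` belongs to starts in the previous hunk, outside this one.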
@@ -802,15 +812,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ecpointformatlist_length = 0;
-                       if (s->session->tlsext_ecpointformatlist != NULL) OPENSSL_free(s->session->tlsext_ecpointformatlist);
-                       if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               if(s->session->tlsext_ecpointformatlist)
+                                       {
+                                       *al = TLS1_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = 0;
+                               if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+                               memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
                                }
-                       s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
-                       memcpy(s->session->tlsext_ecpointformatlist, sdata, ecpointformatlist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ecpointformatlist (length=%i) ", s->session->tlsext_ecpointformatlist_length);
                        sdata = s->session->tlsext_ecpointformatlist;
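Review bot: `s->session->tlsext_ecpointformatlist_length = 0;` at L132 is a remnant of the removed free-and-reallocate sequence; with the preceding check guaranteeing the pointer is NULL, its only apparent remaining role is to keep the length consistent with a NULL pointer should OPENSSL_malloc fail on the next line, which is not obvious to a reader. Either add `/* length stays 0 until the buffer is allocated */` above it or drop the line; the same applies to the `tlsext_ellipticcurvelist_length = 0` line in the following hunk. `if(s->session->tlsext_ecpointformatlist)` should read `if (s->session->tlsext_ecpointformatlist)` to match the surrounding `if (` spacing, likewise for the ellipticcurvelist check.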
@@ -831,15 +848,22 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                *al = TLS1_AD_DECODE_ERROR;
                                return 0;
                                }
-                       s->session->tlsext_ellipticcurvelist_length = 0;
-                       if (s->session->tlsext_ellipticcurvelist != NULL) OPENSSL_free(s->session->tlsext_ellipticcurvelist);
-                       if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+                       if (!s->hit)
                                {
-                               *al = TLS1_AD_INTERNAL_ERROR;
-                               return 0;
+                               if(s->session->tlsext_ellipticcurvelist)
+                                       {
+                                       *al = TLS1_AD_DECODE_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ellipticcurvelist_length = 0;
+                               if ((s->session->tlsext_ellipticcurvelist = OPENSSL_malloc(ellipticcurvelist_length)) == NULL)
+                                       {
+                                       *al = TLS1_AD_INTERNAL_ERROR;
+                                       return 0;
+                                       }
+                               s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
+                               memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
                                }
-                       s->session->tlsext_ellipticcurvelist_length = ellipticcurvelist_length;
-                       memcpy(s->session->tlsext_ellipticcurvelist, sdata, ellipticcurvelist_length);
 #if 0
                        fprintf(stderr,"ssl_parse_clienthello_tlsext s->session->tlsext_ellipticcurvelist (length=%i) ", s->session->tlsext_ellipticcurvelist_length);
                        sdata = s->session->tlsext_ellipticcurvelist;