OpenSSL CHANGES
_______________
- Changes between 0.9.7c and 0.9.7d [xx XXX XXXX]
+ Changes between 0.9.7c and 0.9.7d [17 Mar 2004]
+
+ *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+ by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+ [Joe Orton, Steve Henson]
+
+ *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
+ (CAN-2004-0112)
+ [Joe Orton, Steve Henson]
*) Make it possible to have multiple active certificates with the same
subject in the CA index file. This is done only if the keyword
* Which is the current version of OpenSSL?
The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7c was released on September 30, 2003.
+OpenSSL 0.9.7d was released on March 17, 2004.
In addition to the current stable release, you can also access daily
snapshots of the OpenSSL development version at <URL:
---------------
/* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+
+ o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
+ o Security: Fix null-pointer assignment in do_change_cipher_spec()
+ o Allow multiple active certificates with same subject in CA index
+ o Multiple X590 verification fixes
+ o Speed up HMAC and other operations
+
Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
o Security: fix various ASN1 parsing bugs.
- OpenSSL 0.9.7c 30 Sep 2003
+ OpenSSL 0.9.7d 17 Mar 2004
- Copyright (c) 1998-2003 The OpenSSL Project
+ Copyright (c) 1998-2004 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
All rights reserved.
OpenSSL STATUS Last modified at
- ______________ $Date: 2003/09/30 12:08:19 $
+ ______________ $Date: 2004/03/17 12:01:16 $
DEVELOPMENT STATE
o OpenSSL 0.9.8: Under development...
+ o OpenSSL 0.9.7d: Released on March 17th, 2004
o OpenSSL 0.9.7c: Released on September 30th, 2003
o OpenSSL 0.9.7b: Released on April 10th, 2003
o OpenSSL 0.9.7a: Released on February 19th, 2003
o OpenSSL 0.9.7: Released on December 31st, 2002
+ o OpenSSL 0.9.6m: Released on March 17th, 2004
+ o OpenSSL 0.9.6l: Released on November 4th, 2003
o OpenSSL 0.9.6k: Released on September 30th, 2003
o OpenSSL 0.9.6j: Released on April 10th, 2003
o OpenSSL 0.9.6i: Released on February 19th, 2003
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-#define OPENSSL_VERSION_NUMBER 0x00907040L
-#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d-dev xx XXX XXXX"
+#define OPENSSL_VERSION_NUMBER 0x0090704fL
+#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.7d 17 Mar 2004"
#define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
%define libmaj 0
%define libmin 9
%define librel 7
-%define librev c
+%define librev d
Release: 1
%define openssldir /var/ssl
goto err;
}
+ /* Check we have a cipher to change to */
+ if (s->s3->tmp.new_cipher == NULL)
+ {
+ i=SSL_AD_UNEXPECTED_MESSAGE;
+ SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+ goto err;
+ }
+
rr->length=0;
if (s->msg_callback)
n2s(p,i);
enc_ticket.length = i;
+
+ if (n < enc_ticket.length + 6)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
enc_ticket.data = (char *)p;
p+=enc_ticket.length;
n2s(p,i);
authenticator.length = i;
+
+ if (n < enc_ticket.length + authenticator.length + 6)
+ {
+ SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
+ SSL_R_DATA_LENGTH_TOO_LONG);
+ goto err;
+ }
+
authenticator.data = (char *)p;
p+=authenticator.length;
projects / openssl.git / commitdiff