Loading CHANGES +27 −1 Original line number Diff line number Diff line Loading @@ -2,7 +2,7 @@ OpenSSL CHANGES _______________ Changes between 0.9.8c and 0.9.9 [xx XXX xxxx] Changes between 0.9.8d and 0.9.9 [xx XXX xxxx] *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. Modify get_crl() to find a valid (unexpired) CRL if possible. Loading Loading @@ -379,6 +379,32 @@ Changes between 0.9.8c and 0.9.8d [xx XXX xxxx] *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites match only those. Before that, "AES256-SHA" would be interpreted as a pattern and match "AES128-SHA" too since we currently only have a single AES bit in the ciphersuite description bitmap. That change, however, also applied to ciphersuite strings such as "RC4-MD5" that intentionally matched multiple ciphersuites -- namely, SSL 2.0 ciphersuites in addition to the more common ones from SSL 3.0/TLS 1.0. So we change the selection algorithm again: Naming an explicit ciphersuite selects this one ciphersuite, and any other similar ciphersuite (same bitmap) from *other* protocol versions. Thus, "RC4-MD5" again will properly select both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. Since SSL 2.0 does not have any ciphersuites for which the 128/256 bit distinction would be relevant, this works for now. The proper fix will be to use different bits for AES128 and AES256, which would have avoided the problems from the beginning; however, bits are scarce, so we can only do this in a new release (not just a patchlevel) when we can change the SSL_CIPHER definition to split the single 'unsigned long mask' bitmap into multiple values to extend the available space. [Bodo Moeller] Changes between 0.9.8b and 0.9.8c [05 Sep 2006] *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher Loading ssl/ssl_ciph.c +16 −12 Original line number Diff line number Diff line Loading @@ -638,7 +638,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, *ca_curr = NULL; /* end of list */ } static void ssl_cipher_apply_rule(unsigned long cipher_id, static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version, unsigned long algorithms, unsigned long mask, unsigned long algo_strength, unsigned long mask_strength, int rule, int strength_bits, Loading @@ -665,9 +665,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, cp = curr->cipher; /* If explicit cipher suite match that one only */ /* If explicit cipher suite, match only that one for its own protocol version. * Usual selection criteria will be used for similar ciphersuites from other version! */ if (cipher_id) if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version) { if (cp->id != cipher_id) continue; Loading Loading @@ -789,7 +790,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, */ for (i = max_strength_bits; i >= 0; i--) if (number_uses[i] > 0) ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i, ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); OPENSSL_free(number_uses); Loading @@ -803,7 +804,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, unsigned long algorithms, mask, algo_strength, mask_strength; const char *l, *start, *buf; int j, multi, found, rule, retval, ok, buflen; unsigned long cipher_id = 0; unsigned long cipher_id = 0, ssl_version = 0; char ch; retval = 1; Loading Loading @@ -894,6 +895,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, */ j = found = 0; cipher_id = 0; ssl_version = 0; while (ca_list[j]) { if (!strncmp(buf, ca_list[j]->name, buflen) && Loading @@ -908,12 +910,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, if (!found) break; /* ignore this entry */ if (ca_list[j]->valid) { cipher_id = ca_list[j]->id; break; } /* New algorithms: * 1 - any old restrictions apply outside new mask * 2 - any new restrictions apply outside old mask Loading @@ -928,6 +924,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str, (algo_strength & ca_list[j]->algo_strength); mask_strength |= ca_list[j]->mask_strength; /* explicit ciphersuite found */ if (ca_list[j]->valid) { cipher_id = ca_list[j]->id; ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK; break; } if (!multi) break; } Loading Loading @@ -956,7 +960,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, } else if (found) { ssl_cipher_apply_rule(cipher_id, algorithms, mask, ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask, algo_strength, mask_strength, rule, -1, head_p, tail_p); } Loading Loading
CHANGES +27 −1 Original line number Diff line number Diff line Loading @@ -2,7 +2,7 @@ OpenSSL CHANGES _______________ Changes between 0.9.8c and 0.9.9 [xx XXX xxxx] Changes between 0.9.8d and 0.9.9 [xx XXX xxxx] *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names. Modify get_crl() to find a valid (unexpired) CRL if possible. Loading Loading @@ -379,6 +379,32 @@ Changes between 0.9.8c and 0.9.8d [xx XXX xxxx] *) Since 0.9.8b, ciphersuite strings naming explicit ciphersuites match only those. Before that, "AES256-SHA" would be interpreted as a pattern and match "AES128-SHA" too since we currently only have a single AES bit in the ciphersuite description bitmap. That change, however, also applied to ciphersuite strings such as "RC4-MD5" that intentionally matched multiple ciphersuites -- namely, SSL 2.0 ciphersuites in addition to the more common ones from SSL 3.0/TLS 1.0. So we change the selection algorithm again: Naming an explicit ciphersuite selects this one ciphersuite, and any other similar ciphersuite (same bitmap) from *other* protocol versions. Thus, "RC4-MD5" again will properly select both the SSL 2.0 ciphersuite and the SSL 3.0/TLS 1.0 ciphersuite. Since SSL 2.0 does not have any ciphersuites for which the 128/256 bit distinction would be relevant, this works for now. The proper fix will be to use different bits for AES128 and AES256, which would have avoided the problems from the beginning; however, bits are scarce, so we can only do this in a new release (not just a patchlevel) when we can change the SSL_CIPHER definition to split the single 'unsigned long mask' bitmap into multiple values to extend the available space. [Bodo Moeller] Changes between 0.9.8b and 0.9.8c [05 Sep 2006] *) Avoid PKCS #1 v1.5 signature attack discovered by Daniel Bleichenbacher Loading
ssl/ssl_ciph.c +16 −12 Original line number Diff line number Diff line Loading @@ -638,7 +638,7 @@ static void ssl_cipher_collect_aliases(SSL_CIPHER **ca_list, *ca_curr = NULL; /* end of list */ } static void ssl_cipher_apply_rule(unsigned long cipher_id, static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long ssl_version, unsigned long algorithms, unsigned long mask, unsigned long algo_strength, unsigned long mask_strength, int rule, int strength_bits, Loading @@ -665,9 +665,10 @@ static void ssl_cipher_apply_rule(unsigned long cipher_id, cp = curr->cipher; /* If explicit cipher suite match that one only */ /* If explicit cipher suite, match only that one for its own protocol version. * Usual selection criteria will be used for similar ciphersuites from other version! */ if (cipher_id) if (cipher_id && (cp->algorithms & SSL_SSL_MASK) == ssl_version) { if (cp->id != cipher_id) continue; Loading Loading @@ -789,7 +790,7 @@ static int ssl_cipher_strength_sort(CIPHER_ORDER **head_p, */ for (i = max_strength_bits; i >= 0; i--) if (number_uses[i] > 0) ssl_cipher_apply_rule(0, 0, 0, 0, 0, CIPHER_ORD, i, ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, CIPHER_ORD, i, head_p, tail_p); OPENSSL_free(number_uses); Loading @@ -803,7 +804,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, unsigned long algorithms, mask, algo_strength, mask_strength; const char *l, *start, *buf; int j, multi, found, rule, retval, ok, buflen; unsigned long cipher_id = 0; unsigned long cipher_id = 0, ssl_version = 0; char ch; retval = 1; Loading Loading @@ -894,6 +895,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, */ j = found = 0; cipher_id = 0; ssl_version = 0; while (ca_list[j]) { if (!strncmp(buf, ca_list[j]->name, buflen) && Loading @@ -908,12 +910,6 @@ static int ssl_cipher_process_rulestr(const char *rule_str, if (!found) break; /* ignore this entry */ if (ca_list[j]->valid) { cipher_id = ca_list[j]->id; break; } /* New algorithms: * 1 - any old restrictions apply outside new mask * 2 - any new restrictions apply outside old mask Loading @@ -928,6 +924,14 @@ static int ssl_cipher_process_rulestr(const char *rule_str, (algo_strength & ca_list[j]->algo_strength); mask_strength |= ca_list[j]->mask_strength; /* explicit ciphersuite found */ if (ca_list[j]->valid) { cipher_id = ca_list[j]->id; ssl_version = ca_list[j]->algorithms & SSL_SSL_MASK; break; } if (!multi) break; } Loading Loading @@ -956,7 +960,7 @@ static int ssl_cipher_process_rulestr(const char *rule_str, } else if (found) { ssl_cipher_apply_rule(cipher_id, algorithms, mask, ssl_cipher_apply_rule(cipher_id, ssl_version, algorithms, mask, algo_strength, mask_strength, rule, -1, head_p, tail_p); } Loading
