Add fixes for CAN-2005-2969.

(This were in 0.9.7-stable and 0.9.8-stable, but not in HEAD so far.)

Add fixes for CAN-2005-2969.
(This were in 0.9.7-stable and 0.9.8-stable, but not in HEAD so far.)
72dce768 · Bodo Möller · ee8836c4 · 72dce768 · 72dce768 · 72dce768
Showing with 13 addition and 10 deletion

FAQ FAQ +1 -1

NEWS NEWS +5 -0

STATUS STATUS +4 -1

doc/ssl/SSL_CTX_set_options.pod doc/ssl/SSL_CTX_set_options.pod +1 -1

ssl/s23_srvr.c ssl/s23_srvr.c +1 -6

ssl/ssl.h ssl/ssl.h +1 -1

未找到文件。
--- a/FAQ
+++ b/FAQ
@@ -73,7 +73,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.8 was released on July 5th, 2005.
+OpenSSL 0.9.8a was released on October 11th, 2005.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,11 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+      o Fix potential SSL 2.0 rollback, CAN-2005-2969
+      o Extended Windows CE support
  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
      o Major work on the BIGNUM library for higher efficiency and to

--- a/STATUS
+++ b/STATUS
  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2005/07/05 19:16:24 $
+  ______________                           $Date: 2005/10/26 19:40:44 $
  DEVELOPMENT STATE
    o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8a: Released on October   11th, 2005
    o  OpenSSL 0.9.8:  Released on July       5th, 2005
+    o  OpenSSL 0.9.7i: Released on October   15th, 2005
+    o  OpenSSL 0.9.7h: Released on October   11th, 2005
    o  OpenSSL 0.9.7g: Released on April     11th, 2005
    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
    o  OpenSSL 0.9.7e: Released on October   25th, 2004

--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -86,7 +86,7 @@ doing a re-connect, always takes the first cipher in the cipher list.
 =item SSL_OP_MSIE_SSLV2_RSA_PADDING
-...
+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
 =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG

--- a/ssl/s23_srvr.c
+++ b/ssl/s23_srvr.c
@@ -250,9 +250,6 @@ int ssl23_get_client_hello(SSL *s)
 	int n=0,j;
 	int type=0;
 	int v[2];
-#ifndef OPENSSL_NO_RSA
-	int use_sslv2_strong=0;
-#endif
 	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
 		{
@@ -501,9 +498,7 @@ int ssl23_get_client_hello(SSL *s)
 			}
 		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
-		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
+		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
-			use_sslv2_strong ||
-			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
 			s->s2->ssl2_rollback=0;
 		else
 			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0

--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -480,7 +480,7 @@ typedef struct ssl_session_st
 #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
 #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
 #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
 #define SSL_OP_TLS_D5_BUG				0x00000100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L