Attachment 69860 Details for Bug 108046 – patch-0.9.7

[patch] patch-0.9.7

patch-0.9.7 (text/plain), 3.46 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2005-10-04 09:30:59 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sune Kloppenborg Jeppesen (RETIRED)

Created: 2005-10-04 09:30:59 UTC

Size: 3.46 KB

patch

obsolete

>Index: CHANGES
>===================================================================
>RCS file: /e/openssl/cvs/openssl/CHANGES,v
>retrieving revision 1.977.2.163
>diff -u -r1.977.2.163 CHANGES
>--- CHANGES	2 Jun 2005 20:30:03 -0000	1.977.2.163
>+++ CHANGES	23 Sep 2005 03:38:41 -0000
>@@ -4,6 +4,16 @@
> 
>  Changes between 0.9.7g and 0.9.7h  [XX xxx XXXX]
> 
>+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
>+     (part of SSL_OP_ALL).  This option used to disable the
>+     countermeasure against man-in-the-middle protocol-version
>+     rollback in the SSL 2.0 server implementation, which is a bad
>+     idea.
>+
>+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
>+     for Information Security, National Institute of Advanced Industrial
>+     Science and Technology [AIST], Japan)]
>+
>   *) Minimal support for X9.31 signatures and PSS padding modes. This is
>      mainly for FIPS compliance and not fully integrated at this stage.
>      [Steve Henson]
>@@ -53,6 +63,9 @@
> 
>  Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
> 
>+  [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
>+  OpenSSL 0.9.8.]
>+
>   *) Fixes for newer kerberos headers. NB: the casts are needed because
>      the 'length' field is signed on one version and unsigned on another
>      with no (?) obvious way to tell the difference, without these VC++
>Index: doc/ssl/SSL_CTX_set_options.pod
>===================================================================
>RCS file: /e/openssl/cvs/openssl/doc/ssl/SSL_CTX_set_options.pod,v
>retrieving revision 1.9.2.4
>diff -u -r1.9.2.4 SSL_CTX_set_options.pod
>--- doc/ssl/SSL_CTX_set_options.pod	22 Mar 2005 17:54:13 -0000	1.9.2.4
>+++ doc/ssl/SSL_CTX_set_options.pod	23 Sep 2005 03:38:43 -0000
>@@ -86,7 +86,7 @@
> 
> =item SSL_OP_MSIE_SSLV2_RSA_PADDING
> 
>-...
>+As of OpenSSL 0.9.7h and 0.9.8a, this option has no effect.
> 
> =item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
> 
>Index: ssl/s23_srvr.c
>===================================================================
>RCS file: /e/openssl/cvs/openssl/ssl/s23_srvr.c,v
>retrieving revision 1.41.2.6
>diff -u -r1.41.2.6 s23_srvr.c
>--- ssl/s23_srvr.c	31 Jan 2005 01:33:35 -0000	1.41.2.6
>+++ ssl/s23_srvr.c	23 Sep 2005 03:38:44 -0000
>@@ -268,9 +268,6 @@
> 	int n=0,j;
> 	int type=0;
> 	int v[2];
>-#ifndef OPENSSL_NO_RSA
>-	int use_sslv2_strong=0;
>-#endif
> 
> 	if (s->state ==	SSL23_ST_SR_CLNT_HELLO_A)
> 		{
>@@ -528,9 +525,7 @@
> 			}
> 
> 		s->state=SSL2_ST_GET_CLIENT_HELLO_A;
>-		if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
>-			use_sslv2_strong ||
>-			(s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
>+		if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
> 			s->s2->ssl2_rollback=0;
> 		else
> 			/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
>Index: ssl/ssl.h
>===================================================================
>RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
>retrieving revision 1.126.2.23
>diff -u -r1.126.2.23 ssl.h
>--- ssl/ssl.h	10 Jun 2005 20:00:39 -0000	1.126.2.23
>+++ ssl/ssl.h	23 Sep 2005 03:38:47 -0000
>@@ -467,7 +467,7 @@
> #define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG		0x00000008L
> #define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG		0x00000010L
> #define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER		0x00000020L
>-#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L
>+#define SSL_OP_MSIE_SSLV2_RSA_PADDING			0x00000040L /* no effect since 0.9.7h and 0.9.8b */
> #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x00000080L
> #define SSL_OP_TLS_D5_BUG				0x00000100L
> #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x00000200L

Actions: View | Diff

Attachments on bug 108046: 69860 | 69861 | 70011 | 70012 | 70297