Re: Fix for openssl bug #2240
I was told the diff got mangled, so here's another attempt. -- viq
Index: t1_lib.c
===
RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
retrieving revision 1.8
diff -u -d -r1.8 t1_lib.c
--- t1_lib.c10 Feb 2011 22:40:27 - 1.8
+++ t1_lib.c23 Sep 2011 19:38:13 -
@@ -1453,23 +1453,20 @@
 int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
- /* If we are client and using an elliptic curve cryptography cipher suite, then server
-* must return a an EC point formats lists containing uncompressed.
+ /* If we are client and using an elliptic curve cryptography cipher
+* suite, then if server returns an EC point formats lists extension
+* it must contain uncompressed.
 */
 unsigned long alg_k = s-s3-tmp.new_cipher-algorithm_mkey;
 unsigned long alg_a = s-s3-tmp.new_cipher-algorithm_auth;
 if ((s-tlsext_ecpointformatlist != NULL) (s-tlsext_ecpointformatlist_length 0)
+ (s-session-tlsext_ecpointformatlist != NULL) (s-session-tlsext_ecpointformatlist_length 0)
 ((alg_k (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a SSL_aECDSA)))
 {
 /* we are using an ECC cipher */
 size_t i;
 unsigned char *list;
 int found_uncompressed = 0;
- if ((s-session-tlsext_ecpointformatlist == NULL) || (s-session-tlsext_ecpointformatlist_length == 0))
- {
- SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIS T);
- return -1;
- }
 list = s-session-tlsext_ecpointformatlist;
 for (i = 0; i s-session-tlsext_ecpointformatlist_length; i++)
 {
[demime 1.01d removed an attachment of type application/pgp-signature]
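Review bot: As posted, this hunk cannot be applied verbatim: the `->`, `>`, `&` and `&&` operators were stripped in transit (`s-s3-tmp.new_cipher-algorithm_mkey`, `(s-tlsext_ecpointformatlist_length 0)`, and whatever joined the added session-list condition to the `((alg_k ...` line, evidently `&&`), so the change should be taken from the upstream OpenSSL revision rather than from this mail; the same applies to the identical hunks in the "Argh", "Apologies" and original "Fix for openssl bug #2240" messages of this thread. On the change itself, the added condition folds the server's ec_point_formats list into the outer `if`, so a ServerHello that omits the extension no longer triggers `SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST` and skips the check altogether, while a list that is present is presumably still required to contain uncompressed (the `found_uncompressed` loop continues past the end of the hunk). That relaxation is the intent of the fix, but the rewritten comment states it only implicitly; I would make it explicit: `/* The server is not obliged to send ec_point_formats (RFC 4492); only a list that was actually sent is validated, and it must then include uncompressed. */`. The enclosing function (ssl_check_serverhello_tlsext, judging by the SSL_F_ code in the removed SSLerr call) starts before and ends after the hunk.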
Re: Fix for openssl bug #2240
Argh, maybe this time... -- viq
Index: t1_lib.c
===
RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
retrieving revision 1.8
diff -u -d -r1.8 t1_lib.c
--- t1_lib.c10 Feb 2011 22:40:27 - 1.8
+++ t1_lib.c23 Sep 2011 19:38:13 -
@@ -1453,23 +1453,20 @@
 int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
- /* If we are client and using an elliptic curve cryptography cipher suite, then server
-* must return a an EC point formats lists containing uncompressed.
+ /* If we are client and using an elliptic curve cryptography cipher
+* suite, then if server returns an EC point formats lists extension
+* it must contain uncompressed.
 */
 unsigned long alg_k = s-s3-tmp.new_cipher-algorithm_mkey;
 unsigned long alg_a = s-s3-tmp.new_cipher-algorithm_auth;
 if ((s-tlsext_ecpointformatlist != NULL) (s-tlsext_ecpointformatlist_length 0)
+ (s-session-tlsext_ecpointformatlist != NULL) (s-session-tlsext_ecpointformatlist_length 0)
 ((alg_k (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a SSL_aECDSA)))
 {
 /* we are using an ECC cipher */
 size_t i;
 unsigned char *list;
 int found_uncompressed = 0;
- if ((s-session-tlsext_ecpointformatlist == NULL) || (s-session-tlsext_ecpointformatlist_length == 0))
- {
- SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIS T);
- return -1;
- }
 list = s-session-tlsext_ecpointformatlist;
 for (i = 0; i s-session-tlsext_ecpointformatlist_length; i++)
 {
[demime 1.01d removed an attachment of type application/pgp-signature]
Re: Fix for openssl bug #2240
Apologies, if it doesn't work this last time I give up... -- viq
Index: t1_lib.c
===
RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
retrieving revision 1.8
diff -u -d -r1.8 t1_lib.c
--- t1_lib.c10 Feb 2011 22:40:27 - 1.8
+++ t1_lib.c23 Sep 2011 19:38:13 -
@@ -1453,23 +1453,20 @@
 int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
- /* If we are client and using an elliptic curve cryptography cipher suite, then server
-* must return a an EC point formats lists containing uncompressed.
+ /* If we are client and using an elliptic curve cryptography cipher
+* suite, then if server returns an EC point formats lists extension
+* it must contain uncompressed.
 */
 unsigned long alg_k = s-s3-tmp.new_cipher-algorithm_mkey;
 unsigned long alg_a = s-s3-tmp.new_cipher-algorithm_auth;
 if ((s-tlsext_ecpointformatlist != NULL) (s-tlsext_ecpointformatlist_length 0)
+ (s-session-tlsext_ecpointformatlist != NULL) (s-session-tlsext_ecpointformatlist_length 0)
 ((alg_k (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a SSL_aECDSA)))
 {
 /* we are using an ECC cipher */
 size_t i;
 unsigned char *list;
 int found_uncompressed = 0;
- if ((s-session-tlsext_ecpointformatlist == NULL) || (s-session-tlsext_ecpointformatlist_length == 0))
- {
- SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
- return -1;
- }
 list = s-session-tlsext_ecpointformatlist;
 for (i = 0; i s-session-tlsext_ecpointformatlist_length; i++)
 {
Fix for openssl bug #2240
http://rt.openssl.org/Ticket/Display.html?id=2240user=guestpass=guest This affects us, I noticed when I had problems connecting with gajim to a certain server using TLS. Below patch lifted from openssl CVS fixes this. On a different note, we still have openssl 1.0.0a when OpenSSL 1.0.0e is now available, including important bug and security fixes. -- viq
Index: src/ssl/t1_lib.c
===
RCS file: /cvs/src/lib/libssl/src/ssl/t1_lib.c,v
retrieving revision 1.8
diff -u -d -r1.8 t1_lib.c
--- src/ssl/t1_lib.c10 Feb 2011 22:40:27 - 1.8
+++ src/ssl/t1_lib.c17 Sep 2011 20:57:50 -
@@ -1453,23 +1453,20 @@
 int al = SSL_AD_UNRECOGNIZED_NAME;
 
 #ifndef OPENSSL_NO_EC
- /* If we are client and using an elliptic curve cryptography cipher suite, then server
-* must return a an EC point formats lists containing uncompressed.
+ /* If we are client and using an elliptic curve cryptography cipher
+* suite, then if server returns an EC point formats lists extension
+* it must contain uncompressed.
 */
 unsigned long alg_k = s-s3-tmp.new_cipher-algorithm_mkey;
 unsigned long alg_a = s-s3-tmp.new_cipher-algorithm_auth;
 if ((s-tlsext_ecpointformatlist != NULL) (s-tlsext_ecpointformatlist_length 0)
+ (s-session-tlsext_ecpointformatlist != NULL) (s-session-tlsext_ecpointformatlist_length 0)
 ((alg_k (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe)) || (alg_a SSL_aECDSA)))
 {
 /* we are using an ECC cipher */
 size_t i;
 unsigned char *list;
 int found_uncompressed = 0;
- if ((s-session-tlsext_ecpointformatlist == NULL) || (s-session-tlsext_ecpointformatlist_length == 0))
- {
- SSLerr(SSL_F_SSL_CHECK_SERVERHELLO_TLSEXT,SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
- return -1;
- }
 list = s-session-tlsext_ecpointformatlist;
 for (i = 0; i s-session-tlsext_ecpointformatlist_length; i++)
 {