Fix null-pointer assignment in do_change_cipher_spec() revealed

by using the Codenomicon TLS Test Tool (CAN-2004-0079)

Prepare for 0.9.6m release

Submitted by: Steven Henson
Reviewed by: Joe Orton
Approved by: Mark Cox

CHANGES

@@ -2,9 +2,11 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 0.9.6l and 0.9.6m  [xx XXX xxxx]
+ Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
 
-  *)
+  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+     [Joe Orton, Steve Henson]
 
  Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
 

FAQ

@@ -63,7 +63,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7c was released on September 30, 2003.
+OpenSSL 0.9.7d was released on March 17, 2004.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:

LICENSE

@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

NEWS

@@ -5,6 +5,10 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.6l and OpenSSL 0.9.6m:
+
+      o Security: fix null-pointer bug leading to crash
+
   Major changes between OpenSSL 0.9.6k and OpenSSL 0.9.6l:
 
       o Security: fix ASN1 bug leading to large recursion

README

@@ -1,7 +1,7 @@
 
- OpenSSL 0.9.6l [engine] 04 Nov 2003
+ OpenSSL 0.9.6m [engine] 17 Mar 2004
 
- Copyright (c) 1998-2003 The OpenSSL Project
+ Copyright (c) 1998-2004 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
  All rights reserved.
 

STATUS

@@ -1,14 +1,16 @@
 
   OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2003/11/04 11:33:10 $
+  ______________                           $Date: 2004/03/17 11:45:33 $
 
   DEVELOPMENT STATE
 
     o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.7d: Released on March     17th, 2004
     o  OpenSSL 0.9.7c: Released on September 30th, 2003
     o  OpenSSL 0.9.7b: Released on April     10th, 2003
     o  OpenSSL 0.9.7a: Released on February  19th, 2003
     o  OpenSSL 0.9.7:  Released on December  31st, 2002
+    o  OpenSSL 0.9.6m: Released on March     17th, 2004
     o  OpenSSL 0.9.6l: Released on November   4th, 2003
     o  OpenSSL 0.9.6k: Released on September 30th, 2003
     o  OpenSSL 0.9.6j: Released on April     10th, 2003

crypto/opensslv.h

@@ -25,8 +25,8 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-#define OPENSSL_VERSION_NUMBER	0x009060d0L
-#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.6m-dev [engine] xx XXX xxxx"
+#define OPENSSL_VERSION_NUMBER	0x009060dfL
+#define OPENSSL_VERSION_TEXT	"OpenSSL 0.9.6m [engine] 17 Mar 2004"
 #define OPENSSL_VERSION_PTEXT	" part of " OPENSSL_VERSION_TEXT
 
 

openssl.spec

@@ -1,7 +1,7 @@
 %define libmaj 0
 %define libmin 9
 %define librel 6
-%define librev l
+%define librev m
 Release: 1
 
 %define openssldir /var/ssl

ssl/s3_pkt.c

@@ -1079,6 +1079,14 @@ start:
 			goto err;
 			}
 
+		/* Check we have a cipher to change to */
+		if (s->s3->tmp.new_cipher == NULL)
+			{
+			i=SSL_AD_UNEXPECTED_MESSAGE;
+			SSLerr(SSL_F_SSL3_GET_CERT_VERIFY,SSL_R_CCS_RECEIVED_EARLY);
+			goto err;
+			}
+
 		rr->length=0;
 		s->s3->change_cipher_spec=1;
 		if (!do_change_cipher_spec(s))