From owner-openssl-announce@openssl.org  Wed Feb 13 21:39:18 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id VAA28810; Wed, 13 Feb 2002 21:38:42 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id VAA28738; Wed, 13 Feb 2002 21:37:10 +0100 (MET)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 2A7414CE74F; Wed, 13 Feb 2002 21:37:08 +0100 (CET)
Received: by en1.engelschall.com (Sendmail 8.11.0+) for openssl-announce@openssl.org
	id g1DKVwv08140; Wed, 13 Feb 2002 21:31:58 +0100 (CET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from brev.stacken.kth.se id SAA19683; Wed, 13 Feb 2002 18:50:27 +0100 (MET)
Received: from localhost (chicken.stacken.kth.se [130.237.234.71])
	by brev.stacken.kth.se (8.9.3/8.9.3) with ESMTP id SAA09461;
	Wed, 13 Feb 2002 18:50:25 +0100 (MET)
Date: Wed, 13 Feb 2002 18:50:24 +0100 (MET)
Message-Id: <20020213.185024.128888993.levitte@stacken.kth.se>
To: openssl-dev@openssl.org, openssl-announce@openssl.org
Subject: 0.9.7 approaching
From: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
X-Mailer: Mew version 2.0 pre4 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-URL: http://www.stacken.kth.se/~levitte/
X-mailhacking1: I do not send mail using QP.  I use 8bit instead.  However,
 some
X-mailhacking2: mail servers on the way might find pleasure in converting my
X-Mailhacking3: messages to QP anyway.  I will not be responsible for that.
X-mailhacking4: See
 =?iso-8859-1?Q?http://www.lysator.liu.se/=E5ttabitars/?= to see the
 reasons.
X-Waved: dead chicken, GNU Emacs 20.6.1, Mew version 2.0 pre4
X-Mew: See http://www.mew.org/
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

The OpenSSL 0.9.7 release cycle has started.

Be at ease, we're still a bit away from making betas, there are a
couple of rather serious bugs to fix.  However, this means that a few
changes have been made:

1) In the CVS repository, there's now a branch tagged with the name
   OpenSSL_0_9_7-stable.
2) The main trunk is now 0.9.8-dev.
3) In the snapshot directory, the 0.9.7-dev snapshots are now called
   openssl-0.9.6-stable-SNAP-{YYYYMMDD}.tar.gz, where {YYYYMMDD} is
   replaced with the datestamp of the snapshot.
4) openssl-SNAP-{YYYYMMDD}.tar.gz are now snapshots of 0.9.8-dev.

Please test the 0.9.7-dev snapshots and report any problems that you
found, even if they have been reported before (it's a good reminder
for us), or even better, send us patches!

The 0.9.7 branch should have very few (preferably no) features added.
If you want a feature added, you'll have to wait for the release of
0.9.8 or release a patch kit on your own.

Happy testing, happy hacking!

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Thu Feb 14 09:10:06 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id JAA00533; Thu, 14 Feb 2002 09:09:08 +0100 (MET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id JAA00498; Thu, 14 Feb 2002 09:08:19 +0100 (MET)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id DD6B84CE73C; Thu, 14 Feb 2002 09:08:18 +0100 (CET)
Received: by en1.engelschall.com (Sendmail 8.11.0+) for openssl-announce@openssl.org
	id g1E7sK419905; Thu, 14 Feb 2002 08:54:20 +0100 (CET)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from brev.stacken.kth.se id XAA05289; Wed, 13 Feb 2002 23:47:39 +0100 (MET)
Received: from localhost (chicken.stacken.kth.se [130.237.234.71])
	by brev.stacken.kth.se (8.9.3/8.9.3) with ESMTP id XAA16520;
	Wed, 13 Feb 2002 23:47:37 +0100 (MET)
Date: Wed, 13 Feb 2002 23:47:33 +0100 (MET)
Message-Id: <20020213.234733.36852250.levitte@stacken.kth.se>
To: openssl-dev@openssl.org, openssl-announce@openssl.org
Subject: Re: 0.9.7 approaching
From: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
In-Reply-To: <20020213.185024.128888993.levitte@stacken.kth.se>
References: <20020213.185024.128888993.levitte@stacken.kth.se>
X-Mailer: Mew version 2.0 pre4 on Emacs 20.6 / Mule 4.0 (HANANOEN)
X-URL: http://www.stacken.kth.se/~levitte/
X-mailhacking1: I do not send mail using QP.  I use 8bit instead.  However,
 some
X-mailhacking2: mail servers on the way might find pleasure in converting my
X-Mailhacking3: messages to QP anyway.  I will not be responsible for that.
X-mailhacking4: See
 =?iso-8859-1?Q?http://www.lysator.liu.se/=E5ttabitars/?= to see the
 reasons.
X-Waved: dead chicken, GNU Emacs 20.6.1, Mew version 2.0 pre4
X-Mew: See http://www.mew.org/
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

From: Richard Levitte - VMS Whacker <levitte@stacken.kth.se>

levitte> 3) In the snapshot directory, the 0.9.7-dev snapshots are now called
levitte>    openssl-0.9.6-stable-SNAP-{YYYYMMDD}.tar.gz, where {YYYYMMDD} is
levitte>    replaced with the datestamp of the snapshot.

That was supposed to say openssl-0.9.7-stable-SNAP-{YYYYMMDD}.tar.gz

-- 
Richard Levitte   \ Spannvägen 38, II \ LeViMS@stacken.kth.se
Redakteur@Stacken  \ S-168 35  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-733-72 88 11
Procurator Odiosus Ex Infernis                -- poei@bofh.se
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, GemPlus:             http://www.gemplus.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.

From owner-openssl-announce@openssl.org  Wed Apr 17 08:29:08 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id IAA02882; Wed, 17 Apr 2002 08:09:15 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id IAA02360; Wed, 17 Apr 2002 08:04:37 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 62E2A4CE791; Tue, 16 Apr 2002 21:46:49 +0200 (CEST)
Received: by en1.engelschall.com (Sendmail 8.11.0+) for openssl-announce@openssl.org
	id g3GIdCv60621; Tue, 16 Apr 2002 20:39:12 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2)
	id QAA07663; Tue, 16 Apr 2002 16:56:53 +0200 (MET DST)
Date: Tue, 16 Apr 2002 16:56:50 +0200
From: Lutz Jaenicke <jaenicke@openssl.org>
To: openssl-announce@openssl.org, openssl-dev@openssl.org,
        openssl-users@openssl.org
Subject: Announcement of OpenSSL 0.9.6d and 0.9.7 Release Plan and Schedule
Message-ID: <20020416165649.A7455@openssl.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Mailer: Mutt 0.95i
Organization: OpenSSL Project
X-Web-Homepage: http://www.openssl.org/~jaenicke/
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Lutz Jaenicke <jaenicke@openssl.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

Announcement of OpenSSL 0.9.6d and 0.9.7 Release Plan and Schedule
==================================================================

The OpenSSL developers team is pleased to announce the upcoming
release of OpenSSL 0.9.7. OpenSSL 0.9.7 contains several changes
and enhancements in many fields; please check out the NEWS and
CHANGES files for details. Some of the changes made break compatibility,
so that application developers and distribution providers may need
a transition period. We have therefore decided for a 2-step strategy:

* Release 0.9.6d:
  OpenSSL 0.9.6d will be the last release of the 0.9.6 series, containing
  all of the latest bugfixes while maintaining compatibility.

* Release 0.9.7:
  OpenSSL 0.9.7 contains many enhancements and some incompatible
  changes. It also includes the bugfixes found in 0.9.6d (except for
  those obsoleted by other changes).

We intend to provide releases according to the following schedule:

16 Apr 2002: 0.9.6d-beta1
30 Apr 2002: 0.9.6d
  The changes between 0.9.6c and 0.9.6d are quite small so that we
  do not expect too many problems. Therefore only one beta release
  is planned.

30 Apr 2002: 0.9.7-beta1
13 May 2002: 0.9.7-beta2
...
  As the changes between 0.9.6x and 0.9.7 are numerous, we are prepared to
  handle more beta releases. The number of beta releases may change with
  error reports coming in. If no more errors are found after beta2, the final
  release will be made. If more errors are found in beta2, beta3 will be
  introduced and so on.
  Testing 0.9.7-beta... does not only mean to download and call "make install"
  and/or "make test" on different platforms. We explicitly ask application
  developers and users to test out the functionality of applications and/or
  integrate new functionality or adjust to the API changes. If these checks
  are not done in the beta phase and applications are only tested once
  0.9.7 is released, bug fixes may be delayed until the release of 0.9.7a,
  if required.
  Be reminded that changes are also available via the daily snapshots.

Incompatible Changes with 0.9.7:
================================
- List will be provided with the 0.9.7-beta releases.

Known Problems with 0.9.7:
==========================
From the OpenSSL STATUS file:
    o BIGNUM library failures on 64-bit platforms (0.9.7-dev):
      - BN_mod_mul verification (bc) fails for solaris64-sparcv9-cc
        and other 64-bit platforms

	Checked on			Result
	alpha-cc (Tru64 version 4.0)	works
	linux-alpha+bwx-gcc		doesn't work. Reported by
					Sean O'Riordain <seanpor@acm.org>
	OpenBSD-sparc64			doesn't work.  BN_mod_mul breaks.

	Needs checked on
	[add platforms here]

      - BN_mod_mul verification fails for mips3-sgi-irix
        unless configured with no-asm

Bug reports:
============
- Bug reports should be sent to openssl-bugs@openssl.org, reports are copied
  to openssl-dev.
- Success reports may be sent to openssl-bugs too, to indicate successful
  operation and help other people to narrow their problems down.

Downloads:
==========
- Files will be made available at the usual locations at OpenSSL.org.
- Separate announcements will be made for each beta and release.

Yours,
The OpenSSL Project Team...  

  Mark J. Cox             Richard Levitte    Andy Polyakov
  Ralf S. Engelschall     Bodo Möller        Holger Reif
  Dr. Stephen Henson      Ulf Möller         Geoff Thorpe
  Ben Laurie              Lutz Jänicke       

From owner-openssl-announce@openssl.org  Thu Apr 18 17:56:26 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id RAA25570; Thu, 18 Apr 2002 17:55:18 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id RAA25200; Thu, 18 Apr 2002 17:50:16 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 20FEA4CE773; Thu, 18 Apr 2002 17:50:10 +0200 (CEST)
Received: by en1.engelschall.com (Sendmail 8.11.0+) for openssl-announce@openssl.org
	id g3IFePE32514; Thu, 18 Apr 2002 17:40:25 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from localhost id QAA06085; Wed, 17 Apr 2002 16:43:19 +0200 (MET DST)
Date: Wed, 17 Apr 2002 16:43:37 +0200 (CEST)
Message-Id: <20020417.164337.104040410.levitte@openssl.org>
To: openssl-announce@openssl.org, openssl-users@openssl.org,
        openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net,
        cryptography@wasabisystems.com, INFO-VAX@MVB.SAIC.COM,
        INFO-WASD@VSM.COM.AU, VMS-SSH@ALPHA.SGGW.WAW.PL,
        VMS-WEB-DAEMON@KJSL.COM
Subject: [ANNOUNCE] OpenSSL 0.9.6d beta 1 released
From: Richard Levitte - VMS Whacker <levitte@openssl.org>
X-URL: http://www.openssl.org/~levitte/
X-Waved: dead chicken, GNU emacs 21.2.1, Mew version 2.2
X-Mew: See http://www.mew.org/
X-Mailer: Mew version 2.2 on Emacs 21.2 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Richard Levitte - VMS Whacker <levitte@openssl.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

The first beta release of OpenSSL 0.9.6d is now available from the
OpenSSL FTP site <URL: ftp://ftp.openssl.org/source/>.  This is
planned to be the only beta, as we believe that the snapshots have
been tested quite thoroughly by a number of people.  If
everything works as planned, the release won't differ except for
the version number.

The release of OpenSSL 0.9.6d is scheduled for Tuesday 2002-04-30.
To make sure that it will work correctly, please test this version
(especially on less common platforms), and report any problems to
<openssl-bugs@openssl.org>.

Changes between 0.9.6c and 0.9.6d include:

      o Various SSL/TLS library bugfixes.
      o Fix DH parameter generation for 'non-standard' generators.

-- 
Richard Levitte         levitte@openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/

                        new addresses around the clock=2E We offer lists as a direct 
                        purchase or as a monthly service=2E=3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp=3E=3Cfont size=3D=222=22=3E250=2C000 e-mails $100=2E00=3Cbr=3E
                        500=2C000 e-mails $125=2E00=3Cbr=3E
                        1=2C000=2C000 e-mails $200=2E00=3Cbr=3E
                        5=2C000=2C000 e-mails $400=2E00=3Cbr=3E
                        =3C=2Ffont=3E=3Cfont color=3D=22#993399=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22 size=3D=221=22=3E=3Cfont size=3D=222=22=3E=3Cb=3E=3Cbr=3E
                        =3C=2Fb=3E=3C=2Ffont=3E=3Cfont color=3D=22#993399=22 size=3D=223=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22=3E=3Cb=3E407-539-0615=3C=2Fb=3E=3C=2Ffont=3E=3C=2Ffont=3E 
                        =3C=2Ffont=3E=3C=2Ffont=3E=3Cfont size=3D=223=22=3E =3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp align=3D=22left=22=3E=3Cfont size=3D=222=22 face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22=3EMonthly 
                        Service 150=2E00*=3Cbr=3E
                        Includes=3A =3Cbr=3E
                        4=2C000=2C000 e-mails=2Fmonth=3Cbr=3E
                        'E-Mail-IT' Cloaking Software Updates=3Cbr=3E
                        FTP Access=3Cbr=3E
                        URL Cloaking Software =3C=2Ffont=3E=3C=2Fp=3E
                    =3C=2Fdiv=3E
                    =3Cdiv align=3D=22justify=22=3E 
                      =3Cp align=3D=22center=22=3E=3Cfont size=3D=222=22 face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22=3E*Three 
                        months required=2C lists and software download from our 
                        FTP server=2E=3C=2Ffont=3E=3C=2Fp=3E
                    =3C=2Fdiv=3E
                  =3C=2Ftd=3E
                =3C=2Ftr=3E
              =3C=2Ftable=3E
            =3C=2Ftd=3E
            =3Ctd width=3D=2224%=22 align=3D=22center=22 valign=3D=22top=22=3E 
              =3Ctable width=3D=2226%=22 border=3D=220=22 cellspacing=3D=223=22 cellpadding=3D=225=22 height=3D=22417=22 align=3D=22center=22=3E
                =3Ctr=3E 
                  =3Ctd bgcolor=3D=22#660099=22 nowrap height=3D=2219=22 valign=3D=22top=22=3E=3Cb=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22 size=3D=222=22 color=3D=22#FFFFFF=22=3EEmail-IT 
                    CSC Proxy Service=3C=2Ffont=3E=3C=2Fb=3E=3C=2Ftd=3E
                =3C=2Ftr=3E
                =3Ctr=3E 
                  =3Ctd valign=3D=22top=22 width=3D=2224%=22 align=3D=22center=22 height=3D=22386=22=3E 
                    =3Cdiv align=3D=22justify=22=3E 
                      =3Cp=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22=3E=3Cb=3ESend your e-mails 
                        directly through our servers=2E =3C=2Fb=3E=3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp=3E=3Cfont size=3D=222=22=3EOur in house =3Cb=3E'Email-IT' True Stealth 
                        System=3C=2Fb=3E is based on Unix know-how sending technology=2C 
                        providing real anonymous instant delivery=2E =3Cbr=3E
                        =3Cbr=3E
                        Forget problems with ISP 's your IP address will never 
                        be shown in our e-mail headers=2E =3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp=3E=3Cfont size=3D=222=22=3EYou send directly into OUR servers which 
                        then send your mail out to the world=2C FAST!=3C=2Ffont=3E =3C=2Fp=3E
                      =3Cp align=3D=22center=22=3E=3Cfont size=3D=222=22=3EFAST! FAST! FAST!=3Cbr=3E
                        Use your CABLE or DSL connection for mind blowing SPEEDS!=3Cbr=3E
                        =3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp align=3D=22center=22=3E=3Cfont size=3D=222=22=3E'Email-IT' Pricing is based 
                        on number of e-mails you can send monthly=2E You only pay 
                        for what you send successfully!=3Cbr=3E
                        =3Cbr=3E
                        Priced from $400=3Cbr=3E
                        =3C=2Ffont=3E=3Cfont color=3D=22#993399=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22 size=3D=221=22=3E=3Cfont size=3D=222=22=3E=3Cb=3E=3Cfont size=3D=223=22=3EInfo=3A=3C=2Ffont=3E=3C=2Fb=3E=3Cfont color=3D=22#993399=22 size=3D=223=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22=3E=3Cb=3E407-539-0615=3C=2Fb=3E=3C=2Ffont=3E=3C=2Ffont=3E=3C=2Ffont=3E 
                        =3C=2Ffont=3E=3C=2Ffont=3E=3C=2Fp=3E
                    =3C=2Fdiv=3E
                  =3C=2Ftd=3E
                =3C=2Ftr=3E
              =3C=2Ftable=3E
            =3C=2Ftd=3E
            =3Ctd width=3D=2224%=22 align=3D=22center=22 valign=3D=22top=22=3E 
              =3Ctable width=3D=2289%=22 border=3D=220=22 cellspacing=3D=223=22 cellpadding=3D=225=22 height=3D=22365=22=3E
                =3Ctr=3E 
                  =3Ctd bgcolor=3D=22#993399=22 nowrap valign=3D=22top=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22=3E&nbsp=3B=3Cfont size=3D=222=22 color=3D=22#FFFFFF=22=3E=3Cb=3ESafe 
                    Bulk Email Software=3C=2Fb=3E=3C=2Ffont=3E=3C=2Ffont=3E=3C=2Ftd=3E
                =3C=2Ftr=3E
                =3Ctr=3E 
                  =3Ctd valign=3D=22top=22 width=3D=2224%=22 height=3D=22390=22=3E 
                    =3Cdiv align=3D=22justify=22=3E 
                      =3Cp=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22=3EDon't worry about 
                        losing your ISP again=2E Our NEW software system goes beyond 
                        open relays and desktop servers=2E This is NEW and it is 
                        the ONLY software of it's kind=2E=3Cbr=3E
                        =3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22=3E'EMail-IT' Home &amp=3B 
                        Office Kit Includes=3A=3Cbr=3E
                        =3Cfont color=3D=22#333333=22=3E=3Cb=3EStealth System Software=3Cbr=3E
                        Bulk Mailer=3Cbr=3E
                        List Manager=3Cbr=3E
                        Email Extractor=3Cbr=3E
                        =3C=2Fb=3E=3C=2Ffont=3E=3C=2Ffont=3E=3Cb=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22 color=3D=22#333333=22=3EDaisy 
                        Chain Connector=3Cbr=3E
                        WWW URL Cloaking Device=3Cbr=3E
                        1 User License and Key=3C=2Ffont=3E=3C=2Fb=3E=3Cb=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22 color=3D=22#333333=22=3E=3Cbr=3E
                        2 Instructional Cd's =3Cbr=3E
                        1 =3C=2Ffont=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22=3E'EMail-IT' 
                        =3C=2Ffont=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22 color=3D=22#333333=22=3EOwners=3C=2Ffont=3E 
                        =3Cfont class=3D=22textblack10=22 size=3D=222=22 color=3D=22#333333=22=3EManual=3Cbr=3E
                        1 Full hour walk through =3C=2Ffont=3E=3Cfont size=3D=222=22 color=3D=22#333333=22=3Eof 
                        your installation and set up!=3C=2Ffont=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22 color=3D=22#333333=22=3E=3Cbr=3E
                        =3C=2Ffont=3E=3C=2Fb=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22=3E=3Cbr=3E
                        Also includes=3A =3Cbr=3E
                        Complete How To Files &amp=3B=3Cbr=3E
                        Telephone Support*=3C=2Ffont=3E=3C=2Fp=3E
                      =3Cp=3E=3Cfont size=3D=222=22=3E=3Cfont class=3D=22textblack10=22=3EPrice=3A $475=3Cbr=3E
                        =3C=2Ffont=3E Fedex=3Cfont class=3D=22textblack10=22=3E shipping included!=3Cbr=3E
                        =3C=2Ffont=3E=3C=2Ffont=3E=3Cfont color=3D=22#993399=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22 size=3D=221=22=3E=3Cbr=3E
                        =3Cfont color=3D=22#993399=22 size=3D=223=22=3E=3Cfont face=3D=22Tahoma=2C Verdana=2C Georgia=2C Arial=22=3E=3Cb=3E407-539-0615=3C=2Fb=3E=3C=2Ffont=3E=3C=2Ffont=3E=3C=2Ffont=3E=3C=2Ffont=3E=3Cfont class=3D=22textblack10=22 size=3D=222=22=3E=3Cbr=3E
                        =3C=2Ffont=3E=3Cfont size=3D=222=22=3E=3Cfont class=3D=22textblack10=22=3E =3C=2Ffont=3E=3Cbr=3E
                        =3Cb=3EO=3C=2Fb=3Erder now and we will start you off with 100=2C000=3C=2Ffont=3E 
                        fresh email addresses=2E=3Cbr=3E
                      =3C=2Fp=3E
                      =3Cp=3E=3Cfont size=3D=222=22=3E*Telephone Support Free for first 30 days 
                        only=2E=3C=2Ffont=3E=3C=2Fp=3E
                    =3C=2Fdiv=3E
                  =3C=2Ftd=3E
                =3C=2Ftr=3E
              =3C=2Ftable=3E
            =3C=2Ftd=3E
          =3C=2Ftr=3E
        =3C=2Ftable=3E
      =3C=2Fdiv=3E
    =3C=2Ftd=3E
  =3C=2Ftr=3E
=3C=2Ftable=3E
=3Cbr=3E
=3C=2Fbody=3E

=3C=2Fhtml=3E




______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Wed Apr 24 06:10:27 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id GAA09085; Wed, 24 Apr 2002 06:09:42 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from relay11.austria.eu.net id GAA08590; Wed, 24 Apr 2002 06:08:09 +0200 (MET DST)
Received: from sisyphus.openssl.org (vogelsinger.at [193.154.189.26] (may be forged))
	by relay11.austria.eu.net (8.12.1/8.12.0.Beta10) with ESMTP id g3O487AF008528;
	Wed, 24 Apr 2002 06:08:08 +0200
Message-Id: <5.1.0.14.2.20020424060714.02726eb0@mail.oneatweb.at>
X-Sender:  (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 24 Apr 2002 06:08:01 +0200
To: openssl-users@openssl.org
From: mark@openssl.org
Subject: Re: 4/23/2002 11:59:51 PM
Cc: mark@openssl.org, openssl-announce@openssl.org, openssl-users@openssl.org,
        rse@openssl.org, openssl-dev@openssl.org
In-Reply-To: <200204240357.FAA06682@opensource.ee.ethz.ch>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="=====================_137258707==_.ALT"
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: mark@openssl.org
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

--=====================_137258707==_.ALT
Content-Type: text/plain; charset="us-ascii"

??? WOULD SOMEONE PLEASE STOP THIS SPAM ???


   >O     Ernest E. Vogelsinger
   (\)    ICQ#   13394035
    ^     

--=====================_137258707==_.ALT--

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Fri May 10 23:45:45 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id XAA28859; Fri, 10 May 2002 23:43:50 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id XAA28703; Fri, 10 May 2002 23:42:08 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 4FD774CE776; Fri, 10 May 2002 23:42:03 +0200 (CEST)
Received: by en1.engelschall.com (Sendmail 8.11.0+) for openssl-announce@openssl.org
	id g4ALdcL25868; Fri, 10 May 2002 23:39:38 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from localhost id CAA01825; Fri, 10 May 2002 02:01:00 +0200 (MET DST)
Date: Fri, 10 May 2002 02:00:20 +0200 (CEST)
Message-Id: <20020510.020020.85815556.levitte@openssl.org>
To: openssl-announce@openssl.org, openssl-users@openssl.org,
        openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net,
        cryptography@wasabisystems.com, INFO-VAX@MVB.SAIC.COM,
        INFO-WASD@VSM.COM.AU, VMS-SSH@ALPHA.SGGW.WAW.PL,
        VMS-WEB-DAEMON@KJSL.COM
Subject: [ANNOUNCE] OpenSSL 0.9.6d beta 1 released
From: Richard Levitte - VMS Whacker <levitte@openssl.org>
X-URL: http://www.openssl.org/~levitte/
X-Waved: dead chicken, GNU emacs 21.2.1, Mew version 2.2
X-Mew: See http://www.mew.org/
X-Mailer: Mew version 2.2 on Emacs 21.2 / Mule 5.0 (SAKAKI)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Richard Levitte - VMS Whacker <levitte@openssl.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

  OpenSSL version 0.9.6d released
  ===============================

  OpenSSL - The Open Source toolkit for SSL/TLS
  http://www.openssl.org/

  The OpenSSL project team is pleased to announce the release of version
  0.9.6d of our open source toolkit for SSL/TLS.  This new OpenSSL version
  is mostly a bugfix release and incorporates at least 23 changes to the
  toolkit (for a complete list see http://www.openssl.org/source/exp/CHANGES).

  The most significant changes are:

    o Various SSL/TLS library bugfixes.
    o Fix DH parameter generation for 'non-standard' generators.

  We consider OpenSSL 0.9.6d to be the best version of OpenSSL available
  and we strongly recommend that users of older versions upgrade as
  soon as possible.  OpenSSL 0.9.6d is available for download via HTTP
  and FTP from the following master locations (you can find the various
  FTP mirrors under http://www.openssl.org/source/mirror.html):

    o http://www.openssl.org/source/
    o ftp://ftp.openssl.org/source/

  [1] OpenSSL comes in the form of two distributions this time.
  The reason for this is that we want to deploy the external crypto device
  support but don't want to have it part of the "normal" distribution just
  yet.  The distribution containing the external crypto device support is
  popularly called "engine", and is considered experimental.  It's been
  fairly well tested on Unix and flavors thereof.  If run on a system with
  no external crypto device, it will work just like the "normal" distribution.

  The distribution file names are:

      o openssl-0.9.6d.tar.gz [normal]
      o openssl-engine-0.9.6d.tar.gz [engine]

  Yours,
  The OpenSSL Project Team...  

    Mark J. Cox             Richard Levitte    Andy Polyakov
    Ralf S. Engelschall     Bodo Möller        Holger Reif
    Dr. Stephen Henson      Ulf Möller         Geoff Thorpe
    Ben Laurie              Lutz Jänicke       
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Mon Jun  3 08:06:22 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id IAA05328; Mon, 3 Jun 2002 08:05:37 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id IAA05045; Mon, 3 Jun 2002 08:04:32 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 2C3A24CE74C; Mon,  3 Jun 2002 07:00:17 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 912EC2873D; Mon,  3 Jun 2002 06:59:46 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2)
	id XAA27418; Sun, 2 Jun 2002 23:46:26 +0200 (MET DST)
Date: Sun, 2 Jun 2002 23:46:25 +0200
From: Lutz Jaenicke <jaenicke@openssl.org>
To: openssl-announce@openssl.org, openssl-users@openssl.org,
        openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net,
        cryptography@wasabisystems.com
Subject: [ANNOUNCE] OpenSSL 0.9.1 beta 1 released
Message-ID: <20020602234625.A27046@openssl.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
Organization: OpenSSL Project
X-Web-Homepage: http://www.openssl.org/~jaenicke/
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Lutz Jaenicke <jaenicke@openssl.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

The first beta release of OpenSSL 0.9.7 is now available from the
OpenSSL FTP site <URL: ftp://ftp.openssl.org/source/>. Quite a lot
of code changed between the 0.9.6 release and the 0.9.7 release, so
a series of 3 or 4 beta releases is planned before the final release.

To make sure that it will work correctly, please test this version
(especially on less common platforms), and report any problems to
<openssl-bugs@openssl.org>.
Application developers that use OpenSSL to provide cryptographic
routines or SSL/TLS support are kindly requested to test their
software against this new release to make sure that necessary adaptions
can be made.

Changes between 0.9.6x and 0.9.7 include:

      o New library section OCSP.
      o Complete rewrite of ASN1 code.
      o CRL checking in verify code and openssl utility.
      o Extension copying in 'ca' utility.
      o Flexible display options in 'ca' utility.
      o Provisional support for international characters with UTF8.
      o Support for external crypto devices ('engine') is no longer
        a separate distribution.
      o New elliptic curve library section.
      o New AES (Rijndael) library section.
      o Change DES API to clean up the namespace (some applications link also
        against libdes providing similar functions having the same name).
        Provide macros for backward compatibility (will be removed in the
        future).
      o Unify handling of cryptographic algorithms (software and
        engine) to be available via EVP routines for asymmetric and
        symmetric ciphers.
      o NCONF: new configuration handling routines.
      o Change API to use more 'const' modifiers to improve error checking
        and help optimizers.
      o Finally remove references to RSAref.
      o Reworked parts of the BIGNUM code.
      o Support for new engines: Broadcom ubsec, Accelerated Encryption
        Processing, IBM 4758.
      o PRNG: query at more locations for a random device, automatic query for
        EGD style random sources at several locations.
      o SSL/TLS: allow optional cipher choice according to server's preference.
      o SSL/TLS: allow server to explicitly set new session ids.
      o SSL/TLS: support Kerberos cipher suites (RFC2712).
      o SSL/TLS: allow more precise control of renegotiations and sessions.
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).

--
Lutz Jaenicke           jaenicke@openssl.org
OpenSSL Project         http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Mon Jun  3 13:56:44 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id NAA25533; Mon, 3 Jun 2002 13:55:19 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id NAA25477; Mon, 3 Jun 2002 13:54:26 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id B73044CE748; Mon,  3 Jun 2002 13:54:25 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 89EC62873D; Mon,  3 Jun 2002 13:26:33 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2)
	id KAA14437; Mon, 3 Jun 2002 10:49:46 +0200 (MET DST)
Date: Mon, 3 Jun 2002 10:49:46 +0200
From: Lutz Jaenicke <jaenicke@openssl.org>
To: openssl-announce@openssl.org, openssl-users@openssl.org,
        openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net,
        cryptography@wasabisystems.com
Subject: [ANNOUNCE] OpenSSL 0.9.7 beta 1 released
Message-ID: <20020603104945.B14202@openssl.org>
References: <20020602234625.A27046@openssl.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <20020602234625.A27046@openssl.org>; from Lutz Jaenicke on Sun, Jun 02, 2002 at 11:46:25PM +0200
Organization: OpenSSL Project
X-Web-Homepage: http://www.openssl.org/~jaenicke/
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Lutz Jaenicke <jaenicke@openssl.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

On Sun, Jun 02, 2002, Lutz Jaenicke wrote:

> The first beta release of OpenSSL 0.9.7 is now available from the
> OpenSSL FTP site <URL: ftp://ftp.openssl.org/source/>. Quite a lot
> of code changed between the 0.9.6 release and the 0.9.7 release, so
> a series of 3 or 4 beta releases is planned before the final release.

...

Of course, OpenSSL 0.9.7-beta1 has been released (not 0.9.1-beta1).
Please excuse any confusion caused by the typo in the Subject: line.

Best regards,
	Lutz
--
Lutz Jaenicke           jaenicke@openssl.org
OpenSSL Project         http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Sun Jun 16 18:44:16 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id SAA17350; Sun, 16 Jun 2002 18:43:14 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id SAA17328; Sun, 16 Jun 2002 18:42:57 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 87B274CE694; Sun, 16 Jun 2002 18:42:56 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 6B7FB286B3; Sun, 16 Jun 2002 18:42:17 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2)
	id NAA04025; Sun, 16 Jun 2002 13:55:49 +0200 (MET DST)
Date: Sun, 16 Jun 2002 13:55:48 +0200
From: Lutz Jaenicke <jaenicke@openssl.org>
To: openssl-announce@openssl.org, openssl-users@openssl.org,
        openssl-dev@openssl.org, coderpunks@toad.com, cypherpunks@openpgp.net,
        cryptography@wasabisystems.com
Subject: [ANNOUNCE] OpenSSL 0.9.7 beta 2 released
Message-ID: <20020616135547.A3908@openssl.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
Organization: OpenSSL Project
X-Web-Homepage: http://www.openssl.org/~jaenicke/
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Lutz Jaenicke <jaenicke@openssl.org>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

The second beta release of OpenSSL 0.9.7 is now available from the
OpenSSL FTP site <URL: ftp://ftp.openssl.org/source/>. Quite a lot
of code changed between the 0.9.6 release and the 0.9.7 release, so
a series of 3 or 4 beta releases is planned before the final release.

To make sure that it will work correctly, please test this version
(especially on less common platforms), and report any problems to
<openssl-bugs@openssl.org>.
Application developers that use OpenSSL to provide cryptographic
routines or SSL/TLS support are kindly requested to test their
software against this new release to make sure that necessary adaptions
can be made.

Changes between 0.9.6x and 0.9.7 include:

      o New library section OCSP.
      o Complete rewrite of ASN1 code.
      o CRL checking in verify code and openssl utility.
      o Extension copying in 'ca' utility.
      o Flexible display options in 'ca' utility.
      o Provisional support for international characters with UTF8.
      o Support for external crypto devices ('engine') is no longer
        a separate distribution.
      o New elliptic curve library section.
      o New AES (Rijndael) library section.
      o Change DES API to clean up the namespace (some applications link also
        against libdes providing similar functions having the same name).
        Provide macros for backward compatibility (will be removed in the
        future).
      o Unify handling of cryptographic algorithms (software and
        engine) to be available via EVP routines for asymmetric and
        symmetric ciphers.
      o NCONF: new configuration handling routines.
      o Change API to use more 'const' modifiers to improve error checking
        and help optimizers.
      o Finally remove references to RSAref.
      o Reworked parts of the BIGNUM code.
      o Support for new engines: Broadcom ubsec, Accelerated Encryption
        Processing, IBM 4758.
      o Extended and corrected OID (object identifier) table.
      o PRNG: query at more locations for a random device, automatic query for
        EGD style random sources at several locations.
      o SSL/TLS: allow optional cipher choice according to server's preference.
      o SSL/TLS: allow server to explicitly set new session ids.
      o SSL/TLS: support Kerberos cipher suites (RFC2712).
      o SSL/TLS: allow more precise control of renegotiations and sessions.
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: add draft AES ciphersuites (disabled unless explicitly requested).

--
Lutz Jaenicke           jaenicke@openssl.org
OpenSSL Project         http://www.openssl.org/~jaenicke/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org

From owner-openssl-announce@openssl.org  Tue Jul 30 13:09:51 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id NAA28294; Tue, 30 Jul 2002 13:06:33 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id NAA28013; Tue, 30 Jul 2002 13:00:53 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 12FD34CE747; Tue, 30 Jul 2002 13:00:52 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id AE38D28672; Tue, 30 Jul 2002 12:59:29 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from scuzzy.ben.algroup.co.uk id LAA22711; Tue, 30 Jul 2002 11:58:13 +0200 (MET DST)
Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150])
	by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP
	id E65BF8BC25; Tue, 30 Jul 2002 09:58:10 +0000 (GMT)
Message-ID: <3D46633B.80403@algroup.co.uk>
Date: Tue, 30 Jul 2002 10:58:19 +0100
From: Ben Laurie <ben@algroup.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: OpenSSL Announce <openssl-announce@openssl.org>,
        Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>,
        Apache SSL Announce <apache-sslannounce@lists.aldigital.co.uk>
Subject: OpenSSL Security Altert - Remote Buffer Overflows
Content-Type: multipart/mixed;
 boundary="------------030300050205020202020806"
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Ben Laurie <ben@algroup.co.uk>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

This is a multi-part message in MIME format.
--------------030300050205020202020806
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

OpenSSL Security Advisory [30 July 2002]

This advisory consists of two independent advisories, merged, and is
an official OpenSSL advisory.

Advisory 1
==========

A.L. Digital Ltd and The Bunker (http://www.thebunker.net/) are
conducting a security review of OpenSSL, under the DARPA program
CHATS.

Vulnerabilities
---------------

All four of these are potentially remotely exploitable.

1. The client master key in SSL2 could be oversized and overrun a
    buffer. This vulnerability was also independently discovered by
    consultants at Neohapsis (http://www.neohapsis.com/) who have also
    demonstrated that the vulnerability is exploitable. Exploit code is
    NOT available at this time.

2. The session ID supplied to a client in SSL3 could be oversized and
    overrun a buffer.

3. The master key supplied to an SSL3 server could be oversized and
    overrun a stack-based buffer. This issue only affects OpenSSL
    0.9.7 before 0.9.7-beta3 with Kerberos enabled.

4. Various buffers for ASCII representations of integers were too
    small on 64 bit platforms.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0656 to issues 1-2, CAN-2002-0657 to issue
3, and CAN-2002-0655 to issue 4.

In addition various potential buffer overflows not known to be
exploitable have had assertions added to defend against them.

Who is affected?
----------------

Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or
current development snapshots of 0.9.7 to provide SSL or TLS is
vulnerable, whether client or server. 0.9.6d servers on 32-bit systems
with SSL 2.0 disabled are not vulnerable.

SSLeay is probably also affected.

Recommendations
---------------

Apply the attached patch to OpenSSL 0.9.6d, or upgrade to OpenSSL
0.9.6e. Recompile all applications using OpenSSL to provide SSL or
TLS.

A patch for 0.9.7 is available from the OpenSSL website
(http://www.openssl.org/).

Servers can disable SSL2, alternatively disable all applications using
SSL or TLS until the patches are applied. Users of 0.9.7 pre-release
versions with Kerberos enabled will also have to disable Kerberos.

Clients should be disabled altogether until the patches are applied.

Known Exploits
--------------

There are no known exploits available for these vulnerabilities. As
noted above, Neohapsis have demonstrated internally that an exploit is
possible, but have not released the exploit code.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0655
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0657

Acknowledgements
----------------

The project leading to this advisory is sponsored by the Defense
Advanced Research Projects Agency (DARPA) and Air Force Research
Laboratory, Air Force Materiel Command, USAF, under agreement number
F30602-01-2-0537.

The patch and advisory were prepared by Ben Laurie.



Advisory 2
==========

Vulnerabilities
---------------

The ASN1 parser can be confused by supplying it with certain invalid
encodings.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0659 to this issue.

Who is affected?
----------------

Any OpenSSL program which uses the ASN1 library to parse untrusted
data. This includes all SSL or TLS applications, those using S/MIME
(PKCS#7) or certificate generation routines.

Recommendations
---------------

Apply the patch to OpenSSL, or upgrade to OpenSSL 0.9.6e. Recompile
all applications using OpenSSL.

Users of 0.9.7 pre-release versions should apply the patch or upgrade
to 0.9.7-beta3 or later. Recompile all applications using OpenSSL.

Exploits
--------

There are no known exploits for this vulnerability.

References
----------

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0659

Acknowledgements
----------------

This vulnerability was discovered by Adi Stav <stav@mercury.co.il>
and James Yonan <jim@ntlp.com> independently. The patch is partly
based on a version by Adi Stav.

The patch and advisory were prepared by Dr. Stephen Henson.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

--------------030300050205020202020806
Content-Type: text/plain;
 name="openssl-0.9.6d-sec.patch"
Content-Disposition: inline;
 filename="openssl-0.9.6d-sec.patch"
Content-Transfer-Encoding: 7bit

Index: CHANGES
===================================================================
RCS file: /e/openssl/cvs/openssl/CHANGES,v
retrieving revision 1.618.2.158
diff -u -r1.618.2.158 CHANGES
--- CHANGES	2002/05/09 22:40:31	1.618.2.158
+++ CHANGES	2002/07/30 09:14:15
@@ -2,6 +2,35 @@
  OpenSSL CHANGES
  _______________
 
+ Changes in security patch
+
+Changes marked "(CHATS)" were sponsored by the Defense Advanced
+Research Projects Agency (DARPA) and Air Force Research Laboratory,
+Air Force Materiel Command, USAF, under agreement number
+F30602-01-2-0537.
+
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer. (CAN-2002-0659)
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+  *) Assertions for various potential buffer overflows, not known to
+     happen in practice.
+     [Ben Laurie (CHATS)]
+
+  *) Various temporary buffers to hold ASCII versions of integers were
+     too small for 64 bit platforms. (CAN-2002-0655)
+     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+
+  *) Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized session ID to a client. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
+  *) Remote buffer overflow in SSL2 protocol - an attacker could
+     supply an oversized client master key. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
  Changes between 0.9.6c and 0.9.6d  [9 May 2002]
 
   *) Fix crypto/asn1/a_sign.c so that 'parameters' is omitted (not
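Review bot: the credit line of the CAN-2002-0655 entry closes with ">"
instead of "]" ("... and Ben Laurie (CHATS)>"), which breaks the
bracketed attribution every other entry in this hunk uses. The
paragraph beginning "Changes marked" also starts in column 0 while the
heading above it is indented by one space; indent it to match the rest
of the file.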
Index: crypto/cryptlib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.c,v
retrieving revision 1.20.2.4
diff -u -r1.20.2.4 cryptlib.c
--- crypto/cryptlib.c	2001/11/23 20:57:59	1.20.2.4
+++ crypto/cryptlib.c	2002/07/30 09:14:15
@@ -491,3 +491,11 @@
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
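Review bot: OpenSSLDie() ends in abort(), so every die() call site
terminates the host application rather than the one connection; in a
library that is only acceptable where the condition cannot be reached
from input. State that contract in a comment above the function, and
have call sites that test a length read from a peer or from decoded
data return an error instead. The message is written straight to
stderr, which a daemon may have closed or redirected, so the diagnostic
can be lost.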
Index: crypto/cryptlib.h
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.h,v
retrieving revision 1.8
diff -u -r1.8 cryptlib.h
--- crypto/cryptlib.h	2000/05/02 12:35:04	1.8
+++ crypto/cryptlib.h	2002/07/30 09:14:16
@@ -89,6 +89,14 @@
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
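Review bot: HEX_SIZE has unbalanced parentheses: "((sizeof(type)*2)"
opens two and closes one, so the first use of the macro will not
compile. It should read "(sizeof(type)*2)". No hunk in this patch uses
HEX_SIZE, so either fix it or drop it. The comment has a typo
("represenations"), and DECIMAL_SIZE needs a line saying whether its
result already leaves room for a sign and the terminating NUL, since
the callers below add +1 or +2 on top of it.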
Index: crypto/asn1/asn1_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/asn1/asn1_lib.c,v
retrieving revision 1.19.2.1
diff -u -r1.19.2.1 asn1_lib.c
--- crypto/asn1/asn1_lib.c	2001/03/30 13:42:32	1.19.2.1
+++ crypto/asn1/asn1_lib.c	2002/07/30 09:14:17
@@ -124,15 +124,13 @@
 		(int)(omax+ *pp));
 
 #endif
-#if 0
-	if ((p+ *plength) > (omax+ *pp))
+	if (*plength > (omax - (*pp - p)))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
-#endif
 	*pp=p;
 	return(ret|inf);
 err:
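Review bot: the operands of the inner subtraction in the re-enabled
check look reversed. At this point p has advanced past the header and
*pp still points at the start (the hunk assigns "*pp=p" just below), so
"*pp - p" is negative and "omax - (*pp - p)" is larger than omax. The
disabled test being replaced, "(p+ *plength) > (omax+ *pp)", rearranges
to "*plength > omax - (p - *pp)". As written the new bound is too
generous by twice the header length, so a content length that runs
slightly past the supplied buffer is still accepted.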
@@ -159,6 +157,8 @@
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
+			if (i > sizeof(long))
+				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
@@ -170,6 +170,8 @@
 		else
 			ret=i;
 		}
+	if (ret < 0)
+		return 0;
 	*pp=p;
 	*rl=ret;
 	return(1);
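Review bot: the "ret < 0" test only fires once an over-large length has
already wrapped to a negative value in ret, and the check added in the
previous hunk still admits i == sizeof(long), which is exactly the case
where the top bit can end up set. Relying on the wrap is fragile:
accumulate in an unsigned long and reject anything above LONG_MAX
before the assignment to *rl, which states the intent directly. The new
returns are written "return 0;" while the surrounding code uses
"return(0);".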
@@ -407,7 +409,7 @@
 
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
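Review bot: buf1 is sized from "address", a pointer, but the sprintf
below it formats "(unsigned long)address", so the size that matters is
that of unsigned long. Write DECIMAL_SIZE(unsigned long) so the buffer
tracks the type actually printed. Both sprintf calls remain unbounded,
so the function is only as safe as the macro arithmetic; a comment
saying what the extra +1 is for would help the next reader check it.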
Index: crypto/conf/conf_def.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/conf/conf_def.c,v
retrieving revision 1.3
diff -u -r1.3 conf_def.c
--- crypto/conf/conf_def.c	2000/06/06 15:21:12	1.3
+++ crypto/conf/conf_def.c	2002/07/30 09:14:18
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -180,12 +181,12 @@
 static int def_load(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
Index: crypto/objects/obj_dat.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/objects/obj_dat.c,v
retrieving revision 1.16.2.2
diff -u -r1.16.2.2 obj_dat.c
--- crypto/objects/obj_dat.c	2002/04/18 11:52:28	1.16.2.2
+++ crypto/objects/obj_dat.c	2002/07/30 09:14:19
@@ -428,7 +428,7 @@
 	unsigned long l;
 	unsigned char *p;
 	const char *s;
-	char tbuf[32];
+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
 	if (buf_len <= 0) return(0);
 
Index: ssl/s2_clnt.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s2_clnt.c,v
retrieving revision 1.27.2.4
diff -u -r1.27.2.4 s2_clnt.c
--- ssl/s2_clnt.c	2001/11/10 10:43:51	1.27.2.4
+++ ssl/s2_clnt.c	2002/07/30 09:14:25
@@ -116,6 +116,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_client_method(int ver);
 static int get_server_finished(SSL *s);
@@ -517,6 +518,7 @@
 		}
 		
 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
 	return(1);
 	}
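Review bot: conn_id_length is set from tmp.conn_id_length and the bytes
are copied from the message pointer p, so this die() guards a length
that appears to arrive with the handshake; an oversized value would now
abort the client process instead of overflowing conn_id. Reject it the
way the key_arg check in ssl/s2_srvr.c does, with SSLerr() and an error
return, and make the test before the value is stored in s->s2 rather
than after.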
@@ -618,6 +620,7 @@
 		/* make key_arg data */
 		i=EVP_CIPHER_iv_length(c);
 		sess->key_arg_length=i;
+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 		/* make a master key */
@@ -625,6 +628,7 @@
 		sess->master_key_length=i;
 		if (i > 0)
 			{
+			die(i <= sizeof sess->master_key);
 			if (RAND_bytes(sess->master_key,i) <= 0)
 				{
 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -668,6 +672,7 @@
 		d+=enc;
 		karg=sess->key_arg_length;	
 		s2n(karg,p); /* key arg size */
+		die(karg <= sizeof sess->key_arg);
 		memcpy(d,sess->key_arg,(unsigned int)karg);
 		d+=karg;
 
@@ -688,6 +693,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_CLIENT_FINISHED;
+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
 
 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -944,6 +950,8 @@
 		{
 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
 			{
+			die(s->session->session_id_length
+			    <= sizeof s->session->session_id);
 			if (memcmp(buf,s->session->session_id,
 				(unsigned int)s->session->session_id_length) != 0)
 				{
Index: ssl/s2_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s2_lib.c,v
retrieving revision 1.29.2.2
diff -u -r1.29.2.2 s2_lib.c
--- ssl/s2_lib.c	2000/12/26 12:06:47	1.29.2.2
+++ ssl/s2_lib.c	2002/07/30 09:14:25
@@ -62,6 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/md5.h>
+#include "cryptlib.h"
 
 static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -425,10 +426,14 @@
 #endif
 
 	km=s->s2->key_material;
+ 	die(s->s2->key_material_length <= sizeof s->s2->key_material);
 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 		{
 		MD5_Init(&ctx);
 
+ 		die(s->session->master_key_length >= 0
+ 		    && s->session->master_key_length
+ 		    < sizeof s->session->master_key);
 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 		MD5_Update(&ctx,&c,1);
 		c++;
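Review bot: the master_key_length assertion uses a strict "<" against
sizeof s->session->master_key, while the matching checks in
ssl/s2_clnt.c ("i <= sizeof sess->master_key") and ssl/s2_srvr.c
("i <= SSL_MAX_MASTER_KEY_LENGTH") allow equality, so a key that
exactly fills the buffer passes there and aborts here. Pick one bound.
The condition is also loop-invariant and can sit beside the
key_material_length assertion above the for, and the added lines begin
with a space before the tab.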
@@ -463,6 +468,7 @@
 /*	state=s->rwstate;*/
 	error=s->error;
 	s->error=0;
+	die(error >= 0 && error <= 3);
 	i=ssl2_write(s,&(buf[3-error]),error);
 /*	if (i == error) s->rwstate=state; */
 
Index: ssl/s2_srvr.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s2_srvr.c,v
retrieving revision 1.25.2.5
diff -u -r1.25.2.5 s2_srvr.c
--- ssl/s2_srvr.c	2001/11/14 21:19:47	1.25.2.5
+++ ssl/s2_srvr.c	2002/07/30 09:14:26
@@ -116,6 +116,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -417,11 +418,18 @@
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
 		n2s(p,i); s->session->key_arg_length=i;
+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+			{
+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+				   SSL_R_KEY_ARG_TOO_LONG);
+			return -1;
+			}
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		}
 
 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 	p=(unsigned char *)s->init_buf->data;
+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 	keya=s->session->key_arg_length;
 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
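Review bot: key_arg_length is written into s->session before it is
compared with SSL_MAX_KEY_ARG_LENGTH, so on the error return the
session still carries the oversized value. Test i first and store it
only when it is in range. The failure path also returns without the
ssl2_return_error() call that the error branch in ssl/s2_clnt.c makes,
so the peer receives no protocol error.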
@@ -502,6 +510,7 @@
 #endif
 
 	if (is_export) i+=s->s2->tmp.clear;
+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 	s->session->master_key_length=i;
 	memcpy(s->session->master_key,p,(unsigned int)i);
 	return(1);
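Review bot: i can include tmp.clear here, which the first hunk of this
file reads off the wire with n2s(), so this die() can be failed by the
client and takes the whole server process down with it. That turns the
oversized client master key overflow into an abort of the server.
Return an error (SSLerr() plus "return -1", as the key_arg check does)
so that only the offending connection is dropped.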
@@ -649,6 +658,7 @@
 	p+=s->s2->tmp.session_id_length;
 
 	/* challenge */
+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 	return(1);
 mem_err:
@@ -800,6 +810,7 @@
 		}
 
 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	len = 1 + (unsigned long)s->s2->conn_id_length;
 	n = (int)len - s->init_num;
 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -825,6 +836,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_VERIFY;
+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 		/* p+=s->s2->challenge_length; */
 
@@ -844,6 +856,8 @@
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_FINISHED;
 
+		die(s->session->session_id_length
+		    <= sizeof s->session->session_id);
 		memcpy(p,s->session->session_id,
 			(unsigned int)s->session->session_id_length);
 		/* p+=s->session->session_id_length; */
Index: ssl/s3_clnt.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
retrieving revision 1.31.2.6
diff -u -r1.31.2.6 s3_clnt.c
--- ssl/s3_clnt.c	2002/01/14 23:42:35	1.31.2.6
+++ ssl/s3_clnt.c	2002/07/30 09:14:27
@@ -117,6 +117,7 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -545,6 +546,7 @@
 		*(p++)=i;
 		if (i != 0)
 			{
+			die(i <= sizeof s->session->session_id);
 			memcpy(p,s->session->session_id,i);
 			p+=i;
 			}
@@ -625,6 +627,14 @@
 
 	/* get the session-id */
 	j= *(p++);
+
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
 
 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 		{
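Review bot: the new block is indented with spaces where the
surrounding code uses tabs, so it will not line up for anyone whose
tab width differs from the author's; reindent it to match. The shape
of the check itself (alert, SSLerr(), "goto f_err", no die()) is the
one the other peer-supplied length checks in this patch should follow.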
Index: ssl/s3_srvr.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s3_srvr.c,v
retrieving revision 1.49.2.14
diff -u -r1.49.2.14 s3_srvr.c
--- ssl/s3_srvr.c	2002/04/13 22:49:26	1.49.2.14
+++ ssl/s3_srvr.c	2002/07/30 09:14:28
@@ -122,6 +122,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -948,6 +949,7 @@
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
+		die(sl <= sizeof s->session->session_id);
 		*(p++)=sl;
 		memcpy(p,s->session->session_id,sl);
 		p+=sl;
Index: ssl/ssl.h
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
retrieving revision 1.85.2.12
diff -u -r1.85.2.12 ssl.h
--- ssl/ssl.h	2002/01/14 23:42:42	1.85.2.12
+++ ssl/ssl.h	2002/07/30 09:14:29
@@ -1478,6 +1478,7 @@
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_TRUST				 279
+#define SSL_R_KEY_ARG_TOO_LONG				 1112
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
@@ -1546,6 +1547,7 @@
 #define SSL_R_SHORT_READ				 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
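Review bot: SSL_R_SSL3_SESSION_ID_TOO_LONG (1113) and
SSL_R_KEY_ARG_TOO_LONG (1112, previous hunk) are numbered in the
1000-and-up range that the SSL_R_SSLV3_ALERT_* codes just below occupy
(1042, 1020), rather than continuing the ordinary sequence of their
neighbours (159, 160, 219 to 222, 274 to 280). Allocate them from the
ordinary sequence so they cannot collide with an alert-derived code
added later.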
Index: ssl/ssl_asn1.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_asn1.c,v
retrieving revision 1.8
diff -u -r1.8 ssl_asn1.c
--- ssl/ssl_asn1.c	2000/06/01 22:19:19	1.8
+++ ssl/ssl_asn1.c	2002/07/30 09:14:29
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 typedef struct ssl_session_asn1_st
 	{
@@ -275,6 +276,7 @@
 		os.length=i;
 
 	ret->session_id_length=os.length;
+	die(os.length <= sizeof ret->session_id);
 	memcpy(ret->session_id,os.data,os.length);
 
 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
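Review bot: os.length comes from the decoded OCTET STRING, so die()
here aborts the process on a malformed encoded session instead of
failing the decode. If an encoded session can reach this function from
outside the process, that is an input-triggered abort; return an error
from the d2i path instead, and make the test before
ret->session_id_length is assigned rather than after.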
Index: ssl/ssl_err.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_err.c,v
retrieving revision 1.28.2.6
diff -u -r1.28.2.6 ssl_err.c
--- ssl/ssl_err.c	2001/11/10 01:15:29	1.28.2.6
+++ ssl/ssl_err.c	2002/07/30 09:14:30
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
@@ -343,6 +344,7 @@
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
Index: ssl/ssl_sess.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl_sess.c,v
retrieving revision 1.30.2.2
diff -u -r1.30.2.2 ssl_sess.c
--- ssl/ssl_sess.c	2002/02/10 12:52:57	1.30.2.2
+++ ssl/ssl_sess.c	2002/07/30 09:14:30
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -199,6 +200,7 @@
 		ss->session_id_length=0;
 		}
 
+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;

--------------030300050205020202020806--
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Announcement Mailing List                 openssl-announce@openssl.org
Automated List Manager                           majordomo@openssl.org
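
The three length checks named in the CHANGES entry for CAN-2002-0659 (length octets wider than sizeof(long), a value that would appear negative, content longer than the supplied buffer), written out as a standalone decoder. This is an added example, not OpenSSL's asn1_get_length(); the names der_content_length and der_header_length, the error codes and the sample byte strings are assumptions constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Error codes for this example (hypothetical names, not OpenSSL's). */
#define DER_E_TRUNCATED  (-1L)  /* length header runs past the buffer    */
#define DER_E_INDEFINITE (-2L)  /* 0x80 indefinite form, not handled     */
#define DER_E_TOO_WIDE   (-3L)  /* more length octets than sizeof(long)  */
#define DER_E_NEGATIVE   (-4L)  /* value would be negative as a long     */
#define DER_E_OVERRUN    (-5L)  /* content longer than the bytes left    */

/* Decode the length field at buf[0..avail), where buf points just past
 * the identifier octet. Returns the content length (>= 0) or a DER_E_*
 * code. On success *hdr_len (if non-NULL) gets the size of the length
 * field itself. */
long der_content_length(const unsigned char *buf, size_t avail, size_t *hdr_len)
{
    unsigned long value = 0;   /* unsigned: no reliance on signed wrap */
    size_t noctets = 0, i;

    if (avail == 0)
        return DER_E_TRUNCATED;

    if (buf[0] & 0x80) {                    /* long form */
        noctets = buf[0] & 0x7f;
        if (noctets == 0)
            return DER_E_INDEFINITE;
        if (noctets > sizeof(long))         /* check 1: too many octets */
            return DER_E_TOO_WIDE;
        if (noctets > avail - 1)
            return DER_E_TRUNCATED;
        for (i = 1; i <= noctets; i++)
            value = (value << 8) | buf[i];
        if (value > (unsigned long)LONG_MAX) /* check 2: "negative" */
            return DER_E_NEGATIVE;
    } else {                                /* short form: 0..127 */
        value = buf[0];
    }

    /* check 3: content must fit in what follows the length field;
     * avail - 1 - noctets cannot underflow after the tests above. */
    if (value > avail - 1 - noctets)
        return DER_E_OVERRUN;

    if (hdr_len != NULL)
        *hdr_len = 1 + noctets;
    return (long)value;
}

/* Convenience wrapper: length-field size, or 0 if the length is rejected. */
size_t der_header_length(const unsigned char *buf, size_t avail)
{
    size_t h = 0;
    return der_content_length(buf, avail, &h) < 0 ? 0 : h;
}

/* Constructed sample inputs (not captured from any real certificate). */
static const unsigned char SAMPLE_SHORT[]       = { 0x03, 'a', 'b', 'c' };
static const unsigned char SAMPLE_LONG[3 + 256] = { 0x82, 0x01, 0x00 };
static const unsigned char SAMPLE_TOO_WIDE[]    = { 0x89, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
static const unsigned char SAMPLE_NEGATIVE[1 + sizeof(long)] =
    { (unsigned char)(0x80 | sizeof(long)), 0xff };  /* top bit set */
static const unsigned char SAMPLE_OVERRUN[]     = { 0x05, 'a', 'b' };
static const unsigned char SAMPLE_TRUNCATED[]   = { 0x82, 0x01 };

int main(void)
{
    printf("short     -> %ld\n",
           der_content_length(SAMPLE_SHORT, sizeof SAMPLE_SHORT, NULL));
    printf("long      -> %ld\n",
           der_content_length(SAMPLE_LONG, sizeof SAMPLE_LONG, NULL));
    printf("too wide  -> %ld\n",
           der_content_length(SAMPLE_TOO_WIDE, sizeof SAMPLE_TOO_WIDE, NULL));
    printf("negative  -> %ld\n",
           der_content_length(SAMPLE_NEGATIVE, sizeof SAMPLE_NEGATIVE, NULL));
    printf("overrun   -> %ld\n",
           der_content_length(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, NULL));
    printf("truncated -> %ld\n",
           der_content_length(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL));
    return 0;
}
```
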

From owner-openssl-announce@openssl.org  Tue Jul 30 13:10:00 2002
Received: by en5.engelschall.com (Sendmail 8.9.2) for openssl-announce-L
	id NAA28427; Tue, 30 Jul 2002 13:08:44 +0200 (MET DST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP for <openssl-announce@openssl.org>
	from visp.engelschall.com id NAA28016; Tue, 30 Jul 2002 13:00:54 +0200 (MET DST)
Received: by visp.engelschall.com (Postfix, from userid 1005)
	id 387BB4CE752; Tue, 30 Jul 2002 13:00:52 +0200 (CEST)
Received: by en1.engelschall.com (Postfix, from userid 10000)
	id 10FF228672; Tue, 30 Jul 2002 12:59:56 +0200 (CEST)
Received: by en5.engelschall.com (Sendmail 8.9.2) via ESMTP
	from scuzzy.ben.algroup.co.uk id MAA24924; Tue, 30 Jul 2002 12:14:57 +0200 (MET DST)
Received: from algroup.co.uk (wiese.ben.algroup.co.uk [193.133.15.150])
	by scuzzy.ben.algroup.co.uk (Postfix) with ESMTP
	id 642388BC25; Tue, 30 Jul 2002 10:14:51 +0000 (GMT)
Message-ID: <3D466724.7060809@algroup.co.uk>
Date: Tue, 30 Jul 2002 11:15:00 +0100
From: Ben Laurie <ben@algroup.co.uk>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0) Gecko/20020530
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: OpenSSL Announce <openssl-announce@openssl.org>,
        Bugtraq <BUGTRAQ@SECURITYFOCUS.COM>,
        OpenSSL Dev <openssl-dev@openssl.org>, openssl-users@openssl.org
Subject: OpenSSL patches for other versions
Content-Type: multipart/mixed;
 boundary="------------040702070909050702020402"
Sender: owner-openssl-announce@openssl.org
Precedence: bulk
Reply-To: openssl-users@openssl.org
X-Sender: Ben Laurie <ben@algroup.co.uk>
X-List-Manager: OpenSSL Majordomo [version 1.94.4]
X-List-Name: openssl-announce

This is a multi-part message in MIME format.
--------------040702070909050702020402
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Enclosed are patches for today's OpenSSL security alert which apply to
other versions. The patch for 0.9.7 is supplied by Ben Laurie
<ben@algroup.co.uk> and the remainder by Vincent Danen (email not
supplied).

Patches are for 0.9.5a, 0.9.6 (use 0.9.6b patch), 0.9.6b, 0.9.6c, 0.9.7-dev.

These patches are known to apply correctly but have not been
thoroughly tested.

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

Available for contract work.

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

--------------040702070909050702020402
Content-Type: text/plain;
 name="openssl-0.9.5a-security.patch"
Content-Disposition: inline;
 filename="openssl-0.9.5a-security.patch"
Content-Transfer-Encoding: 7bit

--- crypto/cryptlib.c.orig	Fri Nov 23 13:57:59 2001
+++ crypto/cryptlib.c	Fri Jul 26 10:43:56 2002
@@ -491,3 +491,11 @@
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
--- crypto/cryptlib.h.orig	Tue May  2 06:35:04 2000
+++ crypto/cryptlib.h	Fri Jul 26 10:43:56 2002
@@ -89,6 +89,14 @@
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
--- crypto/asn1/asn1_lib.c.orig	Fri Mar 30 06:42:32 2001
+++ crypto/asn1/asn1_lib.c	Fri Jul 26 10:43:56 2002
@@ -407,7 +407,7 @@
 
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
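Review bot: this is the only hunk for crypto/asn1/asn1_lib.c in the
0.9.5a patch. The asn1_get_length() checks ("i > sizeof(long)",
"ret < 0") and the re-enabled length test next to
ASN1_F_ASN1_GET_OBJECT that the 0.9.6d patch carries are absent, so as
posted this patch does not cover CAN-2002-0659. If that is intentional,
say so in the covering note; otherwise carry the ASN1 hunks over.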
--- crypto/conf/conf.c.orig	Sun Jan 30 15:19:51 2000
+++ crypto/conf/conf.c	Fri Jul 26 13:17:49 2002
@@ -64,7 +64,7 @@
 #include <openssl/conf.h>
 #include <openssl/buffer.h>
 #include <openssl/err.h>
-
+#include "cryptlib.h"
 #include "conf_lcl.h"
 
 static void value_free_hash(CONF_VALUE *a, LHASH *conf);
@@ -123,12 +123,12 @@
 	{
 	LHASH *ret=NULL;
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*vv,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- crypto/objects/obj_dat.c.orig	Mon Sep  4 09:34:35 2000
+++ crypto/objects/obj_dat.c	Fri Jul 26 10:43:56 2002
@@ -428,7 +428,7 @@
 	unsigned long l;
 	unsigned char *p;
 	const char *s;
-	char tbuf[32];
+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
 	if (buf_len <= 0) return(0);
 
--- ssl/s2_clnt.c.orig	Sat Nov 10 03:43:51 2001
+++ ssl/s2_clnt.c	Fri Jul 26 10:43:56 2002
@@ -116,6 +116,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_client_method(int ver);
 static int get_server_finished(SSL *s);
@@ -517,6 +518,7 @@
 		}
 		
 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
 	return(1);
 	}
@@ -618,6 +620,7 @@
 		/* make key_arg data */
 		i=EVP_CIPHER_iv_length(c);
 		sess->key_arg_length=i;
+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 		/* make a master key */
@@ -625,6 +628,7 @@
 		sess->master_key_length=i;
 		if (i > 0)
 			{
+			die(i <= sizeof sess->master_key);
 			if (RAND_bytes(sess->master_key,i) <= 0)
 				{
 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -668,6 +672,7 @@
 		d+=enc;
 		karg=sess->key_arg_length;	
 		s2n(karg,p); /* key arg size */
+		die(karg <= sizeof sess->key_arg);
 		memcpy(d,sess->key_arg,(unsigned int)karg);
 		d+=karg;
 
@@ -688,6 +693,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_CLIENT_FINISHED;
+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
 
 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -944,6 +950,8 @@
 		{
 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
 			{
+			die(s->session->session_id_length
+			    <= sizeof s->session->session_id);
 			if (memcmp(buf,s->session->session_id,
 				(unsigned int)s->session->session_id_length) != 0)
 				{
--- ssl/s2_lib.c.orig	Tue Dec 26 05:06:47 2000
+++ ssl/s2_lib.c	Fri Jul 26 10:52:20 2002
@@ -62,6 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/md5.h>
+#include "cryptlib.h"
 
 static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -425,10 +426,14 @@
 #endif
 
 	km=s->s2->key_material;
+	die(s->s2->key_material_length <= sizeof s->s2->key_material);
 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 		{
 		MD5_Init(&ctx);
-
+		
+		die(s->session->master_key_length >= 0
+		    && s->session->master_key_length
+		    < sizeof s->session->master_key);
 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 		MD5_Update(&ctx,&c,1);
 		c++;
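Review bot: the "-"/"+" pair in the middle of this hunk replaces an
empty line with one that holds only tabs. Drop that whitespace-only
change so the hunk carries just the two die() additions and applies
cleanly against trees where the blank line is untouched.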
@@ -463,6 +468,7 @@
 /*	state=s->rwstate;*/
 	error=s->error;
 	s->error=0;
+	die(error >= 0 && error <= 3);
 	i=ssl2_write(s,&(buf[3-error]),error);
 /*	if (i == error) s->rwstate=state; */
 
--- ssl/s2_srvr.c.orig	Mon Jul  9 08:11:04 2001
+++ ssl/s2_srvr.c	Fri Jul 26 12:11:39 2002
@@ -63,6 +63,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -361,12 +362,19 @@
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
 		n2s(p,i); s->session->key_arg_length=i;
+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+		        {
+		        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+		                   SSL_R_KEY_ARG_TOO_LONG);
+		        return -1;
+		        }
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		s->init_num=0;
 		}
 
 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 	p=(unsigned char *)s->init_buf->data;
+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 	keya=s->session->key_arg_length;
 	n=s->s2->tmp.clear+s->s2->tmp.enc+keya - s->init_num;
 	i=ssl2_read(s,(char *)&(p[s->init_num]),n);
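Review bot: the die() only asserts that init_buf holds at least
SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER bytes; the read length computed
two lines later, "n=s->s2->tmp.clear+s->s2->tmp.enc+keya -
s->init_num", is built from values taken off the wire with n2s() and is
not compared with that size anywhere in this hunk. The 0.9.6d version
of this function has a "len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER"
test at this point. Please confirm the older code bounds n some other
way, or add the equivalent check before the ssl2_read() call.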
@@ -440,6 +448,7 @@
 #endif
 
 	if (is_export) i+=s->s2->tmp.clear;
+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 	s->session->master_key_length=i;
 	memcpy(s->session->master_key,p,(unsigned int)i);
 	return(1);
@@ -580,6 +589,7 @@
 	p+=s->s2->tmp.session_id_length;
 
 	/* challenge */
+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 	return(1);
 mem_err:
@@ -730,6 +740,7 @@
 		}
 
 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	i=ssl2_read(s,(char *)&(p[s->init_num]),s->s2->conn_id_length-s->init_num);
 	if (i < (int)s->s2->conn_id_length-s->init_num)
 		{
@@ -752,6 +763,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_VERIFY;
+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 		/* p+=s->s2->challenge_length; */
 
@@ -771,6 +783,8 @@
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_FINISHED;
 
+		die(s->session->session_id_length
+		    <= sizeof s->session->session_id);
 		memcpy(p,s->session->session_id,
 			(unsigned int)s->session->session_id_length);
 		/* p+=s->session->session_id_length; */
--- ssl/s3_clnt.c.orig	Thu Oct 25 02:18:54 2001
+++ ssl/s3_clnt.c	Fri Jul 26 10:56:23 2002
@@ -64,6 +64,7 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -492,6 +493,7 @@
 		*(p++)=i;
 		if (i != 0)
 			{
+			die(i <= sizeof s->session->session_id);
 			memcpy(p,s->session->session_id,i);
 			p+=i;
 			}
@@ -572,6 +574,14 @@
 
 	/* get the session-id */
 	j= *(p++);
+
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
 
 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 		{
--- ssl/ssl.h.orig	Mon Dec 17 12:24:39 2001
+++ ssl/ssl.h	Fri Jul 26 11:36:19 2002
@@ -1423,6 +1423,7 @@
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_TRUST				 279
+#define SSL_R_KEY_ARG_TOO_LONG				 1112
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
@@ -1491,6 +1492,7 @@
 #define SSL_R_SHORT_READ				 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
--- ssl/ssl_asn1.c.orig	Thu Jun  1 16:19:19 2000
+++ ssl/ssl_asn1.c	Fri Jul 26 11:37:53 2002
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 typedef struct ssl_session_asn1_st
 	{
@@ -275,6 +276,7 @@
 		os.length=i;
 
 	ret->session_id_length=os.length;
+	die(os.length <= sizeof ret->session_id);
 	memcpy(ret->session_id,os.data,os.length);
 
 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
--- ssl/ssl_err.c.orig	Fri Nov  9 18:15:29 2001
+++ ssl/ssl_err.c	Fri Jul 26 11:39:21 2002
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
@@ -343,6 +344,7 @@
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
--- ssl/ssl_sess.c.orig	Wed Nov 29 11:12:32 2000
+++ ssl/ssl_sess.c	Fri Jul 26 10:43:56 2002
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -199,6 +200,7 @@
 		ss->session_id_length=0;
 		}
 
+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;
--- ssl/s3_srvr.c.orig	Thu Oct 25 02:18:56 2001
+++ ssl/s3_srvr.c	Fri Jul 26 11:27:08 2002
@@ -122,6 +122,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -942,6 +943,7 @@
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
+		die(sl <= sizeof s->session->session_id);
 		*(p++)=sl;
 		memcpy(p,s->session->session_id,sl);
 		p+=sl;

--------------040702070909050702020402
Content-Type: text/plain;
 name="openssl-0.9.6b-security.patch"
Content-Disposition: inline;
 filename="openssl-0.9.6b-security.patch"
Content-Transfer-Encoding: 7bit

--- crypto/cryptlib.c.orig	Fri Nov 23 13:57:59 2001
+++ crypto/cryptlib.c	Fri Jul 26 10:43:56 2002
@@ -491,3 +491,11 @@
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
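Review bot: OpenSSLDie() ends in an unconditional abort() from inside the library and reports only to stderr, which a daemon may have closed or redirected. The calling application gets no chance to log or clean up. Please document in the header and in CHANGES that a failed die() terminates the process, and state that die() is for internal invariants only, not for validating lengths received from a peer or read from a file.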
--- crypto/cryptlib.h.orig	Tue May  2 06:35:04 2000
+++ crypto/cryptlib.h	Fri Jul 26 10:43:56 2002
@@ -89,6 +89,14 @@
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
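Review bot: HEX_SIZE has unbalanced parentheses, "((sizeof(type)*2)" opens two and closes one, so the first use of the macro will not compile; it needs a closing parenthesis. Two smaller points in the same hunk: the comment reads "represenations", and the parameter is called "type" although the callers in this patch pass objects (address, offset, eline). A short comment should spell out that DECIMAL_SIZE leaves room for a sign but not the terminating NUL, since every caller adds +1 by hand.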
--- crypto/asn1/asn1_lib.c.orig	Fri Mar 30 06:42:32 2001
+++ crypto/asn1/asn1_lib.c	Fri Jul 26 10:43:56 2002
@@ -407,7 +407,7 @@
 
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
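Review bot: buf1 is sized with DECIMAL_SIZE(address), the size of a pointer, but the value actually formatted is "(unsigned long)address" with "%lu". Size the buffer from the type that is printed, DECIMAL_SIZE(unsigned long), so the bound stays correct if pointer and long differ in width. Both sprintf calls are still unbounded; passing sizeof buf1 and sizeof buf2 to a bounded formatter would make the fix independent of the size arithmetic.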
--- crypto/conf/conf_def.c.orig	Tue Jun  6 09:21:12 2000
+++ crypto/conf/conf_def.c	Fri Jul 26 10:43:56 2002
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -180,12 +181,12 @@
 static int def_load(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- crypto/objects/obj_dat.c.orig	Mon Sep  4 09:34:35 2000
+++ crypto/objects/obj_dat.c	Fri Jul 26 10:43:56 2002
@@ -428,7 +428,7 @@
 	unsigned long l;
 	unsigned char *p;
 	const char *s;
-	char tbuf[32];
+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
 	if (buf_len <= 0) return(0);
 
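Review bot: tbuf goes from a fixed 32 bytes to DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2, which is smaller than before where long is 32 bits (assuming i is an int, its declaration is outside the hunk, that is 12+12+2 = 26). The code that writes into tbuf is not in this hunk, so please confirm that every format used with tbuf further down fits the new size on 32-bit builds, or keep 32 as a lower bound.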
--- ssl/s2_clnt.c.orig	Sat Nov 10 03:43:51 2001
+++ ssl/s2_clnt.c	Fri Jul 26 10:43:56 2002
@@ -116,6 +116,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_client_method(int ver);
 static int get_server_finished(SSL *s);
@@ -517,6 +518,7 @@
 		}
 		
 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
 	return(1);
 	}
@@ -618,6 +620,7 @@
 		/* make key_arg data */
 		i=EVP_CIPHER_iv_length(c);
 		sess->key_arg_length=i;
+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 		/* make a master key */
@@ -625,6 +628,7 @@
 		sess->master_key_length=i;
 		if (i > 0)
 			{
+			die(i <= sizeof sess->master_key);
 			if (RAND_bytes(sess->master_key,i) <= 0)
 				{
 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -668,6 +672,7 @@
 		d+=enc;
 		karg=sess->key_arg_length;	
 		s2n(karg,p); /* key arg size */
+		die(karg <= sizeof sess->key_arg);
 		memcpy(d,sess->key_arg,(unsigned int)karg);
 		d+=karg;
 
@@ -688,6 +693,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_CLIENT_FINISHED;
+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
 
 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -944,6 +950,8 @@
 		{
 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
 			{
+			die(s->session->session_id_length
+			    <= sizeof s->session->session_id);
 			if (memcmp(buf,s->session->session_id,
 				(unsigned int)s->session->session_id_length) != 0)
 				{
--- ssl/s2_lib.c.orig	Tue Dec 26 05:06:47 2000
+++ ssl/s2_lib.c	Fri Jul 26 10:52:20 2002
@@ -62,6 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/md5.h>
+#include "cryptlib.h"
 
 static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -425,10 +426,14 @@
 #endif
 
 	km=s->s2->key_material;
+	die(s->s2->key_material_length <= sizeof s->s2->key_material);
 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 		{
 		MD5_Init(&ctx);
-
+		
+		die(s->session->master_key_length >= 0
+		    && s->session->master_key_length
+		    < sizeof s->session->master_key);
 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 		MD5_Update(&ctx,&c,1);
 		c++;
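Review bot: the master key assertion uses a strict "<" against sizeof s->session->master_key, while the matching check in s2_clnt.c is "die(i <= sizeof sess->master_key)". A master key that exactly fills the array passes the client-side check and then aborts here. Unless there is a reason for the stricter bound, make it "<=". The assertion is also loop-invariant, so it can sit next to the key_material_length check above the for loop instead of running on every iteration.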
@@ -463,6 +468,7 @@
 /*	state=s->rwstate;*/
 	error=s->error;
 	s->error=0;
+	die(error >= 0 && error <= 3);
 	i=ssl2_write(s,&(buf[3-error]),error);
 /*	if (i == error) s->rwstate=state; */
 
--- ssl/s2_srvr.c.orig	Mon Jul  9 08:11:04 2001
+++ ssl/s2_srvr.c	Fri Jul 26 12:11:39 2002
@@ -63,6 +63,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -361,12 +362,19 @@
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
 		n2s(p,i); s->session->key_arg_length=i;
+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+		        {
+		        SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+		                   SSL_R_KEY_ARG_TOO_LONG);
+		        return -1;
+		        }
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		s->init_num=0;
 		}
 
 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 	p=(unsigned char *)s->init_buf->data;
+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 	keya=s->session->key_arg_length;
 	n=s->s2->tmp.clear+s->s2->tmp.enc+keya - s->init_num;
 	i=ssl2_read(s,(char *)&(p[s->init_num]),n);
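Review bot: the new die() asserts that init_buf holds at least SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER bytes, but nothing visible in this hunk bounds n, which is the sum of the peer-supplied tmp.clear, tmp.enc and key_arg_length minus init_num. The assertion only helps if that sum is checked against the same limit before ssl2_read() is called. Suggest adding an explicit test of clear+enc+keya against the buffer size with a normal error return.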
@@ -440,6 +448,7 @@
 #endif
 
 	if (is_export) i+=s->s2->tmp.clear;
+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 	s->session->master_key_length=i;
 	memcpy(s->session->master_key,p,(unsigned int)i);
 	return(1);
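Review bot: in the export case i includes s->s2->tmp.clear, which the earlier hunk shows is read straight from the client's message, so "die(i <= SSL_MAX_MASTER_KEY_LENGTH)" lets a remote peer abort the server process instead of overflowing master_key. That is better than the overflow but still an availability problem. Handle it the way the key_arg_length check is handled, with SSLerr() and an error return. If i is a signed int, as the "(unsigned int)i" cast suggests, a negative value also passes this check and should be rejected explicitly.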
@@ -580,6 +589,7 @@
 	p+=s->s2->tmp.session_id_length;
 
 	/* challenge */
+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 	return(1);
 mem_err:
@@ -730,6 +740,7 @@
 		}
 
 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	i=ssl2_read(s,(char *)&(p[s->init_num]),s->s2->conn_id_length-s->init_num);
 	if (i < (int)s->s2->conn_id_length-s->init_num)
 		{
@@ -752,6 +763,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_VERIFY;
+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 		/* p+=s->s2->challenge_length; */
 
@@ -771,6 +783,8 @@
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_FINISHED;
 
+		die(s->session->session_id_length
+		    <= sizeof s->session->session_id);
 		memcpy(p,s->session->session_id,
 			(unsigned int)s->session->session_id_length);
 		/* p+=s->session->session_id_length; */
--- ssl/s3_clnt.c.orig	Thu Oct 25 02:18:54 2001
+++ ssl/s3_clnt.c	Fri Jul 26 10:56:23 2002
@@ -64,6 +64,7 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -492,6 +493,7 @@
 		*(p++)=i;
 		if (i != 0)
 			{
+			die(i <= sizeof s->session->session_id);
 			memcpy(p,s->session->session_id,i);
 			p+=i;
 			}
@@ -572,6 +574,14 @@
 
 	/* get the session-id */
 	j= *(p++);
+
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
 
 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 		{
--- ssl/ssl.h.orig	Mon Dec 17 12:24:39 2001
+++ ssl/ssl.h	Fri Jul 26 11:36:19 2002
@@ -1423,6 +1423,7 @@
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_TRUST				 279
+#define SSL_R_KEY_ARG_TOO_LONG				 1112
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
@@ -1491,6 +1492,7 @@
 #define SSL_R_SHORT_READ				 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
--- ssl/ssl_asn1.c.orig	Thu Jun  1 16:19:19 2000
+++ ssl/ssl_asn1.c	Fri Jul 26 11:37:53 2002
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 typedef struct ssl_session_asn1_st
 	{
@@ -275,6 +276,7 @@
 		os.length=i;
 
 	ret->session_id_length=os.length;
+	die(os.length <= sizeof ret->session_id);
 	memcpy(ret->session_id,os.data,os.length);
 
 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
--- ssl/ssl_err.c.orig	Fri Nov  9 18:15:29 2001
+++ ssl/ssl_err.c	Fri Jul 26 11:39:21 2002
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
@@ -343,6 +344,7 @@
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
--- ssl/ssl_sess.c.orig	Wed Nov 29 11:12:32 2000
+++ ssl/ssl_sess.c	Fri Jul 26 10:43:56 2002
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -199,6 +200,7 @@
 		ss->session_id_length=0;
 		}
 
+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;
--- ssl/s3_srvr.c.orig	Thu Oct 25 02:18:56 2001
+++ ssl/s3_srvr.c	Fri Jul 26 11:27:08 2002
@@ -122,6 +122,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -942,6 +943,7 @@
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
+		die(sl <= sizeof s->session->session_id);
 		*(p++)=sl;
 		memcpy(p,s->session->session_id,sl);
 		p+=sl;

--------------040702070909050702020402
Content-Type: text/plain;
 name="openssl-0.9.6c-security.patch"
Content-Disposition: inline;
 filename="openssl-0.9.6c-security.patch"
Content-Transfer-Encoding: 7bit

--- crypto/cryptlib.c.orig	Fri Nov 23 13:57:59 2001
+++ crypto/cryptlib.c	Fri Jul 26 10:43:56 2002
@@ -491,3 +491,11 @@
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
--- crypto/cryptlib.h.orig	Tue May  2 06:35:04 2000
+++ crypto/cryptlib.h	Fri Jul 26 10:43:56 2002
@@ -89,6 +89,14 @@
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
--- crypto/asn1/asn1_lib.c.orig	Fri Mar 30 06:42:32 2001
+++ crypto/asn1/asn1_lib.c	Fri Jul 26 10:43:56 2002
@@ -407,7 +407,7 @@
 
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
--- crypto/conf/conf_def.c.orig	Tue Jun  6 09:21:12 2000
+++ crypto/conf/conf_def.c	Fri Jul 26 10:43:56 2002
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -180,12 +181,12 @@
 static int def_load(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
--- crypto/objects/obj_dat.c.orig	Mon Sep  4 09:34:35 2000
+++ crypto/objects/obj_dat.c	Fri Jul 26 10:43:56 2002
@@ -428,7 +428,7 @@
 	unsigned long l;
 	unsigned char *p;
 	const char *s;
-	char tbuf[32];
+	char tbuf[DECIMAL_SIZE(i)+DECIMAL_SIZE(l)+2];
 
 	if (buf_len <= 0) return(0);
 
--- ssl/s2_clnt.c.orig	Sat Nov 10 03:43:51 2001
+++ ssl/s2_clnt.c	Fri Jul 26 10:43:56 2002
@@ -116,6 +116,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_client_method(int ver);
 static int get_server_finished(SSL *s);
@@ -517,6 +518,7 @@
 		}
 		
 	s->s2->conn_id_length=s->s2->tmp.conn_id_length;
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	memcpy(s->s2->conn_id,p,s->s2->tmp.conn_id_length);
 	return(1);
 	}
@@ -618,6 +620,7 @@
 		/* make key_arg data */
 		i=EVP_CIPHER_iv_length(c);
 		sess->key_arg_length=i;
+		die(i <= SSL_MAX_KEY_ARG_LENGTH);
 		if (i > 0) RAND_pseudo_bytes(sess->key_arg,i);
 
 		/* make a master key */
@@ -625,6 +628,7 @@
 		sess->master_key_length=i;
 		if (i > 0)
 			{
+			die(i <= sizeof sess->master_key);
 			if (RAND_bytes(sess->master_key,i) <= 0)
 				{
 				ssl2_return_error(s,SSL2_PE_UNDEFINED_ERROR);
@@ -668,6 +672,7 @@
 		d+=enc;
 		karg=sess->key_arg_length;	
 		s2n(karg,p); /* key arg size */
+		die(karg <= sizeof sess->key_arg);
 		memcpy(d,sess->key_arg,(unsigned int)karg);
 		d+=karg;
 
@@ -688,6 +693,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_CLIENT_FINISHED;
+		die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 		memcpy(p,s->s2->conn_id,(unsigned int)s->s2->conn_id_length);
 
 		s->state=SSL2_ST_SEND_CLIENT_FINISHED_B;
@@ -944,6 +950,8 @@
 		{
 		if (!(s->options & SSL_OP_MICROSOFT_SESS_ID_BUG))
 			{
+			die(s->session->session_id_length
+			    <= sizeof s->session->session_id);
 			if (memcmp(buf,s->session->session_id,
 				(unsigned int)s->session->session_id_length) != 0)
 				{
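Review bot: the assertion bounds session_id_length against s->session->session_id only, but the memcmp() below reads the same number of bytes from buf as well. Nothing in the visible lines shows that buf holds that many bytes, so please either assert against the size of buf too or add a comment saying where that is guaranteed.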
--- ssl/s2_lib.c.orig	Tue Dec 26 05:06:47 2000
+++ ssl/s2_lib.c	Fri Jul 26 10:52:20 2002
@@ -62,6 +62,7 @@
 #include <openssl/rsa.h>
 #include <openssl/objects.h>
 #include <openssl/md5.h>
+#include "cryptlib.h"
 
 static long ssl2_default_timeout(void );
 const char *ssl2_version_str="SSLv2" OPENSSL_VERSION_PTEXT;
@@ -425,10 +426,14 @@
 #endif
 
 	km=s->s2->key_material;
+	die(s->s2->key_material_length <= sizeof s->s2->key_material);
 	for (i=0; i<s->s2->key_material_length; i+=MD5_DIGEST_LENGTH)
 		{
 		MD5_Init(&ctx);
-
+		
+		die(s->session->master_key_length >= 0
+		    && s->session->master_key_length
+		    < sizeof s->session->master_key);
 		MD5_Update(&ctx,s->session->master_key,s->session->master_key_length);
 		MD5_Update(&ctx,&c,1);
 		c++;
@@ -463,6 +468,7 @@
 /*	state=s->rwstate;*/
 	error=s->error;
 	s->error=0;
+	die(error >= 0 && error <= 3);
 	i=ssl2_write(s,&(buf[3-error]),error);
 /*	if (i == error) s->rwstate=state; */
 
--- ssl/s2_srvr.c.orig	Wed Nov 14 14:19:47 2001
+++ ssl/s2_srvr.c	Fri Jul 26 10:43:56 2002
@@ -116,6 +116,7 @@
 #include <openssl/rand.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl2_get_server_method(int ver);
 static int get_client_master_key(SSL *s);
@@ -417,11 +418,18 @@
 		n2s(p,i); s->s2->tmp.clear=i;
 		n2s(p,i); s->s2->tmp.enc=i;
 		n2s(p,i); s->session->key_arg_length=i;
+		if(s->session->key_arg_length > SSL_MAX_KEY_ARG_LENGTH)
+			{
+			SSLerr(SSL_F_GET_CLIENT_MASTER_KEY,
+				   SSL_R_KEY_ARG_TOO_LONG);
+			return -1;
+			}
 		s->state=SSL2_ST_GET_CLIENT_MASTER_KEY_B;
 		}
 
 	/* SSL2_ST_GET_CLIENT_MASTER_KEY_B */
 	p=(unsigned char *)s->init_buf->data;
+	die(s->init_buf->length >= SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER);
 	keya=s->session->key_arg_length;
 	len = 10 + (unsigned long)s->s2->tmp.clear + (unsigned long)s->s2->tmp.enc + (unsigned long)keya;
 	if (len > SSL2_MAX_RECORD_LENGTH_3_BYTE_HEADER)
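Review bot: the oversized key_arg_length is stored in s->session->key_arg_length before it is tested, so the session object keeps the bad value after the "return -1". Compare the local i against SSL_MAX_KEY_ARG_LENGTH first and assign only on success. The error path also returns without telling the peer anything; s2_clnt.c in this same patch calls ssl2_return_error() on its failure path, and the same would be appropriate here.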
@@ -502,6 +510,7 @@
 #endif
 
 	if (is_export) i+=s->s2->tmp.clear;
+	die(i <= SSL_MAX_MASTER_KEY_LENGTH);
 	s->session->master_key_length=i;
 	memcpy(s->session->master_key,p,(unsigned int)i);
 	return(1);
@@ -649,6 +658,7 @@
 	p+=s->s2->tmp.session_id_length;
 
 	/* challenge */
+	die(s->s2->challenge_length <= sizeof s->s2->challenge);
 	memcpy(s->s2->challenge,p,(unsigned int)s->s2->challenge_length);
 	return(1);
 mem_err:
@@ -800,6 +810,7 @@
 		}
 
 	/* SSL2_ST_GET_CLIENT_FINISHED_B */
+	die(s->s2->conn_id_length <= sizeof s->s2->conn_id);
 	len = 1 + (unsigned long)s->s2->conn_id_length;
 	n = (int)len - s->init_num;
 	i = ssl2_read(s,(char *)&(p[s->init_num]),n);
@@ -825,6 +836,7 @@
 		{
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_VERIFY;
+		die(s->s2->challenge_length <= sizeof s->s2->challenge);
 		memcpy(p,s->s2->challenge,(unsigned int)s->s2->challenge_length);
 		/* p+=s->s2->challenge_length; */
 
@@ -844,6 +856,8 @@
 		p=(unsigned char *)s->init_buf->data;
 		*(p++)=SSL2_MT_SERVER_FINISHED;
 
+		die(s->session->session_id_length
+		    <= sizeof s->session->session_id);
 		memcpy(p,s->session->session_id,
 			(unsigned int)s->session->session_id_length);
 		/* p+=s->session->session_id_length; */
--- ssl/s3_clnt.c.orig	Thu Oct 25 02:18:54 2001
+++ ssl/s3_clnt.c	Fri Jul 26 10:56:23 2002
@@ -64,6 +64,7 @@
 #include <openssl/sha.h>
 #include <openssl/evp.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_client_method(int ver);
 static int ssl3_client_hello(SSL *s);
@@ -492,6 +493,7 @@
 		*(p++)=i;
 		if (i != 0)
 			{
+			die(i <= sizeof s->session->session_id);
 			memcpy(p,s->session->session_id,i);
 			p+=i;
 			}
@@ -572,6 +574,14 @@
 
 	/* get the session-id */
 	j= *(p++);
+
+       if(j > sizeof s->session->session_id)
+               {
+               al=SSL_AD_ILLEGAL_PARAMETER;
+               SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,
+                      SSL_R_SSL3_SESSION_ID_TOO_LONG);
+               goto f_err;
+               }
 
 	if ((j != 0) && (j != SSL3_SESSION_ID_SIZE))
 		{
--- ssl/ssl.h.orig	Mon Dec 17 12:24:39 2001
+++ ssl/ssl.h	Fri Jul 26 11:36:19 2002
@@ -1423,6 +1423,7 @@
 #define SSL_R_INVALID_COMMAND				 280
 #define SSL_R_INVALID_PURPOSE				 278
 #define SSL_R_INVALID_TRUST				 279
+#define SSL_R_KEY_ARG_TOO_LONG				 1112
 #define SSL_R_LENGTH_MISMATCH				 159
 #define SSL_R_LENGTH_TOO_SHORT				 160
 #define SSL_R_LIBRARY_BUG				 274
@@ -1491,6 +1492,7 @@
 #define SSL_R_SHORT_READ				 219
 #define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE	 220
 #define SSL_R_SSL23_DOING_SESSION_ID_REUSE		 221
+#define SSL_R_SSL3_SESSION_ID_TOO_LONG			 1113
 #define SSL_R_SSL3_SESSION_ID_TOO_SHORT			 222
 #define SSL_R_SSLV3_ALERT_BAD_CERTIFICATE		 1042
 #define SSL_R_SSLV3_ALERT_BAD_RECORD_MAC		 1020
--- ssl/ssl_asn1.c.orig	Thu Jun  1 16:19:19 2000
+++ ssl/ssl_asn1.c	Fri Jul 26 11:37:53 2002
@@ -62,6 +62,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 typedef struct ssl_session_asn1_st
 	{
@@ -275,6 +276,7 @@
 		os.length=i;
 
 	ret->session_id_length=os.length;
+	die(os.length <= sizeof ret->session_id);
 	memcpy(ret->session_id,os.data,os.length);
 
 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
--- ssl/ssl_err.c.orig	Fri Nov  9 18:15:29 2001
+++ ssl/ssl_err.c	Fri Jul 26 11:39:21 2002
@@ -1,6 +1,6 @@
 /* ssl/ssl_err.c */
 /* ====================================================================
- * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2002 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -275,6 +275,7 @@
 {SSL_R_INVALID_COMMAND                   ,"invalid command"},
 {SSL_R_INVALID_PURPOSE                   ,"invalid purpose"},
 {SSL_R_INVALID_TRUST                     ,"invalid trust"},
+{SSL_R_KEY_ARG_TOO_LONG                  ,"key arg too long"},
 {SSL_R_LENGTH_MISMATCH                   ,"length mismatch"},
 {SSL_R_LENGTH_TOO_SHORT                  ,"length too short"},
 {SSL_R_LIBRARY_BUG                       ,"library bug"},
@@ -343,6 +344,7 @@
 {SSL_R_SHORT_READ                        ,"short read"},
 {SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE,"signature for non signing certificate"},
 {SSL_R_SSL23_DOING_SESSION_ID_REUSE      ,"ssl23 doing session id reuse"},
+{SSL_R_SSL3_SESSION_ID_TOO_LONG          ,"ssl3 session id too long"},
 {SSL_R_SSL3_SESSION_ID_TOO_SHORT         ,"ssl3 session id too short"},
 {SSL_R_SSLV3_ALERT_BAD_CERTIFICATE       ,"sslv3 alert bad certificate"},
 {SSL_R_SSLV3_ALERT_BAD_RECORD_MAC        ,"sslv3 alert bad record mac"},
--- ssl/ssl_sess.c.orig	Wed Nov 29 11:12:32 2000
+++ ssl/ssl_sess.c	Fri Jul 26 10:43:56 2002
@@ -60,6 +60,7 @@
 #include <openssl/lhash.h>
 #include <openssl/rand.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
@@ -199,6 +200,7 @@
 		ss->session_id_length=0;
 		}
 
+	die(s->sid_ctx_length <= sizeof ss->sid_ctx);
 	memcpy(ss->sid_ctx,s->sid_ctx,s->sid_ctx_length);
 	ss->sid_ctx_length=s->sid_ctx_length;
 	s->session=ss;
--- ssl/s3_srvr.c.orig	Thu Oct 25 02:18:56 2001
+++ ssl/s3_srvr.c	Fri Jul 26 11:27:08 2002
@@ -122,6 +122,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
+#include "cryptlib.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -942,6 +943,7 @@
 			s->session->session_id_length=0;
 
 		sl=s->session->session_id_length;
+		die(sl <= sizeof s->session->session_id);
 		*(p++)=sl;
 		memcpy(p,s->session->session_id,sl);
 		p+=sl;

--------------040702070909050702020402
Content-Type: text/plain;
 name="openssl-0.9.7-sec.patch"
Content-Disposition: inline;
 filename="openssl-0.9.7-sec.patch"
Content-Transfer-Encoding: 7bit

Index: CHANGES
===================================================================
RCS file: /e/openssl/cvs/openssl/CHANGES,v
retrieving revision 1.977.2.42
diff -u -r1.977.2.42 CHANGES
--- CHANGES	2002/07/16 09:18:25	1.977.2.42
+++ CHANGES	2002/07/30 09:54:48
@@ -4,6 +4,38 @@
 
  Changes between 0.9.6e and 0.9.7  [XX xxx 2002]
 
+Changes marked "(CHATS)" were sponsored by the Defense Advanced
+Research Projects Agency (DARPA) and Air Force Research Laboratory,
+Air Force Materiel Command, USAF, under agreement number
+F30602-01-2-0537.
+
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer. (CAN-2002-0659)
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
+  *) Assertions for various potential buffer overflows, not known to
+     happen in practice.
+     [Ben Laurie (CHATS)]
+
+  *) Various temporary buffers to hold ASCII versions of integers were
+     too small for 64 bit platforms. (CAN-2002-0655)
+     [Matthew Byng-Maddick <mbm@aldigital.co.uk> and Ben Laurie (CHATS)>
+
+  *) Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized master key in Kerberos-enabled versions.
+     (CAN-2002-0657)
+     [Ben Laurie (CHATS)]
+
+  *) Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized session ID to a client. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
+  *) Remote buffer overflow in SSL2 protocol - an attacker could
+     supply an oversized client master key. (CAN-2002-0656)
+     [Ben Laurie (CHATS)]
+
   *) Add appropriate support for separate platform-dependent build
      directories.  The recommended way to make a platform-dependent
      build directory is the following (tested on Linux), maybe with
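Review bot: the attribution line for the 64-bit buffer entry ends in "(CHATS)>" where the closing "]" should be. The entry "Assertions for various potential buffer overflows" should also say that a failed assertion calls abort(), since that is a behaviour change applications need to know about. The sponsorship paragraph is flush left while the rest of the file indents its entries; please match the existing layout.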
@@ -1654,6 +1686,12 @@
      [Richard Levitte]
 
  Changes between 0.9.6d and 0.9.6e  [XX xxx XXXX]
+
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer.
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 
   *) Fix cipher selection routines: ciphers without encryption had no flags
      for the cipher strength set and where therefore not handled correctly
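Review bot: the asn1_get_length() entry added under "Changes between 0.9.6d and 0.9.6e" drops the "(CAN-2002-0659)" reference that the identical entry carries under the 0.9.7 heading in the previous hunk. Keep the identifier in both places so the 0.9.6e section can be matched to the advisory.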
Index: crypto/cryptlib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.c,v
retrieving revision 1.32
diff -u -r1.32 cryptlib.c
--- crypto/cryptlib.c	2001/11/24 04:02:42	1.32
+++ crypto/cryptlib.c	2002/07/30 09:54:50
@@ -492,3 +492,11 @@
 #endif
 
 #endif
+
+void OpenSSLDie(const char *file,int line,const char *assertion)
+    {
+    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
+	    file,line,assertion);
+    abort();
+    }
+
Index: crypto/cryptlib.h
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/cryptlib.h,v
retrieving revision 1.10
diff -u -r1.10 cryptlib.h
--- crypto/cryptlib.h	2001/02/22 14:44:54	1.10
+++ crypto/cryptlib.h	2002/07/30 09:54:50
@@ -89,6 +89,14 @@
 #define X509_CERT_DIR_EVP        "SSL_CERT_DIR"
 #define X509_CERT_FILE_EVP       "SSL_CERT_FILE"
 
+/* size of string represenations */
+#define DECIMAL_SIZE(type)     ((sizeof(type)*8+2)/3+1)
+#define HEX_SIZE(type)         ((sizeof(type)*2)
+
+/* die if we have to */
+void OpenSSLDie(const char *file,int line,const char *assertion);
+#define die(e)	((e) ? (void)0 : OpenSSLDie(__FILE__, __LINE__, #e))
+
 #ifdef  __cplusplus
 }
 #endif
Index: crypto/asn1/asn1_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/asn1/asn1_lib.c,v
retrieving revision 1.20.2.1
diff -u -r1.20.2.1 asn1_lib.c
--- crypto/asn1/asn1_lib.c	2002/06/13 17:38:46	1.20.2.1
+++ crypto/asn1/asn1_lib.c	2002/07/30 09:54:51
@@ -124,15 +124,13 @@
 		(int)(omax+ *pp));
 
 #endif
-#if 0
-	if ((p+ *plength) > (omax+ *pp))
+	if (*plength > (omax - (*pp - p)))
 		{
 		ASN1err(ASN1_F_ASN1_GET_OBJECT,ASN1_R_TOO_LONG);
 		/* Set this so that even if things are not long enough
 		 * the values are set correctly */
 		ret|=0x80;
 		}
-#endif
 	*pp=p;
 	return(ret|inf);
 err:
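Review bot: the re-enabled bound looks to have its subtraction reversed. The disabled test was "(p+ *plength) > (omax+ *pp)", which rearranges to "*plength > omax - (p - *pp)". The new line uses "(*pp - p)". Since "*pp=p" follows, p is the pointer that has already advanced past the header, so "*pp - p" is negative and the limit becomes omax plus the header length rather than omax minus it. A content length that overruns the buffer by up to twice the header size is then accepted. Suggest "omax - (p - *pp)".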
@@ -159,6 +157,8 @@
 		i= *p&0x7f;
 		if (*(p++) & 0x80)
 			{
+			if (i > sizeof(long))
+				return 0;
 			if (max-- == 0) return(0);
 			while (i-- > 0)
 				{
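Review bot: "i > sizeof(long)" still admits i equal to sizeof(long), so a length whose top bit is set can be accumulated into ret; rejecting that case depends entirely on the "ret < 0" test added in the next hunk. Please add a comment tying the two checks together so neither is removed on its own later. The new return is also written "return 0;" where the adjacent line uses "return(0);".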
@@ -170,6 +170,8 @@
 		else
 			ret=i;
 		}
+	if (ret < 0)
+		return 0;
 	*pp=p;
 	*rl=ret;
 	return(1);
@@ -407,7 +409,7 @@
 
 void asn1_add_error(unsigned char *address, int offset)
 	{
-	char buf1[16],buf2[16];
+	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];
 
 	sprintf(buf1,"%lu",(unsigned long)address);
 	sprintf(buf2,"%d",offset);
Index: crypto/conf/conf_def.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/conf/conf_def.c,v
retrieving revision 1.12
diff -u -r1.12 conf_def.c
--- crypto/conf/conf_def.c	2002/01/24 16:15:17	1.12
+++ crypto/conf/conf_def.c	2002/07/30 09:54:51
@@ -67,6 +67,7 @@
 #include "conf_def.h"
 #include <openssl/buffer.h>
 #include <openssl/err.h>
+#include "cryptlib.h"
 
 static char *eat_ws(CONF *conf, char *p);
 static char *eat_alpha_numeric(CONF *conf, char *p);
@@ -208,12 +209,12 @@
 static int def_load_bio(CONF *conf, BIO *in, long *line)
 	{
 #define BUFSIZE	512
-	char btmp[16];
 	int bufnum=0,i,ii;
 	BUF_MEM *buff=NULL;
 	char *s,*p,*end;
 	int again,n;
 	long eline=0;
+	char btmp[DECIMAL_SIZE(eline)+1];
 	CONF_VALUE *v=NULL,*tv;
 	CONF_VALUE *sv=NULL;
 	char *section=NULL,*buf;
Index: crypto/conf/conf_mod.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/conf/conf_mod.c,v
retrieving revision 1.8.2.6
diff -u -r1.8.2.6 conf_mod.c
--- crypto/conf/conf_mod.c	2002/05/08 15:13:24	1.8.2.6
+++ crypto/conf/conf_mod.c	2002/07/30 09:54:52
@@ -230,7 +230,7 @@
 		{
 		if (!(flags & CONF_MFLAGS_SILENT))
 			{
-			char rcode[10];
+			char rcode[DECIMAL_SIZE(ret)+1];
 			CONFerr(CONF_F_CONF_MODULES_LOAD, CONF_R_MODULE_INITIALIZATION_ERROR);
 			sprintf(rcode, "%-8d", ret);
 			ERR_add_error_data(6, "module=", name, ", value=", value, ", retcode=", rcode);
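Review bot: In `sprintf(rcode, "%-8d", ret)` the format has a minimum field width of 8, so the call always writes at least 8 characters plus the terminating NUL, whatever the width of `ret`. Sizing the buffer as `DECIMAL_SIZE(ret)+1` ties it only to the type and ignores that width, so on a platform with a narrow int the new buffer could be smaller than the 9 bytes the format requires, where the old `char rcode[10]` was not. Either drop the field width (the value is only appended to the error data) or size the buffer as the larger of 9 and `DECIMAL_SIZE(ret)+1`.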
Index: crypto/engine/hw_cswift.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/engine/hw_cswift.c,v
retrieving revision 1.17.2.1
diff -u -r1.17.2.1 hw_cswift.c
--- crypto/engine/hw_cswift.c	2002/06/21 02:48:52	1.17.2.1
+++ crypto/engine/hw_cswift.c	2002/07/30 09:54:53
@@ -501,7 +501,7 @@
 		goto err;
 	default:
 		{
-		char tmpbuf[20];
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
 		sprintf(tmpbuf, "%ld", sw_status);
 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
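Review bot: The same three-line pattern (`char tmpbuf[...]`, `sprintf(tmpbuf, "%ld", sw_status)`, `ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf)`) is patched identically in every CSWIFT error path in this file. Factoring it into one static helper that takes `sw_status` would leave a single buffer declaration to audit. The `%ld` format also requires `sw_status` to be a long. Its declaration is outside these hunks, so confirm the type or add a `(long)` cast at the call so that the buffer size and the format stay in agreement.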
@@ -518,7 +518,7 @@
 	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP, &arg, 1,
 		&res, 1)) != SW_OK)
 		{
-		char tmpbuf[20];
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP,CSWIFT_R_REQUEST_FAILED);
 		sprintf(tmpbuf, "%ld", sw_status);
 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
@@ -608,7 +608,7 @@
 		goto err;
 	default:
 		{
-		char tmpbuf[20];
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
 		sprintf(tmpbuf, "%ld", sw_status);
 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
@@ -625,7 +625,7 @@
 	if((sw_status = p_CSwift_SimpleRequest(hac, SW_CMD_MODEXP_CRT, &arg, 1,
 		&res, 1)) != SW_OK)
 		{
-		char tmpbuf[20];
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
 		CSWIFTerr(CSWIFT_F_CSWIFT_MOD_EXP_CRT,CSWIFT_R_REQUEST_FAILED);
 		sprintf(tmpbuf, "%ld", sw_status);
 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
@@ -740,7 +740,7 @@
 		goto err;
 	default:
 		{
-		char tmpbuf[20];
+		char tmpbuf[DECIMAL_SIZE(sw_status)+1];
 		CSWIFTerr(CSWIFT_F_CSWIFT_DSA_SIGN,CSWIFT_R_REQUEST_FAILED);
 		sprintf(tmpbuf, "%ld", sw_status);
 		ERR_add_error_data(2, "CryptoSwift error number is ",tmpbuf);
@@ -758,7 +758,7 @@
 		&res, 1);
 	if(sw_status != SW_OK)
 		{
-		char tmpbuf[20];
+		char tmpbuf[D