[openssl] OpenSSL_1_1_1-stable update

Matt Caswell matt at openssl.org
Tue Feb 26 14:37:22 UTC 2019


The branch OpenSSL_1_1_1-stable has been updated
       via  69fc126cfdc0171eaf57a91959beda548247b94b (commit)
       via  50eaac9f3337667259de725451f201e784599687 (commit)
       via  ab874dfd3e22a7c6ea3d45bc352294546af5afff (commit)
      from  72a7a7021fa8bc82a11bc08bac1b0241a92143d0 (commit)


- Log -----------------------------------------------------------------
commit 69fc126cfdc0171eaf57a91959beda548247b94b
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 26 14:17:50 2019 +0000

    Prepare for 1.1.1c-dev
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 50eaac9f3337667259de725451f201e784599687
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 26 14:15:30 2019 +0000

    Prepare for 1.1.1b release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit ab874dfd3e22a7c6ea3d45bc352294546af5afff
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Feb 20 14:21:36 2019 +0000

    Clarify that SSL_shutdown() must not be called after a fatal error
    
    Follow on from CVE-2019-1559
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                    |  6 +++++-
 NEWS                       |  6 +++++-
 README                     |  2 +-
 doc/man3/SSL_get_error.pod | 13 ++++++++-----
 doc/man3/SSL_shutdown.pod  |  4 ++++
 include/openssl/opensslv.h |  4 ++--
 6 files changed, 25 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index cc7502d..f58022b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,11 @@
  https://github.com/openssl/openssl/commits/ and pick the appropriate
  release branch.
 
- Changes between 1.1.1a and 1.1.1b [xx XXX xxxx]
+ Changes between 1.1.1b and 1.1.1c [xx XXX xxxx]
+
+  *)
+
+ Changes between 1.1.1a and 1.1.1b [26 Feb 2019]
 
   *) Added SCA hardening for modular field inversion in EC_GROUP through
      a new dedicated field_inv() pointer in EC_METHOD.
diff --git a/NEWS b/NEWS
index 33ab03e..2baab79 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,11 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [under development]
+  Major changes between OpenSSL 1.1.1b and OpenSSL 1.1.1c [under development]
+
+      o
+
+  Major changes between OpenSSL 1.1.1a and OpenSSL 1.1.1b [26 Feb 2019]
 
       o Change the info callback signals for the start and end of a post-handshake
         message exchange in TLSv1.3.
diff --git a/README b/README
index 5b614cb..fb98b88 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.1.1b-dev
+ OpenSSL 1.1.1c-dev
 
  Copyright (c) 1998-2018 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/doc/man3/SSL_get_error.pod b/doc/man3/SSL_get_error.pod
index a8dd7c1..5a7a4b7 100644
--- a/doc/man3/SSL_get_error.pod
+++ b/doc/man3/SSL_get_error.pod
@@ -138,17 +138,20 @@ Details depend on the application.
 
 =item SSL_ERROR_SYSCALL
 
-Some non-recoverable I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-For socket I/O on Unix systems, consult B<errno> for details.
+Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
+contain more information on the error. For socket I/O on Unix systems, consult
+B<errno> for details. If this error occurs then no further I/O operations should
+be performed on the connection and SSL_shutdown() must not be called.
 
 This value can also be returned for other errors, check the error queue for
 details.
 
 =item SSL_ERROR_SSL
 
-A failure in the SSL library occurred, usually a protocol error.  The
-OpenSSL error queue contains more information on the error.
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
+error.  The OpenSSL error queue contains more information on the error. If this
+error occurs then no further I/O operations should be performed on the
+connection and SSL_shutdown() must not be called.
 
 =back
 
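Review bot: In the SSL_ERROR_SYSCALL item, the unchanged follow-up paragraph ("This value can also be returned for other errors, check the error queue for details.") now sits directly after text that calls the error non-recoverable and fatal. That leaves it unclear whether the ban on further I/O and on SSL_shutdown() also covers those other errors. Suggest folding that sentence into the new paragraph, or stating explicitly that the prohibition applies whenever SSL_ERROR_SYSCALL is returned. Both items also mix "should" (no further I/O) with "must not" (SSL_shutdown()) for what reads as one rule; pick one strength. Consider writing the reference as L<SSL_shutdown(3)>, in line with the B<errno> markup already used here, so it links to the page that carries the matching note.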
diff --git a/doc/man3/SSL_shutdown.pod b/doc/man3/SSL_shutdown.pod
index 0a3d6d3..551fff6 100644
--- a/doc/man3/SSL_shutdown.pod
+++ b/doc/man3/SSL_shutdown.pod
@@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
 a currently open session is considered closed and good and will be kept in the
 session cache for further reuse.
 
+Note that SSL_shutdown() must not be called if a previous fatal error has
+occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
+or SSL_ERROR_SSL.
+
 The shutdown procedure consists of two steps: sending of the close_notify
 shutdown alert, and reception of the peer's close_notify shutdown alert.
 The order of those two steps depends on the application.
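Review bot: The added note says what must not be done after SSL_ERROR_SYSCALL or SSL_ERROR_SSL, but not what the application should do instead. It also follows directly on the sentence stating that the session "is considered closed and good and will be kept in the session cache for further reuse", so the reader is left guessing how a failed connection is meant to be torn down. Suggest adding one sentence on the expected cleanup path (for example, free the SSL object and close the underlying transport without attempting close_notify). Minor: "i.e." wants commas around it, and SSL_get_error() could be written as L<SSL_get_error(3)>.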
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 308091f..b4b255a 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x10101020L
-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1b-dev  xx XXX xxxx"
+# define OPENSSL_VERSION_NUMBER  0x10101030L
+# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1c-dev  xx XXX xxxx"
 
 /*-
  * The macros below are to be used for shared library (.so, .dll, ...)

