CHANGES (76866) CHANGES (79998)
1
2 OpenSSL CHANGES
3 _______________
4
5 Changes between 0.9.6a and 0.9.6b [9 Jul 2001]
6
7 *) Change ssleay_rand_bytes (crypto/rand/md_rand.c)
8 to avoid a SSLeay/OpenSSL PRNG weakness pointed out by
9 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>:
10 PRNG state recovery was possible based on the output of
11 one PRNG request appropriately sized to gain knowledge on
12 'md' followed by enough consecutive 1-byte PRNG requests
13 to traverse all of 'state'.
14
15 1. When updating 'md_local' (the current thread's copy of 'md')
16 during PRNG output generation, hash all of the previous
17 'md_local' value, not just the half used for PRNG output.
18
19 2. Make the number of bytes from 'state' included into the hash
20 independent from the number of PRNG bytes requested.
21
22 The first measure alone would be sufficient to avoid
23 Markku-Juhani's attack. (Actually it had never occurred
24 to me that the half of 'md_local' used for chaining was the
25 half from which PRNG output bytes were taken -- I had always
26 assumed that the secret half would be used.) The second
27 measure makes sure that additional data from 'state' is never
28 mixed into 'md_local' in small portions; this heuristically
29 further strengthens the PRNG.
30 [Bodo Moeller]
31
32 *) Fix crypto/bn/asm/mips3.s.
33 [Andy Polyakov]
34
35 *) When only the key is given to "enc", the IV is undefined. Print out
36 an error message in this case.
37 [Lutz Jaenicke]
38
39 *) Handle special case when X509_NAME is empty in X509 printing routines.
40 [Steve Henson]
41
42 *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
43 positive and less than q.
44 [Bodo Moeller]
45
46 *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
47 used: it isn't thread safe and the add_lock_callback should handle
48 that itself.
49 [Paul Rose <Paul.Rose@bridge.com>]
50
51 *) Verify that incoming data obeys the block size in
52 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c).
53 [Bodo Moeller]
54
55 *) Fix OAEP check.
56 [Ulf M�ller, Bodo M�ller]
57
58 *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
59 RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
60 when fixing the server behaviour for backwards-compatible 'client
61 hello' messages. (Note that the attack is impractical against
62 SSL 3.0 and TLS 1.0 anyway because length and version checking
63 means that the probability of guessing a valid ciphertext is
64 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
65 paper.)
66
67 Before 0.9.5, the countermeasure (hide the error by generating a
68 random 'decryption result') did not work properly because
69 ERR_clear_error() was missing, meaning that SSL_get_error() would
70 detect the supposedly ignored error.
71
72 Both problems are now fixed.
73 [Bodo Moeller]
74
75 *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
76 (previously it was 1024).
77 [Bodo Moeller]
78
79 *) Fix for compatibility mode trust settings: ignore trust settings
80 unless some valid trust or reject settings are present.
81 [Steve Henson]
82
83 *) Fix for blowfish EVP: its a variable length cipher.
84 [Steve Henson]
85
86 *) Fix various bugs related to DSA S/MIME verification. Handle missing
87 parameters in DSA public key structures and return an error in the
88 DSA routines if parameters are absent.
89 [Steve Henson]
90
91 *) In versions up to 0.9.6, RAND_file_name() resorted to file ".rnd"
92 in the current directory if neither $RANDFILE nor $HOME was set.
93 RAND_file_name() in 0.9.6a returned NULL in this case. This has
94 caused some confusion to Windows users who haven't defined $HOME.
95 Thus RAND_file_name() is changed again: e_os.h can define a
96 DEFAULT_HOME, which will be used if $HOME is not set.
97 For Windows, we use "C:"; on other platforms, we still require
98 environment variables.
99
100 *) Move 'if (!initialized) RAND_poll()' into regions protected by
101 CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids
102 having multiple threads call RAND_poll() concurrently.
103 [Bodo Moeller]
104
105 *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a
106 combination of a flag and a thread ID variable.
107 Otherwise while one thread is in ssleay_rand_bytes (which sets the
108 flag), *other* threads can enter ssleay_add_bytes without obeying
109 the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock
110 that they do not hold after the first thread unsets add_do_not_lock).
111 [Bodo Moeller]
112
113 *) Change bctest again: '-x' expressions are not available in all
114 versions of 'test'.
115 [Bodo Moeller]
116
5 Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
6
7 *) Fix a couple of memory leaks in PKCS7_dataDecode()
8 [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
9
10 *) Change Configure and Makefiles to provide EXE_EXT, which will contain
11 the default extension for executables, if any. Also, make the perl
12 scripts that use symlink() to test if it really exists and use "cp"
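Review bot: the RAND_file_name() entry in the added 0.9.6b section (the one ending "on other platforms, we still require environment variables.") is the only entry without a bracketed attribution line; every other entry in the section closes with its author, e.g. `[Bodo Moeller]`, so one should be added. Minor wording in the same block: "accidentily" in the Bleichenbacher entry, "illegaly" in the md_rand.c entry, "is add_lock_callback is used" (should be "if"), and "its a variable length cipher" (should be "it's"); the attacker's name is also spelled both "Bleichbacher's" and "Bleichenbacher's" within the same entry, and the latter is the correct form.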

--- 2345 unchanged lines hidden (view full) ---

2358 SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when
2359 a single record has been written.
2360 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write
2361 retries use the same buffer location.
2362 (But all of the contents must be
2363 copied!)
2364 [Bodo Moeller]
2365
117 Changes between 0.9.6 and 0.9.6a [5 Apr 2001]
118
119 *) Fix a couple of memory leaks in PKCS7_dataDecode()
120 [Steve Henson, reported by Heyun Zheng <hzheng@atdsprint.com>]
121
122 *) Change Configure and Makefiles to provide EXE_EXT, which will contain
123 the default extension for executables, if any. Also, make the perl
124 scripts that use symlink() to test if it really exists and use "cp"

--- 2345 unchanged lines hidden (view full) ---

2470 SSL_MODE_ENABLE_PARTIAL_WRITE Allow SSL_write to report success when
2471 a single record has been written.
2472 SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER Don't insist that SSL_write
2473 retries use the same buffer location.
2474 (But all of the contents must be
2475 copied!)
2476 [Bodo Moeller]
2477
2366 *) Bugfix: SSL_set_mode ignored its parameter, only SSL_CTX_set_mode
2478 *) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options
2367 worked.
2368
2369 *) Fix problems with no-hmac etc.
2370 [Ulf M�ller, pointed out by Brian Wellington <bwelling@tislabs.com>]
2371
2372 *) New functions RSA_get_default_method(), RSA_set_method() and
2373 RSA_get_method(). These allows replacement of RSA_METHODs without having
2374 to mess around with the internals of an RSA structure.

--- 1438 unchanged lines hidden ---
2479 worked.
2480
2481 *) Fix problems with no-hmac etc.
2482 [Ulf M�ller, pointed out by Brian Wellington <bwelling@tislabs.com>]
2483
2484 *) New functions RSA_get_default_method(), RSA_set_method() and
2485 RSA_get_method(). These allows replacement of RSA_METHODs without having
2486 to mess around with the internals of an RSA structure.
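Review bot: the corrected entry (`*) Bugfix: SSL_set_options ignored its parameter, only SSL_CTX_set_options` / `worked.`) still carries no bracketed attribution, unlike the neighbouring entries that close with an author; since the commit touches the entry anyway, adding the credit would keep the section consistent. The change is a changelog-only correction, renaming the affected pair from SSL_set_mode/SSL_CTX_set_mode to SSL_set_options/SSL_CTX_set_options, and because the entry immediately above concerns the SSL_MODE_* flags, it is worth confirming against the source that the parameter-ignored bug was indeed in SSL_set_options and not in SSL_set_mode before merging.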

--- 1438 unchanged lines hidden ---