CHANGES (79998) | CHANGES (89837) |
---|---|
1 2 OpenSSL CHANGES 3 _______________ 4 | 1 2 OpenSSL CHANGES 3 _______________ 4 |
5 Changes between 0.9.6b and 0.9.6c [21 dec 2001] 6 7 *) Fix BN_rand_range bug pointed out by Dominikus Scherkl 8 <Dominikus.Scherkl@biodata.com>. (The previous implementation 9 worked incorrectly for those cases where range = 10..._2 and 10 3*range is two bits longer than range.) 11 [Bodo Moeller] 12 13 *) Only add signing time to PKCS7 structures if it is not already 14 present. 15 [Steve Henson] 16 17 *) Fix crypto/objects/objects.h: "ld-ce" should be "id-ce", 18 OBJ_ld_ce should be OBJ_id_ce. 19 Also some ip-pda OIDs in crypto/objects/objects.txt were 20 incorrect (cf. RFC 3039). 21 [Matt Cooper, Frederic Giudicelli, Bodo Moeller] 22 23 *) Release CRYPTO_LOCK_DYNLOCK when CRYPTO_destroy_dynlockid() 24 returns early because it has nothing to do. 25 [Andy Schneider <andy.schneider@bjss.co.uk>] 26 27 *) [In 0.9.6c-engine release:] 28 Fix mutex callback return values in crypto/engine/hw_ncipher.c. 29 [Andy Schneider <andy.schneider@bjss.co.uk>] 30 31 *) [In 0.9.6c-engine release:] 32 Add support for Cryptographic Appliance's keyserver technology. 33 (Use engine 'keyclient') 34 [Cryptographic Appliances and Geoff Thorpe] 35 36 *) Add a configuration entry for OS/390 Unix. The C compiler 'c89' 37 is called via tools/c89.sh because arguments have to be 38 rearranged (all '-L' options must appear before the first object 39 modules). 40 [Richard Shapiro <rshapiro@abinitio.com>] 41 42 *) [In 0.9.6c-engine release:] 43 Add support for Broadcom crypto accelerator cards, backported 44 from 0.9.7. 45 [Broadcom, Nalin Dahyabhai <nalin@redhat.com>, Mark Cox] 46 47 *) [In 0.9.6c-engine release:] 48 Add support for SureWare crypto accelerator cards from 49 Baltimore Technologies. (Use engine 'sureware') 50 [Baltimore Technologies and Mark Cox] 51 52 *) [In 0.9.6c-engine release:] 53 Add support for crypto accelerator cards from Accelerated 54 Encryption Processing, www.aep.ie. (Use engine 'aep') 55 [AEP Inc. and Mark Cox] 56 57 *) Add a configuration entry for gcc on UnixWare. 
58 [Gary Benson <gbenson@redhat.com>] 59 60 *) Change ssl/s2_clnt.c and ssl/s2_srvr.c so that received handshake 61 messages are stored in a single piece (fixed-length part and 62 variable-length part combined) and fix various bugs found on the way. 63 [Bodo Moeller] 64 65 *) Disable caching in BIO_gethostbyname(), directly use gethostbyname() 66 instead. BIO_gethostbyname() does not know what timeouts are 67 appropriate, so entries would stay in cache even when they have 68 become invalid. 69 [Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com> 70 71 *) Change ssl23_get_client_hello (ssl/s23_srvr.c) behaviour when 72 faced with a pathologically small ClientHello fragment that does 73 not contain client_version: Instead of aborting with an error, 74 simply choose the highest available protocol version (i.e., 75 TLS 1.0 unless it is disabled). In practice, ClientHello 76 messages are never sent like this, but this change gives us 77 strictly correct behaviour at least for TLS. 78 [Bodo Moeller] 79 80 *) Fix SSL handshake functions and SSL_clear() such that SSL_clear() 81 never resets s->method to s->ctx->method when called from within 82 one of the SSL handshake functions. 83 [Bodo Moeller; problem pointed out by Niko Baric] 84 85 *) In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert 86 (sent using the client's version number) if client_version is 87 smaller than the protocol version in use. Also change 88 ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if 89 the client demanded SSL 3.0 but only TLS 1.0 is enabled; then 90 the client will at least see that alert. 91 [Bodo Moeller] 92 93 *) Fix ssl3_get_message (ssl/s3_both.c) to handle message fragmentation 94 correctly. 95 [Bodo Moeller] 96 97 *) Avoid infinite loop in ssl3_get_message (ssl/s3_both.c) if a 98 client receives HelloRequest while in a handshake. 
99 [Bodo Moeller; bug noticed by Andy Schneider <andy.schneider@bjss.co.uk>] 100 101 *) Bugfix in ssl3_accept (ssl/s3_srvr.c): Case SSL3_ST_SW_HELLO_REQ_C 102 should end in 'break', not 'goto end' which circuments various 103 cleanups done in state SSL_ST_OK. But session related stuff 104 must be disabled for SSL_ST_OK in the case that we just sent a 105 HelloRequest. 106 107 Also avoid some overhead by not calling ssl_init_wbio_buffer() 108 before just sending a HelloRequest. 109 [Bodo Moeller, Eric Rescorla <ekr@rtfm.com>] 110 111 *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't 112 reveal whether illegal block cipher padding was found or a MAC 113 verification error occured. (Neither SSLerr() codes nor alerts 114 are directly visible to potential attackers, but the information 115 may leak via logfiles.) 116 117 Similar changes are not required for the SSL 2.0 implementation 118 because the number of padding bytes is sent in clear for SSL 2.0, 119 and the extra bytes are just ignored. However ssl/s2_pkt.c 120 failed to verify that the purported number of padding bytes is in 121 the legal range. 122 [Bodo Moeller] 123 124 *) Add OpenUNIX-8 support including shared libraries 125 (Boyd Lynn Gerber <gerberb@zenez.com>). 126 [Lutz Jaenicke] 127 128 *) Improve RSA_padding_check_PKCS1_OAEP() check again to avoid 129 'wristwatch attack' using huge encoding parameters (cf. 130 James H. Manger's CRYPTO 2001 paper). Note that the 131 RSA_PKCS1_OAEP_PADDING case of RSA_private_decrypt() does not use 132 encoding parameters and hence was not vulnerable. 133 [Bodo Moeller] 134 135 *) BN_sqr() bug fix. 136 [Ulf M�ller, reported by Jim Ellis <jim.ellis@cavium.com>] 137 138 *) Rabin-Miller test analyses assume uniformly distributed witnesses, 139 so use BN_pseudo_rand_range() instead of using BN_pseudo_rand() 140 followed by modular reduction. 
141 [Bodo Moeller; pointed out by Adam Young <AYoung1@NCSUS.JNJ.COM>] 142 143 *) Add BN_pseudo_rand_range() with obvious functionality: BN_rand_range() 144 equivalent based on BN_pseudo_rand() instead of BN_rand(). 145 [Bodo Moeller] 146 147 *) s3_srvr.c: allow sending of large client certificate lists (> 16 kB). 148 This function was broken, as the check for a new client hello message 149 to handle SGC did not allow these large messages. 150 (Tracked down by "Douglas E. Engert" <deengert@anl.gov>.) 151 [Lutz Jaenicke] 152 153 *) Add alert descriptions for TLSv1 to SSL_alert_desc_string[_long](). 154 [Lutz Jaenicke] 155 156 *) Fix buggy behaviour of BIO_get_num_renegotiates() and BIO_ctrl() 157 for BIO_C_GET_WRITE_BUF_SIZE ("Stephen Hinton" <shinton@netopia.com>). 158 [Lutz Jaenicke] 159 160 *) Rework the configuration and shared library support for Tru64 Unix. 161 The configuration part makes use of modern compiler features and 162 still retains old compiler behavior for those that run older versions 163 of the OS. The shared library support part includes a variant that 164 uses the RPATH feature, and is available through the special 165 configuration target "alpha-cc-rpath", which will never be selected 166 automatically. 167 [Tim Mooney <mooney@dogbert.cc.ndsu.NoDak.edu> via Richard Levitte] 168 169 *) In ssl3_get_key_exchange (ssl/s3_clnt.c), call ssl3_get_message() 170 with the same message size as in ssl3_get_certificate_request(). 171 Otherwise, if no ServerKeyExchange message occurs, CertificateRequest 172 messages might inadvertently be reject as too long. 173 [Petr Lampa <lampa@fee.vutbr.cz>] 174 175 *) Enhanced support for IA-64 Unix platforms (well, Linux and HP-UX). 176 [Andy Polyakov] 177 178 *) Modified SSL library such that the verify_callback that has been set 179 specificly for an SSL object with SSL_set_verify() is actually being 180 used. 
Before the change, a verify_callback set with this function was 181 ignored and the verify_callback() set in the SSL_CTX at the time of 182 the call was used. New function X509_STORE_CTX_set_verify_cb() introduced 183 to allow the necessary settings. 184 [Lutz Jaenicke] 185 186 *) Initialize static variable in crypto/dsa/dsa_lib.c and crypto/dh/dh_lib.c 187 explicitly to NULL, as at least on Solaris 8 this seems not always to be 188 done automatically (in contradiction to the requirements of the C 189 standard). This made problems when used from OpenSSH. 190 [Lutz Jaenicke] 191 192 *) In OpenSSL 0.9.6a and 0.9.6b, crypto/dh/dh_key.c ignored 193 dh->length and always used 194 195 BN_rand_range(priv_key, dh->p). 196 197 BN_rand_range() is not necessary for Diffie-Hellman, and this 198 specific range makes Diffie-Hellman unnecessarily inefficient if 199 dh->length (recommended exponent length) is much smaller than the 200 length of dh->p. We could use BN_rand_range() if the order of 201 the subgroup was stored in the DH structure, but we only have 202 dh->length. 203 204 So switch back to 205 206 BN_rand(priv_key, l, ...) 207 208 where 'l' is dh->length if this is defined, or BN_num_bits(dh->p)-1 209 otherwise. 210 [Bodo Moeller] 211 212 *) In 213 214 RSA_eay_public_encrypt 215 RSA_eay_private_decrypt 216 RSA_eay_private_encrypt (signing) 217 RSA_eay_public_decrypt (signature verification) 218 219 (default implementations for RSA_public_encrypt, 220 RSA_private_decrypt, RSA_private_encrypt, RSA_public_decrypt), 221 always reject numbers >= n. 222 [Bodo Moeller] 223 224 *) In crypto/rand/md_rand.c, use a new short-time lock CRYPTO_LOCK_RAND2 225 to synchronize access to 'locking_thread'. This is necessary on 226 systems where access to 'locking_thread' (an 'unsigned long' 227 variable) is not atomic. 228 [Bodo Moeller] 229 230 *) In crypto/rand/md_rand.c, set 'locking_thread' to current thread's ID 231 *before* setting the 'crypto_lock_rand' flag. 
The previous code had 232 a race condition if 0 is a valid thread ID. 233 [Travis Vitek <vitek@roguewave.com>] 234 235 *) Add support for shared libraries under Irix. 236 [Albert Chin-A-Young <china@thewrittenword.com>] 237 238 *) Add configuration option to build on Linux on both big-endian and 239 little-endian MIPS. 240 [Ralf Baechle <ralf@uni-koblenz.de>] 241 242 *) Add the possibility to create shared libraries on HP-UX. 243 [Richard Levitte] 244 |
5 Changes between 0.9.6a and 0.9.6b [9 Jul 2001] 6 7 *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) 8 to avoid a SSLeay/OpenSSL PRNG weakness pointed out by 9 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: 10 PRNG state recovery was possible based on the output of 11 one PRNG request appropriately sized to gain knowledge on 12 'md' followed by enough consecutive 1-byte PRNG requests --- 38 unchanged lines hidden (view full) --- 51 *) Verify that incoming data obeys the block size in 52 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). 53 [Bodo Moeller] 54 55 *) Fix OAEP check. 56 [Ulf M�ller, Bodo M�ller] 57 58 *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 | 245 Changes between 0.9.6a and 0.9.6b [9 Jul 2001] 246 247 *) Change ssleay_rand_bytes (crypto/rand/md_rand.c) 248 to avoid a SSLeay/OpenSSL PRNG weakness pointed out by 249 Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>: 250 PRNG state recovery was possible based on the output of 251 one PRNG request appropriately sized to gain knowledge on 252 'md' followed by enough consecutive 1-byte PRNG requests --- 38 unchanged lines hidden (view full) --- 291 *) Verify that incoming data obeys the block size in 292 ssl3_enc (ssl/s3_enc.c) and tls1_enc (ssl/t1_enc.c). 293 [Bodo Moeller] 294 295 *) Fix OAEP check. 296 [Ulf M�ller, Bodo M�ller] 297 298 *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 |
59 RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 | 299 RSA encryption was accidentally removed in s3_srvr.c in OpenSSL 0.9.5 |
60 when fixing the server behaviour for backwards-compatible 'client 61 hello' messages. (Note that the attack is impractical against 62 SSL 3.0 and TLS 1.0 anyway because length and version checking 63 means that the probability of guessing a valid ciphertext is 64 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 65 paper.) 66 67 Before 0.9.5, the countermeasure (hide the error by generating a --- 33 unchanged lines hidden (view full) --- 101 CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids 102 having multiple threads call RAND_poll() concurrently. 103 [Bodo Moeller] 104 105 *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a 106 combination of a flag and a thread ID variable. 107 Otherwise while one thread is in ssleay_rand_bytes (which sets the 108 flag), *other* threads can enter ssleay_add_bytes without obeying | 300 when fixing the server behaviour for backwards-compatible 'client 301 hello' messages. (Note that the attack is impractical against 302 SSL 3.0 and TLS 1.0 anyway because length and version checking 303 means that the probability of guessing a valid ciphertext is 304 around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 305 paper.) 306 307 Before 0.9.5, the countermeasure (hide the error by generating a --- 33 unchanged lines hidden (view full) --- 341 CRYPTO_LOCK_RAND. This is not strictly necessary, but avoids 342 having multiple threads call RAND_poll() concurrently. 343 [Bodo Moeller] 344 345 *) In crypto/rand/md_rand.c, replace 'add_do_not_lock' flag by a 346 combination of a flag and a thread ID variable. 347 Otherwise while one thread is in ssleay_rand_bytes (which sets the 348 flag), *other* threads can enter ssleay_add_bytes without obeying |
109 the CRYPTO_LOCK_RAND lock (and may even illegaly release the lock | 349 the CRYPTO_LOCK_RAND lock (and may even illegally release the lock |
110 that they do not hold after the first thread unsets add_do_not_lock). 111 [Bodo Moeller] 112 113 *) Change bctest again: '-x' expressions are not available in all 114 versions of 'test'. 115 [Bodo Moeller] 116 117 Changes between 0.9.6 and 0.9.6a [5 Apr 2001] --- 625 unchanged lines hidden (view full) --- 743 not read locks (CRYPTO_r_[un]lock). 744 [Bodo Moeller] 745 746 *) A first attempt at creating official support for shared 747 libraries through configuration. I've kept it so the 748 default is static libraries only, and the OpenSSL programs 749 are always statically linked for now, but there are 750 preparations for dynamic linking in place. | 350 that they do not hold after the first thread unsets add_do_not_lock). 351 [Bodo Moeller] 352 353 *) Change bctest again: '-x' expressions are not available in all 354 versions of 'test'. 355 [Bodo Moeller] 356 357 Changes between 0.9.6 and 0.9.6a [5 Apr 2001] --- 625 unchanged lines hidden (view full) --- 983 not read locks (CRYPTO_r_[un]lock). 984 [Bodo Moeller] 985 986 *) A first attempt at creating official support for shared 987 libraries through configuration. I've kept it so the 988 default is static libraries only, and the OpenSSL programs 989 are always statically linked for now, but there are 990 preparations for dynamic linking in place. |
751 This has been tested on Linux and True64. | 991 This has been tested on Linux and Tru64. |
752 [Richard Levitte] 753 754 *) Randomness polling function for Win9x, as described in: 755 Peter Gutmann, Software Generation of Practically Strong 756 Random Numbers. 757 [Ulf M�ller] 758 759 *) Fix so PRNG is seeded in req if using an already existing --- 3165 unchanged lines hidden --- | 992 [Richard Levitte] 993 994 *) Randomness polling function for Win9x, as described in: 995 Peter Gutmann, Software Generation of Practically Strong 996 Random Numbers. 997 [Ulf M�ller] 998 999 *) Fix so PRNG is seeded in req if using an already existing --- 3165 unchanged lines hidden --- |
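Review bot: the attribution at line 69 of the new 0.9.6c section is unclosed: `[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>` lacks the trailing `]` that every other attribution in the file carries, so it should read `[Bodo Moeller; problem pointed out by Rich Salz <rsalz@zolera.com>]`. In the same hunk, the s2_pkt.c paragraph of the padding/MAC entry (lines 117-121) only states that `ssl/s2_pkt.c failed to verify that the purported number of padding bytes is in the legal range` without saying whether this release adds that check; since the entry is about hiding padding-versus-MAC failures, the sentence should state explicitly that the range check is now performed (or move to its own entry if it is a separate fix). A few spellings also deviate from the rest of the file and would be worth correcting alongside the `accidentally`/`illegally`/`Tru64` fixes made elsewhere in this change: `circuments` (line 102) should be `circumvents`, `occured` (line 113) `occurred`, `specificly` (line 179) `specifically`, and `might inadvertently be reject as too long` (line 172) should read `be rejected`. Finally, the new header `Changes between 0.9.6b and 0.9.6c [21 dec 2001]` should capitalize the month to match `[9 Jul 2001]` and `[5 Apr 2001]`.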