OpenSSL v0.9.8.h Release Notes

Release Date: 2008-09-15
    • Fix NULL pointer dereference if a DTLS server received ChangeCipherSpec as first record (CVE-2009-1386).

    PR #1679

    • Fix a state transition in s3_srvr.c and d1_srvr.c (was using SSL3_ST_CW_CLNT_HELLO_B, should be ...ST_SW_SRVR...).

    Nagendra Modadugu

    • The fix in 0.9.8c that supposedly got rid of unsafe double-checked locking was incomplete for RSA blinding, addressing just one layer of what turns out to have been doubly unsafe triple-checked locking.

    So now fix this for real by retiring the MONT_HELPER macro in crypto/rsa/rsa_eay.c.

    Bodo Moeller; problem pointed out by Marius Schilder

    • Various precautionary measures:

      • Avoid size_t integer overflow in HASH_UPDATE (md32_common.h).
      • Avoid a buffer overflow in d2i_SSL_SESSION() (ssl_asn1.c). (NB: This would require knowledge of the secret session ticket key to exploit, in which case you'd be SOL either way.)
      • Change bn_nist.c so that it will properly handle input BIGNUMs outside the expected range.
      • Enforce the 'num' check in BN_div() (bn_div.c) for non-BN_DEBUG builds.

    Neel Mehta, Bodo Moeller

    • Allow engines to be "soft loaded" - i.e. optionally don't die if the load fails. Useful for distros.

    Ben Laurie and the FreeBSD team

    • Add support for Local Machine Keyset attribute in PKCS#12 files.

    Steve Henson

    • Fix BN_GF2m_mod_arr() top-bit cleanup code.

    Huang Ying

    • Expand ENGINE to support engine supplied SSL client certificate functions.

    This work was sponsored by Logica.

    Steve Henson

    • Add CryptoAPI ENGINE to support use of RSA and DSA keys held in Windows keystores. Support for SSL/TLS client authentication too. Not compiled unless enable-capieng specified to Configure.

    This work was sponsored by Logica.

    Steve Henson

    • Fix bug in X509_ATTRIBUTE creation: don't set attribute using ASN1_TYPE_set1 if MBSTRING flag set. This bug would crash certain attribute creation routines such as certificate requests and PKCS#12 files.

    Steve Henson