Changelog History

  • v0.9.7.g Changes

    October 11, 2005
    • Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING (part of SSL_OP_ALL). This option used to disable the countermeasure against man-in-the-middle protocol-version rollback in the SSL 2.0 server implementation, which is a bad idea. (CVE-2005-2969)

    Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center for Information Security, National Institute of Advanced Industrial Science and Technology [AIST], Japan)

    • Minimal support for X9.31 signatures and PSS padding modes. This is mainly for FIPS compliance and not fully integrated at this stage.

    Steve Henson

    • For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform the exponentiation using a fixed-length exponent. (Otherwise, the information leaked through timing could expose the secret key after many signatures; cf. Bleichenbacher's attack on DSA with biased k.)

    Bodo Moeller

    • Make a new fixed-window mod_exp implementation the default for RSA, DSA, and DH private-key operations so that the sequence of squares and multiplies and the memory access pattern are independent of the particular secret key. This will mitigate cache-timing and potential related attacks.

    BN_mod_exp_mont_consttime() is the new exponentiation implementation, and this is automatically used by BN_mod_exp_mont() if the new flag BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH will use this BN flag for private exponents unless the flag RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.

    Matthew D Wood (Intel Corp), with some changes by Bodo Moeller
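    The two entries above (fixed-length DSA exponent, fixed-window mod_exp) share one idea: the sequence of squarings, multiplies and table reads must not depend on the secret exponent. The following is an added illustration of that idea, not OpenSSL's BN_mod_exp_mont_consttime(): it works on 64-bit toy operands with a 4-bit window (WBITS, WSIZE, the g_* counters and both function names are constructed for the example) and counts operations so the two approaches can be compared.

    ```c
    #include <stdint.h>

    typedef unsigned __int128 u128;           /* GCC/Clang extension: 64x64 -> 128 */

    /* Operation counters, so the sequences for different exponents can be compared. */
    unsigned long g_squares, g_mults;

    static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
        return (uint64_t)(((u128)a * b) % m);
    }

    /* Plain left-to-right square-and-multiply: a multiply happens only for set
       exponent bits, so the operation sequence (and its timing) depends on the key. */
    uint64_t modexp_naive(uint64_t b, uint64_t e, uint64_t m) {
        uint64_t r = 1 % m;
        g_squares = g_mults = 0;
        for (int i = 63; i >= 0; i--) {
            r = mulmod(r, r, m); g_squares++;
            if ((e >> i) & 1) { r = mulmod(r, b, m); g_mults++; }
        }
        return r;
    }

    /* Fixed-window exponentiation over a fixed exponent length (ebits, a multiple
       of WBITS, at most 64): each window costs WBITS squarings plus exactly one
       multiply, and the precomputed table is read in full through a mask, so
       neither the operation sequence nor the memory-access pattern depends on e. */
    #define WBITS 4
    #define WSIZE (1u << WBITS)
    uint64_t modexp_fixedwin(uint64_t b, uint64_t e, uint64_t m, int ebits) {
        uint64_t tab[WSIZE], r = 1 % m;
        g_squares = g_mults = 0;
        tab[0] = 1 % m;
        for (unsigned i = 1; i < WSIZE; i++) tab[i] = mulmod(tab[i - 1], b, m);
        for (int i = ebits - WBITS; i >= 0; i -= WBITS) {
            for (int j = 0; j < WBITS; j++) { r = mulmod(r, r, m); g_squares++; }
            unsigned idx = (unsigned)((e >> i) & (WSIZE - 1));
            uint64_t pick = 0;
            for (unsigned k = 0; k < WSIZE; k++) {           /* touch every entry */
                uint64_t mask = 0 - (uint64_t)(k == idx);    /* all ones iff k == idx */
                pick |= tab[k] & mask;
            }
            r = mulmod(r, pick, m); g_mults++;               /* always one multiply */
        }
        return r;
    }
    ```

    With a 64-bit exponent length the fixed-window form always performs 64 squarings and 16 multiplies, whereas the naive form's multiply count equals the exponent's Hamming weight.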

    • Change the client implementation for SSLv23_method() and SSLv23_client_method() so that it uses the SSL 3.0/TLS 1.0 Client Hello message format if the SSL_OP_NO_SSLv2 option is set. (Previously, the SSL 2.0 backwards compatible Client Hello message format would be used even with SSL_OP_NO_SSLv2.)

    Bodo Moeller

    • Add support for smime-type MIME parameter in S/MIME messages which some clients need.

    Steve Henson

    • New function BN_MONT_CTX_set_locked() to set Montgomery parameters in a thread-safe manner. Modify RSA code to use the new function and add calls to DSA and DH code (which had race conditions before).

    Steve Henson

    • Include the fixed error library code in the C error file definitions instead of fixing them up at runtime. This keeps the error code structures constant.

    Steve Henson

  • v0.9.7.f Changes

    April 11, 2005

    [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after OpenSSL 0.9.8.]

    • Fixes for newer Kerberos headers. NB: the casts are needed because the 'length' field is signed on one version and unsigned on another, with no (?) obvious way to tell the difference; without these, VC++ complains. Also the "definition" of FAR (blank) is no longer included, nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up some needed definitions.

    Steve Henson

    • Undo Cygwin change.

    Ulf Möller

    • Added support for proxy certificates according to RFC 3820. Because they may be a security threat to unaware applications, they must be explicitly allowed at run-time. See docs/HOWTO/proxy_certificates.txt for further information.

    Richard Levitte

  • v0.9.7.e Changes

    March 22, 2005
    • Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating server and client random values. Previously (SSL_RANDOM_VALUE - sizeof(time_t)) would be used which would result in less random data when sizeof(time_t) > 4 (some 64 bit platforms).

    This change has negligible security impact because:

    1. Server and client random values still have 24 bytes of pseudo random data.

    2. Server and client random values are sent in the clear in the initial handshake.

    3. The master secret is derived using the premaster secret (48 bytes in size for static RSA ciphersuites) as well as the client and server random values.

    The OpenSSL team would like to thank the UK NISCC for bringing this issue to our attention.

    Stephen Henson, reported by UK NISCC

    • Use Windows randomness collection on Cygwin.

    Ulf Möller

    • Fix hang in EGD/PRNGD query when communication socket is closed prematurely by EGD/PRNGD.

    Darren Tucker via Lutz Jänicke, resolves #1014

    • Prompt for pass phrases when appropriate for PKCS12 input format.

    Steve Henson

    • Back-port of selected performance improvements from development branch, as well as improved support for PowerPC platforms.

    Andy Polyakov

    • Add lots of checks for memory allocation failure, error codes to indicate failure and freeing up memory if a failure occurs.

    Nauticus Networks SSL Team, Steve Henson

    • Add new -passin argument to dgst.

    Steve Henson

    • Perform some character comparisons of different types in X509_NAME_cmp: this is needed for some certificates that re-encode DNs into UTF8Strings (in violation of RFC3280) and can't or won't issue name rollover certificates.

    Steve Henson

    • Make an explicit check during certificate validation to see that the CA setting in each certificate on the chain is correct. As a side effect always do the following basic checks on extensions, not just when there's an associated purpose to the check:

      • if there is an unhandled critical extension (unless the user has chosen to ignore this fault)
      • if the path length has been exceeded (if one is set at all)
      • that certain extensions fit the associated purpose (if one has been given)

    Richard Levitte

  • v0.9.7.d Changes

    October 25, 2004
    • Avoid a race condition when CRLs are checked in a multi-threaded environment. This would happen due to the reordering of the revoked entries during signature checking and serial number lookup. Now the encoding is cached and the serial number sort performed under a lock. Add new STACK function sk_is_sorted().

    Steve Henson

    • Add Delta CRL to the extension code.

    Steve Henson

    • Various fixes to s3_pkt.c so alerts are sent properly.

    David Holmes

    • Reduce the chances of duplicate issuer name and serial numbers (in violation of RFC3280) using the OpenSSL certificate creation utilities. This is done by creating a random 64 bit value for the initial serial number when a serial number file is created or when a self signed certificate is created using 'openssl req -x509'. The initial serial number file is created using 'openssl x509 -next_serial' in CA.pl rather than being initialized to 1.

    Steve Henson

  • v0.9.7.c Changes

    March 17, 2004
    • Fix null-pointer assignment in do_change_cipher_spec() revealed by using the Codenomicon TLS Test Tool (CVE-2004-0079)

    Joe Orton, Steve Henson

    • Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites (CVE-2004-0112)

    Joe Orton, Steve Henson

    • Make it possible to have multiple active certificates with the same subject in the CA index file. This is done only if the keyword 'unique_subject' is set to 'no' in the main CA section (default is 'CA_default') of the configuration file. The value is saved with the database itself in a separate index attribute file, named like the index file with '.attr' appended to the name.

    Richard Levitte

    • X509 verify fixes. Disable broken certificate workarounds when X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if keyUsage extension present. Don't accept CRLs with unhandled critical extensions: since verify currently doesn't process CRL extensions this rejects a CRL with any critical extensions. Add new verify error codes for these cases.

    Steve Henson

    • When creating an OCSP nonce use an OCTET STRING inside the extnValue. A clarification of RFC2560 will require the use of OCTET STRINGs and some implementations cannot handle the current raw format. Since OpenSSL copies and compares OCSP nonces as opaque blobs without any attempt at parsing them this should not create any compatibility issues.

    Steve Henson

    • New md flag EVP_MD_CTX_FLAG_REUSE: this allows md_data to be reused when calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without this, HMAC (and other) operations are several times slower than in OpenSSL < 0.9.7.

    Steve Henson

    • Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().

    Peter Sylvester

    • Use the correct content when signing type "other".

    Steve Henson

  • v0.9.7.b Changes

    September 30, 2003
    • Fix various bugs revealed by running the NISCC test suite:

    Stop out of bounds reads in the ASN1 code when presented with invalid tags (CVE-2003-0543 and CVE-2003-0544).

    Free up ASN1_TYPE correctly if ANY type is invalid (CVE-2003-0545).

    If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key.

    Steve Henson

    • New -ignore_err option in ocsp application to stop the server exiting on the first error in a request.

    Steve Henson

    • In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications.

    Steve Henson

    • In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification).

    Bodo Moeller; problem pointed out by Matthias Loepfe

    • Change X509_certificate_type() to mark the key as exported/exportable when it's 512 bits long, not 512 bytes.

    Richard Levitte

    • Change AES_cbc_encrypt() so it outputs exact multiple of blocks during encryption.

    Richard Levitte

    • Various fixes to base64 BIO and non blocking I/O. On write flushes were not handled properly if the BIO retried. On read data was not being buffered properly and had various logic bugs. This also affects blocking I/O when the data being decoded is a certain size.

    Steve Henson

    • Various S/MIME bugfixes and compatibility changes: output correct application/pkcs7 MIME type if PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures. Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening of files as .eml work). Correctly handle very long lines in MIME parser.

    Steve Henson

  • v0.9.7.a Changes

    April 10, 2003
    • Countermeasure against the Klima-Pokorny-Rosa extension of Bleichenbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c).

    Bodo Moeller
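    As an added illustration of this countermeasure (not OpenSSL's s3_srvr.c code; the function names, the fixed 48-byte layout with the version in the first two bytes, and the caller-supplied substitute are constructed for the example), the form that reports the two failures separately beside the form that folds the version mismatch into the decryption-failure path:

    ```c
    #include <stdint.h>
    #include <string.h>

    #define PMS_LEN 48                 /* RSA-encrypted premaster secret length */

    /* Oracle-prone form: each failure is reported separately, so a peer who can
       observe the outcome distinguishes a padding/length failure from a version
       mismatch, and the version check becomes a second oracle. */
    int pms_check_oracle(const uint8_t *dec, size_t dec_len, uint16_t client_version) {
        if (dec_len != PMS_LEN) return -1;                                   /* decryption failed */
        if ((uint16_t)((dec[0] << 8) | dec[1]) != client_version) return -2; /* version mismatch */
        return 0;
    }

    /* Countermeasure: a version mismatch is folded into the same outcome as a
       decryption failure. Either way the handshake proceeds with a substitute
       premaster secret and only fails later, at Finished. The substitute must be
       fresh random bytes in real code; it is caller-supplied here so the behaviour
       can be tested. Nothing is returned that tells the two failures apart. */
    void pms_select(const uint8_t *dec, size_t dec_len, uint16_t client_version,
                    const uint8_t substitute[PMS_LEN], uint8_t out[PMS_LEN]) {
        int bad = (dec_len != PMS_LEN);
        uint16_t got = bad ? 0 : (uint16_t)((dec[0] << 8) | dec[1]);
        bad |= (got != client_version);
        memcpy(out, bad ? substitute : dec, PMS_LEN);
    }

    /* Constructed scenario: a decrypted buffer of dec_len bytes whose first two
       bytes are pms_version. Returns the oracle code from the first form. */
    int scenario_oracle(uint16_t pms_version, size_t dec_len, uint16_t client_version) {
        uint8_t dec[PMS_LEN] = {0};
        dec[0] = (uint8_t)(pms_version >> 8); dec[1] = (uint8_t)pms_version;
        return pms_check_oracle(dec, dec_len, client_version);
    }

    /* Same scenario through the hardened form: 1 if the substitute was used. */
    int scenario_hardened_substituted(uint16_t pms_version, size_t dec_len, uint16_t client_version) {
        uint8_t dec[PMS_LEN] = {0}, sub[PMS_LEN], out[PMS_LEN];
        memset(sub, 0xA5, PMS_LEN);                    /* stands in for random bytes */
        dec[0] = (uint8_t)(pms_version >> 8); dec[1] = (uint8_t)pms_version;
        pms_select(dec, dec_len, client_version, sub, out);
        return memcmp(out, sub, PMS_LEN) == 0;
    }
    ```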

    • Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases.

    Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller

    • Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). Make RSA blinding thread-safe by remembering the creator's thread ID in rsa->blinding and having all other threads use local one-time blinding factors (this requires more computation than sharing rsa->blinding, but avoids excessive locking; and if an RSA object is not shared between threads, blinding will still be very fast).

    Bodo Moeller
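    The blinding described in the two entries above, as an added example rather than OpenSSL's RSA code: the private exponentiation is run on m * r^e for a factor r the peer cannot predict, and r is divided out afterwards, so the timing of the exponentiation is decorrelated from the peer-chosen input. The 64-bit toy key (p = 1000003, q = 1000033), the struct and the function names are constructed for the example; r is passed in by the caller here, whereas real code must draw it from a seeded PRNG.

    ```c
    #include <stdint.h>
    typedef unsigned __int128 u128;           /* GCC/Clang extension: 64x64 -> 128 */
    typedef struct { uint64_t n, e, d; } rsa_key;

    uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
        return (uint64_t)(((u128)a * b) % m);
    }
    uint64_t powmod(uint64_t b, uint64_t e, uint64_t m) {
        uint64_t r = 1 % m;
        for (b %= m; e; e >>= 1, b = mulmod(b, b, m))
            if (e & 1) r = mulmod(r, b, m);
        return r;
    }
    /* Modular inverse by extended Euclid; 0 when gcd(a, m) != 1. Assumes m < 2^62. */
    uint64_t invmod(uint64_t a, uint64_t m) {
        int64_t t = 0, nt = 1;
        uint64_t r = m, nr = a % m;
        while (nr) {
            uint64_t q = r / nr, tmp = nr;
            nr = r - q * nr; r = tmp;
            int64_t tt = nt; nt = t - (int64_t)q * nt; t = tt;
        }
        return r != 1 ? 0 : (uint64_t)(t < 0 ? t + (int64_t)m : t);
    }

    /* Constructed toy key: p = 1000003 and q = 1000033 are both prime. */
    rsa_key toy_key(void) {
        rsa_key k; uint64_t p = 1000003, q = 1000033;
        k.n = p * q; k.e = 65537; k.d = invmod(k.e, (p - 1) * (q - 1));
        return k;
    }

    /* Unblinded: exponentiation runs directly on peer-chosen input, so its timing can be correlated with d. */
    uint64_t rsa_priv_plain(uint64_t m, const rsa_key *k) { return powmod(m, k->d, k->n); }

    /* Blinded: exponentiate m * r^e for an r the peer cannot predict, then strip r.
       r must be invertible mod n and, in real code, come from a seeded CSPRNG. */
    uint64_t rsa_priv_blinded(uint64_t m, uint64_t r, const rsa_key *k) {
        uint64_t rinv = invmod(r, k->n);
        if (rinv == 0) return 0;                                  /* unusable r */
        uint64_t a = mulmod(m, powmod(r, k->e, k->n), k->n);     /* m * r^e   */
        uint64_t s = powmod(a, k->d, k->n);                       /* m^d * r   */
        return mulmod(s, rinv, k->n);                             /* m^d       */
    }

    /* Self-check: blinding leaves the result unchanged and it verifies with e. */
    int blinding_check(uint64_t m, uint64_t r) {
        rsa_key k = toy_key();
        uint64_t s = rsa_priv_blinded(m, r, &k);
        return s != 0 && s == rsa_priv_plain(m, &k) && powmod(s, k.e, k.n) == m;
    }
    ```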

    • Fixed a typo bug that would cause ENGINE_set_default() to set an ENGINE as defaults for all supported algorithms irrespective of the 'flags' parameter. 'flags' is now honoured, so applications should make sure they are passing it correctly.

    Geoff Thorpe

    • Target "mingw" now allows native Windows code to be generated in the Cygwin environment as well as with the MinGW compiler.

    Ulf Moeller

  • v0.9.6.l Changes

    March 17, 2004
    • Fix null-pointer assignment in do_change_cipher_spec() revealed by using the Codenomicon TLS Test Tool (CVE-2004-0079)

    Joe Orton, Steve Henson

  • v0.9.6.k Changes

    November 04, 2003
    • Fix additional bug revealed by the NISCC test suite:

    Stop bug triggering large recursion when presented with certain ASN.1 tags (CVE-2003-0851)

    Steve Henson

  • v0.9.6.j Changes

    September 30, 2003
    • Fix various bugs revealed by running the NISCC test suite:

    Stop out of bounds reads in the ASN1 code when presented with invalid tags (CVE-2003-0543 and CVE-2003-0544).

    If verify callback ignores invalid public key errors don't try to check certificate signature with the NULL public key.

    Steve Henson

    • In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate if the server requested one: as stated in TLS 1.0 and SSL 3.0 specifications.

    Steve Henson

    • In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional extra data after the compression methods not only for TLS 1.0 but also for SSL 3.0 (as required by the specification).

    Bodo Moeller; problem pointed out by Matthias Loepfe

    • Change X509_certificate_type() to mark the key as exported/exportable when it's 512 bits long, not 512 bytes.

    Richard Levitte