when checking OAEP, signal just a single kind of 'decoding error'

[openssl.git] / CHANGES

diff --git a/CHANGES b/CHANGES
index ccc991b959070306a15dace9d7183cb245787eec..6cea57be1d7b829d0130a32da3e4a6ca56197eb9 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -11,6 +11,31 @@
          *) applies to 0.9.6a (/0.9.6b) and 0.9.7
          +) applies to 0.9.7 only
 
+  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
+     RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
+     when fixing the server behaviour for backwards-compatible 'client
+     hello' messages.  (Note that the attack is impractical against
+     SSL 3.0 and TLS 1.0 anyway because length and version checking
+     means that the probability of guessing a valid ciphertext is
+     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
+     paper.)
+
+     Before 0.9.5, the countermeasure (hide the error by generating a
+     random 'decryption result') did not work properly because
+     ERR_clear_error() was missing, meaning that SSL_get_error() would
+     detect the supposedly ignored error.
+
+     Both problems are now fixed.
+     [Bodo Moeller]
+
+  *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
+     (previously it was 1024).
+     [Bodo Moeller]
+
+  +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
+     tidy up some unecessarily weird code in 'sk_new()').
+     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
+
   +) Change the key loading routines for ENGINEs to use the same kind
      callback (pem_password_cb) as all other routines that need this
      kind of callback.