diff options
author | Bodo Möller <bodo@openssl.org> | 2003-04-11 19:01:42 +0400 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2003-04-11 19:01:42 +0400 |
commit | 4e7566579ebbb9a1c5d67045d4d211f42a5f21a8 (patch) | |
tree | 41c0bd8e78e5e16c7c1919ae8724a417e9cb0141 /CHANGES | |
parent | fba1cfa06d338962468b1e271a394903a355216f (diff) |
include 'Changes between 0.9.6i and 0.9.6j'
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 25 |
1 files changed, 25 insertions, 0 deletions
@@ -1942,6 +1942,31 @@ des-cbc 3624.96k 5258.21k 5530.91k 5624.30k 5628.26k *) Clean old EAY MD5 hack from e_os.h. [Richard Levitte] + Changes between 0.9.6i and 0.9.6j [10 Apr 2003] + + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). Make RSA blinding thread-safe + by remembering the creator's thread ID in rsa->blinding and + having all other threads use local one-time blinding factors + (this requires more computation than sharing rsa->blinding, but + avoids excessive locking; and if an RSA object is not shared + between threads, blinding will still be very fast). + [Bodo Moeller] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked |