Yunqa • The Delphi Inspiration

Delphi Components and Applications

User Tools

Site Tools


products:openssl:history_3

YuOpenSSL: Version History

YuOpenSSL is a Delphi port of the OpenSSL cryptography and SSL/TSL library. All code is statically compiled into applications. OpenSSL DLLs are not needed. Over 5000 functions, procedures, constants, and types are ready to use in a single Delphi unit.

YuOpenSSL-3 v1.2.4 – 5 Jul 2022

  • Update OpenSSL to 3.0.5.
    • Fix BN_gcd to check return value when calling BN_one.
    • Add a check for the return of i2s_ASN1_INTEGER.
    • Fix X509v3_addr_add_range, X509v3_addr_canonize, and X509v3_addr_is_canonical to return the correct result.
    • Fix memory leak in EC_GROUP_new_from_ecparameters.
    • Add and improve various checks.

YuOpenSSL-3 v1.2.3 – 21 Jun 2022

  • Update OpenSSL to 3.0.4.
    • Minor bug fixes.
    • Add some constants and functions, mainly related to EVP_KEYEXCH… and X509v3_addr….

YuOpenSSL-3 v1.2.2 – 6 May 2022

  • Fix OpenSSL version reported by OpenSSL_version…() functions and constants like OPENSSL_FULL_VERSION_STR.

YuOpenSSL-3 v1.2.1 – 3 May 2022

  • Update OpenSSL to 3.0.3.
    • Fixed a bug in the function OCSP_basic_verify that verifies the signer certificate on an OCSP response. The bug caused the function in the case where the (non-default) flag OCSP_NOCHECKS is used to return a postivie response (meaning a successful verification) even in the case where the response signing certificate fails to verify.
    • Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key. This made the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check.
    • Fix a bug in the OPENSSL_LH_flush function that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time.

YuOpenSSL-3 v1.2.0 – 15 Mar 2022

  • Update OpenSSL to 3.0.2:
    • Fixed a bug in the BN_mod_sqrt function that can cause it to loop forever for non-prime moduli (CVE-2022-0778). Vulnerable situations include:
      • TLS clients consuming server certificates
      • TLS servers consuming client certificates
      • Hosting providers taking certificates or private keys from customers
      • Certificate authorities parsing certification requests from subscribers
      • Anything else which parses ASN.1 elliptic curve parameters
      • Also any other applications that use the BN_mod_sqrt where the attacker can control the parameter values are vulnerable to this DoS issue.
    • Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3.
    • Fixed PEM_write_bio_PKCS8PrivateKey to make it possible to use empty passphrase strings.
    • The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify function.
  • Add OCSP API functions for Internet Component Suite (ICS).

YuOpenSSL-3 v1.1.0 – 4 Feb 2022

  • Add HTTP APIs like OSSL_HTTP_get. They allow to obtain data from HTTP or secure HTTPS using just YuOpenSSL-3 and no additional 3-rd party Internet components. See YuOpenSSL_HTTP_get.dpr demo for usage.
  • Add APIs required for YuXMLSec.

YuOpenSSL-3 v1.0.1 – 14 Dec 2021

  • Update to OpenSSL 3.0.1:
    • Fixed invalid handling of X509_verify_cert internal errors (CVE-2021-4044).
    • Fixed EVP_PKEY_eq to make it possible to use it with strictly private keys.
    • Fixed PVK encoder to properly query for the passphrase.
    • Multiple fixes in the OSSL_HTTP API functions.
    • Allow sign extension in OSSL_PARAM_allocate_from_text for the OSSL_PARAM_INTEGER_ data type and return error on negative numbers used with the OSSL_PARAM_UNSIGNED_INTEGER_ data type. Make OSSL_PARAM_BLD_push_BN and OSSL_PARAM_BLD_push_BN_pad return an error on negative numbers.
    • Allow copying uninitialized digest contexts with EVP_MD_CTX_copy_ex.
    • Multiple threading fixes.
    • Added NULL digest implementation to keep compatibility with 1.1.1 version.
    • Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.
  • Update Indy IOHandler with latest new features and bug fixes.

YuOpenSSL-3 v1.0.0 – 17 Nov 2021

  • Initial release, based on OpenSSL 3.0.0.
products/openssl/history_3.txt · Last modified: 2022/07/05 16:41 (external edit)