OpenSSL_version…() functions and constants like
OCSP_basic_verify that verifies the signer certificate on an OCSP response. The bug caused the function, in the case where the (non-default) flag
OCSP_NOCHECKS is used, to return a positive response (meaning a successful verification) even when the response signing certificate fails to verify.
OPENSSL_LH_flush function that breaks reuse of the memory occupied by the removed hash table entries. This function is used when decoding certificates or keys. If a long-lived process periodically decodes certificates or keys, its memory usage will grow without bound and the process might be terminated by the operating system, causing a denial of service. Traversing the empty hash table entries also takes increasingly more time.
BN_mod_sqrt function that can cause it to loop forever for non-prime moduli (CVE-2022-0778). Vulnerable situations include:
BN_mod_sqrt where the attacker can control the parameter values are vulnerable to this DoS issue.
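To show why a modular square root routine can hang on a non-prime modulus and how a bounded implementation avoids it, here is an added example in Python. It is not OpenSSL's or YuOpenSSL's code; it is a standalone Tonelli-Shanks implementation (the algorithm class that BN_mod_sqrt belongs to) in which every search loop has a bound. On a prime modulus it returns a root; on a composite modulus, where the algorithm's invariants no longer hold, it raises an error instead of spinning forever. The iteration budget MAX_NONRESIDUE_TRIES and the ModSqrtError class are this example's own choices, and the sample moduli and values below are constructed for the demonstration.

```python
"""Bounded Tonelli-Shanks modular square root (added example, not OpenSSL code).

Shows the failure mode behind an infinite loop in a modular square root
routine on composite moduli, and the mitigation: bound every search loop and
report an error rather than hang.
"""

# Assumption: our own budget for the quadratic non-residue search. For some
# composite moduli no non-residue exists at all, so an unbounded search never ends.
MAX_NONRESIDUE_TRIES = 64


class ModSqrtError(ValueError):
    """Raised instead of hanging: no root exists, or the modulus is not prime."""


def mod_sqrt(a: int, p: int) -> int:
    """Return r with r*r == a (mod p) for an odd prime p.

    For a composite p the invariants of Tonelli-Shanks do not hold; the bounded
    searches then fail and ModSqrtError is raised rather than looping forever.
    """
    if p < 3 or p % 2 == 0:
        raise ModSqrtError("modulus must be an odd number greater than 2")
    a %= p
    if a == 0:
        return 0
    # Euler criterion: for prime p, a is a square iff a^((p-1)/2) == 1.
    if pow(a, (p - 1) // 2, p) != 1:
        raise ModSqrtError("not a square modulo p")
    # Write p - 1 = q * 2^s with q odd.
    q, s = p - 1, 0
    while q % 2 == 0:
        q //= 2
        s += 1
    # Find a quadratic non-residue z, i.e. z^((p-1)/2) == -1 (bounded search).
    z = None
    for cand in range(2, 2 + MAX_NONRESIDUE_TRIES):
        if pow(cand, (p - 1) // 2, p) == p - 1:
            z = cand
            break
    if z is None:
        raise ModSqrtError("no non-residue found: modulus is probably not prime")
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        # Find the least i with t^(2^i) == 1; for prime p it satisfies 0 < i < m.
        # The bound is tested as i >= m, not as equality: once m has shrunk to 1
        # an equality test can be skipped, and repeated squaring would continue
        # forever when t^(2^i) never reaches 1 (the composite-modulus case).
        i, t2 = 0, t
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
            if i >= m:
                raise ModSqrtError("loop bound hit: not a square or modulus is not prime")
        b = pow(c, 1 << (m - i - 1), p)
        m, c = i, b * b % p
        t, r = t * c % p, r * b % p
    return r


def classify(a: int, p: int) -> str:
    """Summarise the outcome as 'root=<r>' or 'error: <message>'."""
    try:
        return f"root={mod_sqrt(a, p)}"
    except ModSqrtError as exc:
        return f"error: {exc}"


if __name__ == "__main__":
    # Constructed inputs: two primes, a non-square, and two composite moduli.
    for a, p in [(10, 13), (2, 17), (2, 13), (16, 85), (8, 21)]:
        print(f"sqrt({a}) mod {p}: {classify(a, p)}")
```

With modulus 85 the input 16 is 4 squared, so a root exists, yet the algorithm relies on 85 being prime and the inner loop bound reports the failure; with modulus 21 no quadratic non-residue exists at all and the bounded non-residue search is what stops the loop. The defensive point is that both bounds must be there: a caller that feeds attacker-controlled parameters to a routine with an unbounded loop gets a hang, while a bounded routine gets an error it can handle.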
PEM_write_bio_PKCS8PrivateKey to make it possible to use empty passphrase strings.
OSSL_HTTP_get. They allow obtaining data over HTTP or secure HTTPS using just YuOpenSSL-3 and no additional third-party Internet components. See the
YuOpenSSL_HTTP_get.dpr demo for usage.
X509_verify_cert internal errors (CVE-2021-4044).
EVP_PKEY_eq to make it possible to use it with strictly private keys.
OSSL_PARAM_INTEGER data type and return an error on negative numbers used with the
OSSL_PARAM_UNSIGNED_INTEGER data type. Make
OSSL_PARAM_BLD_push_BN_pad return an error on negative numbers.