| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
|
|
|
|
using EVP_AEAD. Also provide an EVP_AEAD-only equivalent of
ssl_cipher_get_evp().
|
|
magic numbers around.
ok deraadt@
|
|
do some other clean up while here.
ok deraadt@
|
|
check, so do not duplicate it here. Make the error handling consistent
by always using 'goto err' rather than returning in certain cases. Also
add a missing BIO_free(ssl) in BIO_new_ssl_connect().
ok deraadt@
|
|
|
|
discussed with tedu, ok jsing
|
|
switching cipher states using an EVP_CIPHER. This will facilitate the
addition of cipher state changes for EVP_AEAD. No functional change.
Based on Adam Langley's chromium patches.
|
|
|
|
In the past, time_t's type was underspecified. But a floating point type
would not have worked in practice. Newer specifications effectively forbid it.
While cleaning this up, get partly ready for Y2038.
ok miod
|
|
c30718b5e7480add42598158
Don't know the full story, but it looks like a "can't do random
perfectly, so do it god awful" problem was found in 2013, and
replaced with "only do it badly if a flag is set". New flags
(SSL_MODE_SEND_SERVERHELLO_TIME and SSL_MODE_SEND_SERVERHELLO_TIME)
were added [Ben Laurie?] to support the old scheme of "use time_t
for first 4 bytes of the random buffer".
Nothing uses these flags [ecosystem scan by sthen]
Fully discourage use of these flags in the future by removing
support & definition of them. The buflen < 4 check is also interesting,
because no entropy would be returned. No callers passed such small
buffers.
ok miod sthen
|
|
Based on Adam Langley's chromium patches.
|
|
While this is not strictly correct (since the presence of SSL3_CC_READ does
not guarantee the absence of SSL3_CC_WRITE), in practice only one of these
flags is set at a time and there is existing logic which already relies on
this behaviour.
|
|
this is the only place where these variables are used.
|
|
|
|
code. Additionally, these need to be cleaned in the export case.
Based on Adam Langley's chromium patches.
|
|
Rather than doing a complex dance to figure out if we should reuse the
cipher context and clean it later on, just free it and allocate a new one.
This simplifies the code path, especially in the write case where special
handling is required for DTLS.
Also, calling EVP_CIPHER_CTX_init() for a newly created cipher context is
unnecessary, since EVP_CIPHER_CTX_new() already does this (not to mention
that it was already missing from the write case).
|
|
and others to the regress framework. These remaining ones just
muddle us up when re-reading code repeatedly.
ok jsing
|
|
|
|
ok miod
|
|
|
|
|
|
before calling it.
|
|
so do not bother checking before calling.
|
|
implicit NULL checks, so there is no point ensuring that the pointer is
non-NULL before calling them.
|
|
|
|
|
|
encouraged by deraadt and miod
|
|
hackathon, just saying 'ass ember' was enough to start giggles.
Unfortunately far more offensive stuff remains in here...
|
|
DTLS fragments. A stream of 'Hello Request' messages will result in
infinite recursion, eventually crashing the DTLS client or server.
Fixes CVE-2014-0221, from OpenSSL.
Reported to OpenSSL by Imre Rad.
|
|
Fixes CVE-2014-3470, from OpenSSL.
ok deraadt@
|
|
DTLS fragments.
Fix for CVE-2014-0195, from OpenSSL.
Reported to OpenSSL by Juri Aedla.
ok deraadt@ beck@
|
|
is unchecked, which would result in a later null pointer dereference.
While here, RSA_free, DH_free and EC_KEY_free all have implicit NULL
checks, so avoid repeating them here.
ok beck@
|
|
secret. This is an additional safeguard against early ChangeCipherSpec
handling.
From OpenSSL.
ok deraadt@
|
|
Without this an early ChangeCipherSpec message would result in session
keys being generated, along with the Finished hash for the handshake,
using an empty master secret.
For a detailed analysis see:
https://www.imperialviolet.org/2014/06/05/earlyccs.html
This is a fix for CVE-2014-0224, from OpenSSL.
This issue was reported to OpenSSL by KIKUCHI Masashi. Unfortunately the
recent OpenSSL commit was the first we were made aware of the issue.
ok deraadt@ sthen@
|
|
|
|
free()ing it, rather than in conditional code.
Also do not bother setting server_opaque_prf_input (server, not client) to
NULL in conditional code 10 lines after explicitely free()ing it and setting
it to NULL (were the developers afraid of zombie pointers?)
ok guenther@
|
|
(From Frantisek Boranek)
OK from miod@
|
|
where it is feasible to do so. better safe than sorry.
|
|
(From Martin Brejcha)
OK from tedu@, miod@ and deraadt@
|
|
|
|
|
|
|
|
The underlying code has long been removed, making this a no-op.
If your random subsystem actually requires that you seed it from a file,
then you really should go and buy a new random subsystem that was built
after 1990.
Diff from Brent Cook.
ok deraadt@
|
|
of the intel RDRAND instruction. Consensus was RDRAND should probably
only be used as an additional source of entropy in a mixer.
Guess which library bends over backwards to provide easy access to
RDRAND? Yep. Guess which applications are using this support? Not
even one... but still, this is being placed as a trap for someone.
Send this support straight to the abyss.
ok kettenis
|
|
|
|
|
