  1. Mar 25, 2015
    • Deprecate RAND_pseudo_bytes · 302d38e3
      Matt Caswell authored

      The justification for RAND_pseudo_bytes is somewhat dubious, and the reality
      is that it is frequently being misused. RAND_bytes and RAND_pseudo_bytes in
      the default implementation both end up calling ssleay_rand_bytes. Both may
      return -1 in an error condition. If there is insufficient entropy then
      both will return 0, but RAND_bytes will additionally add an error to the
      error queue. They both return 1 on success.
      Therefore the fundamental difference between the two is that one will add an
      error to the error queue with insufficient entropy whilst the other will not.
      Frequently there are constructions of this form:
      
      if(RAND_pseudo_bytes(...) <= 1)
      	goto err;
      
      In the above form insufficient entropy is treated as an error anyway, so
      RAND_bytes is probably the better form to use.
      
      This form is also seen:
      if(!RAND_pseudo_bytes(...))
      	goto err;
      
      This is technically not correct at all since a -1 return value is
      incorrectly handled - but this form will also treat insufficient entropy as
      an error.
      
      Within libssl it is required that you have correctly seeded your entropy
      pool and so there seems little benefit in using RAND_pseudo_bytes.
      Similarly in libcrypto many operations also require a correctly seeded
      entropy pool and so in most interesting cases you would be better off
      using RAND_bytes anyway. There is a significant risk of RAND_pseudo_bytes
      being incorrectly used in scenarios where security can be compromised by
      insufficient entropy.
      
      If you are not using the default implementation, then most engines use the
      same function to implement RAND_bytes and RAND_pseudo_bytes in any case.
      
      Given its misuse, limited benefit, and potential to compromise security,
      RAND_pseudo_bytes has been deprecated.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
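The two checking idioms described in the commit message, side by side, as an added example that is not part of the OpenSSL commit: the generator stubs below are constructed for the demo and only model the RAND_bytes return contract (1 = success, 0 = insufficient entropy, -1 = error/not supported), so nothing here links against OpenSSL.

```c
#include <stddef.h>
#include <string.h>

/* Function-pointer type with the same shape as OpenSSL's RAND_bytes().
 * Contract: 1 = success, 0 = insufficient entropy, -1 = error/not supported.
 * The three stubs are constructed for this demo; they are not OpenSSL code. */
typedef int (*rand_fn)(unsigned char *buf, int num);

static int stub_rand_ok(unsigned char *buf, int num)
{
    memset(buf, 0x42, (size_t)num);   /* constructed "random" fill */
    return 1;
}

static int stub_rand_no_entropy(unsigned char *buf, int num)
{
    (void)buf; (void)num;
    return 0;                         /* PRNG not seeded */
}

static int stub_rand_error(unsigned char *buf, int num)
{
    (void)buf; (void)num;
    return -1;                        /* e.g. engine with no bytes method */
}

/* The flawed idiom from the commit message: if(!RAND_pseudo_bytes(...)).
 * Returns 1 if the caller would go on to use the buffer, 0 if it bails out. */
int flawed_check_proceeds(rand_fn fn)
{
    unsigned char key[16];
    if (!fn(key, (int)sizeof(key)))
        return 0;   /* goto err: only the 0 case is caught */
    return 1;       /* -1 falls through here and the buffer is used unfilled */
}

/* Hardened form: anything other than 1 is an error, so -1 is rejected too. */
int correct_check_proceeds(rand_fn fn)
{
    unsigned char key[16];
    if (fn(key, (int)sizeof(key)) != 1)
        return 0;   /* goto err */
    return 1;
}
```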
    • RAND_bytes updates · 266483d2
      Matt Caswell authored

      Ensure RAND_bytes return value is checked correctly, and that we no longer
      use RAND_pseudo_bytes.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Fix return checks in GOST engine · 8817e2e0
      Matt Caswell authored

      Filled in lots of return value checks that were missing in the GOST engine, and
      added appropriate error handling.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Fix misc NULL derefs in sureware engine · 7b611e5f
      Matt Caswell authored

      Fix miscellaneous NULL pointer derefs in the sureware engine.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Add ticket length before buffering DTLS message · 4f9fab6b
      Matt Caswell authored

      In ssl3_send_new_session_ticket the message to be sent is constructed. We
      skip adding the length of the session ticket initially, then call
      ssl_set_handshake_header, and finally go back and add in the length of the
      ticket. Unfortunately, in DTLS, ssl_set_handshake_header also has the side
      effect of buffering the message for subsequent retransmission if required.
      By adding the ticket length after the call to ssl_set_handshake_header the
      message that is buffered is incomplete, causing an invalid message to be
      sent on retransmission.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • Ensure last_write_sequence is saved in DTLS1.2 · d5d0a1cb
      Matt Caswell authored

      In DTLS, immediately prior to epoch change, the write_sequence is supposed
      to be stored in s->d1->last_write_sequence. The write_sequence is then reset
      back to 00000000. In the event of retransmits of records from the previous
      epoch, the last_write_sequence is restored. This commit fixes a bug in
      DTLS1.2 where the write_sequence was being reset before last_write_sequence
      was saved, and therefore retransmits are sent with incorrect sequence
      numbers.
      
      Reviewed-by: Richard Levitte <levitte@openssl.org>
    • free NULL cleanup · d6407083
      Rich Salz authored

      Start ensuring all OpenSSL "free" routines allow NULL, and remove
      any if check before calling them.
      This gets DH_free, DSA_free, RSA_free
      
      Reviewed-by: Matt Caswell <matt@openssl.org>