generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
8bc643efc8
openssl/ssl
History
Matt Caswell 8bc643efc8 Always generate DH keys for ephemeral DH cipher suites 
Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-28 10:27:55 +00:00
..
bio_ssl.c Handle SSL_ERROR_WANT_X509_LOOKUP 2015-09-20 14:22:52 +01:00
clienthellotest.c Add test for SSL_set_session_ticket_ext 2015-07-27 16:14:02 +01:00
d1_both.c Ensure |rwstate| is set correctly on BIO_flush 2015-12-10 12:50:56 +00:00
d1_clnt.c Only call ssl3_init_finished_mac once for DTLS 2015-11-10 18:47:57 +00:00
d1_enc.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
d1_lib.c Clear state in DTLSv1_listen 2015-06-02 09:12:39 +01:00
d1_meth.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
d1_pkt.c Lost alert in DTLS 2015-05-22 10:24:49 +01:00
d1_srtp.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
d1_srvr.c Stop DTLS servers asking for unsafe legacy renegotiation 2015-11-10 19:27:25 +00:00
dtls1.h Fix d2i_SSL_SESSION for DTLS1_BAD_VER 2015-02-27 20:32:49 +00:00
heartbeat_test.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
install-ssl.com Don't forget to install srtp.h as well 2012-05-10 15:01:22 +00:00
kssl_lcl.h Remove the "eay" c-file-style indicators 2015-12-18 13:13:31 +01:00
kssl.c Remove the "eay" c-file-style indicators 2015-12-18 13:13:31 +01:00
kssl.h Remove the "eay" c-file-style indicators 2015-12-18 13:13:31 +01:00
Makefile Add test for SSL_set_session_ticket_ext 2015-07-27 16:14:02 +01:00
s2_clnt.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s2_enc.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s2_lib.c Fix reachable assert in SSLv2 servers. 2015-03-19 12:59:31 +00:00
s2_meth.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s2_pkt.c Add length sanity check in SSLv2 n_do_ssl_write() 2015-04-29 17:44:02 +01:00
s2_srvr.c Validate ClientHello session_id field length and send alert on failure 2016-01-19 15:42:23 +00:00
s3_both.c Sanity check the return from final_finish_mac 2015-04-30 23:27:05 +01:00
s3_cbc.c Ensure all EVP calls have their returns checked where appropriate 2015-11-20 15:56:42 +00:00
s3_clnt.c Change minimum DH size from 768 to 1024 2016-01-11 00:13:54 +01:00
s3_enc.c Ensure all EVP calls have their returns checked where appropriate 2015-11-20 15:56:42 +00:00
s3_lib.c Always generate DH keys for ephemeral DH cipher suites 2016-01-28 10:27:55 +00:00
s3_meth.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s3_pkt.c Don't send an alert if we've just received one 2015-05-25 23:11:02 +01:00
s3_srvr.c Always generate DH keys for ephemeral DH cipher suites 2016-01-28 10:27:55 +00:00
s23_clnt.c Fix session resumption 2015-09-02 00:31:33 +01:00
s23_lib.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s23_meth.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s23_pkt.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
s23_srvr.c Re-align some comments after running the reformat script. 2015-01-22 09:39:01 +00:00
srtp.h Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl2.h Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl3.h Add test for SSL_set_session_ticket_ext 2015-07-27 16:14:02 +01:00
ssl23.h Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl_algs.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl_asn1.c Make no-psk compile without warnings. 2015-09-16 18:12:04 +01:00
ssl_cert.c Set reference count earlier 2015-11-24 21:53:40 +01:00
ssl_ciph.c Ensure all EVP calls have their returns checked where appropriate 2015-11-20 15:56:42 +00:00
ssl_err2.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl_err.c Ensure all EVP calls have their returns checked where appropriate 2015-11-20 15:56:42 +00:00
ssl_lib.c Set reference count earlier 2015-11-24 21:53:40 +01:00
ssl_locl.h Ensure all EVP calls have their returns checked where appropriate 2015-11-20 15:56:42 +00:00
ssl_rsa.c Ensure all EVP calls have their returns checked where appropriate 2015-11-20 15:56:42 +00:00
ssl_sess.c Validate ClientHello session_id field length and send alert on failure 2016-01-19 15:42:23 +00:00
ssl_stat.c Add Error state 2015-05-05 20:07:48 +01:00
ssl_task.c Re-align some comments after running the reformat script. 2015-01-22 09:39:01 +00:00
ssl_txt.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl_utst.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
ssl-lib.com Spaces were added in some strings for better readability. However, those spaces do not belong in file names, so when picking out the individual parts, remove the spaces 2014-10-15 10:49:24 +02:00
ssl.h Always generate DH keys for ephemeral DH cipher suites 2016-01-28 10:27:55 +00:00
ssltest.c _BSD_SOURCE is deprecated, use _DEFAULT_SOURCE instead 2015-12-02 18:49:57 +01:00
t1_clnt.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
t1_enc.c Fix more URLs mangled by reformat 2015-12-19 20:40:39 +00:00
t1_lib.c Ensure we don't call the OCSP callback if resuming a session 2015-12-27 22:05:36 +00:00
t1_meth.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
t1_reneg.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
t1_srvr.c Run util/openssl-format-source -v -c . 2015-01-22 09:38:39 +00:00
tls1.h Fix references to various RFCs 2015-10-23 20:43:09 +02:00
tls_srp.c Code style: space after 'if' 2015-04-16 13:51:51 -04:00