Skip to content
  1. Sep 07, 2019
    • Bernd Edlinger's avatar
      Remove x86/x86_64 BSAES and AES_ASM support · 87bea655
      Bernd Edlinger authored 
      

This leaves VPAES and AESNI support.
The VPAES performance is comparable but BSAES is not
completely constant time. There are table lookups
using secret key data in AES_set_encrypt/decrypt_key
and in ctr mode short data uses the non-constant
time AES_encrypt function instead of bit-slicing.
Furthermore the AES_ASM is by far outperformed
by recent GCC versions.
Since BSAES calls back to AES_ASM for short
data blocks the performance on those is also
worse than the pure software implementaion.

Fixes: #9640

Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9675)
      87bea655
  3. Aug 18, 2019
  5. Aug 08, 2019
  7. Jul 01, 2019
  9. Jun 30, 2019
  11. Jun 24, 2019
  13. May 28, 2019
  15. May 22, 2019
  17. May 21, 2019
  19. May 08, 2019
  21. Apr 10, 2019
  23. Apr 06, 2019
  25. Mar 27, 2019
  27. Mar 21, 2019
  29. Mar 06, 2019
    • Matt Caswell's avatar
      Prevent over long nonces in ChaCha20-Poly1305 · f426625b
      Matt Caswell authored 
      

ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.

It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.

Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected.

Any OpenSSL internal use of this cipher, including in SSL/TLS, is safe
because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.

CVE-2019-1543

Fixes #8345

Reviewed-by: default avatarPaul Dale <paul.dale@oracle.com>
Reviewed-by: default avatarRichard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8406)

(cherry picked from commit 2a3d0ee9)
      f426625b
  31. Dec 22, 2018
  33. Dec 10, 2018
  35. Nov 20, 2018
  37. Oct 02, 2018
  39. Sep 21, 2018
  41. Sep 13, 2018
  43. Sep 11, 2018
  45. Sep 07, 2018
  47. Sep 06, 2018
  49. Sep 05, 2018
  51. Aug 07, 2018
  53. Aug 06, 2018
  55. Aug 03, 2018
  57. Aug 01, 2018
  59. Jul 12, 2018
  61. Jul 06, 2018
  63. Jun 29, 2018
  65. Jun 20, 2018