Loading CHANGES +51 −0 Original line number Diff line number Diff line Loading @@ -211,6 +211,57 @@ [Matthew D Wood (Intel Corp)] *) Add the Korean symmetric 128-bit cipher SEED (see http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and add SEED ciphersuites from RFC 4162: TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" To minimize changes between patchlevels in the OpenSSL 0.9.8 series, SEED remains excluded from compilation unless OpenSSL is configured with 'enable-seed'. [KISA, Bodo Moeller] *) Mitigate branch prediction attacks, which can be practical if a single processor is shared, allowing a spy process to extract information. For detailed background information, see http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures"). The core of the change are new versions BN_div_no_branch() and BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), respectively, which are slower, but avoid the security-relevant conditional branches. These are automatically called by BN_div() and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one of the input BIGNUMs. Also, BN_is_bit_set() has been changed to remove a conditional branch. BN_FLG_CONSTTIME is the new name for the previous BN_FLG_EXP_CONSTTIME flag, since it now affects more than just modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag in the exponent causes BN_mod_exp_mont() to use the alternative implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias. Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias. BN_BLINDING_new() will now use BN_dup() for the modulus so that the BN_BLINDING structure gets an independent copy of the modulus. This means that the previous "BIGNUM *m" argument to BN_BLINDING_new() and to BN_BLINDING_create_param() now essentially becomes "const BIGNUM *m", although we can't actually change this in the header file before 0.9.9. It allows RSA_setup_blinding() to use BN_with_flags() on the modulus to enable BN_FLG_CONSTTIME. [Matthew D Wood (Intel Corp)] *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously, Loading doc/apps/ciphers.pod +1 −2 Original line number Diff line number Diff line Loading @@ -105,8 +105,7 @@ The following is a list of all permitted cipher strings and their meanings. =item B<DEFAULT> the default cipher list. This is determined at compile time and is normally B<ALL:!aNULL:!eNULL:+RC4:@STRENGTH> or B<AES:CAMELLIA:ALL!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string specified. =item B<COMPLEMENTOFDEFAULT> Loading ssl/ssl.h +1 −5 Original line number Diff line number Diff line Loading @@ -318,11 +318,7 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ #ifdef OPENSSL_NO_CAMELLIA # define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ #else # define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ #endif #define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 Loading Loading
CHANGES +51 −0 Original line number Diff line number Diff line Loading @@ -211,6 +211,57 @@ [Matthew D Wood (Intel Corp)] *) Add the Korean symmetric 128-bit cipher SEED (see http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and add SEED ciphersuites from RFC 4162: TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" To minimize changes between patchlevels in the OpenSSL 0.9.8 series, SEED remains excluded from compilation unless OpenSSL is configured with 'enable-seed'. [KISA, Bodo Moeller] *) Mitigate branch prediction attacks, which can be practical if a single processor is shared, allowing a spy process to extract information. For detailed background information, see http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL and Necessary Software Countermeasures"). The core of the change are new versions BN_div_no_branch() and BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), respectively, which are slower, but avoid the security-relevant conditional branches. These are automatically called by BN_div() and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one of the input BIGNUMs. Also, BN_is_bit_set() has been changed to remove a conditional branch. BN_FLG_CONSTTIME is the new name for the previous BN_FLG_EXP_CONSTTIME flag, since it now affects more than just modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag in the exponent causes BN_mod_exp_mont() to use the alternative implementation in BN_mod_exp_mont_consttime().) The old name remains as a deprecated alias. Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses constant-time implementations for more than just exponentiation. Here too the old name is kept as a deprecated alias. BN_BLINDING_new() will now use BN_dup() for the modulus so that the BN_BLINDING structure gets an independent copy of the modulus. This means that the previous "BIGNUM *m" argument to BN_BLINDING_new() and to BN_BLINDING_create_param() now essentially becomes "const BIGNUM *m", although we can't actually change this in the header file before 0.9.9. It allows RSA_setup_blinding() to use BN_with_flags() on the modulus to enable BN_FLG_CONSTTIME. [Matthew D Wood (Intel Corp)] *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously, Loading
doc/apps/ciphers.pod +1 −2 Original line number Diff line number Diff line Loading @@ -105,8 +105,7 @@ The following is a list of all permitted cipher strings and their meanings. =item B<DEFAULT> the default cipher list. This is determined at compile time and is normally B<ALL:!aNULL:!eNULL:+RC4:@STRENGTH> or B<AES:CAMELLIA:ALL!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string B<AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH>. This must be the first cipher string specified. =item B<COMPLEMENTOFDEFAULT> Loading
ssl/ssl.h +1 −5 Original line number Diff line number Diff line Loading @@ -318,11 +318,7 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ #ifdef OPENSSL_NO_CAMELLIA # define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ #else # define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ #endif #define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 Loading
