Commits · 0462eedf5ee2273647010955a92d962ce109c6af · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Feb 08, 2013

Adam Langley authored Feb 06, 2013

MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
(cherry picked from commit f306b87d)

0462eedf

e_aes_cbc_hmac_sha1.c: align calculated MAC at cache line. · 82425f2c
Andy Polyakov authored Feb 08, 2013
```
It also ensures that valgring is happy.
(cherry picked from commit 2141e6f3)
```
82425f2c

Feb 06, 2013

e_aes_cbc_hmac_sha1.c: cleanse temporary copy of HMAC secret. · af010edd
Andy Polyakov authored Feb 03, 2013
```
(cherry picked from commit 529d27ea)
```
af010edd
e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues. · 5966f4d9
Andy Polyakov authored Feb 02, 2013
```
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b5)
```
5966f4d9

ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. · eeb486a5

Andy Polyakov authored Feb 01, 2013

Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c65)

eeb486a5

Don't access EVP_MD_CTX internals directly. · d7f55e76
Dr. Stephen Henson authored Feb 01, 2013
```
(cherry picked from commit 04e45b52)
```
d7f55e76
s3/s3_cbc.c: allow for compilations with NO_SHA256|512. · 7d9e781a
Andy Polyakov authored Feb 01, 2013
```
(cherry picked from commit d5371324)
```
7d9e781a

ssl/s3_cbc.c: md_state alignment portability fix. · e0c21a0b

Andy Polyakov authored Feb 01, 2013

RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
(cherry picked from commit 36260233)

e0c21a0b

ssl/s3_cbc.c: uint64_t portability fix. · 1dfb4b94

Andy Polyakov authored Feb 01, 2013

Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
(cherry picked from commit cab13fc8)

1dfb4b94

typo. · e5cb7743
Dr. Stephen Henson authored Jan 31, 2013
```
(cherry picked from commit 34ab3c8c)
```
e5cb7743
Add ordinal for CRYPTO_memcmp: since this will affect multiple · 73390e6b
Dr. Stephen Henson authored Jan 31, 2013
```
branches it needs to be in a "gap".
(cherry picked from commit 81ce0e14)
```
73390e6b

Timing fix mitigation for FIPS mode. · d91d9acc

Dr. Stephen Henson authored Jan 29, 2013

We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
(cherry picked from commit b908e88e)

d91d9acc

Oops. Add missing file. · 820988a0
Ben Laurie authored Jan 28, 2013
```
(cherry picked from commit 014265eb)
```
820988a0

Update DTLS code to match CBC decoding in TLS. · 1326a64a

Ben Laurie authored Jan 28, 2013

This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
(cherry picked from commit 9f27de17)

1326a64a

Don't crash when processing a zero-length, TLS >= 1.1 record. · e0da2c2e

Ben Laurie authored Jan 28, 2013

The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b76)

e0da2c2e

Make CBC decoding constant time. · fb0a59cc

Ben Laurie authored Jan 28, 2013

This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841b)

fb0a59cc

Add and use a constant-time memcmp. · f5cd3561

Ben Laurie authored Jan 28, 2013

This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee79888)

f5cd3561

Feb 04, 2013
- Merge branch 'OpenSSL_1_0_2-stable' of /home/steve/src/git/openssl into OpenSSL_1_0_2-stable · 115f7fa5
  Dr. Stephen Henson authored Feb 04, 2013
  
  115f7fa5
- Fix for trace code: SSL3 doesn't include a length value for · c867d871
  Dr. Stephen Henson authored Feb 04, 2013
```
encrypted premaster secret value.
(cherry picked from commit ea34a583)
```
  c867d871
Feb 02, 2013
- bn_word.c: fix overflow bug in BN_add_word. · 2a713ead
  Andy Polyakov authored Nov 09, 2012
```
(cherry picked from commit 134c0065)
```
  2a713ead
- x86_64 assembly pack: keep making Windows build more robust. · 2e7900b6
  Andy Polyakov authored Feb 02, 2013
```
PR: 2963 and a number of others
(cherry picked from commit 4568182a)
```
  2e7900b6
Jan 24, 2013
- Fix warning: lenmax isn't used any more. · f8435919
  Dr. Stephen Henson authored Jan 24, 2013
  
  f8435919
Jan 23, 2013
- Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set · 1db4354b
  Dr. Stephen Henson authored Jan 23, 2013
  
  1db4354b
Jan 22, 2013
- x86_64 assembly pack: make Windows build more robust [from master]. · 3f233a1e
  Andy Polyakov authored Jan 22, 2013
```
PR: 2963 and a number of others
```
  3f233a1e
- TABLE update. · 25917e97
  Andy Polyakov authored Jan 22, 2013
  
  25917e97
- Configure: update linux-mips* lines [from master]. · 8812a81b
  Andy Polyakov authored Jan 22, 2013
  
  8812a81b
- bn/asm/mips.pl: hardwire local call to bn_div_words. · b17ffba9
  Andy Polyakov authored Jan 22, 2013
  
  b17ffba9
Jan 20, 2013
- Don't include comp.h if no-comp set. · 3619e34f
  Dr. Stephen Henson authored Jan 20, 2013
  
  3619e34f
Jan 19, 2013
- Merge branch 'OpenSSL_1_0_2-stable' of openssl.net:openssl into OpenSSL_1_0_2-stable · 6924686b
  Ben Laurie authored Jan 19, 2013
  
  6924686b
- Remove extraneous brackets (clang doesn't like them). · 92745f81
  Ben Laurie authored Jan 19, 2013
  
  92745f81
- Add MacOS 64-bit debug target. · 17cf9864
  Ben Laurie authored Jan 19, 2013
  
  17cf9864
- engines/ccgost: GOST fixes [from master]. · 5cfefd3c
  Andy Polyakov authored Jan 19, 2013
```
Submitted by: Dmitry Belyavsky, Seguei Leontiev
PR: 2821
```
  5cfefd3c
- Can't check a size_t for < 0. · 9ccc6f43
  Ben Laurie authored Jan 19, 2013
  
  9ccc6f43
- .gitignore adjustments · 3c924717
  Andy Polyakov authored Jan 19, 2013
  
  3c924717
Jan 18, 2013
- -named_curve option handled automatically now. · 1a932ae0
  Dr. Stephen Henson authored Jan 18, 2013
  
  1a932ae0
- Add code to download CRLs based on CRLDP extension. · 57912ed3
  Dr. Stephen Henson authored Dec 06, 2012
```
Just a sample, real world applications would have to be cleverer.
```
  57912ed3
- cipher is not used in s_server any more. · e998f8ae
  Dr. Stephen Henson authored Jan 18, 2013
  
  e998f8ae
- New option to add CRLs for s_client and s_server. · e318431e
  Dr. Stephen Henson authored Dec 02, 2012
  
  e318431e
Jan 17, 2013
- initial support for delta CRL generations by diffing two full CRLs · 6a10f38d
  Dr. Stephen Henson authored Dec 04, 2012
  
  6a10f38d
- Typo (PR2959). · c0950788
  Dr. Stephen Henson authored Jan 17, 2013
  
  c0950788