Commits · 4d8da30fc1e83ce85a3f7ceec6624121d40efb89 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Feb 09, 2013
- ssl/s3_[clnt|srvr].c: fix warnings. · 4d8da30f
  Andy Polyakov authored Feb 09, 2013
  
  4d8da30f
Feb 08, 2013
- s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal. · 579f3a63
  Andy Polyakov authored Feb 08, 2013
```
(cherry picked from commit f93a4187)
```
  579f3a63
- s3_cbc.c: get rid of expensive divisions [from master]. · 47061af1
  Andy Polyakov authored Feb 08, 2013
```
(cherry picked from commit e9baceab)
```
  47061af1
- e_aes_cbc_hmac_sha1.c: fine-tune cache line alignment. · 13e22530
  Andy Polyakov authored Feb 08, 2013
```
With previous commit it also ensures that valgrind is happy.
```
  13e22530
- Add clang target. · 26bc56d0
  Ben Laurie authored Jan 26, 2013
  
  26bc56d0
- Remove extraneous brackets (clang doesn't like them). · 496681cd
  Ben Laurie authored Jan 19, 2013
  
  496681cd
Feb 07, 2013
- e_aes_cbc_hmac_sha1.c: align calculated MAC at cache line. · 746c6f3a
  Andy Polyakov authored Feb 07, 2013
  
  746c6f3a
- ssl/[d1|s3]_pkt.c: harmomize orig_len handling. · 8545f73b
  Andy Polyakov authored Feb 07, 2013
  
  8545f73b
- Fix IV check and padding removal. · 32cc2479
  Dr. Stephen Henson authored Feb 07, 2013
```
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)

For AEAD remove the correct number of padding bytes (by Andy)
```
  32cc2479
Feb 06, 2013

Adam Langley authored Feb 06, 2013

MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.

f306b87d

prepare for next version · 41cf07f0
Dr. Stephen Henson authored Feb 06, 2013

41cf07f0

Feb 04, 2013
- typo · 62f40333
  Dr. Stephen Henson authored Feb 04, 2013
  
  OpenSSL_1_0_1d
  
  62f40333
- Prepare for release. · f9f6a8f9
  Dr. Stephen Henson authored Feb 04, 2013
  
  f9f6a8f9
- typo · df0d9356
  Dr. Stephen Henson authored Feb 04, 2013
  
  df0d9356
- make update · 0d589ac1
  Dr. Stephen Henson authored Feb 04, 2013
  
  0d589ac1
- Fix error codes. · 35d732fc
  Dr. Stephen Henson authored Feb 04, 2013
  
  35d732fc
- Reword NEWS entry. · 896ddb98
  Dr. Stephen Henson authored Feb 04, 2013
  
  896ddb98
- Update NEWS · e630b3c2
  Dr. Stephen Henson authored Feb 04, 2013
  
  e630b3c2
- Add CHANGES entries. · f1ca56a6
  Dr. Stephen Henson authored Feb 04, 2013
  
  f1ca56a6
Feb 03, 2013
- e_aes_cbc_hmac_sha1.c: cleanse temporary copy of HMAC secret. · 529d27ea
  Andy Polyakov authored Feb 03, 2013
  
  529d27ea
Feb 02, 2013
- bn_word.c: fix overflow bug in BN_add_word. · b2226c6c
  Andy Polyakov authored Nov 09, 2012
```
(cherry picked from commit 134c0065)
```
  b2226c6c
- x86_64 assembly pack: keep making Windows build more robust. · 024de217
  Andy Polyakov authored Feb 02, 2013
```
PR: 2963 and a number of others
(cherry picked from commit 4568182a)
```
  024de217
- e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues. · 125093b5
  Andy Polyakov authored Feb 02, 2013
```
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
```
  125093b5
Feb 01, 2013
- Merge remote-tracking branch 'origin/OpenSSL_1_0_1-stable' into OpenSSL_1_0_1-stable · f3e99ea0
  Ben Laurie authored Feb 01, 2013
  
  f3e99ea0
- ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. · 8bfd4c65
  Andy Polyakov authored Feb 01, 2013
```
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
```
  8bfd4c65
- ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. · ec07246a
  Andy Polyakov authored Feb 01, 2013
  
  ec07246a
- Don't access EVP_MD_CTX internals directly. · 04e45b52
  Dr. Stephen Henson authored Feb 01, 2013
  
  04e45b52
- s3/s3_cbc.c: allow for compilations with NO_SHA256|512. · d5371324
  Andy Polyakov authored Feb 01, 2013
  
  d5371324
- ssl/s3_cbc.c: md_state alignment portability fix. · 36260233
  Andy Polyakov authored Feb 01, 2013
```
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
```
  36260233
- ssl/s3_cbc.c: uint64_t portability fix. · cab13fc8
  Andy Polyakov authored Feb 01, 2013
```
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
```
  cab13fc8
Jan 31, 2013
- typo. · 34ab3c8c
  Dr. Stephen Henson authored Jan 31, 2013
  
  34ab3c8c
- Merge branch 'ben/timing-1.0.1' into OpenSSL_1_0_1-stable · 25c93fd2
  Dr. Stephen Henson authored Jan 31, 2013
  
  25c93fd2
- Update NEWS · 428c1064
  Dr. Stephen Henson authored Jan 31, 2013
  
  428c1064
- Add ordinal for CRYPTO_memcmp: since this will affect multiple · 81ce0e14
  Dr. Stephen Henson authored Jan 31, 2013
```
branches it needs to be in a "gap".
```
  81ce0e14
- Timing fix mitigation for FIPS mode. · b908e88e
  Dr. Stephen Henson authored Jan 29, 2013
```
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
```
  b908e88e
Jan 29, 2013
- Don't try and verify signatures if key is NULL (CVE-2013-0166) · 62e4506a
  Dr. Stephen Henson authored Jan 24, 2013
```
Add additional check to catch this in ASN1_item_verify too.
```
  62e4506a
Jan 28, 2013

Oops. Add missing file. · 014265eb
Ben Laurie authored Jan 28, 2013

014265eb
Update DTLS code to match CBC decoding in TLS. · 9f27de17
Ben Laurie authored Jan 28, 2013
```
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
```
9f27de17

Don't crash when processing a zero-length, TLS >= 1.1 record. · 6cb19b76

Ben Laurie authored Jan 28, 2013

The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.

6cb19b76

Make CBC decoding constant time. · e130841b

Ben Laurie authored Jan 28, 2013

This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.

e130841b