Commits · f8a69166ed1d26bf1e08ab573d021cecdb05cba5 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP OpenSSL

Feb 25, 2013

New -force_pubkey option to x509 utility to supply a different public · f8a69166

Dr. Stephen Henson authored Oct 07, 2011

key to the one in a request. This is useful for cases where the public
key cannot be used for signing e.g. DH.
(cherry picked from commit 43206a2d)

f8a69166

Feb 16, 2013
- bn_nist.c: work around clang 3.0 bug. · b9eef988
  Andy Polyakov authored Feb 14, 2013
```
(cherry picked from commit 750398ac)
```
  b9eef988
Feb 15, 2013

Fix POD errors to stop make install_docs dying with pod2man 2.5.0+ · ae5c1ca3

Nick Alcock authored Feb 15, 2013

podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.

Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
(cherry picked from commit 5cc27077)

ae5c1ca3

Feb 14, 2013
- cms-test.pl: make it work with not-so-latest perl. · 188ab7df
  Andy Polyakov authored May 16, 2011
```
(cherry picked from commit 9c437e2f)
```
  188ab7df
Feb 12, 2013

Upate FAQ. · 2e3d02fe

Dr. Stephen Henson authored Feb 12, 2013

Add description of "allocate and encode" operation for ASN1 routines.

Document how versioning will for after the letter release reaches
y.
(cherry picked from commit 2527b94f)

2e3d02fe

Check DTLS_BAD_VER for version number. · 3a3a1af1

David Woodhouse authored Feb 12, 2013

The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb2)

3a3a1af1

Feb 11, 2013
- Fix in ssltest is no-ssl2 configured · 0ced72c6
  Dr. Stephen Henson authored Feb 11, 2013
```
(cherry picked from commit cbf9b4ae)
```
  0ced72c6
- FAQ/README: we are now using Git instead of CVS · 5584a954
  Lutz Jaenicke authored Feb 11, 2013
```
(cherry picked from commit f88dbb83)
```
  5584a954
- sparccpuid.S: work around emulator bug on T1. · a3e66779
  Andy Polyakov authored Feb 11, 2013
```
(cherry picked from commit 3caeef94)
```
  a3e66779
Feb 08, 2013

s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal. · 919eab8a
Andy Polyakov authored Feb 08, 2013
```
(cherry picked from commit f93a4187)
```
919eab8a
s3_cbc.c: get rid of expensive divisions [from master]. · e9baceab
Andy Polyakov authored Feb 08, 2013

e9baceab
ssl/[d1|s3]_pkt.c: harmomize orig_len handling. · b05561c4
Andy Polyakov authored Feb 07, 2013
```
(cherry picked from commit 8545f73b)
```
b05561c4

Fix IV check and padding removal. · b7355af4

Dr. Stephen Henson authored Feb 07, 2013

Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)

For AEAD remove the correct number of padding bytes (by Andy)
(cherry picked from commit 32cc2479)

b7355af4

Fix for EXP-RC2-CBC-MD5 · 0462eedf

Adam Langley authored Feb 06, 2013

MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
(cherry picked from commit f306b87d)

0462eedf

e_aes_cbc_hmac_sha1.c: align calculated MAC at cache line. · 82425f2c
Andy Polyakov authored Feb 08, 2013
```
It also ensures that valgring is happy.
(cherry picked from commit 2141e6f3)
```
82425f2c

Feb 06, 2013

e_aes_cbc_hmac_sha1.c: cleanse temporary copy of HMAC secret. · af010edd
Andy Polyakov authored Feb 03, 2013
```
(cherry picked from commit 529d27ea)
```
af010edd
e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues. · 5966f4d9
Andy Polyakov authored Feb 02, 2013
```
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b5)
```
5966f4d9

ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. · eeb486a5

Andy Polyakov authored Feb 01, 2013

Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c65)

eeb486a5

Don't access EVP_MD_CTX internals directly. · d7f55e76
Dr. Stephen Henson authored Feb 01, 2013
```
(cherry picked from commit 04e45b52)
```
d7f55e76
s3/s3_cbc.c: allow for compilations with NO_SHA256|512. · 7d9e781a
Andy Polyakov authored Feb 01, 2013
```
(cherry picked from commit d5371324)
```
7d9e781a

ssl/s3_cbc.c: md_state alignment portability fix. · e0c21a0b

Andy Polyakov authored Feb 01, 2013

RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
(cherry picked from commit 36260233)

e0c21a0b

ssl/s3_cbc.c: uint64_t portability fix. · 1dfb4b94

Andy Polyakov authored Feb 01, 2013

Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
(cherry picked from commit cab13fc8)

1dfb4b94

typo. · e5cb7743
Dr. Stephen Henson authored Jan 31, 2013
```
(cherry picked from commit 34ab3c8c)
```
e5cb7743
Add ordinal for CRYPTO_memcmp: since this will affect multiple · 73390e6b
Dr. Stephen Henson authored Jan 31, 2013
```
branches it needs to be in a "gap".
(cherry picked from commit 81ce0e14)
```
73390e6b

Timing fix mitigation for FIPS mode. · d91d9acc

Dr. Stephen Henson authored Jan 29, 2013

We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
(cherry picked from commit b908e88e)

d91d9acc

Oops. Add missing file. · 820988a0
Ben Laurie authored Jan 28, 2013
```
(cherry picked from commit 014265eb)
```
820988a0

Update DTLS code to match CBC decoding in TLS. · 1326a64a

Ben Laurie authored Jan 28, 2013

This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
(cherry picked from commit 9f27de17)

1326a64a

Don't crash when processing a zero-length, TLS >= 1.1 record. · e0da2c2e

Ben Laurie authored Jan 28, 2013

The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
(cherry picked from commit 6cb19b76)

e0da2c2e

Make CBC decoding constant time. · fb0a59cc

Ben Laurie authored Jan 28, 2013

This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841b)

fb0a59cc

Add and use a constant-time memcmp. · f5cd3561

Ben Laurie authored Jan 28, 2013

This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
(cherry picked from commit 2ee79888)

f5cd3561

Feb 04, 2013
- Merge branch 'OpenSSL_1_0_2-stable' of /home/steve/src/git/openssl into OpenSSL_1_0_2-stable · 115f7fa5
  Dr. Stephen Henson authored Feb 04, 2013
  
  115f7fa5
- Fix for trace code: SSL3 doesn't include a length value for · c867d871
  Dr. Stephen Henson authored Feb 04, 2013
```
encrypted premaster secret value.
(cherry picked from commit ea34a583)
```
  c867d871
Feb 02, 2013
- bn_word.c: fix overflow bug in BN_add_word. · 2a713ead
  Andy Polyakov authored Nov 09, 2012
```
(cherry picked from commit 134c0065)
```
  2a713ead
- x86_64 assembly pack: keep making Windows build more robust. · 2e7900b6
  Andy Polyakov authored Feb 02, 2013
```
PR: 2963 and a number of others
(cherry picked from commit 4568182a)
```
  2e7900b6
Jan 24, 2013
- Fix warning: lenmax isn't used any more. · f8435919
  Dr. Stephen Henson authored Jan 24, 2013
  
  f8435919
Jan 23, 2013
- Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set · 1db4354b
  Dr. Stephen Henson authored Jan 23, 2013
  
  1db4354b
Jan 22, 2013
- x86_64 assembly pack: make Windows build more robust [from master]. · 3f233a1e
  Andy Polyakov authored Jan 22, 2013
```
PR: 2963 and a number of others
```
  3f233a1e
- TABLE update. · 25917e97
  Andy Polyakov authored Jan 22, 2013
  
  25917e97
- Configure: update linux-mips* lines [from master]. · 8812a81b
  Andy Polyakov authored Jan 22, 2013
  
  8812a81b
- bn/asm/mips.pl: hardwire local call to bn_div_words. · b17ffba9
  Andy Polyakov authored Jan 22, 2013
  
  b17ffba9