Andy Polyakov
579f3a631e
s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.
...
(cherry picked from commit f93a41877d8d7a287debb7c63d7b646abaaf269c)
2013-02-08 21:37:07 +01:00
Andy Polyakov
47061af106
s3_cbc.c: get rid of expensive divisions [from master].
...
(cherry picked from commit e9baceab5a385e570706ca98dec768b2d89d1ac6)
2013-02-08 17:00:46 +01:00
Andy Polyakov
13e225300f
e_aes_cbc_hmac_sha1.c: fine-tune cache line alignment.
...
With previous commit it also ensures that valgrind is happy.
2013-02-08 09:45:09 +01:00
Ben Laurie
26bc56d014
Add clang target.
2013-02-07 16:17:43 -08:00
Ben Laurie
496681cd51
Remove extraneous brackets (clang doesn't like them).
2013-02-07 16:17:43 -08:00
Andy Polyakov
746c6f3a53
e_aes_cbc_hmac_sha1.c: align calculated MAC at cache line.
2013-02-07 23:04:31 +01:00
Andy Polyakov
8545f73b89
ssl/[d1|s3]_pkt.c: harmomize orig_len handling.
2013-02-07 22:47:05 +01:00
Dr. Stephen Henson
32cc2479b4
Fix IV check and padding removal.
...
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)
For AEAD remove the correct number of padding bytes (by Andy)
2013-02-07 21:06:37 +00:00
Adam Langley
f306b87d76
Fix for EXP-RC2-CBC-MD5
...
MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
2013-02-06 16:05:40 +00:00
Dr. Stephen Henson
41cf07f0ec
prepare for next version
2013-02-06 02:26:24 +00:00
Dr. Stephen Henson
62f4033381
typo
OpenSSL_1_0_1d
2013-02-04 23:12:58 +00:00
Dr. Stephen Henson
f9f6a8f96c
Prepare for release.
2013-02-04 22:40:10 +00:00
Dr. Stephen Henson
df0d93564e
typo
2013-02-04 22:39:37 +00:00
Dr. Stephen Henson
0d589ac150
make update
2013-02-04 21:29:41 +00:00
Dr. Stephen Henson
35d732fc2e
Fix error codes.
2013-02-04 21:13:18 +00:00
Dr. Stephen Henson
896ddb9851
Reword NEWS entry.
2013-02-04 20:48:45 +00:00
Dr. Stephen Henson
e630b3c218
Update NEWS
2013-02-04 20:47:36 +00:00
Dr. Stephen Henson
f1ca56a69f
Add CHANGES entries.
2013-02-04 20:37:46 +00:00
Andy Polyakov
529d27ea47
e_aes_cbc_hmac_sha1.c: cleanse temporary copy of HMAC secret.
2013-02-03 20:04:39 +01:00
Andy Polyakov
b2226c6c83
bn_word.c: fix overflow bug in BN_add_word.
...
(cherry picked from commit 134c00659a1bc67ad35a1e4620e16bc4315e6e37)
2013-02-02 22:39:00 +01:00
Andy Polyakov
024de2174b
x86_64 assembly pack: keep making Windows build more robust.
...
PR: 2963 and a number of others
(cherry picked from commit 4568182a8b8cbfd15cbc175189029ac547bd1762)
2013-02-02 22:26:20 +01:00
Andy Polyakov
125093b59f
e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
...
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
2013-02-02 19:35:09 +01:00
Ben Laurie
f3e99ea072
Merge remote-tracking branch 'origin/OpenSSL_1_0_1-stable' into OpenSSL_1_0_1-stable
2013-02-01 19:04:26 +00:00
Andy Polyakov
8bfd4c659f
ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
...
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
2013-02-01 15:54:37 +01:00
Andy Polyakov
ec07246a08
ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
2013-02-01 15:34:09 +01:00
Dr. Stephen Henson
04e45b52ee
Don't access EVP_MD_CTX internals directly.
2013-02-01 14:12:27 +00:00
Andy Polyakov
d5371324d9
s3/s3_cbc.c: allow for compilations with NO_SHA256|512.
2013-02-01 10:31:59 +01:00
Andy Polyakov
36260233e7
ssl/s3_cbc.c: md_state alignment portability fix.
...
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
2013-02-01 10:31:52 +01:00
Andy Polyakov
cab13fc847
ssl/s3_cbc.c: uint64_t portability fix.
...
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
2013-02-01 10:31:23 +01:00
Dr. Stephen Henson
34ab3c8c71
typo.
2013-01-31 23:04:39 +00:00
Dr. Stephen Henson
25c93fd240
Merge branch 'ben/timing-1.0.1' into OpenSSL_1_0_1-stable
2013-01-31 17:04:41 +00:00
Dr. Stephen Henson
428c1064c3
Update NEWS
2013-01-31 16:39:40 +00:00
Dr. Stephen Henson
81ce0e14e7
Add ordinal for CRYPTO_memcmp: since this will affect multiple
...
branches it needs to be in a "gap".
2013-01-31 15:31:57 +00:00
Dr. Stephen Henson
b908e88ec1
Timing fix mitigation for FIPS mode.
...
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.
Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
2013-01-31 12:34:10 +00:00
Dr. Stephen Henson
62e4506a7d
Don't try and verify signatures if key is NULL (CVE-2013-0166)
...
Add additional check to catch this in ASN1_item_verify too.
2013-01-29 16:49:24 +00:00
Ben Laurie
014265eb02
Oops. Add missing file.
2013-01-28 18:24:55 +00:00
Ben Laurie
9f27de170d
Update DTLS code to match CBC decoding in TLS.
...
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
2013-01-28 17:34:33 +00:00
Ben Laurie
6cb19b7681
Don't crash when processing a zero-length, TLS >= 1.1 record.
...
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
2013-01-28 17:33:18 +00:00
Ben Laurie
e130841bcc
Make CBC decoding constant time.
...
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.
This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.
In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
2013-01-28 17:31:49 +00:00
Ben Laurie
2ee798880a
Add and use a constant-time memcmp.
...
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
2013-01-28 17:30:38 +00:00
Dr. Stephen Henson
ffcf4c6164
Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set
2013-01-23 01:07:23 +00:00
Andy Polyakov
b286a96811
x86_64 assembly pack: make Windows build more robust [from master].
...
PR: 2963 and a number of others
2013-01-22 22:54:04 +01:00
Andy Polyakov
2a2df2e9f2
bn/asm/mips.pl: hardwire local call to bn_div_words.
2013-01-22 21:16:51 +01:00
Dr. Stephen Henson
15481c5e42
Don't include comp.h if no-comp set.
2013-01-20 01:10:52 +00:00
Andy Polyakov
366b60b9da
engines/ccgost: GOST fixes [from master].
...
Submitted by: Dmitry Belyavsky, Seguei Leontiev
PR: 2821
2013-01-19 18:26:54 +01:00
Andy Polyakov
4782444a35
.gitignore adjustments
2013-01-19 13:33:04 +01:00
Dr. Stephen Henson
8a17e161d1
Merge branch 'OpenSSL_1_0_1-stable' of /home/steve/src/git/openssl into OpenSSL_1_0_1-stable
2013-01-14 00:24:34 +00:00
Ben Laurie
72f27cd2df
Fix some clang warnings.
2013-01-14 00:22:28 +00:00
Dr. Stephen Henson
3b3674ae58
Merge branch 'OpenSSL_1_0_1-stable' of openssl.net:openssl into OpenSSL_1_0_1-stable
2013-01-13 23:01:43 +00:00
Ben Laurie
9d75e765bc
Correct EVP_PKEY_verifyrecover to EVP_PKEY_verify_recover (RT 2955).
2013-01-13 23:00:46 +00:00