openssl/crypto
Ben Laurie 2acc020b77 Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bcc)
2013-02-06 14:19:07 +00:00
aes x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
asn1 Make "make depend" work on MacOS out of the box. 2013-01-19 14:14:30 +00:00
bf Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
bio Improve WINCE support. 2013-01-19 21:23:13 +01:00
bn x86_64 assembly pack: keep making Windows build more robust. 2013-02-02 19:54:59 +01:00
buffer correct error code 2012-04-22 13:31:09 +00:00
camellia x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
cast Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
cmac fix reset fix 2012-04-11 15:05:07 +00:00
cms Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set 2013-01-23 01:09:38 +00:00
comp Assorted bugfixes: 2011-02-03 12:03:51 +00:00
conf New config module for string tables. This can be used to add new 2012-10-22 13:05:54 +00:00
des Update support for Intel compiler: add linux-x86_64-icc and fix problems. 2012-11-28 13:05:13 +00:00
dh Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
dsa Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
dso dso/dso_win32.c: fix compiler warning. 2012-12-18 18:19:54 +00:00
ec Fix EC_KEY initialization race. 2012-10-05 20:50:11 +00:00
ecdh Fix EC_KEY initialization race. 2012-10-05 20:50:11 +00:00
ecdsa Fix EC_KEY initialization race. 2012-10-05 20:50:11 +00:00
engine make depend 2012-11-19 13:18:09 +00:00
err Don't include comp.h if no-comp set. 2013-01-20 02:34:25 +00:00
evp Make CBC decoding constant time. 2013-02-06 14:19:07 +00:00
hmac Fix some warnings caused by __owur. Temporarily (I hope) remove the more 2011-11-14 00:36:10 +00:00
idea Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
jpake Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
krb5 Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
lhash Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
md2 Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
md4 Fix some clang warnings. 2013-01-13 21:04:39 +00:00
md5 x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
mdc2 Update dependencies. 2011-02-21 17:51:59 +00:00
modes x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
objects Fix some clang warnings. 2013-01-13 21:04:39 +00:00
ocsp revert OCSP_basic_verify changes: they aren't needed now we support partial chain verification and can pass verify options to ocsp utility 2012-12-20 18:51:00 +00:00
pem make update 2011-12-27 14:46:03 +00:00
perlasm AES for SPARC T4: add XTS, reorder subroutines to improve TLB locality. 2012-11-24 21:55:23 +00:00
pkcs7 Submitted by: Markus Friedl <mfriedl@gmail.com> 2012-03-22 15:44:51 +00:00
pkcs12 Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
pqueue Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
rand PR: 2786 2012-08-22 22:43:23 +00:00
rc2 Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
rc4 x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
rc5 Update support for Intel compiler: add linux-x86_64-icc and fix problems. 2012-11-28 13:05:13 +00:00
ripemd Fix some clang warnings. 2013-01-13 21:04:39 +00:00
rsa Add and use a constant-time memcmp. 2013-02-06 14:16:55 +00:00
seed seed.c: incredibly enough seed.c can fail to compile on Solaris with certain 2012-02-26 21:52:43 +00:00
sha x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
srp Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
stack Add DTLS-SRTP. 2011-11-15 22:59:20 +00:00
store Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
threads Functional VMS changes submitted by sms@antinode.info (Steven M. Schweda). 2009-05-15 16:36:56 +00:00
ts Rename Suite B functions for consistency. 2012-08-03 15:58:15 +00:00
txt_db Change AR to ARX to allow exclusion of fips object modules 2011-01-26 16:08:08 +00:00
ui PR: 2717 2012-02-11 23:41:19 +00:00
whrlpool x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
x509 Make "make depend" work on MacOS out of the box. 2013-01-19 14:14:30 +00:00
x509v3 Portability fix: use BIO_snprintf and pick up strcasecmp alternative 2012-12-26 23:51:56 +00:00
.cvsignore Apply mingw patches as supplied by Roumen Petrov and Alon Bar-Lev 2008-04-17 10:19:16 +00:00
alphacpuid.pl alphacpuid.pl: fix alignment bug. 2011-08-12 12:28:52 +00:00
arm_arch.h arm_arch.h: allow to specify __ARM_ARCH__ elsewhere. 2011-11-09 20:08:44 +00:00
armcap.c typo 2011-10-24 13:23:51 +00:00
armv4cpuid.S armv4cpuid.S, armv4-gf2m.pl: make newest code compilable by older assembler. 2011-11-05 13:07:18 +00:00
c64xpluscpuid.pl C64x+ assembly pack: improve EABI support. 2012-11-28 13:19:10 +00:00
cpt_err.c Implement FIPS_mode and FIPS_mode_set 2011-05-19 18:09:02 +00:00
cryptlib.c Add and use a constant-time memcmp. 2013-02-06 14:16:55 +00:00
cryptlib.h Add a symbol for the first parameter to OPENSSL_showfatal(). 2011-06-23 09:46:27 +00:00
crypto-lib.com Add the missing modules for Camellia, as well as dh_rfc5114 and evp_cnf. 2012-07-05 13:19:06 +00:00
crypto.h Add and use a constant-time memcmp. 2013-02-06 14:16:55 +00:00
cversion.c (oops) Apologies all, that last header-cleanup commit was from the wrong 2004-04-19 18:09:28 +00:00
ebcdic.c Oops, this file already had the "empty source file" workaround but it 2003-10-29 22:25:04 +00:00
ebcdic.h EBCDIC support. 2000-02-01 02:21:16 +00:00
ex_data.c Avoid warnings with -pedantic, specifically: 2008-07-04 23:12:52 +00:00
fips_err.h Check for selftest failure in various places. 2011-10-22 17:24:27 +00:00
fips_ers.c Rename crypto/fips_err.c to fips_ers.c to avoid clash with other fips_err.c 2011-02-03 16:16:30 +00:00
ia64cpuid.S IA-64 assembler pack: fix typos and make it work on HP-UX. 2011-05-07 20:36:05 +00:00
install-crypto.com After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS 2011-03-19 10:58:14 +00:00
lock.c Include support for an add_lock callback to tiny FIPS locking API. 2011-02-14 17:05:42 +00:00
LPdir_nyi.c Copy a few files from LPlib (a new project of mine), add a wrapper. 2004-07-10 13:16:02 +00:00
LPdir_unix.c Import changed files from LPlib. The changes are logged as follows 2004-09-23 22:11:39 +00:00
LPdir_vms.c After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS 2011-03-19 10:58:14 +00:00
LPdir_win32.c Import changed files from LPlib. The changes are logged as follows 2004-09-23 22:11:39 +00:00
LPdir_win.c Fix mingw warnings. 2006-10-23 07:41:05 +00:00
LPdir_wince.c Import changed files from LPlib. The changes are logged as follows 2004-09-23 22:11:39 +00:00
Makefile Remove o_init.o special case from Makefile: this doesn't work. 2011-10-12 17:27:08 +00:00
md32_common.h Update support for Intel compiler: add linux-x86_64-icc and fix problems. 2012-11-28 13:05:13 +00:00
mem_clr.c Fix warning. 2007-06-23 18:47:51 +00:00
mem_dbg.c Updates from 1.0.0-stable branch. 2009-04-20 11:33:12 +00:00
mem.c Version skew reduction: trivia (I hope). 2012-06-03 22:00:21 +00:00
o_dir_test.c Copy a few files from LPlib (a new project of mine), add a wrapper. 2004-07-10 13:16:02 +00:00
o_dir.c DJGPP has opendir() and friends, according to Gisle Vanem <giva@bgnett.no>. 2004-08-03 19:15:21 +00:00
o_dir.h Copy a few files from LPlib (a new project of mine), add a wrapper. 2004-07-10 13:16:02 +00:00
o_fips.c Implement FIPS_mode and FIPS_mode_set 2011-05-19 18:09:02 +00:00
o_init.c remove unnecessary attempt to automatically call OPENSSL_init 2012-07-01 22:25:04 +00:00
o_str.c Improve WINCE support. 2013-01-19 21:23:13 +01:00
o_str.h "Overload" SunOS 4.x memcmp, which ruins ASN1_OBJECT table lookups. 2005-09-20 20:19:07 +00:00
o_time.c Reorganise parameters for OPENSSL_gmtime_diff. 2012-11-21 14:13:20 +00:00
o_time.h Reorganise parameters for OPENSSL_gmtime_diff. 2012-11-21 14:13:20 +00:00
opensslconf.h.in Eliminate warning induced by http://cvs.openssl.org/chngview?cn=14690 and 2005-12-16 10:37:24 +00:00
opensslv.h HEAD is now 1.1.0 2009-03-31 10:38:37 +00:00
ossl_typ.h Support routines for ASN1 scanning function, doesn't do much yet. 2010-12-13 18:15:28 +00:00
pariscid.pl Multiple assembler packs: add experimental memory bus instrumentation. 2011-04-17 12:46:00 +00:00
ppccap.c ppccap.c: fix typo. 2012-11-10 20:27:18 +00:00
ppccpuid.pl ppccpuid.pl: branch hints in OPENSSL_cleanse impact small block performance 2012-04-27 20:17:45 +00:00
s390xcap.c s390x assembler pack: extend OPENSSL_s390xcap_P to 128 bits. 2010-09-18 08:46:53 +00:00
s390xcpuid.S Multiple assembler packs: add experimental memory bus instrumentation. 2011-04-17 12:46:00 +00:00
sparc_arch.h Support for SPARC T4 MONT[MUL|SQR] instructions. 2012-11-17 10:34:11 +00:00
sparccpuid.S sparcv9cap.c: add SPARC-T4 feature detection. 2012-09-23 20:29:03 +00:00
sparcv9cap.c Support for SPARC T4 MONT[MUL|SQR] instructions. 2012-11-17 10:34:11 +00:00
symhacks.h Harmonise symhacks.h in this branch with lower versions. 2012-07-05 13:17:44 +00:00
thr_id.c Fix warning. 2012-09-17 17:21:58 +00:00
uid.c Netware-specific changes, 2003-11-28 13:10:58 +00:00
vms_rms.h After some adjustments, apply the changes OpenSSL 1.0.0d on OpenVMS 2011-03-19 10:58:14 +00:00
x86_64cpuid.pl x86_64 assembly pack: make Windows build more robust. 2013-01-22 22:27:28 +01:00
x86cpuid.pl Extend OPENSSL_ia32cap_P with extra word to accommodate AVX2 capability. 2012-11-17 19:04:15 +00:00