Ben Laurie e5420be6cd Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)

Conflicts:
	crypto/evp/c_allc.c
	ssl/ssl_algs.c
	ssl/ssl_locl.h
	ssl/t1_enc.c
2013-02-05 16:46:16 +00:00
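As an added illustration of the property this commit message describes (example code written here, not OpenSSL's patch): a TLS-style CBC padding check in which the number of bytes inspected and the branches taken do not depend on the padding byte, so a decryption failure costs the same time whether the padding or the MAC is what is wrong. The 32-byte record layout, the 20-byte MAC size and the sample bytes are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 0xFFFFFFFF if a == 0, else 0; no data-dependent branch. */
static uint32_t ct_is_zero(uint32_t a) {
    return ((a | (0u - a)) >> 31) - 1u;
}

/* 0xFFFFFFFF if a < b (both below 2^31), else 0. */
static uint32_t ct_lt(uint32_t a, uint32_t b) {
    return 0u - ((a - b) >> 31);
}

/*
 * Constant-time padding check on a decrypted CBC record of `len` bytes.
 * The last byte is the padding length p; the p bytes before it must also
 * equal p, and `mac_size` bytes of MAC must still fit in front of them.
 * Every byte is visited whatever p is: the loop bound and the branches
 * depend only on the public record length. Returns 1 if valid, else 0.
 */
int ct_padding_ok(const uint8_t *rec, size_t len, size_t mac_size) {
    if (len == 0 || mac_size >= len)        /* public sizes only */
        return 0;
    uint32_t p = rec[len - 1];
    /* p + 1 padding bytes must not overlap the MAC: p < len - mac_size */
    uint32_t len_ok = ct_lt(p, (uint32_t)(len - mac_size));
    uint32_t bad = 0;
    for (size_t i = 0; i < len; i++) {
        /* i counts back from the end; positions 0..p are padding */
        uint32_t in_pad = ct_lt((uint32_t)i, p + 1u);
        bad |= in_pad & (rec[len - 1 - i] ^ p);
    }
    return (int)(ct_is_zero(bad) & len_ok & 1u);
}

/* Constructed record: "hello", 20 zero bytes standing in for a SHA-1
 * MAC, then 7 bytes of 0x06 (p = 6). Not real traffic. */
static void build_record(uint8_t rec[32]) {
    memset(rec, 0, 32);
    memcpy(rec, "hello", 5);
    memset(rec + 25, 0x06, 7);
}

int demo_valid(void)    { uint8_t r[32]; build_record(r); return ct_padding_ok(r, 32, 20); }
int demo_tampered(void) { uint8_t r[32]; build_record(r); r[27] ^= 1;  return ct_padding_ok(r, 32, 20); }
int demo_overlong(void) { uint8_t r[32]; build_record(r); r[31] = 200; return ct_padding_ok(r, 32, 20); }
```

The MAC would still be verified after this check over a length that does not depend on the padding result, so that a padding failure and a MAC failure take the same path.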