Commit graph

22 commits

Author SHA1 Message Date
Tim Hudson
1d97c84351 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-30 22:10:26 +00:00
Dr. Stephen Henson
00b4ee7664 Remove some unnecessary OPENSSL_FIPS references
FIPS_mode() exists in all versions of OpenSSL but always returns 0 if OpenSSL is not FIPS
capable.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-08 13:18:43 +00:00
Emilia Kasper
294d1e36c2 RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-09-24 12:45:42 +02:00
Emilia Kasper
5a3d21c058 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
2014-08-28 15:48:45 +02:00
Veres Lajos
478b50cf67 misspellings fixes by https://github.com/vlajos/misspell_fixer 2013-09-05 21:39:42 +01:00
Dr. Stephen Henson
cbd64894ec Use enc_flags when deciding protocol variations.
Use the enc_flags field to determine whether we should use explicit IV,
signature algorithms or SHA256 default PRF instead of hard coding which
versions support each requirement.
2013-03-18 15:03:58 +00:00
Ben Laurie
0850f11855 Fix ignored return value warnings.
Not sure why I am getting these now and not before.
2013-02-21 18:30:04 +00:00
David Woodhouse
d980abb22e Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
2013-02-12 15:14:14 +00:00
Andy Polyakov
f93a41877d s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal. 2013-02-08 21:30:52 +01:00
Andy Polyakov
c98a45452b s3_cbc.c: get rid of expensive divisions. 2013-02-08 16:36:09 +01:00
Andy Polyakov
0e4f7045ea s3_cbc.c: fix warning [in Windows build]. 2013-02-08 14:22:22 +01:00
Andy Polyakov
dd7e60bd70 ssl/*: revert "remove SSL_RECORD->orig_len" and merge "fix IV".
Revert is appropriate because binary compatibility is not an issue
in 1.1.
2013-02-08 10:20:48 +01:00
Adam Langley
32620fe9d1 Fix for EXP-RC2-CBC-MD5
MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
(cherry picked from commit f306b87d76)
2013-02-06 16:11:31 +00:00
Andy Polyakov
9970308c88 e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b59f)
2013-02-06 14:19:10 +00:00
Andy Polyakov
2aec073a52 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c659f)
2013-02-06 14:19:10 +00:00
Dr. Stephen Henson
b714a1fe09 Don't access EVP_MD_CTX internals directly.
(cherry picked from commit 04e45b52ee)
2013-02-06 14:19:10 +00:00
Andy Polyakov
bbb4ee8574 s3/s3_cbc.c: allow for compilations with NO_SHA256|512.
(cherry picked from commit d5371324d9)
2013-02-06 14:19:10 +00:00
Andy Polyakov
4af91ec072 ssl/s3_cbc.c: md_state alignment portability fix.
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
(cherry picked from commit 36260233e7)
2013-02-06 14:19:09 +00:00
Andy Polyakov
6b2a843970 ssl/s3_cbc.c: uint64_t portability fix.
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
(cherry picked from commit cab13fc847)
2013-02-06 14:19:09 +00:00
Dr. Stephen Henson
6b1f7beeee typo.
(cherry picked from commit 34ab3c8c71)
2013-02-06 14:19:09 +00:00
Dr. Stephen Henson
c4e6fb1524 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
(cherry picked from commit b908e88ec1)
2013-02-06 14:19:08 +00:00
Ben Laurie
a693ead6dc Oops. Add missing file.
(cherry picked from commit 014265eb02)
2013-02-06 14:19:08 +00:00