Commit graph

17 commits

Author SHA1 Message Date
Emilia Kasper
9bed73adaa RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
	crypto/rsa/rsa_pk1.c
	ssl/s3_cbc.c
2014-09-24 12:47:19 +02:00
Emilia Kasper
9a9b0c0401 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 5a3d21c058)

Conflicts:
	ssl/s3_cbc.c
	test/Makefile
2014-08-28 16:26:01 +02:00
Dr. Stephen Henson
1b6ab411d3 Use enc_flags when deciding protocol variations.
Use the enc_flags field to determine whether we should use explicit IV,
signature algorithms or SHA256 default PRF instead of hard coding which
versions support each requirement.
(cherry picked from commit cbd64894ec)

Conflicts:

	ssl/ssl_locl.h
2013-09-18 13:46:02 +01:00
David Woodhouse
3a3a1af1da Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e)
2013-02-12 15:15:32 +00:00
Andy Polyakov
919eab8a8b s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.
(cherry picked from commit f93a41877d)
2013-02-08 21:36:06 +01:00
Andy Polyakov
e9baceab5a s3_cbc.c: get rid of expensive divisions [from master]. 2013-02-08 16:59:26 +01:00
Dr. Stephen Henson
b7355af421 Fix IV check and padding removal.
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)

For AEAD remove the correct number of padding bytes (by Andy)
(cherry picked from commit 32cc2479b4)
2013-02-08 10:40:39 +01:00
Adam Langley
0462eedf5e Fix for EXP-RC2-CBC-MD5
MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
(cherry picked from commit f306b87d76)
2013-02-08 10:40:13 +01:00
Andy Polyakov
5966f4d973 e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
(cherry picked from commit 125093b59f)
2013-02-06 13:56:15 +00:00
Andy Polyakov
eeb486a5f4 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
(cherry picked from commit 8bfd4c659f)
2013-02-06 13:56:15 +00:00
Dr. Stephen Henson
d7f55e76f2 Don't access EVP_MD_CTX internals directly.
(cherry picked from commit 04e45b52ee)
2013-02-06 13:56:14 +00:00
Andy Polyakov
7d9e781a1d s3/s3_cbc.c: allow for compilations with NO_SHA256|512.
(cherry picked from commit d5371324d9)
2013-02-06 13:56:14 +00:00
Andy Polyakov
e0c21a0b6b ssl/s3_cbc.c: md_state alignment portability fix.
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
(cherry picked from commit 36260233e7)
2013-02-06 13:56:14 +00:00
Andy Polyakov
1dfb4b9400 ssl/s3_cbc.c: uint64_t portability fix.
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
(cherry picked from commit cab13fc847)
2013-02-06 13:56:14 +00:00
Dr. Stephen Henson
e5cb774323 typo.
(cherry picked from commit 34ab3c8c71)
2013-02-06 13:56:14 +00:00
Dr. Stephen Henson
d91d9acc58 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
(cherry picked from commit b908e88ec1)
2013-02-06 13:56:13 +00:00
Ben Laurie
820988a0c0 Oops. Add missing file.
(cherry picked from commit 014265eb02)
2013-02-06 13:56:13 +00:00