projects / openssl.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7ad132b) | patch
Make CBC decoding constant time.
authorBen Laurie <ben@links.org>
Mon, 28 Jan 2013 17:31:49 +0000 (17:31 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 5 Feb 2013 16:50:32 +0000 (16:50 +0000)
commit35a65e814beb899fa1c69a7673a8956c6059dce7
tree9c17f5efd8e81b7fee9a5d403a2371ad5f2e3af2tree | snapshot
parent7ad132b1335807d0017e2546b3a869ca77f111c3commit | diff
Make CBC decoding constant time.

This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
(cherry picked from commit e130841bccfc0bb9da254dc84e23bc6a1c78a64e)

Conflicts:
crypto/evp/c_allc.c
ssl/ssl_algs.c
ssl/ssl_locl.h
ssl/t1_enc.c
(cherry picked from commit 3622239826698a0e534dcf0473204c724bb9b4b4)

Conflicts:
ssl/d1_enc.c
ssl/s3_enc.c
ssl/s3_pkt.c
ssl/ssl3.h
ssl/ssl_algs.c
ssl/t1_enc.c
crypto/evp/c_allc.c diff | blob | history
ssl/Makefile diff | blob | history
ssl/d1_enc.c diff | blob | history
ssl/s3_enc.c diff | blob | history
ssl/s3_pkt.c diff | blob | history
ssl/ssl3.h diff | blob | history
ssl/ssl_locl.h diff | blob | history
ssl/t1_enc.c diff | blob | history
Unnamed repository; edit this file 'description' to name the repository.