From a416ca47ac90379fda5674ba96d51c16b633161b Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 25 Apr 2007 13:15:51 +0000 Subject: [PATCH] Merge from 0.9.8-stable. --- CHANGES | 51 ++++++++++++++++++++++++++++++++++++++++++++ doc/apps/ciphers.pod | 3 +-- ssl/ssl.h | 6 +----- 3 files changed, 53 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 21247508e7..5656df1bfb 100644 --- a/CHANGES +++ b/CHANGES @@ -211,6 +211,57 @@ [Matthew D Wood (Intel Corp)] + *) Add the Korean symmetric 128-bit cipher SEED (see + http://www.kisa.or.kr/kisa/seed/jsp/seed_eng.jsp) and + add SEED ciphersuites from RFC 4162: + + TLS_RSA_WITH_SEED_CBC_SHA = "SEED-SHA" + TLS_DHE_DSS_WITH_SEED_CBC_SHA = "DHE-DSS-SEED-SHA" + TLS_DHE_RSA_WITH_SEED_CBC_SHA = "DHE-RSA-SEED-SHA" + TLS_DH_anon_WITH_SEED_CBC_SHA = "ADH-SEED-SHA" + + To minimize changes between patchlevels in the OpenSSL 0.9.8 + series, SEED remains excluded from compilation unless OpenSSL + is configured with 'enable-seed'. + [KISA, Bodo Moeller] + + *) Mitigate branch prediction attacks, which can be practical if a + single processor is shared, allowing a spy process to extract + information. For detailed background information, see + http://eprint.iacr.org/2007/039 (O. Aciicmez, S. Gueron, + J.-P. Seifert, "New Branch Prediction Vulnerabilities in OpenSSL + and Necessary Software Countermeasures"). The core of the change + are new versions BN_div_no_branch() and + BN_mod_inverse_no_branch() of BN_div() and BN_mod_inverse(), + respectively, which are slower, but avoid the security-relevant + conditional branches. These are automatically called by BN_div() + and BN_mod_inverse() if the flag BN_FLG_CONSTTIME is set for one + of the input BIGNUMs. Also, BN_is_bit_set() has been changed to + remove a conditional branch. + + BN_FLG_CONSTTIME is the new name for the previous + BN_FLG_EXP_CONSTTIME flag, since it now affects more than just + modular exponentiation. (Since OpenSSL 0.9.7h, setting this flag + in the exponent causes BN_mod_exp_mont() to use the alternative + implementation in BN_mod_exp_mont_consttime().) The old name + remains as a deprecated alias. + + Similary, RSA_FLAG_NO_EXP_CONSTTIME is replaced by a more general + RSA_FLAG_NO_CONSTTIME flag since the RSA implementation now uses + constant-time implementations for more than just exponentiation. + Here too the old name is kept as a deprecated alias. + + BN_BLINDING_new() will now use BN_dup() for the modulus so that + the BN_BLINDING structure gets an independent copy of the + modulus. This means that the previous "BIGNUM *m" argument to + BN_BLINDING_new() and to BN_BLINDING_create_param() now + essentially becomes "const BIGNUM *m", although we can't actually + change this in the header file before 0.9.9. It allows + RSA_setup_blinding() to use BN_with_flags() on the modulus to + enable BN_FLG_CONSTTIME. + + [Matthew D Wood (Intel Corp)] + *) In the SSL/TLS server implementation, be strict about session ID context matching (which matters if an application uses a single external cache for different purposes). Previously, diff --git a/doc/apps/ciphers.pod b/doc/apps/ciphers.pod index acafdb105e..694e433ef3 100644 --- a/doc/apps/ciphers.pod +++ b/doc/apps/ciphers.pod @@ -105,8 +105,7 @@ The following is a list of all permitted cipher strings and their meanings. =item B the default cipher list. This is determined at compile time and is normally -B or -B. This must be the first cipher string +B. This must be the first cipher string specified. =item B diff --git a/ssl/ssl.h b/ssl/ssl.h index c30ef18257..3e4c103f17 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -318,11 +318,7 @@ extern "C" { /* The following cipher list is used by default. * It also is substituted when an application-defined cipher list string * starts with 'DEFAULT'. */ -#ifdef OPENSSL_NO_CAMELLIA -# define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ -#else -# define SSL_DEFAULT_CIPHER_LIST "AES:CAMELLIA:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ -#endif +#define SSL_DEFAULT_CIPHER_LIST "AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH" /* low priority for RC4 */ /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ #define SSL_SENT_SHUTDOWN 1 -- 2.25.1