On Thu, Feb 07, 2013, Kurt Roeckx wrote: > > That would mean the following aren't in the 1.0.0 branch: > commit b908e88ec15aa0a74805e3f2236fc4f83f2789c2 > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Tue Jan 29 14:44:36 2013 +0000 > > Timing fix mitigation for FIPS mode. > We have to use EVP in FIPS mode so we can only partially mitigate > timing differences. > > Make an extra call to EVP_DigestSignUpdate to hash additonal blocks > to cover any timing differences caused by removal of padding. > > commit 34ab3c8c711ff79c2b768f0b17e4b2a78fd1df5d > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Thu Jan 31 23:04:39 2013 +0000 > > typo. > > commit 04e45b52ee3be81121359cc1198fd01e38096e9f > Author: Dr. Stephen Henson <st...@openssl.org> > Date: Fri Feb 1 13:53:43 2013 +0000 > > Don't access EVP_MD_CTX internals directly. > > commit 8bfd4c659f180a6ce34f21c0e62956b362067fba > Author: Andy Polyakov <ap...@openssl.org> > Date: Fri Feb 1 15:31:50 2013 +0100 > > ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. > > Kludge alert. This is arranged by passing padding length in unused > bits of SSL3_RECORD->type, so that orig_len can be reconstructed. > > > (The RedHat bug fails to mention c6b82f7ee9434d81ccbb30d4cf3126a23398d6c7 > for the 1.0.0 branch, but it's not going to build without that.) > > I think the first 2 just don't apply to the 1.0.0 branch, the 3rd isn't > important, > but I'm worried about the last commit since it talks about binary > compatibility. >
Thanks for looking through these. Yes the first two are for FIPS only and OpenSSL 1.0.0 isn't FIPS capable so these don't apply. The c6b82f7ee9434d81ccbb30d4cf3126a23398d6c7 commit only affects builds which use libeay.num such as Windows. The last commit 8bfd4c659f180a6ce34f21c0e62956b362067fba does address a (admittedly remote) chance of binary incompatibility. The structure being modified is the SSL3_STATE structure which applications shouldn't be messing with directly but nervertheless this should've been included. I'll add the commit so it appears in the subsequent releases. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
