Thanks Matt,

So, just the cipher+MAC matter, the authentication/key-exchange are irrelevant.
What about AEAD ciphers? Are they considered "stitched"?

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Feb 26, 2019, at 10:40 AM, Matt Caswell <m...@openssl.org> wrote:

> On 26/02/2019 15:03, Short, Todd via openssl-users wrote:
> > The latest security advisory:
> > https://www.openssl.org/news/secadv/20190226.txt
> > mentions stitched vs. non-stitched ciphersuites, but doesn’t really elaborate
> > on which ciphersuites are stitched and non-stitched.
>
> The actual list in use is platform specific - the stitched ciphers are based on
> asm implementations. Libssl in 1.0.2 knows about these stitched ciphers:
>
> https://github.com/openssl/openssl/blob/56ff0f643482b19f7b2d7ed532dfb94ed3a4e294/ssl/ssl_ciph.c#L651-L671
>
> Any TLS ciphersuite based on the above ciphers will use the stitched
> implementation if it is available on that platform.
>
> So, for example, if a stitched implementation of AES-128-CBC-HMAC-SHA1 is
> available on your platform then it will be used if you negotiate the AES128-SHA
> ciphersuite (aka TLS_RSA_WITH_AES_128_CBC_SHA). Similarly it will be used if you
> negotiate DH-RSA-AES128-SHA (aka TLS_DH_RSA_WITH_AES_128_CBC_SHA).
>
> The combined encrypt and mac operation will be performed in one go by the
> stitched implementation. If you don't have a stitched implementation then the
> encrypt and mac operations are performed individually.
>
> Matt
>
> > "In order for this to be exploitable "non-stitched" ciphersuites must be in
> > use. Stitched ciphersuites are optimised implementations of certain commonly
> > used ciphersuites."
> >
> > Can someone give some examples of both?
> >
> > --
> > -Todd Short
> > // tsh...@akamai.com
> > // "One if by land, two if by sea, three if by the Internet."
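The point made in the thread, that only the cipher+MAC pair decides whether the stitched implementation can be used, can be checked against a configured suite list. The following is an added example, not code from the thread or from OpenSSL: it parses output in the layout of `openssl ciphers -v` (the sample lines are constructed) and looks up each suite's Enc/Mac pair among the combined cipher names tested in the linked ssl_ciph.c lines. The function names and category labels are assumptions of this example.

```python
import re

# Enc/Mac pairs that libssl 1.0.2 maps to a combined ("stitched") EVP cipher in
# the ssl_ciph.c lines linked in the thread. A match is only a candidate: the
# combined cipher must also exist on the platform.
STITCHED_EVP = {
    ("RC4", "MD5"): "RC4-HMAC-MD5",
    ("AES(128)", "SHA1"): "AES-128-CBC-HMAC-SHA1",
    ("AES(256)", "SHA1"): "AES-256-CBC-HMAC-SHA1",
    ("AES(128)", "SHA256"): "AES-128-CBC-HMAC-SHA256",
    ("AES(256)", "SHA256"): "AES-256-CBC-HMAC-SHA256",
}

# Constructed sample in the layout printed by `openssl ciphers -v`.
SAMPLE = """\
AES128-SHA              SSLv3   Kx=RSA    Au=RSA Enc=AES(128)    Mac=SHA1
DH-RSA-AES128-SHA       SSLv3   Kx=DH/RSA Au=DH  Enc=AES(128)    Mac=SHA1
AES256-SHA256           TLSv1.2 Kx=RSA    Au=RSA Enc=AES(256)    Mac=SHA256
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH   Au=RSA Enc=AES(256)    Mac=SHA384
DES-CBC3-SHA            SSLv3   Kx=RSA    Au=RSA Enc=3DES(168)   Mac=SHA1
RC4-MD5                 SSLv3   Kx=RSA    Au=RSA Enc=RC4(128)    Mac=MD5
AES128-GCM-SHA256       TLSv1.2 Kx=RSA    Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")

def classify(line):
    """Return (suite, category, combined_cipher_or_None) for one output line."""
    fields = dict(FIELD.findall(line))
    if "Enc" not in fields or "Mac" not in fields:
        raise ValueError(f"not a cipher listing line: {line!r}")
    name, enc, mac = line.split()[0], fields["Enc"], fields["Mac"]
    if mac == "AEAD":  # no separate MAC step; the reply above does not cover these
        return name, "aead", None
    # Kx and Au are deliberately ignored: only the cipher+MAC pair is looked up.
    key = ("RC4" if enc.startswith("RC4(") else enc, mac)
    evp = STITCHED_EVP.get(key)
    return name, "stitched-candidate" if evp else "separate-encrypt-and-mac", evp

def audit(listing):
    """Classify every non-empty line of an `openssl ciphers -v` listing."""
    return [classify(l) for l in listing.splitlines() if l.strip()]

if __name__ == "__main__":
    for name, category, evp in audit(SAMPLE):
        print(f"{name:26} {category:26} {evp or '-'}")
```

Passing it the real `openssl ciphers -v` output for a server's cipher string shows which configured suites have no combined cipher to fall back on and therefore always run encrypt and MAC as separate operations.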