fragattacks

mirror of https://github.com/vanhoefm/fragattacks.git synced 2025-02-26 13:49:35 -05:00

History

Jouni Malinen d42c477cc7 OpenSSL: Use constant time operations for private bignums

This helps in reducing measurable timing differences in operations
involving private information. BoringSSL has removed BN_FLG_CONSTTIME
and expects specific constant time functions to be called instead, so a
bit different approach is needed depending on which library is used.

The main operation that needs protection against side channel attacks is
BN_mod_exp() that depends on private keys (the public key validation
step in crypto_dh_derive_secret() is an exception that can use the
faster version since it does not depend on private keys).

crypto_bignum_div() is currently used only in SAE FFC case with not
safe-prime groups and only with values that do not depend on private
keys, so it is not critical to protect it.

crypto_bignum_inverse() is currently used only in SAE FFC PWE
derivation. The additional protection here is targeting only OpenSSL.
BoringSSL may need conversion to using BN_mod_inverse_blinded().

This is related to CVE-2019-9494 and CVE-2019-9495.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

2019-04-09 17:11:15 +03:00

.gitignore

Add rules for building src/crypto as a library

2009-12-05 22:03:46 +02:00

aes_i.h

Add support for using 192-bit and 256-bit keys with AES-GCM

2012-09-09 13:30:51 +03:00

aes_siv.h

Extend AES-SIV implementation to support different key lengths

2016-10-10 19:40:59 +03:00

aes_wrap.h

Extend AES-SIV implementation to support different key lengths

2016-10-10 19:40:59 +03:00

aes-cbc.c

Add TEST_FAIL() condition to aes_128_cbc_encrypt/decrypt()

2015-11-28 20:46:36 +02:00

aes-ccm.c

AES-CCM: Use os_memcmp_const() for hash/password comparisons

2014-07-02 12:38:47 +03:00

aes-ctr.c

Extend AES-SIV implementation to support different key lengths

2016-10-10 19:40:59 +03:00

aes-eax.c

crypto: Clear temporary heap allocations before freeing

2015-01-06 02:49:13 +02:00

aes-encblock.c

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

aes-gcm.c

AES-GCM: Use os_memcmp_const() for hash/password comparisons

2014-07-02 12:38:47 +03:00

aes-internal-dec.c

crypto: Add return value to DES and AES encrypt/decrypt

2017-02-28 11:23:54 +02:00

aes-internal-enc.c

Add TEST_FAIL() to aes_encrypt_init() with internal crypto

2019-03-16 18:52:09 +02:00

aes-internal.c

Add support for using 192-bit and 256-bit keys with AES-GCM

2012-09-09 13:30:51 +03:00

aes-omac1.c

tests: Add TEST_FAIL() condition to omac1_aes_vector()

2015-10-17 20:40:36 +03:00

aes-siv.c

Use os_memdup()

2017-03-07 13:19:10 +02:00

aes-unwrap.c

AES: Extend key wrap implementation to support longer data

2014-10-07 14:57:10 +03:00

aes-wrap.c

AES: Extend key wrap implementation to support longer data

2014-10-07 14:57:10 +03:00

aes.h

crypto: Add return value to DES and AES encrypt/decrypt

2017-02-28 11:23:54 +02:00

crypto_gnutls.c

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

crypto_internal-cipher.c

Fix AES block size handling for internal cipher

2012-09-09 14:12:59 +03:00

crypto_internal-modexp.c

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

crypto_internal-rsa.c

Add function for building RSA public key from n and e parameters

2014-05-19 23:27:30 +03:00

crypto_internal.c

crypto: Add CRYPTO_HASH_ALG_SHA384 and CRYPTO_HASH_ALG_SHA512

2015-11-29 18:21:08 +02:00

crypto_libtomcrypt.c

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

crypto_linux.c

af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG)

2017-02-28 11:24:15 +02:00

crypto_module_tests.c

tests: Extract-and-Expand HKDF (RFC 5869)

2017-03-11 22:40:31 +02:00

crypto_nettle.c

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

crypto_none.c

crypto: Add return value to DES and AES encrypt/decrypt

2017-02-28 11:23:54 +02:00

crypto_openssl.c

OpenSSL: Use constant time operations for private bignums

2019-04-09 17:11:15 +03:00

crypto_wolfssl.c

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

crypto.h

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

des_i.h

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

des-internal.c

crypto: Add return value to DES and AES encrypt/decrypt

2017-02-28 11:23:54 +02:00

dh_group5.c

Fix memory leak on NFC DH generation error path

2015-11-29 20:53:20 +02:00

dh_group5.h

Add dh5_init_fixed() to allow fixed DH parameters to be used

2012-06-27 21:22:12 +03:00

dh_groups.c

Add explicit checks for peer's DH public key

2019-03-05 17:05:03 +02:00

dh_groups.h

Add Diffie-Hellman group definitions for MODP groups in RFC 5114

2013-01-12 17:51:54 +02:00

fips_prf_internal.c

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

fips_prf_openssl.c

OpenSSL: Silence sparse warnings in fips186_2_prf()

2016-06-24 19:02:58 +03:00

fips_prf_wolfssl.c

wolfSSL: Use new digest namespace

2018-05-02 12:04:46 +03:00

Makefile

tests: TLS fuzzing tool

2019-02-11 02:35:29 +02:00

md4-internal.c

crypto internal: Make MD4 PADDING array const

2019-01-02 17:26:57 +02:00

md5_i.h

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

md5-internal.c

Add TEST_FAIL() support for internal hash functions

2015-11-29 21:01:33 +02:00

md5.c

crypto: Clear temporary stack buffers after use

2015-01-06 02:49:13 +02:00

md5.h

FIPS: Remove md5-non-fips.c

2012-08-19 16:53:15 +03:00

milenage.c

Milenage: Use os_memcmp_const() for hash/password comparisons

2014-07-02 12:38:47 +03:00

milenage.h

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

ms_funcs.c

crypto: Process des_encrypt() error returns in callers

2017-02-28 11:24:05 +02:00

ms_funcs.h

crypto: Process des_encrypt() error returns in callers

2017-02-28 11:24:05 +02:00

random.c

crypto: Add option to use getrandom()

2019-01-02 01:24:18 +02:00

random.h

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

rc4.c

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

sha1_i.h

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

sha1-internal.c

Remove trailing whitespace

2016-12-28 14:31:42 +02:00

sha1-pbkdf2.c

Convert remaining SSID routines from char* to u8*

2012-08-07 16:07:25 +03:00

sha1-prf.c

crypto: Clear temporary stack buffers after use

2015-01-06 02:49:13 +02:00

sha1-tlsprf.c

crypto: Fix unreachable code in tls_prf_sha1_md5()

2019-04-06 17:00:07 +03:00

sha1-tprf.c

Explicitly clear temporary stack buffer in sha1_t_prf()

2015-03-29 16:40:55 +03:00

sha1.c

crypto: Clear temporary stack buffers after use

2015-01-06 02:49:13 +02:00

sha1.h

Convert remaining SSID routines from char* to u8*

2012-08-07 16:07:25 +03:00

sha256_i.h

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

sha256-internal.c

Remove trailing whitespace

2016-12-28 14:31:42 +02:00

sha256-kdf.c

Extend hmac_sha256_kdf() to support HKDF-Expand() as defined in RFC 5869

2017-03-11 22:40:10 +02:00

sha256-prf.c

SAE: Check SHA256-PRF operation result

2016-03-27 21:44:49 +03:00

sha256-tlsprf.c

Remove the GPL notification from files contributed by Jouni Malinen

2012-02-11 19:39:36 +02:00

sha256.c

OpenSSL: Implement SHA256 HMAC functions using HMAC API

2012-08-16 22:34:35 +03:00

sha256.h

SAE: Check SHA256-PRF operation result

2016-03-27 21:44:49 +03:00

sha384_i.h

Add SHA384 and SHA512 implementations from LibTomCrypt library

2015-11-29 18:19:32 +02:00

sha384-internal.c

Add SHA384 and SHA512 implementations from LibTomCrypt library

2015-11-29 18:19:32 +02:00

sha384-kdf.c

Extend SHA-384 and SHA-512 support to match SHA-256

2017-06-17 18:04:12 +03:00

sha384-prf.c

Return success/failure result from sha384_prf()

2017-03-12 20:43:06 +02:00

sha384.c

Add HMAC-SHA384 with internal crypto

2017-02-16 22:15:29 +02:00

sha384.h

Extend SHA-384 and SHA-512 support to match SHA-256

2017-06-17 18:04:12 +03:00

sha512_i.h

Add SHA384 and SHA512 implementations from LibTomCrypt library

2015-11-29 18:19:32 +02:00

sha512-internal.c

crypto: Reduce the size of sha512_compress() stack frame

2019-01-02 16:31:19 +02:00

sha512-kdf.c

Extend SHA-384 and SHA-512 support to match SHA-256

2017-06-17 18:04:12 +03:00

sha512-prf.c

Extend SHA-384 and SHA-512 support to match SHA-256

2017-06-17 18:04:12 +03:00

sha512.c

Add internal HMAC-SHA512 implementation to fix NEED_SHA512 builds

2018-12-31 11:57:37 +02:00

sha512.h

Extend SHA-384 and SHA-512 support to match SHA-256

2017-06-17 18:04:12 +03:00

tls_gnutls.c

Extend domain_match and domain_suffix_match to allow list of values

2019-04-09 16:24:38 +03:00

tls_internal.c

TLS: Add support for RFC 5705 TLS exporter context with internal TLS

2019-03-16 18:52:09 +02:00

tls_none.c

Add support for an optional context parameter to TLS exporter

2019-03-16 18:52:09 +02:00

tls_openssl_ocsp.c

BoringSSL: Keep static analyzers happier with X509_get0_pubkey_bitstr()

2016-03-16 21:34:01 +02:00

tls_openssl.c

Extend domain_match and domain_suffix_match to allow list of values

2019-04-09 16:24:38 +03:00

tls_openssl.h

BoringSSL: Move OCSP implementation into a separate file

2015-12-04 20:08:31 +02:00

tls_wolfssl.c

Extend domain_match and domain_suffix_match to allow list of values

2019-04-09 16:24:38 +03:00

tls.h

Extend domain_match and domain_suffix_match to allow list of values

2019-04-09 16:24:38 +03:00