diff options
author | Bodo Möller <bodo@openssl.org> | 2005-05-16 01:43:31 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2005-05-16 01:43:31 +0000 |
commit | 46a643763de6d8e39ecf6f76fa79b4d04885aa59 (patch) | |
tree | e1f3cfc98bddba797b5300977dbf3223f008fc4a /CHANGES | |
parent | 92c44685724c0d993ea8920577680f3c0a1d79c8 (diff) |
Implement fixed-window exponentiation to mitigate hyper-threading
timing attacks.
BN_FLG_EXP_CONSTTIME requests this algorithm, and this done by default for
RSA/DSA/DH private key computations unless
RSA_FLAG_NO_EXP_CONSTTIME/DSA_FLAG_NO_EXP_CONSTTIME/
DH_FLAG_NO_EXP_CONSTTIME is set.
Submitted by: Matthew D Wood
Reviewed by: Bodo Moeller
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 15 |
1 files changed, 15 insertions, 0 deletions
@@ -799,6 +799,21 @@ Changes between 0.9.7g and 0.9.7h [XX xxx XXXX] + *) Make a new fixed-window mod_exp implementation the default for + RSA, DSA, and DH private-key operations to mitigate the + hyper-threading timing attacks pointed out by Colin Percival + (http://www.daemonology.net/hyperthreading-considered-harmful/), + and potential related attacks. + + BN_mod_exp_mont_consttime() is the new exponentiation implementation, + and this is automatically used by BN_mod_exp_mont() if the new flag + BN_FLG_EXP_CONSTTIME is set for the exponent. RSA, DSA, and DH + will use this BN flag for private exponents unless the flag + RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or + DH_FLAG_NO_EXP_CONSTTIME, respectively, is set. + + [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller] + *) Change the client implementation for SSLv23_method() and SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0 Client Hello message format if the SSL_OP_NO_SSLv2 option is set. |