[openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Mon Dec 7 05:26:11 UTC 2015

I have to do some testing tomorrow and I'll post my results and a packet capture .. N
________________________________
From: openssl-users [openssl-users-bounces at openssl.org] on behalf of Jayalakshmi bhat [bhat.jayalakshmi at gmail.com]
Sent: December 6, 2015 9:18 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] CBC ciphers + TLS 1.0 protocol does not work in OpenSSL 1.0.2d

Hi All,

Is there inputs or suggestions.

Thanks and Regards
Jaya

On Fri, Dec 4, 2015 at 11:37 AM, Jayalakshmi bhat <bhat.jayalakshmi at gmail.com<mailto:bhat.jayalakshmi at gmail.com>> wrote:
Hi Matt,

s3_cbc.c uses the function constant_time_eq_8. I pulled only this function definition from OpenSSL 1.0.1e into OpenSSL 1.0.2d. I renamed this function as constant_time_eq_8_local and used it in s3_cbc.c instead of constant_time_eq_8. This renaming was just to avoid multiple definitions.

OpenSSL 1.0.1e has the function constant_time_eq_8 defined as below:

#define DUPLICATE_MSB_TO_ALL(x) ( (unsigned)( (int)(x) >> (sizeof(int)*8-1) ) )
#define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x)))

static unsigned char constant_time_eq_8(unsigned a, unsigned b)
{
unsigned c = a ^ b;
c--;
return DUPLICATE_MSB_TO_ALL_8(c);
}

OpenSSL 1.0.2d has the function constant_time_eq_8 defined as below.

static inline unsigned int constant_time_msb(unsigned int a)
{
    return 0 - (a >> (sizeof(a) * 8 - 1));
}

static inline unsigned int constant_time_is_zero(unsigned int a)
{
    return constant_time_msb(~a & (a - 1));
}

static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
{
    return constant_time_is_zero(a ^ b);
}

static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
{
    return (unsigned char)(constant_time_eq(a, b));
}

Regards
Jaya

On Fri, Dec 4, 2015 at 7:04 PM, Matt Caswell <matt at openssl.org<mailto:matt at openssl.org>> wrote:

On 04/12/15 11:31, Jayalakshmi bhat wrote:
> Hi Matt,
>
> Thanks a lot for the response.
>
> Is your application a client or a server? Are both ends using
> OpenSSL 1.0.2d? If not, what is the other end using?
>>>Our device has both TLS client,server apps. As client, device communicates with radius server, LDAP server etc.As
> server device is accessed using various web browsers.
> Hence both the end will not be OpenSSL 1.0.2d.
>
> How exactly are you doing that? Which specific cipher are you seeing fail?
>>> We have provided user option to select TLS protocol versions similar to the browsers. Depending upon the user configurations we set the protocol flags (SSL_OP_NO_TLSv1,SSL_OP_NO_TLSv1_1, SSL_OP_NO_TLSv1_2) in the SSL context using SSL_CTX_clear_options/SSL_CTX_set_options.
>>> We have provided user option to chose ciphers as well.
> All these are in the application space,no changes have been done and
> they have been working good with OpenSSL 1.0.1c. Only the library is
> upgraded to OpenSSL 1.0.2d.I have used AES256-CBC and AES128 CBC ciphers
> and with both the ciphers issue is seen.
>
> Are you able to provide a packet capture?
>>> Please find the attached traces for server mode.
> What O/S is this on?
>>>This is built for WinCE and Vxworks

Thanks. Please could you also send the exact patch that you applied that
resolved the issue?

Matt
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20151207/9b1985af/attachment.html>