[PATCH] Fix XMM register clobbering in crypto/aes/asm/aesni-x86_64:aesni_ecb_encrypt() under Win64

[Mikhail Kupchik]

This patch fixes clobbering of XMM6-XMM9 registers by the assembler 
implementation of aesni_ecb_encrypt().
Windows x86_64 ABI requires XMM6-XMM15 registers to be preserved by 
callee, unlike System V x86_64 ABI.


--- a/crypto/aes/asm/aesni-x86_64.pl2014-09-25 22:02:56.0 +0300
+++ b/crypto/aes/asm/aesni-x86_64.pl2014-10-14 13:00:42.085931400 +0300
@@ -584,6 +584,15 @@
 .typeaesni_ecb_encrypt,\@function,5
 .align16
 aesni_ecb_encrypt:
+___
+$code.=___ if ($win64);
+lea-0x48(%rsp),%rsp# 4*16 bytes for XMM regs + 8 bytes 
for stack alignment

+movdqa%xmm6,(%rsp)
+movdqa%xmm7,0x10(%rsp)
+movdqa%xmm8,0x20(%rsp)
+movdqa%xmm9,0x30(%rsp)
+___
+$code.=___;
 and\$-16,$len
 jz.Lecb_ret

@@ -862,6 +871,15 @@
 movups$inout5,0x50($out)

 .Lecb_ret:
+___
+$code.=___ if ($win64);
+movdqa(%rsp),%xmm6
+movdqa0x10(%rsp),%xmm7
+movdqa0x20(%rsp),%xmm8
+movdqa0x30(%rsp),%xmm9
+lea0x48(%rsp),%rsp
+___
+$code.=___;
 ret
 .sizeaesni_ecb_encrypt,.-aesni_ecb_encrypt
 ___

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: CIPHER STRINGS

[Hubert Kario]

- Original Message -
 From: dE de.tec...@gmail.com
 To: openssl-dev@openssl.org
 Sent: Tuesday, 14 October, 2014 6:39:11 AM
 Subject: Re: CIPHER STRINGS
 
 On 10/13/14 17:09, Hubert Kario wrote:
  - Original Message -
  From: dE de.tec...@gmail.com
  To: openssl-dev@openssl.org
  Sent: Monday, 13 October, 2014 5:38:28 AM
  Subject: Re: CIPHER STRINGS
 
  On 10/13/14 01:13, Viktor Dukhovni wrote:
  On Sun, Oct 12, 2014 at 11:36:01PM +0530, dE wrote:
 
  A command line tool. Like openssl list-ciphersuits
  My own preference in this case is complete and accurate documentation.
 
  This'll also avoid updating the man page with long descriptive text.
  Even if a command-line tool is created, complete and accurate
  documentation is not optional.
 
  Problem with the documentation is that it's not complete. Many of these
  don't specify what does the algo do (auth, digest etc...).
 
  They're basically just writing the obvious with some notices about
  openSSL specific implementation.
 
  So if you dont know about the algo, you've to google it anyway.
  backporting documentation fixes is much easier that code fixes (some
  distributions even have mechanisms to update just the man pages
  without need of issuing a new binary package)
 
  speaking of which, I did recently update ciphers man page on 1.0.1
  branch with the intended goal to make it aligned with code
  actually shipping and more explicit with what different options do.
  If you think that it still has some unclear parts I'll gladly hear
  about them.
 
  See here for the current version:
  https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod
 
  If the man page in your distro doesn't include those changes, open
  a bug report against the distro, we can't help much with this though.
 
 Thanks for the contribution.
 
 For suggest the kind of algorithm the cipher string targets to be placed
 somewhere.
 
 e.g. kRSA, RSA, ADH, AECDH should have --
 
 Category:Kx
 
 Many of these dont specify that these are Kx algorithms.
 
 Similarly, AES128, AES256, AES should have
 
 Category:Enc

It is sorted more or less this way, first key exchanges, then authentication
algorithms, encryption algorithms and finally HMACs/PRFs.

The exception being FORTEZZA, which is unsupported and you shouldn't use it
and GOST algorithms which have very specific and limited use.

Problem is that some of those aliases don't have one specific meaning.
For example 'ECDH' will match the regular ECDHE key exchange, but it
will also match aECDH ciphers, similarly with 'DH'. So you can't assign them
to single category.
-- 
Regards,
Hubert Kario
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Vuln in SSL 3.0

[Krzysztof Kwiatkowski]

Hi,

Any idea what this is about? Is it a threat for OpenSSL users:

http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

Regards,
Kris
__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: CIPHER STRINGS

[dE]

On 10/14/14 16:47, Hubert Kario wrote:

- Original Message -

From: dE de.tec...@gmail.com
To: openssl-dev@openssl.org
Sent: Tuesday, 14 October, 2014 6:39:11 AM
Subject: Re: CIPHER STRINGS

On 10/13/14 17:09, Hubert Kario wrote:

- Original Message -

From: dE de.tec...@gmail.com
To: openssl-dev@openssl.org
Sent: Monday, 13 October, 2014 5:38:28 AM
Subject: Re: CIPHER STRINGS

On 10/13/14 01:13, Viktor Dukhovni wrote:

On Sun, Oct 12, 2014 at 11:36:01PM +0530, dE wrote:


A command line tool. Like openssl list-ciphersuits

My own preference in this case is complete and accurate documentation.


This'll also avoid updating the man page with long descriptive text.

Even if a command-line tool is created, complete and accurate
documentation is not optional.


Problem with the documentation is that it's not complete. Many of these
don't specify what does the algo do (auth, digest etc...).

They're basically just writing the obvious with some notices about
openSSL specific implementation.

So if you dont know about the algo, you've to google it anyway.

backporting documentation fixes is much easier that code fixes (some
distributions even have mechanisms to update just the man pages
without need of issuing a new binary package)

speaking of which, I did recently update ciphers man page on 1.0.1
branch with the intended goal to make it aligned with code
actually shipping and more explicit with what different options do.
If you think that it still has some unclear parts I'll gladly hear
about them.

See here for the current version:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_1-stable/doc/apps/ciphers.pod

If the man page in your distro doesn't include those changes, open
a bug report against the distro, we can't help much with this though.

Thanks for the contribution.

For suggest the kind of algorithm the cipher string targets to be placed
somewhere.

e.g. kRSA, RSA, ADH, AECDH should have --

Category:Kx

Many of these dont specify that these are Kx algorithms.

Similarly, AES128, AES256, AES should have

Category:Enc

It is sorted more or less this way, first key exchanges, then authentication
algorithms, encryption algorithms and finally HMACs/PRFs.

The exception being FORTEZZA, which is unsupported and you shouldn't use it
and GOST algorithms which have very specific and limited use.

Problem is that some of those aliases don't have one specific meaning.
For example 'ECDH' will match the regular ECDHE key exchange, but it
will also match aECDH ciphers, similarly with 'DH'. So you can't assign them
to single category.


You can make an 'others' category that way, or make duplicate entries.

I would suggest a table so you can map duplicate entries too. Hope the 
man page allows tables.


You know these strings are used in programs like Apache so they must be 
clear.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Re: Vuln in SSL 3.0

[Dominyk Tiller]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

If there is a threat in SSLv3 it seems almost certain to affect OpenSSL.

The upstream dev team not commenting on this is probably fairly
standard protocol; I believe they don't comment on anything critical
that could be exploited before patches are imminent or available.

I guess the situation is Watch this space.

Sent from Thunderbird for OS X. My PGP public key is automatically
attached to this email.

On 14/10/2014 15:19, Krzysztof Kwiatkowski wrote:
 Hi,
 
 Any idea what this is about? Is it a threat for OpenSSL users:
 
 http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

 
 
 Regards, Kris 
 __

 
OpenSSL Project http://www.openssl.org
 Development Mailing List
 openssl-dev@openssl.org Automated List Manager
 majord...@openssl.org
-BEGIN PGP SIGNATURE-
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJUPU0UAAoJEIclJNuddDJsNYUP/A00vuZ/PUsoIG/rORgw9yvj
Gg9IIfybSodxdVpeQeI98z1wxEh4+6p99MYmZTvJ3RnRATrMn2ymjrYbJz4Jj43q
0d3kg3QQCPnPimFkgCo2IwdT/K2TCZl2pAwIOJn5Mo25nGnVL7WpH62PXjtBLpvz
Im7WME5W8qzhZ+cHQJA3A+P5ow9q+aS++/bNk/dq80EON4/gyxRvu/BNl+/DmCfw
2SKP57k8huHj5F0voziNPKLPd2RBtgxS9iAEVZ9bmWLLTxdfTfTs19+VZRm2yyXw
KFM2DbeWJORrWkxO0yDPS5FNVv54brkmvu8Iu7Ge3fbYNXSAe5SKJMhmwiXone7S
XZFLY9KceZjj1jrX9JLDE8Ivp/gp+9W2LrafguZhYnSeZ2SRtx/vDloPDKrv1V/N
ny2EudnX+vN6KRMqfpcGc/NR3/ODfkHkXfKVuZ056oPxsSBCFJSzlVl2gDfMTCDV
fH+emZEN2lN9okRIbZadNlGy8Ef34ZvX52CzBonA1u30YI/PiSjiC+8l8HxjEDJv
VhZSJb2dwMJX/7AtXGcEL9C9avRmfzjFullbaCM5HDnKlwvUC/04HkYuydft66XW
VrILhscdrGiBOIiQTaJuiJPBavSQEt8LCYpZOS74icvlB5RzI8Mk8I6V976XzBoS
QAGulIxAp/+CYisBYr6j
=3vi3
-END PGP SIGNATURE-


0x9D74326C.asc
Description: application/pgp-keys


0x9D74326C.asc.sig
Description: Binary data

RE: [openssl.org #3564]

[Mangino, Nicholas @ CSG - CSE via RT]

Have attempted another build using Win 32 option
perl  Configure  VC-WIN32  no-asm  no-hw

ms\do_ms completes without error or warnings.

Running   nmake -f ms\ntdll.mak  compiles all C code but generates the 
following error on linking
rc /fotmp32dll\libeay32.res /d CRYPTO ms\version32.rc
Microsoft (R) Windows (R) Resource Compiler Version 6.2.9200.16384
Copyright (C) Microsoft Corporation.  All rights reserved.

link /nologo /subsystem:console /opt:ref /debug /dll 
/out:out32dll\libeay32.dll /def:ms/LIBEAY32.def 
@C:\Users\nmangino\AppData\Local\Temp\nm9D07.tmp
   Creating library out32dll\libeay32.lib and object out32dll\libeay32.exp
bss_fd.obj : error LNK2001: unresolved external symbol _OPENSSL_UplinkTable
bss_file.obj : error LNK2019: unresolved external symbol _OPENSSL_UplinkTable 
referenced in function
 _BIO_new_file
b_dump.obj : error LNK2001: unresolved external symbol _OPENSSL_UplinkTable
out32dll\libeay32.dll : fatal error LNK1120: 1 unresolved externals
NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual Studio 
11.0\VC\BIN\link.EXE' :
 return code '0x460'
Stop.

Better now but can't get away from this uplink error.
Again, I appreciate any help you can give.


-Original Message-
From: The default queue via RT [mailto:r...@openssl.org] 
Sent: Tuesday, October 14, 2014 1:49 AM
To: Mangino, Nicholas @ CSG - CSE
Subject: [openssl.org #3564] AutoReply: Build error OpenSSL 1.0.1i 


Greetings,

This message has been automatically generated in response to the creation of a 
trouble ticket regarding:
Build error OpenSSL 1.0.1i,
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been 
assigned an ID of [openssl.org #3564].

Please include the string:

 [openssl.org #3564]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

Thank you,
r...@openssl.org

-
I am attempting to build Open SSL 1.0.1.i on  Intel 64,  Windows 7,  using 
Visual Studio Professional 2012.
I configured the build with
perl  Configure  debug-VC-WIN64I  no-asm  no-hw

ms\do_win64i complains about not finding ias but continues.

Running   nmake -f ms\ntdll.mak  generates the following errors
ml  /c ms\uptable.asm
Microsoft (R) Macro Assembler Version 11.00.50727.1 Copyright (C) Microsoft 
Corporation.  All rights reserved.

Assembling: ms\uptable.asm
ms\uptable.asm(1) : error A2008:syntax error : .
ms\uptable.asm(2) : error A2044:invalid character in file
ms\uptable.asm(3) : error A2044:invalid character in file
ms\uptable.asm(5) : error A2044:invalid character in file
ms\uptable.asm(6) : error A2034:must be in segment block
ms\uptable.asm(7) : error A2008:syntax error : .
ms\uptable.asm(8) : error A2045:missing angle bracket or brace in literal
ms\uptable.asm(9) : error A2008:syntax error : loc0
ms\uptable.asm(10) : error A2008:syntax error : .
ms\uptable.asm(11) : error A2008:syntax error
ms\uptable.asm(12) : error A2044:invalid character in file
ms\uptable.asm(13) : error A2008:syntax error : .
ms\uptable.asm(14) : error A2045:missing angle bracket or brace in literal
ms\uptable.asm(15) : error A2045:missing angle bracket or brace in literal
ms\uptable.asm(16) : error A2045:missing angle bracket or brace in literal
ms\uptable.asm(17) : error A2044:invalid character in file
ms\uptable.asm(18) : error A2045:missing angle bracket or brace in literal
ms\uptable.asm(19) : error A2045:missing angle bracket or brace in literal ...
ms\uptable.asm(104) : error A2045:missing angle bracket or brace in literal
ms\uptable.asm(105) : error A2044:invalid character in file
ms\uptable.asm(106) : fatal error A1012:error count exceeds 100; stopping 
assembly NMAKE : fatal error U1077: 'C:\Program Files (x86)\Microsoft Visual 
Studio 11.0\VC\BIN\ml.EXE' : r eturn code '0x1'
Stop.

I configured for no assembler code but nmake is attempting to assemble this 
code.

How can I gert around this error and complete the build?

Appreciate any help you can give.


__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org

Patch to mitigate CVE-2014-3566 (POODLE)

[Bodo Moeller]

Here's a patch for the OpenSSL 1.0.1 branch that adds support for
TLS_FALLBACK_SCSV, which can be used to counter the POODLE attack
(CVE-2014-3566; https://www.openssl.org/~bodo/ssl-poodle.pdf).

Note well that this is not about a bug in OpenSSL -- it's a protocol issue.
If SSL 3.0 is disabled in either the client or in the server, that is
completely sufficient to avoid the POODLE attack. (Also, there's only a
vulnerability if the client actively falls back to SSL 3.0 in case that TLS
connections don't work -- but many browsers still do that to ensure
interoperability with broken legacy servers.) If you can't yet disable SSL
3.0 entirely, TLS_FALLBACK_SCSV can help avoid the attack, if both the
client and the server support it.

Server-side TLS_FALLBACK_SCSV support is automatically provided if you use
the patch. Clients that do fallback connections downgrading the protocol
version should use SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV) for such
downgraded connections.

The OpenSSL team will follow up with official releases that will include
TLS_FALLBACK_SCSV support. Meanwhile, if you can't simply disable SSL 3.0,
you may want to use this patch.

Bodo
diff --git a/apps/s_client.c b/apps/s_client.c
index 4625467..c2e160c 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -337,6 +337,7 @@ static void sc_usage(void)
BIO_printf(bio_err, -tls1_1   - just use TLSv1.1\n);
BIO_printf(bio_err, -tls1 - just use TLSv1\n);
BIO_printf(bio_err, -dtls1- just use DTLSv1\n);
+   BIO_printf(bio_err, -fallback_scsv - send TLS_FALLBACK_SCSV\n);
BIO_printf(bio_err, -mtu  - set the link layer MTU\n);
BIO_printf(bio_err, -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - 
turn off that protocol\n);
BIO_printf(bio_err, -bugs - Switch on all SSL implementation 
bug workarounds\n);
@@ -617,6 +618,7 @@ int MAIN(int argc, char **argv)
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
+   int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
 #ifndef OPENSSL_NO_JPAKE
@@ -823,6 +825,10 @@ int MAIN(int argc, char **argv)
meth=DTLSv1_client_method();
socket_type=SOCK_DGRAM;
}
+   else if (strcmp(*argv,-fallback_scsv) == 0)
+   {
+   fallback_scsv = 1;
+   }
else if (strcmp(*argv,-timeout) == 0)
enable_timeouts=1;
else if (strcmp(*argv,-mtu) == 0)
@@ -1235,6 +1241,10 @@ bad:
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
+
+   if (fallback_scsv)
+   SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
+
 #ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
diff --git a/crypto/err/openssl.ec b/crypto/err/openssl.ec
index e0554b4..34754e5 100644
--- a/crypto/err/openssl.ec
+++ b/crypto/err/openssl.ec
@@ -71,6 +71,7 @@ R SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION1060
 R SSL_R_TLSV1_ALERT_PROTOCOL_VERSION   1070
 R SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY  1071
 R SSL_R_TLSV1_ALERT_INTERNAL_ERROR 1080
+R SSL_R_SSLV3_ALERT_INAPPROPRIATE_FALLBACK 1086
 R SSL_R_TLSV1_ALERT_USER_CANCELLED 1090
 R SSL_R_TLSV1_ALERT_NO_RENEGOTIATION   1100
 R SSL_R_TLSV1_UNSUPPORTED_EXTENSION1110
diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c
index 6bde16f..82ca653 100644
--- a/ssl/d1_lib.c
+++ b/ssl/d1_lib.c
@@ -266,6 +266,16 @@ long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg)
case DTLS_CTRL_LISTEN:
ret = dtls1_listen(s, parg);
break;
+   case SSL_CTRL_CHECK_PROTO_VERSION:
+   /* For library-internal use; checks that the current protocol
+* is the highest enabled version (according to s-ctx-method,
+* as version negotiation may have changed s-method). */
+#if DTLS_MAX_VERSION != DTLS1_VERSION
+#  error Code needs update for DTLS_method() support beyond DTLS1_VERSION.
+#endif
+   /* Just one protocol version is supported so far;
+* fail closed if the version is not as expected. */
+   return s-version == DTLS_MAX_VERSION;
 
default:
ret = ssl3_ctrl(s, cmd, larg, parg);
diff --git a/ssl/dtls1.h b/ssl/dtls1.h
index e65d501..192c5de 100644
--- a/ssl/dtls1.h
+++ b/ssl/dtls1.h
@@ -84,6 +84,8 @@ extern C {
 #endif
 
 #define DTLS1_VERSION  0xFEFF
+#define DTLS_MAX_VERSION   DTLS1_VERSION
+
 #define DTLS1_BAD_VER  0x0100
 
 #if 0
@@ -284,4 +286,3 @@ typedef struct dtls1_record_data_st
 }
 #endif
 #endif
-
diff --git a/ssl/s23_clnt.c b/ssl/s23_clnt.c
index 2b93c63..d4e43c3 100644
--- a/ssl/s23_clnt.c
+++ b/ssl/s23_clnt.c
@@ -736,6 +736,9 @@ static 

Re: Patch to mitigate CVE-2014-3566 (POODLE)

[mancha]

On Wed, Oct 15, 2014 at 01:46:40AM +0200, Bodo Moeller wrote:
 Here's a patch for the OpenSSL 1.0.1 branch that adds support for
 TLS_FALLBACK_SCSV, which can be used to counter the POODLE attack
 (CVE-2014-3566; https://www.openssl.org/~bodo/ssl-poodle.pdf).

Hi Bodo. Many thanks for the OOB patch that I just saw commited to git.
Any reason for the s_client -fallback_scsv option check to be within an
#ifndef OPENSSL_NO_DTLS1 block?  

Thanks.

--mancha


pgpQP0dloJSeZ.pgp
Description: PGP signature