
@FiloSottile
FiloSottile / gist:d3839775bda8e6649372a6e5efea7c38
Created May 4, 2016 00:43
Hosts in the Alexa Top 30k vulnerable to CVE-2016-2107 as of 2016-05-04Z00:00.
facebook.com
baidu.com
yahoo.com
amazon.com
linkedin.com
weibo.com
yandex.ru
instagram.com
amazon.co.jp
pinterest.com
// clang -L/usr/local/opt/openssl/lib -I/usr/local/opt/openssl/include -lssl -lcrypto -O0 -g aesni_cbc_hmac_sha1_cipher.c && ./a.out
#include <stdio.h>
#include <string.h>
#include <openssl/evp.h>
#include <openssl/objects.h>
#include <openssl/aes.h>
#include <openssl/sha.h>
#include <openssl/rand.h>
OpenSSL Security Advisory [3rd May 2016]
========================================
Memory corruption in the ASN.1 encoder (CVE-2016-2108)
======================================================
Severity: High
This issue affected versions of OpenSSL prior to April 2015. The bug
causing the vulnerability was fixed on April 18th 2015, and released
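#! /bin/sh
# Build one Go package for Linux in several variants.
#
# Usage: sh <this-script> <package-or-file> <output-prefix>
#   $1  what to build (handed to "go build" / "gotip build")
#   $2  output path prefix; every variant appends its own suffix to it
#
# Variants produced: a default build, a build with -ldflags="-s -w" (symbol
# table and DWARF debug info omitted), and a UPX-compressed copy of each,
# for both the released toolchain ("go") and the development one ("gotip").
#
# Every expansion of $2 is quoted so that an output prefix containing spaces
# or glob characters is passed through as a single argument, matching how $1
# was already handled.
#
# NOTE(review): UPX-packed executables are opaque to most static scanners and
# are commonly flagged by antivirus heuristics. Keep the unpacked binary (and
# its hash) as the artifact of record if these builds are ever distributed.

# Released toolchain: default and stripped builds.
GOOS=linux go build -o "$2" "$1"
GOOS=linux go build -ldflags="-s -w" -o "$2.-sw" "$1"

# UPX copies of both; -f forces packing, --brute tries all compression methods.
upx -f --brute -o "$2.upx" "$2"
upx -f --brute -o "$2.-sw.upx" "$2.-sw"

# Development toolchain: the same default and stripped builds.
GOOS=linux gotip build -o "$2.tip" "$1"
GOOS=linux gotip build -ldflags="-s -w" -o "$2.tip.-sw" "$1"

upx -f --brute -o "$2.tip.upx" "$2.tip"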
$ pip freeze
argcomplete==1.1.1
argh==0.25.0
cffi==1.5.2
coverage==4.0.3
cryptography==1.3.1
docker-py==1.8.0
enum34==1.1.2
funcsigs==1.0.0
idna==2.1
$ tail -n +210868 whosthere/log.jsonl | while read line; do echo "$line" | jq -r .ClientVersion | xxd -r -p; echo; done | sort | uniq -c | sort -n
1 SSH-2.0-dropbear_2015.67
1 SSH-2.0-nsssh2_5.0.0029 NetSarang Computer, Inc.
1 SSH-2.0-OpenSSH_3.9p1
1 SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7
1 SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu7.1
1 SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
1 SSH-2.0-OpenSSH_5.8
1 SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
1 SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
func TestHMACTotalTiming(t *testing.T) {
sumData := make(plotter.XYs, 256)
constData := make(plotter.XYs, 256)
naiveData := make(plotter.XYs, 256)
data := []byte("0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789")
sumBuf := make([]byte, 0, 100)
for n := 0; n < 256; n++ {
var res1, res2 []byte
ns := testing.Benchmark(func(b *testing.B) {
// Copyright 2010 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.
package tls
import (
"bytes"
"crypto/hmac"
"crypto/sha1"
From 6ec6e3f7b176547783b2c464d54bc1a1f7d884f7 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@cloudflare.com>
Date: Mon, 7 Dec 2015 15:44:34 +0000
Subject: [PATCH] crypto/tls: support SSLv2 compatibility handshakes
---
src/crypto/tls/conn.go | 103 ++++++++++++++++++++++++++++++++++++-
src/crypto/tls/handshake_server.go | 7 ++-
2 files changed, 107 insertions(+), 3 deletions(-)