author | Chris D. Faulhaber <jedgar@FreeBSD.org> | 2003-03-21 16:13:07 +0000 |
committer | Chris D. Faulhaber <jedgar@FreeBSD.org> | 2003-03-21 16:13:07 +0000 |
commit | f8bf448616afe936884fe770757cc09c5c035312 (patch) | |
tree | 80d28b3705de862e76a8cd050e74d913a6d66546 | |
parent | 1aa5093e0c270549412dbc7c125643e0d8e89e9e (diff) | |
MFC: crypto/openssl/ssl/s3_srvr.c 1.1.1.11
Import of PKCS #1 security fix.
http://www.openssl.org/news/secadv_20030319.txt
MFC: crypto/openssl/crypto/rsa/rsa_eay.c 1.11
crypto/openssl/crypto/rsa/rsa_lib.c 1.9
Enable RSA blinding by default.
http://www.openssl.org/news/secadv_20030317.txt
Notes:
svn path=/releng/5.0/; revision=112466
-rw-r--r-- | UPDATING | 4 | ||||
-rw-r--r-- | crypto/openssl/crypto/rsa/rsa_eay.c | 27 | ||||
-rw-r--r-- | crypto/openssl/crypto/rsa/rsa_lib.c | 8 | ||||
-rw-r--r-- | crypto/openssl/ssl/s3_srvr.c | 25 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
5 files changed, 47 insertions, 19 deletions
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those updates that don't have an advisory, or to be safe, you can do a full build and install as described in the COMMON ITEMS section.
+20030321: p6 FreeBSD-SA-03:06.openssl
+ enable RSA blinding by default
+ fix PKCS #1 v1.5 padding vulnerability
+
 20030320: p5 FreeBSD-SA-03:05.xdr integer overflow errors in the Sun XDR library.
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index c49abe6e3eed..444111fc394e 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -190,6 +190,25 @@ err:
 return(r);
 }
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 unsigned char *to, RSA *rsa, int padding)
@@ -234,8 +253,8 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 goto err;
 }
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
 if (rsa->flags & RSA_FLAG_BLINDING)
 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -313,8 +332,8 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
 goto err;
 }
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
 if (rsa->flags & RSA_FLAG_BLINDING)
 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
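Review bot: BLINDING_HELPER tests `(rsa)->blinding == NULL` without holding CRYPTO_LOCK_RSA, and the comment inside rsa_eay_blinding already calls that check racey; that is defensible only because the locked re-check is the one that decides, so the macro should say so and should document that `err_instr` is a complete statement such as `goto err;`. Suggested comment above the `#define`: `/* Unlocked fast path: rsa_eay_blinding() re-checks under CRYPTO_LOCK_RSA, so a stale read here costs at most one lock round-trip. err_instr is a full statement executed when blinding setup fails. */`. The lock covers only the creation of rsa->blinding; the BN_BLINDING_convert calls that follow in the -234 and -313 hunks use the shared rsa->blinding after the unlock, so whether concurrent signers on one key are safe depends on BN_BLINDING's own guarantees, which this file does not show. RSA_eay_private_encrypt and RSA_eay_private_decrypt both begin and end outside their hunks.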
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
index 422643e9f2e8..0aeefae7db9d 100644
--- a/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -71,7 +71,13 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
 RSA *RSA_new(void)
 {
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r;
 }
 void RSA_set_default_method(RSA_METHOD *meth)
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index 6b414cfa5c8b..88168dfcc455 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -1425,7 +1425,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 if (i != SSL_MAX_MASTER_KEY_LENGTH)
 {
 al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
 }
 if ((al == -1) && !((p[0] == (s->client_version>>8)) &&
 (p[1] == (s->client_version & 0xff))))
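Review bot: `r->flags|=RSA_FLAG_BLINDING;` in RSA_new dereferences the result of RSA_new_method(NULL) before testing it, so a NULL return, which the old one-line body handed straight back to the caller, now faults inside RSA_new. Guard the write with `if (r != NULL)` on the line before `r->flags|=RSA_FLAG_BLINDING;`, keeping both inside the `#ifndef OPENSSL_NO_FORCE_RSA_BLINDING` block so `return r;` still passes NULL through. Whether RSA_new_method can return NULL is not visible in this hunk, but the original code made no assumption about it and the new code should not either.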
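Review bot: The SSLerr call in the `i != SSL_MAX_MASTER_KEY_LENGTH` branch is commented out rather than removed, leaving dead code exactly where a reader needs the reason; the -1441 hunk does the same with SSL_R_BAD_PROTOCOL_VERSION_NUMBER. Replace the commented-out line with a why-comment, e.g. `/* Deliberately no SSLerr: a bad length must be handled exactly like any other decryption failure, so the al != -1 path below replaces the premaster secret with random bytes and clears the error queue. */`. The enclosing ssl3_get_client_key_exchange begins and ends outside this hunk.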
@@ -1441,30 +1441,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 {
 al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
- goto f_err;
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+ * (http://eprint.iacr.org/2003/052/) exploits the version
+ * number check as a "bad version oracle" -- an alert would
+ * reveal that the plaintext corresponding to some ciphertext
+ * made up by the adversary is properly formatted except
+ * that the version number is wrong. To avoid such attacks,
+ * we should treat this just like any other decryption error. */
+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
 }
 }
 if (al != -1)
 {
-#if 0
- goto f_err;
-#else
 /* Some decryption failure -- use random value instead as countermeasure
 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
- * (see RFC 2246, section 7.4.7.1).
- * But note that due to length and protocol version checking, the
- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
- */
+ * (see RFC 2246, section 7.4.7.1). */
 ERR_clear_error();
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
 }
 s->session->master_key_length=
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 2137f9be21a4..0d5d98d8fb02 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@ TYPE="FreeBSD"
 REVISION="5.0"
-BRANCH="RELEASE-p5"
+BRANCH="RELEASE-p6"
 RELEASE="${REVISION}-${BRANCH}"
 VERSION="${TYPE} ${RELEASE}" |
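Review bot: `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";` converts a string literal's address to int and then to char, which is implementation-defined and truncates wherever pointers are wider than int, and the byte it stores is dead: al was just set to SSL_AD_DECODE_ERROR, so the `if (al != -1)` block a few lines later reassigns p[0] from s->client_version. If the line exists only so the fix is identifiable in built objects, which is my reading and needs confirming with the author, say so where the next reader will look: `/* Marker only: the stored byte is overwritten by the al != -1 block below; kept so the patch is recognisable in binaries. */`. Otherwise drop the line, since removing `goto f_err` already routes the version-mismatch case into the random-premaster path. The enclosing function continues past the hunk.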