diff options
author | Matt Caswell <matt@openssl.org> | 2021-09-01 01:57:12 +0000 |
---|---|---|
committer | Jung-uk Kim <jkim@FreeBSD.org> | 2021-09-01 02:00:02 +0000 |
commit | 0ad812e6cda6c0138b821902b53cf070b79ddd5b (patch) | |
tree | 77e6fc367dcbad1485adf8c9743404aaa41aa868 | |
parent | c40b21a7e2a030434d6850c28a4217c46b33577b (diff) | |
download | src-0ad812e6cda6c0138b821902b53cf070b79ddd5b.tar.gz src-0ad812e6cda6c0138b821902b53cf070b79ddd5b.zip |
OpenSSL: Fix the RSA_SSLV23_PADDING padding type
This also fixes the public function RSA_padding_check_SSLv23.
Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
so that padding is rejected if the nul delimiter byte is not immediately
preceded by at least 8 bytes containing 0x03. Prior to that commit the
padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
Presumably this change was made to be consistent with what it says in
appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
original behaviour was correct. This is fixed in later errata issued for
that RFC.
Applications that use SSLv2 or call RSA_paddin_check_SSLv23 directly, or
use the RSA_SSLV23_PADDING mode may be impacted. The effect of the original
error is that an RSA message encrypted by an SSLv2 only client will fail to
be decrypted properly by a TLS capable server, or a message encrypted by a
TLS capable client will fail to decrypt on an SSLv2 only server. Most
significantly an RSA message encrypted by a TLS capable client will be
successfully decrypted by a TLS capable server. This last case should fail
due to a rollback being detected.
Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
this issue.
CVE-2021-23839
https://github.com/openssl/openssl/commit/30919ab80a478f2d81f2e9acdcca3fa4740cd547
-rw-r--r-- | crypto/openssl/crypto/rsa/rsa_ssl.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/crypto/openssl/crypto/rsa/rsa_ssl.c b/crypto/openssl/crypto/rsa/rsa_ssl.c index 6f25acdac47a..bdc20c16c00a 100644 --- a/crypto/openssl/crypto/rsa/rsa_ssl.c +++ b/crypto/openssl/crypto/rsa/rsa_ssl.c @@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen, /* * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding - * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also + * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also * preserves error code reporting for backward compatibility. */ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, @@ -171,7 +171,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen, RSA_R_NULL_BEFORE_BLOCK_MISSING); mask = ~good; - good &= constant_time_ge(threes_in_row, 8); + /* + * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note + * that RFC5246 incorrectly states this the other way around, i.e. reject + * if it is not preceded by 8 consecutive 0x03 bytes. However this is + * corrected in subsequent errata for that RFC. + */ + good &= constant_time_lt(threes_in_row, 8); err = constant_time_select_int(mask | good, err, RSA_R_SSLV3_ROLLBACK_ATTACK); mask = ~good; |