OpenSSL CHANGES
_______________
- Changes between 0.9.6h and 0.9.6i [xx XXX xxxx]
+ Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
- *)
+ *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
+ via timing by performing a MAC computation even if incorrrect
+ block cipher padding has been found. This is a countermeasure
+ against active attacks where the attacker has to distinguish
+ between bad padding and a MAC verification error. (CAN-2003-0078)
- Changes between 0.9.6g and 0.9.6h [21 Dec 2002]
+ [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
+ Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
+ Martin Vuagnoux (EPFL, Ilion)]
+
+ Changes between 0.9.6g and 0.9.6h [5 Dec 2002]
*) New function OPENSSL_cleanse(), which is used to cleanse a section of
memory from it's contents. This is done with a counter that will
Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a "randomness
-device" that serves this purpose. On other systems, applications have
-to call the RAND_add() or RAND_seed() function with appropriate data
-before generating keys or performing public key encryption.
-(These functions initialize the pseudo-random number generator, PRNG.)
-
-Some broken applications do not do this. As of version 0.9.5, the
-OpenSSL functions that need randomness report an error if the random
-number generator has not been seeded with at least 128 bits of
-randomness. If this error occurs, please contact the author of the
-application you are using. It is likely that it never worked
-correctly. OpenSSL 0.9.5 and later make the error visible by refusing
-to perform potentially insecure encryption.
+device" (/dev/urandom or /dev/random) that serves this purpose.
+All OpenSSL versions try to use /dev/urandom by default; starting with
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
+available.
+
+On other systems, applications have to call the RAND_add() or
+RAND_seed() function with appropriate data before generating keys or
+performing public key encryption. (These functions initialize the
+pseudo-random number generator, PRNG.) Some broken applications do
+not do this. As of version 0.9.5, the OpenSSL functions that need
+randomness report an error if the random number generator has not been
+seeded with at least 128 bits of randomness. If this error occurs and
+is not discussed in the documentation of the application you are
+using, please contact the author of that application; it is likely
+that it never worked correctly. OpenSSL 0.9.5 and later make the
+error visible by refusing to perform potentially insecure encryption.
+
+If you are using Solaris 8, you can add /dev/urandom and /dev/random
+devices by installing patch 112438 (Sparc) or 112439 (x86), which are
+available via the Patchfinder at <URL: http://sunsolve.sun.com>
+(Solaris 9 includes these devices by default). For /dev/random support
+for earlier Solaris versions, see Sun's statement at
+<URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
+(the SUNWski package is available in patch 105710).
On systems without /dev/urandom and /dev/random, it is a good idea to
use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
provide their own configuration options to specify the entropy source,
please check out the documentation coming the with application.
-For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
-installing the SUNski package from Sun patch 105710-01 (Sparc) which
-adds a /dev/random device and make sure it gets used, usually through
-$RANDFILE. There are probably similar patches for the other Solaris
-versions. An official statement from Sun with respect to /dev/random
-support can be found at
- http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
-However, be warned that /dev/random is usually a blocking device, which
-may have some effects on OpenSSL.
-A third party /dev/random solution for Solaris is available at
- http://www.cosy.sbg.ac.at/~andi/
-
* Why do I get an "unable to write 'random state'" error message?
long (_far *ctrl)();
int (_far *create)();
int (_far *destroy)();
- long (_fat *callback_ctrl)();
+ long (_far *callback_ctrl)();
} BIO_METHOD;
#endif
void *ret = NULL;
extern unsigned char cleanse_ctr;
+ if (num < 0) return NULL;
+
allow_customize = 0;
if (malloc_debug_func != NULL)
{
void *ret = NULL;
extern unsigned char cleanse_ctr;
+ if (num < 0) return NULL;
+
allow_customize = 0;
if (malloc_debug_func != NULL)
{
if (str == NULL)
return CRYPTO_malloc(num, file, line);
+ if (num < 0) return NULL;
+
if (realloc_debug_func != NULL)
realloc_debug_func(str, NULL, num, file, line, 0);
ret = realloc_func(str,num);
Set a certificate to be trusted for SSL client use and change set its alias to
"Steve's Class 1 CA"
- openssl x509 -in cert.pem -addtrust sslclient \
- -alias "Steve's Class 1 CA" -out trust.pem
+ openssl x509 -in cert.pem -addtrust clientAuth \
+ -setalias "Steve's Class 1 CA" -out trust.pem
=head1 NOTES
Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin
probabilistic primality test with B<checks> iterations. If
-B<checks == BN_prime_check>, a number of iterations is used that
+B<checks == BN_prime_checks>, a number of iterations is used that
yields a false positive rate of at most 2^-80 for random input.
If B<callback> is not B<NULL>, B<callback(1, j, cb_arg)> is called
ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED);
return 0;
}
+ /* otherwise, rec->length >= bs */
}
EVP_Cipher(ds,rec->data,rec->input,l);
{
i=rec->data[l-1]+1;
/* SSL 3.0 bounds the number of padding bytes by the block size;
- * padding bytes (except that last) are arbitrary */
+ * padding bytes (except the last one) are arbitrary */
if (i > bs)
{
/* Incorrect padding. SSLerr() and ssl3_alert are done
* (see http://www.openssl.org/~bodo/tls-cbc.txt) */
return -1;
}
+ /* now i <= bs <= rec->length */
rec->length-=i;
}
}
unsigned int mac_size;
int clear=0;
size_t extra;
+ int decryption_failed_or_bad_record_mac = 0;
+ unsigned char *mac = NULL;
rr= &(s->s3->rrec);
sess=s->session;
/* SSLerr() and ssl3_send_alert() have been called */
goto err;
- /* otherwise enc_err == -1 */
- goto decryption_failed_or_bad_record_mac;
+ /* Otherwise enc_err == -1, which indicates bad padding
+ * (rec->length has not been changed in this case).
+ * To minimize information leaked via timing, we will perform
+ * the MAC computation anyway. */
+ decryption_failed_or_bad_record_mac = 1;
}
#ifdef TLS_DEBUG
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
- if (rr->length < mac_size)
+ if (rr->length >= mac_size)
{
+ rr->length -= mac_size;
+ mac = &rr->data[rr->length];
+ }
+ else
+ {
+ /* record (minus padding) is too short to contain a MAC */
#if 0 /* OK only for stream ciphers */
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
+ rr->length = 0;
#endif
}
- rr->length-=mac_size;
i=s->method->ssl3_enc->mac(s,md,0);
- if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
+ if (mac == NULL || memcmp(md, mac, mac_size) != 0)
{
- goto decryption_failed_or_bad_record_mac;
+ decryption_failed_or_bad_record_mac = 1;
}
}
+ if (decryption_failed_or_bad_record_mac)
+ {
+ /* A separate 'decryption_failed' alert was introduced with TLS 1.0,
+ * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
+ * failure is directly visible from the ciphertext anyway,
+ * we should not reveal which kind of error occured -- this
+ * might become visible to an attacker (e.g. via a logfile) */
+ al=SSL_AD_BAD_RECORD_MAC;
+ SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
+ goto f_err;
+ }
+
/* r->length is now just compressed */
if (s->expand != NULL)
{
return(1);
-decryption_failed_or_bad_record_mac:
- /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
- * SSL 3.0 only has 'bad_record_mac'. But unless a decryption
- * failure is directly visible from the ciphertext anyway,
- * we should not reveal which kind of error occured -- this
- * might become visible to an attacker (e.g. via logfile) */
- al=SSL_AD_BAD_RECORD_MAC;
- SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
f_err:
ssl3_send_alert(s,SSL3_AL_FATAL,al);
err:
$cflags.=" -DNO_MD5" if $no_md5;
$cflags.=" -DNO_SHA" if $no_sha;
$cflags.=" -DNO_SHA1" if $no_sha1;
-$cflags.=" -DNO_RIPEMD" if $no_rmd160;
+$cflags.=" -DNO_RIPEMD" if $no_ripemd;
$cflags.=" -DNO_MDC2" if $no_mdc2;
$cflags.=" -DNO_BF" if $no_bf;
$cflags.=" -DNO_CAST" if $no_cast;
@a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2;
@a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4;
@a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5;
- @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160;
+ @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd;
@a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa;
@a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa;
elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1;
$no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1;
- $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; }
+ $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; }
elsif (/^rsaref$/) { $rsaref=1; }
elsif (/^gcc$/) { $gcc=1; }
projects / oweals / openssl.git / commitdiff