*) applies to 0.9.6a (/0.9.6b) and 0.9.7
+) applies to 0.9.7 only
+ *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
+ RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
+ when fixing the server behaviour for backwards-compatible 'client
+ hello' messages. (Note that the attack is impractical against
+ SSL 3.0 and TLS 1.0 anyway because length and version checking
+ means that the probability of guessing a valid ciphertext is
+ around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
+ paper.)
+
+ Before 0.9.5, the countermeasure (hide the error by generating a
+ random 'decryption result') did not work properly because
+ ERR_clear_error() was missing, meaning that SSL_get_error() would
+ detect the supposedly ignored error.
+
+ Both problems are now fixed.
+ [Bodo Moeller]
+
+ *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
+ (previously it was 1024).
+ [Bodo Moeller]
+
+) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
tidy up some unecessarily weird code in 'sk_new()').
[Geoff, reported by Diego Tartara <dtartara@novamens.com>]
/* bad decrypt */
#if 1
/* If a bad decrypt, continue with protocol but with a
- * dud master secret */
+ * random master secret (Bleichenbacher attack) */
if ((i < 0) ||
((!is_export && (i != EVP_CIPHER_key_length(c)))
|| (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
EVP_CIPHER_key_length(c))))))
{
+ ERR_clear_error();
if (is_export)
i=ek;
else
i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
+ al = -1;
+
if (i != SSL_MAX_MASTER_KEY_LENGTH)
{
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
- goto f_err;
}
- if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+ if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
{
/* The premaster secret must contain the same version number as the
* ClientHello to detect version rollback attacks (strangely, the
}
}
+ if (al != -1)
+ {
+#if 0
+ goto f_err;
+#else
+ /* Some decryption failure -- use random value instead as countermeasure
+ * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
+ * (see RFC 2246, section 7.4.7.1).
+ * But note that due to length and protocol version checking, the
+ * attack is impractical anyway (see section 5 in D. Bleichenbacher:
+ * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
+ * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
+ */
+ ERR_clear_error();
+ i = SSL_MAX_MASTER_KEY_LENGTH;
+ p[0] = s->client_version >> 8;
+ p[1] = s->client_version & 0xff;
+ RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+#endif
+ }
+
s->session->master_key_length=
s->method->ssl3_enc->generate_master_secret(s,
s->session->master_key,