Fix Bleichenbacher PKCS #1 1.5 countermeasure.
authorBodo Möller <bodo@openssl.org>
Fri, 1 Jun 2001 09:43:23 +0000 (09:43 +0000)
committerBodo Möller <bodo@openssl.org>
Fri, 1 Jun 2001 09:43:23 +0000 (09:43 +0000)
(The attack against SSL 3.1 and TLS 1.0 is impractical anyway,
otherwise this would be a security relevant patch.)

CHANGES
ssl/s2_srvr.c
ssl/s3_srvr.c

diff --git a/CHANGES b/CHANGES
index 1ff891caf77be151574514cddb81eba3b0fe3aa3..db225ce569b3a1c85504d2e738db7153eab084a2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,27 @@
 
  Changes between 0.9.6a and 0.9.6b  [XX xxx XXXX]
 
+  *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5
+     RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5
+     when fixing the server behaviour for backwards-compatible 'client
+     hello' messages.  (Note that the attack is impractical against
+     SSL 3.0 and TLS 1.0 anyway because length and version checking
+     means that the probability of guessing a valid ciphertext is
+     around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98
+     paper.)
+
+     Before 0.9.5, the countermeasure (hide the error by generating a
+     random 'decryption result') did not work properly because
+     ERR_clear_error() was missing, meaning that SSL_get_error() would
+     detect the supposedly ignored error.
+
+     Both problems are now fixed.
+     [Bodo Moeller]
+
+  *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096
+     (previously it was 1024).
+     [Bodo Moeller]
+
   *) Fix for compatibility mode trust settings: ignore trust settings
      unless some valid trust or reject settings are present.
      [Steve Henson]
index 1ed02540aec4d7bdc6521c501801370fbf6a8bd3..2fa2f310a8eded974e762d1d00222a10b96df485 100644 (file)
@@ -405,12 +405,13 @@ static int get_client_master_key(SSL *s)
        /* bad decrypt */
 #if 1
        /* If a bad decrypt, continue with protocol but with a
-        * dud master secret */
+        * random master secret (Bleichenbacher attack) */
        if ((i < 0) ||
                ((!is_export && (i != EVP_CIPHER_key_length(c)))
                || (is_export && ((i != ek) || (s->s2->tmp.clear+i !=
                        EVP_CIPHER_key_length(c))))))
                {
+               ERR_clear_error();
                if (is_export)
                        i=ek;
                else
index d04232960e30728ae41b9d923b9c0529f07f94b5..258af84867adc4ce9ccc9aae5e74ac5491c9f869 100644 (file)
@@ -1322,14 +1322,15 @@ static int ssl3_get_client_key_exchange(SSL *s)
 
                i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING);
 
+               al = -1;
+               
                if (i != SSL_MAX_MASTER_KEY_LENGTH)
                        {
                        al=SSL_AD_DECODE_ERROR;
                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
-                       goto f_err;
                        }
 
-               if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+               if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
                        {
                        /* The premaster secret must contain the same version number as the
                         * ClientHello to detect version rollback attacks (strangely, the
@@ -1347,6 +1348,27 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                }
                        }
 
+               if (al != -1)
+                       {
+#if 0
+                       goto f_err;
+#else
+                       /* Some decryption failure -- use random value instead as countermeasure
+                        * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
+                        * (see RFC 2246, section 7.4.7.1).
+                        * But note that due to length and protocol version checking, the
+                        * attack is impractical anyway (see section 5 in D. Bleichenbacher:
+                        * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
+                        * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
+                        */
+                       ERR_clear_error();
+                       i = SSL_MAX_MASTER_KEY_LENGTH;
+                       p[0] = s->client_version >> 8;
+                       p[1] = s->client_version & 0xff;
+                       RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+#endif
+                       }
+       
                s->session->master_key_length=
                        s->method->ssl3_enc->generate_master_secret(s,
                                s->session->master_key,