From: Richard Levitte Date: Wed, 19 Feb 2003 12:32:21 +0000 (+0000) Subject: All kinds of changes from 0.9.6-stable. X-Git-Tag: OpenSSL-engine-0_9_6i~1 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=2e824f0444d87c894dd959d299c6acb0e19d5022;p=oweals%2Fopenssl.git All kinds of changes from 0.9.6-stable. --- diff --git a/CHANGES b/CHANGES index 0d9de74283..cf7444a1a9 100644 --- a/CHANGES +++ b/CHANGES @@ -2,11 +2,19 @@ OpenSSL CHANGES _______________ - Changes between 0.9.6h and 0.9.6i [xx XXX xxxx] + Changes between 0.9.6h and 0.9.6i [19 Feb 2003] - *) + *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked + via timing by performing a MAC computation even if incorrrect + block cipher padding has been found. This is a countermeasure + against active attacks where the attacker has to distinguish + between bad padding and a MAC verification error. (CAN-2003-0078) - Changes between 0.9.6g and 0.9.6h [21 Dec 2002] + [Bodo Moeller; problem pointed out by Brice Canvel (EPFL), + Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and + Martin Vuagnoux (EPFL, Ilion)] + + Changes between 0.9.6g and 0.9.6h [5 Dec 2002] *) New function OPENSSL_cleanse(), which is used to cleanse a section of memory from it's contents. This is done with a counter that will diff --git a/FAQ b/FAQ index 976f3197dd..430a8aa219 100644 --- a/FAQ +++ b/FAQ @@ -184,18 +184,30 @@ for permission to use their software with OpenSSL. Cryptographic software needs a source of unpredictable data to work correctly. Many open source operating systems provide a "randomness -device" that serves this purpose. On other systems, applications have -to call the RAND_add() or RAND_seed() function with appropriate data -before generating keys or performing public key encryption. -(These functions initialize the pseudo-random number generator, PRNG.) - -Some broken applications do not do this. As of version 0.9.5, the -OpenSSL functions that need randomness report an error if the random -number generator has not been seeded with at least 128 bits of -randomness. If this error occurs, please contact the author of the -application you are using. It is likely that it never worked -correctly. OpenSSL 0.9.5 and later make the error visible by refusing -to perform potentially insecure encryption. +device" (/dev/urandom or /dev/random) that serves this purpose. +All OpenSSL versions try to use /dev/urandom by default; starting with +version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not +available. + +On other systems, applications have to call the RAND_add() or +RAND_seed() function with appropriate data before generating keys or +performing public key encryption. (These functions initialize the +pseudo-random number generator, PRNG.) Some broken applications do +not do this. As of version 0.9.5, the OpenSSL functions that need +randomness report an error if the random number generator has not been +seeded with at least 128 bits of randomness. If this error occurs and +is not discussed in the documentation of the application you are +using, please contact the author of that application; it is likely +that it never worked correctly. OpenSSL 0.9.5 and later make the +error visible by refusing to perform potentially insecure encryption. + +If you are using Solaris 8, you can add /dev/urandom and /dev/random +devices by installing patch 112438 (Sparc) or 112439 (x86), which are +available via the Patchfinder at +(Solaris 9 includes these devices by default). For /dev/random support +for earlier Solaris versions, see Sun's statement at + +(the SUNWski package is available in patch 105710). On systems without /dev/urandom and /dev/random, it is a good idea to use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for @@ -228,18 +240,6 @@ OpenSSL command line tools. Applications using the OpenSSL library provide their own configuration options to specify the entropy source, please check out the documentation coming the with application. -For Solaris 2.6, Tim Nibbe and others have suggested -installing the SUNski package from Sun patch 105710-01 (Sparc) which -adds a /dev/random device and make sure it gets used, usually through -$RANDFILE. There are probably similar patches for the other Solaris -versions. An official statement from Sun with respect to /dev/random -support can be found at - http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski -However, be warned that /dev/random is usually a blocking device, which -may have some effects on OpenSSL. -A third party /dev/random solution for Solaris is available at - http://www.cosy.sbg.ac.at/~andi/ - * Why do I get an "unable to write 'random state'" error message? diff --git a/crypto/bio/bio.h b/crypto/bio/bio.h index fd3aaa0585..d7fc0e6456 100644 --- a/crypto/bio/bio.h +++ b/crypto/bio/bio.h @@ -241,7 +241,7 @@ typedef struct bio_method_st long (_far *ctrl)(); int (_far *create)(); int (_far *destroy)(); - long (_fat *callback_ctrl)(); + long (_far *callback_ctrl)(); } BIO_METHOD; #endif diff --git a/crypto/mem.c b/crypto/mem.c index b026fd38aa..0df0a2a549 100644 --- a/crypto/mem.c +++ b/crypto/mem.c @@ -175,6 +175,8 @@ void *CRYPTO_malloc_locked(int num, const char *file, int line) void *ret = NULL; extern unsigned char cleanse_ctr; + if (num < 0) return NULL; + allow_customize = 0; if (malloc_debug_func != NULL) { @@ -214,6 +216,8 @@ void *CRYPTO_malloc(int num, const char *file, int line) void *ret = NULL; extern unsigned char cleanse_ctr; + if (num < 0) return NULL; + allow_customize = 0; if (malloc_debug_func != NULL) { @@ -243,6 +247,8 @@ void *CRYPTO_realloc(void *str, int num, const char *file, int line) if (str == NULL) return CRYPTO_malloc(num, file, line); + if (num < 0) return NULL; + if (realloc_debug_func != NULL) realloc_debug_func(str, NULL, num, file, line, 0); ret = realloc_func(str,num); diff --git a/doc/apps/x509.pod b/doc/apps/x509.pod index 3a05fdc828..890e7b5f62 100644 --- a/doc/apps/x509.pod +++ b/doc/apps/x509.pod @@ -532,8 +532,8 @@ certificate extensions: Set a certificate to be trusted for SSL client use and change set its alias to "Steve's Class 1 CA" - openssl x509 -in cert.pem -addtrust sslclient \ - -alias "Steve's Class 1 CA" -out trust.pem + openssl x509 -in cert.pem -addtrust clientAuth \ + -setalias "Steve's Class 1 CA" -out trust.pem =head1 NOTES diff --git a/doc/crypto/BN_generate_prime.pod b/doc/crypto/BN_generate_prime.pod index 6ea23791d1..7dccacbc1e 100644 --- a/doc/crypto/BN_generate_prime.pod +++ b/doc/crypto/BN_generate_prime.pod @@ -70,7 +70,7 @@ If B, this test is skipped. Both BN_is_prime() and BN_is_prime_fasttest() perform a Miller-Rabin probabilistic primality test with B iterations. If -B, a number of iterations is used that +B, a number of iterations is used that yields a false positive rate of at most 2^-80 for random input. If B is not B, B is called diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c index e7743aba2a..bbadac0d37 100644 --- a/ssl/s3_enc.c +++ b/ssl/s3_enc.c @@ -456,6 +456,7 @@ int ssl3_enc(SSL *s, int send) ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECRYPTION_FAILED); return 0; } + /* otherwise, rec->length >= bs */ } EVP_Cipher(ds,rec->data,rec->input,l); @@ -464,7 +465,7 @@ int ssl3_enc(SSL *s, int send) { i=rec->data[l-1]+1; /* SSL 3.0 bounds the number of padding bytes by the block size; - * padding bytes (except that last) are arbitrary */ + * padding bytes (except the last one) are arbitrary */ if (i > bs) { /* Incorrect padding. SSLerr() and ssl3_alert are done @@ -473,6 +474,7 @@ int ssl3_enc(SSL *s, int send) * (see http://www.openssl.org/~bodo/tls-cbc.txt) */ return -1; } + /* now i <= bs <= rec->length */ rec->length-=i; } } diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c index f52303c7c3..caf975d688 100644 --- a/ssl/s3_pkt.c +++ b/ssl/s3_pkt.c @@ -238,6 +238,8 @@ static int ssl3_get_record(SSL *s) unsigned int mac_size; int clear=0; size_t extra; + int decryption_failed_or_bad_record_mac = 0; + unsigned char *mac = NULL; rr= &(s->s3->rrec); sess=s->session; @@ -353,8 +355,11 @@ again: /* SSLerr() and ssl3_send_alert() have been called */ goto err; - /* otherwise enc_err == -1 */ - goto decryption_failed_or_bad_record_mac; + /* Otherwise enc_err == -1, which indicates bad padding + * (rec->length has not been changed in this case). + * To minimize information leaked via timing, we will perform + * the MAC computation anyway. */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -380,28 +385,46 @@ printf("\n"); SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ - if (rr->length < mac_size) + if (rr->length >= mac_size) { + rr->length -= mac_size; + mac = &rr->data[rr->length]; + } + else + { + /* record (minus padding) is too short to contain a MAC */ #if 0 /* OK only for stream ciphers */ al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; + rr->length = 0; #endif } - rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); - if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) + if (mac == NULL || memcmp(md, mac, mac_size) != 0) { - goto decryption_failed_or_bad_record_mac; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* A separate 'decryption_failed' alert was introduced with TLS 1.0, + * SSL 3.0 only has 'bad_record_mac'. But unless a decryption + * failure is directly visible from the ciphertext anyway, + * we should not reveal which kind of error occured -- this + * might become visible to an attacker (e.g. via a logfile) */ + al=SSL_AD_BAD_RECORD_MAC; + SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); + goto f_err; + } + /* r->length is now just compressed */ if (s->expand != NULL) { @@ -443,14 +466,6 @@ printf("\n"); return(1); -decryption_failed_or_bad_record_mac: - /* Separate 'decryption_failed' alert was introduced with TLS 1.0, - * SSL 3.0 only has 'bad_record_mac'. But unless a decryption - * failure is directly visible from the ciphertext anyway, - * we should not reveal which kind of error occured -- this - * might become visible to an attacker (e.g. via logfile) */ - al=SSL_AD_BAD_RECORD_MAC; - SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC); f_err: ssl3_send_alert(s,SSL3_AL_FATAL,al); err: diff --git a/util/mk1mf.pl b/util/mk1mf.pl index 4cc7881d8d..efdf77e74f 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -206,7 +206,7 @@ $cflags.=" -DNO_MD4" if $no_md4; $cflags.=" -DNO_MD5" if $no_md5; $cflags.=" -DNO_SHA" if $no_sha; $cflags.=" -DNO_SHA1" if $no_sha1; -$cflags.=" -DNO_RIPEMD" if $no_rmd160; +$cflags.=" -DNO_RIPEMD" if $no_ripemd; $cflags.=" -DNO_MDC2" if $no_mdc2; $cflags.=" -DNO_BF" if $no_bf; $cflags.=" -DNO_CAST" if $no_cast; @@ -674,7 +674,7 @@ sub var_add @a=grep(!/(^md2)|(_md2$)/,@a) if $no_md2; @a=grep(!/(^md4)|(_md4$)/,@a) if $no_md4; @a=grep(!/(^md5)|(_md5$)/,@a) if $no_md5; - @a=grep(!/(rmd)|(ripemd)/,@a) if $no_rmd160; + @a=grep(!/(rmd)|(ripemd)/,@a) if $no_ripemd; @a=grep(!/(^d2i_r_)|(^i2d_r_)/,@a) if $no_rsa; @a=grep(!/(^p_open$)|(^p_seal$)/,@a) if $no_rsa; @@ -883,7 +883,7 @@ sub read_options elsif (/^just-ssl$/) { $no_rc2=$no_idea=$no_des=$no_bf=$no_cast=1; $no_md2=$no_sha=$no_mdc2=$no_dsa=$no_dh=1; - $no_ssl2=$no_err=$no_rmd160=$no_rc5=1; } + $no_ssl2=$no_err=$no_ripemd=$no_rc5=1; } elsif (/^rsaref$/) { $rsaref=1; } elsif (/^gcc$/) { $gcc=1; }