From 8aac6ad0f21708f1cb890559d51589da111b8af6 Mon Sep 17 00:00:00 2001 From: Richard Levitte Date: Tue, 25 Mar 2003 01:26:54 +0000 Subject: [PATCH] Recent changes from 0.9.6-stable. --- CHANGES | 18 +++++++++++++++++- FAQ | 1 + LICENSE | 2 +- crypto/rsa/rsa.h | 7 +++++++ crypto/rsa/rsa_eay.c | 35 +++++++++++++++++++++++++++-------- crypto/rsa/rsa_lib.c | 21 +++++++++++++++++---- ssl/s3_srvr.c | 24 +++++++++++------------- 7 files changed, 81 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index b3f3ffb4d0..f234afa9e5 100644 --- a/CHANGES +++ b/CHANGES @@ -4,7 +4,23 @@ Changes between 0.9.6i and 0.9.6j [xx XXX 2003] - *) + *) Countermeasure against the Klima-Pokorny-Rosa extension of + Bleichbacher's attack on PKCS #1 v1.5 padding: treat + a protocol version number mismatch like a decryption error + in ssl3_get_client_key_exchange (ssl/s3_srvr.c). + [Bodo Moeller] + + *) Turn on RSA blinding by default in the default implementation + to avoid a timing attack. Applications that don't want it can call + RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. + They would be ill-advised to do so in most cases. + [Ben Laurie, Steve Henson, Geoff Thorpe] + + *) Change RSA blinding code so that it works when the PRNG is not + seeded (in this case, the secret RSA exponent is abused as + an unpredictable seed -- if it is not unpredictable, there + is no point in blinding anyway). + [Bodo Moeller] Changes between 0.9.6h and 0.9.6i [19 Feb 2003] diff --git a/FAQ b/FAQ index e2e7adf46a..e188f9a82a 100644 --- a/FAQ +++ b/FAQ @@ -674,6 +674,7 @@ The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. + * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! diff --git a/LICENSE b/LICENSE index 7b93e0dbce..dddb07842b 100644 --- a/LICENSE +++ b/LICENSE @@ -12,7 +12,7 @@ --------------- /* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. + * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/crypto/rsa/rsa.h b/crypto/rsa/rsa.h index 87695dafc1..7cd6d95db9 100644 --- a/crypto/rsa/rsa.h +++ b/crypto/rsa/rsa.h @@ -156,6 +156,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 +#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in + * RSA implementation now uses blinding by + * default (ignoring RSA_FLAG_BLINDING), + * but other engines might not need it + */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: @@ -168,6 +173,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 +#define RSA_FLAG_NO_BLINDING 0x80 + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 385f4561d9..4b44fb92d6 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -193,6 +193,25 @@ err: return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa->blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,9 +258,9 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); - if (rsa->flags & RSA_FLAG_BLINDING) + BLINDING_HELPER(rsa, ctx, goto err;); + + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || @@ -256,7 +275,7 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; /* put in leading 0 bytes if the number is less than the @@ -320,9 +339,9 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); - if (rsa->flags & RSA_FLAG_BLINDING) + BLINDING_HELPER(rsa, ctx, goto err;); + + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ @@ -339,7 +358,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; } - if (rsa->flags & RSA_FLAG_BLINDING) + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; p=buf; diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 94395cc22c..d157f75bb4 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -72,7 +72,9 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL; RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + + return r; } void RSA_set_default_openssl_method(RSA_METHOD *meth) @@ -304,7 +306,8 @@ void RSA_blinding_off(RSA *rsa) BN_BLINDING_free(rsa->blinding); rsa->blinding=NULL; } - rsa->flags&= ~RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_NO_BLINDING; } int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) @@ -325,14 +328,24 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx) BN_CTX_start(ctx); A = BN_CTX_get(ctx); - if (!BN_rand_range(A,rsa->n)) goto err; + if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL) + { + /* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */ + RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0); + if (!BN_pseudo_rand_range(A,rsa->n)) goto err; + } + else + { + if (!BN_rand_range(A,rsa->n)) goto err; + } if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err; if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A, rsa->e,rsa->n,ctx,rsa->_method_mod_n)) goto err; rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n); - rsa->flags|=RSA_FLAG_BLINDING; + rsa->flags |= RSA_FLAG_BLINDING; + rsa->flags &= ~RSA_FLAG_NO_BLINDING; BN_free(Ai); ret=1; err: diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index 6b414cfa5c..3f4818e888 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1425,7 +1425,7 @@ static int ssl3_get_client_key_exchange(SSL *s) if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) @@ -1441,30 +1441,28 @@ static int ssl3_get_client_key_exchange(SSL *s) (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + + /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except + * that the version number is wrong. To avoid such attacks, + * we should treat this just like any other decryption error. */ } } if (al != -1) { -#if 0 - goto f_err; -#else /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). - * But note that due to length and protocol version checking, the - * attack is impractical anyway (see section 5 in D. Bleichenbacher: - * "Chosen Ciphertext Attacks Against Protocols Based on the RSA - * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). - */ + * (see RFC 2246, section 7.4.7.1). */ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ -#endif } s->session->master_key_length= -- 2.25.1