aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChris D. Faulhaber <jedgar@FreeBSD.org>2003-03-21 16:13:07 +0000
committerChris D. Faulhaber <jedgar@FreeBSD.org>2003-03-21 16:13:07 +0000
commit07bfbcd1ccdd006a8890f604ed5c0a7b6826c76e (patch)
tree3e9183f86952f6d2e96a546326fd3d8396a6c335
parentee099ec4d665c3123ef01bb8e99667bbc597a351 (diff)
downloadsrc-07bfbcd1ccdd006a8890f604ed5c0a7b6826c76e.tar.gz
src-07bfbcd1ccdd006a8890f604ed5c0a7b6826c76e.zip
MFC: crypto/openssl/ssl/s3_srvr.c 1.1.1.11
Import of PKCS #1 security fix. http://www.openssl.org/news/secadv_20030319.txt MFC: crypto/openssl/crypto/rsa/rsa_eay.c 1.11 crypto/openssl/crypto/rsa/rsa_lib.c 1.9 Enable RSA blinding by default. http://www.openssl.org/news/secadv_20030317.txt
Notes
Notes: svn path=/releng/4.6/; revision=112466
-rw-r--r--UPDATING4
-rw-r--r--crypto/openssl/crypto/rsa/rsa_eay.c27
-rw-r--r--crypto/openssl/crypto/rsa/rsa_lib.c8
-rw-r--r--crypto/openssl/ssl/s3_srvr.c25
-rw-r--r--sys/conf/newvers.sh2
5 files changed, 47 insertions, 19 deletions
diff --git a/UPDATING b/UPDATING
index 05e39b9ee8c4..271877c8049b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,10 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20030321: p12 FreeBSD-SA-03:06.openssl
+ enable RSA blinding by default
+ fix PKCS #1 v1.5 padding vulnerability
+
20030320: p11 FreeBSD-SA-03:05.xdr
integer overflow errors in the Sun XDR library.
diff --git a/crypto/openssl/crypto/rsa/rsa_eay.c b/crypto/openssl/crypto/rsa/rsa_eay.c
index c49abe6e3eed..444111fc394e 100644
--- a/crypto/openssl/crypto/rsa/rsa_eay.c
+++ b/crypto/openssl/crypto/rsa/rsa_eay.c
@@ -190,6 +190,25 @@ err:
return(r);
}
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
/* signing */
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
@@ -234,8 +253,8 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -313,8 +332,8 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
diff --git a/crypto/openssl/crypto/rsa/rsa_lib.c b/crypto/openssl/crypto/rsa/rsa_lib.c
index 422643e9f2e8..0aeefae7db9d 100644
--- a/crypto/openssl/crypto/rsa/rsa_lib.c
+++ b/crypto/openssl/crypto/rsa/rsa_lib.c
@@ -71,7 +71,13 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
RSA *RSA_new(void)
{
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r;
}
void RSA_set_default_method(RSA_METHOD *meth)
diff --git a/crypto/openssl/ssl/s3_srvr.c b/crypto/openssl/ssl/s3_srvr.c
index 6b414cfa5c8b..88168dfcc455 100644
--- a/crypto/openssl/ssl/s3_srvr.c
+++ b/crypto/openssl/ssl/s3_srvr.c
@@ -1425,7 +1425,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
if (i != SSL_MAX_MASTER_KEY_LENGTH)
{
al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
}
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1441,30 +1441,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
{
al=SSL_AD_DECODE_ERROR;
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
- goto f_err;
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+ * (http://eprint.iacr.org/2003/052/) exploits the version
+ * number check as a "bad version oracle" -- an alert would
+ * reveal that the plaintext corresponding to some ciphertext
+ * made up by the adversary is properly formatted except
+ * that the version number is wrong. To avoid such attacks,
+ * we should treat this just like any other decryption error. */
+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
}
}
if (al != -1)
{
-#if 0
- goto f_err;
-#else
/* Some decryption failure -- use random value instead as countermeasure
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
- * (see RFC 2246, section 7.4.7.1).
- * But note that due to length and protocol version checking, the
- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
- */
+ * (see RFC 2246, section 7.4.7.1). */
ERR_clear_error();
i = SSL_MAX_MASTER_KEY_LENGTH;
p[0] = s->client_version >> 8;
p[1] = s->client_version & 0xff;
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
}
s->session->master_key_length=
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 6fd2024e53e8..5dcc956dab30 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.6.2"
-BRANCH="RELEASE-p11"
+BRANCH="RELEASE-p12"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"