countermeasure against new Klima-Pokorny-Rosa attack

This commit is contained in:
Bodo Möller 2003-03-19 19:19:53 +00:00
parent 9ed1fa4813
commit 02da5bcd83
2 changed files with 22 additions and 13 deletions

CHANGES

@ -460,6 +460,16 @@
Changes between 0.9.7a and 0.9.7b [xx XXX 2003] Changes between 0.9.7a and 0.9.7b [xx XXX 2003]
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
yet to be integrated into this CVS branch:
- RSA blinding changes
- Geoff's ENGINE_set_default() fix
*) Target "mingw" now allows native Windows code to be generated in *) Target "mingw" now allows native Windows code to be generated in
the Cygwin environment as well as with the MinGW compiler. the Cygwin environment as well as with the MinGW compiler.
[Ulf Moeller] [Ulf Moeller]
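Review bot: The attack name is misspelled in the new entry ("Bleichbacher's attack on PKCS #1 v1.5 padding"); it should read "Bleichenbacher's", matching the spelling in the s3_srvr.c comment this change adds and in the CRYPTO '98 citation it removes. The "yet to be integrated into this CVS branch" lines (RSA blinding changes, Geoff's ENGINE_set_default() fix) read as a maintainer's to-do list rather than a release note; either keep them out of CHANGES or mark them so they are not shipped verbatim in the 0.9.7b entry.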

ssl/s3_srvr.c

@ -1684,7 +1684,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
if (i != SSL_MAX_MASTER_KEY_LENGTH) if (i != SSL_MAX_MASTER_KEY_LENGTH)
{ {
al=SSL_AD_DECODE_ERROR; al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
} }
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
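Review bot: Commenting out the SSLerr() call after `al=SSL_AD_DECODE_ERROR;` leaves dead code with no explanation; either delete the line or add a one-line comment saying why no error is queued here (the length failure is deliberately handled by substituting a random premaster secret instead of being reported, and ERR_clear_error() runs on that path anyway). A reader who finds `/* SSLerr(...); */` will assume it was disabled by accident and put it back.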
@ -1700,30 +1700,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
{ {
al=SSL_AD_DECODE_ERROR; al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
goto f_err;
/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
* (http://eprint.iacr.org/2003/052/) exploits the version
* number check as a "bad version oracle" -- an alert would
* reveal that the plaintext corresponding to some ciphertext
* made up by the adversary is properly formatted except
* that the version number is wrong. To avoid such attacks,
* we should treat this just like any other decryption error. */
p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
} }
} }
if (al != -1) if (al != -1)
{ {
#if 0
goto f_err;
#else
/* Some decryption failure -- use random value instead as countermeasure /* Some decryption failure -- use random value instead as countermeasure
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
* (see RFC 2246, section 7.4.7.1). * (see RFC 2246, section 7.4.7.1). */
* But note that due to length and protocol version checking, the
* attack is impractical anyway (see section 5 in D. Bleichenbacher:
* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
*/
ERR_clear_error(); ERR_clear_error();
i = SSL_MAX_MASTER_KEY_LENGTH; i = SSL_MAX_MASTER_KEY_LENGTH;
p[0] = s->client_version >> 8; p[0] = s->client_version >> 8;
p[1] = s->client_version & 0xff; p[1] = s->client_version & 0xff;
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
#endif
} }
s->session->master_key_length= s->session->master_key_length=
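Review bot: The line `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";` needs a comment stating its purpose. It casts a string literal's address to int and then to char, which is implementation-defined, truncates the pointer on 64-bit targets and will draw compiler warnings; the value it stores is overwritten a few lines later by `p[0] = s->client_version >> 8;` in the `al != -1` block, so the only lasting effect is to keep the patch-identifier string in the binary. Say that explicitly, or embed the string in a way that does not look like a stray write into the premaster buffer. Separately, the `#if 0` / `goto f_err;` / `#else` ... `#endif` construct keeps the old alert path as selectable dead code next to a second commented-out SSLerr(); since the point of the change is that a version mismatch must never be reported differently from any other decryption error, delete the disabled branch rather than leave it for someone to re-enable. Dropping the removed comment that called the attack "impractical anyway" because of length and version checking is correct, since the KPR paper cited in the new comment shows the version check itself is the oracle.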