Blinding fix.
This commit is contained in:
Ben Laurie
6
CHANGES
6
CHANGES
@@ -10,6 +10,12 @@
|
|||||||
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
|
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
|
||||||
[Bodo Moeller]
|
[Bodo Moeller]
|
||||||
|
|
||||||
|
*) Turn on RSA blinding by default, to avoid a timing attack. Applications
|
||||||
|
that don't want it can call RSA_blinding_off(). They would be ill-advised
|
||||||
|
to do so in most cases. The automatic enabling can also be turned off
|
||||||
|
by defining OPENSSL_FORCE_NO_RSA_BLINDING at compile-time.
|
||||||
|
[Ben Laurie, Steve Henson, Geoff Thorpe]
|
||||||
|
|
||||||
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
|
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]
|
||||||
|
|
||||||
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
|
*) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
|
||||||
|
|||||||
@@ -190,6 +190,25 @@ err:
|
|||||||
return(r);
|
return(r);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
|
||||||
|
/* Check again inside the lock - the macro's check is racey */
|
||||||
|
if(rsa->blinding == NULL)
|
||||||
|
ret = RSA_blinding_on(rsa, ctx);
|
||||||
|
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
#define BLINDING_HELPER(rsa, ctx, err_instr) \
|
||||||
|
do { \
|
||||||
|
if(((rsa)->flags & RSA_FLAG_BLINDING) && \
|
||||||
|
((rsa)->blinding == NULL) && \
|
||||||
|
!rsa_eay_blinding(rsa, ctx)) \
|
||||||
|
err_instr \
|
||||||
|
} while(0)
|
||||||
|
|
||||||
/* signing */
|
/* signing */
|
||||||
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
|
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
|
||||||
unsigned char *to, RSA *rsa, int padding)
|
unsigned char *to, RSA *rsa, int padding)
|
||||||
@@ -234,8 +253,8 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
BLINDING_HELPER(rsa, ctx, goto err;);
|
||||||
RSA_blinding_on(rsa,ctx);
|
|
||||||
if (rsa->flags & RSA_FLAG_BLINDING)
|
if (rsa->flags & RSA_FLAG_BLINDING)
|
||||||
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
||||||
|
|
||||||
@@ -313,8 +332,8 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
|
|||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
BLINDING_HELPER(rsa, ctx, goto err;);
|
||||||
RSA_blinding_on(rsa,ctx);
|
|
||||||
if (rsa->flags & RSA_FLAG_BLINDING)
|
if (rsa->flags & RSA_FLAG_BLINDING)
|
||||||
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
||||||
|
|
||||||
|
|||||||
@@ -71,7 +71,13 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
|
|||||||
|
|
||||||
RSA *RSA_new(void)
|
RSA *RSA_new(void)
|
||||||
{
|
{
|
||||||
return(RSA_new_method(NULL));
|
RSA *r=RSA_new_method(NULL);
|
||||||
|
|
||||||
|
#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
|
||||||
|
r->flags|=RSA_FLAG_BLINDING;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return r;
|
||||||
}
|
}
|
||||||
|
|
||||||
void RSA_set_default_method(RSA_METHOD *meth)
|
void RSA_set_default_method(RSA_METHOD *meth)
|
||||||
|
|||||||
Reference in New Issue
Block a user