Recent changes from 0.9.6-stable.

CHANGES

@@ -4,7 +4,23 @@
 
  Changes between 0.9.6i and 0.9.6j  [xx XXX 2003]
 
-  *) 
+  *) Countermeasure against the Klima-Pokorny-Rosa extension of
+     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+     a protocol version number mismatch like a decryption error
+     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+     [Bodo Moeller]
+
+  *) Turn on RSA blinding by default in the default implementation
+     to avoid a timing attack. Applications that don't want it can call
+     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+     They would be ill-advised to do so in most cases.
+     [Ben Laurie, Steve Henson, Geoff Thorpe]
+
+  *) Change RSA blinding code so that it works when the PRNG is not
+     seeded (in this case, the secret RSA exponent is abused as
+     an unpredictable seed -- if it is not unpredictable, there
+     is no point in blinding anyway).
+     [Bodo Moeller]
 
  Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
 

FAQ

@@ -674,6 +674,7 @@ The general answer is to check the config.log file generated when running
 the OpenSSH configure script. It should contain the detailed information
 on why the OpenSSL library was not detected or considered incompatible.
 
+
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 
 Yes; make sure to read the SSL_get_error(3) manual page!

LICENSE

@@ -12,7 +12,7 @@
   ---------------
 
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions

crypto/rsa/rsa.h

@@ -156,6 +156,11 @@ struct rsa_st
 #define RSA_FLAG_CACHE_PUBLIC		0x02
 #define RSA_FLAG_CACHE_PRIVATE		0x04
 #define RSA_FLAG_BLINDING		0x08
+#define RSA_FLAG_NO_BLINDING		0x80 /* new with 0.9.6j and 0.9.7b; the built-in
+                                              * RSA implementation now uses blinding by
+                                              * default (ignoring RSA_FLAG_BLINDING),
+                                              * but other engines might not need it
+                                              */
 #define RSA_FLAG_THREAD_SAFE		0x10
 /* This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
@@ -168,6 +173,8 @@ struct rsa_st
  */
 #define RSA_FLAG_SIGN_VER		0x40
 
+#define RSA_FLAG_NO_BLINDING		0x80
+
 #define RSA_PKCS1_PADDING	1
 #define RSA_SSLV23_PADDING	2
 #define RSA_NO_PADDING		3

crypto/rsa/rsa_eay.c

@@ -193,6 +193,25 @@ err:
 	return(r);
 	}
 
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+	{
+	int ret = 1;
+	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+	/* Check again inside the lock - the macro's check is racey */
+	if(rsa->blinding == NULL)
+		ret = RSA_blinding_on(rsa, ctx);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+	return ret;
+	}
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+	do { \
+		if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
+		    ((rsa)->blinding == NULL) && \
+		    !rsa_eay_blinding(rsa, ctx)) \
+			err_instr \
+	} while(0)
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
@@ -239,9 +258,9 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 		goto err;
 		}
 
-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+	BLINDING_HELPER(rsa, ctx, goto err;);
-		RSA_blinding_on(rsa,ctx);
+
-	if (rsa->flags & RSA_FLAG_BLINDING)
+	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
 	if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -256,7 +275,7 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
 		if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
 		}
 
-	if (rsa->flags & RSA_FLAG_BLINDING)
+	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
 		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
 
 	/* put in leading 0 bytes if the number is less than the
@@ -320,9 +339,9 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
 		goto err;
 		}
 
-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+	BLINDING_HELPER(rsa, ctx, goto err;);
-		RSA_blinding_on(rsa,ctx);
+
-	if (rsa->flags & RSA_FLAG_BLINDING)
+	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
 
 	/* do the decrypt */
@@ -339,7 +358,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
 			goto err;
 		}
 
-	if (rsa->flags & RSA_FLAG_BLINDING)
+	if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
 		if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
 
 	p=buf;

crypto/rsa/rsa_lib.c

@@ -72,7 +72,9 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
 
 RSA *RSA_new(void)
 	{
-	return(RSA_new_method(NULL));
+	RSA *r=RSA_new_method(NULL);
+
+	return r;
 	}
 
 void RSA_set_default_openssl_method(RSA_METHOD *meth)
@@ -304,7 +306,8 @@ void RSA_blinding_off(RSA *rsa)
 		BN_BLINDING_free(rsa->blinding);
 		rsa->blinding=NULL;
 		}
-	rsa->flags&= ~RSA_FLAG_BLINDING;
+	rsa->flags &= ~RSA_FLAG_BLINDING;
+	rsa->flags |= RSA_FLAG_NO_BLINDING;
 	}
 
 int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
@@ -325,14 +328,24 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
 
 	BN_CTX_start(ctx);
 	A = BN_CTX_get(ctx);
-	if (!BN_rand_range(A,rsa->n)) goto err;
+	if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
+		{
+		/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
+		RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
+		if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
+		}
+	else
+		{
+		if (!BN_rand_range(A,rsa->n)) goto err;
+		}
 	if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
 
 	if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A,
 		rsa->e,rsa->n,ctx,rsa->_method_mod_n))
 	    goto err;
 	rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
-	rsa->flags|=RSA_FLAG_BLINDING;
+	rsa->flags |= RSA_FLAG_BLINDING;
+	rsa->flags &= ~RSA_FLAG_NO_BLINDING;
 	BN_free(Ai);
 	ret=1;
 err:

ssl/s3_srvr.c

@@ -1425,7 +1425,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		if (i != SSL_MAX_MASTER_KEY_LENGTH)
 			{
 			al=SSL_AD_DECODE_ERROR;
-			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+			/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
 			}
 
 		if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1441,30 +1441,28 @@ static int ssl3_get_client_key_exchange(SSL *s)
 				(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 				{
 				al=SSL_AD_DECODE_ERROR;
-				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+				/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-				goto f_err;
+
+				/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+				 * (http://eprint.iacr.org/2003/052/) exploits the version
+				 * number check as a "bad version oracle" -- an alert would
+				 * reveal that the plaintext corresponding to some ciphertext
+				 * made up by the adversary is properly formatted except
+				 * that the version number is wrong.  To avoid such attacks,
+				 * we should treat this just like any other decryption error. */
 				}
 			}
 
 		if (al != -1)
 			{
-#if 0
-			goto f_err;
-#else
 			/* Some decryption failure -- use random value instead as countermeasure
 			 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-			 * (see RFC 2246, section 7.4.7.1).
+			 * (see RFC 2246, section 7.4.7.1). */
-			 * But note that due to length and protocol version checking, the
-			 * attack is impractical anyway (see section 5 in D. Bleichenbacher:
-			 * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
-			 * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
-			 */
 			ERR_clear_error();
 			i = SSL_MAX_MASTER_KEY_LENGTH;
 			p[0] = s->client_version >> 8;
 			p[1] = s->client_version & 0xff;
 			RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
 			}
 	
 		s->session->master_key_length=