generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Recent changes from 0.9.6-stable.

Browse Source
This commit is contained in:
Richard Levitte
2003-03-25 01:26:54 +00:00
parent 4ff15ba5e9
commit 8aac6ad0f2
7 changed files with 81 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
CHANGES
View File

@@ -4,7 +4,23 @@
Changes between 0.9.6i and 0.9.6j [xx XXX 2003]
*)
*) Countermeasure against the Klima-Pokorny-Rosa extension of
Bleichbacher's attack on PKCS #1 v1.5 padding: treat
a protocol version number mismatch like a decryption error
in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
[Bodo Moeller]
*) Turn on RSA blinding by default in the default implementation
to avoid a timing attack. Applications that don't want it can call
RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
They would be ill-advised to do so in most cases.
[Ben Laurie, Steve Henson, Geoff Thorpe]
*) Change RSA blinding code so that it works when the PRNG is not
seeded (in this case, the secret RSA exponent is abused as
an unpredictable seed -- if it is not unpredictable, there
is no point in blinding anyway).
[Bodo Moeller]
Changes between 0.9.6h and 0.9.6i [19 Feb 2003]

1
FAQ
View File

@@ -674,6 +674,7 @@ The general answer is to check the config.log file generated when running
the OpenSSH configure script. It should contain the detailed information
on why the OpenSSL library was not detected or considered incompatible.
* Can I use OpenSSL's SSL library with non-blocking I/O?
Yes; make sure to read the SSL_get_error(3) manual page!

2
LICENSE
View File

@@ -12,7 +12,7 @@
---------------
/* ====================================================================
* Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
* Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

7
crypto/rsa/rsa.h
View File

@@ -156,6 +156,11 @@ struct rsa_st
#define RSA_FLAG_CACHE_PUBLIC 0x02
#define RSA_FLAG_CACHE_PRIVATE 0x04
#define RSA_FLAG_BLINDING 0x08
#define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in
* RSA implementation now uses blinding by
* default (ignoring RSA_FLAG_BLINDING),
* but other engines might not need it
*/
#define RSA_FLAG_THREAD_SAFE 0x10
/* This flag means the private key operations will be handled by rsa_mod_exp
* and that they do not depend on the private key components being present:
@@ -168,6 +173,8 @@ struct rsa_st
*/
#define RSA_FLAG_SIGN_VER 0x40
#define RSA_FLAG_NO_BLINDING 0x80
#define RSA_PKCS1_PADDING 1
#define RSA_SSLV23_PADDING 2
#define RSA_NO_PADDING 3

35
crypto/rsa/rsa_eay.c
View File

@@ -193,6 +193,25 @@ err:
return(r);
}
static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
{
int ret = 1;
CRYPTO_w_lock(CRYPTO_LOCK_RSA);
/* Check again inside the lock - the macro's check is racey */
if(rsa->blinding == NULL)
ret = RSA_blinding_on(rsa, ctx);
CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
return ret;
}
#define BLINDING_HELPER(rsa, ctx, err_instr) \
do { \
if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \
((rsa)->blinding == NULL) && \
!rsa_eay_blinding(rsa, ctx)) \
err_instr \
} while(0)
/* signing */
static int RSA_eay_private_encrypt(int flen, unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
@@ -239,9 +258,9 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
goto err;
}
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
RSA_blinding_on(rsa,ctx);
if (rsa->flags & RSA_FLAG_BLINDING)
BLINDING_HELPER(rsa, ctx, goto err;);
if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
if ( (rsa->flags & RSA_FLAG_EXT_PKEY) ||
@@ -256,7 +275,7 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err;
}
if (rsa->flags & RSA_FLAG_BLINDING)
if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
/* put in leading 0 bytes if the number is less than the
@@ -320,9 +339,9 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
goto err;
}
if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
RSA_blinding_on(rsa,ctx);
if (rsa->flags & RSA_FLAG_BLINDING)
BLINDING_HELPER(rsa, ctx, goto err;);
if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
/* do the decrypt */
@@ -339,7 +358,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from,
goto err;
}
if (rsa->flags & RSA_FLAG_BLINDING)
if (!(rsa->flags & RSA_FLAG_NO_BLINDING))
if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err;
p=buf;

15
crypto/rsa/rsa_lib.c
View File

@@ -72,7 +72,9 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
RSA *RSA_new(void)
{
return(RSA_new_method(NULL));
RSA *r=RSA_new_method(NULL);
return r;
}
void RSA_set_default_openssl_method(RSA_METHOD *meth)
@@ -305,6 +307,7 @@ void RSA_blinding_off(RSA *rsa)
rsa->blinding=NULL;
}
rsa->flags &= ~RSA_FLAG_BLINDING;
rsa->flags |= RSA_FLAG_NO_BLINDING;
}
int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
@@ -325,7 +328,16 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
if ((RAND_status() == 0) && rsa->d != NULL && rsa->d->d != NULL)
{
/* if PRNG is not properly seeded, resort to secret exponent as unpredictable seed */
RAND_add(rsa->d->d, rsa->d->dmax * sizeof rsa->d->d[0], 0);
if (!BN_pseudo_rand_range(A,rsa->n)) goto err;
}
else
{
if (!BN_rand_range(A,rsa->n)) goto err;
}
if ((Ai=BN_mod_inverse(NULL,A,rsa->n,ctx)) == NULL) goto err;
if (!ENGINE_get_RSA(rsa->engine)->bn_mod_exp(A,A,
@@ -333,6 +345,7 @@ int RSA_blinding_on(RSA *rsa, BN_CTX *p_ctx)
goto err;
rsa->blinding=BN_BLINDING_new(A,Ai,rsa->n);
rsa->flags |= RSA_FLAG_BLINDING;
rsa->flags &= ~RSA_FLAG_NO_BLINDING;
BN_free(Ai);
ret=1;
err:

24
ssl/s3_srvr.c
View File

@@ -1425,7 +1425,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
if (i != SSL_MAX_MASTER_KEY_LENGTH)
{
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
}
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1441,30 +1441,28 @@ static int ssl3_get_client_key_exchange(SSL *s)
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
{
al=SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
goto f_err;
/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
* (http://eprint.iacr.org/2003/052/) exploits the version
* number check as a "bad version oracle" -- an alert would
* reveal that the plaintext corresponding to some ciphertext
* made up by the adversary is properly formatted except
* that the version number is wrong. To avoid such attacks,
* we should treat this just like any other decryption error. */
}
}
if (al != -1)
{
#if 0
goto f_err;
#else
/* Some decryption failure -- use random value instead as countermeasure
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
* (see RFC 2246, section 7.4.7.1).
* But note that due to length and protocol version checking, the
* attack is impractical anyway (see section 5 in D. Bleichenbacher:
* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
*/
* (see RFC 2246, section 7.4.7.1). */
ERR_clear_error();
i = SSL_MAX_MASTER_KEY_LENGTH;
p[0] = s->client_version >> 8;
p[1] = s->client_version & 0xff;
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
#endif
}
s->session->master_key_length=