summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authormiod <>2003-03-19 23:25:41 +0000
committermiod <>2003-03-19 23:25:41 +0000
commit64e4102ac6144c763a33eac43888cd0eb7e96d05 (patch)
tree0c71e0879742b2f9b1908f436b695de162f1bda7
parent3ca583df3c5813f2054dd9b42ad879000865c88d (diff)
downloadopenbsd-64e4102ac6144c763a33eac43888cd0eb7e96d05.tar.gz
openbsd-64e4102ac6144c763a33eac43888cd0eb7e96d05.tar.bz2
openbsd-64e4102ac6144c763a33eac43888cd0eb7e96d05.zip
Errata #025 (markus):
Fix for Klima-Pokorny-Rosa attack on RSA in SSL/TLS
-rw-r--r--src/lib/libssl/src/ssl/s3_srvr.c26
1 files changed, 12 insertions, 14 deletions
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 20a6f5cd3f..20a014919a 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -69,7 +69,6 @@
69#include <openssl/evp.h> 69#include <openssl/evp.h>
70#include <openssl/x509.h> 70#include <openssl/x509.h>
71#include "ssl_locl.h" 71#include "ssl_locl.h"
72#include "ssl_locl.h"
73 72
74static SSL_METHOD *ssl3_get_server_method(int ver); 73static SSL_METHOD *ssl3_get_server_method(int ver);
75static int ssl3_get_client_hello(SSL *s); 74static int ssl3_get_client_hello(SSL *s);
@@ -1329,7 +1328,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1329 if (i != SSL_MAX_MASTER_KEY_LENGTH) 1328 if (i != SSL_MAX_MASTER_KEY_LENGTH)
1330 { 1329 {
1331 al=SSL_AD_DECODE_ERROR; 1330 al=SSL_AD_DECODE_ERROR;
1332 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); 1331 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
1333 } 1332 }
1334 1333
1335 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 1334 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1345,30 +1344,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
1345 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) 1344 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
1346 { 1345 {
1347 al=SSL_AD_DECODE_ERROR; 1346 al=SSL_AD_DECODE_ERROR;
1348 SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); 1347 /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1349 goto f_err; 1348
1349 /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
1350 * (http://eprint.iacr.org/2003/052/) exploits the version
1351 * number check as a "bad version oracle" -- an alert would
1352 * reveal that the plaintext corresponding to some ciphertext
1353 * made up by the adversary is properly formatted except
1354 * that the version number is wrong. To avoid such attacks,
1355 * we should treat this just like any other decryption error. */
1356 p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
1350 } 1357 }
1351 } 1358 }
1352 1359
1353 if (al != -1) 1360 if (al != -1)
1354 { 1361 {
1355#if 0
1356 goto f_err;
1357#else
1358 /* Some decryption failure -- use random value instead as countermeasure 1362 /* Some decryption failure -- use random value instead as countermeasure
1359 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding 1363 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
1360 * (see RFC 2246, section 7.4.7.1). 1364 * (see RFC 2246, section 7.4.7.1). */
1361 * But note that due to length and protocol version checking, the
1362 * attack is impractical anyway (see section 5 in D. Bleichenbacher:
1363 * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
1364 * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
1365 */
1366 ERR_clear_error(); 1365 ERR_clear_error();
1367 i = SSL_MAX_MASTER_KEY_LENGTH; 1366 i = SSL_MAX_MASTER_KEY_LENGTH;
1368 p[0] = s->client_version >> 8; 1367 p[0] = s->client_version >> 8;
1369 p[1] = s->client_version & 0xff; 1368 p[1] = s->client_version & 0xff;
1370 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ 1369 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
1371#endif
1372 } 1370 }
1373 1371
1374 s->session->master_key_length= 1372 s->session->master_key_length=