author | miod <> | 2003-03-19 23:25:41 +0000 |
committer | miod <> | 2003-03-19 23:25:41 +0000 |
commit | 64e4102ac6144c763a33eac43888cd0eb7e96d05 (patch) | |
tree | 0c71e0879742b2f9b1908f436b695de162f1bda7 | |
parent | 3ca583df3c5813f2054dd9b42ad879000865c88d (diff) | |
Errata #025 (markus):
Fix for Klima-Pokorny-Rosa attack on RSA in SSL/TLS
-rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 26 |
1 files changed, 12 insertions, 14 deletions
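--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -69,7 +69,6 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include "ssl_locl.h"
-#include "ssl_locl.h"
 
 static SSL_METHOD *ssl3_get_server_method(int ver);
 static int ssl3_get_client_hello(SSL *s);
@@ -1329,7 +1328,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 if (i != SSL_MAX_MASTER_KEY_LENGTH)
 {
 al=SSL_AD_DECODE_ERROR;
-SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
 }
 
 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1345,30 +1344,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 {
 al=SSL_AD_DECODE_ERROR;
-SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
-goto f_err;
+/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+* (http://eprint.iacr.org/2003/052/) exploits the version
+* number check as a "bad version oracle" -- an alert would
+* reveal that the plaintext corresponding to some ciphertext
+* made up by the adversary is properly formatted except
+* that the version number is wrong. To avoid such attacks,
+* we should treat this just like any other decryption error. */
+p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
 }
 }
 
 if (al != -1)
 {
-#if 0
-goto f_err;
-#else
 /* Some decryption failure -- use random value instead as countermeasure
 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-* (see RFC 2246, section 7.4.7.1).
-* But note that due to length and protocol version checking, the
-* attack is impractical anyway (see section 5 in D. Bleichenbacher:
-* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
-* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
-*/
+* (see RFC 2246, section 7.4.7.1). */
 ERR_clear_error();
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
 }
 
 s->session->master_key_length=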
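Review bot: `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";` at new line 1356 is a dead store — the `al != -1` block a few lines below rewrites `p[0]` from `s->client_version` — and casting a pointer through `int` truncates on LP64 targets and draws compiler warnings, so if the intent is to leave a patch marker in the binary, the compiler is equally free to drop both the store and the literal. A one-line comment stating the intent, e.g. `/* deliberate no-op: marks this build as carrying the CAN-2003-0131 fix; p[0] is rewritten below */`, or an explicit `static const char` marker, would make the purpose visible to the next reader. The commented-out `SSLerr(..., SSL_R_BAD_RSA_DECRYPT)` in the `i != SSL_MAX_MASTER_KEY_LENGTH` branch of the second hunk is left without a rationale, unlike the version-check one; either delete the dead line or add a comment saying the error is withheld on purpose (presumably so the queue stays clean when the handshake continues with the substituted master secret, which `ERR_clear_error()` below already ensures — confirm). ssl3_get_client_key_exchange begins and ends outside the hunks.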