author | markus <> | 2003-03-19 23:03:01 +0000 |
---|---|---|
committer | markus <> | 2003-03-19 23:03:01 +0000 |
commit | 121e69a3174716503bfd88f7116dc9853b35d1e2 (patch) | |
tree | fd5685afdf8145fbeb67949667f246bfd6e8ce35 | |
parent | 681b86ece831df81bdecaf14f664a68371ddd002 (diff) | |
Fix for Klima-Pokorny-Rosa attack on RSA in SSL/TLS, see
http://marc.theaimsgroup.com/?l=bugtraq&m=104811162730834&w=2
-rw-r--r-- | src/lib/libssl/s3_srvr.c | 25 | ||||
-rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 25 |
2 files changed, 24 insertions, 26 deletions
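--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1441,7 +1441,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 if (i != SSL_MAX_MASTER_KEY_LENGTH)
 {
 al=SSL_AD_DECODE_ERROR;
-SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
 }
 
 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1457,30 +1457,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 {
 al=SSL_AD_DECODE_ERROR;
-SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
-goto f_err;
+/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+* (http://eprint.iacr.org/2003/052/) exploits the version
+* number check as a "bad version oracle" -- an alert would
+* reveal that the plaintext corresponding to some ciphertext
+* made up by the adversary is properly formatted except
+* that the version number is wrong. To avoid such attacks,
+* we should treat this just like any other decryption error. */
+p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
 }
 }
 
 if (al != -1)
 {
-#if 0
-goto f_err;
-#else
 /* Some decryption failure -- use random value instead as countermeasure
 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-* (see RFC 2246, section 7.4.7.1).
-* But note that due to length and protocol version checking, the
-* attack is impractical anyway (see section 5 in D. Bleichenbacher:
-* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
-* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
-*/
+* (see RFC 2246, section 7.4.7.1). */
 ERR_clear_error();
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
 }
 
 s->session->master_key_length=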
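Review bot: The random pre-master secret is still produced only on the failure path — `RAND_pseudo_bytes(p+2, i-2)` runs inside `if (al != -1)` after the length and version checks — so a malformed PKCS#1 block still costs the server measurably different work than a well-formed one, even though the alert and the error queue no longer distinguish them; the RFC 2246 7.4.7.1 countermeasure is normally paired with generating the fallback bytes unconditionally before the RSA decryption (which sits above this hunk) and copying them in on any check failure, so both paths do the same work. Separately, `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";` is a dead store, since `al` is `SSL_AD_DECODE_ERROR` at that point and `p[0]` is rewritten from `s->client_version` in the `al != -1` block a few lines later; its apparent purpose is to keep the identifier string in the binary, which deserves saying explicitly, e.g. `/* no-op store: only embeds the patch marker string in the object; p[0] is overwritten below */`, and the pointer-to-int cast may warn on 64-bit targets. ssl3_get_client_key_exchange begins and ends outside this hunk.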
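--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1441,7 +1441,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 if (i != SSL_MAX_MASTER_KEY_LENGTH)
 {
 al=SSL_AD_DECODE_ERROR;
-SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
 }
 
 if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1457,30 +1457,29 @@ static int ssl3_get_client_key_exchange(SSL *s)
 (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
 {
 al=SSL_AD_DECODE_ERROR;
-SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
-goto f_err;
+/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
+
+/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+* (http://eprint.iacr.org/2003/052/) exploits the version
+* number check as a "bad version oracle" -- an alert would
+* reveal that the plaintext corresponding to some ciphertext
+* made up by the adversary is properly formatted except
+* that the version number is wrong. To avoid such attacks,
+* we should treat this just like any other decryption error. */
+p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-20";
 }
 }
 
 if (al != -1)
 {
-#if 0
-goto f_err;
-#else
 /* Some decryption failure -- use random value instead as countermeasure
 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-* (see RFC 2246, section 7.4.7.1).
-* But note that due to length and protocol version checking, the
-* attack is impractical anyway (see section 5 in D. Bleichenbacher:
-* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
-* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
-*/
+* (see RFC 2246, section 7.4.7.1). */
 ERR_clear_error();
 i = SSL_MAX_MASTER_KEY_LENGTH;
 p[0] = s->client_version >> 8;
 p[1] = s->client_version & 0xff;
 RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
 }
 
 s->session->master_key_length=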