diff options
| author | tedu <> | 2014-12-29 16:12:59 +0000 |
|---|---|---|
| committer | tedu <> | 2014-12-29 16:12:59 +0000 |
| commit | 91106b4c90b48b9064630173be7bc0822d7c8043 (patch) | |
| tree | a2c18c6c3329f18637e0be843cec170757390714 | |
| parent | 44a4c9b1a7df6686d39c7a10ac9bc7b96226ab2e (diff) | |
| download | openbsd-91106b4c90b48b9064630173be7bc0822d7c8043.tar.gz openbsd-91106b4c90b48b9064630173be7bc0822d7c8043.tar.bz2 openbsd-91106b4c90b48b9064630173be7bc0822d7c8043.zip | |
don't leak timing info about padding errors by generating a fake key
afterwards. openssl has a more complicated fix, but it's less intrusive
for now to simply hoist the expensive part (fake key generation) up without
sweating a branch or two.
ok bcook jsing
| -rw-r--r-- | src/lib/libssl/s3_srvr.c | 15 | ||||
| -rw-r--r-- | src/lib/libssl/src/ssl/s3_srvr.c | 15 |
2 files changed, 20 insertions, 10 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 5e4a605c60..fd8f9aabab 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.95 2014/12/15 00:46:53 doug Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.96 2014/12/29 16:12:59 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1822,6 +1822,12 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1822 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 1822 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 1823 | 1823 | ||
| 1824 | if (alg_k & SSL_kRSA) { | 1824 | if (alg_k & SSL_kRSA) { |
| 1825 | char fakekey[SSL_MAX_MASTER_KEY_LENGTH]; | ||
| 1826 | |||
| 1827 | arc4random_buf(fakekey, sizeof(fakekey)); | ||
| 1828 | fakekey[0] = s->client_version >> 8; | ||
| 1829 | fakekey[1] = s->client_version & 0xff; | ||
| 1830 | |||
| 1825 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; | 1831 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; |
| 1826 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || | 1832 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || |
| 1827 | (pkey->pkey.rsa == NULL)) { | 1833 | (pkey->pkey.rsa == NULL)) { |
| @@ -1851,6 +1857,8 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1851 | 1857 | ||
| 1852 | i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); | 1858 | i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); |
| 1853 | 1859 | ||
| 1860 | ERR_clear_error(); | ||
| 1861 | |||
| 1854 | al = -1; | 1862 | al = -1; |
| 1855 | 1863 | ||
| 1856 | if (i != SSL_MAX_MASTER_KEY_LENGTH) { | 1864 | if (i != SSL_MAX_MASTER_KEY_LENGTH) { |
| @@ -1902,11 +1910,8 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1902 | * on PKCS #1 v1.5 RSA padding (see RFC 2246, | 1910 | * on PKCS #1 v1.5 RSA padding (see RFC 2246, |
| 1903 | * section 7.4.7.1). | 1911 | * section 7.4.7.1). |
| 1904 | */ | 1912 | */ |
| 1905 | ERR_clear_error(); | ||
| 1906 | i = SSL_MAX_MASTER_KEY_LENGTH; | 1913 | i = SSL_MAX_MASTER_KEY_LENGTH; |
| 1907 | p[0] = s->client_version >> 8; | 1914 | p = fakekey; |
| 1908 | p[1] = s->client_version & 0xff; | ||
| 1909 | arc4random_buf(p + 2, i - 2); | ||
| 1910 | } | 1915 | } |
| 1911 | 1916 | ||
| 1912 | s->session->master_key_length = | 1917 | s->session->master_key_length = |
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c index 5e4a605c60..fd8f9aabab 100644 --- a/src/lib/libssl/src/ssl/s3_srvr.c +++ b/src/lib/libssl/src/ssl/s3_srvr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_srvr.c,v 1.95 2014/12/15 00:46:53 doug Exp $ */ | 1 | /* $OpenBSD: s3_srvr.c,v 1.96 2014/12/29 16:12:59 tedu Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1822,6 +1822,12 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1822 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; | 1822 | alg_k = s->s3->tmp.new_cipher->algorithm_mkey; |
| 1823 | 1823 | ||
| 1824 | if (alg_k & SSL_kRSA) { | 1824 | if (alg_k & SSL_kRSA) { |
| 1825 | char fakekey[SSL_MAX_MASTER_KEY_LENGTH]; | ||
| 1826 | |||
| 1827 | arc4random_buf(fakekey, sizeof(fakekey)); | ||
| 1828 | fakekey[0] = s->client_version >> 8; | ||
| 1829 | fakekey[1] = s->client_version & 0xff; | ||
| 1830 | |||
| 1825 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; | 1831 | pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; |
| 1826 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || | 1832 | if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || |
| 1827 | (pkey->pkey.rsa == NULL)) { | 1833 | (pkey->pkey.rsa == NULL)) { |
| @@ -1851,6 +1857,8 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1851 | 1857 | ||
| 1852 | i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); | 1858 | i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); |
| 1853 | 1859 | ||
| 1860 | ERR_clear_error(); | ||
| 1861 | |||
| 1854 | al = -1; | 1862 | al = -1; |
| 1855 | 1863 | ||
| 1856 | if (i != SSL_MAX_MASTER_KEY_LENGTH) { | 1864 | if (i != SSL_MAX_MASTER_KEY_LENGTH) { |
| @@ -1902,11 +1910,8 @@ ssl3_get_client_key_exchange(SSL *s) | |||
| 1902 | * on PKCS #1 v1.5 RSA padding (see RFC 2246, | 1910 | * on PKCS #1 v1.5 RSA padding (see RFC 2246, |
| 1903 | * section 7.4.7.1). | 1911 | * section 7.4.7.1). |
| 1904 | */ | 1912 | */ |
| 1905 | ERR_clear_error(); | ||
| 1906 | i = SSL_MAX_MASTER_KEY_LENGTH; | 1913 | i = SSL_MAX_MASTER_KEY_LENGTH; |
| 1907 | p[0] = s->client_version >> 8; | 1914 | p = fakekey; |
| 1908 | p[1] = s->client_version & 0xff; | ||
| 1909 | arc4random_buf(p + 2, i - 2); | ||
| 1910 | } | 1915 | } |
| 1911 | 1916 | ||
| 1912 | s->session->master_key_length = | 1917 | s->session->master_key_length = |