1 files changed, 29 insertions, 24 deletions
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 20d716fb1b..58cf774967 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -152,11 +152,18 @@ SSL_METHOD *SSLv3_server_method(void)
        if (init)
                {
-                memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
-                        sizeof(SSL_METHOD));
-                SSLv3_server_data.ssl_accept=ssl3_accept;
+                if (init)
-                SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+                        {
-                init=0;
+                        memcpy((char *)&SSLv3_server_data,(char *)sslv3_base_method(),
+                                sizeof(SSL_METHOD));
+                        SSLv3_server_data.ssl_accept=ssl3_accept;
+                        SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
+                        init=0;
+                        }
+                        
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
                }
        return(&SSLv3_server_data);
        }
@@ -1171,7 +1178,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
                        kn=0;
                        }
-                if (!BUF_MEM_grow(buf,n+4+kn))
+                if (!BUF_MEM_grow_clean(buf,n+4+kn))
                        {
                        SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
                        goto err;
@@ -1298,7 +1305,7 @@ static int ssl3_send_certificate_request(SSL *s)
                                {
                                name=sk_X509_NAME_value(sk,i);
                                j=i2d_X509_NAME(name,NULL);
-                                if (!BUF_MEM_grow(buf,4+n+j+2))
+                                if (!BUF_MEM_grow_clean(buf,4+n+j+2))
                                        {
                                        SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
                                        goto err;
@@ -1440,7 +1447,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                if (i != SSL_MAX_MASTER_KEY_LENGTH)
                        {
                        al=SSL_AD_DECODE_ERROR;
-                        SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
+                        /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
                        }
                if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1456,37 +1463,35 @@ static int ssl3_get_client_key_exchange(SSL *s)
                                (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
                                {
                                al=SSL_AD_DECODE_ERROR;
-                                SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+                                /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
-                                goto f_err;
+                                /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
+                                 * (http://eprint.iacr.org/2003/052/) exploits the version
+                                 * number check as a "bad version oracle" -- an alert would
+                                 * reveal that the plaintext corresponding to some ciphertext
+                                 * made up by the adversary is properly formatted except
+                                 * that the version number is wrong.  To avoid such attacks,
+                                 * we should treat this just like any other decryption error. */
                                }
                        }
                if (al != -1)
                        {
-#if 0
-                        goto f_err;
-#else
                        /* Some decryption failure -- use random value instead as countermeasure
                         * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
-                         * (see RFC 2246, section 7.4.7.1).
+                         * (see RFC 2246, section 7.4.7.1). */
-                         * But note that due to length and protocol version checking, the
-                         * attack is impractical anyway (see section 5 in D. Bleichenbacher:
-                         * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
-                         * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
-                         */
                        ERR_clear_error();
                        i = SSL_MAX_MASTER_KEY_LENGTH;
                        p[0] = s->client_version >> 8;
                        p[1] = s->client_version & 0xff;
                        RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
-#endif
                        }
        
                s->session->master_key_length=
                        s->method->ssl3_enc->generate_master_secret(s,
                                s->session->master_key,
                                p,i);
-                memset(p,0,i);
+                OPENSSL_cleanse(p,i);
                }
        else
 #endif
@@ -1549,7 +1554,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                s->session->master_key_length=
                        s->method->ssl3_enc->generate_master_secret(s,
                                s->session->master_key,p,i);
-                memset(p,0,i);
+                OPENSSL_cleanse(p,i);
                }
        else
 #endif
@@ -1652,7 +1657,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
                if (enc == NULL)
                    goto err;
-                memset(iv, 0, EVP_MAX_IV_LENGTH);       /* per RFC 1510 */
+                memset(iv, 0, sizeof iv);       /* per RFC 1510 */
                if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
                        {
@@ -1740,7 +1745,7 @@ static int ssl3_get_cert_verify(SSL *s)
                SSL3_ST_SR_CERT_VRFY_A,
                SSL3_ST_SR_CERT_VRFY_B,
                -1,
-                512, /* 512? */
+                514, /* 514? */
                &ok);
        if (!ok) return((int)n);

diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c index 20d716fb1b..58cf774967 100644 --- a/src/lib/libssl/s3_srvr.c +++ b/src/lib/libssl/s3_srvr.c
@@ -152,11 +152,18 @@ SSL_METHOD *SSLv3_server_method(void)
152		152
153	if (init)	153	if (init)
154	{	154	{
155	memcpy((char )&SSLv3_server_data,(char )sslv3_base_method(),	155	CRYPTO_w_lock(CRYPTO_LOCK_SSL_METHOD);
156	sizeof(SSL_METHOD));	156
157	SSLv3_server_data.ssl_accept=ssl3_accept;	157	if (init)
158	SSLv3_server_data.get_ssl_method=ssl3_get_server_method;	158	{
159	init=0;	159	memcpy((char )&SSLv3_server_data,(char )sslv3_base_method(),
		160	sizeof(SSL_METHOD));
		161	SSLv3_server_data.ssl_accept=ssl3_accept;
		162	SSLv3_server_data.get_ssl_method=ssl3_get_server_method;
		163	init=0;
		164	}
		165
		166	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_METHOD);
160	}	167	}
161	return(&SSLv3_server_data);	168	return(&SSLv3_server_data);
162	}	169	}
@@ -1171,7 +1178,7 @@ static int ssl3_send_server_key_exchange(SSL *s)
1171	kn=0;	1178	kn=0;
1172	}	1179	}
1173		1180
1174	if (!BUF_MEM_grow(buf,n+4+kn))	1181	if (!BUF_MEM_grow_clean(buf,n+4+kn))
1175	{	1182	{
1176	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);	1183	SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_BUF);
1177	goto err;	1184	goto err;
@@ -1298,7 +1305,7 @@ static int ssl3_send_certificate_request(SSL *s)
1298	{	1305	{
1299	name=sk_X509_NAME_value(sk,i);	1306	name=sk_X509_NAME_value(sk,i);
1300	j=i2d_X509_NAME(name,NULL);	1307	j=i2d_X509_NAME(name,NULL);
1301	if (!BUF_MEM_grow(buf,4+n+j+2))	1308	if (!BUF_MEM_grow_clean(buf,4+n+j+2))
1302	{	1309	{
1303	SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);	1310	SSLerr(SSL_F_SSL3_SEND_CERTIFICATE_REQUEST,ERR_R_BUF_LIB);
1304	goto err;	1311	goto err;
@@ -1440,7 +1447,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1440	if (i != SSL_MAX_MASTER_KEY_LENGTH)	1447	if (i != SSL_MAX_MASTER_KEY_LENGTH)
1441	{	1448	{
1442	al=SSL_AD_DECODE_ERROR;	1449	al=SSL_AD_DECODE_ERROR;
1443	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);	1450	/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
1444	}	1451	}
1445		1452
1446	if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))	1453	if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
@@ -1456,37 +1463,35 @@ static int ssl3_get_client_key_exchange(SSL *s)
1456	(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))	1463	(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
1457	{	1464	{
1458	al=SSL_AD_DECODE_ERROR;	1465	al=SSL_AD_DECODE_ERROR;
1459	SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);	1466	/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
1460	goto f_err;	1467
		1468	/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
		1469	* (http://eprint.iacr.org/2003/052/) exploits the version
		1470	* number check as a "bad version oracle" -- an alert would
		1471	* reveal that the plaintext corresponding to some ciphertext
		1472	* made up by the adversary is properly formatted except
		1473	* that the version number is wrong. To avoid such attacks,
		1474	* we should treat this just like any other decryption error. */
1461	}	1475	}
1462	}	1476	}
1463		1477
1464	if (al != -1)	1478	if (al != -1)
1465	{	1479	{
1466	#if 0
1467	goto f_err;
1468	#else
1469	/* Some decryption failure -- use random value instead as countermeasure	1480	/* Some decryption failure -- use random value instead as countermeasure
1470	* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding	1481	* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
1471	* (see RFC 2246, section 7.4.7.1).	1482	* (see RFC 2246, section 7.4.7.1). */
1472	* But note that due to length and protocol version checking, the
1473	* attack is impractical anyway (see section 5 in D. Bleichenbacher:
1474	* "Chosen Ciphertext Attacks Against Protocols Based on the RSA
1475	* Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
1476	*/
1477	ERR_clear_error();	1483	ERR_clear_error();
1478	i = SSL_MAX_MASTER_KEY_LENGTH;	1484	i = SSL_MAX_MASTER_KEY_LENGTH;
1479	p[0] = s->client_version >> 8;	1485	p[0] = s->client_version >> 8;
1480	p[1] = s->client_version & 0xff;	1486	p[1] = s->client_version & 0xff;
1481	RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */	1487	RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
1482	#endif
1483	}	1488	}
1484		1489
1485	s->session->master_key_length=	1490	s->session->master_key_length=
1486	s->method->ssl3_enc->generate_master_secret(s,	1491	s->method->ssl3_enc->generate_master_secret(s,
1487	s->session->master_key,	1492	s->session->master_key,
1488	p,i);	1493	p,i);
1489	memset(p,0,i);	1494	OPENSSL_cleanse(p,i);
1490	}	1495	}
1491	else	1496	else
1492	#endif	1497	#endif
@@ -1549,7 +1554,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1549	s->session->master_key_length=	1554	s->session->master_key_length=
1550	s->method->ssl3_enc->generate_master_secret(s,	1555	s->method->ssl3_enc->generate_master_secret(s,
1551	s->session->master_key,p,i);	1556	s->session->master_key,p,i);
1552	memset(p,0,i);	1557	OPENSSL_cleanse(p,i);
1553	}	1558	}
1554	else	1559	else
1555	#endif	1560	#endif
@@ -1652,7 +1657,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
1652	if (enc == NULL)	1657	if (enc == NULL)
1653	goto err;	1658	goto err;
1654		1659
1655	memset(iv, 0, EVP_MAX_IV_LENGTH); /* per RFC 1510 */	1660	memset(iv, 0, sizeof iv); /* per RFC 1510 */
1656		1661
1657	if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))	1662	if (!EVP_DecryptInit_ex(&ciph_ctx,enc,NULL,kssl_ctx->key,iv))
1658	{	1663	{
@@ -1740,7 +1745,7 @@ static int ssl3_get_cert_verify(SSL *s)
1740	SSL3_ST_SR_CERT_VRFY_A,	1745	SSL3_ST_SR_CERT_VRFY_A,
1741	SSL3_ST_SR_CERT_VRFY_B,	1746	SSL3_ST_SR_CERT_VRFY_B,
1742	-1,	1747	-1,
1743	512, /* 512? */	1748	514, /* 514? */
1744	&ok);	1749	&ok);
1745		1750
1746	if (!ok) return((int)n);	1751	if (!ok) return((int)n);