From 91106b4c90b48b9064630173be7bc0822d7c8043 Mon Sep 17 00:00:00 2001
From: tedu <>
Date: Mon, 29 Dec 2014 16:12:59 +0000
Subject: don't leak timing info about padding errors by generating a fake key
afterwards. openssl has a more complicated fix, but it's less intrusive for
now to simply hoist the expensive part (fake key generation) up without
sweating a branch or two. ok bcook jsing
---
src/lib/libssl/s3_srvr.c | 15 ++++++++++-----
src/lib/libssl/src/ssl/s3_srvr.c | 15 ++++++++++-----
2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/lib/libssl/s3_srvr.c b/src/lib/libssl/s3_srvr.c
index 5e4a605c60..fd8f9aabab 100644
--- a/src/lib/libssl/s3_srvr.c
+++ b/src/lib/libssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.95 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.96 2014/12/29 16:12:59 tedu Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1822,6 +1822,12 @@ ssl3_get_client_key_exchange(SSL *s)
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
if (alg_k & SSL_kRSA) {
+ char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
+
+ arc4random_buf(fakekey, sizeof(fakekey));
+ fakekey[0] = s->client_version >> 8;
+ fakekey[1] = s->client_version & 0xff;
+
pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
(pkey->pkey.rsa == NULL)) {
@@ -1851,6 +1857,8 @@ ssl3_get_client_key_exchange(SSL *s)
i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
+ ERR_clear_error();
+
al = -1;
if (i != SSL_MAX_MASTER_KEY_LENGTH) {
@@ -1902,11 +1910,8 @@ ssl3_get_client_key_exchange(SSL *s)
* on PKCS #1 v1.5 RSA padding (see RFC 2246,
* section 7.4.7.1).
*/
- ERR_clear_error();
i = SSL_MAX_MASTER_KEY_LENGTH;
- p[0] = s->client_version >> 8;
- p[1] = s->client_version & 0xff;
- arc4random_buf(p + 2, i - 2);
+ p = fakekey;
}
s->session->master_key_length =
diff --git a/src/lib/libssl/src/ssl/s3_srvr.c b/src/lib/libssl/src/ssl/s3_srvr.c
index 5e4a605c60..fd8f9aabab 100644
--- a/src/lib/libssl/src/ssl/s3_srvr.c
+++ b/src/lib/libssl/src/ssl/s3_srvr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_srvr.c,v 1.95 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: s3_srvr.c,v 1.96 2014/12/29 16:12:59 tedu Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1822,6 +1822,12 @@ ssl3_get_client_key_exchange(SSL *s)
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
if (alg_k & SSL_kRSA) {
+ char fakekey[SSL_MAX_MASTER_KEY_LENGTH];
+
+ arc4random_buf(fakekey, sizeof(fakekey));
+ fakekey[0] = s->client_version >> 8;
+ fakekey[1] = s->client_version & 0xff;
+
pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey;
if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) ||
(pkey->pkey.rsa == NULL)) {
@@ -1851,6 +1857,8 @@ ssl3_get_client_key_exchange(SSL *s)
i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING);
+ ERR_clear_error();
+
al = -1;
if (i != SSL_MAX_MASTER_KEY_LENGTH) {
@@ -1902,11 +1910,8 @@ ssl3_get_client_key_exchange(SSL *s)
* on PKCS #1 v1.5 RSA padding (see RFC 2246,
* section 7.4.7.1).
*/
- ERR_clear_error();
i = SSL_MAX_MASTER_KEY_LENGTH;
- p[0] = s->client_version >> 8;
- p[1] = s->client_version & 0xff;
- arc4random_buf(p + 2, i - 2);
+ p = fakekey;
}
s->session->master_key_length =
--
cgit v1.2.3-55-g6feb