989d921f5d
I'm very pleased to announce the release of our new website and documentation using the new toolchain with Hugo and AsciiDoctor. To get more information about the new toolchain please read the FreeBSD Documentation Project Primer[1], Hugo docs[2] and AsciiDoctor docs[3]. Acknowledgment: Benedict Reuschling <bcr@> Glen Barber <gjb@> Hiroki Sato <hrs@> Li-Wen Hsu <lwhsu@> Sean Chittenden <seanc@> The FreeBSD Foundation [1] https://docs.FreeBSD.org/en/books/fdp-primer/ [2] https://gohugo.io/documentation/ [3] https://docs.asciidoctor.org/home/ Approved by: doceng, core
135 lines
4.5 KiB
Diff
135 lines
4.5 KiB
Diff
Index: crypto/openssl/crypto/rsa/rsa_eay.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_eay.c,v
|
|
retrieving revision 1.10
|
|
diff -u -r1.10 rsa_eay.c
|
|
--- crypto/openssl/crypto/rsa/rsa_eay.c 19 Feb 2003 23:24:16 -0000 1.10
|
|
+++ crypto/openssl/crypto/rsa/rsa_eay.c 20 Mar 2003 14:01:30 -0000
|
|
@@ -195,6 +195,25 @@
|
|
return(r);
|
|
}
|
|
|
|
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
|
|
+ {
|
|
+ int ret = 1;
|
|
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
|
|
+ /* Check again inside the lock - the macro's check is racey */
|
|
+ if(rsa->blinding == NULL)
|
|
+ ret = RSA_blinding_on(rsa, ctx);
|
|
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
|
|
+ do { \
|
|
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
|
|
+ ((rsa)->blinding == NULL) && \
|
|
+ !rsa_eay_blinding(rsa, ctx)) \
|
|
+ err_instr \
|
|
+ } while(0)
|
|
+
|
|
/* signing */
|
|
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
|
unsigned char *to, RSA *rsa, int padding)
|
|
@@ -239,8 +258,8 @@
|
|
goto err;
|
|
}
|
|
|
|
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
|
- RSA_blinding_on(rsa,ctx);
|
|
+ BLINDING_HELPER(rsa, ctx, goto err;);
|
|
+
|
|
if (rsa->flags & RSA_FLAG_BLINDING)
|
|
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
|
|
|
@@ -318,8 +337,8 @@
|
|
goto err;
|
|
}
|
|
|
|
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
|
- RSA_blinding_on(rsa,ctx);
|
|
+ BLINDING_HELPER(rsa, ctx, goto err;);
|
|
+
|
|
if (rsa->flags & RSA_FLAG_BLINDING)
|
|
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
|
|
|
Index: crypto/openssl/crypto/rsa/rsa_lib.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_lib.c,v
|
|
retrieving revision 1.8
|
|
diff -u -r1.8 rsa_lib.c
|
|
--- crypto/openssl/crypto/rsa/rsa_lib.c 19 Feb 2003 23:24:16 -0000 1.8
|
|
+++ crypto/openssl/crypto/rsa/rsa_lib.c 20 Mar 2003 14:01:30 -0000
|
|
@@ -72,7 +72,13 @@
|
|
|
|
RSA *RSA_new(void)
|
|
{
|
|
- return(RSA_new_method(NULL));
|
|
+ RSA *r=RSA_new_method(NULL);
|
|
+
|
|
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
|
|
+ r->flags|=RSA_FLAG_BLINDING;
|
|
+#endif
|
|
+
|
|
+ return r;
|
|
}
|
|
|
|
void RSA_set_default_method(const RSA_METHOD *meth)
|
|
Index: crypto/openssl/ssl/s3_srvr.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/s3_srvr.c,v
|
|
retrieving revision 1.1.1.10
|
|
diff -u -r1.1.1.10 s3_srvr.c
|
|
--- crypto/openssl/ssl/s3_srvr.c 28 Jan 2003 21:38:47 -0000 1.1.1.10
|
|
+++ crypto/openssl/ssl/s3_srvr.c 20 Mar 2003 14:01:31 -0000
|
|
@@ -1447,7 +1447,7 @@
|
|
if (i != SSL_MAX_MASTER_KEY_LENGTH)
|
|
{
|
|
al=SSL_AD_DECODE_ERROR;
|
|
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
|
|
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
|
|
}
|
|
|
|
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
|
|
@@ -1463,30 +1463,29 @@
|
|
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
|
|
{
|
|
al=SSL_AD_DECODE_ERROR;
|
|
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
|
|
- goto f_err;
|
|
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
|
|
+
|
|
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
|
|
+ * (http://eprint.iacr.org/2003/052/) exploits the version
|
|
+ * number check as a "bad version oracle" -- an alert would
|
|
+ * reveal that the plaintext corresponding to some ciphertext
|
|
+ * made up by the adversary is properly formatted except
|
|
+ * that the version number is wrong. To avoid such attacks,
|
|
+ * we should treat this just like any other decryption error. */
|
|
+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
|
|
}
|
|
}
|
|
|
|
if (al != -1)
|
|
{
|
|
-#if 0
|
|
- goto f_err;
|
|
-#else
|
|
/* Some decryption failure -- use random value instead as countermeasure
|
|
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
|
|
- * (see RFC 2246, section 7.4.7.1).
|
|
- * But note that due to length and protocol version checking, the
|
|
- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
|
|
- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
|
|
- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
|
|
- */
|
|
+ * (see RFC 2246, section 7.4.7.1). */
|
|
ERR_clear_error();
|
|
i = SSL_MAX_MASTER_KEY_LENGTH;
|
|
p[0] = s->client_version >> 8;
|
|
p[1] = s->client_version & 0xff;
|
|
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
|
|
-#endif
|
|
}
|
|
|
|
s->session->master_key_length=
|