3571e53040
patches for easier mirroring, to eliminate a special copy, to make www.freebsd.org/security a full copy of security.freebsd.org and be eventually be the same. For now files are just sitting there. The symlinks are missing. Discussed on: www (repository location) Discussed with: simon (so)
135 lines
4.5 KiB
Diff
135 lines
4.5 KiB
Diff
Index: crypto/openssl/crypto/rsa/rsa_eay.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_eay.c,v
|
|
retrieving revision 1.10
|
|
diff -u -r1.10 rsa_eay.c
|
|
--- crypto/openssl/crypto/rsa/rsa_eay.c 19 Feb 2003 23:24:16 -0000 1.10
|
|
+++ crypto/openssl/crypto/rsa/rsa_eay.c 20 Mar 2003 14:01:30 -0000
|
|
@@ -195,6 +195,25 @@
|
|
return(r);
|
|
}
|
|
|
|
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
|
|
+ {
|
|
+ int ret = 1;
|
|
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
|
|
+ /* Check again inside the lock - the macro's check is racey */
|
|
+ if(rsa->blinding == NULL)
|
|
+ ret = RSA_blinding_on(rsa, ctx);
|
|
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
|
|
+ return ret;
|
|
+ }
|
|
+
|
|
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
|
|
+ do { \
|
|
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
|
|
+ ((rsa)->blinding == NULL) && \
|
|
+ !rsa_eay_blinding(rsa, ctx)) \
|
|
+ err_instr \
|
|
+ } while(0)
|
|
+
|
|
/* signing */
|
|
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
|
|
unsigned char *to, RSA *rsa, int padding)
|
|
@@ -239,8 +258,8 @@
|
|
goto err;
|
|
}
|
|
|
|
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
|
- RSA_blinding_on(rsa,ctx);
|
|
+ BLINDING_HELPER(rsa, ctx, goto err;);
|
|
+
|
|
if (rsa->flags & RSA_FLAG_BLINDING)
|
|
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
|
|
|
@@ -318,8 +337,8 @@
|
|
goto err;
|
|
}
|
|
|
|
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
|
|
- RSA_blinding_on(rsa,ctx);
|
|
+ BLINDING_HELPER(rsa, ctx, goto err;);
|
|
+
|
|
if (rsa->flags & RSA_FLAG_BLINDING)
|
|
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
|
|
|
|
Index: crypto/openssl/crypto/rsa/rsa_lib.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/crypto/rsa/rsa_lib.c,v
|
|
retrieving revision 1.8
|
|
diff -u -r1.8 rsa_lib.c
|
|
--- crypto/openssl/crypto/rsa/rsa_lib.c 19 Feb 2003 23:24:16 -0000 1.8
|
|
+++ crypto/openssl/crypto/rsa/rsa_lib.c 20 Mar 2003 14:01:30 -0000
|
|
@@ -72,7 +72,13 @@
|
|
|
|
RSA *RSA_new(void)
|
|
{
|
|
- return(RSA_new_method(NULL));
|
|
+ RSA *r=RSA_new_method(NULL);
|
|
+
|
|
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
|
|
+ r->flags|=RSA_FLAG_BLINDING;
|
|
+#endif
|
|
+
|
|
+ return r;
|
|
}
|
|
|
|
void RSA_set_default_method(const RSA_METHOD *meth)
|
|
Index: crypto/openssl/ssl/s3_srvr.c
|
|
===================================================================
|
|
RCS file: /home/ncvs/src/crypto/openssl/ssl/s3_srvr.c,v
|
|
retrieving revision 1.1.1.10
|
|
diff -u -r1.1.1.10 s3_srvr.c
|
|
--- crypto/openssl/ssl/s3_srvr.c 28 Jan 2003 21:38:47 -0000 1.1.1.10
|
|
+++ crypto/openssl/ssl/s3_srvr.c 20 Mar 2003 14:01:31 -0000
|
|
@@ -1447,7 +1447,7 @@
|
|
if (i != SSL_MAX_MASTER_KEY_LENGTH)
|
|
{
|
|
al=SSL_AD_DECODE_ERROR;
|
|
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
|
|
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
|
|
}
|
|
|
|
if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
|
|
@@ -1463,30 +1463,29 @@
|
|
(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
|
|
{
|
|
al=SSL_AD_DECODE_ERROR;
|
|
- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
|
|
- goto f_err;
|
|
+ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
|
|
+
|
|
+ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
|
|
+ * (http://eprint.iacr.org/2003/052/) exploits the version
|
|
+ * number check as a "bad version oracle" -- an alert would
|
|
+ * reveal that the plaintext corresponding to some ciphertext
|
|
+ * made up by the adversary is properly formatted except
|
|
+ * that the version number is wrong. To avoid such attacks,
|
|
+ * we should treat this just like any other decryption error. */
|
|
+ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
|
|
}
|
|
}
|
|
|
|
if (al != -1)
|
|
{
|
|
-#if 0
|
|
- goto f_err;
|
|
-#else
|
|
/* Some decryption failure -- use random value instead as countermeasure
|
|
* against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
|
|
- * (see RFC 2246, section 7.4.7.1).
|
|
- * But note that due to length and protocol version checking, the
|
|
- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
|
|
- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
|
|
- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
|
|
- */
|
|
+ * (see RFC 2246, section 7.4.7.1). */
|
|
ERR_clear_error();
|
|
i = SSL_MAX_MASTER_KEY_LENGTH;
|
|
p[0] = s->client_version >> 8;
|
|
p[1] = s->client_version & 0xff;
|
|
RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
|
|
-#endif
|
|
}
|
|
|
|
s->session->master_key_length=
|