From: Bodo Möller Date: Fri, 1 Jun 2001 09:41:25 +0000 (+0000) Subject: Fix Bleichenbacher PKCS #1 1.5 countermeasure. X-Git-Tag: OpenSSL_0_9_6c~182^2~138 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=31bc51c8cf4784f31732e5822d6fae894123a4f4 Fix Bleichenbacher PKCS #1 1.5 countermeasure. (The attack against SSL 3.1 and TLS 1.0 is impractical anyway, otherwise this would be a security relevant patch.) --- diff --git a/CHANGES b/CHANGES index 03f9d02abe..6cea57be1d 100644 --- a/CHANGES +++ b/CHANGES @@ -11,6 +11,27 @@ *) applies to 0.9.6a (/0.9.6b) and 0.9.7 +) applies to 0.9.7 only + *) The countermeasure against Bleichbacher's attack on PKCS #1 v1.5 + RSA encryption was accidentily removed in s3_srvr.c in OpenSSL 0.9.5 + when fixing the server behaviour for backwards-compatible 'client + hello' messages. (Note that the attack is impractical against + SSL 3.0 and TLS 1.0 anyway because length and version checking + means that the probability of guessing a valid ciphertext is + around 2^-40; see section 5 in Bleichenbacher's CRYPTO '98 + paper.) + + Before 0.9.5, the countermeasure (hide the error by generating a + random 'decryption result') did not work properly because + ERR_clear_error() was missing, meaning that SSL_get_error() would + detect the supposedly ignored error. + + Both problems are now fixed. + [Bodo Moeller] + + *) In crypto/bio/bf_buff.c, increase DEFAULT_BUFFER_SIZE to 4096 + (previously it was 1024). + [Bodo Moeller] + +) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also tidy up some unecessarily weird code in 'sk_new()'). [Geoff, reported by Diego Tartara ] diff --git a/ssl/s2_srvr.c b/ssl/s2_srvr.c index 10de5ec3db..cc9f591427 100644 --- a/ssl/s2_srvr.c +++ b/ssl/s2_srvr.c @@ -405,12 +405,13 @@ static int get_client_master_key(SSL *s) /* bad decrypt */ #if 1 /* If a bad decrypt, continue with protocol but with a - * dud master secret */ + * random master secret (Bleichenbacher attack) */ if ((i < 0) || ((!is_export && (i != EVP_CIPHER_key_length(c))) || (is_export && ((i != ek) || (s->s2->tmp.clear+i != EVP_CIPHER_key_length(c)))))) { + ERR_clear_error(); if (is_export) i=ek; else diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c index dce89bf2bd..0b0eceedb0 100644 --- a/ssl/s3_srvr.c +++ b/ssl/s3_srvr.c @@ -1333,14 +1333,15 @@ static int ssl3_get_client_key_exchange(SSL *s) i=RSA_private_decrypt((int)n,p,p,rsa,RSA_PKCS1_PADDING); + al = -1; + if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); - goto f_err; } - if (!((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) + if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) { /* The premaster secret must contain the same version number as the * ClientHello to detect version rollback attacks (strangely, the @@ -1358,6 +1359,27 @@ static int ssl3_get_client_key_exchange(SSL *s) } } + if (al != -1) + { +#if 0 + goto f_err; +#else + /* Some decryption failure -- use random value instead as countermeasure + * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding + * (see RFC 2246, section 7.4.7.1). + * But note that due to length and protocol version checking, the + * attack is impractical anyway (see section 5 in D. Bleichenbacher: + * "Chosen Ciphertext Attacks Against Protocols Based on the RSA + * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). + */ + ERR_clear_error(); + i = SSL_MAX_MASTER_KEY_LENGTH; + p[0] = s->client_version >> 8; + p[1] = s->client_version & 0xff; + RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ +#endif + } + s->session->master_key_length= s->method->ssl3_enc->generate_master_secret(s, s->session->master_key,