authorseb <seb@pkgsrc.org>2003-03-21 18:40:48 +0000
committerseb <seb@pkgsrc.org>2003-03-21 18:40:48 +0000
commitc387ecacba08b8ddbd4b99d16cba9722e003eac5 (patch)
treedd37a0d662540b8c57df914560632f94b2753644
parentab9ad38a329c83e994d9db7d2560c5229b164a14 (diff)
downloadpkgsrc-c387ecacba08b8ddbd4b99d16cba9722e003eac5.tar.gz
* Add patch from http://www.openssl.org/news/secadv_20030317.txt:
Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS. The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time. The performance impact of blinding appears to be small (a few percent). This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue. * Add patch from http://www.openssl.org/news/secadv_20030319.txt: Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack. * Bump PKGREVISION.
-rw-r--r--security/openssl/Makefile4
-rw-r--r--security/openssl/distinfo5
-rw-r--r--security/openssl/patches/patch-ah55
-rw-r--r--security/openssl/patches/patch-ai52
-rw-r--r--security/openssl/patches/patch-aj19
5 files changed, 132 insertions, 3 deletions
diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 9a3eb706ccd..814c36832c9 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.66 2003/02/20 07:59:24 wiz Exp $
+# $NetBSD: Makefile,v 1.67 2003/03/21 18:40:48 seb Exp $
DISTNAME= openssl-0.9.6g
-PKGREVISION= 1
+PKGREVISION= 2
SVR4_PKGNAME= ossl
CATEGORIES= security
MASTER_SITES= ftp://ftp.openssl.org/source/
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index d9cc91cdcc7..7bba0e1b0af 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2003/02/28 08:08:22 grant Exp $
+$NetBSD: distinfo,v 1.18 2003/03/21 18:40:49 seb Exp $
SHA1 (openssl-0.9.6g.tar.gz) = 5b3cdad1d33134c97f659a8ad5dbf4ca4cf3d9c8
Size (openssl-0.9.6g.tar.gz) = 2170570 bytes
@@ -11,3 +11,6 @@ SHA1 (patch-ad) = ee8283d5537edce1bb60470c616ebabfda0aa084
SHA1 (patch-ae) = f4bf6ae5aa41b55d9978376e4e50ee10c10dd288
SHA1 (patch-af) = fd470396c5f54ea2d333df44504c03e7c6c8dc96
SHA1 (patch-ag) = d470c7da2cff7ba37ac38d6ceb79751a7d21d432
+SHA1 (patch-ah) = f8a6522c5e00605c47e149f8c70878960257c65a
+SHA1 (patch-ai) = 9d2e1dae0882450b7c10cdd2ea8156dced550c4a
+SHA1 (patch-aj) = 8c71a29e8f2cbbe9c105f9bec27f4dc1835f5338
diff --git a/security/openssl/patches/patch-ah b/security/openssl/patches/patch-ah
new file mode 100644
index 00000000000..ede9af6ae95
--- /dev/null
+++ b/security/openssl/patches/patch-ah
@@ -0,0 +1,55 @@
+$NetBSD: patch-ah,v 1.4 2003/03/21 18:40:49 seb Exp $
+
+--- ssl/s3_srvr.c.orig 2002-08-08 21:17:58.000000000 +0000
++++ ssl/s3_srvr.c
+@@ -1418,7 +1418,7 @@ static int ssl3_get_client_key_exchange(
+ if (i != SSL_MAX_MASTER_KEY_LENGTH)
+ {
+ al=SSL_AD_DECODE_ERROR;
+- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
++ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
+ }
+
+ if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+@@ -1434,30 +1434,29 @@ static int ssl3_get_client_key_exchange(
+ (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+ {
+ al=SSL_AD_DECODE_ERROR;
+- SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+- goto f_err;
++ /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
++
++ /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
++ * (http://eprint.iacr.org/2003/052/) exploits the version
++ * number check as a "bad version oracle" -- an alert would
++ * reveal that the plaintext corresponding to some ciphertext
++ * made up by the adversary is properly formatted except
++ * that the version number is wrong. To avoid such attacks,
++ * we should treat this just like any other decryption error. */
++ p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
+ }
+ }
+
+ if (al != -1)
+ {
+-#if 0
+- goto f_err;
+-#else
+ /* Some decryption failure -- use random value instead as countermeasure
+ * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
+- * (see RFC 2246, section 7.4.7.1).
+- * But note that due to length and protocol version checking, the
+- * attack is impractical anyway (see section 5 in D. Bleichenbacher:
+- * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
+- * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
+- */
++ * (see RFC 2246, section 7.4.7.1). */
+ ERR_clear_error();
+ i = SSL_MAX_MASTER_KEY_LENGTH;
+ p[0] = s->client_version >> 8;
+ p[1] = s->client_version & 0xff;
+ RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+-#endif
+ }
+
+ s->session->master_key_length=
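Review bot: The line `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";` in the second inner hunk stores a truncated pointer value into the premaster buffer, but `al` has just been set to SSL_AD_DECODE_ERROR, so the `if (al != -1)` block further down overwrites `p[0]` and `p[1]` with `s->client_version` and refills the rest from RAND_pseudo_bytes; the stored byte is never observed. Its only visible role is as a greppable marker that the countermeasure is present, and casting a pointer through `int` to `char` is implementation-defined and typically draws a pointer-to-integer-of-different-size warning on 64-bit targets. If the marker is wanted, say so, e.g. `/* Dummy store, overwritten below; kept only as a marker that the KPR countermeasure is applied. */`, otherwise a plain comment serves the same purpose without the cast. The enclosing ssl3_get_client_key_exchange starts and ends outside the hunk.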
diff --git a/security/openssl/patches/patch-ai b/security/openssl/patches/patch-ai
new file mode 100644
index 00000000000..fc70fa6dd87
--- /dev/null
+++ b/security/openssl/patches/patch-ai
@@ -0,0 +1,52 @@
+$NetBSD: patch-ai,v 1.4 2003/03/21 18:40:49 seb Exp $
+
+--- crypto/rsa/rsa_eay.c.orig 2002-08-08 21:16:29.000000000 +0000
++++ crypto/rsa/rsa_eay.c
+@@ -190,6 +190,25 @@ err:
+ return(r);
+ }
+
++static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
++ {
++ int ret = 1;
++ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
++ /* Check again inside the lock - the macro's check is racey */
++ if(rsa->blinding == NULL)
++ ret = RSA_blinding_on(rsa, ctx);
++ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
++ return ret;
++ }
++
++#define BLINDING_HELPER(rsa, ctx, err_instr) \
++ do { \
++ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
++ ((rsa)->blinding == NULL) && \
++ !rsa_eay_blinding(rsa, ctx)) \
++ err_instr \
++ } while(0)
++
+ /* signing */
+ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
+ unsigned char *to, RSA *rsa, int padding)
+@@ -234,8 +253,8 @@ static int RSA_eay_private_encrypt(int f
+ goto err;
+ }
+
+- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+- RSA_blinding_on(rsa,ctx);
++ BLINDING_HELPER(rsa, ctx, goto err;);
++
+ if (rsa->flags & RSA_FLAG_BLINDING)
+ if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+
+@@ -313,8 +332,8 @@ static int RSA_eay_private_decrypt(int f
+ goto err;
+ }
+
+- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+- RSA_blinding_on(rsa,ctx);
++ BLINDING_HELPER(rsa, ctx, goto err;);
++
+ if (rsa->flags & RSA_FLAG_BLINDING)
+ if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+
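Review bot: `rsa_eay_blinding` holds CRYPTO_LOCK_RSA only while `rsa->blinding` is created; the `BN_BLINDING_convert(&f,rsa->blinding,ctx)` calls that follow each BLINDING_HELPER site use that same shared object with no lock, so if BN_BLINDING_convert updates the blinding state (not visible here) two threads doing private-key operations on one RSA object would race on it. That pattern predates this hunk, but the new helper is where it should be recorded, and the helper has no header comment; suggested: `/* Create rsa->blinding under CRYPTO_LOCK_RSA. Returns 1 if blinding already exists, otherwise the result of RSA_blinding_on(); callers must abort the operation on 0. The unlocked check in BLINDING_HELPER is only an optimisation, hence the re-check here. */`. Both BLINDING_HELPER call sites now `goto err` when blinding cannot be enabled instead of silently continuing unblinded, which is the right default given the advisory.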
diff --git a/security/openssl/patches/patch-aj b/security/openssl/patches/patch-aj
new file mode 100644
index 00000000000..608156bdf2e
--- /dev/null
+++ b/security/openssl/patches/patch-aj
@@ -0,0 +1,19 @@
+$NetBSD: patch-aj,v 1.7 2003/03/21 18:40:49 seb Exp $
+
+--- crypto/rsa/rsa_lib.c.orig 2001-02-24 17:32:30.000000000 +0000
++++ crypto/rsa/rsa_lib.c
+@@ -71,7 +71,13 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *r
+
+ RSA *RSA_new(void)
+ {
+- return(RSA_new_method(NULL));
++ RSA *r=RSA_new_method(NULL);
++
++#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
++ r->flags|=RSA_FLAG_BLINDING;
++#endif
++
++ return r;
+ }
+
+ void RSA_set_default_method(RSA_METHOD *meth)
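Review bot: `r->flags|=RSA_FLAG_BLINDING;` dereferences `r` without checking it; RSA_new_method can return NULL on allocation failure, and the old `return(RSA_new_method(NULL));` passed that NULL through to callers, so the new RSA_new crashes where the old one reported failure. Guard the store: `if (r != NULL) r->flags|=RSA_FLAG_BLINDING;`. Note also that blinding becomes the default only for keys obtained through RSA_new; code that constructs keys via RSA_new_method directly (not visible here) keeps the old behaviour, which is worth a comment at this site.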