* Add patch from http://www.openssl.org/news/secadv_20030317.txt:

Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.

Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that
wish to can remove the blinding with RSA_blinding_off(), but this is
not generally advised. It is also possible to disable it completely by
defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few
percent).

This problem affects many applications using OpenSSL, in particular,
almost all SSL-enabled Apaches. You should rebuild and reinstall
OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0147 to this issue.

* Add patch from http://www.openssl.org/news/secadv_20030319.txt:

Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
have come up with an extension of the "Bleichenbacher attack" on RSA
with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.  Their
attack requires the attacker to open millions of SSL/TLS connections
to the server under attack; the server's behaviour when faced with
specially made-up RSA ciphertexts can reveal information that in
effect allows the attacker to perform a single RSA private key
operation on a ciphertext of its choice using the server's RSA key.
Note that the server's RSA key is not compromised in this attack.

* Bump PKGREVISION.

5 files changed, 132 insertions, 3 deletions

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 9a3eb706ccd..814c36832c9 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.66 2003/02/20 07:59:24 wiz Exp $
+# $NetBSD: Makefile,v 1.67 2003/03/21 18:40:48 seb Exp $
 
 DISTNAME=		openssl-0.9.6g
-PKGREVISION=		1
+PKGREVISION=		2
 SVR4_PKGNAME=		ossl
 CATEGORIES=		security
 MASTER_SITES=		ftp://ftp.openssl.org/source/
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index d9cc91cdcc7..7bba0e1b0af 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.17 2003/02/28 08:08:22 grant Exp $
+$NetBSD: distinfo,v 1.18 2003/03/21 18:40:49 seb Exp $
 
 SHA1 (openssl-0.9.6g.tar.gz) = 5b3cdad1d33134c97f659a8ad5dbf4ca4cf3d9c8
 Size (openssl-0.9.6g.tar.gz) = 2170570 bytes
@@ -11,3 +11,6 @@ SHA1 (patch-ad) = ee8283d5537edce1bb60470c616ebabfda0aa084
 SHA1 (patch-ae) = f4bf6ae5aa41b55d9978376e4e50ee10c10dd288
 SHA1 (patch-af) = fd470396c5f54ea2d333df44504c03e7c6c8dc96
 SHA1 (patch-ag) = d470c7da2cff7ba37ac38d6ceb79751a7d21d432
+SHA1 (patch-ah) = f8a6522c5e00605c47e149f8c70878960257c65a
+SHA1 (patch-ai) = 9d2e1dae0882450b7c10cdd2ea8156dced550c4a
+SHA1 (patch-aj) = 8c71a29e8f2cbbe9c105f9bec27f4dc1835f5338
diff --git a/security/openssl/patches/patch-ah b/security/openssl/patches/patch-ah
new file mode 100644
index 00000000000..ede9af6ae95
--- /dev/null
+++ b/security/openssl/patches/patch-ah
@@ -0,0 +1,55 @@
+$NetBSD: patch-ah,v 1.4 2003/03/21 18:40:49 seb Exp $
+
+--- ssl/s3_srvr.c.orig	2002-08-08 21:17:58.000000000 +0000
++++ ssl/s3_srvr.c
+@@ -1418,7 +1418,7 @@ static int ssl3_get_client_key_exchange(
+ 		if (i != SSL_MAX_MASTER_KEY_LENGTH)
+ 			{
+ 			al=SSL_AD_DECODE_ERROR;
+-			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT);
++			/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */
+ 			}
+ 
+ 		if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff))))
+@@ -1434,30 +1434,29 @@ static int ssl3_get_client_key_exchange(
+ 				(p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff))))
+ 				{
+ 				al=SSL_AD_DECODE_ERROR;
+-				SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER);
+-				goto f_err;
++				/* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */
++
++				/* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack
++				 * (http://eprint.iacr.org/2003/052/) exploits the version
++				 * number check as a "bad version oracle" -- an alert would
++				 * reveal that the plaintext corresponding to some ciphertext
++				 * made up by the adversary is properly formatted except
++				 * that the version number is wrong.  To avoid such attacks,
++				 * we should treat this just like any other decryption error. */
++				p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";
+ 				}
+ 			}
+ 
+ 		if (al != -1)
+ 			{
+-#if 0
+-			goto f_err;
+-#else
+ 			/* Some decryption failure -- use random value instead as countermeasure
+ 			 * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding
+-			 * (see RFC 2246, section 7.4.7.1).
+-			 * But note that due to length and protocol version checking, the
+-			 * attack is impractical anyway (see section 5 in D. Bleichenbacher:
+-			 * "Chosen Ciphertext Attacks Against Protocols Based on the RSA
+-			 * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12).
+-			 */
++			 * (see RFC 2246, section 7.4.7.1). */
+ 			ERR_clear_error();
+ 			i = SSL_MAX_MASTER_KEY_LENGTH;
+ 			p[0] = s->client_version >> 8;
+ 			p[1] = s->client_version & 0xff;
+ 			RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */
+-#endif
+ 			}
+ 	
+ 		s->session->master_key_length=
diff --git a/security/openssl/patches/patch-ai b/security/openssl/patches/patch-ai
new file mode 100644
index 00000000000..fc70fa6dd87
--- /dev/null
+++ b/security/openssl/patches/patch-ai
@@ -0,0 +1,52 @@
+$NetBSD: patch-ai,v 1.4 2003/03/21 18:40:49 seb Exp $
+
+--- crypto/rsa/rsa_eay.c.orig	2002-08-08 21:16:29.000000000 +0000
++++ crypto/rsa/rsa_eay.c
+@@ -190,6 +190,25 @@ err:
+ 	return(r);
+ 	}
+ 
++static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
++	{
++	int ret = 1;
++	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
++	/* Check again inside the lock - the macro's check is racey */
++	if(rsa->blinding == NULL)
++		ret = RSA_blinding_on(rsa, ctx);
++	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
++	return ret;
++	}
++
++#define BLINDING_HELPER(rsa, ctx, err_instr) \
++	do { \
++		if(((rsa)->flags & RSA_FLAG_BLINDING) && \
++				((rsa)->blinding == NULL) && \
++				!rsa_eay_blinding(rsa, ctx)) \
++			err_instr \
++	} while(0)
++
+ /* signing */
+ static int RSA_eay_private_encrypt(int flen, unsigned char *from,
+ 	     unsigned char *to, RSA *rsa, int padding)
+@@ -234,8 +253,8 @@ static int RSA_eay_private_encrypt(int f
+ 		goto err;
+ 		}
+ 
+-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+-		RSA_blinding_on(rsa,ctx);
++	BLINDING_HELPER(rsa, ctx, goto err;);
++
+ 	if (rsa->flags & RSA_FLAG_BLINDING)
+ 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+ 
+@@ -313,8 +332,8 @@ static int RSA_eay_private_decrypt(int f
+ 		goto err;
+ 		}
+ 
+-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
+-		RSA_blinding_on(rsa,ctx);
++	BLINDING_HELPER(rsa, ctx, goto err;);
++
+ 	if (rsa->flags & RSA_FLAG_BLINDING)
+ 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
+ 
diff --git a/security/openssl/patches/patch-aj b/security/openssl/patches/patch-aj
new file mode 100644
index 00000000000..608156bdf2e
--- /dev/null
+++ b/security/openssl/patches/patch-aj
@@ -0,0 +1,19 @@
+$NetBSD: patch-aj,v 1.7 2003/03/21 18:40:49 seb Exp $
+
+--- crypto/rsa/rsa_lib.c.orig	2001-02-24 17:32:30.000000000 +0000
++++ crypto/rsa/rsa_lib.c
+@@ -71,7 +71,13 @@ static STACK_OF(CRYPTO_EX_DATA_FUNCS) *r
+ 
+ RSA *RSA_new(void)
+ 	{
+-	return(RSA_new_method(NULL));
++	RSA *r=RSA_new_method(NULL);
++
++#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
++	r->flags|=RSA_FLAG_BLINDING;
++#endif
++
++	return r;
+ 	}
+ 
+ void RSA_set_default_method(RSA_METHOD *meth)