Loading CHANGES +17 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,23 @@ Changes between 0.9.6i and 0.9.6j [xx XXX 2003] *) *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). [Bodo Moeller] Changes between 0.9.6h and 0.9.6i [19 Feb 2003] Loading FAQ +1 −0 Original line number Diff line number Diff line Loading @@ -674,6 +674,7 @@ The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! Loading LICENSE +1 −1 Original line number Diff line number Diff line Loading @@ -12,7 +12,7 @@ --------------- /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions Loading crypto/rsa/rsa.h +7 −0 Original line number Diff line number Diff line Loading 
@@ -156,6 +156,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 #define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in * RSA implementation now uses blinding by * default (ignoring RSA_FLAG_BLINDING), * but other engines might not need it */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: Loading @@ -168,6 +173,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 #define RSA_FLAG_NO_BLINDING 0x80 #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 Loading crypto/rsa/rsa_eay.c +27 −8 Original line number Diff line number Diff line Loading @@ -193,6 +193,25 @@ err: return(r); } static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) { int ret = 1; CRYPTO_w_lock(CRYPTO_LOCK_RSA); /* Check again inside the lock - the macro's check is racey */ if(rsa->blinding == NULL) ret = RSA_blinding_on(rsa, ctx); CRYPTO_w_unlock(CRYPTO_LOCK_RSA); return ret; } #define BLINDING_HELPER(rsa, ctx, err_instr) \ do { \ if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ ((rsa)->blinding == NULL) && \ !rsa_eay_blinding(rsa, ctx)) \ err_instr \ } while(0) /* signing */ static int RSA_eay_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding) Loading Loading @@ -239,9 +258,9 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || Loading 
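Review bot: RSA_FLAG_NO_BLINDING ends up defined twice in rsa.h after this change: once next to RSA_FLAG_BLINDING with the explanatory comment (first hunk), and again as a bare `#define RSA_FLAG_NO_BLINDING 0x80` after RSA_FLAG_SIGN_VER (second hunk); the +7 −0 count confirms both are additions. Identical redefinition is legal C, but the second copy is a maintenance trap — the next person to renumber one of them gets a redefinition diagnostic, or worse, edits the wrong one and wonders why nothing changes. Keep the commented definition and delete the bare one after RSA_FLAG_SIGN_VER. It would also help callers if the surviving comment said what replaces the old flag, e.g. `/* RSA_FLAG_BLINDING is now ignored by the built-in method; use RSA_blinding_off() or set this flag to disable blinding */`.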
@@ -256,7 +275,7 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; /* put in leading 0 bytes if the number is less than the Loading Loading @@ -320,9 +339,9 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ Loading @@ -339,7 +358,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; p=buf; Loading Loading
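Review bot: The new lock in rsa_eay_blinding only serialises the creation of rsa->blinding; the BN_BLINDING_convert and BN_BLINDING_invert calls in RSA_eay_private_encrypt and RSA_eay_private_decrypt then operate on that shared rsa->blinding object with no lock at all. If convert/invert update state inside the BN_BLINDING (the paired convert-then-invert usage suggests they do, but BN_BLINDING itself is not in this diff), two threads doing private-key operations with the same RSA key race on that state and can produce wrong results — and turning blinding on by default makes exactly that situation common. Either hold CRYPTO_LOCK_RSA (or a per-key lock) across the convert / mod_exp / invert sequence, or give each thread its own blinding, and document the contract above rsa_eay_blinding, e.g. `/* Only creation of rsa->blinding is serialised here; concurrent use of one RSA key still needs external locking */`. Separately, the CHANGES entry says applications may call RSA_blinding_off(), but with this code that only works if RSA_blinding_off() (rsa_lib.c, not in this diff) also sets RSA_FLAG_NO_BLINDING — if it merely frees rsa->blinding, the next private-key operation silently re-creates it through BLINDING_HELPER. Both RSA_eay_private_encrypt and RSA_eay_private_decrypt begin and end outside the shown hunks.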
CHANGES +17 −1 Original line number Diff line number Diff line Loading @@ -4,7 +4,23 @@ Changes between 0.9.6i and 0.9.6j [xx XXX 2003] *) *) Countermeasure against the Klima-Pokorny-Rosa extension of Bleichbacher's attack on PKCS #1 v1.5 padding: treat a protocol version number mismatch like a decryption error in ssl3_get_client_key_exchange (ssl/s3_srvr.c). [Bodo Moeller] *) Turn on RSA blinding by default in the default implementation to avoid a timing attack. Applications that don't want it can call RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING. They would be ill-advised to do so in most cases. [Ben Laurie, Steve Henson, Geoff Thorpe] *) Change RSA blinding code so that it works when the PRNG is not seeded (in this case, the secret RSA exponent is abused as an unpredictable seed -- if it is not unpredictable, there is no point in blinding anyway). [Bodo Moeller] Changes between 0.9.6h and 0.9.6i [19 Feb 2003] Loading
FAQ +1 −0 Original line number Diff line number Diff line Loading @@ -674,6 +674,7 @@ The general answer is to check the config.log file generated when running the OpenSSH configure script. It should contain the detailed information on why the OpenSSL library was not detected or considered incompatible. * Can I use OpenSSL's SSL library with non-blocking I/O? Yes; make sure to read the SSL_get_error(3) manual page! Loading
LICENSE +1 −1 Original line number Diff line number Diff line Loading @@ -12,7 +12,7 @@ --------------- /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions Loading
crypto/rsa/rsa.h +7 −0 Original line number Diff line number Diff line Loading @@ -156,6 +156,11 @@ struct rsa_st #define RSA_FLAG_CACHE_PUBLIC 0x02 #define RSA_FLAG_CACHE_PRIVATE 0x04 #define RSA_FLAG_BLINDING 0x08 #define RSA_FLAG_NO_BLINDING 0x80 /* new with 0.9.6j and 0.9.7b; the built-in * RSA implementation now uses blinding by * default (ignoring RSA_FLAG_BLINDING), * but other engines might not need it */ #define RSA_FLAG_THREAD_SAFE 0x10 /* This flag means the private key operations will be handled by rsa_mod_exp * and that they do not depend on the private key components being present: Loading @@ -168,6 +173,8 @@ struct rsa_st */ #define RSA_FLAG_SIGN_VER 0x40 #define RSA_FLAG_NO_BLINDING 0x80 #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 Loading
crypto/rsa/rsa_eay.c +27 −8 Original line number Diff line number Diff line Loading @@ -193,6 +193,25 @@ err: return(r); } static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) { int ret = 1; CRYPTO_w_lock(CRYPTO_LOCK_RSA); /* Check again inside the lock - the macro's check is racey */ if(rsa->blinding == NULL) ret = RSA_blinding_on(rsa, ctx); CRYPTO_w_unlock(CRYPTO_LOCK_RSA); return ret; } #define BLINDING_HELPER(rsa, ctx, err_instr) \ do { \ if((!((rsa)->flags & RSA_FLAG_NO_BLINDING)) && \ ((rsa)->blinding == NULL) && \ !rsa_eay_blinding(rsa, ctx)) \ err_instr \ } while(0) /* signing */ static int RSA_eay_private_encrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding) Loading Loading @@ -239,9 +258,9 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; if ( (rsa->flags & RSA_FLAG_EXT_PKEY) || Loading @@ -256,7 +275,7 @@ static int RSA_eay_private_encrypt(int flen, unsigned char *from, if (!meth->bn_mod_exp(&ret,&f,rsa->d,rsa->n,ctx,NULL)) goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; /* put in leading 0 bytes if the number is less than the Loading Loading @@ -320,9 +339,9 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; } if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) RSA_blinding_on(rsa,ctx); if (rsa->flags & RSA_FLAG_BLINDING) BLINDING_HELPER(rsa, ctx, goto err;); if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; /* do the decrypt */ Loading 
@@ -339,7 +358,7 @@ static int RSA_eay_private_decrypt(int flen, unsigned char *from, goto err; } if (rsa->flags & RSA_FLAG_BLINDING) if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) if (!BN_BLINDING_invert(&ret,rsa->blinding,ctx)) goto err; p=buf; Loading
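Review bot: BLINDING_HELPER is invoked with a complete statement, semicolon included, as its err_instr argument (`BLINDING_HELPER(rsa, ctx, goto err;);`), evaluates `rsa` three times, and repeats the RSA_FLAG_NO_BLINDING test that every caller makes again on the very next line before BN_BLINDING_convert. A small static function expresses the same fast-path/slow-path split with type checking and no macro argument tricks, and the callers collapse to a single `if (!rsa_eay_ensure_blinding(rsa, ctx)) goto err;` in both RSA_eay_private_encrypt and RSA_eay_private_decrypt. The unlocked read of rsa->blinding that the in-code comment calls "racey" survives either way, so that caveat should be kept on whichever form is chosen. The two callers start and end outside the shown hunks.

```c
static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
{
	/* … unchanged: locked create-if-missing … */
}

/* Make sure rsa->blinding exists unless blinding is disabled.
 * The unlocked check is racy by design; rsa_eay_blinding re-checks
 * under CRYPTO_LOCK_RSA before creating anything. */
static int rsa_eay_ensure_blinding(RSA *rsa, BN_CTX *ctx)
{
	if ((rsa->flags & RSA_FLAG_NO_BLINDING) || rsa->blinding != NULL)
		return 1;
	return rsa_eay_blinding(rsa, ctx);
}

/* … in RSA_eay_private_encrypt / RSA_eay_private_decrypt, replacing
 * BLINDING_HELPER(rsa, ctx, goto err;); … */
	if (!rsa_eay_ensure_blinding(rsa, ctx)) goto err;
```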