lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1047910652.7556.0.camel@cfowler.outpostsentinel.com>
From: cfowler at outpostsentinel.com (Christopher Fowler)
Subject: Re: [ADVISORY] Timing Attack on OpenSSL

Is this a new advisory.  I've patched for a previous timing attack 2
weeks ago.
On Mon, 2003-03-17 at 03:47, Ben Laurie wrote:
> I expect a release to follow shortly.
> 
> -- 
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> 
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
> ----
> 

> OpenSSL v0.9.7a and 0.9.6i vulnerability
> ----------------------------------------
> 
> Researchers have discovered a timing attack on RSA keys, to which
> OpenSSL is generally vulnerable, unless RSA blinding has been turned
> on.
> 
> Typically, it will not have been, because it is not easily possible to
> do so when using OpenSSL to provide SSL or TLS.
> 
> The enclosed patch switches blinding on by default. Applications that
> wish to can remove the blinding with RSA_blinding_off(), but this is
> not generally advised. It is also possible to disable it completely by
> defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.
> 
> The performance impact of blinding appears to be small (a few
> percent).
> 
> This problem affects many applications using OpenSSL, in particular,
> almost all SSL-enabled Apaches. You should rebuild and reinstall
> OpenSSL, and all affected applications.
> 
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the name CAN-2003-0147 to this issue.
> 
> We strongly advise upgrading OpenSSL in all cases, as a precaution.
> ----
> 

> Index: crypto/rsa/rsa_eay.c
> ===================================================================
> RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
> retrieving revision 1.28.2.3
> diff -u -r1.28.2.3 rsa_eay.c
> --- crypto/rsa/rsa_eay.c	30 Jan 2003 17:37:46 -0000	1.28.2.3
> +++ crypto/rsa/rsa_eay.c	16 Mar 2003 10:34:13 -0000
> @@ -195,6 +195,25 @@
>  	return(r);
>  	}
>  
> +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
> +	{
> +	int ret = 1;
> +	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
> +	/* Check again inside the lock - the macro's check is racey */
> +	if(rsa->blinding == NULL)
> +		ret = RSA_blinding_on(rsa, ctx);
> +	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
> +	return ret;
> +	}
> +
> +#define BLINDING_HELPER(rsa, ctx, err_instr) \
> +	do { \
> +		if(((rsa)->flags & RSA_FLAG_BLINDING) && \
> +				((rsa)->blinding == NULL) && \
> +				!rsa_eay_blinding(rsa, ctx)) \
> +			err_instr \
> +	} while(0)
> +
>  /* signing */
>  static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
>  	     unsigned char *to, RSA *rsa, int padding)
> @@ -239,8 +258,8 @@
>  		goto err;
>  		}
>  
> -	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
> -		RSA_blinding_on(rsa,ctx);
> +	BLINDING_HELPER(rsa, ctx, goto err;);
> +
>  	if (rsa->flags & RSA_FLAG_BLINDING)
>  		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
>  
> @@ -318,8 +337,8 @@
>  		goto err;
>  		}
>  
> -	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
> -		RSA_blinding_on(rsa,ctx);
> +	BLINDING_HELPER(rsa, ctx, goto err;);
> +
>  	if (rsa->flags & RSA_FLAG_BLINDING)
>  		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
>  
> Index: crypto/rsa/rsa_lib.c
> ===================================================================
> RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
> retrieving revision 1.30.2.2
> diff -u -r1.30.2.2 rsa_lib.c
> --- crypto/rsa/rsa_lib.c	30 Jan 2003 17:37:46 -0000	1.30.2.2
> +++ crypto/rsa/rsa_lib.c	16 Mar 2003 10:34:13 -0000
> @@ -72,7 +72,13 @@
>  
>  RSA *RSA_new(void)
>  	{
> -	return(RSA_new_method(NULL));
> +	RSA *r=RSA_new_method(NULL);
> +
> +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
> +	r->flags|=RSA_FLAG_BLINDING;
> +#endif
> +
> +	return r;
>  	}
>  
>  void RSA_set_default_method(const RSA_METHOD *meth)



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ