[openssl.org #3060] [PATCH] empty_record_limit

2013-06-04 Thread Adam Langley via RT
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by oftc_must_be_destroyed and George Kadianakis.



0004-empty_record_limit.patch
Description: Binary data


[openssl.org #3061] [PATCH] dsa_crash

2013-06-04 Thread Adam Langley via RT
Don't SEGFAULT when trying to export a public DSA key as a private key.



0005-dsa_crash.patch
Description: Binary data


[openssl.org #3062] [PATCH] asm_volatile

2013-06-04 Thread Adam Langley via RT
Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and memory are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.



0006-asm_volatile.patch
Description: Binary data


[openssl.org #3063] [PATCH] exp_zero_mod_one

2013-06-04 Thread Adam Langley via RT
Ensure that x**0 mod 1 = 0.



0007-exp_zero_mod_one.patch
Description: Binary data


[openssl.org #3064] [PATCH] small_prime_generation

2013-06-04 Thread Adam Langley via RT
Ensure that, when generating small primes, the result is actually of the
requested size. Fixes OpenSSL #2701.

This change does not address the cases of generating safe primes, or
where the |add| parameter is non-NULL.



0008-small_prime_generation.patch
Description: Binary data


[openssl.org #3065] [PATCH] ec_private_key_dont_crash

2013-06-04 Thread Adam Langley via RT
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----



0009-ec_private_key_dont_crash.patch
Description: Binary data


[openssl.org #3066] [PATCH] constant_time_rsa_padding

2013-06-04 Thread Adam Langley via RT
This patch tweaks the OAEP padding check to be slightly more constant
time and rewrites the PKCS#1 v1.5 padding check to the same end.



0010-constant_time_rsa_padding.patch
Description: Binary data


[openssl.org #3067] [PATCH] premaster_constant_time

2013-06-04 Thread Adam Langley via RT
This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.



0011-premaster_constant_time.patch
Description: Binary data


[openssl.org #3068] [PATCH] Safari broken ECDHE-ECDSA workaround

2013-06-04 Thread Rob Stradling via RT
The Safari browser on OSX versions 10.8 to 10.8.3 advertises support for 
several ECDHE-ECDSA ciphers but fails to negotiate them.

When a Safari client connects to an OpenSSL-based server that has the 
attached patch (against the master branch) applied, the server will 
prefer other mutually supported ciphers above ECDHE-ECDSA ciphers.
This patch enables a webserver to have an ECC certificate together with 
an RSA and/or DSA certificate, and to offer ECDHE-ECDSA ciphers without 
fear of breaking compatibility with Safari clients.

The ssl_check_for_safari() function, which fingerprints Safari clients 
based on the TLS Extensions used, was written by Adam Langley.

A representative from Apple has told me that the Safari bug will be 
fixed in OSX 10.8.4.  However, since OSX users won't be forced to 
upgrade, I believe that a significant number of users will still be 
using affected Safari versions a few years from now.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 7ad8a54..fff73eb 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3076,7 +3076,10 @@ void ssl3_clear(SSL *s)
 		OPENSSL_free(s-s3-tlsext_authz_client_types);
 		s-s3-tlsext_authz_client_types = NULL;
 		}
-#endif
+#ifndef OPENSSL_NO_EC
+	s-s3-is_probably_safari = 0;
+#endif /* OPENSSL_NO_EC */
+#endif /* OPENSSL_NO_TLSEXT */
 
 	rp = s-s3-rbuf.buf;
 	wp = s-s3-wbuf.buf;
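Review bot: the reset of is_probably_safari in ssl3_clear is nested under both OPENSSL_NO_TLSEXT and OPENSSL_NO_EC, matching the field's guards in ssl3.h, but this hunk does not show the flag being zeroed when the SSL3_STATE is first allocated; confirm that ssl3_new initialises it too, otherwise the first connection on a freshly created SSL depends on whatever the allocator left in that byte.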
@@ -4145,8 +4148,15 @@ SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		ii=sk_SSL_CIPHER_find(allow,c);
 		if (ii = 0)
 			{
-			ret=sk_SSL_CIPHER_value(allow,ii);
-			break;
+			if ((alg_k  SSL_kEECDH)  (alg_a  SSL_aECDSA)  s-s3-is_probably_safari)
+{
+if (!ret) ret=sk_SSL_CIPHER_value(allow,ii);
+}
+			else
+{
+ret=sk_SSL_CIPHER_value(allow,ii);
+break;
+}
 			}
 		}
 	return(ret);
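Review bot: the demotion of ECDHE-ECDSA suites is gated only on s->s3->is_probably_safari and never on the SSL_OP_SAFARI_ECDHE_ECDSA_BUG option that this same patch adds to ssl.h, so the option bit (and its inclusion in SSL_OP_ALL) has no effect and an application cannot switch the heuristic off; extend the condition to `(alg_k & SSL_kEECDH) && (alg_a & SSL_aECDSA) && s->s3->is_probably_safari && (s->options & SSL_OP_SAFARI_ECDHE_ECDSA_BUG)`. The fallback logic itself is right: the first allowed ECDHE-ECDSA suite is remembered and returned only if nothing else is mutually supported.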
diff --git a/ssl/ssl.h b/ssl/ssl.h
index e14a8d4..dd62578 100644
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@@ -568,6 +568,7 @@ struct ssl_session_st
 #define SSL_OP_SSLEAY_080_CLIENT_DH_BUG			0x0080L
 #define SSL_OP_TLS_D5_BUG0x0100L
 #define SSL_OP_TLS_BLOCK_PADDING_BUG			0x0200L
+#define SSL_OP_SAFARI_ECDHE_ECDSA_BUG			0x0400L
 
 /* Disable SSL 3.0/TLS 1.0 CBC vulnerability workaround that was added
  * in OpenSSL 0.9.6d.  Usually (depending on the application protocol)
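Review bot: a new SSL_OP_* bit needs a matching entry in doc/ssl/SSL_CTX_set_options.pod saying what the workaround does and which client versions it targets; none is included in this patch. Also confirm that 0x0400L is not already assigned to another option further down ssl.h, since the hunk only shows its immediate neighbours (0x0080L to 0x0200L).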
@@ -578,7 +579,7 @@ struct ssl_session_st
 
 /* SSL_OP_ALL: various bug workarounds that should be rather harmless.
  * This used to be 0x000FL before 0.9.7. */
-#define SSL_OP_ALL	0x8BFFL
+#define SSL_OP_ALL	0x8FFFL
 
 /* DTLS options */
 #define SSL_OP_NO_QUERY_MTU 0x1000L
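Review bot: 0x8BFFL | 0x0400L is 0x8FFFL, so the mask arithmetic is correct, but adding the bit to SSL_OP_ALL enables the Safari heuristic for every application that uses SSL_OP_ALL, and the comment above describes these as workarounds that "should be rather harmless"; the t1_lib.c comment admits the fingerprint also matches 10.6 and 10.7 clients whose ECDHE-ECDSA works, so those clients lose a forward-secret ECDSA suite they could have used. Either document that trade-off next to SSL_OP_ALL or leave the bit out of SSL_OP_ALL and let servers opt in.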
diff --git a/ssl/ssl3.h b/ssl/ssl3.h
index d8ed725..0b900b5 100644
--- a/ssl/ssl3.h
+++ b/ssl/ssl3.h
@@ -577,7 +577,14 @@ typedef struct ssl3_state_st
 	 * server echoed our server_authz extension and therefore must send us
 	 * a supplemental data handshake message. */
 	char tlsext_authz_server_promised;
-#endif
+
+#ifndef OPENSSL_NO_EC
+	/* This is set to true if we believe that this is a version of Safari
+	 * running on OS X 10.6 .. 10.8. We wish to know this because Safari
+	 * on 10.8 has broken ECDHE-ECDSA support. */
+	char is_probably_safari;
+#endif	/* OPENSSL_NO_EC */
+#endif	/* OPENSSL_NO_TLSEXT */
 	} SSL3_STATE;
 
 #endif
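Review bot: the comment on is_probably_safari should say what sets it (ssl_check_for_safari in t1_lib.c, from the ClientHello extension block) and that the match is a heuristic which also fires for 10.6 and 10.7, so a reader of the struct does not treat the field as authoritative. The nesting under OPENSSL_NO_EC inside OPENSSL_NO_TLSEXT is consistent with the reset added in s3_lib.c.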
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 31daa50..c5e2b85 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -1716,6 +1716,89 @@ unsigned char *ssl_add_serverhello_tlsext(SSL *s, unsigned char *p, unsigned cha
 	return ret;
 	}
 
+#ifndef OPENSSL_NO_EC
+/* ssl_check_for_safari attempts to fingerprint Safari using OS X
+ * SecureTransport using the TLS extension block in |d|, of length |n|.
+ * Safari, since 10.6, sends exactly these extensions, in this order:
+ *   SNI,
+ *   elliptic_curves
+ *   ec_point_formats
+ *
+ * We wish to fingerprint Safari because they broke ECDHE-ECDSA support in 10.8,
+ * but they advertise support. So enabling ECDHE-ECDSA ciphers breaks them.
+ * Sadly we cannot differentiate 10.6 and 10.7 (which work), from 10.8 (which
+ * doesn't).
+ */
+static void ssl_check_for_safari(SSL *s, const unsigned char *data, const unsigned char *d, int n) {
+	unsigned short type, size;
+	static const unsigned char kSafariExtensionsBlock[] = {
+		0x00, 0x0a,  /* elliptic_curves extension */
+		0x00, 0x08,  /* 8 bytes */
+		0x00, 0x06,  /* 6 bytes of curve ids */
+		0x00, 0x17,  /* P-256 */
+		0x00, 0x18,  /* P-384 */
+		0x00, 0x19,  /* P-521 */
+
+		0x00, 0x0b,  /* ec_point_formats */
+		0x00, 0x02,  /* 2 bytes */
+		0x01,/* 1 point format */
+		0x00,/* uncompressed */
+	};
+
+	/* The following is only present in TLS 1.2 */
+	static const unsigned char kSafariTLS12ExtensionsBlock[] = {
+		0x00, 0x0d,  /* signature_algorithms */
+		0x00, 0x0c,  /* 12 bytes */
+		0x00, 0x0a,  /* 10 bytes */
+		0x05, 0x01,  /* SHA-384/RSA */
+		0x04, 0x01,  /* SHA-256/RSA */
+		0x02, 0x01,  /* SHA-1/RSA */
+		0x04, 0x03, 
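Review bot: the signature takes both `data` and `d` together with `n`, but the block comment documents only |d| and |n|; say what `data` is for, or drop it if it is unused. The fingerprint is a whole-block byte comparison (exactly P-256, P-384, P-521 in that order plus a single uncompressed point format), so any other client stack that emits an identical extension set will be demoted as well; worth a sentence in the comment. The hunk as received is cut off inside the TLS 1.2 signature_algorithms table, so the comparison logic that follows it could not be reviewed here.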

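As an added example (not OpenSSL's code and not part of Rob's patch), the following Python reproduces the server-side mechanism the post describes: parse a ClientHello extensions vector, apply the same byte-for-byte fingerprint that the patch's kSafariExtensionsBlock encodes, and then choose a cipher the way the ssl3_choose_cipher hunk does, keeping an ECDHE-ECDSA suite only as a last resort for a suspected Safari client. The TLS 1.2 signature_algorithms variant is omitted because the page's copy of that table is cut off. All function and constant names are this example's own, and the sample ClientHello extension bytes are constructed for the demonstration.

```python
# Added example: ClientHello extension parsing, the Safari extension-block
# fingerprint from the patch, and the cipher-selection rule from the
# ssl3_choose_cipher hunk. Names and sample bytes are this example's own.

EXT_SERVER_NAME = 0x0000

# Byte-for-byte the patch's kSafariExtensionsBlock: elliptic_curves with
# P-256, P-384, P-521, followed by ec_point_formats with "uncompressed" only.
SAFARI_EXTENSIONS_BLOCK = bytes([
    0x00, 0x0a, 0x00, 0x08, 0x00, 0x06, 0x00, 0x17, 0x00, 0x18, 0x00, 0x19,
    0x00, 0x0b, 0x00, 0x02, 0x01, 0x00,
])


def parse_extensions(block):
    """Parse a TLS extensions vector: uint16 total length, then repeated
    (uint16 type, uint16 length, data) records. Every length is checked
    against the block, so a truncated or padded block raises ValueError
    instead of accidentally matching a fingerprint."""
    if len(block) < 2:
        raise ValueError("missing extensions length")
    end = 2 + int.from_bytes(block[:2], "big")
    if end != len(block):
        raise ValueError("extensions length does not match block size")
    exts, pos = [], 2
    while pos < end:
        if end - pos < 4:
            raise ValueError("truncated extension header")
        etype = int.from_bytes(block[pos:pos + 2], "big")
        elen = int.from_bytes(block[pos + 2:pos + 4], "big")
        if pos + 4 + elen > end:
            raise ValueError("extension body overruns block")
        exts.append((etype, block[pos:pos + 4 + elen]))  # type, raw record bytes
        pos += 4 + elen
    return exts


def is_probably_safari(block):
    """Safari on OS X 10.6..10.8 sends exactly SNI, elliptic_curves and
    ec_point_formats, in that order, with the last two equal to
    SAFARI_EXTENSIONS_BLOCK byte for byte. Anything else is 'not Safari'."""
    try:
        exts = parse_extensions(block)
    except ValueError:
        return False
    if len(exts) != 3 or exts[0][0] != EXT_SERVER_NAME:
        return False
    return exts[1][1] + exts[2][1] == SAFARI_EXTENSIONS_BLOCK


def choose_cipher(preferred, allowed, probably_safari):
    """Mirror of the ssl3_choose_cipher hunk: walk the preference list, skip
    suites the peer does not allow, and for a suspected Safari client remember
    the first ECDHE-ECDSA suite as a fallback instead of selecting it."""
    fallback = None
    for name in preferred:
        if name not in allowed:
            continue
        if probably_safari and name.startswith("ECDHE-ECDSA-"):
            if fallback is None:
                fallback = name
        else:
            return name
    return fallback


# Constructed sample ClientHello extension vectors (not captured traffic).
def sni_extension(hostname):
    name = hostname.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name          # NameType host_name
    name_list = len(entry).to_bytes(2, "big") + entry
    return (EXT_SERVER_NAME.to_bytes(2, "big")
            + len(name_list).to_bytes(2, "big") + name_list)


def extensions_vector(*raw_exts):
    body = b"".join(raw_exts)
    return len(body).to_bytes(2, "big") + body


SAMPLE_SAFARI = extensions_vector(sni_extension("example.com"), SAFARI_EXTENSIONS_BLOCK)
# Same curves and point formats, but one extra extension (renegotiation_info),
# so the exact-block fingerprint must reject it.
SAMPLE_OTHER = extensions_vector(sni_extension("example.com"), SAFARI_EXTENSIONS_BLOCK,
                                 bytes([0xff, 0x01, 0x00, 0x01, 0x00]))

if __name__ == "__main__":
    prefs = ["ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]
    allowed = {"ECDHE-ECDSA-AES128-SHA", "ECDHE-RSA-AES128-SHA"}
    for label, block in (("safari-like", SAMPLE_SAFARI), ("other", SAMPLE_OTHER)):
        flag = is_probably_safari(block)
        print(label, "probably_safari =", flag, "->", choose_cipher(prefs, allowed, flag))
```

The parser rejects any block whose lengths do not add up, which is what keeps an exact-bytes fingerprint like this one from being satisfied by a malformed or padded hello; the fallback in choose_cipher is only reached when no other mutually supported suite exists, exactly as in the hunk.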
[openssl.org #2701] BN_generate_prime_ex can generate too large primes

2013-06-04 Thread Ben Laurie via RT
On Wed Feb 01 14:02:51 2012, dominik.oe...@informatik.hu-berlin.de wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> BN_generate_prime_ex can generate prime numbers larger than the
> specified bitsize. The problem can be reproduced using the following
> commands:
>
> [do@trinity tmp]$ openssl genrsa -out rsa.key 1
> Generating RSA private key, 1 bit long modulus
> .+++

Fixed in master at 96a4c31be3344cb08994a9d460c0ebd55939cc5b.

__
OpenSSL Project http://www.openssl.org
Development Mailing List   openssl-dev@openssl.org
Automated List Manager   majord...@openssl.org


Re: [openssl.org #3065] [PATCH] ec_private_key_dont_crash

2013-06-04 Thread Matt Caswell
On 4 June 2013 13:49, Adam Langley via RT r...@openssl.org wrote:
> This change saves several EC routines from crashing when an EC_KEY is
> missing a public key. The public key is optional in the EC private key
> format and, without this patch, running the following through `openssl
> ec` causes a crash:
>
> -----BEGIN EC PRIVATE KEY-----
> MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
> -----END EC PRIVATE KEY-----


Interesting...I'm not sure though that fixing some of the functions in
the ec library to handle missing public keys is the correct approach.
I believe that the ec library extensively assumes that a public key is
mandatory, whilst a private key is optional.

Really I think the underlying problem is that the EC_KEY is not being
constructed properly in the first place. I propose an alternative fix.
If the public key is missing then it should be derived.

Here is my patch.

Matt


ec-privkey-fix.patch
Description: Binary data



[openssl.org #3069] An enhancement to EC key generation to enable compact point representation

2013-06-04 Thread Andrey Jivsov via RT
A tweak to generate keys in a way that will enable the efficient point 
compression, described in 
http://tools.ietf.org/html/draft-jivsov-ecc-compact.

This request doesn't change any format/API, doesn't introduce 
compression, and doesn't lower security.

However, because the method to generate compact ECC representation 
depends on compliant key generation and keys migrate across software 
packages, this change enables thus generated keys to be efficiently 
represented, if and when the efficient representation is implemented and 
supported.

The patch is for the openssl-1.0.1e; in a single function 
EC_KEY_generate_key, file crypto/ec/ec_key.c.

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index 7fa2475..3a403a9 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -284,6 +284,46 @@ int EC_KEY_generate_key(EC_KEY *eckey)
 	if (!EC_POINT_mul(eckey-group, pub_key, priv_key, NULL, NULL, ctx))
 		goto err;
 
+	{
+		/* We want the Q=(x,y) be a compliant key in terms of the http://tools.ietf.org/html/draft-jivsov-ecc-compact,
+		 * which simply means that we choose either Q=(x,y) or -Q=(x,p-y) such that we end up with the min(y,p-y) as the y coordinate.
+		 * Such a public key allows the most efficient compression: y can simply be dropped because without any loss of security. 
+		 * Given the x, we know that the y is a minimum of the two possibilities.
+		 */
+		const EC_METHOD *meth = EC_GROUP_method_of(eckey-group);
+		const int is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
+
+		if( is_prime )  {
+			BIGNUM	*ec_p, *ec_a, *ec_b, *ec_p_y, *ec_x, *ec_y;
+
+			ec_p 	= BN_CTX_get(ctx);
+			ec_a 	= BN_CTX_get(ctx);
+			ec_b 	= BN_CTX_get(ctx);
+			ec_p_y 	= BN_CTX_get(ctx);
+			ec_x 	= BN_CTX_get(ctx);
+			ec_y 	= BN_CTX_get(ctx);
+
+			if ( ec_p == NULL || ec_a == NULL || ec_b == NULL || ec_p_y == NULL)
+{
+goto err;
+}
+			if (!EC_GROUP_get_curve_GFp(eckey-group, ec_p, ec_a, ec_b, NULL))  {
+goto err;
+			}
+			if (!EC_POINT_get_affine_coordinates_GFp(eckey-group, pub_key, ec_x, ec_y, ctx))  {
+goto err;
+			}
+			BN_sub( ec_p_y, ec_p, ec_y );
+
+			if( BN_cmp( ec_p_y, ec_y )  0  )  {
+/* will need conversion, 50% of the time */
+BN_sub( priv_key, order, priv_key );
+if (!EC_POINT_set_affine_coordinates_GFp(eckey-group, pub_key, ec_x, ec_p_y, ctx))
+	goto err;
+			}
+		}
+	}
+
 	eckey-priv_key = priv_key;
 	eckey-pub_key  = pub_key;
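Review bot: ec_x and ec_y are obtained from BN_CTX_get but the NULL check covers only ec_p, ec_a, ec_b and ec_p_y; BN_CTX_get returns NULL once the context is exhausted and the later EC_POINT_get_affine_coordinates_GFp call would then dereference ec_x/ec_y, so extend the check to all six. The two BN_sub calls (`BN_sub( ec_p_y, ec_p, ec_y );` and `BN_sub( priv_key, order, priv_key );`) discard their return values; check them and goto err on failure like the surrounding code does. BN_CTX_get also requires a preceding BN_CTX_start, and neither BN_CTX_start nor BN_CTX_end appears in the hunk; confirm the enclosing function brackets ctx, or wrap this block in BN_CTX_start/BN_CTX_end. The normalisation itself is sound: (x, p-y) is -Q and (order - k)G = -Q, so the private scalar and public point stay a valid pair.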
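The following is an added example, not OpenSSL's code and not Andrey's patch: a pure-Python walk-through over secp256k1 (domain parameters from SEC 2, so it runs offline) of the normalisation the hunk performs, namely replacing Q by -Q and k by order - k whenever p - y < y so that the public point's y coordinate is min(y, p - y), followed by the compression and decompression that this makes possible. It also covers the point of the RT #3065 reply above, deriving Q = kG when a private key arrives without its public point. The helper names (derive_public_key, generate_compact_keypair, compress, decompress) are this example's own assumptions.

```python
# Added example (not OpenSSL's code): compact-friendly EC key generation as in
# RT #3069, plus deriving the public key from the private scalar as proposed
# in the RT #3065 reply. Pure Python over secp256k1; helper names are our own.
import secrets

# secp256k1 domain parameters (SEC 2). p == 3 (mod 4), so a modular square
# root is a single exponentiation by (p + 1) / 4.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
A = 0
B = 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + Ax + B over GF(P); None is infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:                       # Q + (-Q) = infinity
            return None
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def derive_public_key(priv):
    """What the RT #3065 reply proposes: compute Q = k*G when the key carries no Q."""
    if not 1 <= priv < N:
        raise ValueError("private scalar out of range")
    return ec_mul(priv, G)


def generate_compact_keypair(priv=None):
    """Return (k, Q) with Q.y == min(y, p - y), mirroring the patch's branch:
    if p - y < y, replace Q by -Q = (x, p - y) and k by order - k, because
    (order - k)*G == -Q, so the pair remains consistent."""
    if priv is None:
        priv = 1 + secrets.randbelow(N - 1)
    x, y = derive_public_key(priv)
    if P - y < y:                                    # the BN_cmp(p - y, y) < 0 branch
        priv = N - priv
        y = P - y
    return priv, (x, y)


def compress(pub):
    """Compact form: the x coordinate alone, with no sign or parity byte."""
    return pub[0]


def decompress(x):
    """Recover a compact-form point: solve y^2 = x^3 + Ax + B, take min(y, p - y)."""
    rhs = (pow(x, 3, P) + A * x + B) % P
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:                             # rhs was a non-residue
        raise ValueError("x is not the abscissa of a curve point")
    return (x, min(y, P - y))


if __name__ == "__main__":
    k, q = generate_compact_keypair()
    assert derive_public_key(k) == q                 # private and public still match
    assert decompress(compress(q)) == q              # x alone recovers the point
    print("compact keypair OK; y <= p - y:", q[1] <= P - q[1])
```

Two things the code makes concrete that the patch description only states: the negation costs nothing in security because k and order - k are equally likely under uniform generation, and the receiver never needs a sign bit because the convention "y is the smaller of the two roots" is reproducible from x alone.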