Re: [ADVISORY] Timing Attack on OpenSSL
Hi, is it recommended to apply the below patch to 0.9.6i as well? We're still releasing both versions, 0.9.6i and 0.9.7a in the Cygwin net distro.

Corinna

On Mon, Mar 17, 2003 at 08:47:01AM +, Ben Laurie wrote:

> I expect a release to follow shortly.
>
> OpenSSL v0.9.7a and 0.9.6i vulnerability
>
> [...]
>
> We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 - @@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; 
@@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)

-- 
Corinna Vinschen
Cygwin Developer
Red Hat, Inc.
mailto:[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
Re: [ADVISORY] Timing Attack on OpenSSL
Corinna Vinschen wrote:

> Hi, is it recommended to apply the below patch to 0.9.6i as well? We're still releasing both versions, 0.9.6i and 0.9.7a in the Cygwin net distro.

Yes.

> Corinna
>
> On Mon, Mar 17, 2003 at 08:47:01AM +, Ben Laurie wrote:
>
> > I expect a release to follow shortly.
> >
> > OpenSSL v0.9.7a and 0.9.6i vulnerability
> >
> > [...]
> >
> > We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 - @@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; 
@@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff
Re: [ADVISORY] Timing Attack on OpenSSL
Is this a new advisory? I've patched for a previous timing attack 2 weeks ago.

On Mon, 2003-03-17 at 03:47, Ben Laurie wrote:

> I expect a release to follow shortly.
>
> OpenSSL v0.9.7a and 0.9.6i vulnerability
>
> Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.
>
> The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.
>
> The performance impact of blinding appears to be small (a few percent).
>
> This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.
>
> We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)
Re: [ADVISORY] Timing Attack on OpenSSL
This is a different vulnerability. The one you patched two weeks ago was caused by a failure to decrypt messages when the MAC comparison failed. This vulnerability is a timing attack against the RSA algorithms.

The Slashdot discussion is here:
http://slashdot.org/article.pl?sid=03/03/14/0012214&mode=thread&tid=172

The paper is here:
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html

Christopher Fowler wrote:

> Is this a new advisory? I've patched for a previous timing attack 2 weeks ago.
[ADVISORY] Timing Attack on OpenSSL
I expect a release to follow shortly.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff


OpenSSL v0.9.7a and 0.9.6i vulnerability

Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few percent).

This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c30 Jan 2003 17:37:46 - 1.28.2.3 +++ crypto/rsa/rsa_eay.c16 Mar 2003 10:34:13 - 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa-blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)-flags RSA_FLAG_BLINDING) \ + ((rsa)-blinding == NULL) \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa-flags RSA_FLAG_BLINDING) (rsa-blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa-flags RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(f,rsa-blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c === RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c30 Jan 2003 17:37:46 - 1.30.2.2 +++ crypto/rsa/rsa_lib.c16 Mar 2003 10:34:13 - @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r-flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)
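Review bot: the first `blinding == NULL` test in BLINDING_HELPER (rsa_eay.c, hunk @@ -195,6 +195,25 @@) is done without CRYPTO_LOCK_RSA and the comment in rsa_eay_blinding already calls it racy; this double-checked pattern is only safe if RSA_blinding_on() stores rsa->blinding as its last step, after the BN_BLINDING is fully initialised, which nothing in this hunk shows. Suggest stating that ordering requirement in a comment next to the macro so a later change to RSA_blinding_on() does not silently break it. (The extracted copy has lost the `->` and `&&`/`&` characters; read `(rsa)-flags RSA_FLAG_BLINDING` as `(rsa)->flags & RSA_FLAG_BLINDING`.)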
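Review bot: in the @@ -239,8 +258,8 @@ and @@ -318,8 +337,8 @@ hunks the removed code called RSA_blinding_on(rsa,ctx) and ignored its return value, so a failed setup left rsa->blinding NULL and the following BN_BLINDING_convert(f,rsa->blinding,ctx) ran on a NULL pointer; routing the failure to `goto err;` through BLINDING_HELPER(rsa, ctx, goto err;) closes that hole. Please confirm the err: label in both RSA_eay_private_encrypt and the decrypt path is prepared to be reached this early, before any later temporaries are allocated, since that path was previously unreachable from here.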
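Review bot: missing NULL check in RSA_new() (rsa_lib.c, hunk @@ -72,7 +72,13 @@): RSA_new_method(NULL) can fail and return NULL, and the new `r->flags|=RSA_FLAG_BLINDING;` (shown with the `->` lost in extraction) then dereferences it, where the old `return(RSA_new_method(NULL));` simply propagated the NULL to the caller. Suggest `if (r != NULL) r->flags |= RSA_FLAG_BLINDING;`. Also, because the flag is set only in RSA_new() and not in RSA_new_method(), RSA objects created through RSA_new_method() directly do not get blinding by default; either the advisory should say so or the flag belongs in RSA_new_method().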
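The countermeasure the advisory turns on by default, as an added illustration (not OpenSSL's code): the private exponentiation runs on m·r^e for a secret random r instead of on the caller's m, and r^-1 strips the factor afterwards, which is what the BN_BLINDING_convert/invert pair in the patched functions does. The key is a constructed toy key and all function names are my own.

```python
"""RSA blinding as a timing-attack countermeasure (added illustration, not OpenSSL code)."""
import secrets
from math import gcd

# Constructed toy key: two 7-digit primes, far too small for real use.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent, E*D == 1 (mod PHI)


def rsa_private_unblinded(m: int, d: int = D, n: int = N) -> int:
    """The exposed shape: the exponentiation runs directly on the caller-chosen m."""
    return pow(m, d, n)


def new_blinding(e: int = E, n: int = N):
    """Pick a random r coprime to n; return (A, Ai) = (r^e mod n, r^-1 mod n).

    Plays the role of RSA_blinding_on(): the costly part is done once per key."""
    while True:
        r = secrets.randbelow(n - 2) + 2          # 2 <= r < n, so A != 1
        if gcd(r, n) == 1:
            return pow(r, e, n), pow(r, -1, n)


def blind(m: int, A: int, n: int = N) -> int:
    """BN_BLINDING_convert step: m -> m * r^e (mod n)."""
    return (m * A) % n


def unblind(s_blind: int, Ai: int, n: int = N) -> int:
    """BN_BLINDING_invert step: r * m^d -> m^d (mod n)."""
    return (s_blind * Ai) % n


def rsa_private_blinded(m: int, blinding, d: int = D, n: int = N) -> int:
    """Private operation with blinding: (m*r^e)^d = m^d * r^(ed) = m^d * r (mod n)."""
    A, Ai = blinding
    s_blind = pow(blind(m, A, n), d, n)   # the timing-relevant step sees m*r^e, not m
    return unblind(s_blind, Ai, n)


def refresh_blinding(blinding, n: int = N):
    """Cheap per-call refresh: squaring both factors yields the pair for r^2, still coprime to n."""
    A, Ai = blinding
    return (A * A) % n, (Ai * Ai) % n
```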