[ADVISORY] Timing Attack on OpenSSL From: Ben Laurie <ben@algroup.co.uk> To: Bugtraq <BUGTRAQ@securityfocus.com> Date: Yesterday 09.47.01 I expect a release to follow shortly. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ "There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff OpenSSL v0.9.7a and 0.9.6i vulnerability ---------------------------------------- Researchers have discovered a timing attack on RSA keys, to which OpenSSL is generally vulnerable, unless RSA blinding has been turned on. Typically, it will not have been, because it is not easily possible to do so when using OpenSSL to provide SSL or TLS. The enclosed patch switches blinding on by default. Applications that wish to can remove the blinding with RSA_blinding_off(), but this is not generally advised. It is also possible to disable it completely by defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time. The performance impact of blinding appears to be small (a few percent). This problem affects many applications using OpenSSL, in particular, almost all SSL-enabled Apaches. You should rebuild and reinstall OpenSSL, and all affected applications. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0147 to this issue. We strongly advise upgrading OpenSSL in all cases, as a precaution. Index: crypto/rsa/rsa_eay.c =================================================================== RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v retrieving revision 1.28.2.3 diff -u -r1.28.2.3 rsa_eay.c --- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3 +++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000 
@@ -195,6 +195,25 @@ return(r); } +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) + { + int ret = 1; + CRYPTO_w_lock(CRYPTO_LOCK_RSA); + /* Check again inside the lock - the macro's check is racey */ + if(rsa->blinding == NULL) + ret = RSA_blinding_on(rsa, ctx); + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); + return ret; + } + +#define BLINDING_HELPER(rsa, ctx, err_instr) \ + do { \ + if(((rsa)->flags & RSA_FLAG_BLINDING) && \ + ((rsa)->blinding == NULL) && \ + !rsa_eay_blinding(rsa, ctx)) \ + err_instr \ + } while(0) + /* signing */ static int RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -239,8 +258,8 @@ goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; @@ -318,8 +337,8 @@ goto err; } - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) - RSA_blinding_on(rsa,ctx); + BLINDING_HELPER(rsa, ctx, goto err;); + if (rsa->flags & RSA_FLAG_BLINDING) if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; Index: crypto/rsa/rsa_lib.c =================================================================== RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v retrieving revision 1.30.2.2 diff -u -r1.30.2.2 rsa_lib.c --- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2 +++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000 @@ -72,7 +72,13 @@ RSA *RSA_new(void) { - return(RSA_new_method(NULL)); + RSA *r=RSA_new_method(NULL); + +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING + r->flags|=RSA_FLAG_BLINDING; +#endif + + return r; } void RSA_set_default_method(const RSA_METHOD *meth)
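Review bot: in the first hunk (rsa_eay_blinding / BLINDING_HELPER), the new lock covers only the creation of rsa->blinding; the later BN_BLINDING_convert(&f,rsa->blinding,ctx) calls in the private-key paths still run outside CRYPTO_LOCK_RSA, so two threads signing with the same RSA structure will share and update one blinding state concurrently. Either state in a comment that a shared RSA key must not be used from several threads for private operations, or extend the locking to cover the convert/invert pair. The unlocked read of (rsa)->blinding in the macro before the locked re-check is fine as a fast path, as the comment already says.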
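Review bot: in the second hunk (@@ -239,8 +258,8 @@, RSA_eay_private_encrypt), `BLINDING_HELPER(rsa, ctx, goto err;);` now turns a failure of RSA_blinding_on into a failure of the whole signing operation, which was previously ignored; this is the right call, but the `goto err` path does not add an error reason of its own, so callers will only see a reason if RSA_blinding_on pushed one. Worth confirming, or adding an RSAerr(...) before the goto, so a failed signature is diagnosable.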
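Review bot: the third hunk (@@ -318,8 +337,8 @@, the decrypt path) repeats the same replacement, and in both call sites the third macro argument is a complete statement including its semicolon (`goto err;`) followed by the macro's own `;`. That works because err_instr is pasted as a bare statement inside the do/while, but it is easy to misuse; a one-line comment on the macro saying that err_instr must be a full statement, or having the macro append the semicolon itself, would make the two call sites less surprising.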
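Review bot: in the rsa_lib.c hunk, `RSA *r=RSA_new_method(NULL);` is dereferenced as `r->flags|=RSA_FLAG_BLINDING;` without a NULL check, so an allocation failure inside RSA_new_method now crashes instead of returning NULL as the old one-line version did; guard it with `if (r != NULL)`. Also note that keys created through RSA_new_method() directly (rather than RSA_new()) do not get the flag, so the "blinding on by default" promise in the advisory only holds for RSA_new() callers; setting the flag inside RSA_new_method would cover both.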
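The countermeasure the patch above enables is RSA blinding. The block below is an added illustration in Python, not code from the advisory or from OpenSSL: it shows the arithmetic that BN_BLINDING_convert/invert perform around the private-key exponentiation, and checks that the blinded and unblinded results agree. The key is a constructed toy key (two ~30-bit primes) and nothing here is constant-time; it only demonstrates why the blinded computation never exponentiates the attacker's chosen ciphertext directly.

```python
"""
Added example, not from the advisory or from OpenSSL: RSA blinding, the
countermeasure the patch turns on by default (RSA_FLAG_BLINDING).
The key below is a constructed toy key; a real key has a modulus of at
least 2048 bits.  Plain Python integers, nothing constant-time.
"""
import math
import secrets

# Constructed toy key (primes chosen for illustration only).
P = 1000000007
Q = 998244353
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def rsa_public(m, e=E, n=N):
    """Textbook RSA public operation m^e mod n."""
    return pow(m, e, n)


def rsa_private_unblinded(c, d=D, n=N):
    """Plain c^d mod n.  Its running time depends on c and d, which is the
    signal a timing attack on the private key measures."""
    return pow(c, d, n)


def random_blinding_factor(n=N):
    """Random r in [2, n) with gcd(r, n) == 1, so r is invertible mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r


def rsa_private_blinded(c, d=D, e=E, n=N, r=None):
    """Blinded private-key operation (what BN_BLINDING_convert/invert do).

    The exponentiation is applied to c * r^e, a value the attacker neither
    chose nor can predict, so the measured timing no longer correlates with
    the submitted ciphertext.  Since (c * r^e)^d = c^d * r^(e*d) = c^d * r
    (mod n), multiplying by r^-1 afterwards recovers c^d.
    """
    if r is None:
        r = random_blinding_factor(n)
    c_blind = (c * pow(r, e, n)) % n      # BN_BLINDING_convert
    m_blind = pow(c_blind, d, n)          # the private exponentiation
    return (m_blind * pow(r, -1, n)) % n  # BN_BLINDING_invert


def blinding_preserves_result(m):
    """Check that blinded and unblinded decryption agree for message m."""
    c = rsa_public(m)
    return rsa_private_blinded(c) == rsa_private_unblinded(c) == m


if __name__ == "__main__":
    print(blinding_preserves_result(123456789))
```

Each call draws a fresh r, which is what removes the correlation between the attacker's ciphertext and the timing of the exponentiation; the advisory's "few percent" cost is the extra r^e and r^-1 computations (OpenSSL amortises these by updating a stored blinding pair rather than recomputing from scratch).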
Created attachment 9600 [details, diff] openssl-timing-attack-rsa.patch the patch from above
Created attachment 9601 [details] openssl-0.9.6i.ebuild ebuild applying the security patch. Patches/compiles fine here.
Created attachment 9602 [details] openssl-0.9.7a.ebuild ebuild applying the security patch. Patches/compiles fine here.
[OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding From: Bodo Moeller <bodo@openssl.org> (OpenSSL Project) To: openssl-announce@openssl.org, openssl-users@openssl.org, openssl-dev@openssl.org, BUGTRAQ@securityfocus.com, full-disclosure@lists.netsys.com Date: Yesterday 20.36.19 OpenSSL Security Advisory [19 March 2003] Klima-Pokorny-Rosa attack on RSA in SSL/TLS =========================================== Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have come up with an extension of the "Bleichenbacher attack" on RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0. Their attack requires the attacker to open millions of SSL/TLS connections to the server under attack; the server's behaviour when faced with specially made-up RSA ciphertexts can reveal information that in effect allows the attacker to perform a single RSA private key operation on a ciphertext of its choice using the server's RSA key. Note that the server's RSA key is not compromised in this attack. This problem affects all applications using the OpenSSL SSL/TLS library. OpenSSL releases up to 0.9.6i and 0.9.7a are vulnerable. The enclosed patch modifies SSL/TLS server behaviour to avoid the vulnerability. Security Patch -------------- The following patch can be applied to OpenSSL releases 0.9.6b up to 0.9.6i, 0.9.7, and 0.9.7a. --- s3_srvr.c 29 Nov 2002 11:31:51 -0000 1.85.2.14 +++ s3_srvr.c 19 Mar 2003 18:00:00 -0000 @@ -1447,7 +1447,7 @@ if (i != SSL_MAX_MASTER_KEY_LENGTH) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_RSA_DECRYPT); */ } if ((al == -1) && !((p[0] == (s->client_version>>8)) && (p[1] == (s->client_version & 0xff)))) 
@@ -1463,30 +1463,29 @@ (p[0] == (s->version>>8)) && (p[1] == (s->version & 0xff)))) { al=SSL_AD_DECODE_ERROR; - SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); - goto f_err; + /* SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ + + /* The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except + * that the version number is wrong. To avoid such attacks, + * we should treat this just like any other decryption error. */ + p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19"; } } if (al != -1) { -#if 0 - goto f_err; -#else /* Some decryption failure -- use random value instead as countermeasure * against Bleichenbacher's attack on PKCS #1 v1.5 RSA padding - * (see RFC 2246, section 7.4.7.1). - * But note that due to length and protocol version checking, the - * attack is impractical anyway (see section 5 in D. Bleichenbacher: - * "Chosen Ciphertext Attacks Against Protocols Based on the RSA - * Encryption Standard PKCS #1", CRYPTO '98, LNCS 1462, pp. 1-12). - */ + * (see RFC 2246, section 7.4.7.1). */ ERR_clear_error(); i = SSL_MAX_MASTER_KEY_LENGTH; p[0] = s->client_version >> 8; p[1] = s->client_version & 0xff; RAND_pseudo_bytes(p+2, i-2); /* should be RAND_bytes, but we cannot work around a failure */ -#endif } s->session->master_key_length= References ---------- Report "Attacking RSA-based Sessions in SSL/TLS" by V. Klima, O. Pokorny, and T. Rosa: http://eprint.iacr.org/2003/052/ The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0131 to this issue. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 URL for this Security Advisory: http://www.openssl.org/news/secadv_20030319.txt
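Review bot: in the first s3_srvr.c hunk (@@ -1447,7 +1447,7 @@), the SSLerr call is commented out rather than removed, and `al=SSL_AD_DECODE_ERROR;` is still assigned even though no alert will now be sent for a bad length; al has become a plain "decryption failed" flag. Delete the dead line and add a short comment at the assignment saying that al only selects the random-premaster path, so a later reader does not reintroduce the error report.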
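Review bot: in the second hunk (@@ -1463,30 +1463,29 @@), the line `p[0] = (char)(int) "CAN-2003-0131 patch 2003-03-19";` stores the low byte of a string literal's address into p[0]. It is harmless here only because the `al != -1` branch below overwrites p[0] with `s->client_version >> 8`, but it reads as a bug, and the pointer-to-int cast truncates on 64-bit targets and will draw compiler warnings. If the intent is to leave a recognisable marker string in the binary, say so in the comment and use a construct that does not touch the key buffer (for example a static const char array); otherwise drop the line. The removal of `goto f_err` and the explanatory comment above it are the actual fix and look correct: all three failure cases now fall through to the same random-premaster substitution.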
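The patch's point is that a server must answer every bad premaster-secret decryption identically. The following Python block is an added model of that check, not part of the advisory or of OpenSSL's code: it takes already-decrypted PKCS #1 v1.5 blocks (the RSA operation and the transport are left out), shows the pre-patch handler in which a wrong version number still produced an alert (the "bad version oracle"), and the patched handler that treats every failure like a decryption error and substitutes client_version || random bytes. All byte strings and the 128-byte block size are constructed for illustration, and the function names are hypothetical.

```python
"""
Added example, not from the advisory or from OpenSSL: toy server-side
handling of the RSA-encrypted premaster secret, before and after the
CAN-2003-0131 change.  Inputs are already-decrypted PKCS #1 v1.5 blocks.
"""
import os

PREMASTER_LEN = 48            # SSL_MAX_MASTER_KEY_LENGTH
CLIENT_VERSION = b"\x03\x01"  # TLS 1.0 as offered in ClientHello


def make_block(premaster):
    """Build a constructed 128-byte PKCS #1 v1.5 type 2 block around premaster."""
    ps = b"\x01" * (128 - 3 - len(premaster))      # non-zero padding string
    return b"\x00\x02" + ps + b"\x00" + premaster


# Constructed sample blocks: well-formed, wrong version, broken padding.
PREMASTER_GOOD = CLIENT_VERSION + bytes(range(46))
EM_GOOD = make_block(PREMASTER_GOOD)
EM_BAD_VERSION = make_block(b"\x03\x00" + bytes(range(46)))
EM_BAD_PADDING = b"\x00\x01" + EM_GOOD[2:]        # type 1 marker, not type 2


def pkcs1_v15_unpad(em):
    """Return the payload of a PKCS #1 v1.5 type 2 block, or None if malformed.

    Layout: 0x00 || 0x02 || PS (at least 8 non-zero bytes) || 0x00 || M
    """
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep < 10:              # -1 (no separator) or PS shorter than 8 bytes
        return None
    return em[sep + 1:]


def handle_vulnerable(em, client_version, rng=os.urandom):
    """Pre-patch behaviour: padding and length failures are masked with a
    random premaster secret, but a wrong version number raises an alert."""
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN:
        return ("ok", client_version + rng(PREMASTER_LEN - 2))
    if m[:2] != client_version:
        # A distinguishable response: this is the "bad version oracle".
        return ("alert", "bad_protocol_version_number")
    return ("ok", m)


def handle_hardened(em, client_version, rng=os.urandom):
    """Patched behaviour: any failure, the version mismatch included, is
    handled like a decryption error and replaced with a random value.
    The handshake then fails later at Finished, exactly as it would for
    a random guess, so the peer learns nothing about the padding."""
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN or m[:2] != client_version:
        m = client_version + rng(PREMASTER_LEN - 2)
    return ("ok", m)


def leaks_version_oracle(handler, client_version=CLIENT_VERSION):
    """True if the handler answers a well-padded block with the wrong
    version differently from a block whose padding is broken."""
    fixed = lambda n: b"\x00" * n     # deterministic stand-in for RAND_bytes
    bad_pad = handler(EM_BAD_PADDING, client_version, rng=fixed)
    bad_ver = handler(EM_BAD_VERSION, client_version, rng=fixed)
    return bad_pad[0] != bad_ver[0]


if __name__ == "__main__":
    print("pre-patch leaks:", leaks_version_oracle(handle_vulnerable))
    print("patched leaks:  ", leaks_version_oracle(handle_hardened))
```

The model only covers the visible response; RFC 2246 section 7.4.7.1, which the patch cites, also expects the failure path to take about the same time as the success path, so a production implementation must make the unpadding and substitution branch-free as well.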
glsa sent