rpms/openssl097a/FC-4 openssl-0.9.7a-can-2005-2969.patch, NONE, 1.1 openssl-0.9.7a-dsa-consttime.patch, NONE, 1.1
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Oct 11 20:18:49 UTC 2005
Author: tmraz
Update of /cvs/dist/rpms/openssl097a/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv5289
Added Files:
openssl-0.9.7a-can-2005-2969.patch
openssl-0.9.7a-dsa-consttime.patch
Log Message:
* Tue Oct 11 2005 Tomas Mraz <tmraz at redhat.com> 0.9.7a-3.1
- fix CAN-2005-2969 - neutralize SSL_OP_MSIE_SSLV2_RSA_PADDING, which
disabled the countermeasure against the man-in-the-middle protocol-version
rollback attack in SSLv2 (#169863)
- more fixes for constant time/memory access for DSA signature algorithm
- updated ICA engine patch
openssl-0.9.7a-can-2005-2969.patch:
doc/ssl/SSL_CTX_set_options.pod | 2 +-
ssl/s23_srvr.c | 7 +------
ssl/ssl.h | 2 +-
3 files changed, 3 insertions(+), 8 deletions(-)
--- NEW FILE openssl-0.9.7a-can-2005-2969.patch ---
Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
(part of SSL_OP_ALL). This option used to disable the
countermeasure against man-in-the-middle protocol-version
rollback in the SSL 2.0 server implementation, which is a bad
idea.
Index: doc/ssl/SSL_CTX_set_options.pod
===================================================================
RCS file: /e/openssl/cvs/openssl/doc/ssl/SSL_CTX_set_options.pod,v
retrieving revision 1.9.2.4
diff -u -r1.9.2.4 SSL_CTX_set_options.pod
--- doc/ssl/SSL_CTX_set_options.pod 22 Mar 2005 17:54:13 -0000 1.9.2.4
+++ doc/ssl/SSL_CTX_set_options.pod 23 Sep 2005 03:38:43 -0000
@@ -86,7 +86,7 @@
=item SSL_OP_MSIE_SSLV2_RSA_PADDING
-...
+This option has no effect now.
=item SSL_OP_SSLEAY_080_CLIENT_DH_BUG
Index: ssl/s23_srvr.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s23_srvr.c,v
retrieving revision 1.41.2.6
diff -u -r1.41.2.6 s23_srvr.c
--- ssl/s23_srvr.c 31 Jan 2005 01:33:35 -0000 1.41.2.6
+++ ssl/s23_srvr.c 23 Sep 2005 03:38:44 -0000
@@ -268,9 +268,6 @@
int n=0,j;
int type=0;
int v[2];
-#ifndef OPENSSL_NO_RSA
- int use_sslv2_strong=0;
-#endif
if (s->state == SSL23_ST_SR_CLNT_HELLO_A)
{
@@ -528,9 +525,7 @@
}
s->state=SSL2_ST_GET_CLIENT_HELLO_A;
- if ((s->options & SSL_OP_MSIE_SSLV2_RSA_PADDING) ||
- use_sslv2_strong ||
- (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3))
+ if (s->options & SSL_OP_NO_TLSv1 && s->options & SSL_OP_NO_SSLv3)
s->s2->ssl2_rollback=0;
else
/* reject SSL 2.0 session if client supports SSL 3.0 or TLS 1.0
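Review bot: The rewritten condition on the `if` line mixes bitwise `&` with `&&` and relies on precedence; it parses as intended because `&` binds tighter, but it reads more clearly and survives later edits as `if ((s->options & SSL_OP_NO_TLSv1) && (s->options & SSL_OP_NO_SSLv3))`. I would also add a why-comment above it, since this is now the only case in which the rollback check is switched off: `/* Rollback detection only matters when a higher protocol could have been negotiated; with SSLv3 and TLSv1 both disabled there is nothing to roll back from, so it is safe to skip. */`. The enclosing function continues outside the hunk, and the trailing comment at the end of the hunk is cut mid-sentence.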
Index: ssl/ssl.h
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/ssl.h,v
retrieving revision 1.126.2.23
diff -u -r1.126.2.23 ssl.h
--- ssl/ssl.h 10 Jun 2005 20:00:39 -0000 1.126.2.23
+++ ssl/ssl.h 23 Sep 2005 03:38:47 -0000
@@ -467,7 +467,7 @@
#define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#define SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG 0x00000010L
#define SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER 0x00000020L
-#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L
+#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect due to CAN-2005-2969 */
#define SSL_OP_SSLEAY_080_CLIENT_DH_BUG 0x00000080L
#define SSL_OP_TLS_D5_BUG 0x00000100L
#define SSL_OP_TLS_BLOCK_PADDING_BUG 0x00000200L
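Review bot: The new comment on the `SSL_OP_MSIE_SSLV2_RSA_PADDING` line says the option has no effect but not why the bit is still defined; the patch description states the option is part of `SSL_OP_ALL`, so removing the define would change that mask's value and the meaning of every caller that sets it. I would make that explicit so nobody "cleans it up" later: `#define SSL_OP_MSIE_SSLV2_RSA_PADDING 0x00000040L /* no effect since CAN-2005-2969; bit kept so SSL_OP_ALL and existing callers are unchanged */`. Whether anything still reads this bit elsewhere is not visible in the hunk.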
openssl-0.9.7a-dsa-consttime.patch:
dsa_ossl.c | 30 +++++++++++++++++++++++++++---
1 files changed, 27 insertions(+), 3 deletions(-)
--- NEW FILE openssl-0.9.7a-dsa-consttime.patch ---
openssl/crypto/dsa/dsa_ossl.c 1.12.2.9 -> 1.12.2.10
--- openssl/crypto/dsa/dsa_ossl.c 2005/05/16 01:26:04 1.12.2.9
+++ openssl/crypto/dsa/dsa_ossl.c 2005/05/26 04:40:42 1.12.2.10
@@ -172,7 +172,7 @@
static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp)
{
BN_CTX *ctx;
- BIGNUM k,*kinv=NULL,*r=NULL;
+ BIGNUM k,kq,*K,*kinv=NULL,*r=NULL;
int ret=0;
if (!dsa->p || !dsa->q || !dsa->g)
@@ -182,6 +182,7 @@
}
BN_init(&k);
+ BN_init(&kq);
if (ctx_in == NULL)
{
@@ -191,7 +192,6 @@
ctx=ctx_in;
if ((r=BN_new()) == NULL) goto err;
- kinv=NULL;
/* Get random k */
do
@@ -211,7 +211,30 @@
}
/* Compute r = (g^k mod p) mod q */
- if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,&k,dsa->p,ctx,
+
+ if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
+ {
+ if (!BN_copy(&kq, &k)) goto err;
+
+ /* We do not want timing information to leak the length of k,
+ * so we compute g^k using an equivalent exponent of fixed length.
+ *
+ * (This is a kludge that we need because the BN_mod_exp_mont()
+ * does not let us specify the desired timing behaviour.) */
+
+ if (!BN_add(&kq, &kq, dsa->q)) goto err;
+ if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))
+ {
+ if (!BN_add(&kq, &kq, dsa->q)) goto err;
+ }
+
+ K = &kq;
+ }
+ else
+ {
+ K = &k;
+ }
+ if (!dsa->meth->bn_mod_exp(dsa, r,dsa->g,K,dsa->p,ctx,
(BN_MONT_CTX *)dsa->method_mont_p)) goto err;
if (!BN_mod(r,r,dsa->q,ctx)) goto err;
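Review bot: The second `BN_add` guarded by `if (BN_num_bits(&kq) <= BN_num_bits(dsa->q))` runs only for some values of the secret nonce k, so the very code meant to hide k's length introduces a branch whose timing (and the resulting BIGNUM resize) depends on whether k+q crosses the 2^bits(q) boundary. Assuming k is drawn below q by the loop above the hunk, k+q and k+2q are both congruent to k modulo q and g has order q, so both are valid exponents; computing both sums unconditionally and then selecting the one that is exactly one bit longer than q removes the data-dependent work (upstream later hardened this same pattern along these lines, tracked as CVE-2018-0734 if I recall correctly). The existing comment should also say why the substitute exponent is equivalent, which it currently does not. This change needs a second temporary declared, `BN_init`ed and `BN_clear_free`d alongside `kq` in the earlier and later hunks, and the exponentiation still goes through `dsa->meth->bn_mod_exp`, whose own timing behaviour is outside this patch.
```c
	if ((dsa->flags & DSA_FLAG_NO_EXP_CONSTTIME) == 0)
		{
		/* g has order q, so g^(k+q) == g^(k+2q) == g^k (mod p).  Both sums
		 * are computed unconditionally (no branch on k's magnitude) and the
		 * one that is exactly one bit longer than q is used, so the exponent
		 * length handed to bn_mod_exp never depends on k. */
		if (!BN_add(&kq, &k, dsa->q)) goto err;
		if (!BN_add(&kq2, &kq, dsa->q)) goto err;
		K = (BN_num_bits(&kq) > BN_num_bits(dsa->q)) ? &kq : &kq2;
		}
	/* … unchanged: else branch, bn_mod_exp call and BN_mod … */
```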
@@ -234,6 +257,7 @@
if (ctx_in == NULL) BN_CTX_free(ctx);
if (kinv != NULL) BN_clear_free(kinv);
BN_clear_free(&k);
+ BN_clear_free(&kq);
return(ret);
}