Is this a new advisory. I've patched for a previous timing attack 2 weeks ago. On Mon, 2003-03-17 at 03:47, Ben Laurie wrote: > I expect a release to follow shortly. > > -- > http://www.apache-ssl.org/ben.html http://www.thebunker.net/ > > "There is no limit to what a man can do or how far he can go if he > doesn't mind who gets the credit." - Robert Woodruff > ---- > > OpenSSL v0.9.7a and 0.9.6i vulnerability > ---------------------------------------- > > Researchers have discovered a timing attack on RSA keys, to which > OpenSSL is generally vulnerable, unless RSA blinding has been turned > on. > > Typically, it will not have been, because it is not easily possible to > do so when using OpenSSL to provide SSL or TLS. > > The enclosed patch switches blinding on by default. Applications that > wish to can remove the blinding with RSA_blinding_off(), but this is > not generally advised. It is also possible to disable it completely by > defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time. > > The performance impact of blinding appears to be small (a few > percent). > > This problem affects many applications using OpenSSL, in particular, > almost all SSL-enabled Apaches. You should rebuild and reinstall > OpenSSL, and all affected applications. > > The Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the name CAN-2003-0147 to this issue. > > We strongly advise upgrading OpenSSL in all cases, as a precaution. > ---- > > Index: crypto/rsa/rsa_eay.c > =================================================================== > RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v > retrieving revision 1.28.2.3 > diff -u -r1.28.2.3 rsa_eay.c > --- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3 > +++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000 > @@ -195,6 +195,25 @@ > return(r); > } > > +static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx) > + { > + int ret = 1; > + CRYPTO_w_lock(CRYPTO_LOCK_RSA); > + /* Check again inside the lock - the macro's check is racey */ > + if(rsa->blinding == NULL) > + ret = RSA_blinding_on(rsa, ctx); > + CRYPTO_w_unlock(CRYPTO_LOCK_RSA); > + return ret; > + } > + > +#define BLINDING_HELPER(rsa, ctx, err_instr) \ > + do { \ > + if(((rsa)->flags & RSA_FLAG_BLINDING) && \ > + ((rsa)->blinding == NULL) && \ > + !rsa_eay_blinding(rsa, ctx)) \ > + err_instr \ > + } while(0) > + > /* signing */ > static int RSA_eay_private_encrypt(int flen, const unsigned char *from, > unsigned char *to, RSA *rsa, int padding) > @@ -239,8 +258,8 @@ > goto err; > } > > - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) > - RSA_blinding_on(rsa,ctx); > + BLINDING_HELPER(rsa, ctx, goto err;); > + > if (rsa->flags & RSA_FLAG_BLINDING) > if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; > > @@ -318,8 +337,8 @@ > goto err; > } > > - if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL)) > - RSA_blinding_on(rsa,ctx); > + BLINDING_HELPER(rsa, ctx, goto err;); > + > if (rsa->flags & RSA_FLAG_BLINDING) > if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err; > > Index: crypto/rsa/rsa_lib.c > =================================================================== > RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v > retrieving revision 1.30.2.2 > diff -u -r1.30.2.2 rsa_lib.c > --- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2 > +++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000 > @@ -72,7 +72,13 @@ > > RSA *RSA_new(void) > { > - return(RSA_new_method(NULL)); > + RSA *r=RSA_new_method(NULL); > + > +#ifndef OPENSSL_NO_FORCE_RSA_BLINDING > + r->flags|=RSA_FLAG_BLINDING; > +#endif > + > + return r; > } > > void RSA_set_default_method(const RSA_METHOD *meth) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Mon Mar 17 2003 - 07:43:10 PST