git: 0ad812e6cda6 - stable/11 - OpenSSL: Fix the RSA_SSLV23_PADDING padding type

Jung-uk Kim jkim at FreeBSD.org
Wed Sep 1 02:00:55 UTC 2021 

The branch stable/11 has been updated by jkim:

URL: https://cgit.FreeBSD.org/src/commit/?id=0ad812e6cda6c0138b821902b53cf070b79ddd5b

commit 0ad812e6cda6c0138b821902b53cf070b79ddd5b
Author:     Matt Caswell <matt at openssl.org>
AuthorDate: 2021-09-01 01:57:12 +0000
Commit:     Jung-uk Kim <jkim at FreeBSD.org>
CommitDate: 2021-09-01 02:00:02 +0000

    OpenSSL: Fix the RSA_SSLV23_PADDING padding type
    
    This also fixes the public function RSA_padding_check_SSLv23.
    
    Commit 6555a89 changed the padding check logic in RSA_padding_check_SSLv23
    so that padding is rejected if the nul delimiter byte is not immediately
    preceded by at least 8 bytes containing 0x03. Prior to that commit the
    padding is rejected if it *is* preceded by at least 8 bytes containing 0x03.
    
    Presumably this change was made to be consistent with what it says in
    appendix E.3 of RFC 5246. Unfortunately that RFC is in error, and the
    original behaviour was correct. This is fixed in later errata issued for
    that RFC.
    
    Applications that use SSLv2 or call RSA_paddin_check_SSLv23 directly, or
    use the RSA_SSLV23_PADDING mode may be impacted. The effect of the original
    error is that an RSA message encrypted by an SSLv2 only client will fail to
    be decrypted properly by a TLS capable server, or a message encrypted by a
    TLS capable client will fail to decrypt on an SSLv2 only server. Most
    significantly an RSA message encrypted by a TLS capable client will be
    successfully decrypted by a TLS capable server. This last case should fail
    due to a rollback being detected.
    
    Thanks to D. Katz and Joel Luellwitz (both from Trustwave) for reporting
    this issue.
    
    CVE-2021-23839
    
    https://github.com/openssl/openssl/commit/30919ab80a478f2d81f2e9acdcca3fa4740cd547
---
 crypto/openssl/crypto/rsa/rsa_ssl.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/crypto/openssl/crypto/rsa/rsa_ssl.c b/crypto/openssl/crypto/rsa/rsa_ssl.c
index 6f25acdac47a..bdc20c16c00a 100644
--- a/crypto/openssl/crypto/rsa/rsa_ssl.c
+++ b/crypto/openssl/crypto/rsa/rsa_ssl.c
@@ -104,7 +104,7 @@ int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
 
 /*
  * Copy of RSA_padding_check_PKCS1_type_2 with a twist that rejects padding
- * if nul delimiter is not preceded by 8 consecutive 0x03 bytes. It also
+ * if nul delimiter is preceded by 8 consecutive 0x03 bytes. It also
  * preserves error code reporting for backward compatibility.
  */
 int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
@@ -171,7 +171,13 @@ int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
                                    RSA_R_NULL_BEFORE_BLOCK_MISSING);
     mask = ~good;
 
-    good &= constant_time_ge(threes_in_row, 8);
+    /*
+     * Reject if nul delimiter is preceded by 8 consecutive 0x03 bytes. Note
+     * that RFC5246 incorrectly states this the other way around, i.e. reject
+     * if it is not preceded by 8 consecutive 0x03 bytes. However this is
+     * corrected in subsequent errata for that RFC.
+     */
+    good &= constant_time_lt(threes_in_row, 8);
     err = constant_time_select_int(mask | good, err,
                                    RSA_R_SSLV3_ROLLBACK_ATTACK);
     mask = ~good;

More information about the dev-commits-src-branches mailing list