15th Mar 2003 [SBWID-6066]
COMMAND
	OpenSSL and other crypto library timing attack vulnerability
SYSTEMS AFFECTED
	OpenSSL, Crypto++ and others
PROBLEM
	David Brumley says:
	Dan Boneh and I have been researching timing attacks against software
	crypto libraries. Timing attacks are usually used to attack weak
	computing devices such as smartcards. We've successfully developed and
	mounted timing attacks against software crypto libraries running on
	general purpose PCs.
	We found that we can recover an RSA secret from OpenSSL using anywhere
	from only 300,000 to 1.4 million queries. We demonstrated our attack
	was practical by successfully launching an attack against Apache +
	mod_SSL and stunnel on the local network. Our results show that timing
	attacks are practical against widely-deployed servers running on the
	network.
	To our knowledge, OpenSSL and derived crypto libraries are vulnerable.
	Mozilla's NSS is not vulnerable, as it implements RSA blinding.
	Crypto++ is not vulnerable in practice due to its sliding windows
	implementation (least to most significant; most to least is
	vulnerable).
	The results indicate that all crypto implementations should defend
	against timing attacks.
	This paper was submitted to Usenix Security 03. The link to the paper
	is here:

	http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
	
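	The countermeasure both posts refer to is RSA blinding: before the private exponentiation the input is multiplied by r^e for a fresh random r, and the result is multiplied by r^-1 afterwards, so the exponentiation never operates on a value the remote party chose. The following Python is an added illustration of that transform; it is not code from the advisory, from OpenSSL or from NSS, and it uses a constructed toy key (two small primes) purely so the numbers stay readable. The blinding arithmetic is the same at real key sizes.

```python
import secrets
from math import gcd

# Constructed demo key: small primes chosen only so the values stay readable.
# A real key uses primes hundreds of digits long; the blinding step is identical.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent


def private_op_unblinded(c, d=D, n=N):
    """Plain RSA private operation: the modular exponentiation works directly
    on the caller-supplied value c, so its running time is a function of c
    and of the secret exponent d together."""
    return pow(c, d, n)


def blind(c, e=E, n=N):
    """Pick a fresh random r coprime to n and return (c * r^e mod n, r^-1 mod n).
    Multiplying by r^e before exponentiation makes the base that the
    exponentiation sees uniformly random and independent of c."""
    while True:
        r = secrets.randbelow(n)
        if r > 1 and gcd(r, n) == 1:
            break
    return (c * pow(r, e, n)) % n, pow(r, -1, n)


def private_op_blinded(c, d=D, e=E, n=N):
    """RSA private operation with blinding, the countermeasure the advisory
    discusses. Returns (result, blinded_base); the second value is exposed
    only so a test can confirm the exponentiation never saw c itself."""
    blinded, r_inv = blind(c, e, n)
    s = pow(blinded, d, n)            # timing of this step is now unrelated to c
    # Unblind: (c * r^e)^d = c^d * r^(ed) = c^d * r (mod n), so multiply by r^-1.
    return (s * r_inv) % n, blinded


def roundtrip_ok(c, e=E, n=N):
    """Both paths must give the same signature, and it must verify with (e, n)."""
    s_plain = private_op_unblinded(c)
    s_blind, _ = private_op_blinded(c)
    return s_plain == s_blind and pow(s_blind, e, n) == c % n


if __name__ == "__main__":
    msg = 123456789
    sig, base = private_op_blinded(msg)
    print("roundtrip ok:", roundtrip_ok(msg))
    print("exponentiation operated on", base, "rather than", msg)
```

	Each call draws a new r, so two private operations on the same input present two unrelated bases to the exponentiation; that is what removes the input-dependent timing signal the researchers exploited, at the cost of one extra modular exponentiation and one inversion per operation.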
SOLUTION
	See the recommendations in the white paper.

	Update (17 March 2003)
	======================
	Ben Laurie [[email protected]] comments:
	Researchers have discovered a timing attack on RSA keys, to which
	OpenSSL is generally vulnerable, unless RSA blinding has been turned
	on.

	Typically, it will not have been, because it is not easily possible to
	do so when using OpenSSL to provide SSL or TLS.

	The enclosed patch switches blinding on by default. Applications that
	wish to can remove the blinding with RSA_blinding_off(), but this is
	not generally advised. It is also possible to disable it completely by
	defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

	The performance impact of blinding appears to be small (a few percent).

	This problem affects many applications using OpenSSL, in particular,
	almost all SSL-enabled Apaches. You should rebuild and reinstall
	OpenSSL, and all affected applications.

	The Common Vulnerabilities and Exposures project (cve.mitre.org) has
	assigned the name CAN-2003-0147 to this issue.

	We strongly advise upgrading OpenSSL in all cases, as a precaution.
	
	Attachment: openssl-sec3.patch (text/plain)
	Index: crypto/rsa/rsa_eay.c
	===================================================================
	RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
	retrieving revision 1.28.2.3
	diff -u -r1.28.2.3 rsa_eay.c
	--- crypto/rsa/rsa_eay.c	30 Jan 2003 17:37:46 -0000	1.28.2.3
	+++ crypto/rsa/rsa_eay.c	16 Mar 2003 10:34:13 -0000
	@@ -195,6 +195,25 @@
	 	return(r);
	 	}
	+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
	+	{
	+	int ret = 1;
	+	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
	+	/* Check again inside the lock - the macro's check is racey */
	+	if(rsa->blinding == NULL)
	+		ret = RSA_blinding_on(rsa, ctx);
	+	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
	+	return ret;
	+	}
	+
	+#define BLINDING_HELPER(rsa, ctx, err_instr) \
	+	do { \
	+		if(((rsa)->flags & RSA_FLAG_BLINDING) && \
	+				((rsa)->blinding == NULL) && \
	+				!rsa_eay_blinding(rsa, ctx)) \
	+			err_instr \
	+	} while(0)
	+
	 /* signing */
	 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
	 	     unsigned char *to, RSA *rsa, int padding)
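	Review bot: the double-checked pattern reads rsa->blinding outside the lock in BLINDING_HELPER and again inside rsa_eay_blinding; the comment already concedes the outer check is racy ("racey" should read "racy"), so correctness rests on an unsynchronised pointer read being harmless on every supported platform, which deserves to be stated in the comment rather than left implicit. The macro's err_instr argument has to carry its own semicolon (both call sites pass `goto err;`); a one-line comment above the #define saying so would spare the next caller a confusing compile error inside the do/while. Also note that rsa_eay_blinding takes the process-wide CRYPTO_LOCK_RSA write lock rather than anything per key, so first-use setup on one key briefly serialises private operations on all keys; fine for a one-time cost, but worth mentioning in the comment.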
	@@ -239,8 +258,8 @@
	 		goto err;
	 		}
	-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	-		RSA_blinding_on(rsa,ctx);
	+	BLINDING_HELPER(rsa, ctx, goto err;);
	+
	 	if (rsa->flags & RSA_FLAG_BLINDING)
	 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
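	Review bot: this call site now fails closed when blinding cannot be set up, whereas the removed lines ignored the return value of RSA_blinding_on and silently continued unblinded; that is the right change. Please confirm that RSA_blinding_on pushes a reason onto the error queue on failure, otherwise an application reaching the new `goto err;` from RSA_eay_private_encrypt gets a failed signature with nothing to explain why. The RSA_FLAG_BLINDING test on the following line repeats the one inside the macro; harmless, but a short comment that the macro only creates the blinding state while this line applies it would stop the two checks reading as a redundancy.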
	@@ -318,8 +337,8 @@
	 		goto err;
	 		}
	-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
	-		RSA_blinding_on(rsa,ctx);
	+	BLINDING_HELPER(rsa, ctx, goto err;);
	+
	 	if (rsa->flags & RSA_FLAG_BLINDING)
	 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
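	Review bot: same change applied to the second private-key call site further down rsa_eay.c (the enclosing function name is outside the shown context), so both call sites in this file are now consistent. Because the fix relies on every private-key exponentiation passing through BLINDING_HELPER, it would be worth a search for any other caller of RSA_blinding_on or direct use of rsa->blinding in the tree, plus a regression test that exercises both patched paths with RSA_FLAG_BLINDING set, so a future path that bypasses the helper is caught.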
	Index: crypto/rsa/rsa_lib.c
	===================================================================
	RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
	retrieving revision 1.30.2.2
	diff -u -r1.30.2.2 rsa_lib.c
	--- crypto/rsa/rsa_lib.c	30 Jan 2003 17:37:46 -0000	1.30.2.2
	+++ crypto/rsa/rsa_lib.c	16 Mar 2003 10:34:13 -0000
	@@ -72,7 +72,13 @@
	 RSA *RSA_new(void)
	 	{
	-	return(RSA_new_method(NULL));
	+	RSA *r=RSA_new_method(NULL);
	+
	+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
	+	r->flags|=RSA_FLAG_BLINDING;
	+#endif
	+
	+	return r;
	 	}
	 void RSA_set_default_method(const RSA_METHOD *meth)
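	Review bot: `r->flags|=RSA_FLAG_BLINDING;` dereferences r before checking it, and RSA_new_method(NULL) returns NULL on allocation failure, so what used to be a NULL returned to the caller becomes a NULL pointer dereference; add `if (r == NULL) return NULL;` (or guard the |= with `if (r != NULL)`) ahead of the #ifndef. Since RSA_new is only a wrapper around RSA_new_method, keys created by calling RSA_new_method directly (for example with an ENGINE) do not receive the flag and stay unblinded; setting the default inside RSA_new_method would cover both constructors. A comment beside OPENSSL_NO_FORCE_RSA_BLINDING noting that defining it reintroduces CAN-2003-0147 would also help anyone tempted by the compile-time switch.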