From owner-freebsd-stable  Tue Mar 18  8:51:26 2003
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E832237B401
	for <stable@freebsd.org>; Tue, 18 Mar 2003 08:51:23 -0800 (PST)
Received: from beck.quonix.net (beck.quonix.net [64.239.136.146])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4BD2F43F85
	for <stable@freebsd.org>; Tue, 18 Mar 2003 08:51:23 -0800 (PST)
	(envelope-from essenz@essenz.com)
Received: from beck.quonix.net (localhost.quonix.net [127.0.0.1])
	by beck.quonix.net (8.12.8/8.11.6) with ESMTP id h2IGdKvP071841
	for <stable@freebsd.org>; Tue, 18 Mar 2003 08:39:20 -0800 (PST)
	(envelope-from essenz@essenz.com)
Received: from localhost (essenz@localhost)
	by beck.quonix.net (8.12.8/8.12.8/Submit) with ESMTP id h2IGdK4g071838
	for <stable@freebsd.org>; Tue, 18 Mar 2003 08:39:20 -0800 (PST)
	(envelope-from essenz@essenz.com)
X-Authentication-Warning: beck.quonix.net: essenz owned process doing -bs
Date: Tue, 18 Mar 2003 08:39:20 -0800 (PST)
From: John Von Essen <essenz@essenz.com>
X-X-Sender:  <essenz@beck.quonix.net>
To: <stable@freebsd.org>
Subject: OpennSSL Security Patch in RELENG_4
Message-ID: <20030318083154.N71774-100000@beck.quonix.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-stable.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-stable>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-stable>
X-Loop: FreeBSD.ORG

I just did a cvsup to RELENG_4 and did not see the application
of openssl.org's security patch for v0.9.7a. There is also no bug report
for it.

See: http://www.openssl.org/news/secadv_20030317.txt (for patch info)

I applied the patch manually, I did a make world. Everything compiled
fine. It is only a few lines effecting two files.

John


Index: crypto/rsa/rsa_eay.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
retrieving revision 1.28.2.3
diff -u -r1.28.2.3 rsa_eay.c
--- crypto/rsa/rsa_eay.c	30 Jan 2003 17:37:46 -0000	1.28.2.3
+++ crypto/rsa/rsa_eay.c	16 Mar 2003 10:34:13 -0000
@@ -195,6 +195,25 @@
 	return(r);
 	}

+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+	{
+	int ret = 1;
+	CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+	/* Check again inside the lock - the macro's check is racey */
+	if(rsa->blinding == NULL)
+		ret = RSA_blinding_on(rsa, ctx);
+	CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+	return ret;
+	}
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+	do { \
+		if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+				((rsa)->blinding == NULL) && \
+				!rsa_eay_blinding(rsa, ctx)) \
+			err_instr \
+	} while(0)
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
 	     unsigned char *to, RSA *rsa, int padding)
@@ -239,8 +258,8 @@
 		goto err;
 		}

-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-		RSA_blinding_on(rsa,ctx);
+	BLINDING_HELPER(rsa, ctx, goto err;);
+
 	if (rsa->flags & RSA_FLAG_BLINDING)
 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

@@ -318,8 +337,8 @@
 		goto err;
 		}

-	if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
-		RSA_blinding_on(rsa,ctx);
+	BLINDING_HELPER(rsa, ctx, goto err;);
+
 	if (rsa->flags & RSA_FLAG_BLINDING)
 		if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

Index: crypto/rsa/rsa_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
retrieving revision 1.30.2.2
diff -u -r1.30.2.2 rsa_lib.c
--- crypto/rsa/rsa_lib.c	30 Jan 2003 17:37:46 -0000	1.30.2.2
+++ crypto/rsa/rsa_lib.c	16 Mar 2003 10:34:13 -0000
@@ -72,7 +72,13 @@

 RSA *RSA_new(void)
 	{
-	return(RSA_new_method(NULL));
+	RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+	r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+	return r;
 	}

 void RSA_set_default_method(const RSA_METHOD *meth)





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message