6729804 2001-07-10 13:03 +0200  /225 lines/ Bodo Moeller <bodo@openssl.org>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10  17:43  by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: openssl-security@openssl.org
Recipient: Bugtraq (import) <17896>
Subject: OpenSSL Security Advisory: PRNG weakness in versions up to 0.9.6a
------------------------------------------------------------
From: Bodo Moeller <bodo@openssl.org>
To: bugtraq@securityfocus.com
Message-ID: <20010710130317.A1949@openssl.org>

OpenSSL Security Advisory [10 July 2001]

WEAKNESS OF THE OpenSSL PRNG IN VERSIONS UP TO OpenSSL 0.9.6a
-------------------------------------------------------------

CONTENTS:
 - Synopsis
 - Detailed problem description
 - Solution
 - Impact
 - Source code patch [*]
 - Acknowledgement

[*] OpenSSL 0.9.6b has been corrected and does not require this patch.

The source code of OpenSSL 0.9.6b is available as file
openssl-0.9.6b.tar.gz from <URL:
ftp://ftp.openssl.org/source;type=d>.  If you were previously using
the "engine" release of OpenSSL 0.9.6 or 0.9.6a, obtain file
openssl-engine-0.9.6b.tar.gz instead.

MD5 checksums:
     openssl-0.9.6b.tar.gz          bd8c4d8c5bafc7a4d55d152989fdb327
     openssl-engine-0.9.6b.tar.gz   ab5ca5b157459c49bdab06a7db8a5a47

OpenSSL source code can also be obtained from a number of mirror
sites.  For a list, see <URL:
http://www.openssl.org/source/mirror.html>.

If you are using a pre-compiled OpenSSL package, please look for
update information from the respective software distributor.  The
OpenSSL group itself does not distribute OpenSSL binaries.


SYNOPSIS
--------

The pseudo-random number generator (PRNG) in SSLeay/OpenSSL versions
up to 0.9.6a is weakened by a design error.  Knowing the output of
specific PRNG requests (including a number of consecutive very short
PRNG requests) would allow an attacker to determine the PRNG's
internal state and thus to predict future PRNG output.

Typical applications (including applications using OpenSSL's SSL/TLS
library) are not vulnerable to this attack because PRNG requests
usually happen in larger chunks.  However, we strongly recommend
upgrading to OpenSSL 0.9.6b, which includes a fixed PRNG.
If upgrading to 0.9.6b is not immediately possible, the source
code patch contained at the end of this advisory should be applied.



DETAILED PROBLEM DESCRIPTION
----------------------------

Recently a cryptographic flaw in OpenSSL's built-in pseudo-random
number generator (PRNG) was pointed out to us by Markku-Juhani
O. Saarinen <markku-juhani.saarinen@nokia.com>, who showed how an
attacker could reconstruct the PRNG's internal state from the output
of a couple of hundred 1-byte PRNG requests.  This problem dates back
to SSLeay, which OpenSSL is based on, and was found in other
SSLeay-based toolkits as well.  While a number of enhancements have
been done to the original PRNG during the development of OpenSSL,
this design error was overlooked so far.

The PRNG (implemented in source code file crypto/md_rand.c) uses a
hash function, by default SHA-1, to update its internal secret state
and to generate output.  The secret state consists of two components:
A chaining variable 'md', sized according to the hash function's
output (160 bits for SHA-1), and a large buffer 'state'.  'md' is
always replaced by a hash function output during the PRNG's operation.
'state' is accessed circularly and is used for storing additional
entropy.

When generating output bytes, OpenSSL versions up to 0.9.6a set 'md'
to the hash of one half of its previous value and some other data,
including bytes from 'state'.  The design error was that the half of
'md' input to the hash function was the same half that was also used
as PRNG output, meaning that it in general cannot be considered
secret.  Also the number of bytes used from 'state' depended on the
number of bytes requested as PRNG output and could be as small as one,
allowing for easy brute-force analysis of all possible cases.
The combination of these effects made it possible to reconstruct
the complete internal PRNG state from the output of one PRNG request
appropriately sized to gain knowledge on 'md' followed by enough
consecutive 1-byte PRNG requests to traverse all of 'state'.


SOLUTION
--------

OpenSSL 0.9.6b changes the PRNG implementation as follows to give the
PRNG its intended strength:

1. When updating 'md' during PRNG output generation, all of the
   previous 'md' value is hashed, including the secret half.

2. Also, the number of bytes from 'state' included into the hash is
   now independent from the number of PRNG bytes requested.

The first measure alone would be sufficient to solve the problem.  The
second measure makes sure that additional data from 'state' is never
mixed in in small portions; this heuristically further strengthens the
PRNG.


IMPACT
------

It is unlikely for applications to request PRNG bytes in a pattern
allowing for the attack against the OpenSSL PRNG.  Typically,
applications will request PRNG bytes in larger chunks.
No application is known to us which is actually vulnerable.

However, the PRNG design flaw is a significant weakness: The PRNG does
not provide the intended strength under all circumstances.  Therefore,
we strongly recommend that all users upgrade to OpenSSL 0.9.6b as soon
as possible.


SOURCE CODE PATCH
-----------------

If upgrading to OpenSSL 0.9.6b is not immediately possible, the
following patch should be applied to file crypto/rand/md_rand.c in the
OpenSSL source code tree.  (The patch is compatible with OpenSSL
versions 0.9.5 up to 0.9.6a.)  This changes the PRNG in two ways, as
discussed above.

--- md_rand.c
+++ md_rand.c
@@ -313,6 +313,7 @@
 	{
 	static volatile int stirred_pool = 0;
 	int i,j,k,st_num,st_idx;
+	int num_ceil;
 	int ok;
 	long md_c[2];
 	unsigned char local_md[MD_DIGEST_LENGTH];
@@ -333,6 +334,12 @@
 		}
 #endif
 
+	if (num <= 0)
+		return 1;
+	
+	/* round upwards to multiple of MD_DIGEST_LENGTH/2 */
+	num_ceil = (1 + (num-1)/(MD_DIGEST_LENGTH/2)) *
(MD_DIGEST_LENGTH/2);
+
 	/*
 	 * (Based on the rand(3) manpage:)
 	 *
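Review bot: the `num_ceil = ...` assignment has been wrapped onto two lines in transit, and the continuation `(MD_DIGEST_LENGTH/2);` carries no leading `+`, so `patch` will reject this hunk as malformed; rejoin it into a single `+` line before applying. The early `if (num <= 0) return 1;` sits correctly before the `state_index+=num_ceil` arithmetic of the later hunk, so a zero-length request no longer touches the state bookkeeping at all.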
@@ -418,11 +425,11 @@
 	md_c[1] = md_count[1];
 	memcpy(local_md, md, sizeof md);
 
-	state_index+=num;
+	state_index+=num_ceil;
 	if (state_index > state_num)
 		state_index %= state_num;
 
-	/* state[st_idx], ..., state[(st_idx + num - 1) % st_num]
+	/* state[st_idx], ..., state[(st_idx + num_ceil - 1) % st_num]
 	 * are now ours (but other threads may use them too) */
 
 	md_count[0] += 1;
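Review bot: `state_index+=num_ceil` reserves a whole multiple of MD_DIGEST_LENGTH/2 state bytes per request, which is only correct if the output loop below consumes exactly MD_DIGEST_LENGTH/2 state bytes on every iteration, including the final short one where `j < MD_DIGEST_LENGTH/2`; that invariant deserves a comment here, not just the updated range comment.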
@@ -434,6 +441,7 @@
 
 	while (num > 0)
 		{
+		/* num_ceil -= MD_DIGEST_LENGTH/2 */
 		j=(num >= MD_DIGEST_LENGTH/2)?MD_DIGEST_LENGTH/2:num;
 		num-=j;
 		MD_Init(&m);
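Review bot: `/* num_ceil -= MD_DIGEST_LENGTH/2 */` is a statement inside a comment and reads like disabled code; since `num_ceil` is not referenced anywhere inside the loop, either drop the line or reword it to say that each iteration consumes MD_DIGEST_LENGTH/2 of the state bytes reserved via `state_index` above.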
@@ -444,27 +452,28 @@
 			curr_pid = 0;
 			}
 #endif
-		MD_Update(&m,&(local_md[MD_DIGEST_LENGTH/2]),MD_DIGEST_LENGTH/2);
+		MD_Update(&m,local_md,MD_DIGEST_LENGTH);
 		MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
 #ifndef PURIFY
 		MD_Update(&m,buf,j); /* purify complains */
 #endif
-		k=(st_idx+j)-st_num;
+		k=(st_idx+MD_DIGEST_LENGTH/2)-st_num;
 		if (k > 0)
 			{
-			MD_Update(&m,&(state[st_idx]),j-k);
+			MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2-k);
 			MD_Update(&m,&(state[0]),k);
 			}
 		else
-			MD_Update(&m,&(state[st_idx]),j);
+			MD_Update(&m,&(state[st_idx]),MD_DIGEST_LENGTH/2);
 		MD_Final(local_md,&m);
 
-		for (i=0; i<j; i++)
+		for (i=0; i<MD_DIGEST_LENGTH/2; i++)
 			{
 			state[st_idx++]^=local_md[i]; /* may compete with other threads */
-			*(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
 			if (st_idx >= st_num)
 				st_idx=0;
+			if (i < j)
+				*(buf++)=local_md[i+MD_DIGEST_LENGTH/2];
 			}
 		}
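Review bot: the `if (i < j)` guard is what keeps the loop from writing past the caller's buffer now that it always runs MD_DIGEST_LENGTH/2 iterations regardless of `j`; a one-line comment at that point would spare the next reader from wondering why the XOR into `state` and the copy into `buf` no longer share a bound. Both measures from the advisory are otherwise visible in this hunk: `MD_Update(&m,local_md,MD_DIGEST_LENGTH)` now hashes the half of `local_md` that is never emitted, and the `state` reads and XORs are fixed at MD_DIGEST_LENGTH/2 instead of `j`, with the wrap-around case (`k > 0`) using the same constant consistently.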
 
*** END OF PATCH ***


ACKNOWLEDGEMENT
---------------

We thank Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>
for discovering the PRNG problem and bringing it to our attention.


URL for this Security Advisory:
http://www.openssl.org/news/secadv_prng.txt
(6729804) /Bodo Moeller <bodo@openssl.org>/(Rewrapped)
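To make the advisory's two points concrete, the following is an added Python model of the md_rand.c output loop; it is not OpenSSL's code and not part of the advisory, and it assumes away seeding, locking, PID mixing and the hashing of the caller's buffer. With `fixed=False` it hashes only the half of 'md' that is also emitted and mixes in as many 'state' bytes as were requested; with `fixed=True` it applies both 0.9.6b measures.

```python
import hashlib

DIGEST = 20        # SHA-1 output size (MD_DIGEST_LENGTH in md_rand.c)
HALF = DIGEST // 2


class ModelPRNG:
    """Toy model of the md_rand.c output loop (assumption: only the parts the
    advisory names are kept: the chaining variable 'md', the circular 'state'
    pool and a per-call counter)."""

    def __init__(self, seed: bytes, fixed: bool):
        self.fixed = fixed                                   # True = 0.9.6b behaviour
        self.md = hashlib.sha1(b"md|" + seed).digest()       # chaining variable 'md'
        self.state = bytearray(hashlib.sha1(b"state|" + seed).digest() * 3)  # 60-byte pool
        self.st_idx, self.count = 0, 0
        self.last_md_input = b""     # bytes of 'md' hashed in the most recent round
        self.last_state_mixed = 0    # number of 'state' bytes hashed in that round

    def rand_bytes(self, num: int) -> bytes:
        out, local_md = bytearray(), self.md
        self.count += 1
        while num > 0:
            j = min(HALF, num)
            n_state = HALF if self.fixed else j                     # second measure
            md_input = local_md if self.fixed else local_md[HALF:]  # first measure
            m = hashlib.sha1(md_input + self.count.to_bytes(8, "little"))
            m.update(bytes(self.state[(self.st_idx + i) % len(self.state)]
                           for i in range(n_state)))
            self.last_md_input, self.last_state_mixed = md_input, n_state
            local_md = m.digest()
            for i in range(n_state):
                self.state[self.st_idx] ^= local_md[i]   # first half only feeds 'state'
                self.st_idx = (self.st_idx + 1) % len(self.state)
                if i < j:
                    out.append(local_md[i + HALF])       # second half becomes output
            num -= j
        self.md = local_md
        return bytes(out)


def hashed_md_half_was_output(fixed: bool) -> bool:
    """After a 20-byte request, were the 'md' bytes hashed in round two all
    visible in round one's output?  True reproduces the advisory's design error."""
    prng = ModelPRNG(b"constructed seed", fixed)
    out = prng.rand_bytes(2 * HALF)
    return prng.last_md_input[:HALF] in out


def state_bytes_mixed(fixed: bool, num: int) -> int:
    """How many 'state' bytes a request of 'num' output bytes mixes into the hash."""
    prng = ModelPRNG(b"constructed seed", fixed)
    prng.rand_bytes(num)
    return prng.last_state_mixed
```

With the weak setting a 1-byte request mixes in a single state byte and the next round's 'md' input is exactly the previous output; with the fixed setting the hash always covers ten state bytes and ten 'md' bytes that never leave the generator.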
6730875 2001-07-10 13:55 -0400  /151 lines/ EnGarde Secure Linux <security@guardiandigital.com>
Sent by: joel@lysator.liu.se
Imported: 2001-07-10  21:42  by Brevbäraren
External recipient: engarde-security@guardiandigital.com
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <17906>
Subject: [ESA-20010709-01] OpenSSL PRNG Weakness
------------------------------------------------------------
From: EnGarde Secure Linux <security@guardiandigital.com>
To: engarde-security@guardiandigital.com, bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.10.10107101355330.17594-100000@mastermind.inside.guardiandigital.com>



+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   July 09, 2001 |
| http://www.engardelinux.org/                           ESA-20010709-01 |
|                                                                        |
| Package:  openssl                                                      |
| Summary:  There is a design weakness in OpenSSL's PRNG.                |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that
  features improved access control, host and network intrusion
  detection, Web based secure remote management, complete e-commerce
  using AllCommerce, and integrated open source security tools.


OVERVIEW
--------
  A weakness exists in the pseudo-random number generator (PRNG) in all
  versions of OpenSSL up to and including 0.9.6a.  Given knowledge of
  past results of PRNG queries an attacker can predict future results.


DETAIL
------
  There is a design error in OpenSSL's PRNG which can allow an attacker to
  determine the internal state of the PRNG.  Based on the output of
  several hundred 1-byte PRNG requests an attacker can reconstruct the
  PRNG's internal state and predict future PRNG output.

  The impact of this vulnerability is rather small, as the OpenSSL
  team has described:

    "It is unlikely for applications to request PRNG bytes in a pattern
     allowing for the attack against the OpenSSL PRNG.  Typically,
     applications will request PRNG bytes in larger chunks.
     No application is known to us which is actually vulnerable."

  In any event, we highly recommend that all users upgrade to the
  latest openssl packages as outlined in this advisory.


SOLUTION
--------
  All users should upgrade to the most recent version, as outlined in
  this advisory.

  Guardian Digital recently made available the Guardian Digital Secure
  Update, a means to proactively keep systems secure and manage 
  system software. EnGarde users can automatically update their system
  using the Guardian Digital WebTool secure interface.

  If choosing to manually upgrade this package, updates can be
  obtained from:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  To reload the LIDS configuration, execute the command:

    # /usr/sbin/config_lids.pl

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the
command:

    # rpm -Kv <filename>


UPDATED PACKAGES
----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/openssl-0.9.6-1.0.14.src.rpm
      MD5 Sum:  420d7e9d0687f313059a64935be6f550

  i386 Binary Packages:

    i386/openssl-0.9.6-1.0.14.i386.rpm
      MD5 Sum:  347000c0645194ab5feb83eb92d2355c

    i386/openssl-devel-0.9.6-1.0.14.i386.rpm
      MD5 Sum:  09125870402b05ad8ab75d74271893a3

    i386/openssl-misc-0.9.6-1.0.14.i386.rpm
      MD5 Sum:  e865af2f976115e92f99a6ce7fd1cb1b

  i686 Binary Packages:

    i686/openssl-0.9.6-1.0.14.i686.rpm
      MD5 Sum:  4d612208e3952bdb375ad36e614abf98

    i686/openssl-devel-0.9.6-1.0.14.i686.rpm
      MD5 Sum:  8a1b228357a1fe51a96aeb9afa3981f2

    i686/openssl-misc-0.9.6-1.0.14.i686.rpm
      MD5 Sum:  1e5eb36c5db32a79dbdfccb3899ae9dc


REFERENCES
----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  Credit for the discovery of this bug goes to:
    Markku-Juhani O. Saarinen <markku-juhani.saarinen@nokia.com>

  OpenSSL's Official Web Site:
    http://www.openssl.org/


--------------------------------------------------------------------------
$Id: ESA-20010709-01-openssl,v 1.2 2001/07/10 15:34:45 rwm Exp rwm $
--------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.

(6730875) /EnGarde Secure Linux <security@guardiandigital.com>/(Rewrapped)