generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>

Browse Source 
Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
This commit is contained in:
Dr. Stephen Henson 2012-01-04 23:52:26 +00:00
parent 27dfffd5b7
commit e745572493
2 changed files with 30 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
CHANGES
View File

@ -523,6 +523,20 @@
Changes between 1.0.0e and 1.0.0f [xx XXX xxxx] Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]
*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]
*) Clear bytes used for block padding of SSL 3.0 records. *) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576) (CVE-2011-4576)
[Adam Langley (Google)] [Adam Langley (Google)]

26
ssl/d1_pkt.c
View File

@ -383,6 +383,7 @@ dtls1_process_record(SSL *s)
SSL3_RECORD *rr; SSL3_RECORD *rr;
unsigned int mac_size; unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE]; unsigned char md[EVP_MAX_MD_SIZE];
int decryption_failed_or_bad_record_mac = 0;
rr= &(s->s3->rrec); rr= &(s->s3->rrec);
@ -417,13 +418,10 @@ dtls1_process_record(SSL *s)
enc_err = s->method->ssl3_enc->enc(s,0); enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0) if (enc_err <= 0)
{ {
/* decryption failed, silently discard message */ /* To minimize information leaked via timing, we will always
if (enc_err < 0) * perform all computations before discarding the message.
{ */
rr->length = 0; decryption_failed_or_bad_record_mac = 1;
s->packet_length = 0;
}
goto err;
} }
#ifdef TLS_DEBUG #ifdef TLS_DEBUG
@ -453,7 +451,7 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err; goto f_err;
#else #else
goto err; decryption_failed_or_bad_record_mac = 1;
#endif #endif
} }
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */ /* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@ -464,17 +462,25 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err; goto f_err;
#else #else
goto err; decryption_failed_or_bad_record_mac = 1;
#endif #endif
} }
rr->length-=mac_size; rr->length-=mac_size;
i=s->method->ssl3_enc->mac(s,md,0); i=s->method->ssl3_enc->mac(s,md,0);
if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
{ {
goto err; decryption_failed_or_bad_record_mac = 1;
} }
} }
if (decryption_failed_or_bad_record_mac)
{
/* decryption failed, silently discard message */
rr->length = 0;
s->packet_length = 0;
goto err;
}
/* r->length is now just compressed */ /* r->length is now just compressed */
if (s->expand != NULL) if (s->expand != NULL)
{ {