diff options
| author | steve <steve> | 2012-01-04 19:10:15 +0000 |
|---|---|---|
| committer | steve <steve> | 2012-01-04 19:10:15 +0000 |
| commit | f86a76dd3dece99e1e1e3ec5df04f6f07b0e59d9 (patch) | |
| tree | 3b40416673a72a463c41c24feed44f969bed0050 | |
| parent | 5ac282d237c905e8964f3248ce438e56985ae4b7 (diff) | |
| download | openssl-f86a76dd3dece99e1e1e3ec5df04f6f07b0e59d9.tar.gz | |
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>
Reviewed by: steve
Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
| -rw-r--r-- | CHANGES | 14 | ||||
| -rw-r--r-- | ssl/d1_pkt.c | 26 |
2 files changed, 30 insertions, 10 deletions
@@ -4,6 +4,20 @@ Changes between 0.9.8r and 0.9.8s [xx XXX xxxx] + *) Nadhem Alfardan and Kenny Paterson have discovered an extension + of the Vaudenay padding oracle attack on CBC mode encryption + which enables an efficient plaintext recovery attack against + the OpenSSL implementation of DTLS. Their attack exploits timing + differences arising during decryption processing. A research + paper describing this attack can be found at: + http://www.isg.rhul.ac.uk/~kp/dtls.pdf + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann + <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> + for preparing the fix. (CVE-2011-4108) + [Robin Seggelmann, Michael Tuexen] + *) Stop policy check failure freeing same buffer twice. (CVE-2011-4109) [Ben Laurie, Kasper <ekasper@google.com>] diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index e4f47e98e..83702e530 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -335,6 +335,7 @@ dtls1_process_record(SSL *s) SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; + int decryption_failed_or_bad_record_mac = 0; rr= &(s->s3->rrec); @@ -369,13 +370,10 @@ dtls1_process_record(SSL *s) enc_err = s->method->ssl3_enc->enc(s,0); if (enc_err <= 0) { - /* decryption failed, silently discard message */ - if (enc_err < 0) - { - rr->length = 0; - s->packet_length = 0; - } - goto err; + /* To minimize information leaked via timing, we will always + * perform all computations before discarding the message. + */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -401,7 +399,7 @@ if ( (sess == NULL) || SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto err; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ @@ -412,17 +410,25 @@ if ( (sess == NULL) || SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto err; + decryption_failed_or_bad_record_mac = 1; #endif } rr->length-=mac_size; s->method->ssl3_enc->mac(s,md,0); if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0) { - goto err; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* decryption failed, silently discard message */ + rr->length = 0; + s->packet_length = 0; + goto err; + } + /* r->length is now just compressed */ if (s->expand != NULL) { |