diff options
author | Dr. Stephen Henson <steve@openssl.org> | 2012-01-05 00:52:26 +0100 |
---|---|---|
committer | Dr. Stephen Henson <steve@openssl.org> | 2012-01-05 00:52:26 +0100 |
commit | e7455724938818eac8bef43f535d148dd4670d06 (patch) | |
tree | 6a3651bc4496c46030a2128d8aff3009a9b3647f | |
parent | Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) (diff) | |
download | openssl-e7455724938818eac8bef43f535d148dd4670d06.tar.xz openssl-e7455724938818eac8bef43f535d148dd4670d06.zip |
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>
Reviewed by: steve
Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
-rw-r--r-- | CHANGES | 14 | ||||
-rw-r--r-- | ssl/d1_pkt.c | 26 |
2 files changed, 30 insertions, 10 deletions
@@ -523,6 +523,20 @@ Changes between 1.0.0e and 1.0.0f [xx XXX xxxx] + *) Nadhem Alfardan and Kenny Paterson have discovered an extension + of the Vaudenay padding oracle attack on CBC mode encryption + which enables an efficient plaintext recovery attack against + the OpenSSL implementation of DTLS. Their attack exploits timing + differences arising during decryption processing. A research + paper describing this attack can be found at: + http://www.isg.rhul.ac.uk/~kp/dtls.pdf + Thanks go to Nadhem Alfardan and Kenny Paterson of the Information + Security Group at Royal Holloway, University of London + (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann + <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de> + for preparing the fix. (CVE-2011-4108) + [Robin Seggelmann, Michael Tuexen] + *) Clear bytes used for block padding of SSL 3.0 records. (CVE-2011-4576) [Adam Langley (Google)] diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index f66f33cf63..fdeaac8804 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -383,6 +383,7 @@ dtls1_process_record(SSL *s) SSL3_RECORD *rr; unsigned int mac_size; unsigned char md[EVP_MAX_MD_SIZE]; + int decryption_failed_or_bad_record_mac = 0; rr= &(s->s3->rrec); @@ -417,13 +418,10 @@ dtls1_process_record(SSL *s) enc_err = s->method->ssl3_enc->enc(s,0); if (enc_err <= 0) { - /* decryption failed, silently discard message */ - if (enc_err < 0) - { - rr->length = 0; - s->packet_length = 0; - } - goto err; + /* To minimize information leaked via timing, we will always + * perform all computations before discarding the message. + */ + decryption_failed_or_bad_record_mac = 1; } #ifdef TLS_DEBUG @@ -453,7 +451,7 @@ printf("\n"); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG); goto f_err; #else - goto err; + decryption_failed_or_bad_record_mac = 1; #endif } /* check the MAC for rr->input (it's in mac_size bytes at the tail) */ @@ -464,17 +462,25 @@ printf("\n"); SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT); goto f_err; #else - goto err; + decryption_failed_or_bad_record_mac = 1; #endif } rr->length-=mac_size; i=s->method->ssl3_enc->mac(s,md,0); if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0) { - goto err; + decryption_failed_or_bad_record_mac = 1; } } + if (decryption_failed_or_bad_record_mac) + { + /* decryption failed, silently discard message */ + rr->length = 0; + s->packet_length = 0; + goto err; + } + /* r->length is now just compressed */ if (s->expand != NULL) { |