Commit e7455724 authored by Dr. Stephen Henson

Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael Tuexen <tuexen@fh-muenster.de>

Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
parent 27dfffd5
+14 −0
@@ -523,6 +523,20 @@

 Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]

  *) Nadhem Alfardan and Kenny Paterson have discovered an extension
     of the Vaudenay padding oracle attack on CBC mode encryption
     which enables an efficient plaintext recovery attack against
     the OpenSSL implementation of DTLS. Their attack exploits timing
     differences arising during decryption processing. A research
     paper describing this attack can be found at:
                  http://www.isg.rhul.ac.uk/~kp/dtls.pdf
     Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
     Security Group at Royal Holloway, University of London
     (www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
     <seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
     for preparing the fix. (CVE-2011-4108)
     [Robin Seggelmann, Michael Tuexen]

  *) Clear bytes used for block padding of SSL 3.0 records.
     (CVE-2011-4576)
     [Adam Langley (Google)]
+16 −10
@@ -383,6 +383,7 @@ dtls1_process_record(SSL *s)
	SSL3_RECORD *rr;
	unsigned int mac_size;
	unsigned char md[EVP_MAX_MD_SIZE];
	int decryption_failed_or_bad_record_mac = 0;


	rr= &(s->s3->rrec);
@@ -417,13 +418,10 @@ dtls1_process_record(SSL *s)
	enc_err = s->method->ssl3_enc->enc(s,0);
	if (enc_err <= 0)
		{
		/* decryption failed, silently discard message */
		if (enc_err < 0)
			{
			rr->length = 0;
			s->packet_length = 0;
			}
		goto err;
		/* To minimize information leaked via timing, we will always
		 * perform all computations before discarding the message.
		 */
		decryption_failed_or_bad_record_mac = 1;
		}

#ifdef TLS_DEBUG
@@ -453,7 +451,7 @@ printf("\n");
			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
			goto f_err;
#else
			goto err;
			decryption_failed_or_bad_record_mac = 1;
#endif			
			}
		/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
@@ -464,15 +462,23 @@ printf("\n");
			SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
			goto f_err;
#else
			goto err;
			decryption_failed_or_bad_record_mac = 1;
#endif
			}
		rr->length-=mac_size;
		i=s->method->ssl3_enc->mac(s,md,0);
		if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
			{
			goto err;
			decryption_failed_or_bad_record_mac = 1;
			}
		}

	if (decryption_failed_or_bad_record_mac)
		{
		/* decryption failed, silently discard message */
		rr->length = 0;
		s->packet_length = 0;
		goto err;
		}

	/* r->length is now just compressed */
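Review bot: In the last hunk the `rr->length < mac_size` branch now sets `decryption_failed_or_bad_record_mac` and falls through instead of leaving via `goto err`, but `rr->length-=mac_size;` still runs unconditionally, so a record shorter than the MAC drives the length past zero (it is compared against the unsigned `mac_size`, so this presumably wraps rather than going negative) and the following `mac()` call and `memcmp(md,&(rr->data[rr->length]),mac_size)` read outside the record buffer. A short record must therefore reach the MAC step with `rr->length` forced to 0 and a MAC pointer that is never dereferenced, while the MAC is still computed so the timing intent of the change is kept; the oversized-length branch in the previous hunk (`@@ -453,7 +451,7 @@`) falls through the same way but cannot wrap there. Even with this guard the MAC work still scales with the post-padding `rr->length`, so the equalisation is only partial and a comment stating that would help the next reader. `dtls1_process_record` starts before the first hunk and continues past this one, and `mac` below belongs with the other locals next to `md` in the first hunk if the file keeps C89 declaration placement.
```c
		/* … unchanged: length-too-short check only sets decryption_failed_or_bad_record_mac … */
		/* Strip the MAC only when the record can hold one. A short record
		 * keeps length 0 and a NULL mac pointer, but the MAC is still
		 * computed so the failing path does the same work as the good one. */
		unsigned char *mac = NULL;
		if (rr->length >= mac_size)
			{
			rr->length -= mac_size;
			mac = &(rr->data[rr->length]);
			}
		else
			rr->length = 0;
		i=s->method->ssl3_enc->mac(s,md,0);
		if (i < 0 || mac == NULL || memcmp(md,mac,mac_size) != 0)
			{
			decryption_failed_or_bad_record_mac = 1;
			}
		/* … unchanged: decryption_failed_or_bad_record_mac discard path … */
```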