git.openssl.org Git - openssl.git/commit

author	Emilia Kasper <emilia@openssl.org>
	Wed, 24 Feb 2016 11:59:59 +0000 (12:59 +0100)
committer	Emilia Kasper <emilia@openssl.org>
	Thu, 25 Feb 2016 14:44:21 +0000 (15:44 +0100)
commit	59a908f1e8380412a81392c468b83bf6071beb2a
tree	f862d3600a81bb2d93becf1ae5528df68634ecc0	tree \| snapshot
parent	3ee48ada8ce7a57b6ff185a0388aba1ae1a21684	commit \| diff

CVE-2016-0798: avoid memory leak in SRP

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>

CHANGES		diff \| blob \| history
apps/s_server.c		diff \| blob \| history
crypto/srp/srp.h		diff \| blob \| history
crypto/srp/srp_vfy.c		diff \| blob \| history
util/libeay.num		diff \| blob \| history