git.openssl.org Git - openssl.git/commit

author	Emilia Kasper <emilia@openssl.org>
	Wed, 24 Feb 2016 11:59:59 +0000 (12:59 +0100)
committer	Emilia Kasper <emilia@openssl.org>
	Thu, 25 Feb 2016 14:42:48 +0000 (15:42 +0100)
commit	380f18ed5f140e0ae1b68f3ab8f4f7c395658d9e
tree	83e686e480f176176595a3b2f388be366b774b08	tree \| snapshot
parent	37529928faa8456e85a9c5ad9255517da8dd0c61	commit \| diff

CVE-2016-0798: avoid memory leak in SRP

The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>

CHANGES		diff \| blob \| history
apps/s_server.c		diff \| blob \| history
crypto/srp/srp_vfy.c		diff \| blob \| history
include/openssl/srp.h		diff \| blob \| history
util/libeay.num		diff \| blob \| history