Skip to content

Commit

Permalink
Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de>, Michael T…
Browse files Browse the repository at this point in the history 
…uexen <tuexen@fh-muenster.de>

Reviewed by: steve

Fix for DTLS plaintext recovery attack discovered by Nadhem Alfardan and
Kenny Paterson.
  • Loading branch information
@snhenson
snhenson committed Jan 4, 2012
1 parent 27dfffd commit e745572
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 10 deletions.
14 changes: 14 additions & 0 deletions CHANGES
View file
Original file line number Diff line number Diff line change
Expand Up @@ -523,6 +523,20 @@

Changes between 1.0.0e and 1.0.0f [xx XXX xxxx]

*) Nadhem Alfardan and Kenny Paterson have discovered an extension
of the Vaudenay padding oracle attack on CBC mode encryption
which enables an efficient plaintext recovery attack against
the OpenSSL implementation of DTLS. Their attack exploits timing
differences arising during decryption processing. A research
paper describing this attack can be found at:
http://www.isg.rhul.ac.uk/~kp/dtls.pdf
Thanks go to Nadhem Alfardan and Kenny Paterson of the Information
Security Group at Royal Holloway, University of London
(www.isg.rhul.ac.uk) for discovering this flaw and to Robin Seggelmann
<seggelmann@fh-muenster.de> and Michael Tuexen <tuexen@fh-muenster.de>
for preparing the fix. (CVE-2011-4108)
[Robin Seggelmann, Michael Tuexen]

*) Clear bytes used for block padding of SSL 3.0 records.
(CVE-2011-4576)
[Adam Langley (Google)]
Expand Down
26 changes: 16 additions & 10 deletions ssl/d1_pkt.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -383,6 +383,7 @@ dtls1_process_record(SSL *s)
SSL3_RECORD *rr;
unsigned int mac_size;
unsigned char md[EVP_MAX_MD_SIZE];
int decryption_failed_or_bad_record_mac = 0;


rr= &(s->s3->rrec);
Expand Down Expand Up @@ -417,13 +418,10 @@ dtls1_process_record(SSL *s)
enc_err = s->method->ssl3_enc->enc(s,0);
if (enc_err <= 0)
{
/* decryption failed, silently discard message */
if (enc_err < 0)
{
rr->length = 0;
s->packet_length = 0;
}
goto err;
/* To minimize information leaked via timing, we will always
* perform all computations before discarding the message.
*/
decryption_failed_or_bad_record_mac = 1;
}

#ifdef TLS_DEBUG
Expand Down Expand Up @@ -453,7 +451,7 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
goto f_err;
#else
goto err;
decryption_failed_or_bad_record_mac = 1;
#endif
}
/* check the MAC for rr->input (it's in mac_size bytes at the tail) */
Expand All @@ -464,17 +462,25 @@ printf("\n");
SSLerr(SSL_F_DTLS1_PROCESS_RECORD,SSL_R_LENGTH_TOO_SHORT);
goto f_err;
#else
goto err;
decryption_failed_or_bad_record_mac = 1;
#endif
}
rr->length-=mac_size;
i=s->method->ssl3_enc->mac(s,md,0);
if (i < 0 || memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
{
goto err;
decryption_failed_or_bad_record_mac = 1;
}
}

if (decryption_failed_or_bad_record_mac)
{
/* decryption failed, silently discard message */
rr->length = 0;
s->packet_length = 0;
goto err;
}

/* r->length is now just compressed */
if (s->expand != NULL)
{
Expand Down

0 comments on commit e745572

Please sign in to comment.