Hi!

I patched my exim to detect heartbleed attacks/probes. The patch is quick and
dirty and not intended for HEAD or inexperienced users. That's why I post it
only here. I don't know yet what impact setting a tls_msg_callback has on
performance.

Maybe somebody is interested. Try at your own risk;-)

It works with patched OpenSSL versions as well as with unpatched ones.

Patch will most likely apply with some fuzz, since I've other patches in place
as well.

Greetings, Wolfgang
-- 
Wolfgang Breyha <[email protected]> | http://www.blafasel.at/
Vienna University Computer Center | Austria

--- src/tls-openssl.c.prehb	2014-04-09 13:16:19.000000000 +0200
+++ src/tls-openssl.c	2014-04-09 14:14:01.000000000 +0200
@@ -330,6 +330,29 @@
 return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
 }
 
+void tls_msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
+{
+	if (content_type == TLS1_RT_HEARTBEAT)
+	{
+		if (len >= 3)
+		{
+			unsigned short hbtype;
+			unsigned int payll;
+			const unsigned char *p = buf;
+			hbtype = *p++;
+			payll = (((unsigned int)(*p++))<< 8)|(((unsigned int)(*p++)));
+			if (hbtype == TLS1_HB_REQUEST)
+				if (payll > len - 3)
+				{
+					DEBUG(D_tls) debug_printf("TLS heartbleed attack detected: %d < %d\n", len - 3, payll);
+    					log_write(0, LOG_MAIN|LOG_PANIC,
+					      "TLS heartbleed attack detected: %d < %d", len - 3, payll);
+				} else {
+					DEBUG(D_tls) debug_printf("TLS valid heartbeat req received\n");
+				}
+		}
+	}
+}
 
 
 /*************************************************
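Review bot: Both log calls in the oversized-payload branch pass `len - 3` (a size_t) and `payll` (unsigned int) to `%d`, a format/argument mismatch that is undefined behaviour and can print garbage on 64-bit builds; cast to a width the formatter certainly handles, e.g. `debug_printf("TLS heartbleed attack detected: %lu < %u\n", (unsigned long)(len - 3), payll);` and the same for the `log_write` format string two lines below. The callback also never looks at `write_p`, so an outgoing heartbeat request is inspected and logged exactly like an incoming one; if only received records are of interest, add `if (write_p) return;` at the top of the function. Because the callback returns void it cannot reject the record, so on an unpatched OpenSSL this is detection only, which matches the cover note but deserves a comment above the function such as `/* Log heartbeat requests whose claimed payload length exceeds the record; detection only, the callback cannot abort the connection. */`.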
@@ -1160,6 +1183,8 @@
 
 SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);
 
+SSL_CTX_set_msg_callback(*ctxp, tls_msg_cb);
+
 /* Finally, set the timeout, and we are done */
 
 SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);
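Review bot: The new `SSL_CTX_set_msg_callback` call carries no comment explaining why a message callback is being installed, and the enclosing function starts outside the hunk, so a reader has to go find `tls_msg_cb` to learn it exists for heartbeat-record inspection; add `/* Inspect every TLS record for malformed heartbeat requests (see tls_msg_cb) */` above it. If this init path is shared by client and server contexts (it appears to be, but that cannot be confirmed from the hunk), the callback will also run on outbound sessions, which is harmless since it only logs but is likely the per-record cost the cover note wonders about.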