Re: Hardening request: aes_cbc_enc/aes_cbc_dec sample converters lack authentication, enable padding-oracle class when chained with untrusted input

Sun, 26 Apr 2026 21:27:15 -0700 

Thanks William.

Fair points on both. The cipher is what it is, and admins picking aes_cbc_*
explicitly are on the hook for using it correctly — that's a defensible
position and I'll drop the report on those grounds.

If a one-line note next to the aes_cbc_* entries in doc/configuration.txt
("unauthenticated; prefer aes_gcm_* for any attacker-influenced ciphertext")
would be welcome, I can post a small patch on the dev list. Otherwise this
can rest.

On the channel: my mistake on treating this list as security-private — I
misread the project's CONTRIBUTING file. Glad to hear it's the right venue
for the topic regardless.

Regards,
Andrey Vasilevsky


On Fri, Apr 24, 2026 at 4:51 AM William Lallemand <[email protected]>
wrote:

> On Thu, Apr 23, 2026 at 04:49:06PM -0700, Andrey Vasilevsky wrote:
> > Hi HAProxy security team,
> >
> > This is a hardening / documentation-clarity report, not a claim of active
> > exploitation against a default configuration. Flagging for your
> threat-model
> > review.
> > Finding
> >
> > HAProxy registers four AES sample converters in src/ssl_sample.c (around
> > lines 2846-2851):
> >
> > { "aes_gcm_enc",        sample_conv_aes,  ... },  /* authenticated (GCM)
> */
> > { "aes_gcm_dec",        sample_conv_aes,  ... },  /* authenticated (GCM)
> */
> > { "aes_cbc_enc",        sample_conv_aes,  ... },  /* unauthenticated CBC
> */
> > { "aes_cbc_dec",        sample_conv_aes,  ... },  /* unauthenticated CBC
> */
> >
> > The GCM variants include an AEAD tag; the CBC variants do not.
>
> Because AES-CBC is not a cipher using AEAD. We only provide the mean to
> encrypt
> and decrypt with this cipher, people are suppose to know what they are
> doing if
> they put explicitely this keyword in the configuration.
>
> > No external disclosure is planned before hearing the team's position.
> Happy
> > to draft a doc patch for option (a) if that is the direction the team
> > prefers, or to file a public issue/PR if the team considers this out of
> > security-list scope.
> >
>
> You are sending this to a public mailing-list anyway. But this look like an
> AI-generated mail.
>
> --
> William Lallemand
>

Reply via email to