On Tue, Feb 05, 2013 at 03:18:28PM +0100, OpenSSL wrote:
> OpenSSL Security Advisory [05 Feb 2013]
> ========================================
> 
> SSL, TLS and DTLS Plaintext Recovery Attack (CVE-2013-0169)
> ============================================================
> 
> Nadhem Alfardan and Kenny Paterson have discovered a weakness in the handling
> of CBC ciphersuites in SSL, TLS and DTLS. Their attack exploits timing
> differences arising during MAC processing. Details of this attack can be
> found at: http://www.isg.rhul.ac.uk/tls/
> 
> All versions of OpenSSL are affected including 1.0.1c, 1.0.0j and 0.9.8x
> 
> Note: this vulnerability is only partially mitigated when OpenSSL is used
> in conjunction with the OpenSSL FIPS Object Module and the FIPS mode of
> operation is enabled.
> 
> Thanks go to Nadhem J. AlFardan and Kenneth G. Paterson of the Information
> Security Group Royal Holloway, University of London for discovering this flaw.
> 
> An initial fix was prepared by Adam Langley <a...@chromium.org> and Emilia
> Käsper <ekas...@google.com> of Google. Additional refinements were added by
> Ben Laurie, Andy Polyakov and Stephen Henson of the OpenSSL group.
> 
> Affected users should upgrade to OpenSSL 1.0.1d, 1.0.0k or 0.9.8y

Looking at the diff for 1.0.0k it seems to be missing commits from
the 1.0.1d version:
I believe the following commits in the 1.0.1 branch are part of the fix:
2ee798880a246d648ecddadc5b91367bee4a5d98
e130841bccfc0bb9da254dc84e23bc6a1c78a64e
6cb19b7681f600b2f165e4adc57547b097b475fd
9f27de170d1b7bef3d46d41382dc4dafde8b3900
014265eb02e26f35c8db58e2ccbf100b0b2f0072
b908e88ec15aa0a74805e3f2236fc4f83f2789c2
81ce0e14e72e8e255ad1bd9c7cfaa47a6291919c
34ab3c8c711ff79c2b768f0b17e4b2a78fd1df5d
cab13fc8473856a43556d41d8dac5605f4ba1f91
36260233e7e3396feed884d3f501283e0453c04f
d5371324d978e4096bf99b9d0fe71b2cb65d9dc8
04e45b52ee3be81121359cc1198fd01e38096e9f
8bfd4c659f180a6ce34f21c0e62956b362067fba / ec07246a0835a36af9d892f1e28b594018be6da1

The 1.0.0 branch has those commits:
9c00a950604aca819cee977f1dcb4b45f2af3aa6 (from 2ee798880a246d648ecddadc5b91367bee4a5d98)
e5420be6cd09af2550b128575a675490cfba0483 (from e130841bccfc0bb9da254dc84e23bc6a1c78a64e)
f852b60797dc68aa86c99c4f7b905488d1538d99 (from 014265eb02e26f35c8db58e2ccbf100b0b2f0072)
080f39539295d2c7c932e79dd670526b90a215a8
610dfc3ef4c4019394534023115226f4ed0e7204 (from 6cb19b7681f600b2f165e4adc57547b097b475fd)
b23da2919b332fd83fa6de87caacb0651f64a3f5 (from 9f27de170d1b7bef3d46d41382dc4dafde8b3900)
3cdaca2436643908863c6a62918b0d9703477655 (from cab13fc8473856a43556d41d8dac5605f4ba1f91)
11c48a0fd20d2ec091fde218449f3ba0ff1cf672 (from 36260233e7e3396feed884d3f501283e0453c04f)
33f44acbbe83ab718ae15c0d2c6a57e802705a36 (from d5371324d978e4096bf99b9d0fe71b2cb65d9dc8)
c6b82f7ee9434d81ccbb30d4cf3126a23398d6c7 (from 81ce0e14e72e8e255ad1bd9c7cfaa47a6291919c)

That would mean the following aren't in the 1.0.0 branch:
commit b908e88ec15aa0a74805e3f2236fc4f83f2789c2
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Tue Jan 29 14:44:36 2013 +0000

    Timing fix mitigation for FIPS mode.
    We have to use EVP in FIPS mode so we can only partially mitigate
    timing differences.

    Make an extra call to EVP_DigestSignUpdate to hash additional blocks
    to cover any timing differences caused by removal of padding.

commit 34ab3c8c711ff79c2b768f0b17e4b2a78fd1df5d
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Thu Jan 31 23:04:39 2013 +0000

    typo.

commit 04e45b52ee3be81121359cc1198fd01e38096e9f
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Feb 1 13:53:43 2013 +0000

    Don't access EVP_MD_CTX internals directly.

commit 8bfd4c659f180a6ce34f21c0e62956b362067fba
Author: Andy Polyakov <ap...@openssl.org>
Date:   Fri Feb 1 15:31:50 2013 +0100

    ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.

    Kludge alert. This is arranged by passing padding length in unused
    bits of SSL3_RECORD->type, so that orig_len can be reconstructed.


(The RedHat bug fails to mention c6b82f7ee9434d81ccbb30d4cf3126a23398d6c7
for the 1.0.0 branch, but it's not going to build without that.)

I think the first 2 just don't apply to the 1.0.0 branch, the 3rd isn't important,
but I'm worried about the last commit since it talks about binary compatibility.


Kurt
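An added illustration (not OpenSSL's code) of the mitigation the FIPS-mode commit b908e88 describes: after CBC padding is stripped, hash extra blocks so the number of compression-function calls no longer depends on how much padding was removed. The key, header and records are constructed; the 13-byte MAC header, 64-byte block size and 9-byte digest padding assume TLS 1.0 with HMAC-SHA1, and the block-count formula is a model of the work an attacker would time, not a measurement.

```python
import hashlib
import hmac

TLS_HEADER_LEN = 13  # seq_num(8) || type(1) || version(2) || length(2)
MD_BLOCK, MD_MIN_PAD = 64, 9  # SHA-1/SHA-256 block size; 0x80 terminator + 64-bit length

def mac_blocks(payload_len):
    """Compression-function calls for HMAC's inner hash: key block + header + payload."""
    return (MD_BLOCK + TLS_HEADER_LEN + payload_len + MD_MIN_PAD + MD_BLOCK - 1) // MD_BLOCK

def digest_extra_len(data_len, orig_len):
    """Filler bytes to hash so the block count matches the longest payload the
    record could carry, plus one block so the extra update is never a no-op."""
    return (mac_blocks(orig_len) - mac_blocks(data_len) + 1) * MD_BLOCK

def make_record(key, hdr, body, pad):
    """Constructed test record: body || HMAC-SHA1 || pad bytes || pad-length byte."""
    mac = hmac.new(key, hdr + len(body).to_bytes(2, "big") + body, hashlib.sha1).digest()
    return body + mac + bytes([pad]) * (pad + 1)

def verify_record(key, hdr, decrypted, mac_len=20, mitigate=True):
    """Strip CBC padding and check the MAC. Returns (mac_ok, blocks_hashed);
    blocks_hashed is the work a Lucky 13 attacker measures through timing."""
    orig_len = len(decrypted)
    pad = decrypted[-1]
    pad_ok = (pad + 1 + mac_len <= orig_len
              and decrypted[-(pad + 1):] == bytes([pad]) * (pad + 1))
    if not pad_ok:
        pad = 0  # bad padding: assume zero-length padding and still run the MAC
    body = decrypted[:orig_len - mac_len - pad - 1]
    h = hmac.new(key, hdr + len(body).to_bytes(2, "big") + body, hashlib.sha1)
    mac_ok = pad_ok and hmac.compare_digest(h.digest(), decrypted[len(body):len(body) + mac_len])
    blocks = mac_blocks(len(body))  # naive: depends on how much padding was stripped
    if mitigate:
        extra = digest_extra_len(len(body), orig_len)
        h.update(b"\x00" * extra)   # dummy hashing after the real digest, as in the FIPS fix
        blocks += extra // MD_BLOCK  # now mac_blocks(orig_len) + 1 for every record
    return mac_ok, blocks

KEY = b"k" * 20                   # constructed MAC key
HDR = bytes(8) + b"\x17\x03\x01"  # seq_num 0, application_data, TLS 1.0 (length appended later)

def demo():
    """Two 128-byte records that differ only in padding length, plus a tampered copy."""
    records = {"short_pad": make_record(KEY, HDR, b"A" * 107, 0),
               "long_pad": make_record(KEY, HDR, b"A" * 57, 50)}
    records["tampered"] = records["long_pad"][:-1] + b"\xff"
    return {name: (verify_record(KEY, HDR, r, mitigate=False), verify_record(KEY, HDR, r))
            for name, r in records.items()}
```

Without the extra update the valid long-padding record costs one hash block less than the tampered one, which is the signal the attack measures; with it every 128-byte record costs the same five blocks.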

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
