On 11 June 2014 06:47, Otto Moerbeek <o...@drijf.net> wrote:
> On Tue, Jun 10, 2014 at 11:35:06PM +0100, Matt Caswell wrote:
>
>> On 10 June 2014 21:52, Kurt Roeckx <k...@roeckx.be> wrote:
>> >> As far as I can see this is SSLv3 only, and only about the Finish
>> >> message.
>> >>
>> >> So it seems that function returns the length of the digest, and in
>> >> some error cases 0.  We'll end up with a wrong value in
>> >> (peer_)finish_md_len.
>> >>
>> >> It should then result in this error:
>> >>         if (i != n)
>> >>                 {
>> >>                 al=SSL_AD_DECODE_ERROR;
>> >>                 SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
>> >>                 goto f_err;
>> >>                 }
>> >>
>> >> So at first look there doesn't seem to be anything wrong with the
>> >> current code.  But their patch doesn't do anything wrong either.
>> >
>> > So to clarify this a little more.  ssl3_final_finish_mac() returns
>> > 0 on an internal error, or the length of the digest.  In case of SSLv3
>> > it's both an MD5 and SHA1.  In ssl3_final_finish_mac() they only
>> > get calculated and the length is returned.  The check that they
>> > are correct happens just after the if I quoted above.
>>
>> I can't see a way that this could be exploited. It is a bug though.
>>
>> I've just pushed a fix:
>> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2f1dffa88e1b120add4f0b3a794fbca65aa7768d
>>
>> Matt
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> Development Mailing List                       openssl-dev@openssl.org
>> Automated List Manager                           majord...@openssl.org
>
> It's common courtesy to attribute fixes to the original author or at
> least the project.

Well the fix itself was mine, although admittedly it is very similar
to the original fix (there are only so many ways you can write that),
and differs only in variable names etc. My apologies. I probably
should have at least acknowledged the original source.

Sorry

Matt