Hey there,
I was auditing OpenSSL last night. I looked at several files and found the following:
https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893 /* Determine if we need to see RI. Strictly speaking if we want to * avoid an attack we should *always* see RI even on initial server * hello because the client doesn't see any renegotiation during an * attack. However this would mean we could not connect to any server * which doesn't support RI so for the immediate future tolerate RI * absence on initial connect only. */
Well that's awful coding.
Unless I'm mistaken, the following memcmp is vulnerable to a remote timing attack. https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974 static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b) { if (a->ssl_version != b->ssl_version) return(1); if (a->session_id_length != b->session_id_length) return(1); return(memcmp(a->session_id,b->session_id,a->session_id_length)); }
I posted both of these findings to the full disclosure list last night. I figured someone on this list might find it interesting as well. Yes, I had noticed your post on FD. In my opinion you are right,
On Thu, Apr 10, 2014 at 12:40 PM, Peter Malone <peter@petermalone.org> wrote: the value that is compared can come from the outside. It would be the same problem that is discussed (also) here. Perhaps the solution might look like the same. https://trac.torproject.org/projects/tor/ticket/3122 thanks Best regards
Cheers, Peter.