Two possible vulnerabilities in OpenSSL?

Peter Malone peter at petermalone.org
Thu Apr 10 03:40:38 PDT 2014


Hey there,

I was auditing OpenSSL last night. I looked at several files and found
the following:

https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893

/* Determine if we need to see RI. Strictly speaking if we want to
 * avoid an attack we should *always* see RI even on initial server
 * hello because the client doesn't see any renegotiation during an
 * attack. However this would mean we could not connect to any server
 * which doesn't support RI so for the immediate future tolerate RI
 * absence on initial connect only.
 */

Well that's awful coding.

Unless I'm mistaken, the following memcmp is vulnerable to a remote
timing attack.
https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974

static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
{
    if (a->ssl_version != b->ssl_version)
        return(1);
    if (a->session_id_length != b->session_id_length)
        return(1);
    return(memcmp(a->session_id, b->session_id, a->session_id_length));
}

I posted both of these findings to the full disclosure list last night.
I figured someone on this list might find it interesting as well.

Cheers,
Peter.
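
The comparison the post flags, put beside a constant-time alternative, as an added example that is neither from the post nor OpenSSL's own code. The early-exit version is written out byte by byte so the exit point is visible, and each comparison reports how many session-ID bytes it inspected before deciding; a constant-time compare visits every byte and OR-accumulates the differences, so the work done no longer depends on how long the matching prefix is. The session_t struct, the build_pair helper, the 0x0303 version value and the 0xA0.. sample ID bytes are all constructed for this example and do not reflect OpenSSL's real SSL_SESSION layout.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SESSION_ID_MAX 32

/* Minimal stand-in for the fields ssl_session_cmp touches. This is an
 * assumption for the example, not OpenSSL's real SSL_SESSION layout. */
typedef struct {
    int ssl_version;
    size_t session_id_length;
    unsigned char session_id[SESSION_ID_MAX];
} session_t;

static void session_init(session_t *s, int version, const unsigned char *id, size_t len)
{
    memset(s, 0, sizeof *s);
    s->ssl_version = version;
    if (len > SESSION_ID_MAX)
        len = SESSION_ID_MAX;
    s->session_id_length = len;
    memcpy(s->session_id, id, len);
}

/* Early-exit comparison with the same shape as the post's ssl_session_cmp,
 * with the memcmp written out so the exit point is visible. *steps receives
 * the number of ID bytes inspected before the function decided. */
int session_cmp_early_exit(const session_t *a, const session_t *b, size_t *steps)
{
    *steps = 0;
    if (a->ssl_version != b->ssl_version)
        return 1;
    if (a->session_id_length != b->session_id_length)
        return 1;
    for (size_t i = 0; i < a->session_id_length; i++) {
        (*steps)++;
        if (a->session_id[i] != b->session_id[i])
            return 1; /* stops at the first differing byte: work depends on the matching prefix */
    }
    return 0;
}

/* Constant-time byte comparison: every byte is visited and differences are
 * OR-accumulated, so the work done does not depend on where inputs differ.
 * Returns 0 when equal, 1 otherwise, without a data-dependent branch. */
int ct_memcmp(const unsigned char *x, const unsigned char *y, size_t n, size_t *steps)
{
    volatile unsigned char diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (unsigned char)(x[i] ^ y[i]);
    }
    unsigned int d = diff;            /* 0..255 */
    return (int)((d + 0xFFu) >> 8);   /* 0 -> 0, 1..255 -> 1 */
}

int session_cmp_constant_time(const session_t *a, const session_t *b, size_t *steps)
{
    *steps = 0;
    /* Version and ID length are exchanged in the clear during the handshake,
     * so an early return on them reveals nothing beyond what is already public. */
    if (a->ssl_version != b->ssl_version || a->session_id_length != b->session_id_length)
        return 1;
    return ct_memcmp(a->session_id, b->session_id, a->session_id_length, steps);
}

/* Constructed sample pair: two 32-byte IDs that agree up to byte `mismatch_at`
 * and differ there; mismatch_at >= 32 yields two identical IDs. */
static void build_pair(session_t *a, session_t *b, size_t mismatch_at)
{
    unsigned char id[SESSION_ID_MAX];
    for (size_t i = 0; i < SESSION_ID_MAX; i++)
        id[i] = (unsigned char)(0xA0 + i);
    session_init(a, 0x0303, id, SESSION_ID_MAX);
    if (mismatch_at < SESSION_ID_MAX)
        id[mismatch_at] ^= 0x01;
    session_init(b, 0x0303, id, SESSION_ID_MAX);
}

/* Probe helpers: how many ID bytes each strategy inspects, and what it returns. */
size_t bytes_inspected(int constant_time, size_t mismatch_at)
{
    session_t a, b;
    size_t steps;
    build_pair(&a, &b, mismatch_at);
    if (constant_time)
        session_cmp_constant_time(&a, &b, &steps);
    else
        session_cmp_early_exit(&a, &b, &steps);
    return steps;
}

int cmp_result(int constant_time, size_t mismatch_at)
{
    session_t a, b;
    size_t steps;
    build_pair(&a, &b, mismatch_at);
    return constant_time ? session_cmp_constant_time(&a, &b, &steps)
                         : session_cmp_early_exit(&a, &b, &steps);
}

int main(void)
{
    size_t positions[] = {0, 8, 31, SESSION_ID_MAX};
    printf("mismatch_at  early_exit_bytes  constant_time_bytes\n");
    for (size_t i = 0; i < sizeof positions / sizeof positions[0]; i++)
        printf("%11zu  %16zu  %19zu\n", positions[i],
               bytes_inspected(0, positions[i]), bytes_inspected(1, positions[i]));
    return 0;
}
```

The table main() prints shows the early-exit version inspecting 1, 9, 32 and 32 bytes for the four sample positions while the constant-time version always inspects 32, with both returning the same equal/not-equal verdicts. The volatile accumulator keeps the compiler from turning the loop back into an early exit. OpenSSL's own constant-time primitive for this kind of check is CRYPTO_memcmp; ct_memcmp above only illustrates the same idea.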
