Two possible vulnerabilities in OpenSSL?

yersinia yersinia.spiros at gmail.com
Thu Apr 10 06:05:59 PDT 2014


On Thu, Apr 10, 2014 at 12:40 PM, Peter Malone <peter at petermalone.org> wrote:
> Hey there,
>
> I was auditing OpenSSL last night. I looked at several files and found
> the following:
>
>  https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
> /* Determine if we need to see RI. Strictly speaking if we want to
> * avoid an attack we should *always* see RI even on initial server
> * hello because the client doesn't see any renegotiation during an
> * attack. However this would mean we could not connect to any server
> * which doesn't support RI so for the immediate future tolerate RI
> * absence on initial connect only.
> */
>
> Well that's awful coding.
>
> Unless I'm mistaken, the following memcmp is vulnerable to a remote
> timing attack.
> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
> static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
> {
>   if (a->ssl_version != b->ssl_version)
>        return(1);
>   if (a->session_id_length != b->session_id_length)
>        return(1);
>   return(memcmp(a->session_id,b->session_id,a->session_id_length));
> }
>
> I posted both of these findings to the full disclosure list last night.
> I figured someone on this list might find it interesting as well.
Yes, I had noticed your post on FD. In my opinion you are right:
the value that is compared can come from the outside.
It would be the same problem that is (also) discussed here. Perhaps
the solution might look the same.

https://trac.torproject.org/projects/tor/ticket/3122

thanks

Best regards
>
> Cheers,
> Peter.
>
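The comparison shape of the quoted ssl_session_cmp next to a constant-time variant of the kind the linked Tor ticket is about, as an added example that is not code from this thread, from OpenSSL or from Tor. The session_t struct, the function names (ct_memneq, session_cmp_leaky, session_cmp_ct, make_session, demo_agree) and the sample session ids are constructed for the demo and are assumptions, not anything from the thread.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for SSL_SESSION holding only the fields the quoted
 * ssl_session_cmp looks at (assumed layout, not OpenSSL's). */
typedef struct {
    int ssl_version;
    size_t session_id_length;
    unsigned char session_id[32];
} session_t;

/* Compare len bytes in time that depends only on len, never on the
 * position of the first mismatch. Returns 0 when equal, 1 otherwise. */
int ct_memneq(const void *a, const void *b, size_t len)
{
    const volatile unsigned char *pa = a;
    const volatile unsigned char *pb = b;
    unsigned char acc = 0;
    size_t i;
    for (i = 0; i < len; i++)
        acc |= pa[i] ^ pb[i];          /* OR in every byte difference */
    /* collapse acc to 0 or 1 without a data-dependent branch */
    return (acc | (unsigned char)-acc) >> 7;
}

/* Same shape as the quoted function: memcmp may stop at the first
 * mismatching byte, so the time taken depends on how much of the
 * attacker-supplied id matches the stored one. */
int session_cmp_leaky(const session_t *a, const session_t *b)
{
    if (a->ssl_version != b->ssl_version)
        return 1;
    if (a->session_id_length != b->session_id_length)
        return 1;
    return memcmp(a->session_id, b->session_id, a->session_id_length);
}

/* Hardened variant: version and length travel in the clear, so early
 * returns on them leak nothing new; only the id bytes need the
 * constant-time path. */
int session_cmp_ct(const session_t *a, const session_t *b)
{
    if (a->ssl_version != b->ssl_version)
        return 1;
    if (a->session_id_length != b->session_id_length)
        return 1;
    return ct_memneq(a->session_id, b->session_id, a->session_id_length);
}

/* Builds a constructed sample session, clamping len to the buffer. */
session_t make_session(int version, const unsigned char *id, size_t len)
{
    session_t s;
    memset(&s, 0, sizeof s);
    s.ssl_version = version;
    if (len > sizeof s.session_id)
        len = sizeof s.session_id;
    s.session_id_length = len;
    memcpy(s.session_id, id, len);
    return s;
}

/* Runs constructed cases; returns 1 when both comparators agree on every
 * case (equal -> 0, differing id or version -> non-zero). */
int demo_agree(void)
{
    static const unsigned char id1[] = "session-id-0001";   /* constructed */
    static const unsigned char id2[] = "session-id-0002";   /* constructed */
    session_t a = make_session(0x0303, id1, sizeof id1 - 1);
    session_t b = make_session(0x0303, id1, sizeof id1 - 1);
    session_t c = make_session(0x0303, id2, sizeof id2 - 1);
    session_t d = make_session(0x0302, id1, sizeof id1 - 1);
    int ok = 1;
    ok &= (session_cmp_leaky(&a, &b) == 0) && (session_cmp_ct(&a, &b) == 0);
    ok &= (session_cmp_leaky(&a, &c) != 0) && (session_cmp_ct(&a, &c) != 0);
    ok &= (session_cmp_leaky(&a, &d) != 0) && (session_cmp_ct(&a, &d) != 0);
    return ok;
}

int main(void)
{
    printf("comparators agree on all cases: %s\n", demo_agree() ? "yes" : "no");
    return 0;
}
```

The two comparators return the same verdicts; the difference is only in how long the id comparison takes, which is the property the thread is discussing. The `volatile` pointers and the bit-trick at the end of ct_memneq are there to keep the compiler from re-introducing an early exit.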