[openssl.org #1695] RSA_padding_check_SSLv23 broken



by David Woodhouse via RT


> [nectar@... - Wed. 04. Jun. 2008, 08:08:00]:
>
> We have addressed the following issue in Mac OS X:
>
> RSA_padding_check_SSLv23 has a bug in the loop that verifies the
> presence of eight consecutive 0x03 padding bytes just before the null
> marker signifying the end of the padding.  The problem is that at the
> start of the for loop (for (k= -8; k<0; k++)), p points at the byte
> *after* the NULL terminator. The eight 0x03 bytes are actually from
> p[-9] to p[-2] inclusive. The byte at p[-1] is the NULL.  As a result,
> if an SSLv2-only client is extraordinarily unlucky, an OpenSSL server
> with SSLv2 enabled may erroneously detect a rollback attack.  Well,
> this could have happened anyway with a probability of 1 in 2^64, but
> with this bug the probability was increased to 1 in 2^56.

Thank you very much for your report!  I have just checked in the fix
into the OpenSSL CVS (i.e., it will be in the next snapshots, both for
the main development branch and the 0.9.8 stable branch).

Note that your proposed patch isn't quite right, though.  The loop is
correct, but the error should still be raised in the case that k == -1,
meaning that p[-9] through p[-2] each had the value 0x03.

Bodo


>
> diff -Naur /var/tmp/OpenSSL.roots/OpenSSL/openssl/crypto/rsa/
> rsa_ssl.c ./crypto/rsa/rsa_ssl.c
> --- /var/tmp/OpenSSL.roots/OpenSSL/openssl/crypto/rsa/rsa_ssl.c
> 2000-11-06 14:34:16.000000000 -0800
> +++ ./crypto/rsa/rsa_ssl.c 2006-10-11 16:40:48.000000000 -0700
> @@ -130,11 +130,11 @@
>  
> RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
>   return(-1);
>   }
> - for (k= -8; k<0; k++)
> + for (k= -9; k<-1; k++)
>   {
>   if (p[k] !=  0x03) break;
>   }
> - if (k == -1)
> + if (k != -1)
>   {
>   RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
>   return(-1);
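Review bot: the inverted condition in this hunk (`- if (k == -1)` / `+ if (k != -1)`) breaks the rollback test even though the new loop bounds are right. With `for (k= -9; k<-1; k++)` the loop runs to completion, leaving k == -1, only when p[-9] through p[-2] are all 0x03; any break leaves k somewhere in -9..-2. So `k != -1` raises RSA_R_SSLV3_ROLLBACK_ATTACK for every block that does not carry the marker and never for one that does. Keep the original `if (k == -1)` and change only the loop bounds.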


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@...
Automated List Manager                           majordomo@...
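To make the off-by-one concrete, here is an added example (not OpenSSL's code and not the patch from the report) that reimplements the padding scan in simplified form and runs the original loop, the proposed patch and the committed fix over constructed blocks. The names sslv23_check, make_block, check_with_marks and the PAD_*/CHECK_* constants are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical result codes and check modes; not OpenSSL's own identifiers. */
enum { PAD_OK = 0, PAD_ERR_FORMAT = -1, PAD_ERR_ROLLBACK = -2 };
enum { CHECK_ORIGINAL, CHECK_PROPOSED, CHECK_FIXED };
/* Simplified SSLv23 padding check over a PKCS#1 type-2 block whose leading
 * 0x00 is already stripped: 0x02, >= 8 non-zero pad bytes, 0x00, data. After
 * the scan p points just past the 0x00, so the markers sit at p[-9]..p[-2]. */
static int sslv23_check(const uint8_t *from, size_t flen, int mode)
{
    const uint8_t *p = from;
    size_t i, j; int k;
    if (flen < 1 || *(p++) != 0x02) return PAD_ERR_FORMAT;
    j = flen - 1;                       /* bytes after the type byte */
    for (i = 0; i < j; i++)
        if (*(p++) == 0) break;         /* post-increment: p is past the 0x00 */
    if (i == j || i < 8) return PAD_ERR_FORMAT;
    switch (mode) {
    case CHECK_ORIGINAL:   /* k = -8..-1 also reads the 0x00 at p[-1] */
        for (k = -8; k < 0; k++) if (p[k] != 0x03) break;
        return (k == -1) ? PAD_ERR_ROLLBACK : PAD_OK;
    case CHECK_PROPOSED:   /* bounds from the patch, but the test is inverted */
        for (k = -9; k < -1; k++) if (p[k] != 0x03) break;
        return (k != -1) ? PAD_ERR_ROLLBACK : PAD_OK;
    default:               /* committed fix: new bounds, original k == -1 test */
        for (k = -9; k < -1; k++) if (p[k] != 0x03) break;
        return (k == -1) ? PAD_ERR_ROLLBACK : PAD_OK;
    }
}
/* Constructed test block: 0x02, npad pad bytes of which the last nmark are
 * 0x03 (the others 0x7f), then 0x00 and one data byte. Returns the length. */
static size_t make_block(uint8_t *out, size_t npad, size_t nmark)
{
    size_t i;
    out[0] = 0x02;
    for (i = 0; i < npad; i++)
        out[1 + i] = (i + nmark >= npad) ? 0x03 : 0x7f;
    out[1 + npad] = 0x00;
    out[2 + npad] = 0x42;
    return npad + 3;
}
/* Build a block with nmark trailing 0x03 pad bytes and run one check mode. */
static int check_with_marks(size_t nmark, int mode)
{
    uint8_t blk[32];
    size_t len = make_block(blk, 12, nmark);   /* 12 pad bytes: p[-9] is a pad byte */
    return sslv23_check(blk, len, mode);
}
```

With seven trailing 0x03 bytes the original loop reports a rollback (the 1-in-2^56 false positive from the report) while the fix does not; with eight it fires in both, and the proposed `k != -1` variant gets both of those cases backwards.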