Two possible vulnerabilities in OpenSSL?
Hey there,
I was auditing OpenSSL last night. I looked at several files and found
the following:
https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
/* Determine if we need to see RI. Strictly speaking if we want to
* avoid an attack we should *always* see RI even on initial server
* hello because the client doesn't see any renegotiation during an
* attack. However this would mean we could not connect to any server
* which doesn't support RI so for the immediate future tolerate RI
* absence on initial connect only.
*/
Well that's awful coding.
Unless I'm mistaken, the following memcmp is vulnerable to a remote
timing attack.
https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
{
    if (a->ssl_version != b->ssl_version)
        return(1);
    if (a->session_id_length != b->session_id_length)
        return(1);
    return(memcmp(a->session_id, b->session_id, a->session_id_length));
}
I posted both of these findings to the full disclosure list last night.
I figured someone on this list might find it interesting as well.
Cheers,
Peter.
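A constant-time alternative to the memcmp-based session ID comparison quoted above, as an added example that is not OpenSSL's code: the session_t struct, ct_memcmp and compare_ids are assumed stand-ins, and the session IDs in the test are constructed sample values.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for OpenSSL's SSL_SESSION (assumed shape, for this example only). */
#define MAX_SESSION_ID_LEN 32
typedef struct {
    int ssl_version;
    size_t session_id_length;
    unsigned char session_id[MAX_SESSION_ID_LEN];
} session_t;

/* Constant-time equality check: touches every byte regardless of where the
 * first mismatch is, so the running time does not reveal the position of the
 * first differing byte. Returns 0 when equal, non-zero otherwise. */
static int ct_memcmp(const void *in_a, const void *in_b, size_t len)
{
    const volatile unsigned char *a = in_a;
    const volatile unsigned char *b = in_b;
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= a[i] ^ b[i];
    return diff;
}

/* Hardened variant of the quoted comparison: same contract (0 = match), but
 * the session ID bytes are compared with ct_memcmp instead of memcmp. */
static int ssl_session_cmp_ct(const session_t *a, const session_t *b)
{
    if (a->ssl_version != b->ssl_version)
        return 1;
    if (a->session_id_length != b->session_id_length)
        return 1;
    return ct_memcmp(a->session_id, b->session_id, a->session_id_length);
}

/* Builds two sessions from constructed sample data and compares them. */
static int compare_ids(int ver_a, const char *id_a, int ver_b, const char *id_b)
{
    session_t a, b;
    memset(&a, 0, sizeof(a));
    memset(&b, 0, sizeof(b));
    a.ssl_version = ver_a;
    b.ssl_version = ver_b;
    a.session_id_length = strlen(id_a) > MAX_SESSION_ID_LEN ? MAX_SESSION_ID_LEN : strlen(id_a);
    b.session_id_length = strlen(id_b) > MAX_SESSION_ID_LEN ? MAX_SESSION_ID_LEN : strlen(id_b);
    memcpy(a.session_id, id_a, a.session_id_length);
    memcpy(b.session_id, id_b, b.session_id_length);
    return ssl_session_cmp_ct(&a, &b);
}
```

The loop has no early exit, so a mismatch in the first byte and a mismatch in the last byte cost the same amount of work.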