Hi, On 06/02/13 11:49, Thijs Kinkhorst wrote: > Can you see to it that this issue is addressed in unstable and testing? And > are you available to create an update for stable-security?
I'm attaching (3.0 (quilt) formatted) patches, backported from upstream's changes between 1.2.4 and 1.2.5, for the versions in testing(=unstable) and stable(-security), respectively. Can you please review/comment? I can upload this to unstable and stable-security(security-master?). Thanks in advance, Roland
Description: Fix for CVE-2013-0169 This patch fixes CVE-2013-0169: Lucky 13 TLS protocol timing flaw This also refers to CVE-2013-1621 and CVE-2013-1622. It is a backport from upstreams diff between versions 1.2.4 to 1.2.5, doing only minimal changes addressing the CVE. Author: Roland Stigge <[email protected]> Bug-Debian: http://bugs.debian.org/699887 --- library/ssl_tls.c | 54 +++++++++++++++++++++++++++++++++++------------------- 1 file changed, 35 insertions(+), 19 deletions(-) --- polarssl-1.1.4.orig/library/ssl_tls.c +++ polarssl-1.1.4/library/ssl_tls.c @@ -652,7 +652,7 @@ static int ssl_encrypt_buf( ssl_context static int ssl_decrypt_buf( ssl_context *ssl ) { - size_t i, padlen; + size_t i, padlen = 0, correct = 1; unsigned char tmp[20]; SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); @@ -667,7 +667,6 @@ static int ssl_decrypt_buf( ssl_context if( ssl->ivlen == 0 ) { #if defined(POLARSSL_ARC4_C) - padlen = 0; arc4_crypt( (arc4_context *) ssl->ctx_dec, ssl->in_msglen, ssl->in_msg, ssl->in_msg ); @@ -680,6 +679,7 @@ static int ssl_decrypt_buf( ssl_context unsigned char *dec_msg; unsigned char *dec_msg_result; size_t dec_msglen; + size_t minlen = 0, fake_padlen; /* * Decrypt and check the padding @@ -691,6 +691,17 @@ static int ssl_decrypt_buf( ssl_context return( POLARSSL_ERR_SSL_INVALID_MAC ); } + if( ssl->minor_ver >= SSL_MINOR_VERSION_2 ) + minlen += ssl->ivlen; + + if( ssl->in_msglen < minlen + ssl->ivlen || + ssl->in_msglen < minlen + ssl->maclen + 1 ) + { + SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )", + ssl->in_msglen, ssl->ivlen, ssl->maclen ) ); + return( POLARSSL_ERR_SSL_INVALID_MAC ); + } + dec_msglen = ssl->in_msglen; dec_msg = ssl->in_msg; dec_msg_result = ssl->in_msg; 
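Review bot: The new length guard in the @@ -691 hunk is the one place in this function where returning early is acceptable, but nothing says why, and a later reader may "fix" it to match the non-returning checks below or vice versa; add above the `if`: `/* Record length is already visible on the wire, so an early reject here leaks nothing; it also guarantees in_msglen >= maclen + 1 (+ explicit IV when minor_ver >= 2), which the constant-time padding/MAC path below relies on to avoid underflow */`. The `%d` specifiers in the added `SSL_DEBUG_MSG` would mismatch if `in_msglen`, `ivlen` and `maclen` share the `size_t` type that `padlen` has in the @@ -652 hunk; it is a debug-only path, but casting the three arguments to `int` avoids the undefined format/argument mismatch in verbose builds. The same guard and message appear in the stable patch's @@ -635 hunk.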
@@ -750,15 +761,20 @@ static int ssl_decrypt_buf( ssl_context } padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; + fake_padlen = 256 - padlen; + + if( ssl->in_msglen < ssl->maclen + padlen ) + { + padlen = 0; + fake_padlen = 256; + correct = 0; + } if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) { if( padlen > ssl->ivlen ) { - SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " - "should be no more than %d", - padlen, ssl->ivlen ) ); - padlen = 0; + correct = 0; } } else @@ -770,12 +786,19 @@ static int ssl_decrypt_buf( ssl_context { if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 ) { - SSL_DEBUG_MSG( 1, ( "bad padding byte: should be " - "%02x, but is %02x", padlen - 1, - ssl->in_msg[ssl->in_msglen - i] ) ); + correct = 0; + fake_padlen = 256 - i; padlen = 0; } } + for( i = 1; i <= fake_padlen; i++ ) + { + if( ssl->in_msg[i + 1] != fake_padlen - 1 ) + minlen = 0; + else + minlen = 1; + } + } } @@ -785,19 +808,12 @@ static int ssl_decrypt_buf( ssl_context /* * Always compute the MAC (RFC4346, CBCTIME). */ - if( ssl->in_msglen < ssl->maclen + padlen ) - { - SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)", - ssl->in_msglen, ssl->maclen, padlen ) ); - return( POLARSSL_ERR_SSL_INVALID_MAC ); - } - ssl->in_msglen -= ( ssl->maclen + padlen ); ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 ); ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen ); - memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 ); + memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->maclen ); if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) { @@ -830,14 +846,14 @@ static int ssl_decrypt_buf( ssl_context ssl->maclen ) != 0 ) { SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); - return( POLARSSL_ERR_SSL_INVALID_MAC ); + correct = 0; } /* * Finally check the padding length; bad padding * will produce the same error as an invalid MAC. */ - if( ssl->ivlen != 0 && padlen == 0 ) + if( correct == 0 ) return( POLARSSL_ERR_SSL_INVALID_MAC ); if( ssl->in_msglen == 0 )
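Review bot: The compensating loop added in the @@ -770 hunk only assigns `minlen`, a local that nothing reads afterwards in the hunks shown, so an optimising build is free to delete the loop entirely and with it the work that is supposed to make a bad padding byte cost the same as a good one. The real loop also indexes from the end of the record (`ssl->in_msg[ssl->in_msglen - i]`) while the dummy loop reads `ssl->in_msg[i + 1]` from the start and up to index 257 regardless of `in_msglen`, so the memory access pattern still differs between the two paths; that is harder to fix than the dead store and at least deserves a comment. The minimal change is a sink the compiler cannot discard: declare `volatile size_t dummy = 0;` next to `minlen` and make the loop body `dummy = ( ssl->in_msg[i + 1] != fake_padlen - 1 );`, with a comment `/* dummy check so that the padding scan always costs ~256 iterations (Lucky 13) */`. The stable patch's @@ -715 hunk has the same loop and needs the same change.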
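Review bot: The MAC comparison whose closing `ssl->maclen ) != 0 )` opens the @@ -830 hunk is now the only remaining check before the record is accepted, and if it is the stock `memcmp` (the call itself is just outside the hunk) it returns at the first differing byte, so the time to reach `correct = 0` still depends on how many leading MAC bytes happen to match. A padding error now deliberately flows into this comparison (`padlen = 0`, MAC over the full length), so this path is exactly the one the patch is hardening. Replace it with a comparison that touches every byte; the helper below is one way, called as `if( ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen, ssl->maclen ) != 0 )`. The stable patch's @@ -748 hunk ends on the same comparison.
```c
/* Compare n bytes without an early exit so the position of the first
 * mismatching byte does not show up as a timing difference.
 * Returns non-zero if the buffers differ. */
static int ssl_safer_memcmp( const void *a, const void *b, size_t n )
{
    const unsigned char *x = a;
    const unsigned char *y = b;
    unsigned char diff = 0;
    size_t i;

    for( i = 0; i < n; i++ )
        diff |= x[i] ^ y[i];

    return( diff );
}

/* … unchanged: MAC computation into tmp … */
    if( ssl_safer_memcmp( tmp, ssl->in_msg + ssl->in_msglen,
                          ssl->maclen ) != 0 )
```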
Description: Fix for CVE-2013-0169 This patch fixes CVE-2013-0169: Lucky 13 TLS protocol timing flaw This also refers to CVE-2013-1621 and CVE-2013-1622. It is a backport from upstreams diff between versions 1.2.4 to 1.2.5, doing only minimal changes addressing the CVE. Author: Roland Stigge <[email protected]> Bug-Debian: http://bugs.debian.org/699887 --- polarssl-0.12.1.orig/library/ssl_tls.c +++ polarssl-0.12.1/library/ssl_tls.c @@ -601,7 +601,7 @@ static int ssl_decrypt_buf( ssl_context *ssl ) { - int i, padlen; + int i, padlen = 0, correct = 1; unsigned char tmp[20]; SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); @@ -616,7 +616,6 @@ if( ssl->ivlen == 0 ) { #if defined(POLARSSL_ARC4_C) - padlen = 0; arc4_crypt( (arc4_context *) ssl->ctx_dec, ssl->in_msg, ssl->in_msglen ); #else @@ -625,6 +624,7 @@ } else { + size_t minlen = 0, fake_padlen; /* * Decrypt and check the padding */ @@ -635,6 +635,17 @@ return( POLARSSL_ERR_SSL_INVALID_MAC ); } + if( ssl->minor_ver >= SSL_MINOR_VERSION_2 ) + minlen += ssl->ivlen; + + if( ssl->in_msglen < minlen + ssl->ivlen || + ssl->in_msglen < minlen + ssl->maclen + 1 ) + { + SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) + 1 ) ( + expl IV )", + ssl->in_msglen, ssl->ivlen, ssl->maclen ) ); + return( POLARSSL_ERR_SSL_INVALID_MAC ); + } + switch( ssl->ivlen ) { #if defined(POLARSSL_DES_C) @@ -676,13 +687,20 @@ padlen = 1 + ssl->in_msg[ssl->in_msglen - 1]; + fake_padlen = 256 - padlen; + + if( ssl->in_msglen < ssl->maclen + padlen ) + { + padlen = 0; + fake_padlen = 256; + correct = 0; + } + if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) { if( padlen > ssl->ivlen ) { - SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, " - "should be no more than %d", - padlen, ssl->ivlen ) ); + correct = 0; padlen = 0; } } 
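Review bot: The stable backport declares the new `minlen` and `fake_padlen` as `size_t` (@@ -625 hunk) while `i` and `padlen` stay `int` (@@ -601 hunk), so the comparison `ssl->in_msglen < minlen + ssl->ivlen` in the @@ -635 hunk and `i <= fake_padlen` in the @@ -715 hunk mix signed and unsigned operands if `in_msglen` and `ivlen` are `int` in this version, as the existing locals suggest. The values are non-negative on every path shown, so the result is right today, but the promotion to unsigned is invisible at the comparison, and the testing patch avoids the mix only because its `i` and `padlen` are `size_t` as well. Declaring them as `int minlen = 0, fake_padlen;` matches the surrounding locals in this version and keeps the arithmetic in one domain.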
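Review bot: In the SSL 3.0 branch of the @@ -676 hunk the stable backport keeps `padlen = 0;` after the new `correct = 0;`, whereas the testing backport's @@ -750 hunk replaces the reset with `correct = 0;` alone, so the two patches strip a different number of bytes before the MAC is computed on an oversized SSL3 pad. Neither can underflow, because the new `in_msglen < maclen + padlen` guard just above runs first, and `correct == 0` rejects the record either way, but the two versions should make the same choice; keeping `padlen = 0;` is the one consistent with the TLS branch, which also zeroes `padlen` on a bad padding byte. Whichever is chosen, a one-line comment on the reset such as `/* treat like a bad TLS padding byte: strip nothing, MAC over the full record */` stops the next backport from dropping it as redundant.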
@@ -695,12 +713,18 @@ { if( ssl->in_msg[ssl->in_msglen - i] != padlen - 1 ) { - SSL_DEBUG_MSG( 1, ( "bad padding byte: should be " - "%02x, but is %02x", padlen - 1, - ssl->in_msg[ssl->in_msglen - i] ) ); + correct = 0; + fake_padlen = 256 - i; padlen = 0; } } + for( i = 1; i <= fake_padlen; i++ ) + { + if( ssl->in_msg[i + 1] != fake_padlen - 1 ) + minlen = 0; + else + minlen = 1; + } } } @@ -715,7 +739,7 @@ ssl->in_hdr[3] = (unsigned char)( ssl->in_msglen >> 8 ); ssl->in_hdr[4] = (unsigned char)( ssl->in_msglen ); - memcpy( tmp, ssl->in_msg + ssl->in_msglen, 20 ); + memcpy( tmp, ssl->in_msg + ssl->in_msglen, ssl->maclen ); if( ssl->minor_ver == SSL_MINOR_VERSION_0 ) { @@ -748,14 +772,14 @@ ssl->maclen ) != 0 ) { SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); - return( POLARSSL_ERR_SSL_INVALID_MAC ); + correct = 0; } /* * Finally check the padding length; bad padding * will produce the same error as an invalid MAC. */ - if( ssl->ivlen != 0 && padlen == 0 ) + if( correct == 0 ) return( POLARSSL_ERR_SSL_INVALID_MAC ); if( ssl->in_msglen == 0 )

