We have addressed the following issue in Mac OS X:
RSA_padding_check_SSLv23 has a bug in the loop that verifies the
presence of eight consecutive 0x03 padding bytes just before the null
marker signifying the end of the padding. The problem is that at the
start of the for loop (for (k= -8; k<0; k++)), p points at the byte
*after* the NULL terminator. The eight 0x03 bytes are actually from
p[-9] to p[-2] inclusive. The byte at p[-1] is the NULL. As a result,
if an SSLv2-only client is extraordinarily unlucky, an OpenSSL server
with SSLv2 enabled may erroneously detect a rollback attack. Well,
this could have happened anyway with a probability of 1 in 2^64, but
with this bug the probability was increased to 1 in 2^56.
diff -Naur /var/tmp/OpenSSL.roots/OpenSSL/openssl/crypto/rsa/
rsa_ssl.c ./crypto/rsa/rsa_ssl.c
--- /var/tmp/OpenSSL.roots/OpenSSL/openssl/crypto/rsa/rsa_ssl.c
2000-11-06 14:34:16.000000000 -0800
+++ ./crypto/rsa/rsa_ssl.c 2006-10-11 16:40:48.000000000 -0700
@@ -130,11 +130,11 @@
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
return(-1);
}
- for (k= -8; k<0; k++)
+ for (k= -9; k<-1; k++)
{
if (p[k] != 0x03) break;
}
- if (k == -1)
+ if (k != -1)
{
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
return(-1);
Cheers,
--
Jacques
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
