On Tue, Jun 10, 2014 at 11:35:06PM +0100, Matt Caswell wrote:
> On 10 June 2014 21:52, Kurt Roeckx <k...@roeckx.be> wrote:
> >> As far as I can see this is SSLv3 only, and only about the Finish
> >> message.
> >>
> >> So it seems that function returns the length of the digest, and in
> >> some error cases 0. We'll end up with a wrong value in
> >> (peer_)finish_md_len.
> >>
> >> It should then result in this error:
> >>     if (i != n)
> >>         {
> >>         al=SSL_AD_DECODE_ERROR;
> >>         SSLerr(SSL_F_SSL3_GET_FINISHED,SSL_R_BAD_DIGEST_LENGTH);
> >>         goto f_err;
> >>         }
> >>
> >> So at first look there doesn't seem to be anything wrong with the
> >> current code. But their patch doesn't do anything wrong either.
> >
> > So to clarify this a little more. ssl3_final_finish_mac() returns
> > 0 on an internal error, or the length of the digest. In case of SSLv3
> > it's both an MD5 and SHA1. In ssl3_final_finish_mac() they only
> > get calculated and the length is returned. The check that they
> > are correct happens just after the if I quoted above.
>
> I can't see a way that this could be exploited. It is a bug though.
>
> I've just pushed a fix:
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2f1dffa88e1b120add4f0b3a794fbca65aa7768d
>
> Matt
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org

It's common courtesy to attribute fixes to the original author or at
least the project.

-Otto