[EMAIL PROTECTED] - Mi. 04. Jun. 2008, 08:08:00]:
We have addressed the following issue in Mac OS X:
RSA_padding_check_SSLv23 has a bug in the loop that verifies the
presence of eight consecutive 0x03 padding bytes just before the null
marker signifying the end of the padding. The problem is that at the
start of the for loop (for (k= -8; k0; k++)), p points at the byte
*after* the NULL terminator. The eight 0x03 bytes are actually from
p[-9] to p[-2] inclusive. The byte at p[-1] is the NULL. As a result,
if an SSLv2-only client is extraordinarily unlucky, an OpenSSL server
with SSLv2 enabled may erroneously detect a rollback attack. Well,
this could have happened anyway with a probability of 1 in 2^64, but
with this bug the probability was increased to 1 in 2^56.
Thank you very much for your report! I have just checked in the fix
into the OpenSSL CVS (i.e., it will be in the next snapshots, both for
the main development branch and the 0.9.8 stable branch).
Note that your proposed patch isn't quite right, though. The loop is
correct, but the error should still be raised in the case that k == -1,
meaning that p[-9] through p[-2] each had the value 0x03.
Bodo
diff -Naur /var/tmp/OpenSSL.roots/OpenSSL/openssl/crypto/rsa/
rsa_ssl.c ./crypto/rsa/rsa_ssl.c
--- /var/tmp/OpenSSL.roots/OpenSSL/openssl/crypto/rsa/rsa_ssl.c
2000-11-06 14:34:16.0 -0800
+++ ./crypto/rsa/rsa_ssl.c2006-10-11 16:40:48.0 -0700
@@ -130,11 +130,11 @@
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_NULL_BEFORE_BLOCK_MISSING);
return(-1);
}
- for (k= -8; k0; k++)
+ for (k= -9; k-1; k++)
{
if (p[k] != 0x03) break;
}
- if (k == -1)
+ if (k != -1)
{
RSAerr(RSA_F_RSA_PADDING_CHECK_SSLV23,RSA_R_SSLV3_ROLLBACK_ATTACK);
return(-1);
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
