Re: [PATCH] Fix IV check and padding removal.
On 11 February 2013 13:19, David Woodhouse dw...@infradead.org wrote: On Mon, 2013-02-11 at 20:59 +, David Woodhouse wrote: From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 From: Dr. Stephen Henson st...@openssl.org Date: Thu, 7 Feb 2013 21:06:37 + Subject: [PATCH] Fix IV check and padding removal. ... + if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) That's redundant, isn't it? DTLS1_VERSION (0xfeff) is greater than TLS1_1_version (0x302) anyway. DTLS1_BAD_VER isn't though. Changing the DTLS1_VERSION to DTLS1_BAD_VER makes OpenConnect work again... diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 2e93657..1db1d8c 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) + if (s-version = TLS1_1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. Ah, it looks like you only moved the offending code; it was actually Ben's fault in commit 9f27de17 / 014265eb. Gah! I wish tests would pick up stuff like this! (I'm so happy you finally moved to git :) -- dwmw2 __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: [PATCH] Fix IV check and padding removal.
On Mon, 2013-02-11 at 20:59 +, David Woodhouse wrote: From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 From: Dr. Stephen Henson st...@openssl.org Date: Thu, 7 Feb 2013 21:06:37 + Subject: [PATCH] Fix IV check and padding removal. ... + if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) That's redundant, isn't it? DTLS1_VERSION (0xfeff) is greater than TLS1_1_version (0x302) anyway. DTLS1_BAD_VER isn't though. Changing the DTLS1_VERSION to DTLS1_BAD_VER makes OpenConnect work again... diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 2e93657..1db1d8c 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) + if (s-version = TLS1_1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. Ah, it looks like you only moved the offending code; it was actually Ben's fault in commit 9f27de17 / 014265eb. (I'm so happy you finally moved to git :) -- dwmw2 smime.p7s Description: S/MIME cryptographic signature
Re: [PATCH] Fix IV check and padding removal.
From 32cc2479b473c49ce869e57fded7e9a77b695c0d Mon Sep 17 00:00:00 2001 From: Dr. Stephen Henson st...@openssl.org Date: Thu, 7 Feb 2013 21:06:37 + Subject: [PATCH] Fix IV check and padding removal. ... + if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) That's redundant, isn't it? DTLS1_VERSION (0xfeff) is greater than TLS1_1_version (0x302) anyway. DTLS1_BAD_VER isn't though. Changing the DTLS1_VERSION to DTLS1_BAD_VER makes OpenConnect work again... diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 2e93657..1db1d8c 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -146,7 +146,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version = TLS1_1_VERSION || s-version == DTLS1_VERSION) + if (s-version = TLS1_1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. -- dwmw2 smime.p7s Description: S/MIME cryptographic signature
Re: [PATCH] Fix IV check and padding removal.
On Mon, 2013-02-11 at 13:24 -0800, Ben Laurie wrote: Ah, it looks like you only moved the offending code; it was actually Ben's fault in commit 9f27de17 / 014265eb. Gah! I wish tests would pick up stuff like this! As far as I'm aware there are no tests for DTLS1_BAD_VER. Apart from my users :) We don't even have server-side support for it in OpenSSL any more. It's only kept around for compatibility with Cisco AnyConnect, and I don't think *they're* doing anything at all towards its upkeep — and although they could happily run DTLS1.0 in parallel on the server and have a migration path to sanity, they aren't doing that *either*. However, we do *only* ever use it in 'session resume' mode. The session-id and master secret are negotiated out-of-band with the authentication, over TCP. When I was introducing SSL_OP_CISCO_ANYCONNECT and subsequently hacking on stuff to find breakage, I've hard-coded those and the random number generator and have at least used basic replay techniques for sanity checking. I ended up with stuff like http://david.woodhou.se/dtls-test.c -- dwmw2 smime.p7s Description: S/MIME cryptographic signature
Re: [PATCH] Fix IV check and padding removal.
Same fix for 1.0.0 branch: diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 5b3f371..61413b8 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s, unsigned padding_length, good, to_check, i; const unsigned overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ - if (s-version == DTLS1_VERSION) + if (s-version == DTLS1_VERSION || s-version == DTLS1_BAD_VER) { /* These lengths are all public so we can test them in * non-constant time. -- dwmw2 smime.p7s Description: S/MIME cryptographic signature