Discussion:
[openssl.org #3425] Potential padding oracle in evp_enc.c
noloader@gmail.com via RT
2014-07-03 07:16:27 UTC
Around line 519 in evp_enc.c:

// Line 519 below
if (b > 1)
	{
	if (ctx->buf_len || !ctx->final_used)
		{
		EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_WRONG_FINAL_BLOCK_LENGTH);
		return(0);
		}
	OPENSSL_assert(b <= sizeof ctx->final);
	n=ctx->final[b-1];
	// Line 528 below
	if (n == 0 || n > (int)b)
		{
		EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
		return(0);
		}
	for (i=0; i<n; i++)
		{
		// Line 535 below
		if (ctx->final[--b] != n)
			{
			EVPerr(EVP_F_EVP_DECRYPTFINAL_EX,EVP_R_BAD_DECRYPT);
			return(0);
			}
		}
	n=ctx->cipher->block_size-n;
	for (i=0; i<n; i++)
		out[i]=ctx->final[i];
	*outl=n;
	}

The line at 535 looks like it could leak information.

And to some extent, it looks like the line at 528 could also leak. The
528 leak looks equivalent to ctx->final[b-1] != n (i.e., the first
test of Line 535).

**********
$ git pull
Already up-to-date.
$ git log --name-status HEAD^..HEAD
commit a5a317872869255ab61565f487cd4467a3756fc7
Author: Rich Salz <***@akamai.com>
Date: Wed Jul 2 23:18:39 2014 -0400

RT3408; fix some (not all suggested) typo's in openssl.cnf

M apps/openssl.cnf

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org
Rich Salz via RT
2014-07-07 01:57:36 UTC
Not sure what you're pointing out. That there are different return values? This
is a local API, so warning users to not expose detail errors would address
this, right?

Billy Brumley
2014-07-07 13:18:27 UTC
It's timing too. Not just return values. Early exit.

BBB
> Not sure what you're pointing out. That there are different return values? This
> is a local API, so warning users to not expose detail errors would address
> this, right?

Matt Caswell via RT
2014-07-07 22:44:10 UTC
Emilia is looking at this - assigning this ticket to her.

Matt

Emilia Käsper via RT
2014-09-24 14:58:45 UTC
Thanks for reporting!

The leak would only be meaningful if the caller is doing mac-then-encrypt and
is attempting to proceed with the mac-check in constant-time following a call
to EVP_DecryptInit_ex. It also doesn't affect TLS mac-then-encrypt because TLS
uses a different padding scheme, and a different, constant-time code path in
OpenSSL.

We also don't have evidence that the leak is large enough to be exploitable.
However, it's best to be careful so I've rewritten the code to do the padding
check in constant time. See commit

4aac102f75b517bdb56b1bcfd0a856052d559f6e

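Added example, not OpenSSL's code and not the commit referenced above: the early-exit padding check in the shape of the evp_enc.c excerpt at the top of the thread, instrumented to count how many bytes it compares before returning, beside a mask-based constant-time check of the same PKCS#7 rule (1 <= n <= block size, last n bytes all equal n). It assumes a 16-byte final block; the function names and the sample blocks are my own.

```c
#include <stddef.h>
#include <stdint.h>

/* All-ones mask iff a < b, else zero. Inputs must be below 2^31. */
static uint32_t ct_lt(uint32_t a, uint32_t b) { return 0u - ((a - b) >> 31); }
/* All-ones mask iff a == b, else zero. Inputs must be below 2^31. */
static uint32_t ct_eq(uint32_t a, uint32_t b) { return 0u - (((a ^ b) - 1) >> 31); }

/* Early-exit check in the shape of the evp_enc.c excerpt quoted at the top of
 * the thread. *examined receives how many bytes were compared before returning;
 * that count, and so the run time, depends on where the first bad byte sits in
 * the secret plaintext. Returns the plaintext length, or -1 on bad padding. */
static int pad_check_early_exit(const unsigned char *blk, size_t b, size_t *examined)
{
    unsigned n = blk[b - 1];
    *examined = 1;
    if (n == 0 || n > b)
        return -1;
    for (unsigned i = 0; i < n; i++) {
        (*examined)++;
        if (blk[b - 1 - i] != n)
            return -1;
    }
    return (int)(b - n);
}

/* Constant-time variant: all b bytes are inspected on every call and the
 * comparisons are folded into masks, so neither the branches taken nor the
 * bytes read depend on the plaintext. Same return convention as above. */
static int pad_check_ct(const unsigned char *blk, size_t b)
{
    uint32_t n = blk[b - 1];
    uint32_t good = ct_lt(n, (uint32_t)b + 1) & ct_lt(0, n); /* 1 <= n <= b */
    for (uint32_t i = 0; i < b; i++) {
        uint32_t is_pad = ct_lt(i, n);            /* i-th byte from the end is padding */
        uint32_t match = ct_eq(blk[b - 1 - i], n);
        good &= match | ~is_pad;                  /* every padding byte must equal n */
    }
    uint32_t len = (uint32_t)b - n;
    return (int)((len & good) | ~good);           /* len when good, -1 otherwise */
}

/* Constructed 16-byte final blocks (sample data, not taken from the thread). */
static const unsigned char PAD4_OK[16]   = "abcdefghijkl\x04\x04\x04\x04";
static const unsigned char PAD4_BAD3[16] = "abcdefghijkl\x09\x04\x04\x04"; /* 4th pad byte wrong */
static const unsigned char PAD4_BAD1[16] = "abcdefghijkl\x04\x04\x09\x04"; /* 2nd pad byte wrong */
static const unsigned char PAD_FULL[16]  = "\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10\x10";
static const unsigned char PAD_ZERO[16]  = "abcdefghijklmno";              /* implicit NUL: pad byte 0 */
static const unsigned char PAD_BIG[16]   = "abcdefghijklmno\x11";          /* 17 > block size */
```

The byte counts returned through the out-parameter differ between PAD4_BAD3 and PAD4_BAD1 for the early-exit version, which is the leak the thread is about; the mask-based version touches all sixteen bytes regardless.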