[gnutls-dev] Variant of Bleichenbacher's crypto 06 rump session attack

Simon Josefsson jas at extundo.com
Fri Sep 8 17:44:13 CEST 2006 

The GNUTLS-SA-2006-4 security problem (fixed in 1.4.3) is a variant of
Bleichenbacher's latest attack:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

The difference is that it uses the digestAlgorithm.parameters field to
store "garbage" instead of after the ASN.1 blob.  The optional
parameters field is not used for MD5/SHA1, but instead of verifying
that the field is not present, GnuTLS just ignored it.  Therefor, it
can be used to store garbage data in.

This problem was reported to us by Yutaka Oiwa, Kazukuni Kobara,
Hajime Watanabe and hopefully their original report with more
background will be available soon.

The patch that fixes this is for lib/x509/verify.c, see below.

This has been installed on the GnuTLS 1.5 branch, but I don't intend
to release 1.5.1 soon.  Try the nightly snapshots, or 1.4.3 instead.

/Simon

Update of /cvs/gnutls/gnutls/lib/x509
In directory trithemius:/tmp/cvs-serv3577

Modified Files:
      Tag: gnutls_1_4_x
	verify.c 
Log Message:
Make sure the digestAlgorithm.parameters field is empty, which it has
to be for the hashes we support.  Otherwise, the field can encode
"garbage" that might be used to make the signature be a perfect cube,
similar (but not identical) to Bleichenbacher's Crypto 06 rump session
attack.

--- /cvs/gnutls/gnutls/lib/x509/verify.c	2005/11/07 23:28:02	1.52
+++ /cvs/gnutls/gnutls/lib/x509/verify.c	2006/09/08 13:38:55	1.52.2.1
 <at>  <at>  -1,5 +1,5  <at>  <at> 
 /*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation
  *
  * Author: Nikos Mavroyanopoulos
  *
 <at>  <at>  -505,6 +505,15  <at>  <at> 
       return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
     }

+  len = sizeof (str) - 1;
+  result = asn1_read_value (dinfo, "digestAlgorithm.parameters", NULL, &len);
+  if (result != ASN1_ELEMENT_NOT_FOUND)
+    {
+      gnutls_assert ();
+      asn1_delete_structure (&dinfo);
+      return _gnutls_asn2err (result);
+    }
+
   result = asn1_read_value (dinfo, "digest", digest, digest_size);
   if (result != ASN1_SUCCESS)
     {

More information about the Gnutls-devel mailing list