[gnutls-dev] Variant of Bleichenbacher's crypto 06 rump session attack
Simon Josefsson
jas at extundo.com
Fri Sep 8 17:44:13 CEST 2006
The GNUTLS-SA-2006-4 security problem (fixed in 1.4.3) is a variant of
Bleichenbacher's latest attack:
http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html
The difference is that it uses the digestAlgorithm.parameters field to
store "garbage" instead of after the ASN.1 blob. The optional
parameters field is not used for MD5/SHA1, but instead of verifying
that the field is not present, GnuTLS just ignored it. Therefor, it
can be used to store garbage data in.
This problem was reported to us by Yutaka Oiwa, Kazukuni Kobara,
Hajime Watanabe and hopefully their original report with more
background will be available soon.
The patch that fixes this is for lib/x509/verify.c, see below.
This has been installed on the GnuTLS 1.5 branch, but I don't intend
to release 1.5.1 soon. Try the nightly snapshots, or 1.4.3 instead.
/Simon
Update of /cvs/gnutls/gnutls/lib/x509
In directory trithemius:/tmp/cvs-serv3577
Modified Files:
Tag: gnutls_1_4_x
verify.c
Log Message:
Make sure the digestAlgorithm.parameters field is empty, which it has
to be for the hashes we support. Otherwise, the field can encode
"garbage" that might be used to make the signature be a perfect cube,
similar (but not identical) to Bleichenbacher's Crypto 06 rump session
attack.
--- /cvs/gnutls/gnutls/lib/x509/verify.c 2005/11/07 23:28:02 1.52
+++ /cvs/gnutls/gnutls/lib/x509/verify.c 2006/09/08 13:38:55 1.52.2.1
<at> <at> -1,5 +1,5 <at> <at>
/*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation
*
* Author: Nikos Mavroyanopoulos
*
<at> <at> -505,6 +505,15 <at> <at>
return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
}
+ len = sizeof (str) - 1;
+ result = asn1_read_value (dinfo, "digestAlgorithm.parameters", NULL, &len);
+ if (result != ASN1_ELEMENT_NOT_FOUND)
+ {
+ gnutls_assert ();
+ asn1_delete_structure (&dinfo);
+ return _gnutls_asn2err (result);
+ }
+
result = asn1_read_value (dinfo, "digest", digest, digest_size);
if (result != ASN1_SUCCESS)
{
More information about the Gnutls-devel
mailing list