TLS/SSL and crypto library
Find a file
Matt Caswell 2020068123 Prevent DTLS Finished message injection
Follow on from CVE-2016-2179

The investigation and analysis of CVE-2016-2179 highlighted a related flaw.

This commit fixes a security "near miss" in the buffered message handling
code. Ultimately this is not currently believed to be exploitable due to
the reasons outlined below, and therefore there is no CVE for this on its
own.

The issue this commit fixes is a MITM attack where the attacker can inject
a Finished message into the handshake. In the description below it is
assumed that the attacker injects the Finished message for the server to
receive it. The attack could work equally well the other way around (i.e
where the client receives the injected Finished message).

The MITM requires the following capabilities:
- The ability to manipulate the MTU that the client selects such that it
is small enough for the client to fragment Finished messages.
- The ability to selectively drop and modify records sent from the client
- The ability to inject its own records and send them to the server

The MITM forces the client to select a small MTU such that the client
will fragment the Finished message. Ideally for the attacker the first
fragment will contain all but the last byte of the Finished message,
with the second fragment containing the final byte.

During the handshake and prior to the client sending the CCS the MITM
injects a plaintext Finished message fragment to the server containing
all but the final byte of the Finished message. The message sequence
number should be the one expected to be used for the real Finished message.

OpenSSL will recognise that the received fragment is for the future and
will buffer it for later use.

After the client sends the CCS it then sends its own Finished message in
two fragments. The MITM causes the first of these fragments to be
dropped. The OpenSSL server will then receive the second of the fragments
and reassemble the complete Finished message consisting of the MITM
fragment and the final byte from the real client.

The advantage to the attacker in injecting a Finished message is that
this provides the capability to modify other handshake messages (e.g.
the ClientHello) undetected. A difficulty for the attacker is knowing in
advance what impact any of those changes might have on the final byte of
the handshake hash that is going to be sent in the "real" Finished
message. In the worst case for the attacker this means that only 1 in
256 of such injection attempts will succeed.

It may be possible in some situations for the attacker to improve this such
that all attempts succeed. For example if the handshake includes client
authentication then the final message flight sent by the client will
include a Certificate. Certificates are ASN.1 objects where the signed
portion is DER encoded. The non-signed portion could be BER encoded and so
the attacker could re-encode the certificate such that the hash for the
whole handshake comes to a different value. The certificate re-encoding
would not be detectable because only the non-signed portion is changed. As
this is the final flight of messages sent from the client the attacker
knows what the complete hanshake hash value will be that the client will
send - and therefore knows what the final byte will be. Through a process
of trial and error the attacker can re-encode the certificate until the
modified handhshake also has a hash with the same final byte. This means
that when the Finished message is verified by the server it will be
correct in all cases.

In practice the MITM would need to be able to perform the same attack
against both the client and the server. If the attack is only performed
against the server (say) then the server will not detect the modified
handshake, but the client will and will abort the connection.
Fortunately, although OpenSSL is vulnerable to Finished message
injection, it is not vulnerable if *both* client and server are OpenSSL.
The reason is that OpenSSL has a hard "floor" for a minimum MTU size
that it will never go below. This minimum means that a Finished message
will never be sent in a fragmented form and therefore the MITM does not
have one of its pre-requisites. Therefore this could only be exploited
if using OpenSSL and some other DTLS peer that had its own and separate
Finished message injection flaw.

The fix is to ensure buffered messages are cleared on epoch change.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 10:59:41 +01:00
apps Fix pointer/alloc prob from previous commit 2016-08-21 13:39:11 -04:00
bugs Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
certs grammar 2008-05-27 18:43:20 +00:00
crypto ec/ecp_nistz256.c: get is_one on 32-bit platforms right. 2016-08-21 22:18:18 +02:00
demos Fix more URLs mangled by reformat 2015-12-19 14:44:03 +00:00
doc RT3940: For now, just document the issue. 2016-08-19 11:45:45 -04:00
engines Fix NULL-return checks in 1.0.2 2016-08-19 10:44:32 -04:00
MacOS Run util/openssl-format-source -v -c . 2015-01-22 09:31:38 +00:00
ms Revert "RT4526: Call TerminateProcess, not ExitProcess" 2016-06-16 16:21:05 +01:00
Netware Update netware to use new SHA2 assembly language modules. 2008-01-04 13:18:09 +00:00
os2 Make a number of changes to the OS/2 build. Submitter's comment below. 2003-11-28 14:51:30 +00:00
shlib Apply mingw patches as supplied by Roumen Petrov an Alon Bar-Lev 2008-04-17 10:19:16 +00:00
ssl Prevent DTLS Finished message injection 2016-08-22 10:59:41 +01:00
test Have dtlstest run on VMS as well 2016-08-19 14:19:00 +01:00
tools RT4044: Remove .cvsignore files. 2015-09-15 11:58:27 -04:00
util Fix util/mkerr.pl 2016-05-18 22:32:13 +02:00
VMS Teach mkshared.com to have a look for disabled algorithms in opensslconf.h 2011-10-30 11:40:56 +00:00
.gitignore Back port ssltestlib code to 1.0.2 2016-08-19 13:50:27 +01:00
.travis-create-release.sh Adapt the OS X build to use the OS X tar 2015-12-08 21:06:18 +01:00
.travis.yml Adapt the OS X build to use the OS X tar 2015-12-08 21:06:18 +01:00
ACKNOWLEDGMENTS Refer to website for acknowledgements. 2015-12-08 16:07:59 -05:00
appveyor.yml Add initial AppVeyor configuration 2015-11-21 20:15:36 +01:00
CHANGES Prepare for 1.0.2i-dev 2016-05-03 14:47:32 +01:00
CHANGES.SSLeay PR: 1894 2009-04-16 17:22:51 +00:00
config Recognise Cygwin-x86_64 in config 2016-02-22 15:44:10 +01:00
Configure Add support for RC / WINDRES env variables 2016-05-17 17:18:25 +02:00
CONTRIBUTING Update CONTRIBUTING 2016-06-03 17:12:08 +01:00
e_os.h Use both sun and __sun 2015-11-24 23:44:05 +01:00
e_os2.h Add the macro OPENSSL_SYS_WIN64 2015-06-02 18:03:36 +02:00
FAQ Move FAQ to the web. 2015-08-16 19:03:25 -04:00
GitConfigure Backport single makefile from master. 2013-06-13 15:09:48 +01:00
GitMake Backport single makefile from master. 2013-06-13 15:09:48 +01:00
INSTALL RT4202: Update rt URL's. 2015-12-28 16:41:10 -05:00
install.com Apply all the changes submitted by Steven M. Schweda <sms@antinode.info> 2011-03-19 09:47:47 +00:00
INSTALL.DJGPP INSTALL.DJGPP sync. 2005-01-14 16:25:36 +00:00
INSTALL.MacOS Typos (Chris Pepper <pepper@mail.reppep.com>) 2001-10-01 14:43:47 +00:00
INSTALL.NW Netware support. 2008-01-03 22:43:04 +00:00
INSTALL.OS2 Add support for shared libraries with OS/2. 2002-07-17 13:27:43 +00:00
INSTALL.VMS Change INSTALL.VMS to reflect the changes done on the build and 2011-03-19 09:48:15 +00:00
INSTALL.W32 Windows: Add CRYPT32.LIB to the libraries to link your app with 2016-05-16 17:47:20 +02:00
INSTALL.W64 Pull up Win64 support from 0.9.8. 2005-07-05 11:44:45 +00:00
INSTALL.WCE First draft for WCE PortSDK support. Once again! It's *draft* which requires 2005-11-06 20:52:26 +00:00
LICENSE Update license year range to 2016 2016-01-19 10:24:35 -05:00
Makefile.org Add support for RC / WINDRES env variables 2016-05-17 17:18:25 +02:00
Makefile.shared Add support for RC / WINDRES env variables 2016-05-17 17:18:25 +02:00
makevms.com Define CFLAGS as cflags on VMS as well 2015-01-14 00:14:20 +01:00
NEWS Prepare for 1.0.2i-dev 2016-05-03 14:47:32 +01:00
openssl.doxy
openssl.spec Use RPMBUILD macros rather than hard coded paths in openssl.spec 2016-05-12 17:43:58 +02:00
PROBLEMS ./Configure: libcrypto.a can grow to many GB on Solaris 10, because of ar bug 2012-08-13 16:16:24 +00:00
README Prepare for 1.0.2i-dev 2016-05-03 14:47:32 +01:00
README.ASN1
README.ENGINE oops, there were other cases of "ENGINE_ID" to change too. 2002-07-08 15:16:10 +00:00
TABLE Housekeeping 'make TABLE' update. 2015-05-26 10:23:21 +02:00

 OpenSSL 1.0.2i-dev

 Copyright (c) 1998-2015 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.

 DESCRIPTION
 -----------

 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
 Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
 well as a full-strength general purpose cryptograpic library. The project is
 managed by a worldwide community of volunteers that use the Internet to
 communicate, plan, and develop the OpenSSL toolkit and its related
 documentation.

 OpenSSL is descended from the SSLeay library developed by Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
 OpenSSL license plus the SSLeay license), which means that you are free to
 get and use it for commercial and non-commercial purposes as long as you
 fulfill the conditions of both licenses.

 OVERVIEW
 --------

 The OpenSSL toolkit includes:

 libssl.a:
     Provides the client and server-side implementations for SSLv3 and TLS.

 libcrypto.a:
     Provides general cryptographic and X.509 support needed by SSL/TLS but
     not logically part of it.

 openssl:
     A command line tool that can be used for:
        Creation of key parameters
        Creation of X.509 certificates, CSRs and CRLs
        Calculation of message digests
        Encryption and decryption
        SSL/TLS client and server tests
        Handling of S/MIME signed or encrypted mail
        And more...

 INSTALLATION
 ------------

 See the appropriate file:
        INSTALL         Linux, Unix, etc.
        INSTALL.DJGPP   DOS platform with DJGPP
        INSTALL.NW      Netware
        INSTALL.OS2     OS/2
        INSTALL.VMS     VMS
        INSTALL.W32     Windows (32bit)
        INSTALL.W64     Windows (64bit)
        INSTALL.WCE     Windows CE

 SUPPORT
 -------

 See the OpenSSL website www.openssl.org for details on how to obtain
 commercial technical support.

 If you have any problems with OpenSSL then please take the following steps
 first:

    - Download the current snapshot from ftp://ftp.openssl.org/snapshot/
      to see if the problem has already been addressed
    - Remove ASM versions of libraries
    - Remove compiler optimisation flags

 If you wish to report a bug then please include the following information in
 any bug report:

    - On Unix systems:
        Self-test report generated by 'make report'
    - On other systems:
        OpenSSL version: output of 'openssl version -a'
        OS Name, Version, Hardware platform
        Compiler Details (name, version)
    - Application Details (name, version)
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)

 Email the report to:

    rt@openssl.org

 In order to avoid spam, this is a moderated mailing list, and it might
 take a day for the ticket to show up.  (We also scan posts to make sure
 that security disclosures aren't publically posted by mistake.) Mail
 to this address is recorded in the public RT (request tracker) database
 (see https://www.openssl.org/community/index.html#bugs for details) and
 also forwarded the public openssl-dev mailing list.  Confidential mail
 may be sent to openssl-security@openssl.org (PGP key available from the
 key servers).

 Please do NOT use this for general assistance or support queries.
 Just because something doesn't work the way you expect does not mean it
 is necessarily a bug in OpenSSL.

 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a link to the PR so that we can more easily
 keep track of it.

 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------

 See CONTRIBUTING

 LEGALITIES
 ----------

 A number of nations, in particular the U.S., restrict the use or export
 of cryptography. If you are potentially subject to such restrictions
 you should seek competent professional legal advice before attempting to
 develop or distribute cryptographic code.