http://git.openssl.org HeartBeat HeartBleed OpenSSL

a guest
Apr 8th, 2014
  1. Just in case this project page changes again, here is the last capture we could get.
  2.  
  3. projects / openssl.git / commitdiff
  5. raw | patch | inline | side by side (parent: 0d7717f)
  6. Add heartbeat extension bounds check.
  7. author Dr. Stephen Henson <[email protected]>
  8. Sat, 5 Apr 2014 19:51:06 -0400 (00:51 +0100)
  9. committer Dr. Stephen Henson <[email protected]>
  10. Mon, 7 Apr 2014 12:53:31 -0400 (17:53 +0100)
  11. A missing bounds check in the handling of the TLS heartbeat extension
  12. can be used to reveal up to 64k of memory to a connected client or
  13. server.
  14. Thanks for Neel Mehta of Google Security for discovering this bug and to
  15. Adam Langley <[email protected]> and Bodo Moeller <[email protected]> for
  16. preparing the fix (CVE-2014-0160)
  17. CHANGES patch | blob | history
  18. ssl/d1_both.c patch | blob | history
  19. ssl/t1_lib.c patch | blob | history
  20. diff --git a/CHANGES b/CHANGES
  21. index 0484456..08abe8d 100644 (file)
  22. --- a/CHANGES
  23. +++ b/CHANGES
  24. @@ -4,6 +4,15 @@
  25. Changes between 1.0.1f and 1.0.1g [xx XXX xxxx]
  26. + *) A missing bounds check in the handling of the TLS heartbeat extension
  27. + can be used to reveal up to 64k of memory to a connected client or
  28. + server.
  29. ++
  30. Thanks for Neel Mehta of Google Security for discovering this bug and to
  31. + Adam Langley <[email protected]> and Bodo Moeller <[email protected]> for
  32. + preparing the fix (CVE-2014-0160)
  33. + [Adam Langley, Bodo Moeller]
  34. +
  35. *) Fix for the attack described in the paper "Recovering OpenSSL
  36. ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
  38. by Yuval Yarom and Naomi Benger. Details can be obtained from:
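Review bot: the new CHANGES entry reads "Thanks for Neel Mehta", which should be "Thanks to Neel Mehta". The entry also says what can leak ("up to 64k of memory to a connected client or server") but not how the fixed code behaves; one more sentence stating that heartbeat messages whose declared payload length exceeds the received record are now silently discarded would tell operators what changed on the wire.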
  39. diff --git a/ssl/d1_both.c b/ssl/d1_both.c
  40. index 7a5596a..2e8cf68 100644 (file)
  41. --- a/ssl/d1_both.c
  42. +++ b/ssl/d1_both.c
  43. @@ -1459,26 +1459,36 @@ dtls1_process_heartbeat(SSL *s)
  44. unsigned int payload;
  45. unsigned int padding = 16; /* Use minimum padding */
  46. - /* Read type and payload length first */
  47. - hbtype = *p++;
  48. - n2s(p, payload);
  49. - pl = p;
  50. -
  51. if (s->msg_callback)
  52. s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
  53. &s->s3->rrec.data[0], s->s3->rrec.length,
  54. s, s->msg_callback_arg);
  55. + /* Read type and payload length first */
  56. + if (1 + 2 + 16 > s->s3->rrec.length)
  57. + return 0; /* silently discard */
  58. + hbtype = *p++;
  59. + n2s(p, payload);
  60. + if (1 + 2 + payload + 16 > s->s3->rrec.length)
  61. + return 0; /* silently discard per RFC 6520 sec. 4 */
  62. + pl = p;
  63. +
  64. if (hbtype == TLS1_HB_REQUEST)
  65. {
  66. unsigned char *buffer, *bp;
  67. + unsigned int write_length = 1 /* heartbeat type */ +
  68. + 2 /* heartbeat length */ +
  69. + payload + padding;
  70. int r;
  71. + if (write_length > SSL3_RT_MAX_PLAIN_LENGTH)
  72. + return 0;
  73. +
  74. /* Allocate memory for the response, size is 1 byte
  75. * message type, plus 2 bytes payload length, plus
  76. * payload, plus padding
  77. */
  78. - buffer = OPENSSL_malloc(1 + 2 + payload + padding);
  79. + buffer = OPENSSL_malloc(write_length);
  80. bp = buffer;
  81. /* Enter response type, length and copy payload */
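Review bot: both new length checks in dtls1_process_heartbeat hard-code the padding size ("1 + 2 + 16 > s->s3->rrec.length" and "1 + 2 + payload + 16 > s->s3->rrec.length") even though the padding variable declared just above holds the same value and write_length a few lines later is built from it. Use padding in the two checks so that validation and allocation cannot drift apart if the padding size is ever changed. The "write_length > SSL3_RT_MAX_PLAIN_LENGTH" early return is also the only one of the three new returns without a comment; say there that the request is dropped because the response would not fit in one record.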
  82. @@ -1489,11 +1499,11 @@ dtls1_process_heartbeat(SSL *s)
  83. /* Random padding */
  84. RAND_pseudo_bytes(bp, padding);
  87. - r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
  88. + r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, write_length);
  89. if (r >= 0 && s->msg_callback)
  90. s->msg_callback(1, s->version, TLS1_RT_HEARTBEAT,
  91. - buffer, 3 + payload + padding,
  92. + buffer, write_length,
  93. s, s->msg_callback_arg);
  94. OPENSSL_free(buffer);
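Review bot: the context line "RAND_pseudo_bytes(bp, padding);" directly above the changed dtls1_write_bytes call still ignores its return value, so a failed or weak padding fill goes unnoticed before the buffer is sent. Since this hunk already brings the write and the msg_callback onto the single write_length value, checking that return in the same change (or a follow-up) would leave the whole response path consistent.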
  95. diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
  96. index b82fada..bddffd9 100644 (file)
  97. --- a/ssl/t1_lib.c
  98. +++ b/ssl/t1_lib.c
  99. @@ -2588,16 +2588,20 @@ tls1_process_heartbeat(SSL *s)
  100. unsigned int payload;
  101. unsigned int padding = 16; /* Use minimum padding */
  102. - /* Read type and payload length first */
  103. - hbtype = *p++;
  104. - n2s(p, payload);
  105. - pl = p;
  106. -
  107. if (s->msg_callback)
  108. s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
  109. &s->s3->rrec.data[0], s->s3->rrec.length,
  110. s, s->msg_callback_arg);
  111. + /* Read type and payload length first */
  112. + if (1 + 2 + 16 > s->s3->rrec.length)
  113. + return 0; /* silently discard */
  114. + hbtype = *p++;
  115. + n2s(p, payload);
  116. + if (1 + 2 + payload + 16 > s->s3->rrec.length)
  117. + return 0; /* silently discard per RFC 6520 sec. 4 */
  118. + pl = p;
  119. +
  120. if (hbtype == TLS1_HB_REQUEST)
  121. {
  122. unsigned char *buffer, *bp;
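Review bot: tls1_process_heartbeat receives only the two record-length checks; the hunk header (16 lines before, 20 after) leaves no room for the write_length computation and the "write_length > SSL3_RT_MAX_PLAIN_LENGTH" guard that the DTLS handler gets in ssl/d1_both.c. Either add the same cap here or note in the commit message why the TLS path does not need it. The checks are also copied verbatim between the two files, with the literal 16 in place of padding; a shared helper that validates the heartbeat header against s->s3->rrec.length would keep the two handlers from diverging.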