[openssl-dev] Fwd: CVE-2014-8730 TLS CBC Incorrect Padding Abuse Vulnerability

Shyamal Bhowmik shyamal.nirmal at gmail.com
Wed Feb 3 11:41:34 UTC 2016


Hello,

I am using OpenSSL 1.0.1i 6 Aug 2014 version...

Following is my understanding of the issue:

This is an implementation-specific issue and there is no general patch
available. The vulnerability depends on how the padding bytes in TLS data
are handled in CBC mode and is more specific to TLS v1.0. If the padding
bytes in the received TLS data are handled in the same way as in SSLv3,
i.e. they are ignored, then this issue can arise. If the TLS data padding
bytes are handled as per the standard, i.e. every byte in the padding data
should be filled with the total padding length value, then this
vulnerability does not occur.

I have tested this with a TLS v1.0 browser connecting to my server, and the
code flow and debug statements show that during decryption of cipher,
function tls1_cbc_remove_padding() in file libssl/ssl/s3_cbc.c is invoked
which handles padding data. This function checks for validity of every pad
byte value with the last pad byte which holds the total pad length and
returns success or failure as per the validation.
In file libssl/ssl/s3_pkt.c, function ssl3_get_record is called to decrypt
the cipher. Below is a code snippet of this function:

    /* decrypt in place in 'rr->input' */
    rr->data=rr->input;
    /* Calls TLS decrypt function i.e. invoke tls1_enc function in file
     * t1_enc.c that calls tls1_cbc_remove_padding */
    enc_err = s->method->ssl3_enc->enc(s,0);
    /* enc_err is:
     * 0: (in non-constant time) if the record is publically invalid.
     * 1: if the padding is valid
     * -1: if the padding is invalid */
    if (enc_err == 0)
        {
        al=SSL_AD_DECRYPTION_FAILED;
        SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
        goto f_err;
        }

As seen from above, an error is thrown only for a 0 return value, and a -1
return value is not handled. So if I change the code if (enc_err == 0) to
if (enc_err <= 0), will that solve my problem?
There was no specific way to reproduce this issue and it was seen very
sporadically.

- Shyamal
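
The two padding checks contrasted in the message above, as an added example that is not part of the original post and is not OpenSSL's code. The function names, the constructed sample records and the omission of the MAC are assumptions of this sketch; return values follow the 1 / -1 convention from the quoted comment.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample records: one 16-byte CBC block after decryption,
 * MAC omitted. 12 data bytes, 3 padding bytes, 1 padding-length byte (3). */
static const unsigned char good_rec[16] =
    { 'h','e','l','l','o',' ','w','o','r','l','d','!', 3, 3, 3, 3 };
static const unsigned char bad_rec[16] =
    { 'h','e','l','l','o',' ','w','o','r','l','d','!', 0xAA, 0xBB, 0xCC, 3 };

/* SSLv3-style handling: only the final length byte is examined and the
 * padding bytes themselves are ignored. Returns 1 (accepted) or -1. */
static int sslv3_style_check(const unsigned char *rec, size_t len, size_t block)
{
    if (len == 0 || len % block != 0)
        return -1;
    size_t pad = rec[len - 1];
    return (pad + 1 <= len && pad + 1 <= block) ? 1 : -1;
}

/* TLS-style handling: every padding byte must equal the padding length.
 * Mismatches are accumulated without an early exit; a production check
 * must also avoid a loop bound that depends on pad (this sketch does not). */
static int tls_style_check(const unsigned char *rec, size_t len, size_t block)
{
    if (len == 0 || len % block != 0)
        return -1;
    size_t pad = rec[len - 1];
    if (pad + 1 > len)
        return -1;
    unsigned char diff = 0;
    for (size_t i = 0; i <= pad; i++)
        diff |= (unsigned char)(rec[len - 1 - i] ^ pad);
    return diff == 0 ? 1 : -1;
}

int main(void)
{
    printf("well-formed padding: sslv3-style=%d tls-style=%d\n",
           sslv3_style_check(good_rec, 16, 16), tls_style_check(good_rec, 16, 16));
    printf("altered padding:     sslv3-style=%d tls-style=%d\n",
           sslv3_style_check(bad_rec, 16, 16), tls_style_check(bad_rec, 16, 16));
    return 0;
}
```

A record whose padding bytes were altered passes the SSLv3-style check but is rejected by the TLS-style check, which is the behavioural difference the message describes.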