gnutls-devel

Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]


From: Simon Josefsson
Subject: Re: GnuTLS 2.2.4 - Security release [GNUTLS-SA-2008-1]
Date: Mon, 19 May 2008 20:58:16 +0200
User-agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux)

Andreas Metzler <address@hidden> writes:

> On 2008-05-19 Simon Josefsson <address@hidden> wrote:
>> Andreas Metzler <address@hidden> writes:
>> > The fix for this one (gnutls_cipher.c) breaks clean end of session:
>
>> Sigh!  If you add -d 4711 what does it say?  I'm trying to reproduce
>> this now.
>
> Hello,
>
> I am attaching logs for both 2.2.3 and 2.2.4 for easy comparison.

Thanks!

> |<7>| RB: Have 5 bytes into buffer. Adding 32 bytes.
> |<7>| RB: Requested 37 bytes
> |<4>| REC[8073cb8]: Short record length 32 < 16 + 20 (under attack?)
> |<2>| ASSERT: gnutls_cipher.c:461
> |<2>| ASSERT: gnutls_record.c:999

Ok, the debug message printing check was incorrect.  Sigh...

The patch below still catches the exploit but works with a proper server
that sends a short reply.  Can you test this?

Thanks,
/Simon

diff --git a/lib/gnutls_cipher.c b/lib/gnutls_cipher.c
index f071710..e16ad1f 100644
--- a/lib/gnutls_cipher.c
+++ b/lib/gnutls_cipher.c
@@ -453,15 +453,6 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
       return GNUTLS_E_INTERNAL_ERROR;
     }
 
-  if (ciphertext.size < (unsigned) blocksize + hash_size)
-    {
-      _gnutls_record_log
-       ("REC[%x]: Short record length %d < %d + %d (under attack?)\n",
-        session, ciphertext.size, blocksize, hash_size);
-      gnutls_assert ();
-      return GNUTLS_E_DECRYPTION_FAILED;
-    }
-
   /* actual decryption (inplace)
    */
   switch (_gnutls_cipher_is_block
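
Review bot: Removing the `ciphertext.size < (unsigned) blocksize + hash_size` test outright leaves no length check in the visible context before the "actual decryption (inplace)" switch. The 2.2.4 log quoted above (32 < 16 + 20) shows that bound was too strict for a legitimate short record, but before dropping the guard entirely, please confirm that the block-cipher path still rejects a record that is empty or not a multiple of blocksize before it decrypts, and add a comment at this spot saying that the size-versus-hash_size validation now happens after decryption in the pad check.
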
@@ -515,6 +506,9 @@ _gnutls_ciphertext2compressed (gnutls_session_t session,
       if ((int)pad > (int)ciphertext.size - hash_size)
        {
          gnutls_assert ();
+         _gnutls_record_log
+           ("REC[%x]: Short record length %d > %d - %d (under attack?)\n",
+            session, pad, ciphertext.size, hash_size);
          /* We do not fail here. We check below for the
           * the pad_failed. If zero means success.
           */
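
Review bot: The message added in the `(int)pad > (int)ciphertext.size - hash_size` branch still reads "Short record length", but its first %d is now pad, so the log reports the padding length as if it were the record length. Suggest wording the message around the padding length so the three printed values line up with the comparison being made. The session argument is also still printed with %x, as in the removed message; if gnutls_session_t is a pointer type, %p would be the matching conversion. Since the comment right below says the code deliberately does not fail at this point, it is worth a line in the commit message on whether doing extra work only in the pad-failure branch is acceptable when record logging is enabled.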
