Attachment #7510 for bug #40189





 Changes between 1.0.1r and 1.0.1s [xx XXX xxxx]

  *) Disable SRP fake user seed to address a server memory leak.

     Add a new method SRP_VBASE_get1_by_user that handles the seed properly.

     SRP_VBASE_get_by_user had inconsistent memory management behaviour.
     In order to fix an unavoidable memory leak, SRP_VBASE_get_by_user
     was changed to ignore the "fake user" SRP seed, even if the seed
     is configured.

     Users should use SRP_VBASE_get1_by_user instead. Note that in
     SRP_VBASE_get1_by_user, caller must free the returned value. Note
     also that even though configuring the SRP seed attempts to hide
     invalid usernames by continuing the handshake with fake
     credentials, this behaviour is not constant time and no strong
     guarantees are made that the handshake is indistinguishable from
     that of a valid user.
     (CVE-2016-0798)
     [Emilia Käsper]

 Changes between 1.0.1q and 1.0.1r [28 Jan 2016]


(-)a/apps/s_server.c (-14 / +25 lines)

Lines 416-421 typedef struct srpsrvparm_st {	Link Here

416

static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)

416

static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)

417

418

    srpsrvparm *p = (srpsrvparm *) arg;

418

    srpsrvparm *p = (srpsrvparm *) arg;

419

    int ret = SSL3_AL_FATAL;

420

419

    if (p->login == NULL && p->user == NULL) {

421

    if (p->login == NULL && p->user == NULL) {

420

        p->login = SSL_get_srp_username(s);

422

        p->login = SSL_get_srp_username(s);

421

        BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);

423

        BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);

Lines 424-444 static int MS_CALLBACK ssl_srp_server_param_cb(SSL s, int ad, void *arg)	Link Here

424

426

425

    if (p->user == NULL) {

427

    if (p->user == NULL) {

426

        BIO_printf(bio_err, "User %s doesn't exist\n", p->login);

428

        BIO_printf(bio_err, "User %s doesn't exist\n", p->login);

427

        return SSL3_AL_FATAL;

429

        goto err;

428

430

431

429

    if (SSL_set_srp_server_param

432

    if (SSL_set_srp_server_param

430

        (s, p->user->N, p->user->g, p->user->s, p->user->v,

433

        (s, p->user->N, p->user->g, p->user->s, p->user->v,

431

         p->user->info) < 0) {

434

         p->user->info) < 0) {

432

        *ad = SSL_AD_INTERNAL_ERROR;

435

        *ad = SSL_AD_INTERNAL_ERROR;

433

        return SSL3_AL_FATAL;

436

        goto err;

434

437

435

    BIO_printf(bio_err,

438

    BIO_printf(bio_err,

436

               "SRP parameters set: username = \"%s\" info=\"%s\" \n",

439

               "SRP parameters set: username = \"%s\" info=\"%s\" \n",

437

               p->login, p->user->info);

440

               p->login, p->user->info);

438

    /* need to check whether there are memory leaks */

441

    ret = SSL_ERROR_NONE;

442

443

err:

444

    SRP_user_pwd_free(p->user);

439

    p->user = NULL;

445

    p->user = NULL;

440

    p->login = NULL;

446

    p->login = NULL;

441

    return SSL_ERROR_NONE;

447

    return ret;

442

448

443

449

444

#endif

450

#endif

Lines 2244-2252 static int sv_body(char hostname, int s, unsigned char context)	Link Here

2244

#ifndef OPENSSL_NO_SRP

2250

#ifndef OPENSSL_NO_SRP

2245

                while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {

2251

                while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {

2246

                    BIO_printf(bio_s_out, "LOOKUP renego during write\n");

2252

                    BIO_printf(bio_s_out, "LOOKUP renego during write\n");

2253

                    SRP_user_pwd_free(srp_callback_parm.user);

2247

                    srp_callback_parm.user =

2254

                    srp_callback_parm.user =

2248

                        SRP_VBASE_get_by_user(srp_callback_parm.vb,

2255

                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,

2249

                                              srp_callback_parm.login);

2256

                                               srp_callback_parm.login);

2250

                    if (srp_callback_parm.user)

2257

                    if (srp_callback_parm.user)

2251

                        BIO_printf(bio_s_out, "LOOKUP done %s\n",

2258

                        BIO_printf(bio_s_out, "LOOKUP done %s\n",

2252

                                   srp_callback_parm.user->info);

2259

                                   srp_callback_parm.user->info);

Lines 2300-2308 static int sv_body(char hostname, int s, unsigned char context)	Link Here

2300

#ifndef OPENSSL_NO_SRP

2307

#ifndef OPENSSL_NO_SRP

2301

                while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {

2308

                while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {

2302

                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");

2309

                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");

2310

                    SRP_user_pwd_free(srp_callback_parm.user);

2303

                    srp_callback_parm.user =

2311

                    srp_callback_parm.user =

2304

                        SRP_VBASE_get_by_user(srp_callback_parm.vb,

2312

                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,

2305

                                              srp_callback_parm.login);

2313

                                               srp_callback_parm.login);

2306

                    if (srp_callback_parm.user)

2314

                    if (srp_callback_parm.user)

2307

                        BIO_printf(bio_s_out, "LOOKUP done %s\n",

2315

                        BIO_printf(bio_s_out, "LOOKUP done %s\n",

2308

                                   srp_callback_parm.user->info);

2316

                                   srp_callback_parm.user->info);

Lines 2387-2395 static int init_ssl_connection(SSL *con)	Link Here

2387

    while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {

2395

    while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {

2388

        BIO_printf(bio_s_out, "LOOKUP during accept %s\n",

2396

        BIO_printf(bio_s_out, "LOOKUP during accept %s\n",

2389

                   srp_callback_parm.login);

2397

                   srp_callback_parm.login);

2398

        SRP_user_pwd_free(srp_callback_parm.user);

2390

        srp_callback_parm.user =

2399

        srp_callback_parm.user =

2391

            SRP_VBASE_get_by_user(srp_callback_parm.vb,

2400

            SRP_VBASE_get1_by_user(srp_callback_parm.vb,

2392

                                  srp_callback_parm.login);

2401

                                   srp_callback_parm.login);

2393

        if (srp_callback_parm.user)

2402

        if (srp_callback_parm.user)

2394

            BIO_printf(bio_s_out, "LOOKUP done %s\n",

2403

            BIO_printf(bio_s_out, "LOOKUP done %s\n",

2395

                       srp_callback_parm.user->info);

2404

                       srp_callback_parm.user->info);

Lines 2616-2624 static int www_body(char hostname, int s, unsigned char context)	Link Here

2616

                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {

2625

                   && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {

2617

                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",

2626

                BIO_printf(bio_s_out, "LOOKUP during accept %s\n",

2618

                           srp_callback_parm.login);

2627

                           srp_callback_parm.login);

2628

                SRP_user_pwd_free(srp_callback_parm.user);

2619

                srp_callback_parm.user =

2629

                srp_callback_parm.user =

2620

                    SRP_VBASE_get_by_user(srp_callback_parm.vb,

2630

                    SRP_VBASE_get1_by_user(srp_callback_parm.vb,

2621

                                          srp_callback_parm.login);

2631

                                           srp_callback_parm.login);

2622

                if (srp_callback_parm.user)

2632

                if (srp_callback_parm.user)

2623

                    BIO_printf(bio_s_out, "LOOKUP done %s\n",

2633

                    BIO_printf(bio_s_out, "LOOKUP done %s\n",

2624

                               srp_callback_parm.user->info);

2634

                               srp_callback_parm.user->info);

Lines 2658-2666 static int www_body(char hostname, int s, unsigned char context)	Link Here

2658

                if (BIO_should_io_special(io)

2668

                if (BIO_should_io_special(io)

2659

                    && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {

2669

                    && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {

2660

                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");

2670

                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");

2671

                    SRP_user_pwd_free(srp_callback_parm.user);

2661

                    srp_callback_parm.user =

2672

                    srp_callback_parm.user =

2662

                        SRP_VBASE_get_by_user(srp_callback_parm.vb,

2673

                        SRP_VBASE_get1_by_user(srp_callback_parm.vb,

2663

                                              srp_callback_parm.login);

2674

                                               srp_callback_parm.login);

2664

                    if (srp_callback_parm.user)

2675

                    if (srp_callback_parm.user)

2665

                        BIO_printf(bio_s_out, "LOOKUP done %s\n",

2676

                        BIO_printf(bio_s_out, "LOOKUP done %s\n",

2666

                                   srp_callback_parm.user->info);

2677

                                   srp_callback_parm.user->info);

(-)a/crypto/srp/srp.h (+10 lines)

Lines 82-97 typedef struct SRP_gN_cache_st {	Link Here

DECLARE_STACK_OF(SRP_gN_cache)

DECLARE_STACK_OF(SRP_gN_cache)

typedef struct SRP_user_pwd_st {

typedef struct SRP_user_pwd_st {

    /* Owned by us. */

    char *id;

    char *id;

    BIGNUM *s;

    BIGNUM *s;

    BIGNUM *v;

    BIGNUM *v;

    /* Not owned by us. */

    const BIGNUM *g;

    const BIGNUM *g;

    const BIGNUM *N;

    const BIGNUM *N;

    /* Owned by us. */

    char *info;

    char *info;

} SRP_user_pwd;

} SRP_user_pwd;

DECLARE_STACK_OF(SRP_user_pwd)

DECLARE_STACK_OF(SRP_user_pwd)

void SRP_user_pwd_free(SRP_user_pwd *user_pwd);

typedef struct SRP_VBASE_st {

100

typedef struct SRP_VBASE_st {

    STACK_OF(SRP_user_pwd) *users_pwd;

101

    STACK_OF(SRP_user_pwd) *users_pwd;

    STACK_OF(SRP_gN_cache) *gN_cache;

102

    STACK_OF(SRP_gN_cache) *gN_cache;

Lines 115-121 DECLARE_STACK_OF(SRP_gN)	Link Here

115

SRP_VBASE *SRP_VBASE_new(char *seed_key);

120

SRP_VBASE *SRP_VBASE_new(char *seed_key);

116

int SRP_VBASE_free(SRP_VBASE *vb);

121

int SRP_VBASE_free(SRP_VBASE *vb);

117

int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);

122

int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);

123

124

/* This method ignores the configured seed and fails for an unknown user. */

118

SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);

125

SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);

126

/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/

127

SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);

128

119

char *SRP_create_verifier(const char *user, const char *pass, char **salt,

129

char *SRP_create_verifier(const char *user, const char *pass, char **salt,

120

                          char **verifier, const char *N, const char *g);

130

                          char **verifier, const char *N, const char *g);

121

int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,

131

int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt,




    return olddst;
}

void SRP_user_pwd_free(SRP_user_pwd *user_pwd)
{
    if (user_pwd == NULL)
        return;

    return (vinfo->s != NULL && vinfo->v != NULL);
}

static SRP_user_pwd *srp_user_pwd_dup(SRP_user_pwd *src)
{
    SRP_user_pwd *ret;

    if (src == NULL)
        return NULL;
    if ((ret = SRP_user_pwd_new()) == NULL)
        return NULL;

    SRP_user_pwd_set_gN(ret, src->g, src->N);
    if (!SRP_user_pwd_set_ids(ret, src->id, src->info)
        || !SRP_user_pwd_set_sv_BN(ret, BN_dup(src->s), BN_dup(src->v))) {
            SRP_user_pwd_free(ret);
            return NULL;
    }
    return ret;
}

SRP_VBASE *SRP_VBASE_new(char *seed_key)
{
    SRP_VBASE *vb = (SRP_VBASE *)OPENSSL_malloc(sizeof(SRP_VBASE));


}

static SRP_user_pwd *find_user(SRP_VBASE *vb, char *username)
{
    int i;
    SRP_user_pwd *user;
    unsigned char digv[SHA_DIGEST_LENGTH];
    unsigned char digs[SHA_DIGEST_LENGTH];
    EVP_MD_CTX ctxt;

    if (vb == NULL)
        return NULL;

    for (i = 0; i < sk_SRP_user_pwd_num(vb->users_pwd); i++) {
        user = sk_SRP_user_pwd_value(vb->users_pwd, i);
        if (strcmp(user->id, username) == 0)
            return user;
    }

    return NULL;
}

/*
 * This method ignores the configured seed and fails for an unknown user.
 * Ownership of the returned pointer is not released to the caller.
 * In other words, caller must not free the result.
 */
SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username)
{
    return find_user(vb, username);
}

/*
 * Ownership of the returned pointer is released to the caller.
 * In other words, caller must free the result once done.
 */
SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username)
{
    SRP_user_pwd *user;
    unsigned char digv[SHA_DIGEST_LENGTH];
    unsigned char digs[SHA_DIGEST_LENGTH];
    EVP_MD_CTX ctxt;

    if (vb == NULL)
        return NULL;

    if ((user = find_user(vb, username)) != NULL)
        return srp_user_pwd_dup(user);

    if ((vb->seed_key == NULL) ||
        (vb->default_g == NULL) || (vb->default_N == NULL))
        return NULL;

(-)a/util/libeay.num (+2 lines)

Lines 1807-1812 ASN1_UTCTIME_get 2350 NOEXIST::FUNCTION:	Link Here

1807

X509_REQ_digest                         2362	EXIST::FUNCTION:EVP

1807

X509_REQ_digest                         2362	EXIST::FUNCTION:EVP

1808

X509_CRL_digest                         2391	EXIST::FUNCTION:EVP

1808

X509_CRL_digest                         2391	EXIST::FUNCTION:EVP

1809

ASN1_STRING_clear_free                  2392	EXIST::FUNCTION:

1809

ASN1_STRING_clear_free                  2392	EXIST::FUNCTION:

1810

SRP_VBASE_get1_by_user                  2393	EXIST::FUNCTION:SRP

1811

SRP_user_pwd_free                       2394	EXIST::FUNCTION:SRP

1810

d2i_ASN1_SET_OF_PKCS7                   2397	NOEXIST::FUNCTION:

1812

d2i_ASN1_SET_OF_PKCS7                   2397	NOEXIST::FUNCTION:

1811

X509_ALGOR_cmp                          2398	EXIST::FUNCTION:

1813

X509_ALGOR_cmp                          2398	EXIST::FUNCTION:

1812

EVP_CIPHER_CTX_set_key_length           2399	EXIST::FUNCTION:

1814

EVP_CIPHER_CTX_set_key_length           2399	EXIST::FUNCTION:

Return to bug 40189