author | Emilia Kasper <emilia@openssl.org> | 2016-02-24 12:59:59 +0100 |
---|---|---|
committer | Emilia Kasper <emilia@openssl.org> | 2016-02-25 15:42:48 +0100 |
commit | 380f18ed5f140e0ae1b68f3ab8f4f7c395658d9e (patch) | |
tree | 83e686e480f176176595a3b2f388be366b774b08 /include | |
parent | 37529928faa8456e85a9c5ad9255517da8dd0c61 (diff) |
CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.
Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.
Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.
In Apache, the seed directive is known as SSLSRPUnknownUserSeed.
To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.
Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/openssl/srp.h | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/include/openssl/srp.h b/include/openssl/srp.h
index 83a3293f7c..4111d51827 100644
--- a/include/openssl/srp.h
+++ b/include/openssl/srp.h
@@ -85,14 +85,19 @@ typedef struct SRP_gN_cache_st {
 DEFINE_STACK_OF(SRP_gN_cache)
 
 typedef struct SRP_user_pwd_st {
+ /* Owned by us. */
 char *id;
 BIGNUM *s;
 BIGNUM *v;
+ /* Not owned by us. */
 const BIGNUM *g;
 const BIGNUM *N;
+ /* Owned by us. */
 char *info;
 } SRP_user_pwd;
 
+void SRP_user_pwd_free(SRP_user_pwd *user_pwd);
+
 DEFINE_STACK_OF(SRP_user_pwd)
 
 typedef struct SRP_VBASE_st {
@@ -118,7 +123,12 @@ DEFINE_STACK_OF(SRP_gN)
 SRP_VBASE *SRP_VBASE_new(char *seed_key);
 void SRP_VBASE_free(SRP_VBASE *vb);
 int SRP_VBASE_init(SRP_VBASE *vb, char *verifier_file);
-SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username);
+
+/* This method ignores the configured seed and fails for an unknown user. */
+DEPRECATEDIN_1_1_0(SRP_user_pwd *SRP_VBASE_get_by_user(SRP_VBASE *vb, char *username))
+/* NOTE: unlike in SRP_VBASE_get_by_user, caller owns the returned pointer.*/
+SRP_user_pwd *SRP_VBASE_get1_by_user(SRP_VBASE *vb, char *username);
+
 char *SRP_create_verifier(const char *user, const char *pass, char **salt,
 char **verifier, const char *N, const char *g);
 int SRP_create_verifier_BN(const char *user, const char *pass, BIGNUM **salt, |
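Review bot: The ownership comments added to `SRP_user_pwd` say "us" without saying who that is, and the new `SRP_user_pwd_free` declaration has no comment at all. Since this is a public header and the commit exists to remove ownership ambiguity, I would write `/* Owned by this structure; released by SRP_user_pwd_free(). */` above `id`/`s`/`v` and above `info`, and `/* Borrowed; must outlive this structure. */` above `g` and `N`. The declaration should also say whether a NULL argument is accepted, which cannot be told from the header. Because `g` and `N` are borrowed, a caller-owned object presumably must not be used once the owner of the group parameters has been freed; that lifetime constraint deserves one sentence here so callers do not end up with dangling pointers.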
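Review bot: The comment on `SRP_VBASE_get1_by_user` says the caller owns the result but does not name the function that releases it, and the comment on the deprecated `SRP_VBASE_get_by_user` does not say that its result must not be freed by the caller. I would change the first to `/* Caller owns the returned pointer and must release it with SRP_user_pwd_free(). */` and extend the second to state that the returned pointer remains owned by `vb` (presumably always the case now that the seed path is disabled). It would also help to note on the deprecated declaration that, with the seed ignored, an unknown user now produces a plain failure, so deployments that relied on the seed to hide valid logins lose that property until they move to the get1 variant, as the commit message explains.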