PolarSSL Security Advisory 2011-01
Title |
Possible man in the middle in Diffie Hellman key exchange |
---|---|
CVE |
CVE-2011-1923 |
Date |
25th of February 2011 ( Updated on 12th of July 2013 ) |
Affects |
PolarSSL library 0.14.0 and earlier and PolarSSL 0.99-pre1 |
Not affected |
Instances not using ciphersuites that are based on Diffie- |
Impact |
Possible man in the middle |
Exploit |
Withheld |
Solution |
Upgrade to PolarSSL 0.14.2 or PolarSSL 0.99-pre3 |
Workaround |
Disable ciphersuites using Diffie-Hellman key exchange, |
Credits |
Larry Highsmith, Subreption LLS |
By posing as a man in the middle and modifying packets as the secure communication is set-up it is possible for an attacker to force the calculation of a fully predictable Diffie Hellman secret.
The cipher suites that may be affected (depending on other variables) are:
SSL_EDH_RSA_DES_168_SHA
SSL_EDH_RSA_AES_128_SHA
SSL_EDH_RSA_AES_256_SHA
SSL_EDH_RSA_CAMELLIA_128_SHA
SSL_EDH_RSA_CAMELLIA_256_SHA
In case full authentication (client and server certificates) is used, no man in the middle attack seems possible.
The patch for PolarSSL version 0.14.0 is as follows:
Index: dhm.c
===================================================================
--- dhm.c (revision 950)
+++ dhm.c (working copy)
@@ -63,6 +63,35 @@
}
/*
+ * Verify sanity of public parameter with regards to P
+ *
+ * Public parameter should be: 2 <= public_param <= P - 2
+ *
+ * For more information on the attack, see:
+ * <http://www.cl.cam.ac.uk/~rja14/Papers/psandqs.pdf>
+ * <http://web.nvd.nist.gov/view/vuln/detail>?vulnId=CVE-2005-2643
+ */
+static int dhm_check_range( const mpi *public_param, const mpi *P )
+{
+ mpi L, U;
+ int ret = POLARSSL_ERR_DHM_BAD_INPUT_DATA;
+
+ mpi_init( &L, &U, NULL );
+ mpi_lset( &L, 2 );
+ mpi_sub_int( &U, P, 2 );
+
+ if( mpi_cmp_mpi( public_param, &L ) >= 0 &&
+ mpi_cmp_mpi( public_param, &U ) <= 0 )
+ {
+ ret = 0;
+ }
+
+ mpi_free( &L, &U, NULL );
+
+ return( ret );
+}
+
+/*
* Parse the ServerKeyExchange parameters
*/
int dhm_read_params( dhm_context *ctx,
@@ -78,6 +107,9 @@
( ret = dhm_read_bignum( &ctx->GY, p, end ) ) != 0 )
return( ret );
+ if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+ return( ret );
+
ctx->len = mpi_size( &ctx->P );
if( end - *p < 2 )
@@ -122,6 +154,9 @@
MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
&ctx->P , &ctx->RP ) );
+ if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+ return( ret );
+
/*
* export P, G, GX
*/
@@ -199,6 +233,9 @@
MPI_CHK( mpi_exp_mod( &ctx->GX, &ctx->G, &ctx->X,
&ctx->P , &ctx->RP ) );
+ if( ( ret = dhm_check_range( &ctx->GX, &ctx->P ) ) != 0 )
+ return( ret );
+
MPI_CHK( mpi_write_binary( &ctx->GX, output, olen ) );
cleanup:
@@ -223,6 +260,9 @@
MPI_CHK( mpi_exp_mod( &ctx->K, &ctx->GY, &ctx->X,
&ctx->P, &ctx->RP ) );
+ if( ( ret = dhm_check_range( &ctx->GY, &ctx->P ) ) != 0 )
+ return( ret );
+
*olen = mpi_size( &ctx->K );
MPI_CHK( mpi_write_binary( &ctx->K, output, *olen ) );