From be04673c49945d0607bb224db5cb2264fb645c7a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 10 Mar 2014 21:20:29 +0100 Subject: [PATCH] Forbid sequence number wrapping --- ChangeLog | 1 + include/polarssl/error.h | 2 +- include/polarssl/ssl.h | 1 + library/error.c | 2 ++ library/ssl_tls.c | 14 ++++++++++++++ 5 files changed, 19 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index f1fc690fc..fcdfccca9 100644 --- a/ChangeLog +++ b/ChangeLog @@ -9,6 +9,7 @@ Security "triple handshake" attack when authentication mode is optional (the attack was already impossible when authentication is required). * Check notBefore timestamp of certificates and CRLs from the future. + * Forbid sequence number wrapping Bugfix * Fixed X.509 hostname comparison (with non-regular characters) diff --git a/include/polarssl/error.h b/include/polarssl/error.h index 94c73a8f2..8d7da0b59 100644 --- a/include/polarssl/error.h +++ b/include/polarssl/error.h @@ -80,7 +80,7 @@ * RSA 4 9 * MD 5 4 * CIPHER 6 5 - * SSL 6 2 (Started from top) + * SSL 6 3 (Started from top) * SSL 7 31 * * Module dependent error code (5 bits 0x.08.-0x.F8.) diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index ad8592474..1e52229fa 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -91,6 +91,7 @@ #define POLARSSL_ERR_SSL_HW_ACCEL_FALLTHROUGH -0x6F80 /**< Hardware acceleration function skipped / left alone data */ #define POLARSSL_ERR_SSL_COMPRESSION_FAILED -0x6F00 /**< Processing of the compression / decompression failed */ #define POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION -0x6E80 /**< Handshake protocol not within min/max boundaries */ +#define POLARSSL_ERR_SSL_COUNTER_WRAPPING -0x6B80 /**< A counter would wrap (eg, too many messages exchanged). */ /* * Various constants diff --git a/library/error.c b/library/error.c index 46adb2746..9f8941612 100644 --- a/library/error.c +++ b/library/error.c @@ -339,6 +339,8 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" ); if( use_ret == -(POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION) ) snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" ); + if( use_ret == -(POLARSSL_ERR_SSL_COUNTER_WRAPPING) ) + snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" ); #endif /* POLARSSL_SSL_TLS_C */ #if defined(POLARSSL_X509_PARSE_C) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d6e9dd3e3..c42ecccf6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1191,6 +1191,13 @@ static int ssl_encrypt_buf( ssl_context *ssl ) if( ++ssl->out_ctr[i - 1] != 0 ) break; + /* The loops goes to its end iff the counter is wrapping */ + if( i == 0 ) + { + SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); + return( POLARSSL_ERR_SSL_COUNTER_WRAPPING ); + } + SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); return( 0 ); @@ -1589,6 +1596,13 @@ static int ssl_decrypt_buf( ssl_context *ssl ) if( ++ssl->in_ctr[i - 1] != 0 ) break; + /* The loops goes to its end iff the counter is wrapping */ + if( i == 0 ) + { + SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); + return( POLARSSL_ERR_SSL_COUNTER_WRAPPING ); + } + SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); return( 0 );