From de3b9cdb8521d7edd524b4e17d1e3f883f832ec0 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 7 Nov 2017 18:34:34 +0100 Subject: ssl: Countermeasurements for Bleichenbacher attack Back ported for security reasons. Remove DTLS changes as DTLS is not at all working in OTP 18. --- lib/ssl/src/ssl_connection.erl | 21 +++++++++++++++++++-- lib/ssl/src/ssl_connection.hrl | 3 ++- lib/ssl/src/tls_connection.erl | 1 + 3 files changed, 22 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 0f0072ba34..4be59501e4 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -1157,8 +1157,25 @@ server_certify_and_key_exchange(State0, Connection) -> request_client_cert(State2, Connection). certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS}, - #state{private_key = Key} = State, Connection) -> - PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key), + #state{private_key = Key, client_hello_version = {Major, Minor} = Version} = State, Connection) -> + + %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret + %% and fail handshake later.RFC 5246 section 7.4.7.1. + PremasterSecret = + try ssl_handshake:premaster_secret(EncPMS, Key) of + Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES -> + case Secret of + <> -> %% Correct + Secret; + <> -> %% Version mismatch + <> + end; + _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES + make_premaster_secret(Version, rsa) + catch + #alert{description = ?DECRYPT_ERROR} -> + make_premaster_secret(Version, rsa) + end, calculate_master_secret(PremasterSecret, State, Connection, certify, cipher); certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey}, diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl index 9a58f2b8f7..e3abc7d4aa 100644 --- a/lib/ssl/src/ssl_connection.hrl +++ b/lib/ssl/src/ssl_connection.hrl @@ -54,7 +54,8 @@ session_cache :: db_handle(), session_cache_cb :: atom(), crl_db :: term(), - negotiated_version :: ssl_record:ssl_version(), + negotiated_version :: ssl_record:ssl_version() | 'undefined', + client_hello_version :: ssl_record:ssl_version() | 'undefined', client_certificate_requested = false :: boolean(), key_algorithm :: ssl_cipher:key_algo(), hashsign_algorithm = {undefined, undefined}, diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl index 93716d31b8..5a70cf96dc 100644 --- a/lib/ssl/src/tls_connection.erl +++ b/lib/ssl/src/tls_connection.erl @@ -206,6 +206,7 @@ hello(Hello = #client_hello{client_version = ClientVersion, ssl_connection:hello({common_client_hello, Type, ServerHelloExt}, State#state{connection_states = ConnectionStates, negotiated_version = Version, + client_hello_version = ClientVersion, hashsign_algorithm = HashSign, session = Session, client_ecc = {EllipticCurves, EcPointFormats}, -- cgit v1.2.3 From 2c139dca10767353cc4836cb10157d05bea20a5c Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Thu, 9 Nov 2017 17:01:46 +0100 Subject: ssl: Prepare for release --- lib/ssl/src/ssl.appup.src | 10 ++-------- lib/ssl/vsn.mk | 2 +- 2 files changed, 3 insertions(+), 9 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src index 203a4f7d10..11728128c4 100644 --- a/lib/ssl/src/ssl.appup.src +++ b/lib/ssl/src/ssl.appup.src @@ -1,20 +1,14 @@ %% -*- erlang -*- {"%VSN%", [ - {<<"^7[.]3[.]3$">>, - [{load_module, ssl_handshake, soft_purge, soft_purge, []} - ]}, - {<<"^7[.][^.].*">>, [{restart_application, ssl}]}, + {<<"7\\..*">>, [{restart_application, ssl}]}, {<<"6\\..*">>, [{restart_application, ssl}]}, {<<"5\\..*">>, [{restart_application, ssl}]}, {<<"4\\..*">>, [{restart_application, ssl}]}, {<<"3\\..*">>, [{restart_application, ssl}]} ], [ - {<<"^7[.]3[.]3$">>, - [{load_module, ssl_handshake, soft_purge, soft_purge, []} - ]}, - {<<"^7[.][^.].*">>, [{restart_application, ssl}]}, + {<<"7\\..*">>, [{restart_application, ssl}]}, {<<"6\\..*">>, [{restart_application, ssl}]}, {<<"5\\..*">>, [{restart_application, ssl}]}, {<<"4\\..*">>, [{restart_application, ssl}]}, diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index d9391ea543..48f260f3e5 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 7.3.3.1 +SSL_VSN = 7.3.3.2 -- cgit v1.2.3 From 35dcf104061ea1d0afc30c614038c97a7cd93ddf Mon Sep 17 00:00:00 2001 From: Erlang/OTP Date: Wed, 22 Nov 2017 15:56:17 +0100 Subject: Update release notes --- lib/ssl/doc/src/notes.xml | 54 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) (limited to 'lib') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 1e8de1a8a3..ecf183846a 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -28,6 +28,60 @@

This document describes the changes made to the SSL application.

+
SSL 7.3.3.2 + +
Fixed Bugs and Malfunctions + + +

An erlang TLS server configured with cipher suites + using rsa key exchange, may be vulnerable to an Adaptive + Chosen Ciphertext attack (AKA Bleichenbacher attack) + against RSA, which when exploited, may result in + plaintext recovery of encrypted messages and/or a + Man-in-the-middle (MiTM) attack, despite the attacker not + having gained access to the server’s private key + itself. CVE-2017-1000385 +

Exploiting this vulnerability to perform + plaintext recovery of encrypted messages will, in most + practical cases, allow an attacker to read the plaintext + only after the session has completed. Only TLS sessions + established using RSA key exchange are vulnerable to this + attack.

Exploiting this vulnerability to conduct + a MiTM attack requires the attacker to complete the + initial attack, which may require thousands of server + requests, during the handshake phase of the targeted + session within the window of the configured handshake + timeout. This attack may be conducted against any TLS + session using RSA signatures, but only if cipher suites + using RSA key exchange are also enabled on the server. + The limited window of opportunity, limitations in + bandwidth, and latency make this attack significantly + more difficult to execute.

RSA key exchange is + enabled by default although least prioritized if server + order is honored. For such a cipher suite to be chosen it + must also be supported by the client and probably the + only shared cipher suite.

Captured TLS sessions + encrypted with ephemeral cipher suites (DHE or ECDHE) are + not at risk for subsequent decryption due to this + vulnerability.

As a workaround if default cipher + suite configuration was used you can configure the server + to not use vulnerable suites with the ciphers option like + this:

{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,Suite) =/= rsa]}

+ that is your code will look somethingh like this:

+ ssl:listen(Port, [{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]). +

Thanks to Hanno Böck, Juraj Somorovsky and + Craig Young for reporting this vulnerability.

+

+ Own Id: OTP-14748

+
+
+
+ +
+
SSL 7.3.3.1
Fixed Bugs and Malfunctions -- cgit v1.2.3 From 3671344cf6aee0773636b98414e0c89a56939645 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 7 Nov 2017 18:34:34 +0100 Subject: ssl: Countermeasurements for Bleichenbacher attack Back ported for security reasons. Remove DTLS changes as DTLS is not at all working in OTP 18. --- lib/ssl/src/ssl_connection.erl | 21 +++++++++++++++++++-- lib/ssl/src/ssl_connection.hrl | 3 ++- lib/ssl/src/tls_connection.erl | 1 + 3 files changed, 22 insertions(+), 3 deletions(-) (limited to 'lib') diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl index 0f0072ba34..4be59501e4 100644 --- a/lib/ssl/src/ssl_connection.erl +++ b/lib/ssl/src/ssl_connection.erl @@ -1157,8 +1157,25 @@ server_certify_and_key_exchange(State0, Connection) -> request_client_cert(State2, Connection). certify_client_key_exchange(#encrypted_premaster_secret{premaster_secret= EncPMS}, - #state{private_key = Key} = State, Connection) -> - PremasterSecret = ssl_handshake:premaster_secret(EncPMS, Key), + #state{private_key = Key, client_hello_version = {Major, Minor} = Version} = State, Connection) -> + + %% Countermeasure for Bleichenbacher attack always provide some kind of premaster secret + %% and fail handshake later.RFC 5246 section 7.4.7.1. + PremasterSecret = + try ssl_handshake:premaster_secret(EncPMS, Key) of + Secret when erlang:byte_size(Secret) == ?NUM_OF_PREMASTERSECRET_BYTES -> + case Secret of + <> -> %% Correct + Secret; + <> -> %% Version mismatch + <> + end; + _ -> %% erlang:byte_size(Secret) =/= ?NUM_OF_PREMASTERSECRET_BYTES + make_premaster_secret(Version, rsa) + catch + #alert{description = ?DECRYPT_ERROR} -> + make_premaster_secret(Version, rsa) + end, calculate_master_secret(PremasterSecret, State, Connection, certify, cipher); certify_client_key_exchange(#client_diffie_hellman_public{dh_public = ClientPublicDhKey}, diff --git a/lib/ssl/src/ssl_connection.hrl b/lib/ssl/src/ssl_connection.hrl index 9a58f2b8f7..e3abc7d4aa 100644 --- a/lib/ssl/src/ssl_connection.hrl +++ b/lib/ssl/src/ssl_connection.hrl @@ -54,7 +54,8 @@ session_cache :: db_handle(), session_cache_cb :: atom(), crl_db :: term(), - negotiated_version :: ssl_record:ssl_version(), + negotiated_version :: ssl_record:ssl_version() | 'undefined', + client_hello_version :: ssl_record:ssl_version() | 'undefined', client_certificate_requested = false :: boolean(), key_algorithm :: ssl_cipher:key_algo(), hashsign_algorithm = {undefined, undefined}, diff --git a/lib/ssl/src/tls_connection.erl b/lib/ssl/src/tls_connection.erl index 93716d31b8..5a70cf96dc 100644 --- a/lib/ssl/src/tls_connection.erl +++ b/lib/ssl/src/tls_connection.erl @@ -206,6 +206,7 @@ hello(Hello = #client_hello{client_version = ClientVersion, ssl_connection:hello({common_client_hello, Type, ServerHelloExt}, State#state{connection_states = ConnectionStates, negotiated_version = Version, + client_hello_version = ClientVersion, hashsign_algorithm = HashSign, session = Session, client_ecc = {EllipticCurves, EcPointFormats}, -- cgit v1.2.3 From 4ceea4abde1438bf9e4e209e1691449bfc93fa91 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 22 Nov 2017 19:04:06 +0100 Subject: Prepare release --- lib/ssl/doc/src/notes.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++++ lib/ssl/vsn.mk | 2 +- 2 files changed, 54 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/ssl/doc/src/notes.xml b/lib/ssl/doc/src/notes.xml index 5b0b5ead20..9b58980359 100644 --- a/lib/ssl/doc/src/notes.xml +++ b/lib/ssl/doc/src/notes.xml @@ -27,6 +27,59 @@

This document describes the changes made to the SSL application.

+
SSL 7.3.3.0.1 + +
Fixed Bugs and Malfunctions + + +

An erlang TLS server configured with cipher suites + using rsa key exchange, may be vulnerable to an Adaptive + Chosen Ciphertext attack (AKA Bleichenbacher attack) + against RSA, which when exploited, may result in + plaintext recovery of encrypted messages and/or a + Man-in-the-middle (MiTM) attack, despite the attacker not + having gained access to the server’s private key + itself. CVE-2017-1000385 +

Exploiting this vulnerability to perform + plaintext recovery of encrypted messages will, in most + practical cases, allow an attacker to read the plaintext + only after the session has completed. Only TLS sessions + established using RSA key exchange are vulnerable to this + attack.

Exploiting this vulnerability to conduct + a MiTM attack requires the attacker to complete the + initial attack, which may require thousands of server + requests, during the handshake phase of the targeted + session within the window of the configured handshake + timeout. This attack may be conducted against any TLS + session using RSA signatures, but only if cipher suites + using RSA key exchange are also enabled on the server. + The limited window of opportunity, limitations in + bandwidth, and latency make this attack significantly + more difficult to execute.

RSA key exchange is + enabled by default although least prioritized if server + order is honored. For such a cipher suite to be chosen it + must also be supported by the client and probably the + only shared cipher suite.

Captured TLS sessions + encrypted with ephemeral cipher suites (DHE or ECDHE) are + not at risk for subsequent decryption due to this + vulnerability.

As a workaround if default cipher + suite configuration was used you can configure the server + to not use vulnerable suites with the ciphers option like + this:

{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,Suite) =/= rsa]}

+ that is your code will look somethingh like this:

+ ssl:listen(Port, [{ciphers, [Suite || Suite <- + ssl:cipher_suites(), element(1,S) =/= rsa]} | Options]). +

Thanks to Hanno Böck, Juraj Somorovsky and + Craig Young for reporting this vulnerability.

+

+ Own Id: OTP-14748

+
+
+
+ +
SSL 7.3.3 diff --git a/lib/ssl/vsn.mk b/lib/ssl/vsn.mk index bd6ecebbd4..be207bcd61 100644 --- a/lib/ssl/vsn.mk +++ b/lib/ssl/vsn.mk @@ -1 +1 @@ -SSL_VSN = 7.3.3 +SSL_VSN = 7.3.3.0.1 -- cgit v1.2.3