Re: OpenBSD CARP Hash Vulnerability
From: Jeffrey Walton <noloader () gmail com>
Date: Mon, 20 Dec 2010 13:14:51 -0500
On Fri, Dec 17, 2010 at 10:08 PM, Sam Banks <wolfie () ontogeny ac nz> wrote:
> I disclosed this bug to the BSDs and no one is interested in fixing it
> so here you go. The two files attached are as follows:
> The OpenBSD CARP implementation (and all derivatives, such as FreeBSD
> and NetBSD) fails to include all fields contained in the "carp_header"
> structure when calculating the SHA1 HMAC hash of the packet in the
> function carp_proto_input_c. The two 8-bit fields not included in
> the hash generation are "carp_advskew" and "carp_advbase". Among other
> functions, the fields are both set to 255 by the master CARP node to
> indicate that it wants to step down from the master role.
"Analysis of the SSL 3.0 Protocol" by Schneier and Wagner comes to mind.
3.6 The Horton principle
Let’s recall the ultimate goal of message authentication. SSL provides
message integrity protection just when the data passed up from the
receiver’s SSL record layer to the protected application exactly
matches the data uttered by the sender’s protected application to the
sender’s SSL record layer. This means, approximately, that it is not
enough to apply a secure MAC to just application data as it is
transmitted over the wire—one must also authenticate any context
that the SSL mechanism depends upon to interpret inbound network data.
For lack of a better name, let’s call this “the Horton principle”
(with apologies to Dr. Seuss) of semantic authentication: roughly
speaking we want SSL to
“authenticate what was meant, not what was said.”
To phrase it another way,
Eschew unauthenticated security-critical context.
This design principle is hardly original; Abadi and Needham [AN96]
gave a version of it in the context of building secure protocols. The
Horton principle is essentially a restatement of their Principle 1 in
terms of requirements for record-layer message authentication.
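
The following is an added illustration, not part of the original message and not the OpenBSD code: a simplified model of a MAC that covers only some header fields, with a check that reports which fields a given MAC function leaves unauthenticated. The `Advert` layout, the `vhid` and `counter` fields, the key and all function names are assumptions; only `carp_advskew` and `carp_advbase` come from the post.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, fields, replace

KEY = b"constructed-shared-secret"  # constructed sample key


@dataclass(frozen=True)
class Advert:
    """Simplified advertisement; NOT the real carp_header layout."""
    vhid: int          # assumed field
    counter: int       # assumed field
    carp_advskew: int  # named in the post
    carp_advbase: int  # named in the post


def mac_partial(key, adv):
    """Tag that skips the two 8-bit fields, as the post describes."""
    covered = struct.pack("!BQ", adv.vhid, adv.counter)
    return hmac.new(key, covered, hashlib.sha1).digest()


def mac_full(key, adv):
    """Tag over every field the receiver acts on (Horton principle)."""
    covered = struct.pack("!BQBB", adv.vhid, adv.counter,
                          adv.carp_advskew, adv.carp_advbase)
    return hmac.new(key, covered, hashlib.sha1).digest()


def verify(key, adv, tag, mac_fn):
    return hmac.compare_digest(mac_fn(key, adv), tag)


def unauthenticated_fields(mac_fn, sample, key=KEY):
    """Regression check: list fields whose change leaves the tag unchanged."""
    baseline = mac_fn(key, sample)
    missed = []
    for f in fields(sample):
        changed = replace(sample, **{f.name: getattr(sample, f.name) ^ 0xFF})
        if hmac.compare_digest(mac_fn(key, changed), baseline):
            missed.append(f.name)
    return missed


# Constructed sample message and a copy altered in the two uncovered fields.
SAMPLE = Advert(vhid=1, counter=42, carp_advskew=0, carp_advbase=1)
ALTERED = replace(SAMPLE, carp_advskew=255, carp_advbase=255)
```

Run as a unit test against a protocol's real MAC routine, a check like `unauthenticated_fields` fails as soon as a field is added to the header without being added to the MAC input.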