From 9b8038c6f08ed6f189a3bf8e2c8ba13b3c8e9afe Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Wed, 9 Apr 2014 11:54:42 -0400
Subject: [PATCH] Check for invalid TLS handshake

If the system has a vulnerable version of OpenSSL, and the admin has told us to allow it, we want to catch and stop the problem.
---
 src/modules/rlm_eap/libeap/cb.c | 18 ++++++++++++++++++
 src/modules/rlm_eap/libeap/eap_tls.h | 2 ++
 src/modules/rlm_eap/libeap/tls.c | 2 ++
 3 files changed, 22 insertions(+)

diff --git a/src/modules/rlm_eap/libeap/cb.c b/src/modules/rlm_eap/libeap/cb.c
index f7a0beb..7048f6e 100644
--- a/src/modules/rlm_eap/libeap/cb.c
+++ b/src/modules/rlm_eap/libeap/cb.c
@@ -118,7 +118,25 @@ void cbtls_msg(int write_p, int msg_version, int content_type,
 state->info.handshake_type = ((const unsigned char*)buf)[0];
 state->info.alert_level = 0x00;
 state->info.alert_description = 0x00;
+
+#ifdef SSL3_RT_HEARTBEAT
+ } else if (content_type == TLS1_RT_HEARTBEAT) {
+ uint8_t *p = buf;
+
+ if ((len >= 3) && (p[0] == 1)) {
+ size_t payload_len;
+
+ payload_len = (p[1] << 8) | p[2];
+
+ if ((payload_len + 3) > len) {
+ state->invalid_hb_used = TRUE;
+ ERROR("OpenSSL Heartbeat attack detected. Closing connection");
+ return;
+ }
+ }
+#endif
 }
+
 tls_session_information(state);
 }
diff --git a/src/modules/rlm_eap/libeap/eap_tls.h b/src/modules/rlm_eap/libeap/eap_tls.h
index a32f232..48c2333 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.h
+++ b/src/modules/rlm_eap/libeap/eap_tls.h
@@ -158,6 +158,8 @@ typedef struct _tls_session_t {
 unsigned int size);
+ int invalid_hb_used;
+
 /*
 * Framed-MTU attribute in RADIUS,
 * if present, can also be used to set this
diff --git a/src/modules/rlm_eap/libeap/tls.c b/src/modules/rlm_eap/libeap/tls.c
index 88530ac..da73230 100644
--- a/src/modules/rlm_eap/libeap/tls.c
+++ b/src/modules/rlm_eap/libeap/tls.c
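Review bot: The guard `#ifdef SSL3_RT_HEARTBEAT` tests a different macro from the `TLS1_RT_HEARTBEAT` that the new branch compares against, so the detection silently compiles out on any OpenSSL whose headers define the second name but not the first; the 1.0.1 headers I know of define `TLS1_RT_HEARTBEAT` (record type 24) and I cannot find `SSL3_RT_HEARTBEAT` in them, which would make this whole block dead code on exactly the builds it targets, so guard on the symbol actually used: `#ifdef TLS1_RT_HEARTBEAT`. Two smaller points in the same block: `uint8_t *p = buf;` discards the const qualifier if `buf` is `const void *` as the `(const unsigned char*)buf` cast on the context line suggests, so `const uint8_t *p = buf;` avoids a discarded-qualifiers warning; and the bound `(payload_len + 3) > len` is what stops the over-read on a vulnerable library, but RFC 6520 section 4 also requires at least 16 bytes of padding, so `(payload_len + 3 + 16) > len` would match what a patched OpenSSL itself discards. The early `return` skips `tls_session_information(state)`, which looks intentional but deserves a one-line comment saying so. cbtls_msg begins before this hunk.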
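Review bot: The new `invalid_hb_used` field has no comment saying who sets it or what it means, and its whole value lies in that contract; I would add `/* Set by cbtls_msg() when a heartbeat declares more payload than the record carries; tls_handshake_recv() then refuses further input. */` above it. It also only works if every `tls_session_t` starts with the field zeroed: if the session allocator does not zero the struct (not visible from this hunk), an uninitialized value would spuriously abort handshakes, so the constructor should set it to 0 explicitly rather than rely on the allocator. The enclosing struct begins and ends outside this hunk.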
@@ -183,6 +183,8 @@ int tls_handshake_recv(REQUEST *request, tls_session_t *ssn)
 {
 int err;
+ if (ssn->invalid_hb_used) return 0;
+
 BIO_write(ssn->into_ssl, ssn->dirty_in.data, ssn->dirty_in.used);
 err = SSL_read(ssn->ssl, ssn->clean_out.data + ssn->clean_out.used,
-- 
2.1.4
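Review bot: The new guard runs before `BIO_write`/`SSL_read`, so it only refuses the round after the flag was set; the heartbeat that sets it is seen by `cbtls_msg` from inside this very `SSL_read` call, and OpenSSL's message callback is void and cannot abort record processing, so a vulnerable library still builds the oversized response during that call. Unless the remainder of the function (outside this hunk) checks the flag again, whatever OpenSSL queued in `from_ssl` is presumably drained and forwarded to the peer as usual. I would repeat the check immediately after the read returns, `if (ssn->invalid_hb_used) return 0;` on the line following the `SSL_read` call, before anything is copied out of `from_ssl`. The body of tls_handshake_recv continues past the end of the hunk.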