apple / HomeKitADK

Apache License 2.0

Vulnerability in SRP #87

Closed sabtmoha closed 3 years ago

sabtmoha commented 3 years ago

Sorry to write this in public issues, but I did not find how to submit a vulnerability report!

First of all, Happy New Year!

We would like to report a vulnerability in the SRP implementation (PAL/Crypto/OpenSSL/HAPOpenSSL.c). Indeed, the implementation relies on OpenSSL Big Number implementations. More importantly, it relies on the OpenSSL function BN_mod_exp without setting BN_FLG_CONSTTIME. The consequence is that the function BN_mod_exp (in OpenSSL crypto/bn/bn_exp.c) calls the function BN_mod_exp_mont_word (in OpenSSL crypto/bn/bn_exp.c).

Roughly speaking, the vulnerability is caused by the non-constant-time nature of the function BN_mod_exp_mont_word. The attack was tested on OpenSSL 1.1.1h, but should work on other versions too.

We show the attack by exploiting SRP. By design, SRP is supposed to resist offline dictionary attacks. However, we show that such attacks are still possible, recovering the used password efficiently by exploiting some data leakage during an insecure modular exponentiation.

A PoC is available here (it shows SRP in OpenSSL, but it also works perfectly fine on Erlang): https://gitlab.inria.fr/ddealmei/poc-openssl-srp
We contacted OpenSSL, and they are fixing only the part concerning OpenSSL in crypto/srp/srp_lib.c.

Apple HomeKit should include its own fix by setting the flag BN_FLG_CONSTTIME on the exponent variable of BN_mod_exp.

We will be glad to provide further information if needed. This is my email if you would like more private discussion: mohamed.sabt@irisa.fr

Best regards, Mohamed SABT, Associate Professor at the University of Rennes 1 and Researcher at IRISA in France

aajain-com commented 3 years ago

Thanks for reporting this issue @sabtmoha.

sabtmoha commented 3 years ago

Do you have any intention to patch it?

I would like to publish an article about this vulnerability.

aajain-com commented 3 years ago

> Do you have any intention to patch it?
>
> I would like to publish an article about this vulnerability.

Yes and PR welcomed.

sabtmoha commented 3 years ago

I will start working on the patch next week. Thank you for your interest.