Re: OpenBSD CARP Hash Vulnerability

From: Jeffrey Walton <>
To: Sam Banks <>
Subject: Re: OpenBSD CARP Hash Vulnerability

On Fri, Dec 17, 2010 at 10:08 PM, Sam Banks <> wrote:
> Hello Bugtraq,
> I disclosed this bug to the BSDs and no one is interested in fixing it
> so here you go. The two files attached are as follows:
> [SNIP]
> The OpenBSD CARP implementation (and all derivatives, such as FreeBSD
> and NetBSD) fails to include all fields contained in the "carp_header"
> structure[1] when calculating the SHA1 HMAC hash of the packet in the
> function carp_proto_input_c[2]. The two 8-bit fields not included in
> the hash generation are "carp_advskew" and "carp_advbase". Among other
> functions, the fields are both set to 255 by the master CARP node to
> indicate that it wants to step down from the master role.
"Analysis of the SSL 3.0 Protocol" by Schneier and Wagner comes to mind.

3.6 The Horton principle

Let’s recall the ultimate goal of message authentication. SSL provides
message integrity protection just when the data passed up from the
receiver’s SSL record layer to the protected application exactly
matches the data uttered by the sender’s protected application to the
sender’s SSL record layer. This means, approximately, that it is not
enough to apply a secure MAC to just application data as it is
transmitted over the wire—one must also authenticate any context
that the SSL mechanism depends upon to interpret inbound network data.
For lack of a better name, let’s call this “the Horton principle”
(with apologies to Dr. Seuss) of semantic authentication: roughly
speaking we want SSL to
    “authenticate what was meant, not what was said.”
To phrase it another way,
    Eschew unauthenticated security-critical context.

This design principle is hardly original; Abadi and Needham [AN96]
gave a version of it in the context of building secure protocols. The
Horton principle is essentially a restatement of their Principle 1 in
terms of requirements for record-layer message authentication.
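
The coverage gap described in the quoted report, set against the Horton principle, as an added Python example that is not part of the original thread and is not OpenBSD code. It uses a simplified advertisement model: only `carp_advskew` and `carp_advbase` come from the post, while `vhid`, `counter`, the key and the byte packing are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-shared-secret"  # constructed sample key, not a real one


@dataclass(frozen=True)
class Advert:
    """Simplified advertisement. vhid and counter are assumed fields;
    carp_advskew and carp_advbase are the two 8-bit fields named in the post."""
    vhid: int
    counter: int
    carp_advskew: int
    carp_advbase: int


def mac_partial(key: bytes, a: Advert) -> bytes:
    # Models the reported flaw: the two 8-bit fields are left out of the HMAC.
    covered = struct.pack("!BQ", a.vhid, a.counter)
    return hmac.new(key, covered, hashlib.sha1).digest()


def mac_full(key: bytes, a: Advert) -> bytes:
    # Horton principle: every field the receiver acts on is authenticated.
    covered = struct.pack("!BQBB", a.vhid, a.counter,
                          a.carp_advskew, a.carp_advbase)
    return hmac.new(key, covered, hashlib.sha1).digest()


def verify(key: bytes, received: Advert, tag: bytes, mac_fn) -> bool:
    # Constant-time comparison of the recomputed tag with the received one.
    return hmac.compare_digest(mac_fn(key, received), tag)


def demo() -> dict:
    sent = Advert(vhid=1, counter=42, carp_advskew=0, carp_advbase=1)
    # Same packet with only the two unauthenticated fields changed in transit.
    altered = replace(sent, carp_advskew=255, carp_advbase=255)
    return {
        "partial_accepts_altered": verify(KEY, altered, mac_partial(KEY, sent), mac_partial),
        "full_accepts_altered": verify(KEY, altered, mac_full(KEY, sent), mac_full),
        "full_accepts_original": verify(KEY, sent, mac_full(KEY, sent), mac_full),
    }


if __name__ == "__main__":
    print(demo())
```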

