[exim-dev] heartbleed detection

Top Page
Delete this message
Reply to this message
Author: Wolfgang Breyha
Date:  
To: exim-dev
Subject: [exim-dev] heartbleed detection
Hi!

I patched my exim to detect heartbleed attacks/checks. The patch is quick and
dirty and not intended for HEAD or inexperienced users. That's why I post it
only here. Don't know the impact of setting a tls_msg_callback on the
performance yet.

Maybe somebody is interested. Try at your own risk;-)

It works with patched OpenSSL versions as well as with unpatched ones.

Patch will most likely apply with some fuzz, since I've other patches in place
as well.

Greetings, Wolfgang
--
Wolfgang Breyha <wbreyha@???> | http://www.blafasel.at/
Vienna University Computer Center | Austria

--- src/tls-openssl.c.prehb    2014-04-09 13:16:19.000000000 +0200
+++ src/tls-openssl.c    2014-04-09 14:14:01.000000000 +0200
@@ -330,6 +330,29 @@
 return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called, &server_verify_optional);
 }


+void tls_msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
+{
+    if (content_type == TLS1_RT_HEARTBEAT)
+    {
+        if (len >= 3)
+        {
+            unsigned short hbtype;
+            unsigned int payll;
+            const unsigned char *p = buf;
+            hbtype = *p++;
+            payll = (((unsigned int)(*p++))<< 8)|(((unsigned int)(*p++)));
+            if (hbtype == TLS1_HB_REQUEST)
+                if (payll > len - 3)
+                {
+                    DEBUG(D_tls) debug_printf("TLS heartbleed attack detected: %d < %d\n", len - 3, payll);
+                        log_write(0, LOG_MAIN|LOG_PANIC,
+                          "TLS heartbleed attack detected: %d < %d", len - 3, payll);
+                } else {
+                    DEBUG(D_tls) debug_printf("TLS valid heartbeat req received\n");
+                }
+        }
+    }
+}



/*************************************************
@@ -1160,6 +1183,8 @@

SSL_CTX_set_tmp_rsa_callback(*ctxp, rsa_callback);

+SSL_CTX_set_msg_callback(*ctxp, tls_msg_cb);
+
/* Finally, set the timeout, and we are done */

SSL_CTX_set_timeout(*ctxp, ssl_session_timeout);