Reputation: 1157
I would like to be able to test for POODLE vulnerability over TLS.
There are already several ways to do this, like Qualys SSLLabs for instance, but it is too restrictive (only TCP port 443 of servers available on the Internet). There is also this link, but I got a lot of false positives/negatives when I tested it: http://www.exploresecurity.com/testing-for-poodle_tls-manually/
So now I am trying to modify the TLS implementation of OpenSSL 1.0.2d to be able to send invalid packets (using openssl s_client ...) and to see the behavior of servers.
Even though I am not really familiar with C, I could find interesting code implementing the padding for AES-CBC-SHA (according to RFC 2246) in OpenSSL in crypto/evp/e_aes_cbc_hmac_sha1.c, on line 518:

    /* pad the payload|hmac */
    plen += SHA_DIGEST_LENGTH;
    for (l = len - plen - 1; plen < len; plen++)
        out[plen] = l;

I modified it into this in order to change the first padding byte to make it incorrect according to the RFC:

    /* pad the payload|hmac */
    plen += SHA_DIGEST_LENGTH;
    for (l = len - plen - 1; plen < len; plen++) {
        if (plen == len - l - 1)
            out[plen] = (l + 1) % 256;
        else
            out[plen] = l;
    }

Then compile and test:

    ./config
    make
    ./apps/openssl s_client -connect www.google.com:443 -servername www.google.com -tls1 -cipher AES128-SHA

And I could connect and make an HTTP request which got response...
So my question is: was it not the right file that I modified, or is it something else?
Thank you very much for your help.
Upvotes: 9
Views: 1868
Reputation: 924
I had the same problem, answered here. Basically, you need to modify the ssl3_enc function (in the s3_enc.c file) and replace

    memset(&rec->input[rec->length], 0, i);

with

    for (size_t j = 0; j < i; ++j) {
        rec->input[rec->length + j] = rand() % 256;
    }

Also, it's best to increase the padding size for the cases when the block aligns well and there is no padding. To do that, just add:

    i += bs;

right before these lines:

    /* we need to add 'i-1' padding bytes */
    l += i;

Upvotes: 2
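
As an added illustration (not part of either post and not OpenSSL code), the following sketch shows what such a test is looking for on the receiving side: a padding check that inspects only the final length byte accepts a record whose first padding byte was altered as in the question, while the RFC 2246 check on every padding byte rejects it. The function names and the 32-byte record are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Model of the flawed check: only the final length byte is examined, so
 * the padding bytes before it can hold anything (the POODLE condition). */
static int lax_padding_ok(const unsigned char *rec, size_t len, size_t bs)
{
    if (len == 0 || len % bs != 0)
        return 0;
    return (size_t)rec[len - 1] + 1 <= len;
}

/* TLS 1.0 (RFC 2246) check: every padding byte must equal the padding
 * length. Differences are accumulated rather than returned early; a
 * production check must also keep timing independent of the pad length. */
static int strict_padding_ok(const unsigned char *rec, size_t len, size_t bs)
{
    unsigned char pad, diff = 0;
    size_t i;
    if (len == 0 || len % bs != 0)
        return 0;
    pad = rec[len - 1];
    if ((size_t)pad + 1 > len)
        return 0;
    for (i = len - 1 - pad; i < len; i++)
        diff |= (unsigned char)(rec[i] ^ pad);
    return diff == 0;
}

/* Constructed 32-byte record body: 20 bytes standing in for payload|MAC,
 * then 12 bytes of padding (11 pad bytes + length byte, all 0x0b).
 * With corrupt_first set, the first padding byte becomes l + 1, which is
 * what the modified loop in the question writes. */
static void build_record(unsigned char *rec, int corrupt_first)
{
    memset(rec, 0xAA, 20);
    memset(rec + 20, 0x0b, 12);
    if (corrupt_first)
        rec[20] = 0x0b + 1;
}

int main(void)
{
    unsigned char rec[32];
    build_record(rec, 1);
    printf("lax=%d strict=%d\n", lax_padding_ok(rec, 32, 16),
           strict_padding_ok(rec, 32, 16));
    return 0;
}
```

A server that behaves like `strict_padding_ok` should fail the record with a fatal alert, so a connection that proceeds normally after padding was really altered on the wire indicates the lax behaviour.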