The branch OpenSSL_1_0_2-stable has been updated
       via  8a27243c7bca665cf940acd66ee9bf578ee8e8a9 (commit)
       via  bfe07df40c13ea2564bb4577620180e3f4849e23 (commit)
       via  33223e733a3765a779feb82497a0bdc9d9321209 (commit)
       via  9330fbd07f8f544d978465cc9f6390037a87c16a (commit)
       via  00456fded43eadd4bb94bf675ae4ea5d158a764f (commit)
       via  c394a488942387246653833359a5c94b5832674e (commit)
       via  d73cc256c8e256c32ed959456101b73ba9842f72 (commit)
       via  cc598f321fbac9c04da5766243ed55d55948637d (commit)
      from  fb4f46763fed3c600db21974577061b611b6fa46 (commit)


- Log -----------------------------------------------------------------
commit 8a27243c7bca665cf940acd66ee9bf578ee8e8a9
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Dec 3 14:45:41 2015 +0000

    Prepare for 1.0.2f-dev
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit bfe07df40c13ea2564bb4577620180e3f4849e23
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Dec 3 14:44:31 2015 +0000

    Prepare for 1.0.2e release
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 33223e733a3765a779feb82497a0bdc9d9321209
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Dec 3 14:44:31 2015 +0000

    make update
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 9330fbd07f8f544d978465cc9f6390037a87c16a
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Dec 1 14:39:47 2015 +0000

    Update CHANGES and NEWS
    
    Update the CHANGES and NEWS files for the new release.
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 00456fded43eadd4bb94bf675ae4ea5d158a764f
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Wed Nov 4 13:30:03 2015 +0000

    Add test for CVE-2015-3194
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit c394a488942387246653833359a5c94b5832674e
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Oct 2 12:35:19 2015 +0100

    Add PSS parameter check.
    
    Avoid seg fault by checking mgf1 parameter is not NULL. This can be
    triggered during certificate verification so could be a DoS attack
    against a client or a server enabling client authentication.
    
    Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
    
    CVE-2015-3194
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit d73cc256c8e256c32ed959456101b73ba9842f72
Author: Andy Polyakov <ap...@openssl.org>
Date:   Tue Dec 1 09:00:32 2015 +0100

    bn/asm/x86_64-mont5.pl: fix carry propagating bug (CVE-2015-3193).
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)

commit cc598f321fbac9c04da5766243ed55d55948637d
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Tue Nov 10 19:03:07 2015 +0000

    Fix leak with ASN.1 combine.
    
    When parsing a combined structure pass a flag to the decode routine
    so on error a pointer to the parent structure is not zeroed as
    this will leak any additional components in the parent.
    
    This can leak memory in any application parsing PKCS#7 or CMS structures.
    
    CVE-2015-3195.
    
    Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
    libFuzzer.
    
    PR#4131
    
    Reviewed-by: Richard Levitte <levi...@openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                       | 62 ++++++++++++++++++++++++++++++++++++++++++-
 NEWS                          | 12 ++++++++-
 README                        |  2 +-
 crypto/asn1/tasn_dec.c        |  7 +++--
 crypto/bn/asm/x86_64-mont5.pl | 22 ++++++++++++---
 crypto/bn/bntest.c            | 18 +++++++++++++
 crypto/opensslv.h             |  6 ++---
 crypto/rsa/rsa_ameth.c        |  2 +-
 openssl.spec                  |  2 +-
 test/Makefile                 |  7 ++---
 test/certs/pss1.pem           | 21 +++++++++++++++
 test/tx509                    |  7 +++++
 12 files changed, 152 insertions(+), 16 deletions(-)
 create mode 100644 test/certs/pss1.pem

diff --git a/CHANGES b/CHANGES
index 1dc6dc6..32bd5c5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,57 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.2d and 1.0.2e [xx XXX xxxx]
+ Changes between 1.0.2e and 1.0.2f [xx XXX xxxx]
+
+  *)
+
+ Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
+
+  *) BN_mod_exp may produce incorrect results on x86_64
+
+     There is a carry propagating bug in the x86_64 Montgomery squaring
+     procedure. No EC algorithms are affected. Analysis suggests that attacks
+     against RSA and DSA as a result of this defect would be very difficult to
+     perform and are not believed likely. Attacks against DH are considered 
just
+     feasible (although very difficult) because most of the work necessary to
+     deduce information about a private key may be performed offline. The 
amount
+     of resources required for such an attack would be very significant and
+     likely only accessible to a limited number of attackers. An attacker would
+     additionally need online access to an unpatched system using the target
+     private key in a scenario with persistent DH parameters and a private
+     key that is shared between multiple clients. For example this can occur by
+     default in OpenSSL DHE based SSL/TLS ciphersuites.
+
+     This issue was reported to OpenSSL by Hanno Böck.
+     (CVE-2015-3193)
+     [Andy Polyakov]
+
+  *) Certificate verify crash with missing PSS parameter
+
+     The signature verification routines will crash with a NULL pointer
+     dereference if presented with an ASN.1 signature using the RSA PSS
+     algorithm and absent mask generation function parameter. Since these
+     routines are used to verify certificate signature algorithms this can be
+     used to crash any certificate verification operation and exploited in a
+     DoS attack. Any application which performs certificate verification is
+     vulnerable including OpenSSL clients and servers which enable client
+     authentication.
+
+     This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+     (CVE-2015-3194)
+     [Stephen Henson]
+
+  *) X509_ATTRIBUTE memory leak
+
+     When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+     memory. This structure is used by the PKCS#7 and CMS routines so any
+     application which reads PKCS#7 or CMS data from untrusted sources is
+     affected. SSL/TLS is not affected.
+
+     This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) 
using
+     libFuzzer.
+     (CVE-2015-3195)
+     [Stephen Henson]
 
   *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
      This changes the decoding behaviour for some invalid messages,
@@ -27,8 +77,18 @@
 
      This issue was reported to OpenSSL by Adam Langley/David Benjamin
      (Google/BoringSSL).
+     (CVE-2015-1793)
      [Matt Caswell]
 
+  *) Race condition handling PSK identify hint
+
+     If PSK identity hints are received by a multi-threaded client then
+     the values are wrongly updated in the parent SSL_CTX structure. This can
+     result in a race condition potentially leading to a double free of the
+     identify hint data.
+     (CVE-2015-3196)
+     [Stephen Henson]
+
  Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
 
   *) Fix HMAC ABI incompatibility. The previous version introduced an ABI
diff --git a/NEWS b/NEWS
index cb5674b..6d32f75 100644
--- a/NEWS
+++ b/NEWS
@@ -5,13 +5,23 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [under development]
+  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [under development]
 
       o
 
+  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
+
+      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
+      o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
+      o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+      o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
+      o In DSA_generate_parameters_ex, if the provided seed is too short,
+        return an error
+
   Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
 
       o Alternate chains certificate forgery (CVE-2015-1793)
+      o Race condition handling PSK identify hint (CVE-2015-3196)
 
   Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
 
diff --git a/README b/README
index ddc3dd1..4198f72 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.2e-dev
+ OpenSSL 1.0.2f-dev
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index febf605..9256049 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char 
**in, long len,
     int otag;
     int ret = 0;
     ASN1_VALUE **pchptr, *ptmpval;
+    int combine = aclass & ASN1_TFLG_COMBINE;
+    aclass &= ~ASN1_TFLG_COMBINE;
     if (!pval)
         return 0;
     if (aux && aux->asn1_cb)
@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char 
**in, long len,
  auxerr:
     ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
  err:
-    ASN1_item_ex_free(pval, it);
+    if (combine == 0)
+        ASN1_item_ex_free(pval, it);
     if (errtt)
         ERR_add_error_data(4, "Field=", errtt->field_name,
                            ", Type=", it->sname);
@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
     } else {
         /* Nothing special */
         ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
-                               -1, 0, opt, ctx);
+                               -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
         if (!ret) {
             ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
             goto err;
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 388e3c6..64e668f 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -1784,6 +1784,15 @@ sqr8x_reduction:
 .align 32
 .L8x_tail_done:
        add     (%rdx),%r8              # can this overflow?
+       adc     \$0,%r9
+       adc     \$0,%r10
+       adc     \$0,%r11
+       adc     \$0,%r12
+       adc     \$0,%r13
+       adc     \$0,%r14
+       adc     \$0,%r15                # can't overflow, because we
+                                       # started with "overhung" part
+                                       # of multiplication
        xor     %rax,%rax
 
        neg     $carry
@@ -3130,6 +3139,15 @@ sqrx8x_reduction:
 .align 32
 .Lsqrx8x_tail_done:
        add     24+8(%rsp),%r8          # can this overflow?
+       adc     \$0,%r9
+       adc     \$0,%r10
+       adc     \$0,%r11
+       adc     \$0,%r12
+       adc     \$0,%r13
+       adc     \$0,%r14
+       adc     \$0,%r15                # can't overflow, because we
+                                       # started with "overhung" part
+                                       # of multiplication
        mov     $carry,%rax             # xor   %rax,%rax
 
        sub     16+8(%rsp),$carry       # mov 16(%rsp),%cf
@@ -3173,13 +3191,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
 my @ri=map("%r$_",(10..13));
 my @ni=map("%r$_",(14..15));
 $code.=<<___;
-       xor     %rbx,%rbx
+       xor     %ebx,%ebx
        sub     %r15,%rsi               # compare top-most words
        adc     %rbx,%rbx
        mov     %rcx,%r10               # -$num
-       .byte   0x67
        or      %rbx,%rax
-       .byte   0x67
        mov     %rcx,%r9                # -$num
        xor     \$1,%rax
        sar     \$3+2,%rcx              # cf=0
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 8b8a152..1e35988 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -1016,6 +1016,24 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
             return 0;
         }
     }
+
+    /* Regression test for carry propagation bug in sqr8x_reduction */
+    BN_hex2bn(&a, "050505050505");
+    BN_hex2bn(&b, "02");
+    BN_hex2bn(&c,
+        "4141414141414141414141274141414141414141414141414141414141414141"
+        "4141414141414141414141414141414141414141414141414141414141414141"
+        "4141414141414141414141800000000000000000000000000000000000000000"
+        "0000000000000000000000000000000000000000000000000000000000000000"
+        "0000000000000000000000000000000000000000000000000000000000000000"
+        "0000000000000000000000000000000000000000000000000000000001");
+    BN_mod_exp(d, a, b, c, ctx);
+    BN_mul(e, a, a, ctx);
+    if (BN_cmp(d, e)) {
+        fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
+        return 0;
+    }
+
     BN_free(a);
     BN_free(b);
     BN_free(c);
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index faaf63f..f4931f5 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)
  */
-# define OPENSSL_VERSION_NUMBER  0x10002050L
+# define OPENSSL_VERSION_NUMBER  0x10002060L
 # ifdef OPENSSL_FIPS
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2e-fips-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2f-fips-dev xx XXX xxxx"
 # else
-#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2e-dev xx XXX xxxx"
+#  define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2f-dev xx XXX xxxx"
 # endif
 # define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT
 
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index ca3922e..4e06218 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -268,7 +268,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
 {
     const unsigned char *p;
     int plen;
-    if (alg == NULL)
+    if (alg == NULL || alg->parameter == NULL)
         return NULL;
     if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
         return NULL;
diff --git a/openssl.spec b/openssl.spec
index 45e737a..72ace12 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,7 +6,7 @@ Release: 1
 
 Summary: Secure Sockets Layer and cryptography libraries and tools
 Name: openssl
-Version: 1.0.2e
+Version: 1.0.2f
 Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
 License: OpenSSL
 Group: System Environment/Libraries
diff --git a/test/Makefile b/test/Makefile
index 8cbb5ad..b180971 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -588,9 +588,10 @@ clienthellotest.o: ../include/openssl/buffer.h 
../include/openssl/comp.h
 clienthellotest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
 clienthellotest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
 clienthellotest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-clienthellotest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-clienthellotest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-clienthellotest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+clienthellotest.o: ../include/openssl/err.h ../include/openssl/evp.h
+clienthellotest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+clienthellotest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+clienthellotest.o: ../include/openssl/objects.h
 clienthellotest.o: ../include/openssl/opensslconf.h
 clienthellotest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 clienthellotest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
diff --git a/test/certs/pss1.pem b/test/certs/pss1.pem
new file mode 100644
index 0000000..29da71d
--- /dev/null
+++ b/test/certs/pss1.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI
+AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD
+VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz
+NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj
+ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH
+qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL
+IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT
+IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k
+dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq
+QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa
+5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2
+4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB
+Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii
+BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb
+xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn
+plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY
+DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p
+NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ
+lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=
+-----END CERTIFICATE-----
diff --git a/test/tx509 b/test/tx509
index 0ce3b52..77f5cac 100644
--- a/test/tx509
+++ b/test/tx509
@@ -74,5 +74,12 @@ if [ $? != 0 ]; then exit 1; fi
 cmp x509-f.p x509-ff.p3
 if [ $? != 0 ]; then exit 1; fi
 
+echo "Parsing test certificates"
+
+$cmd -in certs/pss1.pem -text -noout >/dev/null
+if [ $? != 0 ]; then exit 1; fi
+
+echo OK
+
 /bin/rm -f x509-f.* x509-ff.* x509-fff.*
 exit 0
_____
openssl-commits mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits

Reply via email to