The branch OpenSSL_1_0_2-stable has been updated
       via  8a27243c7bca665cf940acd66ee9bf578ee8e8a9 (commit)
       via  bfe07df40c13ea2564bb4577620180e3f4849e23 (commit)
       via  33223e733a3765a779feb82497a0bdc9d9321209 (commit)
       via  9330fbd07f8f544d978465cc9f6390037a87c16a (commit)
       via  00456fded43eadd4bb94bf675ae4ea5d158a764f (commit)
       via  c394a488942387246653833359a5c94b5832674e (commit)
       via  d73cc256c8e256c32ed959456101b73ba9842f72 (commit)
       via  cc598f321fbac9c04da5766243ed55d55948637d (commit)
      from  fb4f46763fed3c600db21974577061b611b6fa46 (commit)
- Log -----------------------------------------------------------------
commit 8a27243c7bca665cf940acd66ee9bf578ee8e8a9
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Dec 3 14:45:41 2015 +0000

    Prepare for 1.0.2f-dev

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit bfe07df40c13ea2564bb4577620180e3f4849e23
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Dec 3 14:44:31 2015 +0000

    Prepare for 1.0.2e release

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 33223e733a3765a779feb82497a0bdc9d9321209
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Dec 3 14:44:31 2015 +0000

    make update

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 9330fbd07f8f544d978465cc9f6390037a87c16a
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Dec 1 14:39:47 2015 +0000

    Update CHANGES and NEWS

    Update the CHANGES and NEWS files for the new release.

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 00456fded43eadd4bb94bf675ae4ea5d158a764f
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Wed Nov 4 13:30:03 2015 +0000

    Add test for CVE-2015-3194

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit c394a488942387246653833359a5c94b5832674e
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Fri Oct 2 12:35:19 2015 +0100

    Add PSS parameter check.

    Avoid seg fault by checking mgf1 parameter is not NULL. This can be
    triggered during certificate verification so could be a DoS attack
    against a client or a server enabling client authentication.

    Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.

    CVE-2015-3194

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit d73cc256c8e256c32ed959456101b73ba9842f72
Author: Andy Polyakov <ap...@openssl.org>
Date:   Tue Dec 1 09:00:32 2015 +0100

    bn/asm/x86_64-mont5.pl: fix carry propagating bug (CVE-2015-3193).

    Reviewed-by: Richard Levitte <levi...@openssl.org>
    (cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)

commit cc598f321fbac9c04da5766243ed55d55948637d
Author: Dr. Stephen Henson <st...@openssl.org>
Date:   Tue Nov 10 19:03:07 2015 +0000

    Fix leak with ASN.1 combine.

    When parsing a combined structure pass a flag to the decode routine so
    on error a pointer to the parent structure is not zeroed as this will
    leak any additional components in the parent.

    This can leak memory in any application parsing PKCS#7 or CMS structures.

    CVE-2015-3195.

    Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
    libFuzzer.

    PR#4131

    Reviewed-by: Richard Levitte <levi...@openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES | 62 ++++++++++++++++++++++++++++++++++++++++++-
 NEWS | 12 ++++++++-
 README | 2 +-
 crypto/asn1/tasn_dec.c | 7 +++--
 crypto/bn/asm/x86_64-mont5.pl | 22 ++++++++++++---
 crypto/bn/bntest.c | 18 +++++++++++++
 crypto/opensslv.h | 6 ++---
 crypto/rsa/rsa_ameth.c | 2 +-
 openssl.spec | 2 +-
 test/Makefile | 7 ++---
 test/certs/pss1.pem | 21 +++++++++++++++
 test/tx509 | 7 +++++
 12 files changed, 152 insertions(+), 16 deletions(-)
 create mode 100644 test/certs/pss1.pem

diff --git a/CHANGES b/CHANGES index 1dc6dc6..32bd5c5 100644 --- a/CHANGES +++ b/CHANGES
@@ -2,7 +2,57 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2d and 1.0.2e [xx XXX xxxx] + Changes between 1.0.2e and 1.0.2f [xx XXX xxxx] + + *) + + Changes between 1.0.2d and 1.0.2e [3 Dec 2015] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. + + This issue was reported to OpenSSL by Hanno Böck. + (CVE-2015-3193) + [Andy Polyakov] + + *) Certificate verify crash with missing PSS parameter + + The signature verification routines will crash with a NULL pointer + dereference if presented with an ASN.1 signature using the RSA PSS + algorithm and absent mask generation function parameter. Since these + routines are used to verify certificate signature algorithms this can be + used to crash any certificate verification operation and exploited in a + DoS attack. Any application which performs certificate verification is + vulnerable including OpenSSL clients and servers which enable client + authentication. + + This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG). 
+ (CVE-2015-3194) + [Stephen Henson] + + *) X509_ATTRIBUTE memory leak + + When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak + memory. This structure is used by the PKCS#7 and CMS routines so any + application which reads PKCS#7 or CMS data from untrusted sources is + affected. SSL/TLS is not affected. + + This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using + libFuzzer. + (CVE-2015-3195) + [Stephen Henson] *) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs. This changes the decoding behaviour for some invalid messages, @@ -27,8 +77,18 @@ This issue was reported to OpenSSL by Adam Langley/David Benjamin (Google/BoringSSL). + (CVE-2015-1793) [Matt Caswell] + *) Race condition handling PSK identify hint + + If PSK identity hints are received by a multi-threaded client then + the values are wrongly updated in the parent SSL_CTX structure. This can + result in a race condition potentially leading to a double free of the + identify hint data. + (CVE-2015-3196) + [Stephen Henson] + Changes between 1.0.2b and 1.0.2c [12 Jun 2015] *) Fix HMAC ABI incompatibility. The previous version introduced an ABI diff --git a/NEWS b/NEWS index cb5674b..6d32f75 100644 --- a/NEWS +++ b/NEWS 
@@ -5,13 +5,23 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [under development] + Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [under development] o + Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015] + + o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193) + o Certificate verify crash with missing PSS parameter (CVE-2015-3194) + o X509_ATTRIBUTE memory leak (CVE-2015-3195) + o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs + o In DSA_generate_parameters_ex, if the provided seed is too short, + return an error + Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015] o Alternate chains certificate forgery (CVE-2015-1793) + o Race condition handling PSK identify hint (CVE-2015-3196) Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015] diff --git a/README b/README index ddc3dd1..4198f72 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2e-dev + OpenSSL 1.0.2f-dev Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index febf605..9256049 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, int otag; int ret = 0; ASN1_VALUE **pchptr, *ptmpval; + int combine = aclass & ASN1_TFLG_COMBINE; + aclass &= ~ASN1_TFLG_COMBINE; if (!pval) return 0; if (aux && aux->asn1_cb) @@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, auxerr: ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR); err: - ASN1_item_ex_free(pval, it); + if (combine == 0) + ASN1_item_ex_free(pval, it); if (errtt) ERR_add_error_data(4, "Field=", errtt->field_name, ", Type=", it->sname); 
@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val, } else { /* Nothing special */ ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item), - -1, 0, opt, ctx); + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); if (!ret) { ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR); goto err; diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl index 388e3c6..64e668f 100755 --- a/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/bn/asm/x86_64-mont5.pl @@ -1784,6 +1784,15 @@ sqr8x_reduction: .align 32 .L8x_tail_done: add (%rdx),%r8 # can this overflow? + adc \$0,%r9 + adc \$0,%r10 + adc \$0,%r11 + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 + adc \$0,%r15 # can't overflow, because we + # started with "overhung" part + # of multiplication xor %rax,%rax neg $carry @@ -3130,6 +3139,15 @@ sqrx8x_reduction: .align 32 .Lsqrx8x_tail_done: add 24+8(%rsp),%r8 # can this overflow? + adc \$0,%r9 + adc \$0,%r10 + adc \$0,%r11 + adc \$0,%r12 + adc \$0,%r13 + adc \$0,%r14 + adc \$0,%r15 # can't overflow, because we + # started with "overhung" part + # of multiplication mov $carry,%rax # xor %rax,%rax sub 16+8(%rsp),$carry # mov 16(%rsp),%cf @@ -3173,13 +3191,11 @@ my ($rptr,$nptr)=("%rdx","%rbp"); my @ri=map("%r$_",(10..13)); my @ni=map("%r$_",(14..15)); $code.=<<___; - xor %rbx,%rbx + xor %ebx,%ebx sub %r15,%rsi # compare top-most words adc %rbx,%rbx mov %rcx,%r10 # -$num - .byte 0x67 or %rbx,%rax - .byte 0x67 mov %rcx,%r9 # -$num xor \$1,%rax sar \$3+2,%rcx # cf=0 diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c index 8b8a152..1e35988 100644 --- a/crypto/bn/bntest.c +++ b/crypto/bn/bntest.c 
@@ -1016,6 +1016,24 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx) return 0; } } + + /* Regression test for carry propagation bug in sqr8x_reduction */ + BN_hex2bn(&a, "050505050505"); + BN_hex2bn(&b, "02"); + BN_hex2bn(&c, + "4141414141414141414141274141414141414141414141414141414141414141" + "4141414141414141414141414141414141414141414141414141414141414141" + "4141414141414141414141800000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000001"); + BN_mod_exp(d, a, b, c, ctx); + BN_mul(e, a, a, ctx); + if (BN_cmp(d, e)) { + fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n"); + return 0; + } + BN_free(a); BN_free(b); BN_free(c); diff --git a/crypto/opensslv.h b/crypto/opensslv.h index faaf63f..f4931f5 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x10002050L +# define OPENSSL_VERSION_NUMBER 0x10002060L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-fips-dev xx XXX xxxx" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-fips-dev xx XXX xxxx" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-dev xx XXX xxxx" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-dev xx XXX xxxx" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index ca3922e..4e06218 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -268,7 +268,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg) { const unsigned char *p; int plen; - if (alg == NULL) + if (alg == NULL || alg->parameter == NULL) return NULL; if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) return NULL; 
diff --git a/openssl.spec b/openssl.spec index 45e737a..72ace12 100644 --- a/openssl.spec +++ b/openssl.spec @@ -6,7 +6,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2e +Version: 1.0.2f Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/test/Makefile b/test/Makefile index 8cbb5ad..b180971 100644 --- a/test/Makefile +++ b/test/Makefile @@ -588,9 +588,10 @@ clienthellotest.o: ../include/openssl/buffer.h ../include/openssl/comp.h clienthellotest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h clienthellotest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h clienthellotest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h -clienthellotest.o: ../include/openssl/evp.h ../include/openssl/hmac.h -clienthellotest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h -clienthellotest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h +clienthellotest.o: ../include/openssl/err.h ../include/openssl/evp.h +clienthellotest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h +clienthellotest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h +clienthellotest.o: ../include/openssl/objects.h clienthellotest.o: ../include/openssl/opensslconf.h clienthellotest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h clienthellotest.o: ../include/openssl/pem.h ../include/openssl/pem2.h diff --git a/test/certs/pss1.pem b/test/certs/pss1.pem new file mode 100644 index 0000000..29da71d --- /dev/null +++ b/test/certs/pss1.pem 
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI +AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD +VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz +NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj +ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH +qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL +IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT +IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k +dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq +QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa +5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2 +4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB +Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii +BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb +xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn +plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY +DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p +NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ +lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8= +-----END CERTIFICATE----- diff --git a/test/tx509 b/test/tx509 index 0ce3b52..77f5cac 100644 --- a/test/tx509 +++ b/test/tx509 @@ -74,5 +74,12 @@ if [ $? != 0 ]; then exit 1; fi cmp x509-f.p x509-ff.p3 if [ $? != 0 ]; then exit 1; fi +echo "Parsing test certificates" + +$cmd -in certs/pss1.pem -text -noout >/dev/null +if [ $? != 0 ]; then exit 1; fi + +echo OK + /bin/rm -f x509-f.* x509-ff.* x509-fff.* exit 0 _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
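Review bot: "PSK identify hint" should read "PSK identity hint" in the new CVE-2015-3196 entries, both in the CHANGES hunk at @@ -27,8 +77,18 @@ (the heading and the phrase "identify hint data" in its body) and in the matching NEWS line. That entry, together with the "(CVE-2015-1793)" tag added to the existing alternate-chains item, is being backfilled into the 1.0.2c to 1.0.2d section rather than listed under 1.0.2e; the "Update CHANGES and NEWS" commit message should say so, otherwise a reader scanning the 1.0.2e section will not find CVE-2015-3196 and may assume it is still unfixed.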
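Review bot: in the first two crypto/asn1/tasn_dec.c hunks the combine flag is threaded through the `aclass` argument (`int combine = aclass & ASN1_TFLG_COMBINE;` then `aclass &= ~ASN1_TFLG_COMBINE;`), which nothing in the function signature reveals; add a comment at that declaration and another at the `err:` label explaining why `if (combine == 0)` now guards `ASN1_item_ex_free(pval, it)`: for a field decoded in place inside its parent, `pval` points into the parent, so freeing and zeroing it here would discard the parent's pointer and leak the sibling components already decoded (the CVE-2015-3195 leak described in the commit message). The comment should also state the invariant this relies on, namely that the parent's own error path frees the partially decoded combined child.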
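Review bot: only the "Nothing special" branch of asn1_template_noexp_d2i in the @@ -689,7 +692,7 @@ hunk now passes `tt->flags & ASN1_TFLG_COMBINE` instead of `0`; the other branches of the same if/else chain fall outside this hunk and still call the decoder without the flag. Please confirm in the commit message that a template with ASN1_TFLG_COMBINE set can only reach this one call site, or pass the flag from the other branches as well, since an unflagged path would keep the old double-free-then-leak behaviour.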
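Review bot: in both the sqr8x_reduction and sqrx8x_reduction hunks of crypto/bn/asm/x86_64-mont5.pl the existing comment "# can this overflow?" on the `add` immediately before the new `adc \$0,%r9` ... `adc \$0,%r15` chain is now answered (it can, and the carry is now propagated), so it should be replaced by a statement of that fact rather than left as an open question beside the fix. The third hunk (`xor %rbx,%rbx` to `xor %ebx,%ebx` and the two removed `.byte 0x67` padding bytes) is unrelated to the CVE-2015-3193 carry bug; for a security fix that is cherry-picked across branches it is better kept in its own commit, or at least called out in the commit message so backporters know it is an incidental cleanup.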
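Review bot: the new crypto/bn/bntest.c regression test is sound as a comparison (a is 48 bits, so a^2 is far below the modulus c and `BN_mod_exp(d, a, 2, c)` must equal `BN_mul(e, a, a)`), but its comment says it targets sqr8x_reduction while the patch also fixes sqrx8x_reduction; which of the two paths runs depends on the CPU executing the test, so the comment should say which is covered and a case for the other variant would be welcome. The modulus constant is evidently hand-crafted (note the `...27...` and `...80 00...00 01` limb boundaries); a sentence on why this value loses the carry would help the next maintainer, and the return values of `BN_hex2bn` and `BN_mod_exp` are ignored, so a failed parse would silently turn the comparison into a test of two zero values.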
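Review bot: the crypto/rsa/rsa_ameth.c guard `if (alg == NULL || alg->parameter == NULL)` is the minimal correct fix for CVE-2015-3194 and all callers already treat NULL as failure, but the accompanying test in test/tx509 only runs `$cmd -in certs/pss1.pem -text -noout`, which exercises the parameter printing path, whereas the commit message and CHANGES entry describe a crash during certificate verification. Add a verify invocation over the same file that is expected to fail cleanly with a non-zero status rather than crash (the certificate is invalid by construction, that being the point of the test), so the verification path named in the advisory is the one under test; the exit-status check as written is adequate for catching a segfault in the print path.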