[web] master update
The branch master has been updated via 420fb543c12b2a4a18aae85315f8eaefefcd1c33 (commit) via af80178dcbad3919595cbbf7b7c1837c6ef68d67 (commit) from 4139e6e2815280bdd6fe1618a793918c1c7156f2 (commit) - Log - commit 420fb543c12b2a4a18aae85315f8eaefefcd1c33 Author: Matt Caswell Date: Fri Dec 6 14:33:26 2019 + Update newsflash for security advisory Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/144) commit af80178dcbad3919595cbbf7b7c1837c6ef68d67 Author: Matt Caswell Date: Fri Dec 6 14:26:44 2019 + Add security advisory for CVE-2019-1551 Reviewed-by: Mark J. Cox (Merged from https://github.com/openssl/web/pull/144) --- Summary of changes: news/newsflash.txt | 1 + news/secadv/20191206.txt | 49 + news/vulnerabilities.xml | 52 +++- 3 files changed, 101 insertions(+), 1 deletion(-) create mode 100644 news/secadv/20191206.txt diff --git a/news/newsflash.txt b/news/newsflash.txt index 896266b..0b6d94f 100644 --- a/news/newsflash.txt +++ b/news/newsflash.txt @@ -4,6 +4,7 @@ # Format is two fields, colon-separated; the first line is the column # headings. URL paths must all be absolute. Date: Item +06-Dec-2019: Security Advisory: one low severity fix 07-Nov-2019: New Blog post: https://www.openssl.org/blog/blog/2019/11/07/3.0-update/;>Update on 3.0 Development, FIPS and 1.0.2 EOL 10-Sep-2019: Security Advisory: three low severity fixes 10-Sep-2019: OpenSSL 1.1.1d is now available, including bug and security fixes diff --git a/news/secadv/20191206.txt b/news/secadv/20191206.txt new file mode 100644 index 000..3141f78 --- /dev/null +++ b/news/secadv/20191206.txt 
@@ -0,0 +1,49 @@ +OpenSSL Security Advisory [6 December 2019] +=== + +rsaz_512_sqr overflow bug on x86_64 (CVE-2019-1551) +=== + +Severity: Low + +There is an overflow bug in the x64_64 Montgomery squaring procedure used in +exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis +suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a +result of this defect would be very difficult to perform and are not believed +likely. Attacks against DH512 are considered just feasible. However, for an +attack the target would have to re-use the DH512 private key, which is not +recommended anyway. Also applications directly using the low level API +BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. + +OpenSSL versions 1.1.1 and 1.0.2 are affected by this issue. However due to the +low severity of this issue we are not creating new releases at this time. The +1.1.1 mitigation for this issue can be found in commit 419102400. The 1.0.2 +mitigation for this issue can be found in commit f1c5eea8a. + +This issue was found by OSS-Fuzz and Guido Vranken and reported to OpenSSL on +12th September 2019. The fix was developed by Andy Polyakov with additional +analysis by Bernd Edlinger. + +Note += + +OpenSSL 1.0.2 is currently only receiving security updates. Support for 1.0.2 +will end on 31st December 2019. Extended support is available for premium +support customers: https://www.openssl.org/support/contracts.html + +OpenSSL 1.1.0 is out of support and no longer receiving updates. It is unknown +whether issues in this advisory affect it. + +Users of these versions should upgrade to OpenSSL 1.1.1. + +References +== + +URL for this Security Advisory: +https://www.openssl.org/news/secadv/20191206.txt + +Note: the online version of the advisory may be updated with additional details +over time. + +For details of OpenSSL severity classifications please see: +https://www.openssl.org/policies/secpolicy.html 
diff --git a/news/vulnerabilities.xml b/news/vulnerabilities.xml index c3532a5..7409a4d 100644 --- a/news/vulnerabilities.xml +++ b/news/vulnerabilities.xml @@ -7,7 +7,57 @@ - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Integer overflow bug +rsaz_512_sqr overflow bug on x86_64 + + There is an overflow bug in the x64_64 Montgomery squaring procedure used in + exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis + suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a + result of this defect would be very difficult to perform and are not believed + likely. Attacks against DH512 are considered just feasible. However, for an + attack the target would have to re-use the DH512 private key, which is not + recommended any
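Review bot: the added newsflash line "06-Dec-2019: Security Advisory: one low severity fix" carries neither the CVE number nor a link to the advisory file that the second commit in this push creates (news/secadv/20191206.txt), so a front-page reader has nothing to follow to the details. The 07-Nov-2019 item in the same hunk links to its blog post; link this one to /news/secadv/20191206.txt in the same way, respecting the header comment that URL paths must all be absolute.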
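Review bot: the advisory body says "x64_64 Montgomery squaring procedure" while the advisory's own title reads "rsaz_512_sqr overflow bug on x86_64"; the architecture is x86_64 and the typo should be corrected before publication, all the more because the same paragraph is copied verbatim into news/vulnerabilities.xml in this change. The two mitigation commits are cited only as abbreviated hashes (419102400 and f1c5eea8a); since no release is being cut and 1.1.1 and 1.0.2 users are pointed at the commits directly, give the full hashes or link them to the commit pages under https://github.com/openssl/openssl so a reader can verify they are applying the right fix.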
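Review bot: this hunk reaches the archive with its XML markup stripped (a run of bare "+" lines precedes the "Integer overflow bug" title) and is cut off at "recommended any", so the element structure, the affected and fixed version ranges and the advisory reference cannot be reviewed from what is visible. What is visible repeats the "x64_64" typo from the advisory text one line below a title that correctly says x86_64; apply the fix in both files in the same commit so the two published descriptions do not drift.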
Build completed: openssl OpenSSL_1_1_1-stable.30002
Build openssl OpenSSL_1_1_1-stable.30002 completed Commit 580b8db8b4 by Bernd Edlinger on 12/6/2019 12:36 PM: Add a CHANGES entry for CVE-2019-1551
Build failed: openssl master.30001
Build openssl master.30001 failed Commit 4c3f748d7c by Bernd Edlinger on 12/6/2019 12:31 PM: Add a CHANGES entry for CVE-2019-1551
Still Failing: openssl/openssl#30573 (OpenSSL_1_1_1-stable - 580b8db)
Build Update for openssl/openssl - Build: #30573 Status: Still Failing Duration: 24 mins and 22 secs Commit: 580b8db (OpenSSL_1_1_1-stable) Author: Bernd Edlinger Message: Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10575) View the changeset: https://github.com/openssl/openssl/compare/7a4d39f0d176...580b8db8b4f1 View the full build log and details: https://travis-ci.org/openssl/openssl/builds/621575894?utm_medium=notification_source=email
Still Failing: openssl/openssl#30572 (master - 4c3f748)
Build Update for openssl/openssl - Build: #30572 Status: Still Failing Duration: 28 mins and 4 secs Commit: 4c3f748 (master) Author: Bernd Edlinger Message: Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10574) View the changeset: https://github.com/openssl/openssl/compare/350c92351705...4c3f748d7cff View the full build log and details: https://travis-ci.org/openssl/openssl/builds/621574951?utm_medium=notification_source=email
[openssl] OpenSSL_1_0_2-stable update
The branch OpenSSL_1_0_2-stable has been updated via 4975571a5dee8957f43aff70272dd9ab89f582cf (commit) via ec8fcae925cca769cfdae4e4dd5ec62d32110982 (commit) via f1c5eea8a817075d31e43f5876993c6710238c98 (commit) from b39c0475a671879e2dd6c7a29de1127139f2dc0d (commit) - Log - commit 4975571a5dee8957f43aff70272dd9ab89f582cf Author: Bernd Edlinger Date: Thu Dec 5 01:20:14 2019 +0100 Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10576) commit ec8fcae925cca769cfdae4e4dd5ec62d32110982 Author: Bernd Edlinger Date: Wed Dec 4 12:57:41 2019 +0100 Improve the overflow handling in rsaz_512_sqr We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10576) commit f1c5eea8a817075d31e43f5876993c6710238c98 Author: Andy Polyakov Date: Wed Dec 4 12:48:21 2019 +0100 Fix an overflow bug in rsaz_512_sqr There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. 
CVE-2019-1551 Reviewed-by: Paul Dale Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/10576) --- Summary of changes: CHANGES | 12 +- crypto/bn/asm/rsaz-x86_64.pl | 401 ++- 2 files changed, 218 insertions(+), 195 deletions(-) diff --git a/CHANGES b/CHANGES index df613740a9..f28ff6eab6 100644 --- a/CHANGES +++ b/CHANGES @@ -9,7 +9,17 @@ Changes between 1.0.2t and 1.0.2u [xx XXX ] - *) + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] Changes between 1.0.2s and 1.0.2t [10 Sep 2019] diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl index 87ce2c34d9..faa9083ce7 100755 --- a/crypto/bn/asm/rsaz-x86_64.pl +++ b/crypto/bn/asm/rsaz-x86_64.pl @@ -140,7 +140,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul subq\$128+24, %rsp .Lsqr_body: - movq$mod, %rbp # common argument + movq$mod, %xmm1 # common off-load movq($inp), %rdx movq8($inp), %rax movq$n0, 128(%rsp) @@ -158,7 +158,8 @@ $code.=<<___; .Loop_sqr: movl$times,128+8(%rsp) #first iteration - movq%rdx, %rbx + movq%rdx, %rbx # 0($inp) + mov %rax, %rbp # 8($inp) mulq%rdx movq%rax, %r8 movq16($inp), %rax 
@@ -197,31 +198,29 @@ $code.=<<___; mulq%rbx addq%rax, %r14 movq%rbx, %rax - movq%rdx, %r15 - adcq\$0, %r15 + adcq\$0, %rdx - addq%r8, %r8#shlq \$1, %r8 - movq%r9, %rcx - adcq%r9, %r9#shld \$1, %r8, %r9 + xorq%rcx,%rcx # rcx:r8 = r8 << 1 + addq%r8, %r8 +movq %rdx, %r15 + adcq\$0, %rcx mulq%rax - movq%rax, (%rsp) - addq%rdx, %r8 - adcq\$0, %r9 + addq%r8, %rdx + adcq\$0, %rcx - movq%r8, 8(%rsp) - shrq\$63, %rcx + movq%rax, (%rsp) + movq%rdx, 8(%rsp) #second
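Review bot: the CHANGES entry opens with "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure": the article is doubled and the architecture should be x86_64, matching the file touched by the same commit, crypto/bn/asm/rsaz-x86_64.pl. Suggested first line: `*) Fixed an overflow bug in the x86_64 Montgomery squaring procedure`. The same sentence is reused in the commit message and the advisory, so it is worth fixing at the source before it is copied further.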
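Review bot: replacing `movq $mod, %rbp # common argument` with `movq $mod, %xmm1 # common off-load` frees %rbp, which the next hunk reuses as a copy of 8($inp); the safety of that depends on every remaining read of the modulus inside rsaz_512_sqr having been changed to reload from %xmm1, and those reloads are outside this hunk. A stale %rbp read would now see an input limb instead of the modulus and silently corrupt the Montgomery reduction, so a short comment at this line naming where %xmm1 is moved back into a general-purpose register would let reviewers check the invariant without reading the whole function.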
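Review bot: the added `mov %rax, %rbp # 8($inp)` omits the operand-size suffix that every neighbouring instruction carries (`movq %rdx, %rbx`, `mulq %rdx`); for a 64-bit register-to-register move the assembler infers the width, so this is a consistency point rather than a bug, but `movq %rax, %rbp` keeps the generated assembly uniform and spares the next reader from wondering whether a narrower move was intended.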
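Review bot: the inserted `+movq %rdx, %r15` has no indentation while every other line in the block is indented, and it sits between `addq %r8, %r8` and `adcq \$0, %rcx`; that placement is valid only because movq leaves the carry flag untouched, which is exactly the kind of assumption a later edit can break, so indent it and add a comment such as "# does not clobber CF" (the old code's `#shlq \$1, %r8` and `#shld` comments documented intent in the same way, and the new `xorq %rcx,%rcx # rcx:r8 = r8 << 1` is a good model). The hunk is cut off in this archive at "#second", so the second-iteration changes and the ADX variant mentioned in the follow-up commit message could not be checked here.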
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated via 580b8db8b4f1290ec879bfd0bb772012695ac370 (commit) via 08fb832377cd90c08a2d233b3230b95a9b9f6e24 (commit) via 46ac489a1369f6d938adda356accab83acf2987a (commit) via 419102400a2811582a7a3d4a4e317d72e5ce0a8f (commit) from 7a4d39f0d176f0d17f2de15672e1869b22f3e1d8 (commit) - Log - commit 580b8db8b4f1290ec879bfd0bb772012695ac370 Author: Bernd Edlinger Date: Thu Dec 5 01:20:14 2019 +0100 Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10575) commit 08fb832377cd90c08a2d233b3230b95a9b9f6e24 Author: Bernd Edlinger Date: Wed Dec 4 22:38:19 2019 +0100 Add a test case for rsaz_512_sqr overflow handling [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10575) commit 46ac489a1369f6d938adda356accab83acf2987a Author: Bernd Edlinger Date: Wed Dec 4 12:57:41 2019 +0100 Improve the overflow handling in rsaz_512_sqr We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10575) commit 419102400a2811582a7a3d4a4e317d72e5ce0a8f Author: Andy Polyakov Date: Wed Dec 4 12:48:21 2019 +0100 Fix an overflow bug in rsaz_512_sqr There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. 
However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Reviewed-by: Paul Dale Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/10575) --- Summary of changes: CHANGES | 12 ++ crypto/bn/asm/rsaz-x86_64.pl | 383 ++- test/bntest.c| 284 3 files changed, 494 insertions(+), 185 deletions(-) diff --git a/CHANGES b/CHANGES index 58e98dd391..42382fd031 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,18 @@ Changes between 1.1.1d and 1.1.1e [xx XXX ] + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] + *) Added a new method to gather entropy on VMS, based on SYS$GET_ENTROPY. The presence of this system service is determined at run-time. [Richard Levitte] diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl index b1797b649f..f4d9c9b129 100755 --- a/crypto/bn/asm/rsaz-x86_64.pl +++ b/crypto/bn/asm/rsaz-x86_64.pl @@ -116,7 +116,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul subq\$128+24, %rsp .cfi_adjust_cfa_offset 128+24 .Lsqr_body: - movq$mod, %rbp # common argument + movq$mod, %xmm1 # common off-load movq($inp), %rdx movq8($inp), %rax movq$n0, 128(%rsp) 
@@ -134,7 +134,8 @@ $code.=<<___; .Loop_sqr: movl$times,128+8(%rsp) #first iteration - movq%rdx, %rbx + movq%rdx, %rbx # 0($inp) + mov %rax, %rbp # 8($inp) mulq%rdx movq%rax, %r8 movq16($inp), %rax @@ -173,31 +174,29 @@ $code.=<<___; mulq%rbx addq%rax, %r14 movq%rbx, %rax - movq%rdx, %r15 - adcq\$0, %r15 + adcq\$0, %rdx -
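Review bot: the same "Fixed an an overflow bug in the x64_64 Montgomery squaring procedure" wording is backported here under "Changes between 1.1.1d and 1.1.1e"; correct the doubled article and the architecture name (x86_64) on this branch too, and keep the three branch entries identical so the advisory text and the changelogs agree.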
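Review bot: the rsaz-x86_64.pl hunks are the same %rbp-to-%xmm1 off-load and unsuffixed `mov %rax, %rbp` change as on OpenSSL_1_0_2-stable (the offsets differ by the added .cfi_adjust_cfa_offset line), and the hunk at @@ -173 is cut off in the archive right after `+ adcq\$0, %rdx`, so the carry rewrite cannot be reviewed on this branch. The summary lists a 284-line addition to test/bntest.c that does not appear in what is archived; confirm the new case reaches the 512-bit-modulus assembly path (rsaz_512_sqr on x86_64 with BN_FLG_CONSTTIME set) with inputs that provoke the lost carry, since a test that only exercises the portable C BN_mod_exp path would pass both before and after the fix. The "[extended tests]" marker in the commit title shows the change was verified under the extended CI run; make sure the new bntest case itself is not gated behind that mode, so the default test run catches a regression.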
[openssl] master update
The branch master has been updated via 4c3f748d7cfffb3309451c6bfdd686f89ec290b2 (commit) via 18d42d8d56352b81510d87dd12d1ac93d1d408d3 (commit) via 8736f9538121443cdb2e21951a85e465b8f7f790 (commit) via 8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba (commit) from 350c92351705aa5916ffdf07fd7b81c1cbcb178b (commit) - Log - commit 4c3f748d7cfffb3309451c6bfdd686f89ec290b2 Author: Bernd Edlinger Date: Thu Dec 5 01:20:14 2019 +0100 Add a CHANGES entry for CVE-2019-1551 Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10574) commit 18d42d8d56352b81510d87dd12d1ac93d1d408d3 Author: Bernd Edlinger Date: Wed Dec 4 22:38:19 2019 +0100 Add a test case for rsaz_512_sqr overflow handling [extended tests] Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10574) commit 8736f9538121443cdb2e21951a85e465b8f7f790 Author: Bernd Edlinger Date: Wed Dec 4 12:57:41 2019 +0100 Improve the overflow handling in rsaz_512_sqr We have always a carry in %rcx or %rbx in range 0..2 from the previous stage, that is added to the result of the 64-bit square, but the low nibble of any square can only be 0, 1, 4, 9. Therefore one "adcq $0, %rdx" can be removed. Likewise in the ADX code we can remove one "adcx %rbp, $out" since %rbp is always 0, and carry is also zero, therefore that is a no-op. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10574) commit 8c6f86c7c5350fadf22d32d6cd4712e2ad4447ba Author: Andy Polyakov Date: Wed Dec 4 12:48:21 2019 +0100 Fix an overflow bug in rsaz_512_sqr There is an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against 2-prime RSA1024, 3-prime RSA1536, and DSA1024 as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH512 are considered just feasible. 
However, for an attack the target would have to re-use the DH512 private key, which is not recommended anyway. Also applications directly using the low level API BN_mod_exp may be affected if they use BN_FLG_CONSTTIME. CVE-2019-1551 Reviewed-by: Paul Dale Reviewed-by: Bernd Edlinger (Merged from https://github.com/openssl/openssl/pull/10574) --- Summary of changes: CHANGES | 12 ++ crypto/bn/asm/rsaz-x86_64.pl | 383 ++- test/bntest.c| 284 3 files changed, 494 insertions(+), 185 deletions(-) diff --git a/CHANGES b/CHANGES index 208780e9c9..e0b15b35f6 100644 --- a/CHANGES +++ b/CHANGES @@ -9,6 +9,18 @@ Changes between 1.1.1 and 3.0.0 [xx XXX ] + *) Fixed an an overflow bug in the x64_64 Montgomery squaring procedure + used in exponentiation with 512-bit moduli. No EC algorithms are + affected. Analysis suggests that attacks against 2-prime RSA1024, + 3-prime RSA1536, and DSA1024 as a result of this defect would be very + difficult to perform and are not believed likely. Attacks against DH512 + are considered just feasible. However, for an attack the target would + have to re-use the DH512 private key, which is not recommended anyway. + Also applications directly using the low level API BN_mod_exp may be + affected if they use BN_FLG_CONSTTIME. + (CVE-2019-1551) + [Andy Polyakov] + *) Introduced a new method type and API, OSSL_SERIALIZER, to represent generic serializers. An implementation is expected to be able to serialize an object associated with a given name (such diff --git a/crypto/bn/asm/rsaz-x86_64.pl b/crypto/bn/asm/rsaz-x86_64.pl index c41d8e521e..d1aa84b86e 100755 --- a/crypto/bn/asm/rsaz-x86_64.pl +++ b/crypto/bn/asm/rsaz-x86_64.pl @@ -118,7 +118,7 @@ rsaz_512_sqr: # 25-29% faster than rsaz_512_mul subq\$128+24, %rsp .cfi_adjust_cfa_offset 128+24 .Lsqr_body: - movq$mod, %rbp # common argument + movq$mod, %xmm1 # common off-load movq($inp), %rdx movq8($inp), %rax movq$n0, 128(%rsp) 
@@ -136,7 +136,8 @@ $code.=<<___; .Loop_sqr: movl$times,128+8(%rsp) #first iteration - movq%rdx, %rbx + movq%rdx, %rbx # 0($inp) + mov %rax, %rbp # 8($inp) mulq%rdx movq%rax, %r8 movq16($inp), %rax @@ -175,31 +176,29 @@ $code.=<<___; mulq%rbx addq%rax, %r14 movq%rbx, %rax - movq%rdx, %r15 - adcq\$0, %r15 +
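Review bot: on master the entry lands at the top of "Changes between 1.1.1 and 3.0.0" with the same "an an" and "x64_64" defects; fix both here as well so the three copies of this changelog entry stay word for word identical.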
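Review bot: the master hunks mirror the OpenSSL_1_1_1-stable ones (@@ -118 moves $mod to %xmm1, @@ -136 adds the unsuffixed `mov %rax, %rbp`), and the third hunk at @@ -175 is cut off in the archive after its first added `+`, so the carry rewrite cannot be reviewed on this branch either. The three branches went in through separate pull requests (10574 here, 10575 and 10576 for the stable branches); a statement in each PR that the assembly change is identical across branches, or one shared test vector run on all three, would make the backport review cheaper and guard against the branches drifting.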