The branch OpenSSL_1_0_2-stable has been updated
       via  f24fcf291219ebb839218f5ce65b0faabdf41eb4 (commit)
       via  081314d07705aa58912845c213a48414d8f616a9 (commit)
       via  06f87e9685bb2faa033f682aa66b70059e398f71 (commit)
       via  918d8eadb35746456fd1a9d4e219c63ff706173e (commit)
       via  760d04342a495ee86bf5adc71a91d126af64397f (commit)
       via  51d009043670a627d6abe66894126851cf3690e9 (commit)
      from  8957adda165f77589090627d6563796331c0c94b (commit)

- Log -----------------------------------------------------------------
commit f24fcf291219ebb839218f5ce65b0faabdf41eb4
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Jan 26 13:23:37 2017 +0000

    Prepare for 1.0.2l-dev

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 081314d07705aa58912845c213a48414d8f616a9
Author: Matt Caswell <m...@openssl.org>
Date:   Thu Jan 26 13:22:36 2017 +0000

    Prepare for 1.0.2k release

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 06f87e9685bb2faa033f682aa66b70059e398f71
Author: Matt Caswell <m...@openssl.org>
Date:   Tue Jan 24 16:34:40 2017 +0000

    Update CHANGES and NEWS for new release

    Reviewed-by: Richard Levitte <levi...@openssl.org>

commit 918d8eadb35746456fd1a9d4e219c63ff706173e
Author: Richard Levitte <levi...@openssl.org>
Date:   Thu Jan 26 11:47:36 2017 +0100

    Better check of DH parameters in TLS data

    When the client reads DH parameters from the TLS stream, we only checked
    that they all are non-zero. This change updates the check as follows:

    check that p is odd
    check that 1 < g < p - 1

    Reviewed-by: Matt Caswell <m...@openssl.org>

commit 760d04342a495ee86bf5adc71a91d126af64397f
Author: Andy Polyakov <ap...@openssl.org>
Date:   Sat Jan 21 21:30:49 2017 +0100

    bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.

    CVE-2017-3732

    Reviewed-by: Rich Salz <rs...@openssl.org>

commit 51d009043670a627d6abe66894126851cf3690e9
Author: Andy Polyakov <ap...@openssl.org>
Date:   Thu Jan 19 00:17:30 2017 +0100

    crypto/evp: harden RC4_MD5 cipher.

    Originally a crash in a 32-bit build was reported in the CHACHA20-POLY1305
    cipher. The crash is triggered by a truncated packet and is the result of
    excessive hashing to the edge of accessible memory (or a bogus MAC value
    is produced if the x86 MD5 assembly module is involved). Since the hash
    operation is read-only it is not considered to be exploitable beyond a
    DoS condition.

    Thanks to Robert Święcki for the report.

CVE-2017-3731 Reviewed-by: Rich Salz <rs...@openssl.org> ----------------------------------------------------------------------- Summary of changes: CHANGES | 36 ++++++++++++++++++++++++++++++++++- NEWS | 8 +++++++- README | 2 +- crypto/bn/asm/x86_64-mont5.pl | 16 +++++++--------- crypto/evp/e_rc4_hmac_md5.c | 2 ++ crypto/opensslv.h | 6 +++--- openssl.spec | 2 +- ssl/s3_clnt.c | 44 ++++++++++++++++++++++++++++++++----------- 8 files changed, 89 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index 15c9277..1c5c288 100644 --- a/CHANGES +++ b/CHANGES 
@@ -2,7 +2,41 @@ OpenSSL CHANGES _______________ - Changes between 1.0.2j and 1.0.2k [xx XXX xxxx] + Changes between 1.0.2k and 1.0.2l [xx XXX xxxx] + + *) + + Changes between 1.0.2j and 1.0.2k [26 Jan 2017] + + *) Truncated packet could crash via OOB read + + If one side of an SSL/TLS path is running on a 32-bit host and a specific + cipher is being used, then a truncated packet can cause that host to + perform an out-of-bounds read, usually resulting in a crash. + + This issue was reported to OpenSSL by Robert Święcki of Google. + (CVE-2017-3731) + [Andy Polyakov] + + *) BN_mod_exp may produce incorrect results on x86_64 + + There is a carry propagating bug in the x86_64 Montgomery squaring + procedure. No EC algorithms are affected. Analysis suggests that attacks + against RSA and DSA as a result of this defect would be very difficult to + perform and are not believed likely. Attacks against DH are considered just + feasible (although very difficult) because most of the work necessary to + deduce information about a private key may be performed offline. The amount + of resources required for such an attack would be very significant and + likely only accessible to a limited number of attackers. An attacker would + additionally need online access to an unpatched system using the target + private key in a scenario with persistent DH parameters and a private + key that is shared between multiple clients. For example this can occur by + default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very + similar to CVE-2015-3193 but must be treated as a separate problem. + + This issue was reported to OpenSSL by the OSS-Fuzz project. + (CVE-2017-3732) + [Andy Polyakov] *) Montgomery multiplication may produce incorrect results diff --git a/NEWS b/NEWS index efd2dbf..d73ca63 100644 --- a/NEWS +++ b/NEWS 
@@ -5,8 +5,14 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. - Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [under development] + Major changes between OpenSSL 1.0.2k and OpenSSL 1.0.2l [under development] + o + + Major changes between OpenSSL 1.0.2j and OpenSSL 1.0.2k [26 Jan 2017] + + o Truncated packet could crash via OOB read (CVE-2017-3731) + o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732) o Montgomery multiplication may produce incorrect results (CVE-2016-7055) Major changes between OpenSSL 1.0.2i and OpenSSL 1.0.2j [26 Sep 2016] diff --git a/README b/README index 75abf2d..2d11796 100644 --- a/README +++ b/README @@ -1,5 +1,5 @@ - OpenSSL 1.0.2k-dev + OpenSSL 1.0.2l-dev Copyright (c) 1998-2015 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl index f1fbb45..3bb0cdf 100755 --- a/crypto/bn/asm/x86_64-mont5.pl +++ b/crypto/bn/asm/x86_64-mont5.pl @@ -1925,6 +1925,7 @@ __bn_sqr8x_reduction: .align 32 .L8x_tail_done: + xor %rax,%rax add (%rdx),%r8 # can this overflow? adc \$0,%r9 adc \$0,%r10 @@ -1932,10 +1933,8 @@ __bn_sqr8x_reduction: adc \$0,%r12 adc \$0,%r13 adc \$0,%r14 - adc \$0,%r15 # can't overflow, because we - # started with "overhung" part - # of multiplication - xor %rax,%rax + adc \$0,%r15 + adc \$0,%rax neg $carry .L8x_no_tail: @@ -3375,6 +3374,7 @@ __bn_sqrx8x_reduction: .align 32 .Lsqrx8x_tail_done: + xor %rax,%rax add 24+8(%rsp),%r8 # can this overflow? adc \$0,%r9 adc \$0,%r10 @@ -3382,10 +3382,8 @@ __bn_sqrx8x_reduction: adc \$0,%r12 adc \$0,%r13 adc \$0,%r14 - adc \$0,%r15 # can't overflow, because we - # started with "overhung" part - # of multiplication - mov $carry,%rax # xor %rax,%rax + adc \$0,%r15 + adc \$0,%rax sub 16+8(%rsp),$carry # mov 16(%rsp),%cf .Lsqrx8x_no_tail: # %cf is 0 if jumped here 
@@ -3400,7 +3398,7 @@ __bn_sqrx8x_reduction: adc 8*5($tptr),%r13 adc 8*6($tptr),%r14 adc 8*7($tptr),%r15 - adc %rax,%rax # top-most carry + adc \$0,%rax # top-most carry mov 32+8(%rsp),%rbx # n0 mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8" diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c index 5e92855..93cfe3f 100644 --- a/crypto/evp/e_rc4_hmac_md5.c +++ b/crypto/evp/e_rc4_hmac_md5.c @@ -269,6 +269,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, len = p[arg - 2] << 8 | p[arg - 1]; if (!ctx->encrypt) { + if (len < MD5_DIGEST_LENGTH) + return -1; len -= MD5_DIGEST_LENGTH; p[arg - 2] = len >> 8; p[arg - 1] = len; diff --git a/crypto/opensslv.h b/crypto/opensslv.h index 0f4251f..0847510 100644 --- a/crypto/opensslv.h +++ b/crypto/opensslv.h @@ -30,11 +30,11 @@ extern "C" { * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -# define OPENSSL_VERSION_NUMBER 0x100020b0L +# define OPENSSL_VERSION_NUMBER 0x100020c0L # ifdef OPENSSL_FIPS -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2k-fips-dev xx XXX xxxx" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2l-fips-dev xx XXX xxxx" # else -# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2k-dev xx XXX xxxx" +# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2l-dev xx XXX xxxx" # endif # define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT diff --git a/openssl.spec b/openssl.spec index 7bbcdf6..add18a4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -7,7 +7,7 @@ Release: 1 Summary: Secure Sockets Layer and cryptography libraries and tools Name: openssl -Version: 1.0.2k +Version: 1.0.2l Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz License: OpenSSL Group: System Environment/Libraries diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c index 2185347..32f2f1a 100644 --- a/ssl/s3_clnt.c +++ b/ssl/s3_clnt.c 
@@ -1710,12 +1710,6 @@ int ssl3_get_key_exchange(SSL *s) } p += i; - if (BN_is_zero(dh->p)) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE); - goto f_err; - } - - if (2 > n - param_len) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; @@ -1736,11 +1730,6 @@ int ssl3_get_key_exchange(SSL *s) } p += i; - if (BN_is_zero(dh->g)) { - SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); - goto f_err; - } - if (2 > n - param_len) { SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_LENGTH_TOO_SHORT); goto f_err; @@ -1767,6 +1756,39 @@ int ssl3_get_key_exchange(SSL *s) goto f_err; } + /*- + * Check that p and g are suitable enough + * + * p is odd + * 1 < g < p - 1 + */ + { + BIGNUM *tmp = NULL; + + if (!BN_is_odd(dh->p)) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_P_VALUE); + goto f_err; + } + if (BN_is_negative(dh->g) || BN_is_zero(dh->g) + || BN_is_one(dh->g)) { + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); + goto f_err; + } + if ((tmp = BN_new()) == NULL + || BN_copy(tmp, dh->p) == NULL + || !BN_sub_word(tmp, 1)) { + BN_free(tmp); + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, ERR_R_BN_LIB); + goto err; + } + if (BN_cmp(dh->g, tmp) >= 0) { + BN_free(tmp); + SSLerr(SSL_F_SSL3_GET_KEY_EXCHANGE, SSL_R_BAD_DH_G_VALUE); + goto f_err; + } + BN_free(tmp); + } + # ifndef OPENSSL_NO_RSA if (alg_a & SSL_aRSA) pkey = _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits
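Review bot: the CHANGES hunk (`Changes between 1.0.2j and 1.0.2k [26 Jan 2017]`) documents CVE-2017-3731 and CVE-2017-3732 but carries no entry for the tightened DH parameter check in ssl/s3_clnt.c from commit 918d8eadb35746456fd1a9d4e219c63ff706173e, which is user-visible: a ServerKeyExchange whose p is even or whose g falls outside 1 < g < p - 1 now aborts the handshake with SSL_R_BAD_DH_P_VALUE or SSL_R_BAD_DH_G_VALUE where 1.0.2j only rejected zero values. Suggest a short `*)` entry under 1.0.2k, e.g. "Client now rejects DH parameters with an even p or with g outside 1 < g < p - 1 (previously only zero values were rejected)", so operators can attribute any interoperability failures with broken servers to this release.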
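Review bot: in the `.L8x_tail_done` hunk of crypto/bn/asm/x86_64-mont5.pl the deleted comment ("can't overflow, because we started with 'overhung' part of multiplication") was the bug: the old `xor %rax,%rax` after the chain cleared CF, discarding any carry out of `%r15`. The fix moves `xor %rax,%rax` ahead of the `add`/`adc` chain and appends `adc \$0,%rax`, so that carry now lands in `%rax` before `neg $carry`. The retained comment `add (%rdx),%r8 # can this overflow?` now reads as an open question beside code that answers it; rewrite it to say the chain can carry out of the top limb and that `%rax` receives that carry. Also, the summary of changes lists no test file: a carry-propagation defect in bn_sqr8x_internal deserves a regression vector in the BN tests (a modular exponentiation whose squaring reduction carries out of the top limb) so the asm path cannot silently regress.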
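Review bot: the `.Lsqrx8x_tail_done` hunk and the `# top-most carry` hunk immediately below it are one change and must land together. The first replaces `mov $carry,%rax # xor %rax,%rax` with a `%rax` zeroed before the chain plus `adc \$0,%rax` after `adc \$0,%r15`, so `%rax` now holds only the carry out of the tail addition rather than `$carry`; the second correspondingly changes the final `adc %rax,%rax` to `adc \$0,%rax`, which is only correct under the new meaning of `%rax`. Anyone cherry-picking the first hunk without the second gets a wrong top-most carry. The `.Lsqrx8x_no_tail: # %cf is 0 if jumped here` comment should also state what `%rax` must hold on the jump path, since the tail path now establishes it and the hunk gives the reader no way to confirm the jump path does the same.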
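Review bot: in the `rc4_hmac_md5_ctrl` hunk of crypto/evp/e_rc4_hmac_md5.c the new `if (len < MD5_DIGEST_LENGTH) return -1;` sits in the right place, before `len -= MD5_DIGEST_LENGTH`: `len` is the 16-bit record length taken from the AAD bytes (`p[arg - 2] << 8 | p[arg - 1]`), and for a record shorter than the MAC the subtraction otherwise wraps (or goes negative) and is written back into the AAD and used as the payload length the cipher hashes over, which is the excessive hashing the commit message describes. Two follow-ups: confirm every caller of this EVP_CTRL_AEAD_TLS1_AAD ctrl treats a negative return on the decrypt path as a fatal record error, since the ctrl never failed there before this change; and audit the other stitched cipher ctrl handlers in crypto/evp for the same unchecked subtraction, given that the commit message says the original report was against a different cipher (CHACHA20-POLY1305) and this hunk hardens only RC4-MD5.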
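Review bot: in the first ssl/s3_clnt.c hunk, dropping `if (BN_is_zero(dh->p))` right after p is parsed is safe only because the block added later in ssl3_get_key_exchange tests `BN_is_odd(dh->p)`, which rejects zero as well; p is not used arithmetically in the visible lines between the two points. It does change which error is reported: a zero p followed by a truncated g now fails with SSL_R_LENGTH_TOO_SHORT at the `if (2 > n - param_len)` check rather than SSL_R_BAD_DH_P_VALUE. That is acceptable, but worth a sentence in the commit message in case any test asserts on the reason code.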
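Review bot: in the new check block in ssl/s3_clnt.c, `BN_is_odd(dh->p)` excludes only zero and even moduli; it bounds neither the size of p nor its primality, so the comment "Check that p and g are suitable enough" should say this is a cheap malformed-parameter filter and that any minimum-size policy is enforced elsewhere (and if it is not, that is the gap to close). `BN_is_negative(dh->g)` can never fire for a value parsed from wire bytes; harmless, but it could be dropped to keep the condition to `BN_is_zero(dh->g) || BN_is_one(dh->g)`. The block validates p and g but not the server's public value: the standard range check `1 < Ys < p - 1` would fit here, and `tmp = p - 1` is already computed, so it costs one more `BN_cmp`; the commit message says the old code checked all three values for non-zero, and this hunk leaves the public value's check as it was (not shown). Minor: `tmp` is allocated and freed on every ServerKeyExchange; rejecting `BN_cmp(dh->g, dh->p) >= 0` before allocating would skip the allocation on the common bad-g path, though the current form is clearer.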
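The DH parameter check introduced in ssl/s3_clnt.c, worked through as an added Python example; this is illustration code, not OpenSSL's, and it goes one step beyond the patch by also range-checking the server's public value. It assumes the TLS 1.2 ServerDHParams layout (three 2-byte length-prefixed big-endian opaque integers dh_p, dh_g, dh_Ys), and the modulus used in the `__main__` demo is a constructed toy value (a Mersenne prime), not a real TLS group.

```python
"""Parse the ServerDHParams block of a TLS ServerKeyExchange and apply the
client-side sanity checks that the patched ssl3_get_key_exchange performs.

Added example, not OpenSSL code.  Wire format assumed (TLS 1.2 ServerDHParams):
    opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_Ys<1..2^16-1>;
each a big-endian unsigned integer.  The Ys range check is this example's
addition; the patch itself checks only p and g.
"""
import struct


class BadDHParams(ValueError):
    """Raised where OpenSSL would abort the handshake with an SSL_R_* error."""


def _read_opaque16(buf: bytes, off: int):
    """Return (integer value, new offset) for a 2-byte length-prefixed field."""
    if off + 2 > len(buf):
        raise BadDHParams("length too short")          # SSL_R_LENGTH_TOO_SHORT
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise BadDHParams("length too short")
    # A zero-length field decodes to 0, as BN_bin2bn would; it is then
    # rejected by the value checks below, not by the parser.
    return int.from_bytes(buf[off:off + n], "big"), off + n


def parse_server_dh_params(buf: bytes):
    """Parse ServerDHParams and return (p, g, ys, bytes consumed)."""
    p, off = _read_opaque16(buf, 0)
    g, off = _read_opaque16(buf, off)
    ys, off = _read_opaque16(buf, off)
    return p, g, ys, off


def check_server_dh_params(p: int, g: int, ys: int) -> None:
    """Reject malformed parameters the way the patched client does.

    Patch checks: p is odd; 1 < g < p - 1.  Added here: 1 < Ys < p - 1.
    """
    if p % 2 == 0:                       # !BN_is_odd(dh->p): zero or even
        raise BadDHParams("bad dh p value")      # SSL_R_BAD_DH_P_VALUE
    if g <= 1:                           # BN_is_negative / BN_is_zero / BN_is_one
        raise BadDHParams("bad dh g value")      # SSL_R_BAD_DH_G_VALUE
    if g >= p - 1:                       # BN_cmp(dh->g, p - 1) >= 0
        raise BadDHParams("bad dh g value")
    if not 1 < ys < p - 1:               # example's addition, not in the patch
        raise BadDHParams("bad dh pub value")


def encode_server_dh_params(p: int, g: int, ys: int) -> bytes:
    """Build the wire encoding; used to construct inputs for the demo."""
    def opaque16(v: int) -> bytes:
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        return struct.pack("!H", len(b)) + b
    return opaque16(p) + opaque16(g) + opaque16(ys)


def accept_server_key_exchange(buf: bytes) -> bool:
    """True if the client would proceed, False if it would abort the handshake."""
    try:
        p, g, ys, _ = parse_server_dh_params(buf)
        check_server_dh_params(p, g, ys)
        return True
    except BadDHParams:
        return False


if __name__ == "__main__":
    P = 2 ** 127 - 1          # constructed toy modulus (prime), not a TLS group
    cases = {
        "valid":          encode_server_dh_params(P, 2, 12345),
        "even p":         encode_server_dh_params(P + 1, 2, 12345),
        "g = 1":          encode_server_dh_params(P, 1, 12345),
        "g = p - 1":      encode_server_dh_params(P, P - 1, 12345),
        "Ys = p - 1":     encode_server_dh_params(P, 2, P - 1),
        "truncated":      encode_server_dh_params(P, 2, 12345)[:-1],
    }
    for name, wire in cases.items():
        print(f"{name:12s} -> {'accept' if accept_server_key_exchange(wire) else 'reject'}")
```

The boundary worth noticing is g = p - 2, which the patch accepts (the test is `BN_cmp(g, p - 1) >= 0`), while g = p - 1 is rejected; a generator of p - 1 has order 2 and would leave the shared secret with only two possible values.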
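The length handling behind CVE-2017-3731 (the `len < MD5_DIGEST_LENGTH` check added to rc4_hmac_md5_ctrl), modelled as an added Python example rather than OpenSSL's own code. It assumes `len` is an unsigned 32-bit quantity in the C source, that the decrypt path then hashes payload_length bytes of the record for the MAC, and a 13-byte TLS1 AAD laid out as seq_num(8) || content_type(1) || version(2) || length(2); all records and AADs below are constructed inline.

```python
"""Model of the EVP_CTRL_AEAD_TLS1_AAD handling in rc4_hmac_md5_ctrl before and
after the CVE-2017-3731 hardening.  Added example, not OpenSSL code.

Assumptions (labelled): the C `len` is a 32-bit unsigned value, the decrypt
path MACs `payload_length` bytes of the record, and the AAD is the 13-byte
TLS1 layout seq_num(8) || content_type(1) || version(2) || length(2).
"""
import struct

EVP_AEAD_TLS1_AAD_LEN = 13
MD5_DIGEST_LENGTH = 16
U32_MASK = 0xFFFFFFFF          # assumption: 32-bit unsigned arithmetic in C


def build_tls1_aad(seq: int, content_type: int, version: int, length: int) -> bytes:
    """Construct the 13-byte TLS1 AAD (constructed sample input)."""
    return struct.pack("!QBHH", seq, content_type, version, length)


def tls1_aad_ctrl(aad: bytearray, decrypt: bool, hardened: bool) -> int:
    """Return the payload_length the cipher will MAC over, or -1 if rejected.

    Mirrors the hunk: len = p[arg-2] << 8 | p[arg-1]; on decrypt subtract the
    MAC length and write the adjusted length back into the AAD.  `hardened`
    enables the new `if (len < MD5_DIGEST_LENGTH) return -1;` check.
    """
    if len(aad) != EVP_AEAD_TLS1_AAD_LEN:
        return -1
    length = aad[-2] << 8 | aad[-1]                 # 16-bit record length
    if decrypt:
        if hardened and length < MD5_DIGEST_LENGTH:
            return -1                               # record cannot hold a MAC
        length = (length - MD5_DIGEST_LENGTH) & U32_MASK   # unpatched: wraps
        aad[-2] = (length >> 8) & 0xFF              # write-back, as in the C
        aad[-1] = length & 0xFF
    return length


def mac_read_overrun(record: bytes, aad: bytearray, hardened: bool) -> int:
    """Bytes the MAC step would read past the end of `record` (0 means safe).

    With the unpatched ctrl a truncated record (length below the MAC size)
    yields a wrapped payload_length far larger than the buffer, which is the
    excessive hashing the commit message describes.
    """
    plen = tls1_aad_ctrl(aad, decrypt=True, hardened=hardened)
    if plen < 0:
        return 0                                    # rejected before hashing
    return max(0, plen - len(record))


if __name__ == "__main__":
    truncated = b"\x00" * 5                         # constructed 5-byte record
    for hardened in (False, True):
        aad = bytearray(build_tls1_aad(1, 23, 0x0303, len(truncated)))
        over = mac_read_overrun(truncated, aad, hardened)
        print(f"hardened={hardened}: payload_length after ctrl = "
              f"{aad[-2] << 8 | aad[-1]:#06x}, overrun = {over} bytes")
```

The two-byte write-back is the tell: for a 5-byte record the unpatched path stores 0xFFF5 into the AAD's length field while the cipher context keeps the full wrapped value, so the AAD the MAC is computed over and the number of bytes hashed disagree with each other and with the buffer.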