[openssl-commits] [openssl] OpenSSL_1_1_0-stable update
Matt Caswell
matt at openssl.org
Thu Jan 26 13:48:01 UTC 2017
The branch OpenSSL_1_1_0-stable has been updated
via fa7130eb6832bcdccb335dd0f6bb535fe9a3e868 (commit)
via 8a4d96ac8227f39043735faa9e9a30e22818f5e8 (commit)
via 09272c56f14bcce1ae15bd902ab395a8fc71deee (commit)
via a59b90bf491410f1f2bc4540cc21f1980fd14c5b (commit)
via 20b69f66f72e1bf76a77ca075b7d6854db25eae4 (commit)
via a39aa18644d3338087a827c6555b18bc857346fe (commit)
via 00d965474b22b54e4275232bc71ee0c699c5cd21 (commit)
via f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0 (commit)
from b8552dc80a611083754493283e72d51f3015753a (commit)
- Log -----------------------------------------------------------------
commit fa7130eb6832bcdccb335dd0f6bb535fe9a3e868
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jan 26 13:11:26 2017 +0000
Prepare for 1.1.0e-dev
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 8a4d96ac8227f39043735faa9e9a30e22818f5e8
Author: Matt Caswell <matt at openssl.org>
Date: Thu Jan 26 13:10:20 2017 +0000
Prepare for 1.1.0d release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 09272c56f14bcce1ae15bd902ab395a8fc71deee
Author: Matt Caswell <matt at openssl.org>
Date: Tue Jan 24 16:34:40 2017 +0000
Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit a59b90bf491410f1f2bc4540cc21f1980fd14c5b
Author: Andy Polyakov <appro at openssl.org>
Date: Sat Jan 21 21:30:49 2017 +0100
bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqr8x_internal.
CVE-2017-3732
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 20b69f66f72e1bf76a77ca075b7d6854db25eae4
Author: Richard Levitte <levitte at openssl.org>
Date: Sun Jan 15 18:20:49 2017 +0100
Document DH_check_params()
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit a39aa18644d3338087a827c6555b18bc857346fe
Author: Richard Levitte <levitte at openssl.org>
Date: Fri Dec 30 21:57:28 2016 +0100
Better check of DH parameters in TLS data
When the client reads DH parameters from the TLS stream, we only
checked that they all are non-zero. This change updates the check to
use DH_check_params()
DH_check_params() is a new function for light weight checking of the p
and g parameters:
check that p is odd
check that 1 < g < p - 1
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit 00d965474b22b54e4275232bc71ee0c699c5cd21
Author: Andy Polyakov <appro at openssl.org>
Date: Thu Jan 19 00:20:49 2017 +0100
crypto/evp: harden AEAD ciphers.
Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory. Since hash
operation is read-only it is not considered to be exploitable
beyond a DoS condition. Other ciphers were hardened.
Thanks to Robert Święcki for report.
CVE-2017-3731
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit f3a7e57c92b2c9b87dc4b2997f2ebda6781300d0
Author: Andy Polyakov <appro at openssl.org>
Date: Thu Jan 19 00:17:30 2017 +0100
crypto/evp: harden RC4_MD5 cipher.
Originally a crash in 32-bit build was reported CHACHA20-POLY1305
cipher. The crash is triggered by truncated packet and is result
of excessive hashing to the edge of accessible memory (or bogus
MAC value is produced if x86 MD5 assembly module is involved). Since
hash operation is read-only it is not considered to be exploitable
beyond a DoS condition.
Thanks to Robert Święcki for report.
CVE-2017-3731
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 45 ++++++++++++++++++++++++++++++++++-
NEWS | 8 ++++++-
README | 2 +-
crypto/bn/asm/x86_64-mont5.pl | 16 ++++++-------
crypto/dh/dh_check.c | 40 +++++++++++++++++++++++++++++++
crypto/evp/e_aes.c | 14 +++++++++--
crypto/evp/e_chacha20_poly1305.c | 5 ++--
crypto/evp/e_rc4_hmac_md5.c | 2 ++
doc/crypto/DH_generate_parameters.pod | 34 ++++++++++++++++++++++----
include/openssl/dh.h | 1 +
include/openssl/opensslv.h | 6 ++---
ssl/statem/statem_clnt.c | 11 ++++++++-
util/libcrypto.num | 1 +
13 files changed, 161 insertions(+), 24 deletions(-)
diff --git a/CHANGES b/CHANGES
index e8b890d..d516e2c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,10 +2,53 @@
OpenSSL CHANGES
_______________
- Changes between 1.1.0c and 1.1.0d [xx XXX xxxx]
+ Changes between 1.1.0d and 1.1.0e [xx XXX xxxx]
*)
+ Changes between 1.1.0c and 1.1.0d [26 Jan 2017]
+
+ *) Truncated packet could crash via OOB read
+
+ If one side of an SSL/TLS path is running on a 32-bit host and a specific
+ cipher is being used, then a truncated packet can cause that host to
+ perform an out-of-bounds read, usually resulting in a crash.
+
+ This issue was reported to OpenSSL by Robert Święcki of Google.
+ (CVE-2017-3731)
+ [Andy Polyakov]
+
+ *) Bad (EC)DHE parameters cause a client crash
+
+ If a malicious server supplies bad parameters for a DHE or ECDHE key
+ exchange then this can result in the client attempting to dereference a
+ NULL pointer leading to a client crash. This could be exploited in a Denial
+ of Service attack.
+
+ This issue was reported to OpenSSL by Guido Vranken.
+ (CVE-2017-3730)
+ [Matt Caswell]
+
+ *) BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
+ similar to CVE-2015-3193 but must be treated as a separate problem.
+
+ This issue was reported to OpenSSL by the OSS-Fuzz project.
+ (CVE-2017-3732)
+ [Andy Polyakov]
+
Changes between 1.1.0b and 1.1.0c [10 Nov 2016]
*) ChaCha20/Poly1305 heap-buffer-overflow
diff --git a/NEWS b/NEWS
index 929794e..693bbec 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,16 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [under development]
+ Major changes between OpenSSL 1.1.0d and OpenSSL 1.1.0e [under development]
o
+ Major changes between OpenSSL 1.1.0c and OpenSSL 1.1.0d [26 Jan 2017]
+
+ o Truncated packet could crash via OOB read (CVE-2017-3731)
+ o Bad (EC)DHE parameters cause a client crash (CVE-2017-3730)
+ o BN_mod_exp may produce incorrect results on x86_64 (CVE-2017-3732)
+
Major changes between OpenSSL 1.1.0b and OpenSSL 1.1.0c [10 Nov 2016]
o ChaCha20/Poly1305 heap-buffer-overflow (CVE-2016-7054)
diff --git a/README b/README
index d38999f..03ad75c 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.0d-dev
+ OpenSSL 1.1.0e-dev
Copyright (c) 1998-2016 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 3278dc6..6807ab5 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -1934,6 +1934,7 @@ __bn_sqr8x_reduction:
.align 32
.L8x_tail_done:
+ xor %rax,%rax
add (%rdx),%r8 # can this overflow?
adc \$0,%r9
adc \$0,%r10
@@ -1941,10 +1942,8 @@ __bn_sqr8x_reduction:
adc \$0,%r12
adc \$0,%r13
adc \$0,%r14
- adc \$0,%r15 # can't overflow, because we
- # started with "overhung" part
- # of multiplication
- xor %rax,%rax
+ adc \$0,%r15
+ adc \$0,%rax
neg $carry
.L8x_no_tail:
@@ -3384,6 +3383,7 @@ __bn_sqrx8x_reduction:
.align 32
.Lsqrx8x_tail_done:
+ xor %rax,%rax
add 24+8(%rsp),%r8 # can this overflow?
adc \$0,%r9
adc \$0,%r10
@@ -3391,10 +3391,8 @@ __bn_sqrx8x_reduction:
adc \$0,%r12
adc \$0,%r13
adc \$0,%r14
- adc \$0,%r15 # can't overflow, because we
- # started with "overhung" part
- # of multiplication
- mov $carry,%rax # xor %rax,%rax
+ adc \$0,%r15
+ adc \$0,%rax
sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
.Lsqrx8x_no_tail: # %cf is 0 if jumped here
@@ -3409,7 +3407,7 @@ __bn_sqrx8x_reduction:
adc 8*5($tptr),%r13
adc 8*6($tptr),%r14
adc 8*7($tptr),%r15
- adc %rax,%rax # top-most carry
+ adc \$0,%rax # top-most carry
mov 32+8(%rsp),%rbx # n0
mov 8*8($tptr,%rcx),%rdx # modulo-scheduled "%r8"
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index fcc1d99..3b0fa59 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -13,6 +13,46 @@
#include "dh_locl.h"
/*-
+ * Check that p and g are suitable enough
+ *
+ * p is odd
+ * 1 < g < p - 1
+ */
+
+int DH_check_params(const DH *dh, int *ret)
+{
+ int ok = 0;
+ BIGNUM *tmp = NULL;
+ BN_CTX *ctx = NULL;
+
+ *ret = 0;
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+ BN_CTX_start(ctx);
+ tmp = BN_CTX_get(ctx);
+ if (tmp == NULL)
+ goto err;
+
+ if (!BN_is_odd(dh->p))
+ *ret |= DH_CHECK_P_NOT_PRIME;
+ if (BN_is_negative(dh->g) || BN_is_zero(dh->g) || BN_is_one(dh->g))
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+ if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1))
+ goto err;
+ if (BN_cmp(dh->g, tmp) >= 0)
+ *ret |= DH_NOT_SUITABLE_GENERATOR;
+
+ ok = 1;
+ err:
+ if (ctx != NULL) {
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+ }
+ return (ok);
+}
+
+/*-
* Check that p is a safe prime and
* if g is 2, 3 or 5, check that it is a suitable generator
* where
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index ab98150..619c6f8 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1388,10 +1388,15 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
| EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
/* Correct length for explicit IV */
+ if (len < EVP_GCM_TLS_EXPLICIT_IV_LEN)
+ return 0;
len -= EVP_GCM_TLS_EXPLICIT_IV_LEN;
/* If decrypting correct for tag too */
- if (!EVP_CIPHER_CTX_encrypting(c))
+ if (!EVP_CIPHER_CTX_encrypting(c)) {
+ if (len < EVP_GCM_TLS_TAG_LEN)
+ return 0;
len -= EVP_GCM_TLS_TAG_LEN;
+ }
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
}
@@ -1946,10 +1951,15 @@ static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] << 8
| EVP_CIPHER_CTX_buf_noconst(c)[arg - 1];
/* Correct length for explicit IV */
+ if (len < EVP_CCM_TLS_EXPLICIT_IV_LEN)
+ return 0;
len -= EVP_CCM_TLS_EXPLICIT_IV_LEN;
/* If decrypting correct for tag too */
- if (!EVP_CIPHER_CTX_encrypting(c))
+ if (!EVP_CIPHER_CTX_encrypting(c)) {
+ if (len < cctx->M)
+ return 0;
len -= cctx->M;
+ }
EVP_CIPHER_CTX_buf_noconst(c)[arg - 2] = len >> 8;
EVP_CIPHER_CTX_buf_noconst(c)[arg - 1] = len & 0xff;
}
diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index befd805..46bc2cb 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -398,6 +398,8 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
aad[EVP_AEAD_TLS1_AAD_LEN - 1];
if (!ctx->encrypt) {
+ if (len < POLY1305_BLOCK_SIZE)
+ return 0;
len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);
aad = temp;
@@ -407,8 +409,7 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
actx->tls_payload_length = len;
/*
- * merge record sequence number as per
- * draft-ietf-tls-chacha20-poly1305-03
+ * merge record sequence number as per RFC7905
*/
actx->key.counter[1] = actx->nonce[0];
actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
index 828ed64..8ab18c1 100644
--- a/crypto/evp/e_rc4_hmac_md5.c
+++ b/crypto/evp/e_rc4_hmac_md5.c
@@ -219,6 +219,8 @@ static int rc4_hmac_md5_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
len = p[arg - 2] << 8 | p[arg - 1];
if (!EVP_CIPHER_CTX_encrypting(ctx)) {
+ if (len < MD5_DIGEST_LENGTH)
+ return -1;
len -= MD5_DIGEST_LENGTH;
p[arg - 2] = len >> 8;
p[arg - 1] = len;
diff --git a/doc/crypto/DH_generate_parameters.pod b/doc/crypto/DH_generate_parameters.pod
index b71497b..ce178af 100644
--- a/doc/crypto/DH_generate_parameters.pod
+++ b/doc/crypto/DH_generate_parameters.pod
@@ -3,7 +3,8 @@
=head1 NAME
DH_generate_parameters_ex, DH_generate_parameters,
-DH_check - generate and check Diffie-Hellman parameters
+DH_check, DH_check_params - generate and check Diffie-Hellman
+parameters
=head1 SYNOPSIS
@@ -12,6 +13,7 @@ DH_check - generate and check Diffie-Hellman parameters
int DH_generate_parameters_ex(DH *dh, int prime_len, int generator, BN_GENCB *cb);
int DH_check(DH *dh, int *codes);
+ int DH_check_params(DH *dh, int *codes);
Deprecated:
@@ -37,6 +39,30 @@ number is generated, and when a prime has been found, B<BN_GENCB_call(cb, 3, 0)>
is called. See L<BN_generate_prime(3)> for information on
the BN_GENCB_call() function.
+DH_check_params() confirms that the B<p> and B<g> are likely enough to
+be valid.
+This is a lightweight check, if a more thorough check is needed, use
+DH_check().
+The value of B<*codes> is updated with any problems found.
+If B<*codes> is zero then no problems were found, otherwise the
+following bits may be set:
+
+=over 4
+
+=item DH_CHECK_P_NOT_PRIME
+
+The parameter B<p> has been determined to not being an odd prime.
+Note that the lack of this bit doesn't guarantee that B<p> is a
+prime.
+
+=item DH_NOT_SUITABLE_GENERATOR
+
+The generator B<g> is not suitable.
+Note that the lack of this bit doesn't guarantee that B<g> is
+suitable, unless B<p> is known to be a strong prime.
+
+=back
+
DH_check() confirms that the Diffie-Hellman parameters B<dh> are valid. The
value of B<*codes> is updated with any problems found. If B<*codes> is zero then
no problems were found, otherwise the following bits may be set:
@@ -75,8 +101,8 @@ The parameter B<j> is invalid.
=head1 RETURN VALUES
-DH_generate_parameters_ex() and DH_check() return 1 if the check could be
-performed, 0 otherwise.
+DH_generate_parameters_ex(), DH_check() and DH_check_params() return 1
+if the check could be performed, 0 otherwise.
DH_generate_parameters() (deprecated) returns a pointer to the DH structure, or
NULL if the parameter generation fails.
@@ -93,7 +119,7 @@ are not to be used in signature schemes.
=head1 SEE ALSO
-L<dh(3)>, L<ERR_get_error(3)>, L<rand(3)>,
+L<DH_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>,
L<DH_free(3)>
=head1 COPYRIGHT
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index ae309e7..6d149bc 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -124,6 +124,7 @@ DEPRECATEDIN_0_9_8(DH *DH_generate_parameters(int prime_len, int generator,
int DH_generate_parameters_ex(DH *dh, int prime_len, int generator,
BN_GENCB *cb);
+int DH_check_params(const DH *dh, int *ret);
int DH_check(const DH *dh, int *codes);
int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *codes);
int DH_generate_key(DH *dh);
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index 660408c..098c957 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,11 +39,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10100040L
+# define OPENSSL_VERSION_NUMBER 0x10100050L
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0d-fips-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0e-fips-dev xx XXX xxxx"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0d-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.0e-dev xx XXX xxxx"
# endif
/*-
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index a7cf227..dc6443d 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1414,6 +1414,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
DH *dh = NULL;
BIGNUM *p = NULL, *g = NULL, *bnpub_key = NULL;
+ int check_bits = 0;
+
if (!PACKET_get_length_prefixed_2(pkt, &prime)
|| !PACKET_get_length_prefixed_2(pkt, &generator)
|| !PACKET_get_length_prefixed_2(pkt, &pub_key)) {
@@ -1441,7 +1443,8 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
goto err;
}
- if (BN_is_zero(p) || BN_is_zero(g) || BN_is_zero(bnpub_key)) {
+ /* test non-zero pupkey */
+ if (BN_is_zero(bnpub_key)) {
*al = SSL_AD_DECODE_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
goto err;
@@ -1454,6 +1457,12 @@ static int tls_process_ske_dhe(SSL *s, PACKET *pkt, EVP_PKEY **pkey, int *al)
}
p = g = NULL;
+ if (DH_check_params(dh, &check_bits) == 0 || check_bits != 0) {
+ *al = SSL_AD_DECODE_ERROR;
+ SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, SSL_R_BAD_DH_VALUE);
+ goto err;
+ }
+
if (!DH_set0_key(dh, bnpub_key, NULL)) {
*al = SSL_AD_INTERNAL_ERROR;
SSLerr(SSL_F_TLS_PROCESS_SKE_DHE, ERR_R_BN_LIB);
diff --git a/util/libcrypto.num b/util/libcrypto.num
index b0de30a..c1a0945 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4213,3 +4213,4 @@ CT_POLICY_EVAL_CTX_set_time 4173 1_1_0d EXIST::FUNCTION:CT
X509_VERIFY_PARAM_set_inh_flags 4174 1_1_0d EXIST::FUNCTION:
X509_VERIFY_PARAM_get_inh_flags 4175 1_1_0d EXIST::FUNCTION:
X509_VERIFY_PARAM_get_time 4181 1_1_0d EXIST::FUNCTION:
+DH_check_params 4183 1_1_0d EXIST::FUNCTION:DH
More information about the openssl-commits
mailing list