[openssl-commits] [openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Thu Dec 3 15:34:49 UTC 2015
The branch OpenSSL_1_0_2-stable has been updated
via 8a27243c7bca665cf940acd66ee9bf578ee8e8a9 (commit)
via bfe07df40c13ea2564bb4577620180e3f4849e23 (commit)
via 33223e733a3765a779feb82497a0bdc9d9321209 (commit)
via 9330fbd07f8f544d978465cc9f6390037a87c16a (commit)
via 00456fded43eadd4bb94bf675ae4ea5d158a764f (commit)
via c394a488942387246653833359a5c94b5832674e (commit)
via d73cc256c8e256c32ed959456101b73ba9842f72 (commit)
via cc598f321fbac9c04da5766243ed55d55948637d (commit)
from fb4f46763fed3c600db21974577061b611b6fa46 (commit)
- Log -----------------------------------------------------------------
commit 8a27243c7bca665cf940acd66ee9bf578ee8e8a9
Author: Matt Caswell <matt at openssl.org>
Date: Thu Dec 3 14:45:41 2015 +0000
Prepare for 1.0.2f-dev
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit bfe07df40c13ea2564bb4577620180e3f4849e23
Author: Matt Caswell <matt at openssl.org>
Date: Thu Dec 3 14:44:31 2015 +0000
Prepare for 1.0.2e release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 33223e733a3765a779feb82497a0bdc9d9321209
Author: Matt Caswell <matt at openssl.org>
Date: Thu Dec 3 14:44:31 2015 +0000
make update
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 9330fbd07f8f544d978465cc9f6390037a87c16a
Author: Matt Caswell <matt at openssl.org>
Date: Tue Dec 1 14:39:47 2015 +0000
Update CHANGES and NEWS
Update the CHANGES and NEWS files for the new release.
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 00456fded43eadd4bb94bf675ae4ea5d158a764f
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Wed Nov 4 13:30:03 2015 +0000
Add test for CVE-2015-3194
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit c394a488942387246653833359a5c94b5832674e
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Fri Oct 2 12:35:19 2015 +0100
Add PSS parameter check.
Avoid seg fault by checking mgf1 parameter is not NULL. This can be
triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.
Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.
CVE-2015-3194
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit d73cc256c8e256c32ed959456101b73ba9842f72
Author: Andy Polyakov <appro at openssl.org>
Date: Tue Dec 1 09:00:32 2015 +0100
bn/asm/x86_64-mont5.pl: fix carry propagating bug (CVE-2015-3193).
Reviewed-by: Richard Levitte <levitte at openssl.org>
(cherry picked from commit e7c078db57908cbf16074c68034977565ffaf107)
commit cc598f321fbac9c04da5766243ed55d55948637d
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Nov 10 19:03:07 2015 +0000
Fix leak with ASN.1 combine.
When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.
This can leak memory in any application parsing PKCS#7 or CMS structures.
CVE-2015-3195.
Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.
PR#4131
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 62 ++++++++++++++++++++++++++++++++++++++++++-
NEWS | 12 ++++++++-
README | 2 +-
crypto/asn1/tasn_dec.c | 7 +++--
crypto/bn/asm/x86_64-mont5.pl | 22 ++++++++++++---
crypto/bn/bntest.c | 18 +++++++++++++
crypto/opensslv.h | 6 ++---
crypto/rsa/rsa_ameth.c | 2 +-
openssl.spec | 2 +-
test/Makefile | 7 ++---
test/certs/pss1.pem | 21 +++++++++++++++
test/tx509 | 7 +++++
12 files changed, 152 insertions(+), 16 deletions(-)
create mode 100644 test/certs/pss1.pem
diff --git a/CHANGES b/CHANGES
index 1dc6dc6..32bd5c5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,57 @@
OpenSSL CHANGES
_______________
- Changes between 1.0.2d and 1.0.2e [xx XXX xxxx]
+ Changes between 1.0.2e and 1.0.2f [xx XXX xxxx]
+
+ *)
+
+ Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
+
+ *) BN_mod_exp may produce incorrect results on x86_64
+
+ There is a carry propagating bug in the x86_64 Montgomery squaring
+ procedure. No EC algorithms are affected. Analysis suggests that attacks
+ against RSA and DSA as a result of this defect would be very difficult to
+ perform and are not believed likely. Attacks against DH are considered just
+ feasible (although very difficult) because most of the work necessary to
+ deduce information about a private key may be performed offline. The amount
+ of resources required for such an attack would be very significant and
+ likely only accessible to a limited number of attackers. An attacker would
+ additionally need online access to an unpatched system using the target
+ private key in a scenario with persistent DH parameters and a private
+ key that is shared between multiple clients. For example this can occur by
+ default in OpenSSL DHE based SSL/TLS ciphersuites.
+
+ This issue was reported to OpenSSL by Hanno Böck.
+ (CVE-2015-3193)
+ [Andy Polyakov]
+
+ *) Certificate verify crash with missing PSS parameter
+
+ The signature verification routines will crash with a NULL pointer
+ dereference if presented with an ASN.1 signature using the RSA PSS
+ algorithm and absent mask generation function parameter. Since these
+ routines are used to verify certificate signature algorithms this can be
+ used to crash any certificate verification operation and exploited in a
+ DoS attack. Any application which performs certificate verification is
+ vulnerable including OpenSSL clients and servers which enable client
+ authentication.
+
+ This issue was reported to OpenSSL by Loïc Jonas Etienne (Qnective AG).
+ (CVE-2015-3194)
+ [Stephen Henson]
+
+ *) X509_ATTRIBUTE memory leak
+
+ When presented with a malformed X509_ATTRIBUTE structure OpenSSL will leak
+ memory. This structure is used by the PKCS#7 and CMS routines so any
+ application which reads PKCS#7 or CMS data from untrusted sources is
+ affected. SSL/TLS is not affected.
+
+ This issue was reported to OpenSSL by Adam Langley (Google/BoringSSL) using
+ libFuzzer.
+ (CVE-2015-3195)
+ [Stephen Henson]
*) Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs.
This changes the decoding behaviour for some invalid messages,
@@ -27,8 +77,18 @@
This issue was reported to OpenSSL by Adam Langley/David Benjamin
(Google/BoringSSL).
+ (CVE-2015-1793)
[Matt Caswell]
+ *) Race condition handling PSK identify hint
+
+ If PSK identity hints are received by a multi-threaded client then
+ the values are wrongly updated in the parent SSL_CTX structure. This can
+ result in a race condition potentially leading to a double free of the
+ identify hint data.
+ (CVE-2015-3196)
+ [Stephen Henson]
+
Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
diff --git a/NEWS b/NEWS
index cb5674b..6d32f75 100644
--- a/NEWS
+++ b/NEWS
@@ -5,13 +5,23 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [under development]
+ Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [under development]
o
+ Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
+
+ o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
+ o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
+ o X509_ATTRIBUTE memory leak (CVE-2015-3195)
+ o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
+ o In DSA_generate_parameters_ex, if the provided seed is too short,
+ return an error
+
Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
o Alternate chains certificate forgery (CVE-2015-1793)
+ o Race condition handling PSK identify hint (CVE-2015-3196)
Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
diff --git a/README b/README
index ddc3dd1..4198f72 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.0.2e-dev
+ OpenSSL 1.0.2f-dev
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index febf605..9256049 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -180,6 +180,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
int otag;
int ret = 0;
ASN1_VALUE **pchptr, *ptmpval;
+ int combine = aclass & ASN1_TFLG_COMBINE;
+ aclass &= ~ASN1_TFLG_COMBINE;
if (!pval)
return 0;
if (aux && aux->asn1_cb)
@@ -500,7 +502,8 @@ int ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
auxerr:
ASN1err(ASN1_F_ASN1_ITEM_EX_D2I, ASN1_R_AUX_ERROR);
err:
- ASN1_item_ex_free(pval, it);
+ if (combine == 0)
+ ASN1_item_ex_free(pval, it);
if (errtt)
ERR_add_error_data(4, "Field=", errtt->field_name,
", Type=", it->sname);
@@ -689,7 +692,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
} else {
/* Nothing special */
ret = ASN1_item_ex_d2i(val, &p, len, ASN1_ITEM_ptr(tt->item),
- -1, 0, opt, ctx);
+ -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx);
if (!ret) {
ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ERR_R_NESTED_ASN1_ERROR);
goto err;
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 388e3c6..64e668f 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -1784,6 +1784,15 @@ sqr8x_reduction:
.align 32
.L8x_tail_done:
add (%rdx),%r8 # can this overflow?
+ adc \$0,%r9
+ adc \$0,%r10
+ adc \$0,%r11
+ adc \$0,%r12
+ adc \$0,%r13
+ adc \$0,%r14
+ adc \$0,%r15 # can't overflow, because we
+ # started with "overhung" part
+ # of multiplication
xor %rax,%rax
neg $carry
@@ -3130,6 +3139,15 @@ sqrx8x_reduction:
.align 32
.Lsqrx8x_tail_done:
add 24+8(%rsp),%r8 # can this overflow?
+ adc \$0,%r9
+ adc \$0,%r10
+ adc \$0,%r11
+ adc \$0,%r12
+ adc \$0,%r13
+ adc \$0,%r14
+ adc \$0,%r15 # can't overflow, because we
+ # started with "overhung" part
+ # of multiplication
mov $carry,%rax # xor %rax,%rax
sub 16+8(%rsp),$carry # mov 16(%rsp),%cf
@@ -3173,13 +3191,11 @@ my ($rptr,$nptr)=("%rdx","%rbp");
my @ri=map("%r$_",(10..13));
my @ni=map("%r$_",(14..15));
$code.=<<___;
- xor %rbx,%rbx
+ xor %ebx,%ebx
sub %r15,%rsi # compare top-most words
adc %rbx,%rbx
mov %rcx,%r10 # -$num
- .byte 0x67
or %rbx,%rax
- .byte 0x67
mov %rcx,%r9 # -$num
xor \$1,%rax
sar \$3+2,%rcx # cf=0
diff --git a/crypto/bn/bntest.c b/crypto/bn/bntest.c
index 8b8a152..1e35988 100644
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -1016,6 +1016,24 @@ int test_mod_exp(BIO *bp, BN_CTX *ctx)
return 0;
}
}
+
+ /* Regression test for carry propagation bug in sqr8x_reduction */
+ BN_hex2bn(&a, "050505050505");
+ BN_hex2bn(&b, "02");
+ BN_hex2bn(&c,
+ "4141414141414141414141274141414141414141414141414141414141414141"
+ "4141414141414141414141414141414141414141414141414141414141414141"
+ "4141414141414141414141800000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000001");
+ BN_mod_exp(d, a, b, c, ctx);
+ BN_mul(e, a, a, ctx);
+ if (BN_cmp(d, e)) {
+ fprintf(stderr, "BN_mod_exp and BN_mul produce different results!\n");
+ return 0;
+ }
+
BN_free(a);
BN_free(b);
BN_free(c);
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index faaf63f..f4931f5 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10002050L
+# define OPENSSL_VERSION_NUMBER 0x10002060L
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-fips-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-fips-dev xx XXX xxxx"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2e-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2f-dev xx XXX xxxx"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index ca3922e..4e06218 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -268,7 +268,7 @@ static X509_ALGOR *rsa_mgf1_decode(X509_ALGOR *alg)
{
const unsigned char *p;
int plen;
- if (alg == NULL)
+ if (alg == NULL || alg->parameter == NULL)
return NULL;
if (OBJ_obj2nid(alg->algorithm) != NID_mgf1)
return NULL;
diff --git a/openssl.spec b/openssl.spec
index 45e737a..72ace12 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -6,7 +6,7 @@ Release: 1
Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
-Version: 1.0.2e
+Version: 1.0.2f
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
diff --git a/test/Makefile b/test/Makefile
index 8cbb5ad..b180971 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -588,9 +588,10 @@ clienthellotest.o: ../include/openssl/buffer.h ../include/openssl/comp.h
clienthellotest.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
clienthellotest.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
clienthellotest.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
-clienthellotest.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-clienthellotest.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-clienthellotest.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+clienthellotest.o: ../include/openssl/err.h ../include/openssl/evp.h
+clienthellotest.o: ../include/openssl/hmac.h ../include/openssl/kssl.h
+clienthellotest.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+clienthellotest.o: ../include/openssl/objects.h
clienthellotest.o: ../include/openssl/opensslconf.h
clienthellotest.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
clienthellotest.o: ../include/openssl/pem.h ../include/openssl/pem2.h
diff --git a/test/certs/pss1.pem b/test/certs/pss1.pem
new file mode 100644
index 0000000..29da71d
--- /dev/null
+++ b/test/certs/pss1.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDdjCCAjqgAwIBAgIJANcwZLyfEv7DMD4GCSqGSIb3DQEBCjAxoA0wCwYJYIZI
+AWUDBAIBoRowGAYJKoZIhvcNAQEIMAsGCWCGSAFlAwQCAaIEAgIA3jAnMSUwIwYD
+VQQDDBxUZXN0IEludmFsaWQgUFNTIGNlcnRpZmljYXRlMB4XDTE1MTEwNDE2MDIz
+NVoXDTE1MTIwNDE2MDIzNVowJzElMCMGA1UEAwwcVGVzdCBJbnZhbGlkIFBTUyBj
+ZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMTaM7WH
+qVCAGAIA+zL1KWvvASTrhlq+1ePdO7wsrWX2KiYoTYrJYTnxhLnn0wrHqApt79nL
+IBG7cfShyZqFHOY/IzlYPMVt+gPo293gw96Fds5JBsjhjkyGnOyr9OUntFqvxDbT
+IIFU7o9IdxD4edaqjRv+fegVE+B79pDk4s0ujsk6dULtCg9Rst0ucGFo19mr+b7k
+dbfn8pZ72ZNDJPueVdrUAWw9oll61UcYfk75XdrLk6JlL41GrYHc8KlfXf43gGQq
+QfrpHkg4Ih2cI6Wt2nhFGAzrlcorzLliQIUJRIhM8h4IgDfpBpaPdVQLqS2pFbXa
+5eQjqiyJwak2vJ8CAwEAAaNQME4wHQYDVR0OBBYEFCt180N4oGUt5LbzBwQ4Ia+2
+4V97MB8GA1UdIwQYMBaAFCt180N4oGUt5LbzBwQ4Ia+24V97MAwGA1UdEwQFMAMB
+Af8wMQYJKoZIhvcNAQEKMCSgDTALBglghkgBZQMEAgGhDTALBgkqhkiG9w0BAQii
+BAICAN4DggEBAAjBtm90lGxgddjc4Xu/nbXXFHVs2zVcHv/mqOZoQkGB9r/BVgLb
+xhHrFZ2pHGElbUYPfifdS9ztB73e1d4J+P29o0yBqfd4/wGAc/JA8qgn6AAEO/Xn
+plhFeTRJQtLZVl75CkHXgUGUd3h+ADvKtcBuW9dSUncaUrgNKR8u/h/2sMG38RWY
+DzBddC/66YTa3r7KkVUfW7yqRQfELiGKdcm+bjlTEMsvS+EhHup9CzbpoCx2Fx9p
+NPtFY3yEObQhmL1JyoCRWqBE75GzFPbRaiux5UpEkns+i3trkGssZzsOuVqHNTNZ
+lC9+9hPHIoc9UMmAQNo1vGIW3NWVoeGbaJ8=
+-----END CERTIFICATE-----
diff --git a/test/tx509 b/test/tx509
index 0ce3b52..77f5cac 100644
--- a/test/tx509
+++ b/test/tx509
@@ -74,5 +74,12 @@ if [ $? != 0 ]; then exit 1; fi
cmp x509-f.p x509-ff.p3
if [ $? != 0 ]; then exit 1; fi
+echo "Parsing test certificates"
+
+$cmd -in certs/pss1.pem -text -noout >/dev/null
+if [ $? != 0 ]; then exit 1; fi
+
+echo OK
+
/bin/rm -f x509-f.* x509-ff.* x509-fff.*
exit 0
More information about the openssl-commits
mailing list