[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu Jan 28 14:41:47 UTC 2016


The branch master has been updated
       via  502bed22a940598bad27555d2b5c5c27a1f2edf1 (commit)
       via  e729aac19de7b41169be82e6e55c4c898de9470a (commit)
       via  b128abc3437600c3143cb2145185ab87ba3156a2 (commit)
      from  3444c36ab489b7084832254723a356e3c2eb023a (commit)


- Log -----------------------------------------------------------------
commit 502bed22a940598bad27555d2b5c5c27a1f2edf1
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jan 27 13:41:16 2016 +0000

    CHANGES and NEWS updates for release
    
    Add details about the latest issues fixed in the forthcoming release.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit e729aac19de7b41169be82e6e55c4c898de9470a
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Jan 20 11:56:28 2016 +0000

    Add a test for small subgroup attacks on DH/DHE
    
    Following on from the previous commit, add a test to ensure that
    DH_compute_key correctly fails if passed a bad y such that:
    
    y^q (mod p) != 1
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

commit b128abc3437600c3143cb2145185ab87ba3156a2
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Jan 18 11:31:58 2016 +0000

    Prevent small subgroup attacks on DH/DHE
    
    Historically OpenSSL only ever generated DH parameters based on "safe"
    primes. More recently (in version 1.0.2) support was provided for
    generating X9.42 style parameter files such as those required for RFC
    5114 support. The primes used in such files may not be "safe". Where an
    application is using DH configured with parameters based on primes that
    are not "safe" then an attacker could use this fact to find a peer's
    private DH exponent. This attack requires that the attacker complete
    multiple handshakes in which the peer uses the same DH exponent.
    
    A simple mitigation is to ensure that y^q (mod p) == 1
    
    CVE-2016-0701
    
    Issue reported by Antonio Sanso.
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES              | 46 ++++++++++++++++++++++++++++++++++-
 NEWS                 |  7 +++++-
 crypto/dh/dh_check.c | 34 +++++++++++++++++++-------
 include/openssl/dh.h |  1 +
 test/dhtest.c        | 69 +++++++++++++++++++++++++++++++++++++++++++++++++---
 5 files changed, 142 insertions(+), 15 deletions(-)

diff --git a/CHANGES b/CHANGES
index 75ddadc..4f8fff5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,7 +2,7 @@
  OpenSSL CHANGES
  _______________
 
- Changes between 1.0.2e and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
 
   *) Removed many obsolete configuration items, including
         DES_PTR, DES_RISC1, DES_RISC2, DES_INT
@@ -720,6 +720,50 @@
      whose return value is often ignored. 
      [Steve Henson]
 
+ Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
+  *) DH small subgroups
+
+     Historically OpenSSL only ever generated DH parameters based on "safe"
+     primes. More recently (in version 1.0.2) support was provided for
+     generating X9.42 style parameter files such as those required for RFC 5114
+     support. The primes used in such files may not be "safe". Where an
+     application is using DH configured with parameters based on primes that are
+     not "safe" then an attacker could use this fact to find a peer's private
+     DH exponent. This attack requires that the attacker complete multiple
+     handshakes in which the peer uses the same private DH exponent. For example
+     this could be used to discover a TLS server's private DH exponent if it's
+     reusing the private DH exponent or it's using a static DH ciphersuite.
+
+     OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
+     TLS. It is not on by default. If the option is not set then the server
+     reuses the same private DH exponent for the life of the server process and
+     would be vulnerable to this attack. It is believed that many popular
+     applications do set this option and would therefore not be at risk.
+
+     The fix for this issue adds an additional check where a "q" parameter is
+     available (as is the case in X9.42 based parameters). This detects the
+     only known attack, and is the only possible defense for static DH
+     ciphersuites. This could have some performance impact.
+
+     Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
+     default and cannot be disabled. This could have some performance impact.
+
+     This issue was reported to OpenSSL by Antonio Sanso (Adobe).
+     (CVE-2016-0701)
+     [Matt Caswell]
+
+  *) SSLv2 doesn't block disabled ciphers
+
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+
+     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+     and Sebastian Schinzel.
+     (CVE-2015-3197)
+     [Viktor Dukhovni]
+
  Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
 
   *) BN_mod_exp may produce incorrect results on x86_64
diff --git a/NEWS b/NEWS
index 76f7fde..5fc6b6c 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,7 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]
 
       o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
       o Support for extended master secret
@@ -33,6 +33,11 @@
         directory location rather than --openssldir.  The latter becomes
         the directory for certs, private key and openssl.cnf exclusively.
 
+  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
+
+      o DH small subgroups (CVE-2016-0701)
+      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
+
   Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
 
       o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
index d85696b..3f9e90e 100644
--- a/crypto/dh/dh_check.c
+++ b/crypto/dh/dh_check.c
@@ -142,22 +142,38 @@ int DH_check(const DH *dh, int *ret)
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
 {
     int ok = 0;
-    BIGNUM *q = NULL;
+    BIGNUM *tmp = NULL;
+    BN_CTX *ctx = NULL;
 
     *ret = 0;
-    q = BN_new();
-    if (q == NULL)
+    ctx = BN_CTX_new();
+    if (ctx == NULL)
         goto err;
-    BN_set_word(q, 1);
-    if (BN_cmp(pub_key, q) <= 0)
+    BN_CTX_start(ctx);
+    tmp = BN_CTX_get(ctx);
+    if (tmp == NULL)
+        goto err;
+    BN_set_word(tmp, 1);
+    if (BN_cmp(pub_key, tmp) <= 0)
         *ret |= DH_CHECK_PUBKEY_TOO_SMALL;
-    BN_copy(q, dh->p);
-    BN_sub_word(q, 1);
-    if (BN_cmp(pub_key, q) >= 0)
+    BN_copy(tmp, dh->p);
+    BN_sub_word(tmp, 1);
+    if (BN_cmp(pub_key, tmp) >= 0)
         *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
 
+    if (dh->q != NULL) {
+        /* Check pub_key^q == 1 mod p */
+        if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
+            goto err;
+        if (!BN_is_one(tmp))
+            *ret |= DH_CHECK_PUBKEY_INVALID;
+    }
+
     ok = 1;
  err:
-    BN_free(q);
+    if (ctx != NULL) {
+        BN_CTX_end(ctx);
+        BN_CTX_free(ctx);
+    }
     return (ok);
 }
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index 528f527..90cfb82 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
@@ -174,6 +174,7 @@ struct dh_st {
 /* DH_check_pub_key error codes */
 # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
 # define DH_CHECK_PUBKEY_TOO_LARGE       0x02
+# define DH_CHECK_PUBKEY_INVALID         0x03
 
 /*
  * primes p where (p-1)/2 is prime too are called "safe"; we define this for
diff --git a/test/dhtest.c b/test/dhtest.c
index 36bac32..224b1fd 100644
--- a/test/dhtest.c
+++ b/test/dhtest.c
@@ -454,6 +454,31 @@ static const unsigned char dhtest_2048_256_Z[] = {
     0xC2, 0x6C, 0x5D, 0x7C
 };
 
+static const unsigned char dhtest_rfc5114_2048_224_bad_y[] = {
+    0x45, 0x32, 0x5F, 0x51, 0x07, 0xE5, 0xDF, 0x1C, 0xD6, 0x02, 0x82, 0xB3,
+    0x32, 0x8F, 0xA4, 0x0F, 0x87, 0xB8, 0x41, 0xFE, 0xB9, 0x35, 0xDE, 0xAD,
+    0xC6, 0x26, 0x85, 0xB4, 0xFF, 0x94, 0x8C, 0x12, 0x4C, 0xBF, 0x5B, 0x20,
+    0xC4, 0x46, 0xA3, 0x26, 0xEB, 0xA4, 0x25, 0xB7, 0x68, 0x8E, 0xCC, 0x67,
+    0xBA, 0xEA, 0x58, 0xD0, 0xF2, 0xE9, 0xD2, 0x24, 0x72, 0x60, 0xDA, 0x88,
+    0x18, 0x9C, 0xE0, 0x31, 0x6A, 0xAD, 0x50, 0x6D, 0x94, 0x35, 0x8B, 0x83,
+    0x4A, 0x6E, 0xFA, 0x48, 0x73, 0x0F, 0x83, 0x87, 0xFF, 0x6B, 0x66, 0x1F,
+    0xA8, 0x82, 0xC6, 0x01, 0xE5, 0x80, 0xB5, 0xB0, 0x52, 0xD0, 0xE9, 0xD8,
+    0x72, 0xF9, 0x7D, 0x5B, 0x8B, 0xA5, 0x4C, 0xA5, 0x25, 0x95, 0x74, 0xE2,
+    0x7A, 0x61, 0x4E, 0xA7, 0x8F, 0x12, 0xE2, 0xD2, 0x9D, 0x8C, 0x02, 0x70,
+    0x34, 0x44, 0x32, 0xC7, 0xB2, 0xF3, 0xB9, 0xFE, 0x17, 0x2B, 0xD6, 0x1F,
+    0x8B, 0x7E, 0x4A, 0xFA, 0xA3, 0xB5, 0x3E, 0x7A, 0x81, 0x9A, 0x33, 0x66,
+    0x62, 0xA4, 0x50, 0x18, 0x3E, 0xA2, 0x5F, 0x00, 0x07, 0xD8, 0x9B, 0x22,
+    0xE4, 0xEC, 0x84, 0xD5, 0xEB, 0x5A, 0xF3, 0x2A, 0x31, 0x23, 0xD8, 0x44,
+    0x22, 0x2A, 0x8B, 0x37, 0x44, 0xCC, 0xC6, 0x87, 0x4B, 0xBE, 0x50, 0x9D,
+    0x4A, 0xC4, 0x8E, 0x45, 0xCF, 0x72, 0x4D, 0xC0, 0x89, 0xB3, 0x72, 0xED,
+    0x33, 0x2C, 0xBC, 0x7F, 0x16, 0x39, 0x3B, 0xEB, 0xD2, 0xDD, 0xA8, 0x01,
+    0x73, 0x84, 0x62, 0xB9, 0x29, 0xD2, 0xC9, 0x51, 0x32, 0x9E, 0x7A, 0x6A,
+    0xCF, 0xC1, 0x0A, 0xDB, 0x0E, 0xE0, 0x62, 0x77, 0x6F, 0x59, 0x62, 0x72,
+    0x5A, 0x69, 0xA6, 0x5B, 0x70, 0xCA, 0x65, 0xC4, 0x95, 0x6F, 0x9A, 0xC2,
+    0xDF, 0x72, 0x6D, 0xB1, 0x1E, 0x54, 0x7B, 0x51, 0xB4, 0xEF, 0x7F, 0x89,
+    0x93, 0x74, 0x89, 0x59
+};
+
 typedef struct {
     DH *(*get_param) (void);
     const unsigned char *xA;
@@ -491,12 +516,9 @@ static int run_rfc5114_tests(void)
     unsigned char *Z1 = NULL;
     unsigned char *Z2 = NULL;
     const rfc5114_td *td = NULL;
+    BIGNUM *bady = NULL;
 
     for (i = 0; i < (int)OSSL_NELEM(rfctd); i++) {
-        dhA = NULL;
-        dhB = NULL;
-        Z1 = NULL;
-        Z2 = NULL;
         td = rfctd + i;
         /* Set up DH structures setting key components */
         dhA = td->get_param();
@@ -542,10 +564,48 @@ static int run_rfc5114_tests(void)
         DH_free(dhB);
         OPENSSL_free(Z1);
         OPENSSL_free(Z2);
+        dhA = NULL;
+        dhB = NULL;
+        Z1 = NULL;
+        Z2 = NULL;
+    }
 
+    /* Now i == OSSL_NELEM(rfctd) */
+    /* RFC5114 uses unsafe primes, so now test an invalid y value */
+    dhA = DH_get_2048_224();
+    if (dhA == NULL)
+        goto bad_err;
+    Z1 = OPENSSL_malloc(DH_size(dhA));
+    if (Z1 == NULL)
+        goto bad_err;
+
+    bady = BN_bin2bn(dhtest_rfc5114_2048_224_bad_y,
+                     sizeof(dhtest_rfc5114_2048_224_bad_y), NULL);
+    if (bady == NULL)
+        goto bad_err;
+
+    if (!DH_generate_key(dhA))
+        goto bad_err;
+
+    if (DH_compute_key(Z1, bady, dhA) != -1) {
+        /*
+         * DH_compute_key should fail with -1. If we get here we unexpectedly
+         * allowed an invalid y value
+         */
+        goto err;
     }
+    /* We'll have a stale error on the queue from the above test so clear it */
+    ERR_clear_error();
+
+    printf("RFC5114 parameter test %d OK\n", i + 1);
+
+    BN_free(bady);
+    DH_free(dhA);
+    OPENSSL_free(Z1);
+
     return 1;
  bad_err:
+    BN_free(bady);
     DH_free(dhA);
     DH_free(dhB);
     OPENSSL_free(Z1);
@@ -555,6 +615,7 @@ static int run_rfc5114_tests(void)
     ERR_print_errors_fp(stderr);
     return 0;
  err:
+    BN_free(bady);
     DH_free(dhA);
     DH_free(dhB);
     OPENSSL_free(Z1);


More information about the openssl-commits mailing list