[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue May 3 13:58:14 UTC 2016


The branch master has been updated
       via  6ac8377901b6cb9d5da8953d090e2ab43d65e8b5 (commit)
       via  70428eada9bc4cf31424d723d1f992baffeb0dfb (commit)
       via  2c7fe4dc9ae0c84d2c398d57143983800cc3f18d (commit)
       via  1b96ec100226e24c2969ff586aabf4dcd942c694 (commit)
       via  106cb9505746ddb69dc07ef45232084e620940ec (commit)
       via  d7ab691bc479d3cf2eea07329db6ce0e2589f0b9 (commit)
      from  d202a602e07b7090e3e5d75216b47cc7eb6fd4b6 (commit)


- Log -----------------------------------------------------------------
commit 6ac8377901b6cb9d5da8953d090e2ab43d65e8b5
Author: Matt Caswell <matt at openssl.org>
Date:   Tue May 3 09:49:13 2016 +0100

    Update CHANGES and NEWS for the new release
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 70428eada9bc4cf31424d723d1f992baffeb0dfb
Author: Kurt Roeckx <kurt at roeckx.be>
Date:   Sat Apr 16 23:08:56 2016 +0200

    Check that we have enough padding characters.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    
    CVE-2016-2107
    
    MR: #2572

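The commit above ("Check that we have enough padding characters") is a one-line change whose reasoning is spelled out in the CHANGES entry for CVE-2016-2107 further down: the constant-time rewrite of the CBC MAC check never verified that the record was long enough to hold both the MAC and the padding. As an added example, not OpenSSL's code, here is a stand-alone C version of that check. The maxpad clamp and the `ret &= ct_ge(maxpad, pad)` line follow the shape of the patched `aesni_cbc_hmac_*` code; the `ct_*` helpers, `cbc_record_padding_ok`, `build_record` and the sample record are written for this example and are not part of the patch.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not OpenSSL's code): branch-free validation that a decrypted
 * TLS CBC record can hold the MAC, the padding bytes and the trailing
 * padding-length byte, and that every padding byte equals that length byte.
 * The maxpad clamp and "ret &= ct_ge(maxpad, pad)" follow the shape of the
 * patched aesni_cbc_hmac_* code; the ct_* helpers are written fresh here and
 * assume operands below 2^31, which holds for record lengths. */

static unsigned int ct_msb(unsigned int a)   /* all-ones if top bit set */
{
    return 0u - (a >> (sizeof(a) * 8 - 1));
}
static unsigned int ct_lt(unsigned int a, unsigned int b)   /* a < b */
{
    return ct_msb(a - b);
}
static unsigned int ct_ge(unsigned int a, unsigned int b)   /* a >= b */
{
    return ~ct_lt(a, b);
}
static unsigned int ct_eq(unsigned int a, unsigned int b)   /* a == b */
{
    unsigned int x = a ^ b;
    return ~ct_msb(x | (0u - x));
}

/* rec/len: decrypted record laid out as content || MAC || padding || pad byte.
 * mac_len: digest length of the MAC in use (20 for SHA-1, 32 for SHA-256).
 * Returns 1 when the padding is valid and the record can hold a MAC, else 0.
 * Only len and mac_len (both public) drive branches; the secret pad byte and
 * padding contents only feed masks, so timing does not depend on them. */
unsigned int cbc_record_padding_ok(const unsigned char *rec, size_t len,
                                   unsigned int mac_len)
{
    unsigned int ret = 1, pad, maxpad, i;

    /* Cannot hold even the MAC plus the length byte; len is public. */
    if (len < (size_t)mac_len + 1)
        return 0;

    pad = rec[len - 1];
    /* Largest padding length that still leaves room for the MAC, clamped to
     * 255 without a branch because a pad byte cannot exceed 255. */
    maxpad = (unsigned int)(len - (mac_len + 1));
    maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
    maxpad &= 255;

    /* The check CVE-2016-2107 was missing: pad must not exceed maxpad, or the
     * record cannot contain both the MAC and the padding. */
    ret &= ct_ge(maxpad, pad);

    /* Every padding byte must equal pad. Scan a window of maxpad bytes (a
     * public size) and only count mismatches at positions that really are
     * padding, i.e. i < pad. */
    for (i = 0; i < maxpad; i++) {
        unsigned int b = rec[len - 2 - i];
        unsigned int is_padding = ct_lt(i, pad);
        ret &= ~(is_padding & ~ct_eq(b, pad));
    }
    return ret & 1;
}

/* Constructed sample record: content || mac_len stand-in MAC bytes ||
 * (pad + 1) bytes each equal to pad. The MAC is not verified here. */
size_t build_record(unsigned char *out, const char *content,
                    unsigned int mac_len, unsigned int pad)
{
    size_t n = strlen(content);
    memcpy(out, content, n);
    memset(out + n, 0xAA, mac_len);
    memset(out + n + mac_len, pad, pad + 1);
    return n + mac_len + pad + 1;
}

int main(void)
{
    unsigned char rec[512];
    size_t n = build_record(rec, "hello", 20, 10);
    printf("well formed: %u\n", cbc_record_padding_ok(rec, n, 20));
    rec[n - 1] = 250;   /* claims more padding than a 36-byte record can hold */
    printf("oversized pad byte: %u\n", cbc_record_padding_ok(rec, n, 20));
    return 0;
}
```

The point of the design is that the decision is accumulated into a mask and only converted to 0/1 at the very end, so a record whose pad byte is too large takes the same code path, and the same time, as a well-formed one; the MAC computation and comparison that a real implementation performs after this would then be fed a length that is known to be in range.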
commit 2c7fe4dc9ae0c84d2c398d57143983800cc3f18d
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Apr 26 12:12:40 2016 +0100

    Add ASN.1 INTEGER tests.
    
    Add tests for ASN.1 INTEGER: invalid tag, valid 0, 1, -1 and 0, -1 with
    illegal padding.
    
    Also add ASN1_ANY tests for 0, 1 and -1.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit 1b96ec100226e24c2969ff586aabf4dcd942c694
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Tue Apr 26 12:04:42 2016 +0100

    add ASN1_INTEGER type to d2i_test
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit 106cb9505746ddb69dc07ef45232084e620940ec
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Sat Apr 23 13:52:43 2016 +0100

    Add test for CVE-2016-2018
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit d7ab691bc479d3cf2eea07329db6ce0e2589f0b9
Author: Dr. Stephen Henson <steve at openssl.org>
Date:   Fri Apr 15 02:37:09 2016 +0100

    Fix ASN1_INTEGER handling.
    
    Only treat an ASN1_ANY type as an integer if it has the V_ASN1_INTEGER
    tag: V_ASN1_NEG_INTEGER is an internal only value which is never used
    for on the wire encoding.
    
    Thanks to David Benjamin <davidben at google.com> for reporting this bug.
    
    This was found using libFuzzer.
    
    RT#4364 (part) CVE-2016-2108.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

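The "Fix ASN1_INTEGER handling" commit above and the test commits that accompany it describe two separate rules: an ANY decoder must apply INTEGER content rules only when the tag really is INTEGER (a high tag number such as 258 must not be mistaken for one), and INTEGER content must be minimally encoded, so a leading 0x00 or 0xff that adds no information is "illegal padding". The following C decoder is an added example, not OpenSSL's code, that implements both rules; the `der_*` functions are written for this example, and the byte vectors are reconstructed from the test descriptions in this push (that the committed `.der` files contain exactly these bytes is an assumption).

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not OpenSSL's code): a small DER decoder that applies the
 * INTEGER content rules only when the tag really is INTEGER (2), the point of
 * the tasn_dec.c change, and rejects the illegal padding the new d2i vectors
 * carry. Universal class, primitive elements with short-form lengths only. */

typedef enum { DER_OK = 0, DER_BAD_TAG, DER_BAD_LENGTH, DER_BAD_PADDING,
               DER_TOO_LARGE } der_status;

/* Identifier octets: one byte for tags below 31, else 0x1f followed by
 * base-128 digits (high bit set on all but the last). Returns the tag
 * number and sets *hdr to the identifier length, or returns -1. */
static long der_tag_number(const unsigned char *der, size_t len, size_t *hdr)
{
    long tag = 0;
    size_t i;
    if (len == 0 || (der[0] & 0xe0) != 0)   /* universal, primitive only */
        return -1;
    if ((der[0] & 0x1f) != 0x1f) { *hdr = 1; return der[0] & 0x1f; }
    for (i = 1; i < len && i <= 4; i++) {
        tag = (tag << 7) | (der[i] & 0x7f);
        if ((der[i] & 0x80) == 0) { *hdr = i + 1; return tag; }
    }
    return -1;
}

/* INTEGER content must be minimal two's complement: a leading 0x00 before
 * a byte < 0x80, or 0xff before a byte >= 0x80, is the illegal padding that
 * bad-int-pad0.der and bad-int-padminus1.der carry. */
static der_status der_integer_content(const unsigned char *c, size_t clen,
                                      long long *out)
{
    unsigned long long u;
    size_t i;
    if (clen == 0)
        return DER_BAD_LENGTH;
    if (clen > 1 && ((c[0] == 0x00 && (c[1] & 0x80) == 0) ||
                     (c[0] == 0xff && (c[1] & 0x80) != 0)))
        return DER_BAD_PADDING;
    if (clen > sizeof(long long))
        return DER_TOO_LARGE;
    u = (c[0] & 0x80) ? ~0ULL : 0ULL;   /* sign-extend from the first byte */
    for (i = 0; i < clen; i++)
        u = (u << 8) | c[i];
    *out = (long long)u;
    return DER_OK;
}

/* ANY decoding: reports the tag, and applies INTEGER rules only when the tag
 * is 2. Any other tag, including 258 from high_tag.der, is accepted with its
 * content left verbatim (here: untouched in the input buffer). */
der_status der_decode_any(const unsigned char *der, size_t len,
                          long *tag, long long *value)
{
    size_t hdr, clen;
    *tag = der_tag_number(der, len, &hdr);
    *value = 0;
    if (*tag < 0)
        return DER_BAD_TAG;
    if (hdr >= len || (der[hdr] & 0x80))   /* short-form length only */
        return DER_BAD_LENGTH;
    clen = der[hdr];
    if (hdr + 1 + clen != len)
        return DER_BAD_LENGTH;
    return *tag == 2 ? der_integer_content(der + hdr + 1, clen, value) : DER_OK;
}

/* Decoding as INTEGER: the tag must be 2, so high_tag.der is rejected here
 * even though it decodes cleanly as ANY. */
der_status der_decode_integer(const unsigned char *der, size_t len,
                              long long *out)
{
    long tag;
    der_status st = der_decode_any(der, len, &tag, out);
    return (st == DER_OK && tag != 2) ? DER_BAD_TAG : st;
}

/* Constructed vectors, reconstructed from this push's test descriptions
 * (assumption: the committed .der files hold exactly these bytes). */
static const unsigned char V_INT0[]      = { 0x02, 0x01, 0x00 };
static const unsigned char V_INT1[]      = { 0x02, 0x01, 0x01 };
static const unsigned char V_INTMINUS1[] = { 0x02, 0x01, 0xff };
static const unsigned char V_BAD_PAD0[]  = { 0x02, 0x02, 0x00, 0x00 };
static const unsigned char V_BAD_PADM1[] = { 0x02, 0x02, 0xff, 0xff };
static const unsigned char V_HIGH_TAG[]  = { 0x1f, 0x82, 0x02, 0x02, 0x00, 0x00 };

int main(void)
{
    long tag;
    long long x;
    der_status st = der_decode_integer(V_INTMINUS1, sizeof(V_INTMINUS1), &x);
    printf("intminus1 as INTEGER: status %d value %lld\n", st, x);
    st = der_decode_any(V_HIGH_TAG, sizeof(V_HIGH_TAG), &tag, &x);
    printf("high_tag as ANY: status %d tag %ld\n", st, tag);
    return 0;
}
```

The two decoders give exactly the outcomes the new `25-test_d2i.t` cases expect: `high_tag.der` decodes as ANY but is rejected as INTEGER, the three one-byte integers decode as either, and the two padded vectors are rejected as INTEGER. The failure mode the test comment warns about is also visible: if `der_decode_any` applied the integer rules to every tag, the two zero content octets of `high_tag.der` would be rejected as padding.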
-----------------------------------------------------------------------

Summary of changes:
 CHANGES                              |  97 +++++++++++++++++++++++++++++++++++
 NEWS                                 |  15 +++++-
 crypto/asn1/a_type.c                 |   2 -
 crypto/asn1/tasn_dec.c               |   2 -
 crypto/asn1/tasn_enc.c               |   2 -
 crypto/evp/e_aes_cbc_hmac_sha1.c     |   3 ++
 crypto/evp/e_aes_cbc_hmac_sha256.c   |   3 ++
 test/d2i-tests/bad-int-pad0.der      | Bin 0 -> 4 bytes
 test/d2i-tests/bad-int-padminus1.der |   1 +
 test/d2i-tests/high_tag.der          | Bin 0 -> 6 bytes
 test/d2i-tests/int0.der              | Bin 0 -> 3 bytes
 test/d2i-tests/int1.der              |   1 +
 test/d2i-tests/intminus1.der         |   1 +
 test/d2i_test.c                      |   3 +-
 test/recipes/25-test_d2i.t           |  53 ++++++++++++++++++-
 15 files changed, 174 insertions(+), 9 deletions(-)
 create mode 100644 test/d2i-tests/bad-int-pad0.der
 create mode 100644 test/d2i-tests/bad-int-padminus1.der
 create mode 100644 test/d2i-tests/high_tag.der
 create mode 100644 test/d2i-tests/int0.der
 create mode 100644 test/d2i-tests/int1.der
 create mode 100644 test/d2i-tests/intminus1.der

diff --git a/CHANGES b/CHANGES
index 41bc9a4..fe16b0b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -995,6 +995,103 @@
      validated when establishing a connection.
      [Rob Percival <robpercival at google.com>]
 
+ Changes between 1.0.2g and 1.0.2h [3 May 2016]
+
+  *) Prevent padding oracle in AES-NI CBC MAC check
+
+     A MITM attacker can use a padding oracle attack to decrypt traffic
+     when the connection uses an AES CBC cipher and the server support
+     AES-NI.
+
+     This issue was introduced as part of the fix for Lucky 13 padding
+     attack (CVE-2013-0169). The padding check was rewritten to be in
+     constant time by making sure that always the same bytes are read and
+     compared against either the MAC or padding bytes. But it no longer
+     checked that there was enough data to have both the MAC and padding
+     bytes.
+
+     This issue was reported by Juraj Somorovsky using TLS-Attacker.
+     (CVE-2016-2107)
+     [Kurt Roeckx]
+
+  *) Fix EVP_EncodeUpdate overflow
+
+     An overflow can occur in the EVP_EncodeUpdate() function which is used for
+     Base64 encoding of binary data. If an attacker is able to supply very large
+     amounts of input data then a length check can overflow resulting in a heap
+     corruption.
+
+     Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+     the PEM_write_bio* family of functions. These are mainly used within the
+     OpenSSL command line applications, so any application which processes data
+     from an untrusted source and outputs it as a PEM file should be considered
+     vulnerable to this issue. User applications that call these APIs directly
+     with large amounts of untrusted data may also be vulnerable.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2105)
+     [Matt Caswell]
+
+  *) Fix EVP_EncryptUpdate overflow
+
+     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+     is able to supply very large amounts of input data after a previous call to
+     EVP_EncryptUpdate() with a partial block then a length check can overflow
+     resulting in a heap corruption. Following an analysis of all OpenSSL
+     internal usage of the EVP_EncryptUpdate() function all usage is one of two
+     forms. The first form is where the EVP_EncryptUpdate() call is known to be
+     the first called function after an EVP_EncryptInit(), and therefore that
+     specific call must be safe. The second form is where the length passed to
+     EVP_EncryptUpdate() can be seen from the code to be some small value and
+     therefore there is no possibility of an overflow. Since all instances are
+     one of these two forms, it is believed that there can be no overflows in
+     internal code due to this problem. It should be noted that
+     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+     of these calls have also been analysed too and it is believed there are no
+     instances in internal usage where an overflow could occur.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2106)
+     [Matt Caswell]
+
+  *) Prevent ASN.1 BIO excessive memory allocation
+
+     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+     a short invalid encoding can casuse allocation of large amounts of memory
+     potentially consuming excessive resources or exhausting memory.
+
+     Any application parsing untrusted data through d2i BIO functions is
+     affected. The memory based functions such as d2i_X509() are *not* affected.
+     Since the memory based functions are used by the TLS library, TLS
+     applications are not affected.
+
+     This issue was reported by Brian Carpenter.
+     (CVE-2016-2109)
+     [Stephen Henson]
+
+  *) EBCDIC overread
+
+     ASN1 Strings that are over 1024 bytes can cause an overread in applications
+     using the X509_NAME_oneline() function on EBCDIC systems. This could result
+     in arbitrary stack data being returned in the buffer.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2176)
+     [Matt Caswell]
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+     [Todd Short]
+
+  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
+     default.
+     [Kurt Roeckx]
+
+  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+     methods are enabled and ssl2 is disabled the methods return NULL.
+     [Kurt Roeckx]
+
  Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
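Review bot: the new 1.0.2h block has several typos that should be fixed before it ships as the user-facing record of these CVEs: "the server support AES-NI" (supports), "primarly" (primarily), "casuse" (cause), "singles DES" (single DES), and "have also been analysed too" (drop one of "also"/"too"). The CVE-2016-2106 entry would also read better split into two paragraphs, one for the bug and one for the internal-usage analysis.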
diff --git a/NEWS b/NEWS
index 90336bc..dd7e141 100644
--- a/NEWS
+++ b/NEWS
@@ -5,7 +5,7 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
-  Major changes between OpenSSL 1.0.2g and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.2h and OpenSSL 1.1.0 [in pre-release]
 
       o "shared" builds are now the default when possible
       o Added support for "pipelining"
@@ -46,6 +46,19 @@
       o Support for Certificate Transparency
       o HKDF support.
 
+  Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
+
+      o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+      o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+      o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+      o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+      o EBCDIC overread (CVE-2016-2176)
+      o Modify behavior of ALPN to invoke callback after SNI/servername
+        callback, such that updates to the SSL_CTX affect ALPN.
+      o Remove LOW from the DEFAULT cipher list.  This removes singles DES from
+        the default.
+      o Only remove the SSLv2 methods with the no-ssl2-method option.
+
   Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
 
       o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
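Review bot: "singles DES" is repeated here from CHANGES; fix both in the same commit so the release notes and the changelog stay consistent.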
diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c
index 8dea2e0..e132b0c 100644
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -122,9 +122,7 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b)
         result = 0;             /* They do not have content. */
         break;
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
     case V_ASN1_BIT_STRING:
     case V_ASN1_OCTET_STRING:
     case V_ASN1_SEQUENCE:
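Review bot: dropping V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED from ASN1_TYPE_cmp() sends any ASN1_TYPE carrying those values to the switch default, which is only correct if nothing ever stores the internal NEG_ variants in a->type. A short comment on the case list saying these values are internal to ASN1_INTEGER and never appear as a type tag would stop someone re-adding them later.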
diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c
index 5715921..dd96daf 100644
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -858,9 +858,7 @@ static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         tint = (ASN1_INTEGER **)pval;
         if (!c2i_ASN1_INTEGER(tint, &cont, len))
             goto err;
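Review bot: this is the actual CVE-2016-2108 fix and the reasoning lives only in the commit message; add a comment above `case V_ASN1_INTEGER:` stating that V_ASN1_NEG_INTEGER and V_ASN1_NEG_ENUMERATED are internal-only utype values never seen on the wire, so a high tag number must not be matched here and must fall through to the generic string handling. The high_tag.der case added to 25-test_d2i.t in this push is the regression test for exactly that path.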
diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c
index 0d25cf9..ae00a61 100644
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -600,9 +600,7 @@ static int asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
                                    cout ? &cout : NULL);
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         /*
          * These are all have the same content format as ASN1_INTEGER
          */
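Review bot: the retained comment "These are all have the same content format as ASN1_INTEGER" is ungrammatical ("These all have ..."); since the case list is being edited anyway, fix it here. The encoder change otherwise mirrors the decoder.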
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c
index 394a380..2d5131f 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
@@ -59,6 +59,7 @@
 #include <openssl/rand.h>
 #include "modes_lcl.h"
 #include "internal/evp_int.h"
+#include "internal/constant_time_locl.h"
 
 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
 # define EVP_CIPH_FLAG_AEAD_CIPHER       0x200000
@@ -583,6 +584,8 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
             maxpad &= 255;
 
+            ret &= constant_time_ge(maxpad, pad);
+
             inp_len = len - (SHA_DIGEST_LENGTH + pad + 1);
             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
             inp_len &= mask;
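Review bot: `ret &= constant_time_ge(maxpad, pad);` is the right shape (no branch, folded into the accumulated result), but a one-line fix to a subtle bug deserves a comment: `pad > maxpad` means the record cannot hold both the MAC and the padding, and without this check the `len - (SHA_DIGEST_LENGTH + pad + 1)` subtraction just below wraps for short records, which is the CVE-2016-2107 oracle. Also confirm that `ret` is an unsigned type wide enough for the all-ones mask `constant_time_ge()` returns so the `&=` cannot truncate it.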
diff --git a/crypto/evp/e_aes_cbc_hmac_sha256.c b/crypto/evp/e_aes_cbc_hmac_sha256.c
index 956cd58..3ac59ab 100644
--- a/crypto/evp/e_aes_cbc_hmac_sha256.c
+++ b/crypto/evp/e_aes_cbc_hmac_sha256.c
@@ -59,6 +59,7 @@
 #include <openssl/sha.h>
 #include <openssl/rand.h>
 #include "modes_lcl.h"
+#include "internal/constant_time_locl.h"
 #include "internal/evp_int.h"
 
 #ifndef EVP_CIPH_FLAG_AEAD_CIPHER
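Review bot: the new include is placed before "internal/evp_int.h" here but after it in e_aes_cbc_hmac_sha1.c; use one order in both files.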
@@ -594,6 +595,8 @@ static int aesni_cbc_hmac_sha256_cipher(EVP_CIPHER_CTX *ctx,
             maxpad |= (255 - maxpad) >> (sizeof(maxpad) * 8 - 8);
             maxpad &= 255;
 
+            ret &= constant_time_ge(maxpad, pad);
+
             inp_len = len - (SHA256_DIGEST_LENGTH + pad + 1);
             mask = (0 - ((inp_len - len) >> (sizeof(inp_len) * 8 - 1)));
             inp_len &= mask;
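Review bot: the check is duplicated from the SHA-1 variant, which is acceptable given the two files are already parallel, but nothing in this push tests it: the summary shows only the two evp files touched for CVE-2016-2107. A regression test that runs a record with a final padding byte larger than the record can hold through the AES-NI stitched ciphers and expects the MAC-failure path would guard against this check being lost again.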
diff --git a/test/d2i-tests/bad-int-pad0.der b/test/d2i-tests/bad-int-pad0.der
new file mode 100644
index 0000000..46f6092
Binary files /dev/null and b/test/d2i-tests/bad-int-pad0.der differ
diff --git a/test/d2i-tests/bad-int-padminus1.der b/test/d2i-tests/bad-int-padminus1.der
new file mode 100644
index 0000000..a4b6bb9
--- /dev/null
+++ b/test/d2i-tests/bad-int-padminus1.der
@@ -0,0 +1 @@
+ÿÿ
\ No newline at end of file
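Review bot: three of the six new .der vectors are shown as text diffs with unprintable bytes while the other three are detected as binary; add `*.der binary` to .gitattributes so reviewers see consistent "Binary files differ" output and editors cannot mangle the vectors.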
diff --git a/test/d2i-tests/high_tag.der b/test/d2i-tests/high_tag.der
new file mode 100644
index 0000000..5c523ec
Binary files /dev/null and b/test/d2i-tests/high_tag.der differ
diff --git a/test/d2i-tests/int0.der b/test/d2i-tests/int0.der
new file mode 100644
index 0000000..bbfb76b
Binary files /dev/null and b/test/d2i-tests/int0.der differ
diff --git a/test/d2i-tests/int1.der b/test/d2i-tests/int1.der
new file mode 100644
index 0000000..26dd6b1
--- /dev/null
+++ b/test/d2i-tests/int1.der
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/test/d2i-tests/intminus1.der b/test/d2i-tests/intminus1.der
new file mode 100644
index 0000000..e7c1cea
--- /dev/null
+++ b/test/d2i-tests/intminus1.der
@@ -0,0 +1 @@
+ÿ
\ No newline at end of file
diff --git a/test/d2i_test.c b/test/d2i_test.c
index 78adf48..19bf4a6 100644
--- a/test/d2i_test.c
+++ b/test/d2i_test.c
@@ -148,7 +148,8 @@ int main(int argc, char **argv)
     static ASN1_ITEM_EXP *items[] = {
         ASN1_ITEM_ref(ASN1_ANY),
         ASN1_ITEM_ref(X509),
-        ASN1_ITEM_ref(GENERAL_NAME)
+        ASN1_ITEM_ref(GENERAL_NAME),
+        ASN1_ITEM_ref(ASN1_INTEGER)
     };
 
     static error_enum expected_errors[] = {
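Review bot: adding ASN1_ITEM_ref(ASN1_INTEGER) to items[] is all the harness needs provided lookup is by name; check that expected_errors[] just below is not a parallel array that also needs an entry.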
diff --git a/test/recipes/25-test_d2i.t b/test/recipes/25-test_d2i.t
index 9e1a643..77afe3f 100644
--- a/test/recipes/25-test_d2i.t
+++ b/test/recipes/25-test_d2i.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_d2i");
 
-plan tests => 3;
+plan tests => 13;
 
 ok(run(test(["d2i_test", "X509", "decode",
              srctop_file('test','d2i-tests','bad_cert.der')])),
@@ -28,3 +28,54 @@ ok(run(test(["d2i_test", "GENERAL_NAME", "decode",
 ok(run(test(["d2i_test", "ASN1_ANY", "BIO",
              srctop_file('test','d2i-tests','bad_bio.der')])),
    "Running d2i_test bad_bio.der");
+# This test checks CVE-2016-2108. The data consists of an tag 258 and
+# two zero content octets. This is parsed as an ASN1_ANY type. If the
+# type is incorrectly interpreted as an ASN.1 INTEGER the two zero content
+# octets will be reject as invalid padding and this test will fail.
+# If the type is correctly interpreted it will by treated as an ASN1_STRING
+# type and the content octets copied verbatim.
+ok(run(test(["d2i_test", "ASN1_ANY", "OK",
+             srctop_file('test','d2i-tests','high_tag.der')])),
+   "Running d2i_test high_tag.der");
+
+# Above test data but interpeted as ASN.1 INTEGER: this will be rejected
+# because the tag is invalid.
+ok(run(test(["d2i_test", "ASN1_INTEGER", "decode",
+             srctop_file('test','d2i-tests','high_tag.der')])),
+   "Running d2i_test high_tag.der INTEGER");
+
+# Parse valid 0, 1 and -1 ASN.1 INTEGER as INTEGER or ANY.
+
+ok(run(test(["d2i_test", "ASN1_INTEGER", "OK",
+             srctop_file('test','d2i-tests','int0.der')])),
+   "Running d2i_test int0.der INTEGER");
+
+ok(run(test(["d2i_test", "ASN1_INTEGER", "OK",
+             srctop_file('test','d2i-tests','int1.der')])),
+   "Running d2i_test int1.der INTEGER");
+
+ok(run(test(["d2i_test", "ASN1_INTEGER", "OK",
+             srctop_file('test','d2i-tests','intminus1.der')])),
+   "Running d2i_test intminus1.der INTEGER");
+
+ok(run(test(["d2i_test", "ASN1_ANY", "OK",
+             srctop_file('test','d2i-tests','int0.der')])),
+   "Running d2i_test int0.der ANY");
+
+ok(run(test(["d2i_test", "ASN1_ANY", "OK",
+             srctop_file('test','d2i-tests','int1.der')])),
+   "Running d2i_test int1.der ANY");
+
+ok(run(test(["d2i_test", "ASN1_ANY", "OK",
+             srctop_file('test','d2i-tests','intminus1.der')])),
+   "Running d2i_test intminus1.der ANY");
+
+# Integers with illegal additional padding.
+
+ok(run(test(["d2i_test", "ASN1_INTEGER", "decode",
+             srctop_file('test','d2i-tests','bad-int-pad0.der')])),
+   "Running d2i_test bad-int-pad0.der INTEGER");
+
+ok(run(test(["d2i_test", "ASN1_INTEGER", "decode",
+             srctop_file('test','d2i-tests','bad-int-padminus1.der')])),
+   "Running d2i_test bad-int-padminus1.der INTEGER");
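Review bot: typos in the new comments: "an tag 258" (a tag), "will be reject" (rejected), "will by treated" (be treated), "interpeted" (interpreted). More substantively, the comment says the high_tag vector is treated as an ASN1_STRING with the content octets copied verbatim, but the test only asserts that decoding returns "OK"; if d2i_test can compare re-encoded output, asserting that the two zero octets round-trip unchanged would pin down the behaviour rather than just the absence of an error.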

