[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Thu Nov 2 14:54:36 UTC 2017 

The branch master has been updated
       via  de8c19cddd5c08b95f3872f6ce694dcd0f7ca58d (commit)
       via  420b88cec8c6f7c67fad07bf508dcccab094f134 (commit)
       via  668a709a8d7ea374ee72ad2d43ac72ec60a80eee (commit)
      from  bd6eba79d70677f891f1bb55b6f5bc5602c47cbc (commit)


- Log -----------------------------------------------------------------
commit de8c19cddd5c08b95f3872f6ce694dcd0f7ca58d
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Nov 2 11:23:17 2017 +0000

    Update CHANGES and NEWS for new release
    
    Reviewed-by: Andy Polyakov <appro at openssl.org>

commit 420b88cec8c6f7c67fad07bf508dcccab094f134
Author: Andy Polyakov <appro at openssl.org>
Date:   Fri Aug 18 00:06:57 2017 +0200

    test/bntest.c: add bn_sqrx8x_internal regression test.
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 668a709a8d7ea374ee72ad2d43ac72ec60a80eee
Author: Andy Polyakov <appro at openssl.org>
Date:   Thu Aug 17 21:08:57 2017 +0200

    bn/asm/x86_64-mont5.pl: fix carry bug in bn_sqrx8x_internal.
    
    Credit to OSS-Fuzz for finding this.
    
    CVE-2017-3736
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 CHANGES                       | 34 ++++++++++++++++++++++++++++++
 NEWS                          |  5 +++++
 crypto/bn/asm/x86_64-mont5.pl | 12 +++++++++--
 test/bntest.c                 | 48 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 97 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 9ef85d6..392bceb 100644
--- a/CHANGES
+++ b/CHANGES
@@ -177,6 +177,40 @@
      issues, has been replaced to always returns NULL.
      [Rich Salz]
 
+
+ Changes between 1.1.0f and 1.1.0g [2 Nov 2017]
+
+  *) bn_sqrx8x_internal carry bug on x86_64
+
+     There is a carry propagating bug in the x86_64 Montgomery squaring
+     procedure. No EC algorithms are affected. Analysis suggests that attacks
+     against RSA and DSA as a result of this defect would be very difficult to
+     perform and are not believed likely. Attacks against DH are considered just
+     feasible (although very difficult) because most of the work necessary to
+     deduce information about a private key may be performed offline. The amount
+     of resources required for such an attack would be very significant and
+     likely only accessible to a limited number of attackers. An attacker would
+     additionally need online access to an unpatched system using the target
+     private key in a scenario with persistent DH parameters and a private
+     key that is shared between multiple clients.
+
+     This only affects processors that support the BMI1, BMI2 and ADX extensions
+     like Intel Broadwell (5th generation) and later or AMD Ryzen.
+
+     This issue was reported to OpenSSL by the OSS-Fuzz project.
+     (CVE-2017-3736)
+     [Andy Polyakov]
+
+  *) Malformed X.509 IPAddressFamily could cause OOB read
+
+     If an X.509 certificate has a malformed IPAddressFamily extension,
+     OpenSSL could do a one-byte buffer overread. The most likely result
+     would be an erroneous display of the certificate in text format.
+
+     This issue was reported to OpenSSL by the OSS-Fuzz project.
+     (CVE-2017-3735)
+     [Rich Salz]
+
  Changes between 1.1.0e and 1.1.0f [25 May 2017]
 
   *) Have 'config' recognise 64-bit mingw and choose 'mingw64' as the target
diff --git a/NEWS b/NEWS
index 846ca1d..e04a7f4 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,11 @@
       o Add a STORE module (OSSL_STORE)
       o Claim the namespaces OSSL and OPENSSL, represented as symbol prefixes
 
+  Major changes between OpenSSL 1.1.0f and OpenSSL 1.1.0g [2 Nov 2017]
+
+      o bn_sqrx8x_internal carry bug on x86_64 (CVE-2017-3736)
+      o Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)
+
   Major changes between OpenSSL 1.1.0e and OpenSSL 1.1.0f [25 May 2017]
 
       o config now recognises 64-bit mingw and chooses mingw64 instead of mingw
diff --git a/crypto/bn/asm/x86_64-mont5.pl b/crypto/bn/asm/x86_64-mont5.pl
index 9c77642..1666fbd 100755
--- a/crypto/bn/asm/x86_64-mont5.pl
+++ b/crypto/bn/asm/x86_64-mont5.pl
@@ -3206,11 +3206,19 @@ $code.=<<___;
 
 .align	32
 .Lsqrx8x_break:
-	sub	16+8(%rsp),%r8		# consume last carry
+	xor	$zero,$zero
+	sub	16+8(%rsp),%rbx		# mov 16(%rsp),%cf
+	adcx	$zero,%r8
 	mov	24+8(%rsp),$carry	# initial $tptr, borrow $carry
+	adcx	$zero,%r9
 	mov	0*8($aptr),%rdx		# a[8], modulo-scheduled
-	xor	%ebp,%ebp		# xor	$zero,$zero
+	adc	\$0,%r10
 	mov	%r8,0*8($tptr)
+	adc	\$0,%r11
+	adc	\$0,%r12
+	adc	\$0,%r13
+	adc	\$0,%r14
+	adc	\$0,%r15
 	cmp	$carry,$tptr		# cf=0, of=0
 	je	.Lsqrx8x_outer_loop
 
diff --git a/test/bntest.c b/test/bntest.c
index 6f1f5d7..96b1638 100644
--- a/test/bntest.c
+++ b/test/bntest.c
@@ -389,6 +389,54 @@ static int test_modexp_mont5(void)
     if (!TEST_BN_eq(c, d))
         goto err;
 
+    /* Regression test for carry bug in bn_sqrx8x_internal */
+    {
+        static const char *ahex[] = {
+                      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FFEADBCFC4DAE7FFF908E92820306B",
+            "9544D954000000006C0000000000000000000000000000000000000000000000",
+            "00000000000000000000FF030202FFFFF8FFEBDBCFC4DAE7FFF908E92820306B",
+            "9544D954000000006C000000FF0302030000000000FFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF01FC00FF02FFFFFFFF",
+            "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FCFD",
+            "FCFFFFFFFFFF000000000000000000FF0302030000000000FFFFFFFFFFFFFFFF",
+            "FF00FCFDFDFF030202FF00000000FFFFFFFFFFFFFFFFFF00FCFDFCFFFFFFFFFF",
+            NULL
+	};
+        static const char *nhex[] = {
+                      "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8F8F8F8000000",
+            "00000010000000006C0000000000000000000000000000000000000000000000",
+            "00000000000000000000000000000000000000FFFFFFFFFFFFF8F8F8F8000000",
+            "00000010000000006C000000000000000000000000FFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "00FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFF000000000000000000000000000000000000FFFFFFFFFFFFFFFF",
+            "FFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+            NULL
+	};
+
+        bigstring = glue(ahex);
+        BN_hex2bn(&a, bigstring);
+        OPENSSL_free(bigstring);
+        bigstring = glue(nhex);
+        BN_hex2bn(&n, bigstring);
+        OPENSSL_free(bigstring);
+    }
+    BN_free(b);
+    b = BN_dup(a);
+    BN_MONT_CTX_set(mont, n, ctx);
+    BN_mod_mul_montgomery(c, a, a, mont, ctx);
+    BN_mod_mul_montgomery(d, a, b, mont, ctx);
+    if (!TEST_BN_eq(c, d))
+        goto err;
+
     /* Zero input */
     BN_bntest_rand(p, 1024, 0, 0);
     BN_zero(a);

More information about the openssl-commits mailing list