[openssl] OpenSSL_1_0_2-stable update
Matt Caswell
matt at openssl.org
Tue Feb 26 14:38:27 UTC 2019
The branch OpenSSL_1_0_2-stable has been updated
via 56ff0f643482b19f7b2d7ed532dfb94ed3a4e294 (commit)
via b34cf4eb616446a1ee7bd0db0a625edf25047342 (commit)
via 28c43df9288c50be6e03ee5b52dfc0e261d9eb60 (commit)
via 48c8bcf5bca0ce7751f49599381e143de1b61786 (commit)
via e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e (commit)
from c81f16952bca7793074ac926b17aed3364db2c84 (commit)
- Log -----------------------------------------------------------------
commit 56ff0f643482b19f7b2d7ed532dfb94ed3a4e294
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 26 14:21:45 2019 +0000
Prepare for 1.0.2s-dev
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit b34cf4eb616446a1ee7bd0db0a625edf25047342
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 26 14:20:55 2019 +0000
Prepare for 1.0.2r release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 28c43df9288c50be6e03ee5b52dfc0e261d9eb60
Author: Matt Caswell <matt at openssl.org>
Date: Tue Feb 26 10:21:24 2019 +0000
Updates CHANGES and NEWS for the new release
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit 48c8bcf5bca0ce7751f49599381e143de1b61786
Author: Matt Caswell <matt at openssl.org>
Date: Wed Feb 20 14:21:36 2019 +0000
Clarify that SSL_shutdown() must not be called after a fatal error
Follow on from CVE-2019-1559
Reviewed-by: Richard Levitte <levitte at openssl.org>
commit e9bbefbf0f24c57645e7ad6a5a71ae649d18ac8e
Author: Matt Caswell <matt at openssl.org>
Date: Fri Dec 14 07:28:30 2018 +0000
Go into the error state if a fatal alert is sent or received
If an application calls SSL_shutdown after a fatal alert has occured and
then behaves different based on error codes from that function then the
application may be vulnerable to a padding oracle.
CVE-2019-1559
Reviewed-by: Richard Levitte <levitte at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
CHANGES | 28 +++++++++++++++++++++++++++-
NEWS | 6 +++++-
README | 2 +-
crypto/opensslv.h | 6 +++---
doc/ssl/SSL_get_error.pod | 13 ++++++++-----
doc/ssl/SSL_shutdown.pod | 4 ++++
openssl.spec | 2 +-
ssl/d1_pkt.c | 1 +
ssl/s3_pkt.c | 10 +++++++---
9 files changed, 57 insertions(+), 15 deletions(-)
diff --git a/CHANGES b/CHANGES
index bc805bf..7080ac2 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,7 +7,33 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
- Changes between 1.0.2q and 1.0.2r [xx XXX xxxx]
+ Changes between 1.0.2r and 1.0.2s [xx XXX xxxx]
+
+ *)
+
+ Changes between 1.0.2q and 1.0.2r [26 Feb 2019]
+
+ *) 0-byte record padding oracle
+
+ If an application encounters a fatal protocol error and then calls
+ SSL_shutdown() twice (once to send a close_notify, and once to receive one)
+ then OpenSSL can respond differently to the calling application if a 0 byte
+ record is received with invalid padding compared to if a 0 byte record is
+ received with an invalid MAC. If the application then behaves differently
+ based on that in a way that is detectable to the remote peer, then this
+ amounts to a padding oracle that could be used to decrypt data.
+
+ In order for this to be exploitable "non-stitched" ciphersuites must be in
+ use. Stitched ciphersuites are optimised implementations of certain
+ commonly used ciphersuites. Also the application must call SSL_shutdown()
+ twice even if a protocol error has occurred (applications should not do
+ this but some do anyway).
+
+ This issue was discovered by Juraj Somorovsky, Robert Merget and Nimrod
+ Aviram, with additional investigation by Steven Collison and Andrew
+ Hourselt. It was reported to OpenSSL on 10th December 2018.
+ (CVE-2019-1559)
+ [Matt Caswell]
*) Move strictness check from EVP_PKEY_asn1_new() to EVP_PKEY_asn1_add0().
[Richard Levitte]
diff --git a/NEWS b/NEWS
index 566ce43..a92af92 100644
--- a/NEWS
+++ b/NEWS
@@ -5,10 +5,14 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
- Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [under development]
+ Major changes between OpenSSL 1.0.2r and OpenSSL 1.0.2s [under development]
o
+ Major changes between OpenSSL 1.0.2q and OpenSSL 1.0.2r [26 Feb 2019]
+
+ o 0-byte record padding oracle (CVE-2019-1559)
+
Major changes between OpenSSL 1.0.2p and OpenSSL 1.0.2q [20 Nov 2018]
o Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
diff --git a/README b/README
index a288fd6..93d66d7 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.0.2r-dev
+ OpenSSL 1.0.2s-dev
Copyright (c) 1998-2018 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/opensslv.h b/crypto/opensslv.h
index f808f1e..752c66d 100644
--- a/crypto/opensslv.h
+++ b/crypto/opensslv.h
@@ -30,11 +30,11 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x10002120L
+# define OPENSSL_VERSION_NUMBER 0x10002130L
# ifdef OPENSSL_FIPS
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-fips-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-fips-dev xx XXX xxxx"
# else
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2r-dev xx XXX xxxx"
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.0.2s-dev xx XXX xxxx"
# endif
# define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT
diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod
index 2a93894..7537616 100644
--- a/doc/ssl/SSL_get_error.pod
+++ b/doc/ssl/SSL_get_error.pod
@@ -90,14 +90,17 @@ Details depend on the application.
=item SSL_ERROR_SYSCALL
-Some non-recoverable I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-For socket I/O on Unix systems, consult B<errno> for details.
+Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
+contain more information on the error. For socket I/O on Unix systems, consult
+B<errno> for details. If this error occurs then no further I/O operations should
+be performed on the connection and SSL_shutdown() must not be called.
=item SSL_ERROR_SSL
-A failure in the SSL library occurred, usually a protocol error. The
-OpenSSL error queue contains more information on the error.
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
+error. The OpenSSL error queue contains more information on the error. If this
+error occurs then no further I/O operations should be performed on the
+connection and SSL_shutdown() must not be called.
=back
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
index efbff5a..e2a776c 100644
--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
a currently open session is considered closed and good and will be kept in the
session cache for further reuse.
+Note that SSL_shutdown() must not be called if a previous fatal error has
+occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
+or SSL_ERROR_SSL.
+
The shutdown procedure consists of 2 steps: the sending of the "close notify"
shutdown alert and the reception of the peer's "close notify" shutdown
alert. According to the TLS standard, it is acceptable for an application
diff --git a/openssl.spec b/openssl.spec
index b42b739..7e94a22 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -7,7 +7,7 @@ Release: 1
Summary: Secure Sockets Layer and cryptography libraries and tools
Name: openssl
-Version: 1.0.2r
+Version: 1.0.2s
Source0: ftp://ftp.openssl.org/source/%{name}-%{version}.tar.gz
License: OpenSSL
Group: System Environment/Libraries
diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c
index 23aa9db..c7fe977 100644
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->session_ctx, s->session);
+ s->state = SSL_ST_ERR;
return (0);
} else {
al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 6527df8..830b723 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
ERR_add_error_data(2, "SSL alert number ", tmp);
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
SSL_CTX_remove_session(s->session_ctx, s->session);
+ s->state = SSL_ST_ERR;
return (0);
} else {
al = SSL_AD_ILLEGAL_PARAMETER;
@@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, int desc)
* protocol_version alerts */
if (desc < 0)
return -1;
- /* If a fatal one, remove from cache */
- if ((level == 2) && (s->session != NULL))
- SSL_CTX_remove_session(s->session_ctx, s->session);
+ /* If a fatal one, remove from cache and go into the error state */
+ if (level == SSL3_AL_FATAL) {
+ if (s->session != NULL)
+ SSL_CTX_remove_session(s->session_ctx, s->session);
+ s->state = SSL_ST_ERR;
+ }
s->s3->alert_dispatch = 1;
s->s3->send_alert[0] = level;
More information about the openssl-commits
mailing list