Date: Tue, 13 Jan 2009 21:19:28 +0000 (UTC) From: "Simon L. Nielsen" <simon@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r187194 - head/contrib/ntp/ntpd releng/6.3 releng/6.3/contrib/bind9/lib/dns releng/6.3/contrib/ntp/ntpd releng/6.3/sys/conf releng/6.4 releng/6.4/contrib/bind9/lib/dns releng/6.4/contri... Message-ID: <200901132119.n0DLJSnW016447@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: simon Date: Tue Jan 13 21:19:27 2009 New Revision: 187194 URL: http://svn.freebsd.org/changeset/base/187194 Log: Correct ntpd(8) cryptographic signature bypass [SA-09:04]. Correct BIND DNSSEC incorrect checks for malformed signatures [SA-09:04]. Security: FreeBSD-SA-09:03.ntpd Security: FreeBSD-SA-09:04.bind Obtained from: ISC [SA-09:04] Approved by: so (simon) Modified: releng/6.3/UPDATING releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c releng/6.3/contrib/ntp/ntpd/ntp_crypto.c releng/6.3/sys/conf/newvers.sh releng/6.4/UPDATING releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c releng/6.4/contrib/ntp/ntpd/ntp_crypto.c releng/6.4/sys/conf/newvers.sh releng/7.0/UPDATING releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c releng/7.0/contrib/ntp/ntpd/ntp_crypto.c releng/7.0/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c releng/7.1/contrib/ntp/ntpd/ntp_crypto.c releng/7.1/sys/conf/newvers.sh Changes in other areas also in this revision: Modified: head/contrib/ntp/ntpd/ntp_crypto.c stable/6/contrib/ntp/ntpd/ntp_crypto.c stable/7/contrib/ntp/ntpd/ntp_crypto.c Modified: releng/6.3/UPDATING ============================================================================== --- releng/6.3/UPDATING Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.3/UPDATING Tue Jan 13 21:19:27 2009 (r187194) @@ -8,6 +8,12 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090113: p9 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind + Correct ntpd cryptographic signature bypass. [09:03] + + Correct BIND DNSSEC incorrect checks for malformed + signatures. [09:04] + 20090107: p8 FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl Prevent cross-site forgery attacks on lukemftpd(8) due to splitting long commands into multiple requests. [09:01] Modified: releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); DSA_SIG_free(dsasig); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c ============================================================================== --- releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c status = RSA_verify(type, digest, digestlen, sig->base, RSA_size(rsa), rsa); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/6.3/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- releng/6.3/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.3/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:27 2009 (r187194) @@ -1536,7 +1536,7 @@ crypto_verify( EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12); if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, - pkey)) { + pkey) == 1) { if (peer->crypto & CRYPTO_FLAG_VRFY) peer->crypto |= CRYPTO_FLAG_PROV; } else { Modified: releng/6.3/sys/conf/newvers.sh ============================================================================== --- releng/6.3/sys/conf/newvers.sh Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.3/sys/conf/newvers.sh Tue Jan 13 21:19:27 2009 (r187194) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.3" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/6.4/UPDATING ============================================================================== --- releng/6.4/UPDATING Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.4/UPDATING Tue Jan 13 21:19:27 2009 (r187194) @@ -8,6 +8,12 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090113: p9 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind + Correct ntpd cryptographic signature bypass. [09:03] + + Correct BIND DNSSEC incorrect checks for malformed + signatures. [09:04] + 20090107: p2 FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl Prevent cross-site forgery attacks on lukemftpd(8) due to splitting long commands into multiple requests. [09:01] Modified: releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); DSA_SIG_free(dsasig); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c ============================================================================== --- releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c status = RSA_verify(type, digest, digestlen, sig->base, RSA_size(rsa), rsa); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/6.4/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- releng/6.4/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.4/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:27 2009 (r187194) @@ -1612,7 +1612,7 @@ crypto_verify( */ EVP_VerifyInit(&ctx, peer->digest); EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12); - if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey)) + if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0) return (XEVNT_SIG); if (peer->crypto & CRYPTO_FLAG_VRFY) { Modified: releng/6.4/sys/conf/newvers.sh ============================================================================== --- releng/6.4/sys/conf/newvers.sh Tue Jan 13 21:19:02 2009 (r187193) +++ releng/6.4/sys/conf/newvers.sh Tue Jan 13 21:19:27 2009 (r187194) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="6.4" -BRANCH="RELEASE-p2" +BRANCH="RELEASE-p3" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.0/UPDATING ============================================================================== --- releng/7.0/UPDATING Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.0/UPDATING Tue Jan 13 21:19:27 2009 (r187194) @@ -8,6 +8,12 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090113: p9 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind + Correct ntpd cryptographic signature bypass. [09:03] + + Correct BIND DNSSEC incorrect checks for malformed + signatures. [09:04] + 20090107: p8 FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl Prevent cross-site forgery attacks on lukemftpd(8) due to splitting long commands into multiple requests. [09:01] Modified: releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c ============================================================================== --- releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); DSA_SIG_free(dsasig); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c ============================================================================== --- releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c status = RSA_verify(type, digest, digestlen, sig->base, RSA_size(rsa), rsa); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/7.0/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- releng/7.0/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.0/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:27 2009 (r187194) @@ -1536,7 +1536,7 @@ crypto_verify( EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12); if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, - pkey)) { + pkey) == 1) { if (peer->crypto & CRYPTO_FLAG_VRFY) peer->crypto |= CRYPTO_FLAG_PROV; } else { Modified: releng/7.0/sys/conf/newvers.sh ============================================================================== --- releng/7.0/sys/conf/newvers.sh Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.0/sys/conf/newvers.sh Tue Jan 13 21:19:27 2009 (r187194) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.0" -BRANCH="RELEASE-p8" +BRANCH="RELEASE-p9" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/7.1/UPDATING ============================================================================== --- releng/7.1/UPDATING Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.1/UPDATING Tue Jan 13 21:19:27 2009 (r187194) @@ -8,6 +8,12 @@ Items affecting the ports and packages s /usr/ports/UPDATING. Please read that file before running portupgrade. +20090113: p2 FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind + Correct ntpd cryptographic signature bypass. [09:03] + + Correct BIND DNSSEC incorrect checks for malformed + signatures. [09:04] + 20090107: p1 FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl Prevent cross-site forgery attacks on lukemftpd(8) due to splitting long commands into multiple requests. [09:01] Modified: releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c ============================================================================== --- releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa); DSA_SIG_free(dsasig); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c ============================================================================== --- releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c Tue Jan 13 21:19:27 2009 (r187194) @@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c status = RSA_verify(type, digest, digestlen, sig->base, RSA_size(rsa), rsa); - if (status == 0) + if (status != 1) return (dst__openssl_toresult(DST_R_VERIFYFAILURE)); return (ISC_R_SUCCESS); Modified: releng/7.1/contrib/ntp/ntpd/ntp_crypto.c ============================================================================== --- releng/7.1/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.1/contrib/ntp/ntpd/ntp_crypto.c Tue Jan 13 21:19:27 2009 (r187194) @@ -1612,7 +1612,7 @@ crypto_verify( */ EVP_VerifyInit(&ctx, peer->digest); EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12); - if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey)) + if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0) return (XEVNT_SIG); if (peer->crypto & CRYPTO_FLAG_VRFY) { Modified: releng/7.1/sys/conf/newvers.sh ============================================================================== --- releng/7.1/sys/conf/newvers.sh Tue Jan 13 21:19:02 2009 (r187193) +++ releng/7.1/sys/conf/newvers.sh Tue Jan 13 21:19:27 2009 (r187194) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="7.1" -BRANCH="RELEASE-p1" +BRANCH="RELEASE-p2" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200901132119.n0DLJSnW016447>