From owner-svn-src-all@FreeBSD.ORG  Tue Jan 13 21:19:30 2009
Return-Path: <owner-svn-src-all@FreeBSD.ORG>
Delivered-To: svn-src-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 4FF741065686;
	Tue, 13 Jan 2009 21:19:29 +0000 (UTC)
	(envelope-from simon@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c])
	by mx1.freebsd.org (Postfix) with ESMTP id 37B468FC16;
	Tue, 13 Jan 2009 21:19:29 +0000 (UTC)
	(envelope-from simon@FreeBSD.org)
Received: from svn.freebsd.org (localhost [127.0.0.1])
	by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id n0DLJTLD016467;
	Tue, 13 Jan 2009 21:19:29 GMT (envelope-from simon@svn.freebsd.org)
Received: (from simon@localhost)
	by svn.freebsd.org (8.14.3/8.14.3/Submit) id n0DLJSnW016447;
	Tue, 13 Jan 2009 21:19:28 GMT (envelope-from simon@svn.freebsd.org)
Message-Id: <200901132119.n0DLJSnW016447@svn.freebsd.org>
From: "Simon L. Nielsen" <simon@FreeBSD.org>
Date: Tue, 13 Jan 2009 21:19:28 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org,
	svn-src-releng@freebsd.org
X-SVN-Group: releng
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cc: 
Subject: svn commit: r187194 - head/contrib/ntp/ntpd releng/6.3
	releng/6.3/contrib/bind9/lib/dns releng/6.3/contrib/ntp/ntpd
	releng/6.3/sys/conf releng/6.4
	releng/6.4/contrib/bind9/lib/dns releng/6.4/contri...
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for &quot;
	user&quot; and &quot; projects&quot; \)" <svn-src-all.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-src-all>
List-Post: <mailto:svn-src-all@freebsd.org>
List-Help: <mailto:svn-src-all-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-src-all>,
	<mailto:svn-src-all-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jan 2009 21:19:31 -0000

Author: simon
Date: Tue Jan 13 21:19:27 2009
New Revision: 187194
URL: http://svn.freebsd.org/changeset/base/187194

Log:
  Correct ntpd(8) cryptographic signature bypass [SA-09:04].
  
  Correct BIND DNSSEC incorrect checks for malformed signatures
  [SA-09:04].
  
  Security:	FreeBSD-SA-09:03.ntpd
  Security:	FreeBSD-SA-09:04.bind
  Obtained from:	ISC [SA-09:04]
  Approved by:	so (simon)

Modified:
  releng/6.3/UPDATING
  releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c
  releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
  releng/6.3/sys/conf/newvers.sh
  releng/6.4/UPDATING
  releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c
  releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
  releng/6.4/sys/conf/newvers.sh
  releng/7.0/UPDATING
  releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c
  releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/7.0/contrib/ntp/ntpd/ntp_crypto.c
  releng/7.0/sys/conf/newvers.sh
  releng/7.1/UPDATING
  releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c
  releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c
  releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
  releng/7.1/sys/conf/newvers.sh

Changes in other areas also in this revision:
Modified:
  head/contrib/ntp/ntpd/ntp_crypto.c
  stable/6/contrib/ntp/ntpd/ntp_crypto.c
  stable/7/contrib/ntp/ntpd/ntp_crypto.c

Modified: releng/6.3/UPDATING
==============================================================================
--- releng/6.3/UPDATING	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.3/UPDATING	Tue Jan 13 21:19:27 2009	(r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:	p9	FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+	Correct ntpd cryptographic signature bypass. [09:03]
+
+	Correct BIND DNSSEC incorrect checks for malformed
+	signatures. [09:04]
+
 20090107:	p8	FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
 	Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
 	long commands into multiple requests. [09:01]

Modified: releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.3/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
 	DSA_SIG_free(dsasig);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.3/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/6.3/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/6.3/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.3/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -1536,7 +1536,7 @@ crypto_verify(
 		EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen +
 		    12);
 		if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
-		    pkey)) {
+		    pkey) == 1) {
 			if (peer->crypto & CRYPTO_FLAG_VRFY)
 				peer->crypto |= CRYPTO_FLAG_PROV;
 		} else {

Modified: releng/6.3/sys/conf/newvers.sh
==============================================================================
--- releng/6.3/sys/conf/newvers.sh	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.3/sys/conf/newvers.sh	Tue Jan 13 21:19:27 2009	(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="6.3"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.4/UPDATING	Tue Jan 13 21:19:27 2009	(r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:	p9	FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+	Correct ntpd cryptographic signature bypass. [09:03]
+
+	Correct BIND DNSSEC incorrect checks for malformed
+	signatures. [09:04]
+
 20090107:	p2	FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
 	Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
 	long commands into multiple requests. [09:01]

Modified: releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.4/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
 	DSA_SIG_free(dsasig);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.4/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/6.4/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/6.4/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.4/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -1612,7 +1612,7 @@ crypto_verify(
 	 */
 	EVP_VerifyInit(&ctx, peer->digest);
 	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
-	if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey))
+	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
 		return (XEVNT_SIG);
 
 	if (peer->crypto & CRYPTO_FLAG_VRFY) {

Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/6.4/sys/conf/newvers.sh	Tue Jan 13 21:19:27 2009	(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="6.4"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.0/UPDATING
==============================================================================
--- releng/7.0/UPDATING	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.0/UPDATING	Tue Jan 13 21:19:27 2009	(r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:	p9	FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+	Correct ntpd cryptographic signature bypass. [09:03]
+
+	Correct BIND DNSSEC incorrect checks for malformed
+	signatures. [09:04]
+
 20090107:	p8	FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
 	Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
 	long commands into multiple requests. [09:01]

Modified: releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.0/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
 	DSA_SIG_free(dsasig);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.0/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/7.0/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/7.0/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.0/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -1536,7 +1536,7 @@ crypto_verify(
 		EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen +
 		    12);
 		if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen,
-		    pkey)) {
+		    pkey) == 1) {
 			if (peer->crypto & CRYPTO_FLAG_VRFY)
 				peer->crypto |= CRYPTO_FLAG_PROV;
 		} else {

Modified: releng/7.0/sys/conf/newvers.sh
==============================================================================
--- releng/7.0/sys/conf/newvers.sh	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.0/sys/conf/newvers.sh	Tue Jan 13 21:19:27 2009	(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.0"
-BRANCH="RELEASE-p8"
+BRANCH="RELEASE-p9"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.1/UPDATING	Tue Jan 13 21:19:27 2009	(r187194)
@@ -8,6 +8,12 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20090113:	p2	FreeBSD-SA-09:03.ntpd, FreeBSD-SA-09:04.bind
+	Correct ntpd cryptographic signature bypass. [09:03]
+
+	Correct BIND DNSSEC incorrect checks for malformed
+	signatures. [09:04]
+
 20090107:	p1	FreeBSD-SA-09:01.lukemftpd, FreeBSD-SA-09:02.openssl
 	Prevent cross-site forgery attacks on lukemftpd(8) due to splitting
 	long commands into multiple requests. [09:01]

Modified: releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.1/contrib/bind9/lib/dns/openssldsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -133,7 +133,7 @@ openssldsa_verify(dst_context_t *dctx, c
 
 	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
 	DSA_SIG_free(dsasig);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c
==============================================================================
--- releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.1/contrib/bind9/lib/dns/opensslrsa_link.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -246,7 +246,7 @@ opensslrsa_verify(dst_context_t *dctx, c
 
 	status = RSA_verify(type, digest, digestlen, sig->base,
 			    RSA_size(rsa), rsa);
-	if (status == 0)
+	if (status != 1)
 		return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
 
 	return (ISC_R_SUCCESS);

Modified: releng/7.1/contrib/ntp/ntpd/ntp_crypto.c
==============================================================================
--- releng/7.1/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.1/contrib/ntp/ntpd/ntp_crypto.c	Tue Jan 13 21:19:27 2009	(r187194)
@@ -1612,7 +1612,7 @@ crypto_verify(
 	 */
 	EVP_VerifyInit(&ctx, peer->digest);
 	EVP_VerifyUpdate(&ctx, (u_char *)&ep->tstamp, vallen + 12);
-	if (!EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey))
+	if (EVP_VerifyFinal(&ctx, (u_char *)&ep->pkt[i], siglen, pkey) <= 0)
 		return (XEVNT_SIG);
 
 	if (peer->crypto & CRYPTO_FLAG_VRFY) {

Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh	Tue Jan 13 21:19:02 2009	(r187193)
+++ releng/7.1/sys/conf/newvers.sh	Tue Jan 13 21:19:27 2009	(r187194)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.1"
-BRANCH="RELEASE-p1"
+BRANCH="RELEASE-p2"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi