From owner-svn-src-all@FreeBSD.ORG Fri Dec 3 22:59:55 2010
Message-Id: <201012032259.oB3MxsjT044875@svn.freebsd.org>
From: "Simon L. Nielsen"
Date: Fri, 3 Dec 2010 22:59:54 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r216166 - in head/crypto/openssl: . crypto crypto/evp crypto/jpake crypto/stack doc/ssl ssl

Author: simon
Date: Fri Dec 3 22:59:54 2010
New Revision: 216166

URL: http://svn.freebsd.org/changeset/base/216166

Log:
  Merge OpenSSL 0.9.8q into head.

  Security:	CVE-2010-4180
  Security:	http://www.openssl.org/news/secadv_20101202.txt
  MFC after:	3 days

Added:
  head/crypto/openssl/ACKNOWLEDGMENTS
     - copied unchanged from r216165, vendor-crypto/openssl/dist/ACKNOWLEDGMENTS
Modified:
  head/crypto/openssl/CHANGES
  head/crypto/openssl/FAQ
  head/crypto/openssl/Makefile
  head/crypto/openssl/NEWS
  head/crypto/openssl/README
  head/crypto/openssl/crypto/evp/p_sign.c
  head/crypto/openssl/crypto/evp/p_verify.c
  head/crypto/openssl/crypto/jpake/jpake.c
  head/crypto/openssl/crypto/jpake/jpake.h
  head/crypto/openssl/crypto/jpake/jpake_err.c
  head/crypto/openssl/crypto/opensslv.h
  head/crypto/openssl/crypto/stack/safestack.h
  head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod
  head/crypto/openssl/openssl.spec
  head/crypto/openssl/ssl/s3_clnt.c
  head/crypto/openssl/ssl/s3_srvr.c
Directory Properties:
  head/crypto/openssl/   (props changed)

Copied: head/crypto/openssl/ACKNOWLEDGMENTS (from r216165, vendor-crypto/openssl/dist/ACKNOWLEDGMENTS)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/crypto/openssl/ACKNOWLEDGMENTS Fri Dec 3 22:59:54 2010 (r216166, copy of r216165, vendor-crypto/openssl/dist/ACKNOWLEDGMENTS) @@ -0,0 +1,25 @@ +The OpenSSL project depends on volunteer efforts and financial support from +the end user community. That support comes in the form of donations and paid +sponsorships, software support contracts, paid consulting services +and commissioned software development. + +Since all these activities support the continued development and improvement +of OpenSSL we consider all these clients and customers as sponsors of the +OpenSSL project. + +We would like to identify and thank the following such sponsors for their past +or current significant support of the OpenSSL project: + +Very significant support: + + OpenGear: www.opengear.com + +Significant support: + + PSW Group: www.psw.net + +Please note that we ask permission to identify sponsors and that some sponsors +we consider eligible for inclusion here have requested to remain anonymous. + +Additional sponsorship or financial support is always welcome: for more +information please contact the OpenSSL Software Foundation. Modified: head/crypto/openssl/CHANGES ============================================================================== --- head/crypto/openssl/CHANGES Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/CHANGES Fri Dec 3 22:59:54 2010 (r216166) 
@@ -2,6 +2,18 @@ OpenSSL CHANGES _______________ + Changes between 0.9.8p and 0.9.8q [2 Dec 2010] + + *) Disable code workaround for ancient and obsolete Netscape browsers + and servers: an attacker can use it in a ciphersuite downgrade attack. + Thanks to Martin Rex for discovering this bug. CVE-2010-4180 + [Steve Henson] + + *) Fixed J-PAKE implementation error, originally discovered by + Sebastien Martini, further info and confirmation from Stefan + Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 + [Ben Laurie] + Changes between 0.9.8o and 0.9.8p [16 Nov 2010] *) Fix extension code to avoid race conditions which can result in a buffer Modified: head/crypto/openssl/FAQ ============================================================================== --- head/crypto/openssl/FAQ Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/FAQ Fri Dec 3 22:59:54 2010 (r216166) @@ -52,6 +52,9 @@ OpenSSL - Frequently Asked Questions * Why does the OpenSSL test suite fail in sha512t on x86 CPU? * Why does compiler fail to compile sha512.c? * Test suite still fails, what to do? +* I think I've found a bug, what should I do? +* I'm SURE I've found a bug, how do I report it? +* I've found a security issue, how do I report it? [PROG] Questions about programming with OpenSSL @@ -79,7 +82,7 @@ OpenSSL - Frequently Asked Questions * Which is the current version of OpenSSL? The current version is available from . -OpenSSL 1.0.0b was released on Nov 16th, 2010. +OpenSSL 1.0.0c was released on Dec 2nd, 2010. In addition to the current stable release, you can also access daily snapshots of the OpenSSL development version at . Some applications that use OpenSSL are distributed in binary form. When using such an application, you don't need to install OpenSSL 
@@ -463,7 +466,7 @@ administrators. Other projects do have other policies so you can for example extract the CA bundle used by Mozilla and/or modssl as described in this article: - http://www.mail-archive.com/modssl-users@modssl.org/msg16980.html + [BUILD] ======================================================================= @@ -505,7 +508,7 @@ when you run the test suite (using "make "bc: 1 not implemented". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. @@ -516,7 +519,7 @@ that the OpenSSL bntest throws at it. T test suite (using "make test"). The message returned is "bc: stack empty". The best way to deal with this is to find another implementation of bc -and compile/install it. GNU bc (see http://www.gnu.org/software/software.html +and compile/install it. GNU bc (see for download instructions) can be safely used, for example. 
@@ -709,6 +712,46 @@ never make sense, and tend to emerge whe to identify one, drop optimization level, e.g. by editing CFLAG line in top-level Makefile, recompile and re-run the test. +* I think I've found a bug, what should I do? + +If you are a new user then it is quite likely you haven't found a bug and +something is happening you aren't familiar with. Check this FAQ, the associated +documentation and the mailing lists for similar queries. If you are still +unsure whether it is a bug or not submit a query to the openssl-users mailing +list. + + +* I'm SURE I've found a bug, how do I report it? + +Bug reports with no security implications should be sent to the request +tracker. This can be done by mailing the report to (or its +alias ), please note that messages sent to the +request tracker also appear in the public openssl-dev mailing list. + +The report should be in plain text. Any patches should be sent as +plain text attachments because some mailers corrupt patches sent inline. +If your issue affects multiple versions of OpenSSL check any patches apply +cleanly and, if possible include patches to each affected version. + +The report should be given a meaningful subject line briefly summarising the +issue. Just "bug in OpenSSL" or "bug in OpenSSL 0.9.8n" is not very helpful. + +By sending reports to the request tracker the bug can then be given a priority +and assigned to the appropriate maintainer. The history of discussions can be +accessed and if the issue has been addressed or a reason why not. If patches +are only sent to openssl-dev they can be mislaid if a team member has to +wade through months of old messages to review the discussion. + +See also + + +* I've found a security issue, how do I report it? + +If you think your bug has security implications then please send it to +openssl-security@openssl.org if you don't get a prompt reply at least +acknowledging receipt then resend or mail it directly to one of the +more active team members (e.g. Steve). 
+ [PROG] ======================================================================== * Is OpenSSL thread-safe? Modified: head/crypto/openssl/Makefile ============================================================================== --- head/crypto/openssl/Makefile Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/Makefile Fri Dec 3 22:59:54 2010 (r216166) @@ -4,7 +4,7 @@ ## Makefile for OpenSSL ## -VERSION=0.9.8p +VERSION=0.9.8q MAJOR=0 MINOR=9.8 SHLIB_VERSION_NUMBER=0.9.8 Modified: head/crypto/openssl/NEWS ============================================================================== --- head/crypto/openssl/NEWS Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/NEWS Fri Dec 3 22:59:54 2010 (r216166) @@ -5,6 +5,11 @@ This file gives a brief overview of the major changes between each OpenSSL release. For more details please read the CHANGES file. + Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q: + + o Fix for security issue CVE-2010-4180 + o Fix for CVE-2010-4252 + Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p: o Fix for security issue CVE-2010-3864. Modified: head/crypto/openssl/README ============================================================================== --- head/crypto/openssl/README Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/README Fri Dec 3 22:59:54 2010 (r216166) @@ -1,5 +1,5 @@ - OpenSSL 0.9.8p 16 Nov 2010 + OpenSSL 0.9.8q 2 Dec 2010 Copyright (c) 1998-2009 The OpenSSL Project Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson Modified: head/crypto/openssl/crypto/evp/p_sign.c ============================================================================== --- head/crypto/openssl/crypto/evp/p_sign.c Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/evp/p_sign.c Fri Dec 3 22:59:54 2010 (r216166) 
@@ -81,7 +81,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; int i,ok=0,v; - MS_STATIC EVP_MD_CTX tmp_ctx; + EVP_MD_CTX tmp_ctx; *siglen=0; for (i=0; i<4; i++) Modified: head/crypto/openssl/crypto/evp/p_verify.c ============================================================================== --- head/crypto/openssl/crypto/evp/p_verify.c Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/evp/p_verify.c Fri Dec 3 22:59:54 2010 (r216166) @@ -68,7 +68,7 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con unsigned char m[EVP_MAX_MD_SIZE]; unsigned int m_len; int i,ok=0,v; - MS_STATIC EVP_MD_CTX tmp_ctx; + EVP_MD_CTX tmp_ctx; for (i=0; i<4; i++) { Modified: head/crypto/openssl/crypto/jpake/jpake.c ============================================================================== --- head/crypto/openssl/crypto/jpake/jpake.c Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/jpake/jpake.c Fri Dec 3 22:59:54 2010 (r216166) 
@@ -283,23 +283,53 @@ int JPAKE_STEP1_generate(JPAKE_STEP1 *se return 1; } +/* g^x is a legal value */ +static int is_legal(const BIGNUM *gx, const JPAKE_CTX *ctx) + { + BIGNUM *t; + int res; + + if(BN_is_negative(gx) || BN_is_zero(gx) || BN_cmp(gx, ctx->p.p) >= 0) + return 0; + + t = BN_new(); + BN_mod_exp(t, gx, ctx->p.q, ctx->p.p, ctx->ctx); + res = BN_is_one(t); + BN_free(t); + + return res; + } + int JPAKE_STEP1_process(JPAKE_CTX *ctx, const JPAKE_STEP1 *received) { - /* verify their ZKP(xc) */ + if(!is_legal(received->p1.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL); + return 0; + } + + if(!is_legal(received->p2.gx, ctx)) + { + JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL); + return 0; + } + + + /* verify their ZKP(xc) */ if(!verify_zkp(&received->p1, ctx->p.g, ctx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X3_FAILED); return 0; } - /* verify their ZKP(xd) */ + /* verify their ZKP(xd) */ if(!verify_zkp(&received->p2, ctx->p.g, ctx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_VERIFY_X4_FAILED); return 0; } - /* g^xd != 1 */ + /* g^xd != 1 */ if(BN_is_one(received->p2.gx)) { JPAKEerr(JPAKE_F_JPAKE_STEP1_PROCESS, JPAKE_R_G_TO_THE_X4_IS_ONE); Modified: head/crypto/openssl/crypto/jpake/jpake.h ============================================================================== --- head/crypto/openssl/crypto/jpake/jpake.h Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/jpake/jpake.h Fri Dec 3 22:59:54 2010 (r216166) 
@@ -115,6 +115,8 @@ void ERR_load_JPAKE_strings(void); #define JPAKE_F_VERIFY_ZKP 100 /* Reason codes. */ +#define JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL 108 +#define JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL 109 #define JPAKE_R_G_TO_THE_X4_IS_ONE 105 #define JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH 106 #define JPAKE_R_HASH_OF_KEY_MISMATCH 107 Modified: head/crypto/openssl/crypto/jpake/jpake_err.c ============================================================================== --- head/crypto/openssl/crypto/jpake/jpake_err.c Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/jpake/jpake_err.c Fri Dec 3 22:59:54 2010 (r216166) @@ -1,6 +1,6 @@ /* crypto/jpake/jpake_err.c */ /* ==================================================================== - * Copyright (c) 1999-2008 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -80,6 +80,8 @@ static ERR_STRING_DATA JPAKE_str_functs[ static ERR_STRING_DATA JPAKE_str_reasons[]= { +{ERR_REASON(JPAKE_R_G_TO_THE_X3_IS_NOT_LEGAL),"g to the x3 is not legal"}, +{ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_NOT_LEGAL),"g to the x4 is not legal"}, {ERR_REASON(JPAKE_R_G_TO_THE_X4_IS_ONE) ,"g to the x4 is one"}, {ERR_REASON(JPAKE_R_HASH_OF_HASH_OF_KEY_MISMATCH),"hash of hash of key mismatch"}, {ERR_REASON(JPAKE_R_HASH_OF_KEY_MISMATCH),"hash of key mismatch"}, Modified: head/crypto/openssl/crypto/opensslv.h ============================================================================== --- head/crypto/openssl/crypto/opensslv.h Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/opensslv.h Fri Dec 3 22:59:54 2010 (r216166) 
@@ -25,11 +25,11 @@ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for * major minor fix final patch/beta) */ -#define OPENSSL_VERSION_NUMBER 0x0090810f +#define OPENSSL_VERSION_NUMBER 0x0090811f #ifdef OPENSSL_FIPS -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8p-fips 16 Nov 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q-fips 2 Dec 2010" #else -#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8p 16 Nov 2010" +#define OPENSSL_VERSION_TEXT "OpenSSL 0.9.8q 2 Dec 2010" #endif #define OPENSSL_VERSION_PTEXT " part of " OPENSSL_VERSION_TEXT Modified: head/crypto/openssl/crypto/stack/safestack.h ============================================================================== --- head/crypto/openssl/crypto/stack/safestack.h Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/crypto/stack/safestack.h Fri Dec 3 22:59:54 2010 (r216166) @@ -127,7 +127,7 @@ STACK_OF(type) \ sk_is_sorted(CHECKED_PTR_OF(STACK_OF(type), st)) #define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - (STACK_OF(type) *)d2i_ASN1_SET(CHECKED_PTR_OF(STACK_OF(type), st), \ + (STACK_OF(type) *)d2i_ASN1_SET(CHECKED_PTR_OF(STACK_OF(type)*, st), \ pp, length, \ CHECKED_D2I_OF(type, d2i_func), \ CHECKED_SK_FREE_FUNC(type, free_func), \ Modified: head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod ============================================================================== --- head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/doc/ssl/SSL_CTX_set_options.pod Fri Dec 3 22:59:54 2010 (r216166) 
@@ -78,18 +78,7 @@ this breaks this server so 16 bytes is t =item SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG -ssl3.netscape.com:443, first a connection is established with RC4-MD5. -If it is then resumed, we end up using DES-CBC3-SHA. It should be -RC4-MD5 according to 7.6.1.3, 'cipher_suite'. - -Netscape-Enterprise/2.01 (https://merchant.netscape.com) has this bug. -It only really shows up when connecting via SSLv2/v3 then reconnecting -via SSLv3. The cipher list changes.... - -NEW INFORMATION. Try connecting with a cipher list of just -DES-CBC-SHA:RC4-MD5. For some weird reason, each new connection uses -RC4-MD5, but a re-connect tries to use DES-CBC-SHA. So netscape, when -doing a re-connect, always takes the first cipher in the cipher list. +As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect. =item SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG Modified: head/crypto/openssl/openssl.spec ============================================================================== --- head/crypto/openssl/openssl.spec Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/openssl.spec Fri Dec 3 22:59:54 2010 (r216166) @@ -2,7 +2,7 @@ %define libmaj 0 %define libmin 9 %define librel 8 -%define librev p +%define librev q Release: 1 %define openssldir /var/ssl Modified: head/crypto/openssl/ssl/s3_clnt.c ============================================================================== --- head/crypto/openssl/ssl/s3_clnt.c Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/ssl/s3_clnt.c Fri Dec 3 22:59:54 2010 (r216166) 
@@ -814,8 +814,11 @@ int ssl3_get_server_hello(SSL *s) s->session->cipher_id = s->session->cipher->id; if (s->hit && (s->session->cipher_id != c->id)) { +/* Workaround is now obsolete */ +#if 0 if (!(s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)) +#endif { al=SSL_AD_ILLEGAL_PARAMETER; SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); Modified: head/crypto/openssl/ssl/s3_srvr.c ============================================================================== --- head/crypto/openssl/ssl/s3_srvr.c Fri Dec 3 22:48:15 2010 (r216165) +++ head/crypto/openssl/ssl/s3_srvr.c Fri Dec 3 22:59:54 2010 (r216166) @@ -927,6 +927,10 @@ int ssl3_get_client_hello(SSL *s) break; } } +/* Disabled because it can be used in a ciphersuite downgrade + * attack: CVE-2010-4180. + */ +#if 0 if (j == 0 && (s->options & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) && (sk_SSL_CIPHER_num(ciphers) == 1)) { /* Special case as client bug workaround: the previously used cipher may @@ -941,6 +945,7 @@ int ssl3_get_client_hello(SSL *s) j = 1; } } +#endif if (j == 0) { /* we need to have the cipher in the cipher