Commit 58ab7656 authored by Jung-uk Kim's avatar Jung-uk Kim
Browse files

Import OpenSSL 1.0.1j.

parent cb686480
......@@ -2,6 +2,57 @@
OpenSSL CHANGES
_______________
Changes between 1.0.1i and 1.0.1j [15 Oct 2014]
*) SRTP Memory Leak.
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
The fix was developed by the OpenSSL team.
(CVE-2014-3513)
[OpenSSL team]
*) Session Ticket Memory Leak.
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
(CVE-2014-3567)
[Steve Henson]
*) Build option no-ssl3 is incomplete.
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
(CVE-2014-3568)
[Akamai and the OpenSSL team]
*) Add support for TLS_FALLBACK_SCSV.
Client applications doing fallback retries should call
SSL_set_mode(s, SSL_MODE_SEND_FALLBACK_SCSV).
(CVE-2014-3566)
[Adam Langley, Bodo Moeller]
*) Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original when
verifying RSA signature: this will reject any improperly encoded
DigestInfo structures.
Note: this is a precautionary measure and no attacks are currently known.
[Steve Henson]
Changes between 1.0.1h and 1.0.1i [6 Aug 2014]
*) Fix SRP buffer overrun vulnerability. Invalid parameters passed to the
......
......@@ -1767,6 +1767,9 @@ open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslcon
print OUT "/* opensslconf.h */\n";
print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
print OUT "#ifdef __cplusplus\n";
print OUT "extern \"C\" {\n";
print OUT "#endif\n";
print OUT "/* OpenSSL was configured with the following options: */\n";
my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
$openssl_experimental_defines =~ s/^\s*#\s*define\s+OPENSSL_NO_(.*)/#ifndef OPENSSL_EXPERIMENTAL_$1\n# ifndef OPENSSL_NO_$1\n# define OPENSSL_NO_$1\n# endif\n#endif/mg;
......@@ -1871,6 +1874,9 @@ while (<IN>)
{ print OUT $_; }
}
close(IN);
print OUT "#ifdef __cplusplus\n";
print OUT "}\n";
print OUT "#endif\n";
close(OUT);
rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
......
......@@ -11,8 +11,8 @@ First, read http://wiki.freebsd.org/SubversionPrimer/VendorImports
# Xlist
setenv XLIST /FreeBSD/work/openssl/svn-FREEBSD-files/FREEBSD-Xlist
setenv FSVN "svn+ssh://svn.freebsd.org/base"
setenv OSSLVER 1.0.1i
# OSSLTAG format: v1_0_1i
setenv OSSLVER 1.0.1j
# OSSLTAG format: v1_0_1j
###setenv OSSLTAG v`echo ${OSSLVER} | tr . _`
......
......@@ -4,7 +4,7 @@
## Makefile for OpenSSL
##
VERSION=1.0.1i
VERSION=1.0.1j
MAJOR=1
MINOR=0.1
SHLIB_VERSION_NUMBER=1.0.0
......
......@@ -5,6 +5,13 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
o Fix for CVE-2014-3513
o Fix for CVE-2014-3567
o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
o Fix for CVE-2014-3568
Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
o Fix for CVE-2014-3512
......
OpenSSL 1.0.1i 6 Aug 2014
OpenSSL 1.0.1j 15 Oct 2014
Copyright (c) 1998-2011 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
......
......@@ -337,6 +337,7 @@ static void sc_usage(void)
BIO_printf(bio_err," -tls1_1 - just use TLSv1.1\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -dtls1 - just use DTLSv1\n");
BIO_printf(bio_err," -fallback_scsv - send TLS_FALLBACK_SCSV\n");
BIO_printf(bio_err," -mtu - set the link layer MTU\n");
BIO_printf(bio_err," -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err," -bugs - Switch on all SSL implementation bug workarounds\n");
......@@ -617,6 +618,7 @@ int MAIN(int argc, char **argv)
char *sess_out = NULL;
struct sockaddr peer;
int peerlen = sizeof(peer);
int fallback_scsv = 0;
int enable_timeouts = 0 ;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
......@@ -823,6 +825,10 @@ int MAIN(int argc, char **argv)
meth=DTLSv1_client_method();
socket_type=SOCK_DGRAM;
}
else if (strcmp(*argv,"-fallback_scsv") == 0)
{
fallback_scsv = 1;
}
else if (strcmp(*argv,"-timeout") == 0)
enable_timeouts=1;
else if (strcmp(*argv,"-mtu") == 0)
......@@ -1235,6 +1241,10 @@ int MAIN(int argc, char **argv)
SSL_set_session(con, sess);
SSL_SESSION_free(sess);
}
if (fallback_scsv)
SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
......
......@@ -31,6 +31,7 @@ CPUID_OBJ=mem_clr.o
LIBS=
GENERAL=Makefile README crypto-lib.com install.com
TEST=constant_time_test.c
LIB= $(TOP)/libcrypto.a
SHARED_LIB= libcrypto$(SHLIB_EXT)
......@@ -43,7 +44,8 @@ SRC= $(LIBSRC)
EXHEADER= crypto.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
ossl_typ.h
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h $(EXHEADER)
HEADER= cryptlib.h buildinf.h md32_common.h o_time.h o_str.h o_dir.h \
constant_time_locl.h $(EXHEADER)
ALL= $(GENERAL) $(SRC) $(HEADER)
......
......@@ -525,6 +525,16 @@ $code.=<<___;
.type aesni_ecb_encrypt,\@function,5
.align 16
aesni_ecb_encrypt:
___
$code.=<<___ if ($win64);
lea -0x58(%rsp),%rsp
movaps %xmm6,(%rsp)
movaps %xmm7,0x10(%rsp)
movaps %xmm8,0x20(%rsp)
movaps %xmm9,0x30(%rsp)
.Lecb_enc_body:
___
$code.=<<___;
and \$-16,$len
jz .Lecb_ret
......@@ -805,6 +815,16 @@ $code.=<<___;
movups $inout5,0x50($out)
.Lecb_ret:
___
$code.=<<___ if ($win64);
movaps (%rsp),%xmm6
movaps 0x10(%rsp),%xmm7
movaps 0x20(%rsp),%xmm8
movaps 0x30(%rsp),%xmm9
lea 0x58(%rsp),%rsp
.Lecb_enc_ret:
___
$code.=<<___;
ret
.size aesni_ecb_encrypt,.-aesni_ecb_encrypt
___
......@@ -2730,28 +2750,9 @@ $code.=<<___;
.extern __imp_RtlVirtualUnwind
___
$code.=<<___ if ($PREFIX eq "aesni");
.type ecb_se_handler,\@abi-omnipotent
.align 16
ecb_se_handler:
push %rsi
push %rdi
push %rbx
push %rbp
push %r12
push %r13
push %r14
push %r15
pushfq
sub \$64,%rsp
mov 152($context),%rax # pull context->Rsp
jmp .Lcommon_seh_tail
.size ecb_se_handler,.-ecb_se_handler
.type ccm64_se_handler,\@abi-omnipotent
.type ecb_ccm64_se_handler,\@abi-omnipotent
.align 16
ccm64_se_handler:
ecb_ccm64_se_handler:
push %rsi
push %rdi
push %rbx
......@@ -2788,7 +2789,7 @@ ccm64_se_handler:
lea 0x58(%rax),%rax # adjust stack pointer
jmp .Lcommon_seh_tail
.size ccm64_se_handler,.-ccm64_se_handler
.size ecb_ccm64_se_handler,.-ecb_ccm64_se_handler
.type ctr32_se_handler,\@abi-omnipotent
.align 16
......@@ -2993,14 +2994,15 @@ ___
$code.=<<___ if ($PREFIX eq "aesni");
.LSEH_info_ecb:
.byte 9,0,0,0
.rva ecb_se_handler
.rva ecb_ccm64_se_handler
.rva .Lecb_enc_body,.Lecb_enc_ret # HandlerData[]
.LSEH_info_ccm64_enc:
.byte 9,0,0,0
.rva ccm64_se_handler
.rva ecb_ccm64_se_handler
.rva .Lccm64_enc_body,.Lccm64_enc_ret # HandlerData[]
.LSEH_info_ccm64_dec:
.byte 9,0,0,0
.rva ccm64_se_handler
.rva ecb_ccm64_se_handler
.rva .Lccm64_dec_body,.Lccm64_dec_ret # HandlerData[]
.LSEH_info_ctr32:
.byte 9,0,0,0
......
......@@ -568,6 +568,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
mbflag |= MBSTRING_FLAG;
stmp.data = NULL;
stmp.length = 0;
stmp.flags = 0;
ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
if(ret < 0) return ret;
*out = stmp.data;
......
......@@ -189,7 +189,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
if (n <= 0) return 0;
asm (
asm volatile (
" subq %2,%2 \n"
".p2align 4 \n"
"1: movq (%4,%2,8),%0 \n"
......@@ -200,7 +200,7 @@ BN_ULONG bn_add_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
" sbbq %0,%0 \n"
: "=&a"(ret),"+c"(n),"=&r"(i)
: "r"(rp),"r"(ap),"r"(bp)
: "cc"
: "cc", "memory"
);
return ret&1;
......@@ -212,7 +212,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
if (n <= 0) return 0;
asm (
asm volatile (
" subq %2,%2 \n"
".p2align 4 \n"
"1: movq (%4,%2,8),%0 \n"
......@@ -223,7 +223,7 @@ BN_ULONG bn_sub_words (BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,int
" sbbq %0,%0 \n"
: "=&a"(ret),"+c"(n),"=&r"(i)
: "r"(rp),"r"(ap),"r"(bp)
: "cc"
: "cc", "memory"
);
return ret&1;
......
......@@ -874,7 +874,14 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
bits = BN_num_bits(p);
if (bits == 0)
{
ret = BN_one(rr);
/* x**0 mod 1 is still zero. */
if (BN_is_one(m))
{
ret = 1;
BN_zero(rr);
}
else
ret = BN_one(rr);
return ret;
}
if (a == 0)
......
......@@ -1088,9 +1088,9 @@ int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field,
/* ... and right shift */
for (val=t_d[0],i=0; i<BN_NIST_521_TOP-1; i++)
{
tmp = val>>BN_NIST_521_RSHIFT;
val = t_d[i+1];
t_d[i] = (tmp | val<<BN_NIST_521_LSHIFT) & BN_MASK2;
t_d[i] = ( val>>BN_NIST_521_RSHIFT |
(tmp=t_d[i+1])<<BN_NIST_521_LSHIFT ) & BN_MASK2;
val=tmp;
}
t_d[i] = val>>BN_NIST_521_RSHIFT;
/* lower 521 bits */
......
......@@ -71,6 +71,43 @@
static const char rnd_seed[] = "string to make the random number generator think it has entropy";
/* test_exp_mod_zero tests that x**0 mod 1 == 0. It returns zero on success. */
static int test_exp_mod_zero() {
BIGNUM a, p, m;
BIGNUM r;
BN_CTX *ctx = BN_CTX_new();
int ret = 1;
BN_init(&m);
BN_one(&m);
BN_init(&a);
BN_one(&a);
BN_init(&p);
BN_zero(&p);
BN_init(&r);
BN_mod_exp(&r, &a, &p, &m, ctx);
BN_CTX_free(ctx);
if (BN_is_zero(&r))
ret = 0;
else
{
printf("1**0 mod 1 = ");
BN_print_fp(stdout, &r);
printf(", should be 0\n");
}
BN_free(&r);
BN_free(&a);
BN_free(&p);
BN_free(&m);
return ret;
}
int main(int argc, char *argv[])
{
BN_CTX *ctx;
......@@ -190,7 +227,13 @@ int main(int argc, char *argv[])
ERR_remove_thread_state(NULL);
CRYPTO_mem_leaks(out);
BIO_free(out);
printf(" done\n");
printf("\n");
if (test_exp_mod_zero() != 0)
goto err;
printf("done\n");
EXIT(0);
err:
ERR_load_crypto_strings();
......
/* crypto/constant_time_locl.h */
/*
* Utilities for constant-time cryptography.
*
* Author: Emilia Kasper (emilia@openssl.org)
* Based on previous work by Bodo Moeller, Emilia Kasper, Adam Langley
* (Google).
* ====================================================================
* Copyright (c) 2014 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/
#ifndef HEADER_CONSTANT_TIME_LOCL_H
#define HEADER_CONSTANT_TIME_LOCL_H
#include "e_os.h" /* For 'inline' */
#ifdef __cplusplus
extern "C" {
#endif
/*
* The boolean methods return a bitmask of all ones (0xff...f) for true
* and 0 for false. This is useful for choosing a value based on the result
* of a conditional in constant time. For example,
*
* if (a < b) {
* c = a;
* } else {
* c = b;
* }
*
* can be written as
*
* unsigned int lt = constant_time_lt(a, b);
* c = constant_time_select(lt, a, b);
*/
/*
* Returns the given value with the MSB copied to all the other
* bits. Uses the fact that arithmetic shift shifts-in the sign bit.
* However, this is not ensured by the C standard so you may need to
* replace this with something else on odd CPUs.
*/
static inline unsigned int constant_time_msb(unsigned int a);
/*
* Returns 0xff..f if a < b and 0 otherwise.
*/
static inline unsigned int constant_time_lt(unsigned int a, unsigned int b);
/* Convenience method for getting an 8-bit mask. */
static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b);
/*
* Returns 0xff..f if a >= b and 0 otherwise.
*/
static inline unsigned int constant_time_ge(unsigned int a, unsigned int b);
/* Convenience method for getting an 8-bit mask. */
static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b);
/*
* Returns 0xff..f if a == 0 and 0 otherwise.
*/
static inline unsigned int constant_time_is_zero(unsigned int a);
/* Convenience method for getting an 8-bit mask. */
static inline unsigned char constant_time_is_zero_8(unsigned int a);
/*
* Returns 0xff..f if a == b and 0 otherwise.
*/
static inline unsigned int constant_time_eq(unsigned int a, unsigned int b);
/* Convenience method for getting an 8-bit mask. */
static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b);
/* Signed integers. */
static inline unsigned int constant_time_eq_int(int a, int b);
/* Convenience method for getting an 8-bit mask. */
static inline unsigned char constant_time_eq_int_8(int a, int b);
/*
* Returns (mask & a) | (~mask & b).
*
* When |mask| is all 1s or all 0s (as returned by the methods above),
* the select methods return either |a| (if |mask| is nonzero) or |b|
* (if |mask| is zero).
*/
static inline unsigned int constant_time_select(unsigned int mask,
unsigned int a, unsigned int b);
/* Convenience method for unsigned chars. */
static inline unsigned char constant_time_select_8(unsigned char mask,
unsigned char a, unsigned char b);
/* Convenience method for signed integers. */
static inline int constant_time_select_int(unsigned int mask, int a, int b);
static inline unsigned int constant_time_msb(unsigned int a)
{
return (unsigned int)((int)(a) >> (sizeof(int) * 8 - 1));
}
static inline unsigned int constant_time_lt(unsigned int a, unsigned int b)
{
unsigned int lt;
/* Case 1: msb(a) == msb(b). a < b iff the MSB of a - b is set.*/
lt = ~(a ^ b) & (a - b);
/* Case 2: msb(a) != msb(b). a < b iff the MSB of b is set. */
lt |= ~a & b;
return constant_time_msb(lt);
}
static inline unsigned char constant_time_lt_8(unsigned int a, unsigned int b)
{
return (unsigned char)(constant_time_lt(a, b));
}
static inline unsigned int constant_time_ge(unsigned int a, unsigned int b)
{
unsigned int ge;
/* Case 1: msb(a) == msb(b). a >= b iff the MSB of a - b is not set.*/
ge = ~((a ^ b) | (a - b));
/* Case 2: msb(a) != msb(b). a >= b iff the MSB of a is set. */
ge |= a & ~b;
return constant_time_msb(ge);
}
static inline unsigned char constant_time_ge_8(unsigned int a, unsigned int b)
{
return (unsigned char)(constant_time_ge(a, b));
}
static inline unsigned int constant_time_is_zero(unsigned int a)
{
return constant_time_msb(~a & (a - 1));
}
static inline unsigned char constant_time_is_zero_8(unsigned int a)
{
return (unsigned char)(constant_time_is_zero(a));
}
static inline unsigned int constant_time_eq(unsigned int a, unsigned int b)
{
return constant_time_is_zero(a ^ b);
}
static inline unsigned char constant_time_eq_8(unsigned int a, unsigned int b)
{
return (unsigned char)(constant_time_eq(a, b));
}
static inline unsigned int constant_time_eq_int(int a, int b)
{
return constant_time_eq((unsigned)(a), (unsigned)(b));
}
static inline unsigned char constant_time_eq_int_8(int a, int b)
{
return constant_time_eq_8((unsigned)(a), (unsigned)(b));
}
static inline unsigned int constant_time_select(unsigned int mask,
unsigned int a, unsigned int b)
{
return (mask & a) | (~mask & b);
}
static inline unsigned char constant_time_select_8(unsigned char mask,
unsigned char a, unsigned char b)
{
return (unsigned char)(constant_time_select(mask, a, b));
}
inline int constant_time_select_int(unsigned int mask, int a, int b)
{
return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b)));
}
#ifdef __cplusplus
}
#endif
#endif /* HEADER_CONSTANT_TIME_LOCL_H */
/* crypto/constant_time_test.c */
/*
* Utilities for constant-time cryptography.