[Pkg-openssl-changes] r667 - in openssl/branches/squeeze/debian: . patches

Kurt Roeckx kroeckx at moszumanska.debian.org
Thu Jun 5 18:14:07 UTC 2014


Author: kroeckx
Date: 2014-06-05 18:14:07 +0000 (Thu, 05 Jun 2014)
New Revision: 667

Added:
   openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch
   openssl/branches/squeeze/debian/patches/CVE-2014-0195.patch
   openssl/branches/squeeze/debian/patches/CVE-2014-0221.patch
   openssl/branches/squeeze/debian/patches/CVE-2014-0224.patch
   openssl/branches/squeeze/debian/patches/CVE-2014-3470.patch
Modified:
   openssl/branches/squeeze/debian/changelog
   openssl/branches/squeeze/debian/patches/series
Log:
Fix various CVEs


Modified: openssl/branches/squeeze/debian/changelog
===================================================================
--- openssl/branches/squeeze/debian/changelog	2014-06-05 17:10:43 UTC (rev 666)
+++ openssl/branches/squeeze/debian/changelog	2014-06-05 18:14:07 UTC (rev 667)
@@ -1,3 +1,14 @@
+openssl (0.9.8o-4squeeze15) squeeze-security; urgency=medium
+
+  * Fix CVE-2014-0076.patch
+  * Fix CVE-2014-0195.patch
+  * Fix CVE-2014-0221.patch
+  * Fix CVE-2014-3470.patch
+  * Fix CVE-2014-0224.patch
+  * Fix CVE-2013-0169.patch
+
+ -- Kurt Roeckx <kurt at roeckx.be>  Thu, 05 Jun 2014 20:12:34 +0200
+
 openssl (0.9.8o-4squeeze14) squeeze-security; urgency=low
 
   * Fix CVE-2013-0166 and CVE-2013-0169

Added: openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-0076.patch	2014-06-05 18:14:07 UTC (rev 667)
@@ -0,0 +1,170 @@
+diff --git a/CHANGES b/CHANGES
+index 58ac884..99aeefb 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -4,6 +4,15 @@
+ 
+  Changes between 1.0.1f and 1.0.1g [xx XXX xxxx]
+ 
++  *) Fix for the attack described in the paper "Recovering OpenSSL
++     ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
++     by Yuval Yarom and Naomi Benger. Details can be obtained from:
++     http://eprint.iacr.org/2014/140
++
++     Thanks to Yuval Yarom and Naomi Benger for discovering this
++     flaw and to Yuval Yarom for supplying a fix (CVE-2014-0076)
++     [Yuval Yarom and Naomi Benger]
++
+   *) TLS pad extension: draft-agl-tls-padding-02
+ 
+      Workaround for the "TLS hang bug" (see FAQ and PR#2771): if the
+diff --git a/crypto/bn/bn.h b/crypto/bn/bn.h
+index f34248e..21a1a3f 100644
+--- a/crypto/bn/bn.h
++++ b/crypto/bn/bn.h
+@@ -538,6 +538,8 @@ BIGNUM *BN_mod_inverse(BIGNUM *ret,
+ BIGNUM *BN_mod_sqrt(BIGNUM *ret,
+ 	const BIGNUM *a, const BIGNUM *n,BN_CTX *ctx);
+ 
++void	BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords);
++
+ /* Deprecated versions */
+ #ifndef OPENSSL_NO_DEPRECATED
+ BIGNUM *BN_generate_prime(BIGNUM *ret,int bits,int safe,
+@@ -774,11 +776,20 @@ int RAND_pseudo_bytes(unsigned char *buf,int num);
+ 
+ #define bn_fix_top(a)		bn_check_top(a)
+ 
++#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2)
++#define bn_wcheck_size(bn, words) \
++	do { \
++		const BIGNUM *_bnum2 = (bn); \
++		assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \
++	} while(0)
++
+ #else /* !BN_DEBUG */
+ 
+ #define bn_pollute(a)
+ #define bn_check_top(a)
+ #define bn_fix_top(a)		bn_correct_top(a)
++#define bn_check_size(bn, bits)
++#define bn_wcheck_size(bn, words)
+ 
+ #endif
+ 
+diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c
+index 7a5676d..5461e6e 100644
+--- a/crypto/bn/bn_lib.c
++++ b/crypto/bn/bn_lib.c
+@@ -824,3 +824,55 @@ int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
+ 		}
+ 	return bn_cmp_words(a,b,cl);
+ 	}
++
++/* 
++ * Constant-time conditional swap of a and b.  
++ * a and b are swapped if condition is not 0.  The code assumes that at most one bit of condition is set.
++ * nwords is the number of words to swap.  The code assumes that at least nwords are allocated in both a and b,
++ * and that no more than nwords are used by either a or b.
++ * a and b cannot be the same number
++ */
++void BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords)
++	{
++	BN_ULONG t;
++	int i;
++
++	bn_wcheck_size(a, nwords);
++	bn_wcheck_size(b, nwords);
++
++	assert(a != b);
++	assert((condition & (condition - 1)) == 0);
++	assert(sizeof(BN_ULONG) >= sizeof(int));
++
++	condition = ((condition - 1) >> (BN_BITS2 - 1)) - 1;
++
++	t = (a->top^b->top) & condition;
++	a->top ^= t;
++	b->top ^= t;
++
++#define BN_CONSTTIME_SWAP(ind) \
++	do { \
++		t = (a->d[ind] ^ b->d[ind]) & condition; \
++		a->d[ind] ^= t; \
++		b->d[ind] ^= t; \
++	} while (0)
++
++
++	switch (nwords) {
++	default:
++		for (i = 10; i < nwords; i++) 
++			BN_CONSTTIME_SWAP(i);
++		/* Fallthrough */
++	case 10: BN_CONSTTIME_SWAP(9); /* Fallthrough */
++	case 9: BN_CONSTTIME_SWAP(8); /* Fallthrough */
++	case 8: BN_CONSTTIME_SWAP(7); /* Fallthrough */
++	case 7: BN_CONSTTIME_SWAP(6); /* Fallthrough */
++	case 6: BN_CONSTTIME_SWAP(5); /* Fallthrough */
++	case 5: BN_CONSTTIME_SWAP(4); /* Fallthrough */
++	case 4: BN_CONSTTIME_SWAP(3); /* Fallthrough */
++	case 3: BN_CONSTTIME_SWAP(2); /* Fallthrough */
++	case 2: BN_CONSTTIME_SWAP(1); /* Fallthrough */
++	case 1: BN_CONSTTIME_SWAP(0);
++	}
++#undef BN_CONSTTIME_SWAP
++}
+diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c
+index 26f4a78..1c575dc 100644
+--- a/crypto/ec/ec2_mult.c
++++ b/crypto/ec/ec2_mult.c
+@@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG
+ 	return ret;
+ 	}
+ 
++
+ /* Computes scalar*point and stores the result in r.
+  * point can not equal r.
+- * Uses algorithm 2P of
++ * Uses a modified algorithm 2P of
+  *     Lopez, J. and Dahab, R.  "Fast multiplication on elliptic curves over 
+  *     GF(2^m) without precomputation" (CHES '99, LNCS 1717).
++ *
++ * To protect against side-channel attack the function uses constant time swap,
++ * avoiding conditional branches.
+  */
+ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar,
+ 	const EC_POINT *point, BN_CTX *ctx)
+@@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
+ 	x2 = &r->X;
+ 	z2 = &r->Y;
+ 
++	bn_wexpand(x1, group->field.top);
++	bn_wexpand(z1, group->field.top);
++	bn_wexpand(x2, group->field.top);
++	bn_wexpand(z2, group->field.top);
++
+ 	if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */
+ 	if (!BN_one(z1)) goto err; /* z1 = 1 */
+ 	if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */
+@@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r,
+ 		word = scalar->d[i];
+ 		while (mask)
+ 			{
+-			if (word & mask)
+-				{
+-				if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err;
+-				if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err;
+-				}
+-			else
+-				{
+-				if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
+-				if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
+-				}
++			BN_consttime_swap(word & mask, x1, x2, group->field.top);
++			BN_consttime_swap(word & mask, z1, z2, group->field.top);
++			if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err;
++			if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err;
++			BN_consttime_swap(word & mask, x1, x2, group->field.top);
++			BN_consttime_swap(word & mask, z1, z2, group->field.top);
+ 			mask >>= 1;
+ 			}
+ 		mask = BN_TBIT;
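Review bot: The four bn_wexpand() calls added in the ec2_mult.c hunk discard their return value, yet everything that follows relies on x1, z1, x2 and z2 holding at least group->field.top words: BN_consttime_swap() walks a->d[i] and b->d[i] up to nwords and only checks dmax through bn_wcheck_size(), which expands to nothing outside BN_DEBUG. A failed expansion (allocation failure) would therefore turn the swap into an out-of-bounds read/write in release builds instead of an error return, so each call should be checked the same way as the neighbouring BN_GF2m_mod_arr() call. The same NDEBUG caveat applies to the assert() preconditions in the new BN_consttime_swap() in bn_lib.c (a != b, single-bit condition): in a release build the header comment is the only guard, so it is worth repeating next to the bn.h prototype that `swap` must be 0 or a single set bit. ec_GF2m_montgomery_point_multiply() starts and ends outside the hunk.
```c
	x2 = &r->X;
	z2 = &r->Y;

	/* bn_wexpand() returns NULL on failure; leaving a BIGNUM unexpanded would
	 * let BN_consttime_swap() below touch d[] past dmax in non-debug builds. */
	if (!bn_wexpand(x1, group->field.top)) goto err;
	if (!bn_wexpand(z1, group->field.top)) goto err;
	if (!bn_wexpand(x2, group->field.top)) goto err;
	if (!bn_wexpand(z2, group->field.top)) goto err;
	/* … unchanged: x1/z1/z2 initialisation and the Montgomery ladder … */
```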

Added: openssl/branches/squeeze/debian/patches/CVE-2014-0195.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-0195.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-0195.patch	2014-06-05 18:14:07 UTC (rev 667)
@@ -0,0 +1,83 @@
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index a6b3c01..c99a4c4 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
+ 		case SSL3_ST_CR_FINISHED_A:
+ 		case SSL3_ST_CR_FINISHED_B:
+ 
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+ 				SSL3_ST_CR_FINISHED_B);
+ 			if (ret <= 0) goto end;
+@@ -915,6 +916,7 @@ int ssl3_get_server_hello(SSL *s)
+ 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+ 		goto f_err;
+ 		}
++	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 	    s->hit=1;
+ 	    }
+ 	else	/* a miss or crap from the other end */
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 6bc8bf9..98c36e6 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1316,6 +1316,15 @@ start:
+ 			goto f_err;
+ 			}
+ 
++		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
++			{
++			al=SSL_AD_UNEXPECTED_MESSAGE;
++			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
++			goto f_err;
++			}
++
++		s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
++
+ 		rr->length=0;
+ 
+ 		if (s->msg_callback)
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index 5ac4119..503bed3 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
+ 		case SSL3_ST_SR_CERT_VRFY_A:
+ 		case SSL3_ST_SR_CERT_VRFY_B:
+ 
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			/* we should decide if we expected this one */
+ 			ret=ssl3_get_cert_verify(s);
+ 			if (ret <= 0) goto end;
+@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
+ 
+ 		case SSL3_ST_SR_FINISHED_A:
+ 		case SSL3_ST_SR_FINISHED_B:
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
+ 				SSL3_ST_SR_FINISHED_B);
+ 			if (ret <= 0) goto end;
+@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
+ 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #else
+ 				if (s->s3->next_proto_neg_seen)
++					{
++					s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
++					}
+ 				else
+ 					s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #endif
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index cb8b249..37f19e3 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
+ #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
+ #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
++#define SSL3_FLAGS_CCS_OK			0x0080
+  
+ /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+  * restart a handshake because of MS SGC and so prevents us
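Review bot: The content of CVE-2014-0195.patch is byte-for-byte the same ChangeCipherSpec (SSL3_FLAGS_CCS_OK) change that CVE-2014-0224.patch later in this commit carries, and it touches none of the DTLS fragment-handling code in ssl/d1_both.c that the upstream CVE-2014-0195 fix changes; either this file is misnamed or the real fix is missing. Because debian/patches/series now lists both names, quilt will try to apply the identical hunks a second time and stop with an already-applied error, so the package is unlikely to build as committed. Verify this file against the upstream DTLS fragment patch and remove the duplicate entry from series.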

Added: openssl/branches/squeeze/debian/patches/CVE-2014-0221.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-0221.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-0221.patch	2014-06-05 18:14:07 UTC (rev 667)
@@ -0,0 +1,22 @@
+diff --git a/ssl/d1_both.c b/ssl/d1_both.c
+index 7de9ae4..04aa231 100644
+--- a/ssl/d1_both.c
++++ b/ssl/d1_both.c
+@@ -793,6 +793,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+ 	int i,al;
+ 	struct hm_header_st msg_hdr;
+ 
++	redo:
+ 	/* see if we have the required fragment already */
+ 	if ((frag_len = dtls1_retrieve_buffered_fragment(s,max,ok)) || *ok)
+ 		{
+@@ -851,8 +852,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok)
+ 					s->msg_callback_arg);
+ 			
+ 			s->init_num = 0;
+-			return dtls1_get_message_fragment(s, st1, stn,
+-				max, ok);
++			goto redo;
+ 			}
+ 		else /* Incorrectly formated Hello request */
+ 			{
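Review bot: The new `redo:` label and the `goto redo` that replaces the recursive dtls1_get_message_fragment() call carry no comment, so a later reader has no hint why the loop form matters; add above the label `/* Loop instead of recursing: an unbounded stream of DTLS hello requests from the peer must not be able to grow the stack (CVE-2014-0221). */`. Since the goto re-enters the body from just after the declarations, it is worth confirming that nothing between them and `redo:` (nothing is visible here) needs re-initialising on each pass. dtls1_get_message_fragment() starts and ends outside the hunk.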

Added: openssl/branches/squeeze/debian/patches/CVE-2014-0224.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-0224.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-0224.patch	2014-06-05 18:14:07 UTC (rev 667)
@@ -0,0 +1,83 @@
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index a6b3c01..c99a4c4 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -559,6 +559,7 @@ int ssl3_connect(SSL *s)
+ 		case SSL3_ST_CR_FINISHED_A:
+ 		case SSL3_ST_CR_FINISHED_B:
+ 
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_finished(s,SSL3_ST_CR_FINISHED_A,
+ 				SSL3_ST_CR_FINISHED_B);
+ 			if (ret <= 0) goto end;
+@@ -915,6 +916,7 @@ int ssl3_get_server_hello(SSL *s)
+ 		SSLerr(SSL_F_SSL3_GET_SERVER_HELLO,SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT);
+ 		goto f_err;
+ 		}
++	    s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 	    s->hit=1;
+ 	    }
+ 	else	/* a miss or crap from the other end */
+diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
+index 6bc8bf9..98c36e6 100644
+--- a/ssl/s3_pkt.c
++++ b/ssl/s3_pkt.c
+@@ -1316,6 +1316,15 @@ start:
+ 			goto f_err;
+ 			}
+ 
++		if (!(s->s3->flags & SSL3_FLAGS_CCS_OK))
++			{
++			al=SSL_AD_UNEXPECTED_MESSAGE;
++			SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY);
++			goto f_err;
++			}
++
++		s->s3->flags &= ~SSL3_FLAGS_CCS_OK;
++
+ 		rr->length=0;
+ 
+ 		if (s->msg_callback)
+diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
+index 5ac4119..503bed3 100644
+--- a/ssl/s3_srvr.c
++++ b/ssl/s3_srvr.c
+@@ -673,6 +673,7 @@ int ssl3_accept(SSL *s)
+ 		case SSL3_ST_SR_CERT_VRFY_A:
+ 		case SSL3_ST_SR_CERT_VRFY_B:
+ 
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			/* we should decide if we expected this one */
+ 			ret=ssl3_get_cert_verify(s);
+ 			if (ret <= 0) goto end;
+@@ -700,6 +701,7 @@ int ssl3_accept(SSL *s)
+ 
+ 		case SSL3_ST_SR_FINISHED_A:
+ 		case SSL3_ST_SR_FINISHED_B:
++			s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 			ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
+ 				SSL3_ST_SR_FINISHED_B);
+ 			if (ret <= 0) goto end;
+@@ -770,7 +772,10 @@ int ssl3_accept(SSL *s)
+ 				s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #else
+ 				if (s->s3->next_proto_neg_seen)
++					{
++					s->s3->flags |= SSL3_FLAGS_CCS_OK;
+ 					s->s3->tmp.next_state=SSL3_ST_SR_NEXT_PROTO_A;
++					}
+ 				else
+ 					s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
+ #endif
+diff --git a/ssl/ssl3.h b/ssl/ssl3.h
+index cb8b249..37f19e3 100644
+--- a/ssl/ssl3.h
++++ b/ssl/ssl3.h
+@@ -388,6 +388,7 @@ typedef struct ssl3_buffer_st
+ #define TLS1_FLAGS_TLS_PADDING_BUG		0x0008
+ #define TLS1_FLAGS_SKIP_CERT_VERIFY		0x0010
+ #define TLS1_FLAGS_KEEP_HANDSHAKE		0x0020
++#define SSL3_FLAGS_CCS_OK			0x0080
+  
+ /* SSL3_FLAGS_SGC_RESTART_DONE is set when we
+  * restart a handshake because of MS SGC and so prevents us
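Review bot: The s3_pkt.c hunk raises `SSLerr(SSL_F_SSL3_READ_BYTES,SSL_R_CCS_RECEIVED_EARLY)`, but no hunk in this patch (nor in the identical CVE-2014-0195.patch above) defines SSL_R_CCS_RECEIVED_EARLY in ssl/ssl.h or adds its string to ssl/ssl_err.c; unless another patch in the series already provides it, ssl/s3_pkt.c will not compile. As far as I recall the upstream fix added both the reason code and its error-string entry together with this check. The new `#define SSL3_FLAGS_CCS_OK 0x0080` in ssl3.h also sits undocumented inside a block of TLS1_FLAGS_* values; a one-line comment such as `/* set only while a ChangeCipherSpec is legitimately expected; tested and cleared in ssl3_read_bytes() (CVE-2014-0224) */` would record the invariant the s3_clnt.c and s3_srvr.c hunks rely on.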

Added: openssl/branches/squeeze/debian/patches/CVE-2014-3470.patch
===================================================================
--- openssl/branches/squeeze/debian/patches/CVE-2014-3470.patch	                        (rev 0)
+++ openssl/branches/squeeze/debian/patches/CVE-2014-3470.patch	2014-06-05 18:14:07 UTC (rev 667)
@@ -0,0 +1,18 @@
+diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c
+index c99a4c4..0457af8 100644
+--- a/ssl/s3_clnt.c
++++ b/ssl/s3_clnt.c
+@@ -2512,6 +2512,13 @@ int ssl3_send_client_key_exchange(SSL *s)
+ 			int ecdh_clnt_cert = 0;
+ 			int field_size = 0;
+ 
++			if (s->session->sess_cert == NULL) 
++				{
++				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
++				SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
++				goto err;
++				}
++
+ 			/* Did we send out the client's
+ 			 * ECDH share for use in premaster
+ 			 * computation as part of client certificate?
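Review bot: The added `s->session->sess_cert == NULL` guard has no comment explaining when that pointer can legitimately be NULL at this point, and the line carries trailing whitespace after the closing parenthesis. I would write it as `if (s->session->sess_cert == NULL)` preceded by `/* No certificate was received for this session (presumably an anonymous ECDH ciphersuite); fail cleanly rather than dereference sess_cert below (CVE-2014-3470). */`. The ECDH branch of ssl3_send_client_key_exchange(), including the dereferences this guard protects, starts and ends outside the hunk, so that part is inferred rather than visible.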

Modified: openssl/branches/squeeze/debian/patches/series
===================================================================
--- openssl/branches/squeeze/debian/patches/series	2014-06-05 17:10:43 UTC (rev 666)
+++ openssl/branches/squeeze/debian/patches/series	2014-06-05 18:14:07 UTC (rev 667)
@@ -40,3 +40,10 @@
 CVE-2012-2333.patch
 CVE-2013-0169.patch
 CVE-2013-0166.patch
+CVE-2014-0076.patch
+CVE-2014-0195.patch
+CVE-2014-0221.patch
+CVE-2014-3470.patch
+CVE-2014-0224.patch
+CVE-2013-0169.patch
+
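Review bot: CVE-2013-0169.patch is now listed twice in series (once in the existing context and again as the last new entry), and the previous 4squeeze14 changelog entry already shipped that fix; quilt applies series top to bottom, so the second occurrence will fail as already applied. The same problem affects CVE-2014-0195.patch and CVE-2014-0224.patch, whose contents in this commit are identical. Drop the duplicate CVE-2013-0169.patch line and the empty line added at the end of the file.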



