Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/crypto/external/bsd/openssl/dist merge conflicts



details:   https://anonhg.NetBSD.org/src/rev/64a324eb76c6
branches:  trunk
changeset: 815171:64a324eb76c6
user:      christos <christos%NetBSD.org@localhost>
date:      Tue May 03 17:21:32 2016 +0000

description:
merge conflicts

diffstat:

 crypto/external/bsd/openssl/dist/CHANGES                |  97 +++++++++++++++++
 crypto/external/bsd/openssl/dist/Makefile               |   2 +-
 crypto/external/bsd/openssl/dist/NEWS                   |  13 ++
 crypto/external/bsd/openssl/dist/README                 |   2 +-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c |  36 ++++-
 crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c   |   2 -
 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c |   2 -
 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c |   2 -
 crypto/external/bsd/openssl/dist/crypto/evp/Makefile    |   8 +-
 crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c   |   2 +-
 crypto/external/bsd/openssl/dist/crypto/opensslv.h      |   6 +-
 crypto/external/bsd/openssl/dist/openssl.spec           |   2 +-
 crypto/external/bsd/openssl/dist/ssl/d1_both.c          |   2 +
 crypto/external/bsd/openssl/dist/ssl/s2_lib.c           |  16 +-
 crypto/external/bsd/openssl/dist/ssl/s3_clnt.c          |   2 +
 crypto/external/bsd/openssl/dist/ssl/s3_lib.c           |  88 +++++++-------
 crypto/external/bsd/openssl/dist/ssl/ssl.h              |   4 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_ciph.c         |  16 +-
 crypto/external/bsd/openssl/dist/ssl/ssl_locl.h         |   3 +-
 crypto/external/bsd/openssl/dist/ssl/t1_lib.c           |   6 +-
 crypto/external/bsd/openssl/dist/util/mk1mf.pl          |   9 +-
 crypto/external/bsd/openssl/dist/util/mkdef.pl          |   6 +-
 crypto/external/bsd/openssl/dist/util/ssleay.num        |   6 +-
 23 files changed, 234 insertions(+), 98 deletions(-)

diffs (truncated from 1037 to 300 lines):

diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/CHANGES
--- a/crypto/external/bsd/openssl/dist/CHANGES  Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/CHANGES  Tue May 03 17:21:32 2016 +0000
@@ -2,6 +2,103 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 1.0.1s and 1.0.1t [3 May 2016]
+
+  *) Prevent padding oracle in AES-NI CBC MAC check
+
+     A MITM attacker can use a padding oracle attack to decrypt traffic
+     when the connection uses an AES CBC cipher and the server support
+     AES-NI.
+
+     This issue was introduced as part of the fix for Lucky 13 padding
+     attack (CVE-2013-0169). The padding check was rewritten to be in
+     constant time by making sure that always the same bytes are read and
+     compared against either the MAC or padding bytes. But it no longer
+     checked that there was enough data to have both the MAC and padding
+     bytes.
+
+     This issue was reported by Juraj Somorovsky using TLS-Attacker.
+     (CVE-2016-2107)
+     [Kurt Roeckx]
+
+  *) Fix EVP_EncodeUpdate overflow
+
+     An overflow can occur in the EVP_EncodeUpdate() function which is used for
+     Base64 encoding of binary data. If an attacker is able to supply very large
+     amounts of input data then a length check can overflow resulting in a heap
+     corruption.
+
+     Internally to OpenSSL the EVP_EncodeUpdate() function is primarly used by
+     the PEM_write_bio* family of functions. These are mainly used within the
+     OpenSSL command line applications, so any application which processes data
+     from an untrusted source and outputs it as a PEM file should be considered
+     vulnerable to this issue. User applications that call these APIs directly
+     with large amounts of untrusted data may also be vulnerable.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2105)
+     [Matt Caswell]
+
+  *) Fix EVP_EncryptUpdate overflow
+
+     An overflow can occur in the EVP_EncryptUpdate() function. If an attacker
+     is able to supply very large amounts of input data after a previous call to
+     EVP_EncryptUpdate() with a partial block then a length check can overflow
+     resulting in a heap corruption. Following an analysis of all OpenSSL
+     internal usage of the EVP_EncryptUpdate() function all usage is one of two
+     forms. The first form is where the EVP_EncryptUpdate() call is known to be
+     the first called function after an EVP_EncryptInit(), and therefore that
+     specific call must be safe. The second form is where the length passed to
+     EVP_EncryptUpdate() can be seen from the code to be some small value and
+     therefore there is no possibility of an overflow. Since all instances are
+     one of these two forms, it is believed that there can be no overflows in
+     internal code due to this problem. It should be noted that
+     EVP_DecryptUpdate() can call EVP_EncryptUpdate() in certain code paths.
+     Also EVP_CipherUpdate() is a synonym for EVP_EncryptUpdate(). All instances
+     of these calls have also been analysed too and it is believed there are no
+     instances in internal usage where an overflow could occur.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2106)
+     [Matt Caswell]
+
+  *) Prevent ASN.1 BIO excessive memory allocation
+
+     When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
+     a short invalid encoding can casuse allocation of large amounts of memory
+     potentially consuming excessive resources or exhausting memory.
+
+     Any application parsing untrusted data through d2i BIO functions is
+     affected. The memory based functions such as d2i_X509() are *not* affected.
+     Since the memory based functions are used by the TLS library, TLS
+     applications are not affected.
+
+     This issue was reported by Brian Carpenter.
+     (CVE-2016-2109)
+     [Stephen Henson]
+
+  *) EBCDIC overread
+
+     ASN1 Strings that are over 1024 bytes can cause an overread in applications
+     using the X509_NAME_oneline() function on EBCDIC systems. This could result
+     in arbitrary stack data being returned in the buffer.
+
+     This issue was reported by Guido Vranken.
+     (CVE-2016-2176)
+     [Matt Caswell]
+
+  *) Modify behavior of ALPN to invoke callback after SNI/servername
+     callback, such that updates to the SSL_CTX affect ALPN.
+     [Todd Short]
+
+  *) Remove LOW from the DEFAULT cipher list.  This removes singles DES from the
+     default.
+     [Kurt Roeckx]
+
+  *) Only remove the SSLv2 methods with the no-ssl2-method option. When the
+     methods are enabled and ssl2 is disabled the methods return NULL.
+     [Kurt Roeckx]
+
  Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
 
   * Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/Makefile
--- a/crypto/external/bsd/openssl/dist/Makefile Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/Makefile Tue May 03 17:21:32 2016 +0000
@@ -4,7 +4,7 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=1.0.1s
+VERSION=1.0.1t
 MAJOR=1
 MINOR=0.1
 SHLIB_VERSION_NUMBER=1.0.0
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/NEWS
--- a/crypto/external/bsd/openssl/dist/NEWS     Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/NEWS     Tue May 03 17:21:32 2016 +0000
@@ -5,6 +5,19 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [3 May 2016]
+
+      o Prevent padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
+      o Fix EVP_EncodeUpdate overflow (CVE-2016-2105)
+      o Fix EVP_EncryptUpdate overflow (CVE-2016-2106)
+      o Prevent ASN.1 BIO excessive memory allocation (CVE-2016-2109)
+      o EBCDIC overread (CVE-2016-2176)
+      o Modify behavior of ALPN to invoke callback after SNI/servername
+        callback, such that updates to the SSL_CTX affect ALPN.
+      o Remove LOW from the DEFAULT cipher list.  This removes singles DES from
+        the default.
+      o Only remove the SSLv2 methods with the no-ssl2-method option.
+
   Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
 
       o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/README
--- a/crypto/external/bsd/openssl/dist/README   Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/README   Tue May 03 17:21:32 2016 +0000
@@ -1,5 +1,5 @@
 
- OpenSSL 1.0.1s 1 Mar 2016
+ OpenSSL 1.0.1t 3 May 2016
 
  Copyright (c) 1998-2015 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c   Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_d2i_fp.c   Tue May 03 17:21:32 2016 +0000
@@ -141,6 +141,7 @@
 #endif
 
 #define HEADER_SIZE   8
+#define ASN1_CHUNK_INITIAL_SIZE (16 * 1024)
 static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 {
     BUF_MEM *b;
@@ -217,29 +218,44 @@
             /* suck in c.slen bytes of data */
             want = c.slen;
             if (want > (len - off)) {
+                size_t chunk_max = ASN1_CHUNK_INITIAL_SIZE;
+
                 want -= (len - off);
                 if (want > INT_MAX /* BIO_read takes an int length */  ||
                     len + want < len) {
                     ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ASN1_R_TOO_LONG);
                     goto err;
                 }
-                if (!BUF_MEM_grow_clean(b, len + want)) {
-                    ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
-                    goto err;
-                }
                 while (want > 0) {
-                    i = BIO_read(in, &(b->data[len]), want);
-                    if (i <= 0) {
-                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
-                                ASN1_R_NOT_ENOUGH_DATA);
+                    /*
+                     * Read content in chunks of increasing size
+                     * so we can return an error for EOF without
+                     * having to allocate the entire content length
+                     * in one go.
+                     */
+                    size_t chunk = want > chunk_max ? chunk_max : want;
+
+                    if (!BUF_MEM_grow_clean(b, len + chunk)) {
+                        ASN1err(ASN1_F_ASN1_D2I_READ_BIO, ERR_R_MALLOC_FAILURE);
                         goto err;
                     }
+                    want -= chunk;
+                    while (chunk > 0) {
+                        i = BIO_read(in, &(b->data[len]), chunk);
+                        if (i <= 0) {
+                            ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
+                                    ASN1_R_NOT_ENOUGH_DATA);
+                            goto err;
+                        }
                     /*
                      * This can't overflow because |len+want| didn't
                      * overflow.
                      */
-                    len += i;
-                    want -= i;
+                        len += i;
+                        chunk -= i;
+                    }
+                    if (chunk_max < INT_MAX/2)
+                        chunk_max *= 2;
                 }
             }
             if (off + c.slen < off) {
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c     Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/a_type.c     Tue May 03 17:21:32 2016 +0000
@@ -126,9 +126,7 @@
         result = 0;             /* They do not have content. */
         break;
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
     case V_ASN1_BIT_STRING:
     case V_ASN1_OCTET_STRING:
     case V_ASN1_SEQUENCE:
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c   Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_dec.c   Tue May 03 17:21:32 2016 +0000
@@ -903,9 +903,7 @@
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         tint = (ASN1_INTEGER **)pval;
         if (!c2i_ASN1_INTEGER(tint, &cont, len))
             goto err;
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c
--- a/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c   Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/asn1/tasn_enc.c   Tue May 03 17:21:32 2016 +0000
@@ -611,9 +611,7 @@
         break;
 
     case V_ASN1_INTEGER:
-    case V_ASN1_NEG_INTEGER:
     case V_ASN1_ENUMERATED:
-    case V_ASN1_NEG_ENUMERATED:
         /*
          * These are all have the same content format as ASN1_INTEGER
          */
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/evp/Makefile
--- a/crypto/external/bsd/openssl/dist/crypto/evp/Makefile      Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/evp/Makefile      Tue May 03 17:21:32 2016 +0000
@@ -199,8 +199,8 @@
 e_aes.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
 e_aes.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 e_aes.o: ../modes/modes_lcl.h e_aes.c evp_locl.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/aes.h ../../include/openssl/asn1.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/bio.h
+e_aes_cbc_hmac_sha1.o: ../../e_os.h ../../include/openssl/aes.h
+e_aes_cbc_hmac_sha1.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/crypto.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/e_os2.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/evp.h
@@ -212,8 +212,8 @@
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/safestack.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/sha.h
 e_aes_cbc_hmac_sha1.o: ../../include/openssl/stack.h
-e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h e_aes_cbc_hmac_sha1.c
-e_aes_cbc_hmac_sha1.o: evp_locl.h
+e_aes_cbc_hmac_sha1.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
+e_aes_cbc_hmac_sha1.o: e_aes_cbc_hmac_sha1.c evp_locl.h
 e_bf.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
 e_bf.o: ../../include/openssl/blowfish.h ../../include/openssl/buffer.h
 e_bf.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c
--- a/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c     Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/evp/evp_enc.c     Tue May 03 17:21:32 2016 +0000
@@ -334,7 +334,7 @@
     bl = ctx->cipher->block_size;
     OPENSSL_assert(bl <= (int)sizeof(ctx->buf));
     if (i != 0) {
-        if (i + inl < bl) {
+        if (bl - i > inl) {
             memcpy(&(ctx->buf[i]), in, inl);
             ctx->buf_len += inl;
             *outl = 0;
diff -r 23a7669358fc -r 64a324eb76c6 crypto/external/bsd/openssl/dist/crypto/opensslv.h
--- a/crypto/external/bsd/openssl/dist/crypto/opensslv.h        Tue May 03 17:21:02 2016 +0000
+++ b/crypto/external/bsd/openssl/dist/crypto/opensslv.h        Tue May 03 17:21:32 2016 +0000
@@ -30,11 +30,11 @@
  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
  *  major minor fix final patch/beta)



Home | Main Index | Thread Index | Old Index