Introduce limits to prevent malicious keys being able to
cause a denial of service. (CVE-2006-2940) [Steve Henson, Bodo Moeller] Fix ASN.1 parsing of certain invalid structures that can result in a denial of service. (CVE-2006-2937) [Steve Henson] Fix buffer overflow in SSL_get_shared_ciphers() function. (CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team] Fix SSL client code which could crash if connecting to a malicious SSLv2 server. (CVE-2006-4343) [Tavis Ormandy and Will Drewry, Google Security Team]
This commit is contained in:
Mark J. Cox
parent
8db3f4ace9
commit
b213966415
14
CHANGES
14
CHANGES
@ -4,6 +4,20 @@
|
||||
|
||||
Changes between 0.9.7k and 0.9.7l [xx XXX xxxx]
|
||||
|
||||
*) Introduce limits to prevent malicious keys being able to
|
||||
cause a denial of service. (CVE-2006-2940)
|
||||
[Steve Henson, Bodo Moeller]
|
||||
|
||||
*) Fix ASN.1 parsing of certain invalid structures that can result
|
||||
in a denial of service. (CVE-2006-2937) [Steve Henson]
|
||||
|
||||
*) Fix buffer overflow in SSL_get_shared_ciphers() function.
|
||||
(CVE-2006-3738) [Tavis Ormandy and Will Drewry, Google Security Team]
|
||||
|
||||
*) Fix SSL client code which could crash if connecting to a
|
||||
malicious SSLv2 server. (CVE-2006-4343)
|
||||
[Tavis Ormandy and Will Drewry, Google Security Team]
|
||||
|
||||
*) Change ciphersuite string processing so that an explicit
|
||||
ciphersuite selects this one ciphersuite (so that "AES256-SHA"
|
||||
will no longer include "AES128-SHA"), and any other similar
|
||||
|
||||
5
NEWS
5
NEWS
@ -5,6 +5,11 @@
|
||||
This file gives a brief overview of the major changes between each OpenSSL
|
||||
release. For more details please read the CHANGES file.
|
||||
|
||||
Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
|
||||
|
||||
o Introduce limits to prevent malicious key DoS (CVE-2006-2940)
|
||||
o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
|
||||
|
||||
Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
|
||||
|
||||
o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
|
||||
|
||||
@ -629,6 +629,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl
|
||||
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_NESTED_ASN1_ERROR);
|
||||
return 0;
|
||||
} else if(ret == -1) return -1;
|
||||
ret = 0;
|
||||
/* SEQUENCE, SET and "OTHER" are left in encoded form */
|
||||
if((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || (utype == V_ASN1_OTHER)) {
|
||||
/* Clear context cache for type OTHER because the auto clear when
|
||||
|
||||
@ -70,6 +70,10 @@
|
||||
#include <openssl/crypto.h>
|
||||
#include <openssl/ossl_typ.h>
|
||||
|
||||
#ifndef OPENSSL_DH_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DH_MAX_MODULUS_BITS 10000
|
||||
#endif
|
||||
|
||||
#define DH_FLAG_CACHE_MONT_P 0x01
|
||||
#define DH_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DH
|
||||
* implementation now uses constant time
|
||||
@ -207,6 +211,7 @@ void ERR_load_DH_strings(void);
|
||||
/* Reason codes. */
|
||||
#define DH_R_BAD_GENERATOR 101
|
||||
#define DH_R_NO_PRIVATE_VALUE 100
|
||||
#define DH_R_MODULUS_TOO_LARGE 103
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
||||
@ -82,6 +82,7 @@ static ERR_STRING_DATA DH_str_functs[]=
|
||||
static ERR_STRING_DATA DH_str_reasons[]=
|
||||
{
|
||||
{ERR_REASON(DH_R_BAD_GENERATOR) ,"bad generator"},
|
||||
{ERR_REASON(DH_R_MODULUS_TOO_LARGE) ,"modulus too large"},
|
||||
{ERR_REASON(DH_R_NO_PRIVATE_VALUE) ,"no private value"},
|
||||
{0,NULL}
|
||||
};
|
||||
|
||||
@ -180,6 +180,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
|
||||
BIGNUM *tmp;
|
||||
int ret= -1;
|
||||
|
||||
if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS)
|
||||
{
|
||||
DHerr(DH_F_DH_COMPUTE_KEY,DH_R_MODULUS_TOO_LARGE);
|
||||
goto err;
|
||||
}
|
||||
|
||||
ctx = BN_CTX_new();
|
||||
if (ctx == NULL) goto err;
|
||||
BN_CTX_start(ctx);
|
||||
|
||||
@ -79,6 +79,10 @@
|
||||
# include <openssl/dh.h>
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
|
||||
#endif
|
||||
|
||||
#define DSA_FLAG_CACHE_MONT_P 0x01
|
||||
#define DSA_FLAG_NO_EXP_CONSTTIME 0x02 /* new with 0.9.7h; the built-in DSA
|
||||
* implementation now uses constant time
|
||||
@ -259,8 +263,10 @@ void ERR_load_DSA_strings(void);
|
||||
#define DSA_F_SIG_CB 114
|
||||
|
||||
/* Reason codes. */
|
||||
#define DSA_R_BAD_Q_VALUE 102
|
||||
#define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100
|
||||
#define DSA_R_MISSING_PARAMETERS 101
|
||||
#define DSA_R_MODULUS_TOO_LARGE 103
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
||||
@ -89,8 +89,10 @@ static ERR_STRING_DATA DSA_str_functs[]=
|
||||
|
||||
static ERR_STRING_DATA DSA_str_reasons[]=
|
||||
{
|
||||
{ERR_REASON(DSA_R_BAD_Q_VALUE) ,"bad q value"},
|
||||
{ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"},
|
||||
{ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"},
|
||||
{ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
|
||||
{0,NULL}
|
||||
};
|
||||
|
||||
|
||||
@ -274,6 +274,18 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (BN_num_bits(dsa->q) != 160)
|
||||
{
|
||||
DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS)
|
||||
{
|
||||
DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
|
||||
return -1;
|
||||
}
|
||||
|
||||
BN_init(&u1);
|
||||
BN_init(&u2);
|
||||
BN_init(&t1);
|
||||
|
||||
@ -154,6 +154,17 @@ struct rsa_st
|
||||
BN_BLINDING *blinding;
|
||||
};
|
||||
|
||||
#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
|
||||
# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
|
||||
# define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
|
||||
#endif
|
||||
#ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
|
||||
# define OPENSSL_RSA_MAX_PUBEXP_BITS 64 /* exponent limit enforced for "large" modulus only */
|
||||
#endif
|
||||
|
||||
#define RSA_3 0x3L
|
||||
#define RSA_F4 0x10001L
|
||||
|
||||
@ -386,6 +397,7 @@ void ERR_load_RSA_strings(void);
|
||||
#define RSA_R_IQMP_NOT_INVERSE_OF_Q 126
|
||||
#define RSA_R_KEY_SIZE_TOO_SMALL 120
|
||||
#define RSA_R_LAST_OCTET_INVALID 134
|
||||
#define RSA_R_MODULUS_TOO_LARGE 105
|
||||
#define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
|
||||
#define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
|
||||
#define RSA_R_OAEP_DECODING_ERROR 121
|
||||
|
||||
@ -157,6 +157,28 @@ static int RSA_eay_public_encrypt(int flen, const unsigned char *from,
|
||||
unsigned char *buf=NULL;
|
||||
BN_CTX *ctx=NULL;
|
||||
|
||||
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (BN_ucmp(rsa->n, rsa->e) <= 0)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* for large moduli, enforce exponent limit */
|
||||
if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
|
||||
{
|
||||
if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_DECRYPT, RSA_R_BAD_E_VALUE);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
BN_init(&f);
|
||||
BN_init(&ret);
|
||||
if ((ctx=BN_CTX_new()) == NULL) goto err;
|
||||
@ -600,6 +622,28 @@ static int RSA_eay_public_decrypt(int flen, const unsigned char *from,
|
||||
unsigned char *buf=NULL;
|
||||
BN_CTX *ctx=NULL;
|
||||
|
||||
if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (BN_ucmp(rsa->n, rsa->e) <= 0)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* for large moduli, enforce exponent limit */
|
||||
if (BN_num_bits(rsa->n) > OPENSSL_RSA_SMALL_MODULUS_BITS)
|
||||
{
|
||||
if (BN_num_bits(rsa->e) > OPENSSL_RSA_MAX_PUBEXP_BITS)
|
||||
{
|
||||
RSAerr(RSA_F_RSA_EAY_PUBLIC_ENCRYPT, RSA_R_BAD_E_VALUE);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
BN_init(&f);
|
||||
BN_init(&ret);
|
||||
ctx=BN_CTX_new();
|
||||
|
||||
@ -129,6 +129,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
|
||||
{ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) ,"iqmp not inverse of q"},
|
||||
{ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) ,"key size too small"},
|
||||
{ERR_REASON(RSA_R_LAST_OCTET_INVALID) ,"last octet invalid"},
|
||||
{ERR_REASON(RSA_R_MODULUS_TOO_LARGE) ,"modulus too large"},
|
||||
{ERR_REASON(RSA_R_NULL_BEFORE_BLOCK_MISSING),"null before block missing"},
|
||||
{ERR_REASON(RSA_R_N_DOES_NOT_EQUAL_P_Q) ,"n does not equal p q"},
|
||||
{ERR_REASON(RSA_R_OAEP_DECODING_ERROR) ,"oaep decoding error"},
|
||||
|
||||
@ -538,7 +538,8 @@ static int get_server_hello(SSL *s)
|
||||
CRYPTO_add(&s->session->peer->references, 1, CRYPTO_LOCK_X509);
|
||||
}
|
||||
|
||||
if (s->session->peer != s->session->sess_cert->peer_key->x509)
|
||||
if (s->session->sess_cert == NULL
|
||||
|| s->session->peer != s->session->sess_cert->peer_key->x509)
|
||||
/* can't happen */
|
||||
{
|
||||
ssl2_return_error(s, SSL2_PE_UNDEFINED_ERROR);
|
||||
|
||||
@ -1727,7 +1727,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
|
||||
|
||||
if (kssl_ctx->client_princ)
|
||||
{
|
||||
int len = strlen(kssl_ctx->client_princ);
|
||||
size_t len = strlen(kssl_ctx->client_princ);
|
||||
if ( len < SSL_MAX_KRB5_PRINCIPAL_LENGTH )
|
||||
{
|
||||
s->session->krb5_client_princ_len = len;
|
||||
|
||||
@ -1187,7 +1187,7 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len)
|
||||
c=sk_SSL_CIPHER_value(sk,i);
|
||||
for (cp=c->name; *cp; )
|
||||
{
|
||||
if (len-- == 0)
|
||||
if (len-- <= 0)
|
||||
{
|
||||
*p='\0';
|
||||
return(buf);
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user