There were two changes between 1.1.1e and 1.1.1f:
- a change in BN prime generation to avoid possible fingerprinting of
newly generated RSA modules
- the patch reversing EOF detection we had already applied.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This adds patches to avoid possible application breakage caused by a
change in behavior introduced in 1.1.1e. It affects at least nginx,
which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:
4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while
keepalive, client: xxxx, server: [::]:443
Openssl commits db943f4 (Detect EOF while reading in libssl), and
22623e0 (Teach more BIOs how to handle BIO_CTRL_EOF) changed the
behavior when encountering an EOF in SSL_read(). Previous behavior was
to return SSL_ERROR_SYSCALL, but errno would still be 0. The commits
being reverted changed it to SSL_ERRO_SSL, and add an error to the
stack, which is correct. Unfortunately this affects a number of
applications that counted on the old behavior, including nginx.
The reversion was discussed in openssl/openssl#11378, and implemented as
PR openssl/openssl#11400.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This version includes bug and security fixes, including medium-severity
CVE-2019-1551, affecting RSA1024, RSA1536, DSA1024 & DH512 on x86_64.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This adds commented configuration help for the alternate, afalg-sync
engine to /etc/ssl/openssl.cnf.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This adds engine configuration sections to openssl.cnf, with a commented
list of engines. To enable an engine, all you have to do is uncomment
the engine line.
It also adds some useful comments to the devcrypto engine configuration
section. Other engines currently don't have configuration commands.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
gcc-8 switch -ffile-prefix-map helps a lot with reproducible build paths
in the resulting binaries.
Ref: https://reproducible-builds.org/docs/build-path/
Signed-off-by: Paul Spooren <mail@aparcar.org>
[refactored into separate commit]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This version fixes 3 low-severity vulnerabilities:
- CVE-2019-1547: ECDSA remote timing attack
- CVE-2019-1549: Fork Protection
- CVE-2019-1563: Padding Oracle in PKCS7_dataDecode and
CMS_decrypt_set1_pkey
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Highlights of this version:
- Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
- Fix OPENSSL_config bug (patch removed)
- Change the default RSA, DSA and DH size to 2048 bit instead of 1024.
- Enable SHA3 pre-hashing for ECDSA and DSA
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [DMARC removal]
This applies an upstream patch that fixes a OPENSSL_config() bug that
causes SSL initialization to fail when the openssl.cnf file is not
found. The config file is not installed by default.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Openssh uses digest contexts across forks, which is not supported by the
/dev/crypto engine. The speed of digests is usually not worth enabling
them anyway. This changes the default of the DIGESTS option to NONE, so
the user still has the option to enable them.
Added another patch related to the use of encryption contexts across
forks, that ignores a failure to close a previous open session when
reinitializing a context, instead of failing the reinitialization.
Added a link to the Cryptographic Hardware Accelerators document to the
engine pacakges description, to provide more detailed instructions to
configure the engines.
Revert the removal of the OPENSSL_ENGINE_CRYPTO symbol, currently used
by openssh. There is an open PR to update openssh; when merged, this
symbol can be safely removed.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> [refresh patches]
The patches to the /dev/crypto engine were commited to openssl master,
and will be in the next major version (3.0).
Changes:
- Optimization in computing a digest in one operation, saving an ioctl
- Runtime configuration options for the choice of algorithms to use
- Command to dump useful information about the algorithms supported by
the engine and the system.
- Build the devcrypto engine as a dynamic module, like other engines.
The devcrypto engine is built as a separate package by default, but
options were added to allow building the engines into the main library.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
[refresh patches]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is bugfix release that incorporated all of the devcrypto engine
patches currently in the tree.
The cleaning procedure in Package/Configure was not removing the
dependency files, causing linking errors during a rebuild with
different options. It was replaced by a simple make clean.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Applies a patch from https://github.com/openssl/openssl/pull/8213
that fixes an error where open /dev/crypto sessions were not closed.
Thanks to Ansuel Smith for reporting it.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Add a patch to enable the option to change the default ciphersuite list
ordering to prefer ChaCha20 over AES-GCM. This is used by default for
all platforms, except for x86_64 and aarch64. The assumption is that
only the latter have AES-specific CPU instructions and asm code that
uses them in openssl. Chacha20Poly1305 is 3x faster than AES-256 in
systems without AES instructions, with an equivalent strength.
Disable error messages by default except for devices with small flash or
RAM, to aid debugging.
Disable ASM by default on arm platform with small flash. Size
difference on mips and powerpc, the other platforms with small flash
devices, are not really relevant (using 100K as a threshold). All of
the affected platforms are source-only anyway.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
This version adds the following functionality:
* TLS 1.3
* AFALG engine support for hardware accelleration
* x25519 ECC curve support
* CRIME protection: disable use of compression by default
* Support for ChaCha20 and Poly1305
Patches fixing bugs in the /dev/crypto engine were applied, from
https://github.com/openssl/openssl/pull/7585
This increses the size of the ipk binray on MIPS32 by about 32%:
old:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
new:
912.493 bin/packages/mips_24kc/base/libopenssl1.1_1.1.1a-2_mips_24kc.ipk
239.316 bin/packages/mips_24kc/base/openssl-util_1.1.1a-2_mips_24kc.ipk
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
Adds the following configuration options:
* using optimized assembler code (was always on before)
* use of x86 SSE2 instructions
* dyanic engine support
* include error messages
* Camellia, Gost, Idea, MDC2, Seed & Whirlpool algorithms
* RFC3779, CMS protocols
* VIA padlock hardware acceleration engine
Installs openssl.cnf with the library as it is used by engines
independent of the openssl util.
Fixes DTLS option that was innefective before.
Disables insecure SSL3 protocol and SHA0.
Adds openwrt-specific targets to Configure script, including asm support
for i386, ppc and mips64.
Strips building dirs from CFLAGS shown in binary.
Skips the fuzz directory during build.
Removed include/crypto/devcrypto.h that was included here, to use the
cryptodev-linux package, now that it was been moved from the packages
feed to the main openwrt repository.
This decreses the size of the ipk binray on MIPS32 by about 3.3%:
old:
706.957 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
199.294 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
new:
693.941 bin/packages/mips_24kc/base/libopenssl1.0.0_1.0.2q-2_mips_24kc.ipk
193.827 bin/packages/mips_24kc/base/openssl-util_1.0.2q-2_mips_24kc.ipk
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
This fixes the following security problems:
* CVE-2018-0732: Client DoS due to large DH parameter
* CVE-2018-0737: Cache timing vulnerability in RSA Key Generation
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
don't set no-ssl3-method when CONFIG_OPENSSL_WITH_SSL3 di disabled otherwise the compile breaks with this error:
../libssl.so: undefined reference to `SSLv3_client_method'
Fixes CVE: CVE-2017-3735, CVE-2017-3736
Signed-off-by: Peter Wagner <tripolar@gmx.at>
OpenSSL is built with the generic linux settings for most targets,
including aarch64. These generic settings are designed for 32-bit CPU and
provide no assembler optmization: this is widely suboptimal for aarch64.
This patch simply switches to the aarch64 settings that are already
available in OpenSSL.
Here is the output of "openssl speed" before the optimization, with
"(...)" representing build flags that didn't change:
OpenSSL 1.0.2l 25 May 2017
options:bn(64,32) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-musl-gcc (...)
And after this patch, OpenSSL uses 64 bit mode and assembler optimizations:
OpenSSL 1.0.2l 25 May 2017
options:bn(64,64) rc4(ptr,char) des(idx,cisc,2,int) aes(partial) blowfish(ptr)
compiler: aarch64-openwrt-linux-musl-gcc (...) -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
Here are some benchmarks on a pine64+ running latest LEDE master r5142-20d363aed3:
before# openssl speed sha aes blowfish
The 'numbers' are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 3918.89k 9982.43k 19148.03k 24933.03k 27325.78k
sha256 4604.51k 10240.64k 17472.51k 21355.18k 22801.07k
sha512 3662.19k 14539.41k 21443.16k 29544.11k 33177.60k
blowfish cbc 16266.63k 16940.86k 17176.92k 17237.33k 17252.35k
aes-128 cbc 19712.95k 21447.40k 22091.09k 22258.35k 22304.09k
aes-192 cbc 17680.12k 19064.47k 19572.14k 19703.13k 19737.26k
aes-256 cbc 15986.67k 17132.48k 17537.28k 17657.17k 17689.26k
after# openssl speed sha aes blowfish
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 6770.87k 26172.80k 86878.38k 205649.58k 345978.20k
sha256 20913.93k 74663.85k 184658.18k 290891.09k 351032.66k
sha512 7633.10k 30110.14k 50083.24k 71883.43k 82485.25k
blowfish cbc 16224.93k 16933.55k 17173.76k 17234.94k 17252.35k
aes-128 cbc 19425.74k 21193.31k 22065.74k 22304.77k 22380.54k
aes-192 cbc 17452.29k 18883.84k 19536.90k 19741.70k 19800.06k
aes-256 cbc 15815.89k 17003.01k 17530.03k 17695.40k 17746.60k
For some reason AES and blowfish do not benefit, but SHA performance
improves between 1.7x and 15x. SHA256 clearly benefits the most from the
optimization (4.5x on small blocks, 15x on large blocks!).
When using EVP (with "openssl speed -evp <algo>"):
# Before, EVP mode
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 3824.46k 10049.66k 19170.56k 24947.03k 27325.78k
sha256 3368.33k 8511.15k 16061.44k 20772.52k 22721.88k
sha512 2845.23k 11381.57k 19467.69k 28512.26k 33008.30k
bf-cbc 15146.74k 16623.83k 17092.01k 17211.39k 17249.62k
aes-128-cbc 17873.03k 20870.61k 21933.65k 22216.36k 22301.35k
aes-192-cbc 16184.18k 18607.15k 19447.13k 19670.02k 19737.26k
aes-256-cbc 14774.06k 16757.25k 17457.58k 17639.42k 17686.53k
# After, EVP mode
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
sha1 7056.97k 27142.10k 89515.86k 209155.41k 347419.99k
sha256 7745.70k 29750.06k 95341.48k 211001.69k 332376.75k
sha512 4550.47k 18086.06k 39997.10k 65880.75k 81431.21k
bf-cbc 15129.20k 16619.03k 17090.56k 17212.76k 17246.89k
aes-128-cbc 99619.74k 269032.34k 450214.23k 567353.00k 613933.06k
aes-192-cbc 93180.74k 231017.79k 361766.66k 433671.51k 461731.16k
aes-256-cbc 89343.23k 209858.58k 310160.04k 362234.88k 380878.85k
Blowfish does not seem to have assembler optimization at all, and SHA
still benefits (between 1.6x and 14.5x) but is generally slower than in
non-EVP mode.
However, AES performance is improved between 5.5x and 27.5x, which is
really impressive! For aes-128-cbc on large blocks, a core i7-6600U
@2.60GHz is only twice as fast...
Signed-off-by: Baptiste Jonglez <git@bitsofnetworks.org>
This fixes the following security problems:
CVE-2017-3731: Truncated packet could crash via OOB read
CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64
CVE-2016-7055: Montgomery multiplication may produce incorrect results
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
A bug fix which included a CRL sanity check was added to OpenSSL 1.1.0
but was omitted from OpenSSL 1.0.2i. As a result any attempt to use
CRLs in OpenSSL 1.0.2i will crash with a null pointer exception.
Patches applied upstream:
* 301-fix_no_nextprotoneg_build.patch
* 302-Fix_typo_introduced_by_a03f81f4.patch
Security advisory: https://www.openssl.org/news/secadv/20160926.txt
Signed-off-by: Magnus Kroken <mkroken@gmail.com>
The patch needed for this commit has been sent upstream:
https://github.com/openssl/openssl/pull/1155
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name> [add back bf and srp]
NPN has been superseded by ALPN so NPN is disabled by default
The patch has been sent to OpenSSL for inclusion, see
https://github.com/openssl/openssl/pull/1100
Signed-off-by: Dirk Feytons <dirk.feytons@gmail.com>
CVE-2016-0704
s2_srvr.c overwrite the wrong bytes in the master-key when applying
Bleichenbacher protection for export cipher suites. This provides a
Bleichenbacher oracle, and could potentially allow more efficient variants of
the DROWN attack.
CVE-2016-0703
s2_srvr.c did not enforce that clear-key-length is 0 for non-export ciphers.
If clear-key bytes are present for these ciphers, they *displace* encrypted-key
bytes. This leads to an efficient divide-and-conquer key recovery attack: if
an eavesdropper has intercepted an SSLv2 handshake, they can use the server as
an oracle to determine the SSLv2 master-key, using only 16 connections to the
server and negligible computation. More importantly, this leads to a more
efficient version of DROWN that is effective against non-export ciphersuites,
and requires no significant computation.
CVE-2016-0702
A side-channel attack was found which makes use of cache-bank conflicts on
the Intel Sandy-Bridge microarchitecture which could lead to the recovery of
RSA keys. The ability to exploit this issue is limited as it relies on an
attacker who has control of code in a thread running on the same hyper-
threaded core as the victim thread which is performing decryptions.
CVE-2016-0799
The internal |fmtstr| function used in processing a "%s" format string in
the BIO_*printf functions could overflow while calculating the length of a
string and cause an OOB read when printing very long strings. Additionally
the internal |doapr_outch| function can attempt to write to an OOB memory
location (at an offset from the NULL pointer) in the event of a memory
allocation failure. In 1.0.2 and below this could be caused where the size
of a buffer to be allocated is greater than INT_MAX. E.g. this could be in
processing a very long "%s" format string. Memory leaks can also occur.
The first issue may mask the second issue dependent on compiler behaviour.
These problems could enable attacks where large amounts of untrusted data is
passed to the BIO_*printf functions. If applications use these functions in
this way then they could be vulnerable. OpenSSL itself uses these functions
when printing out human-readable dumps of ASN.1 data. Therefore applications
that print this data could be vulnerable if the data is from untrusted sources.
OpenSSL command line applications could also be vulnerable where they print out
ASN.1 data, or if untrusted data is passed as command line arguments. Libssl is
not considered directly vulnerable. Additionally certificates etc received via
remote connections via libssl are also unlikely to be able to trigger these
issues because of message size limits enforced within libssl.
CVE-2016-0797
In the BN_hex2bn function the number of hex digits is calculated using an int
value |i|. Later |bn_expand| is called with a value of |i * 4|. For large
values of |i| this can result in |bn_expand| not allocating any memory because
|i * 4| is negative. This can leave the internal BIGNUM data field as NULL
leading to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this case
memory is allocated to the internal BIGNUM data field, but it is insufficiently
sized leading to heap corruption. A similar issue exists in BN_dec2bn. This
could have security consequences if BN_hex2bn/BN_dec2bn is ever called by user
applications with very large untrusted hex/dec data. This is anticipated to be
a rare occurrence. All OpenSSL internal usage of these functions use data that
is not expected to be untrusted, e.g. config file data or application command
line arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be rare.
CVE-2016-0798
The SRP user database lookup method SRP_VBASE_get_by_user had confusing memory
management semantics; the returned pointer was sometimes newly allocated, and
sometimes owned by the callee. The calling code has no way of distinguishing
these two cases. Specifically, SRP servers that configure a secret seed to hide
valid login information are vulnerable to a memory leak: an attacker connecting
with an invalid username can cause a memory leak of around 300 bytes per
connection. Servers that do not configure SRP, or configure SRP but do not
configure a seed are not vulnerable. In Apache, the seed directive is known as
SSLSRPUnknownUserSeed. To mitigate the memory leak, the seed handling in
SRP_VBASE_get_by_user is now disabled even if the user has configured a seed.
Applications are advised to migrate to SRP_VBASE_get1_by_user. However, note
that OpenSSL makes no strong guarantees about the indistinguishability of valid
and invalid logins. In particular, computations are currently not carried out
in constant time.
CVE-2016-0705
A double free bug was discovered when OpenSSL parses malformed DSA private keys
and could lead to a DoS attack or memory corruption for applications that
receive DSA private keys from untrusted sources. This scenario is considered
rare.
CVE-2016-0800
A cross-protocol attack was discovered that could lead to decryption of TLS
sessions by using a server supporting SSLv2 and EXPORT cipher suites as a
Bleichenbacher RSA padding oracle. Note that traffic between clients and non-
vulnerable servers can be decrypted provided another server supporting SSLv2
and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP)
shares the RSA keys of the non-vulnerable server. This vulnerability is known
as DROWN (CVE-2016-0800). Recovering one session key requires the attacker to
perform approximately 2^50 computation, as well as thousands of connections to
the affected server. A more efficient variant of the DROWN attack exists
against unpatched OpenSSL servers using versions that predate 1.0.2a, 1.0.1m,
1.0.0r and 0.9.8zf released on 19/Mar/2015 (see CVE-2016-0703 below). Users can
avoid this issue by disabling the SSLv2 protocol in all their SSL/TLS servers,
if they've not done so already. Disabling all SSLv2 ciphers is also sufficient,
provided the patches for CVE-2015-3197 (fixed in OpenSSL 1.0.1r and 1.0.2f)
have been deployed. Servers that have not disabled the SSLv2 protocol, and are
not patched for CVE-2015-3197 are vulnerable to DROWN even if all SSLv2
ciphers are nominally disabled, because malicious clients can force the use of
SSLv2 with EXPORT ciphers. OpenSSL 1.0.2g and 1.0.1s deploy the following
mitigation against DROWN: SSLv2 is now by default disabled at build-time.
Builds that are not configured with "enable-ssl2" will not support SSLv2.
Even if "enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either of:
SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); or SSL_clear_options(ssl,
SSL_OP_NO_SSLv2); as appropriate. Even if either of those is used, or the
application explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search key recovery
have been removed. Specifically, the SSLv2 40-bit EXPORT ciphers, and SSLv2
56-bit DES are no longer available. In addition, weak ciphers in SSLv3 and up
are now disabled in default builds of OpenSSL. Builds that are not configured
with "enable-weak-ssl-ciphers" will not provide any "EXPORT" or "LOW" strength
ciphers.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 48868
During certificate verification, OpenSSL (starting from version 1.0.1n and
1.0.2b) will attempt to find an alternative certificate chain if the first
attempt to build such a chain fails. An error in the implementation of this
logic can mean that an attacker could cause certain checks on untrusted
certificates to be bypassed, such as the CA flag, enabling them to use a valid
leaf certificate to act as a CA and "issue" an invalid certificate.
This issue will impact any application that verifies certificates including
SSL/TLS/DTLS clients and SSL/TLS/DTLS servers using client authentication.
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
SVN-Revision: 46285
Tested myself on ixp4xx and mvebu, and (originally)
by Daniel on i.MX6. Also tested on a MIPS target,
to make sure the change to ASFLAGS does not break things.
Based on a patch submitted by Daniel Drown:
https://lists.openwrt.org/pipermail/openwrt-devel/2014-July/026639.html
Signed-off-by: Claudio Leite <leitec@staticky.com>
Signed-off-by: Daniel Drown <dan-openwrt@drown.org>
SVN-Revision: 44618
This version includes this changes:
Don't include gmt_unix_time in TLS server and client random values
Fix for TLS record tampering bug CVE-2013-4353
Fix for TLS version checking bug CVE-2013-6449
Fix for DTLS retransmission bug CVE-2013-6450
Signed-off-by: Peter Wagner <tripolar@gmx.at>
SVN-Revision: 39853
1.0.1d had a rushed fix for CVE-2013-0169 which broke in certain
circumstances. 1.0.1e has the fix for TLS.
Also include a further patch from the 1.0.1 branch which fixes the
breakage this introduced for Cisco's outdated pre-standard version of
DTLS, as used by OpenConnect.
Update mirror URLs to reflect current reality.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Florian Fainelli <florian@openwrt.org>
SVN-Revision: 35600
Eneas U de Queiroz
Paul Spooren
Christian Lamparter
Eneas U de Queiroz
Hauke Mehrtens
Paul Wassi
Peter Wagner
Baptiste Jonglez
Lucian Cristian
Magnus Kroken
Dirk Feytons
Jo-Philipp Wich
Felix Fietkau
Steven Barth
John Crispin
Florian Fainelli
Tim Yardley