Add FreeBSD-SA-17:12.openssl.

svn path=/head/; revision=51269

share/security/advisories/FreeBSD-SA-17:12.openssl.asc

@@ -0,0 +1,169 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-17:12.openssl                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          OpenSSL multiple vulnerabilities
+
+Category:       contrib
+Module:         openssl
+Announced:      2017-12-09
+Affects:        All supported versions of FreeBSD.
+Corrected:      2017-12-07 18:04:48 UTC (stable/11, 11.1-STABLE)
+                2017-12-09 03:44:26 UTC (releng/11.1, 11.1-RELEASE-p6)
+                2017-12-09 03:41:31 UTC (stable/10, 10.4-STABLE)
+                2017-12-09 03:45:23 UTC (releng/10.4, 10.4-RELEASE-p5)
+                2017-12-09 03:45:23 UTC (releng/10.3, 10.3-RELEASE-p26)
+CVE Name:       CVE-2017-3737, CVE-2017-3738
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
+a collaborative effort to develop a robust, commercial-grade, full-featured
+Open Source toolkit for the Transport Layer Security (TLS) and Secure Sockets
+Layer (SSL) protocols.  It is also a full-strength general purpose
+cryptography library.
+
+II.  Problem Description
+
+Invoking SSL_read()/SSL_write() while in an error state causes data to be
+passed without being decrypted/encrypted directly from the SSL/TLS record
+layer.
+
+In order to exploit this issue an application bug would have to be present
+that resulted in a call to SSL_read()/SSL_write() being issued after having
+already received a fatal error.  [CVE-2017-3737]
+
+There is an overflow bug in the x86_64 Montgomery multiplication procedure
+used in exponentiation with 1024-bit moduli.  This only affects processors
+that support the AVX2 but not ADX extensions like Intel Haswell (4th
+generation).  [CVE-2017-3738]  This bug only affects FreeBSD 11.x.
+
+III. Impact
+
+Applications with incorrect error handling may inappropriately pass
+unencrypted data.  [CVE-2017-3737]
+
+Mishandling of carry propagation will produce incorrect output, and make it
+easier for a remote attacker to obtain sensitive private-key information.  No
+EC algorithms are affected and analysis suggests that attacks against RSA and
+DSA as a result of this defect would be very difficult to perform and are not
+believed likely.
+
+Attacks against DH1024 are considered just feasible (although very difficult)
+because most of the work necessary to deduce information about a private key
+may be performed offline.  The amount of resources required for such an
+attack would be very significant and likely only accessible to a limited
+number of attackers.  However, for an attack on TLS to be meaningful, the
+server would have to share the DH1024 private key among multiple clients,
+which is no longer an option since CVE-2016-0701.  [CVE-2017-3738]
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Restart all daemons that use the library, or reboot the system.
+
+2) To update your vulnerable system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+Restart all daemons that use the library, or reboot the system.
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 10.x]
+# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-10.patch.asc
+# gpg --verify openssl-10.patch.asc
+
+[FreeBSD 11.x]
+# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch
+# fetch https://security.FreeBSD.org/patches/SA-17:12/openssl-11.patch.asc
+# gpg --verify openssl-11.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+Restart all daemons that use the library, or reboot the system.
+
+VI.  Correction details
+
+The following list contains the correction revision numbers for each
+affected branch.
+
+Branch/path                                                      Revision
+- -------------------------------------------------------------------------
+stable/10/                                                        r326721
+releng/10.3/                                                      r326723
+releng/10.4/                                                      r326723
+stable/11/                                                        r326663
+releng/11.1/                                                      r326722
+- -------------------------------------------------------------------------
+
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://www.openssl.org/news/secadv/20171207.txt>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3737>
+
+<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3738>
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-17:12.openssl.asc>
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAEBCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlorX9pfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
+RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
+aucRig//XLyBjQb+uqZbCWBG9TuefOrdNFeGay5QjBMXRT6TsHel+lUQbAZuMoA7
+p4Iammlir+krH9+D/iWPZqLVRhY29LMmI7eyCL9vgA0McRsoDI1bN0daJiAOypo4
+AWjzslm+Z/8vLcs93fpi0Y26yf45CY8uzGVJBspGg1D9wPJ60bqKqimCPTYMBXtS
+2ZecrF89Vg9u+U2dYmsoTryBNerPR+UWLMtO5DUUgDtcdAdINKjjcQt6i6A0XPr2
+2d7fzVCN4k4eBqmOOi1YWL96uoYcfDOCmUWD4NYN3x6+1n/oHVpviYYi8CgXJNbU
+1dsD6fPeAlqfBOi4e3tNKY2bwzq93/nJF9/RpzDz2JDlUxjHk2jc0EG64Dh3HSjK
+hwzXhc43qWnfzTs6PRkgZRNQp+0NFEZZT8gEXEQ8mCnW+3qF0LgvQYHBFknGDYCi
+EdZhnVN+DTHvaqLJpVrgE8TKt/qWCkdhsw1RRQblAovsC6CZZD3lYUS/o86jn2tp
+WVjndsfmfNs2EFWeZsKcwYCb+bdQGXbhlxb8iSU7f+U+msau5ZF++0+6T/EXvuvq
+hVOfwXJUD8xjO1ebZ+gtjn4HvRORLXqwi3zkoKJrSBOikK5ttlKyed445Q0cvuRk
+UHpNB7+q57SrO/4syinjh9fozSVSf78tTZaI9YbTCuC3DRY5luI=
+=/29R
+-----END PGP SIGNATURE-----

share/security/patches/SA-17:12/openssl-10.patch

@@ -0,0 +1,11 @@
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -1544,7 +1544,7 @@
+ # define SSL_ST_BEFORE                   0x4000
+ # define SSL_ST_OK                       0x03
+ # define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
+-# define SSL_ST_ERR                      0x05
++# define SSL_ST_ERR                      (0x05|SSL_ST_INIT)
+ 
+ # define SSL_CB_LOOP                     0x01
+ # define SSL_CB_EXIT                     0x02

share/security/patches/SA-17:12/openssl-10.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlorX9tfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
+RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
+audhmhAAsuGff3b1BmmhZC05lY4RLSj7Jicg66UYDdmf9MgyFIb6yJ0fxTDpC+o/
+eGByIcusfBdaXEcHWmIP77MHVpKt1FT335bV109kzefW043Ec9oWBglbIWB6GA+y
+om1xeJWJAl/ONnKBBwvjUQ9m1KYoQORm8MsZgptoDmujpRlhD85yPIO4Vp7DKxT3
+mMXmxB66XsSlSfLEJQrpr1IuhL0wpeOWxNWgX+ehwbQ7crXlKihJ/G5HzBlUEE8E
+0oBAQ1cWLomd/2SMnTezr1yVVuMDQxcaO4D3t5atLZ4lQ8bzyVWFR4NodnrLUupc
+uPtD3vDra9BwO4ezJeck/EoRKf0YDb110qbbMFzpoDioUfT2lDrkHedg0M98ysLo
+qn/PcoD7na2LtCjSBfPEnBewvQr3ESBjBE3tEVNTMFtcadC/NBLHDgKvw4LFtK1I
+7aHQbGhgiALwagbQCMOKn97A1vIGDUk6FvuLDFHI+iTXpn46rkU2pwWyVJdoUKgs
+dSeQK6y77QKQEEzdFKMa6aGT/dsk8nXro3uPzwnjG/DUxsIFfxyerz3fTHugUqEh
+Hs8ssJ38Y2ZnuiQJMGYxZPMJale+q4ofm9f7aEhlAIE+beD5BlMGUUt6wTTxgk0Q
+hZjDvyE4Nv+KpnXetB5f/2CbrBq9rOROGCU55z/wUdFqLIIbUnY=
+=Zas4
+-----END PGP SIGNATURE-----

share/security/patches/SA-17:12/openssl-11.patch

@@ -0,0 +1,122 @@
+--- crypto/openssl/crypto/bn/asm/rsaz-avx2.pl.orig
++++ crypto/openssl/crypto/bn/asm/rsaz-avx2.pl
+@@ -239,7 +239,7 @@
+ 	vmovdqu		32*8-128($ap), $ACC8
+ 
+ 	lea	192(%rsp), $tp0			# 64+128=192
+-	vpbroadcastq	.Land_mask(%rip), $AND_MASK
++	vmovdqu	.Land_mask(%rip), $AND_MASK
+ 	jmp	.LOOP_GRANDE_SQR_1024
+ 
+ .align	32
+@@ -1070,10 +1070,10 @@
+ 	vpmuludq	32*6-128($np),$Yi,$TEMP1
+ 	vpaddq		$TEMP1,$ACC6,$ACC6
+ 	vpmuludq	32*7-128($np),$Yi,$TEMP2
+-	 vpblendd	\$3, $ZERO, $ACC9, $ACC9	# correct $ACC3
++	 vpblendd	\$3, $ZERO, $ACC9, $TEMP1	# correct $ACC3
+ 	vpaddq		$TEMP2,$ACC7,$ACC7
+ 	vpmuludq	32*8-128($np),$Yi,$TEMP0
+-	 vpaddq		$ACC9, $ACC3, $ACC3		# correct $ACC3
++	 vpaddq		$TEMP1, $ACC3, $ACC3		# correct $ACC3
+ 	vpaddq		$TEMP0,$ACC8,$ACC8
+ 
+ 	mov	%rbx, %rax
+@@ -1086,7 +1086,9 @@
+ 	 vmovdqu	-8+32*2-128($ap),$TEMP2
+ 
+ 	mov	$r1, %rax
++	 vpblendd	\$0xfc, $ZERO, $ACC9, $ACC9	# correct $ACC3
+ 	imull	$n0, %eax
++	 vpaddq		$ACC9,$ACC4,$ACC4		# correct $ACC3
+ 	and	\$0x1fffffff, %eax
+ 
+ 	 imulq	16-128($ap),%rbx
+@@ -1322,15 +1324,12 @@
+ #	But as we underutilize resources, it's possible to correct in
+ #	each iteration with marginal performance loss. But then, as
+ #	we do it in each iteration, we can correct less digits, and
+-#	avoid performance penalties completely. Also note that we
+-#	correct only three digits out of four. This works because
+-#	most significant digit is subjected to less additions.
++#	avoid performance penalties completely.
+ 
+ $TEMP0 = $ACC9;
+ $TEMP3 = $Bi;
+ $TEMP4 = $Yi;
+ $code.=<<___;
+-	vpermq		\$0, $AND_MASK, $AND_MASK
+ 	vpaddq		(%rsp), $TEMP1, $ACC0
+ 
+ 	vpsrlq		\$29, $ACC0, $TEMP1
+@@ -1763,7 +1762,7 @@
+ 
+ .align	64
+ .Land_mask:
+-	.quad	0x1fffffff,0x1fffffff,0x1fffffff,-1
++	.quad	0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
+ .Lscatter_permd:
+ 	.long	0,2,4,6,7,7,7,7
+ .Lgather_permd:
+--- crypto/openssl/ssl/ssl.h.orig
++++ crypto/openssl/ssl/ssl.h
+@@ -1727,7 +1727,7 @@
+ # define SSL_ST_BEFORE                   0x4000
+ # define SSL_ST_OK                       0x03
+ # define SSL_ST_RENEGOTIATE              (0x04|SSL_ST_INIT)
+-# define SSL_ST_ERR                      0x05
++# define SSL_ST_ERR                      (0x05|SSL_ST_INIT)
+ 
+ # define SSL_CB_LOOP                     0x01
+ # define SSL_CB_EXIT                     0x02
+--- secure/lib/libcrypto/amd64/rsaz-avx2.S.orig
++++ secure/lib/libcrypto/amd64/rsaz-avx2.S
+@@ -68,7 +68,7 @@
+ 	vmovdqu	256-128(%rsi),%ymm8
+ 
+ 	leaq	192(%rsp),%rbx
+-	vpbroadcastq	.Land_mask(%rip),%ymm15
++	vmovdqu	.Land_mask(%rip),%ymm15
+ 	jmp	.LOOP_GRANDE_SQR_1024
+ 
+ .align	32
+@@ -801,10 +801,10 @@
+ 	vpmuludq	192-128(%rcx),%ymm11,%ymm12
+ 	vpaddq	%ymm12,%ymm6,%ymm6
+ 	vpmuludq	224-128(%rcx),%ymm11,%ymm13
+-	vpblendd	$3,%ymm14,%ymm9,%ymm9
++	vpblendd	$3,%ymm14,%ymm9,%ymm12
+ 	vpaddq	%ymm13,%ymm7,%ymm7
+ 	vpmuludq	256-128(%rcx),%ymm11,%ymm0
+-	vpaddq	%ymm9,%ymm3,%ymm3
++	vpaddq	%ymm12,%ymm3,%ymm3
+ 	vpaddq	%ymm0,%ymm8,%ymm8
+ 
+ 	movq	%rbx,%rax
+@@ -817,7 +817,9 @@
+ 	vmovdqu	-8+64-128(%rsi),%ymm13
+ 
+ 	movq	%r10,%rax
++	vpblendd	$0xfc,%ymm14,%ymm9,%ymm9
+ 	imull	%r8d,%eax
++	vpaddq	%ymm9,%ymm4,%ymm4
+ 	andl	$0x1fffffff,%eax
+ 
+ 	imulq	16-128(%rsi),%rbx
+@@ -1046,7 +1048,6 @@
+ 
+ 	decl	%r14d
+ 	jnz	.Loop_mul_1024
+-	vpermq	$0,%ymm15,%ymm15
+ 	vpaddq	(%rsp),%ymm12,%ymm0
+ 
+ 	vpsrlq	$29,%ymm0,%ymm12
+@@ -1686,7 +1687,7 @@
+ 
+ .align	64
+ .Land_mask:
+-.quad	0x1fffffff,0x1fffffff,0x1fffffff,-1
++.quad	0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
+ .Lscatter_permd:
+ .long	0,2,4,6,7,7,7,7
+ .Lgather_permd:

share/security/patches/SA-17:12/openssl-11.patch.asc

@@ -0,0 +1,18 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQKTBAABCgB9FiEEHPf/b631yp++G4yy7Wfs1l3PaucFAlorX9tfFIAAAAAALgAo
+aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDFD
+RjdGRjZGQURGNUNBOUZCRTFCOENCMkVENjdFQ0Q2NURDRjZBRTcACgkQ7Wfs1l3P
+audlow/+Jb44Q4QjlFqNVrj8y9HKhLtCM5u2zNwsYb0xWhgQ7bxlDoQYa+zbtqRo
+kKjzpIjxoXSq/Otx61WkbUukc1RZrN6E1j+47TylWk2S0gl3mtFXvUjbI8YzM6w3
+zvxh9GIfm8u1RV8MFt+eAbjMdsCSw1s5L+Qipv4R1BmOgINsdomgKipXIdsfCSUC
+KAGlY4d1KsedRIvG50rpa/lYn4RjI4EjklbDewosNb7NYOKi18QYSTEhJWl27e2L
+tbhaCBfNP1SKKs5qyYptO2XPw0ToJIAR97Xtj+7Y0AWiPm26x+IE6+v8/VdFUP7L
+Y8f6gtB4Q8vvSRsqsCwS+6GIUVs3tFYNqRwq5S53AFGvlFfjbOreffjYJm2VvlI6
+GIrrDiNEq/JDW3d0ueAt0fdySexfYmhvfd7WXlNnX3Opc164zthQZ4kxc5X2WL2x
+xTyQIeWsWW6Om39QSCmQKmSEyhhiFHTHBfCgTQz6c+pVy7tr1cA4+h25XaloWbyM
+gUBNRwD7i7er5DFL7GpPMTyW7QbmloE6EIEKMdFl20IfVARPKWBqZIWg093JtoU6
+1SmOcCncVLnzAJodecRy2Jvw0OpRK5imwYIlPpCmOiKvngPIe5X+aNZzsuqDS4Ia
+2F3tklxMtvZ3jIgaDpBq6utMnJw0wOTS0TH+U1dFnik3TkCFTdA=
+=4IBI
+-----END PGP SIGNATURE-----