* [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1c
@ 2019-05-30 21:43 Peter Korsgaard
2019-05-31 7:59 ` Peter Korsgaard
2019-06-06 15:35 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-05-30 21:43 UTC (permalink / raw)
To: buildroot
Fixes the following security issues:
Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
every encryption operation. RFC 7539 specifies that the nonce value (IV)
should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
front pads the nonce with 0 bytes if it is less than 12 bytes. However it
also incorrectly allows a nonce to be set of up to 16 bytes. In this case
only the last 12 bytes are significant and any additional leading bytes are
ignored.
It is a requirement of using this cipher that nonce values are unique.
Messages encrypted using a reused nonce value are susceptible to serious
confidentiality and integrity attacks. If an application changes the
default nonce length to be longer than 12 bytes and then makes a change to
the leading bytes of the nonce expecting the new value to be a new unique
nonce then such an application could inadvertently encrypt messages with a
reused nonce.
Additionally the ignored bytes in a long nonce are not covered by the
integrity guarantee of this cipher. Any application that relies on the
integrity of these ignored leading bytes of a long nonce may be further
affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is
safe because no such use sets such a long nonce value. However user
applications that use this cipher directly and set a non-default nonce
length to be longer than 12 bytes may be vulnerable.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
package/libopenssl/libopenssl.hash | 2 +-
package/libopenssl/libopenssl.mk | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/package/libopenssl/libopenssl.hash b/package/libopenssl/libopenssl.hash
index 3a8192c46c..753f447abe 100644
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@@ -1,5 +1,5 @@
# From https://www.openssl.org/source/openssl-1.1.1b.tar.gz.sha256
-sha256 5c557b023230413dfb0756f3137a13e6d726838ccd1430888ad15bfb2b43ea4b openssl-1.1.1b.tar.gz
+sha256 f6fb3079ad15076154eda9413fed42877d668e7069d9b87396d0804fdb3f4c90 openssl-1.1.1c.tar.gz
# License files
sha256 c32913b33252e71190af2066f08115c69bc9fddadf3bf29296e20c835389841c LICENSE
diff --git a/package/libopenssl/libopenssl.mk b/package/libopenssl/libopenssl.mk
index b7eff06c80..064b71bb2e 100644
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@@ -4,7 +4,7 @@
#
################################################################################
-LIBOPENSSL_VERSION = 1.1.1b
+LIBOPENSSL_VERSION = 1.1.1c
LIBOPENSSL_SITE = https://www.openssl.org/source
LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
LIBOPENSSL_LICENSE = OpenSSL or SSLeay
--
2.11.0
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1c
2019-05-30 21:43 [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1c Peter Korsgaard
@ 2019-05-31 7:59 ` Peter Korsgaard
2019-06-06 15:35 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-05-31 7:59 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
> ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
> every encryption operation. RFC 7539 specifies that the nonce value (IV)
> should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
> front pads the nonce with 0 bytes if it is less than 12 bytes. However it
> also incorrectly allows a nonce to be set of up to 16 bytes. In this case
> only the last 12 bytes are significant and any additional leading bytes are
> ignored.
> It is a requirement of using this cipher that nonce values are unique.
> Messages encrypted using a reused nonce value are susceptible to serious
> confidentiality and integrity attacks. If an application changes the
> default nonce length to be longer than 12 bytes and then makes a change to
> the leading bytes of the nonce expecting the new value to be a new unique
> nonce then such an application could inadvertently encrypt messages with a
> reused nonce.
> Additionally the ignored bytes in a long nonce are not covered by the
> integrity guarantee of this cipher. Any application that relies on the
> integrity of these ignored leading bytes of a long nonce may be further
> affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is
> safe because no such use sets such a long nonce value. However user
> applications that use this cipher directly and set a non-default nonce
> length to be longer than 12 bytes may be vulnerable.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1c
2019-05-30 21:43 [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1c Peter Korsgaard
2019-05-31 7:59 ` Peter Korsgaard
@ 2019-06-06 15:35 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2019-06-06 15:35 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:
> Fixes the following security issues:
> Prevent over long nonces in ChaCha20-Poly1305 (CVE-2019-1543)
> ChaCha20-Poly1305 is an AEAD cipher, and requires a unique nonce input for
> every encryption operation. RFC 7539 specifies that the nonce value (IV)
> should be 96 bits (12 bytes). OpenSSL allows a variable nonce length and
> front pads the nonce with 0 bytes if it is less than 12 bytes. However it
> also incorrectly allows a nonce to be set of up to 16 bytes. In this case
> only the last 12 bytes are significant and any additional leading bytes are
> ignored.
> It is a requirement of using this cipher that nonce values are unique.
> Messages encrypted using a reused nonce value are susceptible to serious
> confidentiality and integrity attacks. If an application changes the
> default nonce length to be longer than 12 bytes and then makes a change to
> the leading bytes of the nonce expecting the new value to be a new unique
> nonce then such an application could inadvertently encrypt messages with a
> reused nonce.
> Additionally the ignored bytes in a long nonce are not covered by the
> integrity guarantee of this cipher. Any application that relies on the
> integrity of these ignored leading bytes of a long nonce may be further
> affected. Any OpenSSL internal use of this cipher, including in SSL/TLS, is
> safe because no such use sets such a long nonce value. However user
> applications that use this cipher directly and set a non-default nonce
> length to be longer than 12 bytes may be vulnerable.
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Committed to 2019.02.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-06-06 15:35 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-30 21:43 [Buildroot] [PATCH] package/libopenssl: security bump to version 1.1.1c Peter Korsgaard
2019-05-31 7:59 ` Peter Korsgaard
2019-06-06 15:35 ` Peter Korsgaard
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox