
Issue 381200


Issue metadata

Status: Verified
Owner:
Closed: Jun 2014
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




Security: OpenSSL CCS Vulnerability

Project Member Reported by jorgelo@chromium.org, Jun 5 2014

Issue description

Exposure in Chrome OS is low since OpenSSL is only used in update-engine to talk to Google servers.

http://www.openssl.org/news/secadv_20140605.txt

SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client *and*
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for discovering and
researching this issue.  This issue was reported to OpenSSL on 1st May
2014 via JPCERT/CC.

The fix was developed by Stephen Henson of the OpenSSL core team partly based on an original patch from KIKUCHI Masashi.
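
Added example, not part of the original report or of OpenSSL: a small check that classifies upstream OpenSSL version strings against the fixed releases listed in the advisory above (0.9.8za, 1.0.0m, 1.0.1h), including the patch-letter ordering in which "za" follows "z". The function names, host names and inventory are constructed for illustration.

```python
import re

# Fixed release letter per branch, taken from the advisory text quoted above.
FIXED_LETTER = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Upstream version: three numeric fields plus an optional patch letter.
# After 'z' the sequence continues 'za', 'zb', ... (hence 0.9.8za).
VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)(z*[a-z])?")


def patch_rank(letters):
    """Map a patch suffix to an integer: '' -> 0, 'a' -> 1, 'z' -> 26, 'za' -> 27."""
    if not letters:
        return 0
    return (len(letters) - 1) * 26 + ord(letters[-1]) - ord("a") + 1


def ccs_status(version_text):
    """Classify an `openssl version` style string against the advisory."""
    match = VERSION_RE.search(version_text)
    if match is None:
        return "unparsed"
    branch, letters = match.group(1), match.group(2) or ""
    if branch not in FIXED_LETTER:
        return "branch-not-listed"  # e.g. 1.0.2-beta1: no fixed release on this page
    if patch_rank(letters) >= patch_rank(FIXED_LETTER[branch]):
        return "fixed"
    return "vulnerable"


def hosts_needing_upgrade(inventory):
    """Return (host, version, status) for every entry not confirmed fixed."""
    return [(host, ver, ccs_status(ver))
            for host, ver in inventory
            if ccs_status(ver) != "fixed"]


# Constructed inventory for illustration; host names are made up.
SAMPLE_INVENTORY = [
    ("build-01", "OpenSSL 1.0.1g"),
    ("build-02", "OpenSSL 1.0.1h"),
    ("legacy-01", "OpenSSL 0.9.8y"),
    ("legacy-02", "OpenSSL 0.9.8za"),
    ("lab-01", "OpenSSL 1.0.2-beta1"),
]

if __name__ == "__main__":
    for row in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(*row)
```

The result applies to upstream release strings only: distribution packages that backport the fix keep the older patch letter, so check the package changelog for CVE-2014-0224 in that case.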
 
Cc: dkrahn@chromium.org
a cryptohome unittest fails w/new openssl, so i have to figure out why ...
Cc: cmasone@chromium.org
after failing at life and debugging the wrong func, here's a reduced testcase taken from cryptohome's unittests -- the Base64Decode func is unmodified (other than the std::cout).

you can debug in the sdk, so don't need a target board to reproduce.
 $ g++ test.cc `pkg-config --libs --cflags openssl`
 $ ./a.out

with openssl-1.0.1g you get:
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

with 1.0.1h you get:
Base64Decode failed: input: QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE= size: 44 output size: 0

the delta between the versions isn't that big, so i'll try backing out the hunks to narrow things down.  unless of course, cmasone@ thinks the existing Decode func is broken and that'll save some time :).
Attachment: openssl-test.cc (972 bytes)
Thanks Mike! I'll give it a shot too.
ok, it looks like the openssl bio funcs really want a trailing new line in their input and if you don't provide it, it just returns 0.  wheee.
https://chromium-review.googlesource.com/202701 fixes the unittest problems.  we can debate the future of this code in a diff bug as we really want openssl out.
Labels: Merge-Requested M-35 M-36
Labels: -M-35
approved for 36.
Labels: -Merge-Requested Merge-Approved
Project Member

Comment 10 by bugdroid1@chromium.org, Jun 6 2014

Project: chromiumos/platform/cryptohome
Branch : master
Author : Mike Frysinger <vapier@chromium.org>
Commit : 5e9c1786eee13c4bde95b893bbb007afe785540a

Code-Review  0 : Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes, Kees Cook
Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch
Verified     +1: Mike Frysinger
Commit Queue   : Chumped
Change-Id      : Idf28fefcdc912926fd988f582baaf5c00c54b424
Reviewed-at    : https://chromium-review.googlesource.com/202701

add newlines to base64 content

OpenSSL wants a newline in the base64 content to decode it, so add
ones to make it happy.

BUG= chromium:381200 
TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1g
TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1h

homedirs_unittest.cc
Project Member

Comment 11 by bugdroid1@chromium.org, Jun 6 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : master
Author : Mike Frysinger <vapier@chromium.org>
Commit : 0e0e9e8fd4ac42ccf16ace3b004758ca2b85112d

Code-Review  0 : Mike Frysinger, Will Drewry, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes, Kees Cook
Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook, Will Drewry, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : Jorge Lucangeli Obes, Kees Cook, Will Drewry, chrome-internal-fetch
Verified     +1: Mike Frysinger
Commit Queue   : Chumped
Change-Id      : Iaadf35daf88056a6d26bd799b023e7f777019f8c
Reviewed-at    : https://chromium-review.googlesource.com/202672

openssl: version bump

BUG= chromium:381200 
TEST=`emerge openssl` works
TEST=`FEATURES=test emerge-x86-alex openssl` works
TEST=`cbuildbot chromiumos-sdk` passes
TEST=`cbuildbot {x86-alex,lumpy}-release` passes
CQ-DEPEND=CL:202701

dev-libs/openssl/Manifest
dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch
dev-libs/openssl/files/openssl-1.0.0d-windres.patch
dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch
dev-libs/openssl/files/openssl-1.0.1f-perl-5.18.patch
dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch
dev-libs/openssl/files/openssl-1.0.1h-blacklist-by-sha1.patch
dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch
dev-libs/openssl/metadata.xml
dev-libs/openssl/openssl-1.0.1h.ebuild
Project Member

Comment 12 by bugdroid1@chromium.org, Jun 6 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : release-R36-5841.B
Author : Mike Frysinger <vapier@chromium.org>
Commit : 582ed2bf5348a1d824dfd2c50bc69ac0811b370c

Code-Review  0 : Mike Frysinger
Code-Review  +2: Jorge Lucangeli Obes, Will Drewry
Verified     0 : Jorge Lucangeli Obes, Will Drewry
Verified     +1: Mike Frysinger
Commit Queue   : Chumped
Change-Id      : Iaadf35daf88056a6d26bd799b023e7f777019f8c
Reviewed-at    : https://chromium-review.googlesource.com/202673

openssl: version bump

BUG= chromium:381200 
TEST=`emerge openssl` works
TEST=`FEATURES=test emerge-x86-alex openssl` works
TEST=`cbuildbot chromiumos-sdk` passes
TEST=`cbuildbot {x86-alex,lumpy}-release` passes
CQ-DEPEND=CL:202701

Previous-Reviewed-on: https://chromium-review.googlesource.com/202672
(cherry picked from commit 0e0e9e8fd4ac42ccf16ace3b004758ca2b85112d)

dev-libs/openssl/Manifest
dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch
dev-libs/openssl/files/openssl-1.0.0d-windres.patch
dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch
dev-libs/openssl/files/openssl-1.0.1f-perl-5.18.patch
dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch
dev-libs/openssl/files/openssl-1.0.1h-blacklist-by-sha1.patch
dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch
dev-libs/openssl/metadata.xml
dev-libs/openssl/openssl-1.0.1h.ebuild
Project Member

Comment 13 by bugdroid1@chromium.org, Jun 6 2014

Project: chromiumos/platform/cryptohome
Branch : release-R36-5841.B
Author : Mike Frysinger <vapier@chromium.org>
Commit : 76cf2f1584e61201cde2aea98c61b892546435f1

Code-Review  0 : Mike Frysinger
Code-Review  +2: Jorge Lucangeli Obes, Will Drewry
Verified     0 : Jorge Lucangeli Obes, Will Drewry
Verified     +1: Mike Frysinger
Commit Queue   : Chumped
Change-Id      : Idf28fefcdc912926fd988f582baaf5c00c54b424
Reviewed-at    : https://chromium-review.googlesource.com/202920

add newlines to base64 content

OpenSSL wants a newline in the base64 content to decode it, so add
ones to make it happy.

BUG= chromium:381200 
TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1g
TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1h

Previous-Reviewed-on: https://chromium-review.googlesource.com/202701
(cherry picked from commit 5e9c1786eee13c4bde95b893bbb007afe785540a)

homedirs_unittest.cc
Labels: -Merge-Approved Merge-Merged
Status: Fixed
Labels: -M-36 M-35 Merge-Approved
Merge approved for M35.
Project Member

Comment 16 by bugdroid1@chromium.org, Jun 6 2014

Project: chromiumos/platform/cryptohome
Branch : master
Author : Mike Frysinger <vapier@chromium.org>
Commit : 5e9c1786eee13c4bde95b893bbb007afe785540a

Code-Review  0 : David Riley, Mike Frysinger, chrome-internal-fetch
Code-Review  +2: Jorge Lucangeli Obes, Kees Cook
Commit-Queue 0 : David Riley, Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch
Commit-Queue +1: Mike Frysinger
Verified     0 : David Riley, Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch
Verified     +1: Mike Frysinger
Commit Queue   : Chumped
Change-Id      : Idf28fefcdc912926fd988f582baaf5c00c54b424
Reviewed-at    : https://chromium-review.googlesource.com/202701

add newlines to base64 content

OpenSSL wants a newline in the base64 content to decode it, so add
ones to make it happy.

BUG= chromium:381200 
TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1g
TEST=`FEATURES=test emerge-x86-alex chromeos-cryptohome` passes w/openssl-1.0.1h

homedirs_unittest.cc
Project Member

Comment 17 by bugdroid1@chromium.org, Jun 6 2014

Project: chromiumos/overlays/chromiumos-overlay
Branch : release-R35-5712.B
Author : Mike Frysinger <vapier@chromium.org>
Commit : fe7c580931a07e35a178b353cdada82b27efe645

Code-Review  0 : Mike Frysinger
Code-Review  +2: Kees Cook
Verified     0 : Kees Cook
Verified     +1: Mike Frysinger
Commit Queue   : Chumped
Change-Id      : I71da0324034bd32858fb95e7a00ae5d80eeb076e
Reviewed-at    : https://chromium-review.googlesource.com/202704

openssl: version bump

BUG= chromium:381200 
TEST=`emerge openssl` works
TEST=`FEATURES=test emerge-x86-alex openssl` works
TEST=`cbuildbot chromiumos-sdk` passes
TEST=`cbuildbot {x86-alex,lumpy}-release` passes

Originally-Reviewed-on: https://chromium-review.googlesource.com/193316
Originally-Reviewed-on: https://chromium-review.googlesource.com/202672

dev-libs/openssl/Manifest
dev-libs/openssl/files/openssl-1.0.0a-ldflags.patch
dev-libs/openssl/files/openssl-1.0.0d-windres.patch
dev-libs/openssl/files/openssl-1.0.0h-pkg-config.patch
dev-libs/openssl/files/openssl-1.0.1f-perl-5.18.patch
dev-libs/openssl/files/openssl-1.0.1f-revert-alpha-perl-generation.patch
dev-libs/openssl/files/openssl-1.0.1h-blacklist-by-sha1.patch
dev-libs/openssl/files/openssl-1.0.1h-ipv6.patch
dev-libs/openssl/metadata.xml
dev-libs/openssl/openssl-1.0.1h.ebuild
Labels: -Merge-Approved
Removing "Approved" label as this was merged.
Labels: VerifyIn-38
Project Member

Comment 20 by ClusterFuzz, Sep 12 2014

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 21 by krisr@chromium.org, Sep 17 2014

Status: Verified
Project Member

Comment 22 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 23 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify
Project Member

Comment 24 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Project Member

Comment 26 by sheriffbot@chromium.org, Jul 28

Labels: -Pri-1 Pri-2
