Thu Dec 2 17:33:42 MST 1999
PROBLEM DESCRIPTION
----------------------------------------
USA intellectual property laws require users within the USA to license
RSA public key cryptography software. For non-commercial use, RSA
requires the use of their reference implementation RSAREF2. Other
implementations are a patent violation, and you could end up in court
(and they've got a lot of lawyers).
A CORE-SDI Bugtraq posting revealed a serious buffer overflow in
RSAREF's encryption and decryption functions due to missing checks on
the length of the input key.
OpenBSD ships with applications using public key cryptography.
Because we are trying to make release CDROMs for the entire world, we
cannot put RSA onto the CD (yeah, major bummer). Instead, we've made
it so that the RSA patented code stays in a package containing some
shared libraries, and our installation software installs this package
from over the 'net.
Each package contains two shared libraries: libcrypto and libssl; just
like regular OpenSSL. People outside the USA can use these two
libraries, found in the "ssl26" package. Non-commercial entities in
the USA cannot -- because of the patent issue -- and for them we
provide the "sslUSA26" package. Commercial entities in the USA must
contact RSA for a licence, or wait till next September.
The "sslUSA26" package is OpenSSL, like the other package, but we have
removed the OpenSSL RSA code and replaced it with RSAREF2. This
permits the non-commercial use of "sslUSA26" inside the USA.
Commercial users who think they can use the RSA without a licence in
the USA should see a lawyer and a therapist.
Well, all this just really means that "sslUSA26" contains the problem
found by CORE-SDI.
AFFECTED PROGRAMS
----------------------------------------
The following built-in OpenBSD applications might be affected when they
are used with the USA version of libssl.
- openssh:
Even though the OpenSSH code checks all input parameters carefully,
internal RSAREF functions can still overflow. OpenSSH itself is not
vulnerable. However, users within the USA should update their
shared ssl library, because of other applications.
- isakmpd:
When used with x509 certificates and rsa signature mode,
the signature functions in RSAREF might overflow.
- httpd:
When SSL support is enabled in /etc/rc.conf using -DSSL, and
when using RSA keys, the signature functions in RSAREF might
overflow.
It isn't known yet if this problem is exploitable in any of these
programs.
PATCHES
----------------------------------------
You can find out which ssl libraries you are using by doing:
# pkg_info | grep ssl
WE REPEAT:
If you are using ssl26.tar.gz, you are are NOT AFFECTED.
(This crypto problem only burns Americans!)
If you are using sslUSA26.tar.gz, you want the replacement libraries:
1) Get the correct file for your architecture:
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/i386/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/sparc/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/hp300/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/mvme68k/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/mac68k/sslUSA26.tar.gz
ftp://ftp.usa.openbsd.org/pub/OpenBSD/2.6/amiga/sslUSA26.tar.gz
MD5 (amiga/sslUSA26.tar.gz) = 8e49697fb7ee60ef0d3cdbbaeb1ae2ef
MD5 (hp300/sslUSA26.tar.gz) = 8e49697fb7ee60ef0d3cdbbaeb1ae2ef
MD5 (i386/sslUSA26.tar.gz) = 77348327c5cc0f880991230fd0ccab50
MD5 (mac68k/sslUSA26.tar.gz) = 8e49697fb7ee60ef0d3cdbbaeb1ae2ef
MD5 (mvme68k/sslUSA26.tar.gz) = 8e49697fb7ee60ef0d3cdbbaeb1ae2ef
MD5 (sparc/sslUSA26.tar.gz) = e37f67c16b203ae47cdcb0a4bb451644
SHA1 (amiga/sslUSA26.tar.gz) = a9de4d792dfed893d9dcab2514013af3901e71f1
SHA1 (hp300/sslUSA26.tar.gz) = a9de4d792dfed893d9dcab2514013af3901e71f1
SHA1 (i386/sslUSA26.tar.gz) = b9adef041db6cfc91ad399668be9d03882f7e195
SHA1 (mac68k/sslUSA26.tar.gz) = a9de4d792dfed893d9dcab2514013af3901e71f1
SHA1 (mvme68k/sslUSA26.tar.gz) = a9de4d792dfed893d9dcab2514013af3901e71f1
SHA1 (sparc/sslUSA26.tar.gz) = c7f889ae74e22c82bb234a955c84aa38a18c7315
2) Install it by doing:
# pkg_delete sslUSA26
# pkg_add -v sslUSA26.tar.gz
Then restart any affected daemons.
If you have the new version, you will see the following:
# pkg_info sslUSA26
Information for sslUSA26:
Comment:
ssl26.1 USA-only non-commercial crypto libs incl. SSL & RSA
Description:
sslUSA26 libcrypto and libssl libraries that includes the
RSA algorithm from the RSAREF implementation.
*This version is for noncommercial use IN THE USA ONLY.*
This package contains patch#1, with the RSA bugfix. The
shared libraries are libcrypto.so.2.2 and libssl.so.2.2.
These two OpenBSD libraries (libssl and libcrypto, based on OpenSSL)
implement many cryptographic functions which are used by OpenBSD
programs like ssh, httpd, and isakmpd. Due to patent licensing
reasons, those libraries may not be included on the CD -- instead the
base distribution contains libraries which have had the troublesome
code removed -- the programs listed above will not be fully functional
as a result. Libraries which _include_ the troublesome routines are
in this package, and may be used as long as you meet the follow
(legal) criteria:
(1) Outside the USA, no restrictions apply. Use ssl26
(NOT this package)
(2) Inside the USA, non-commercial entities may the install
the sslUSA26 package which includes RSAREF (This package).
(3) Commercial entities in the USA are left in the cold, due to how
the licences work. (This is how the USA crypto export policy
feels to the rest of the world.)
#
----------------------------------------
Information on OpenBSD /
Information on OpenSSH http://www.OpenSSH.com/
Information on OpenSSL http://www.OpenSSL.org/
Information on cryptography export /images/tshirt-7b.jpg
¡®Yes, sir. I felt sure you understood that. She said she had told you.¡¯ "Why, eh,--I--I don't know that my movements need have anything to do with his. Yours, of course,--" "Ah, but if it saved your life!" "No, I'm not," grumbled the Doctor, "I've had enough of this wild-goose chase. And besides, it's nearly dinner time." "I am coming to that," Lawrence said, lighting a fresh cigarette. "As soon as Bruce was in trouble and the plot began to reel off I saw that it was mine. Of course there were large varyings in the details, but the scheme was mine. It was even laid on the same spot as my skeleton story. When I grasped that, I knew quite well that somebody must have stolen my plot." Judy In a coach-house, through which we passed on our way to see the prince's favourite horses with the state carriages¡ªquite commonplace and comfortable, and made at Palitana¡ªwas a chigram,[Pg 68] off which its silk cover was lifted; it was painted bright red and spangled with twinkling copper nails. This carriage, which is hermetically closed when the Ranee goes out in it, was lined with cloth-of-gold patterned with Gohel Sheri's initials within a horseshoe: a little hand-glass on one of the cushions, two boxes of chased silver, the curtains and hangings redolent of otto of roses. "Are you certain of it? You have seen so very little of him, and you may be mistaken." "And your wife?" "I drawed on my man's bundle o' wood," said Gid, "and then dropped a little, so's to git him where he was biggest and make sure o' him." HoME²¨¶àÒ°½áÒÂ×óÏßÊÓƵ
ENTER NUMBET 0016www.gyetgc.com.cn
www.lztpv.net.cn
www.hilltop.net.cn
oefciw.com.cn
www.sftcjs.com.cn
qxbxln.com.cn
shenyanyi.com.cn
vimily.com.cn
tplhtz.com.cn
www.uipc.com.cn