wok-4.x rev 12478 tip

Up openssl 1.1.1zb_p2
author Stanislas Leduc <shann@slitaz.org>
date Tue Apr 22 11:58:26 2025 +0000 (5 months ago)
parents e937cb65232c
children
files libcrypto-dev/receipt libcrypto/receipt libssl/receipt openssl-dev/receipt openssl/receipt openssl/stuff/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch openssl/stuff/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch openssl/stuff/0003-openssl-1.1.1za_CVE-2024-5535.patch openssl/stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch openssl/stuff/0005-openssl-1.1.1zb_p2_CVE_2024_13176.patch
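--- a/libcrypto-dev/receipt
+++ b/libcrypto-dev/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="libcrypto-dev"
-VERSION="1.1.1n"
+VERSION="1.1.1zb"
 CATEGORY="development"
 SHORT_DESC="General purpose cryptographic shared library devel files."
 MAINTAINER="pascal.bellard@slitaz.org"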
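--- a/libcrypto/receipt
+++ b/libcrypto/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="libcrypto"
-VERSION="1.1.1n"
+VERSION="1.1.1zb"
 CATEGORY="security"
 SHORT_DESC="General purpose cryptographic shared library."
 MAINTAINER="pascal.bellard@slitaz.org"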
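--- a/libssl/receipt
+++ b/libssl/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="libssl"
-VERSION="1.1.1n"
+VERSION="1.1.1zb"
 CATEGORY="development"
 SHORT_DESC="OpenSSL libraries."
 MAINTAINER="pascal.bellard@slitaz.org"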
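--- a/openssl-dev/receipt
+++ b/openssl-dev/receipt
@@ -1,7 +1,7 @@
 # SliTaz package receipt.
 
 PACKAGE="openssl-dev"
-VERSION="1.1.1n"
+VERSION="1.1.1zb"
 CATEGORY="development"
 SHORT_DESC="Open source Secure Sockets Layer devel files."
 MAINTAINER="pascal.bellard@slitaz.org"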
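--- a/openssl/receipt
+++ b/openssl/receipt
@@ -1,11 +1,12 @@
 # SliTaz package receipt.
 
 PACKAGE="openssl"
-VERSION="1.1.1n"
+VERSION="1.1.1zb"
+_realver="1.1.1w"
 CATEGORY="security"
 SHORT_DESC="Open source Secure Sockets Layer."
 MAINTAINER="pascal.bellard@slitaz.org"
-TARBALL="$PACKAGE-$VERSION.tar.gz"
+TARBALL="$PACKAGE-$_realver.tar.gz"
 WEB_SITE="http://www.openssl.org/"
 WGET_URL="http://www.openssl.org/source/$TARBALL"
 DEPENDS="libcrypto libssl"
@@ -20,8 +21,21 @@
 	# MAKEFLAGS make openssl build fail.
 	unset MAKEFLAGS
 
+	# Patches from slackware, big thanks to Pat, and Ken Zalewski
+
+	# Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
+	# were only available to subscribers to OpenSSL's premium extended support.
+	# These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
+	# Thanks to Ken Zalewski!
+	patch -p1 < $stuff/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch
+	patch -p1 < $stuff/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch
+	patch -p1 < $stuff/0003-openssl-1.1.1za_CVE-2024-5535.patch
+	patch -p1 < $stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch
+	patch -p1 < $stuff/0005-openssl-1.1.1zb_p2_CVE_2024_13176.patch
+
 	# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
 	# marked as not requiring an executable stack (compatibility improvement).
+	MACHINE=i686 \
 	./config --prefix=/usr --openssldir=/etc/ssl shared zlib enable-md2 \
 		no-ssl3-method -Wa,--noexecstack &&
 	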
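Review bot: The five `patch -p1 < $stuff/…` lines at 5.28–5.32 are neither chained with `&&` nor followed by `|| return 1`, so a patch that fails to apply (a rejected hunk after the next `_realver` bump, or a file missing from `$stuff`) lets the build continue on unpatched 1.1.1w with the CVE fixes silently dropped; replace them with `for p in $stuff/000[1-5]-*.patch; do patch -p1 < "$p" || return 1; done`, assuming cook honours compile_rules' exit status as it does for the `&&`-chained `./config` below. VERSION is set to `1.1.1zb` at 5.8 while the last patch and the commit title describe `1.1.1zb_p2`; pick one so the package version tracks the patch level actually applied. The tarball is still fetched over plain http (WGET_URL at 5.16 is unchanged context) — unless the wok verifies a checksum elsewhere, switch to https or pin a SHA-256, since this source now seeds a chain of hand-backported security patches. compile_rules() starts and ends outside this hunk.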
     6.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     6.2 +++ b/openssl/stuff/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch	Tue Apr 22 11:58:26 2025 +0000
     6.3 @@ -0,0 +1,294 @@
     6.4 +From 01ca0bbbe65215f6ae72bba7d63ea67fb53c4f9a Mon Sep 17 00:00:00 2001
     6.5 +From: Ken Zalewski <ken.zalewski@gmail.com>
     6.6 +Date: Sat, 13 Jul 2024 11:00:49 -0400
     6.7 +Subject: [PATCH] Patch to openssl-1.1.1x.  This version addresses two
     6.8 + vulnerabilities:  CVE-2023-5678 and CVE-2024-0727
     6.9 +
    6.10 +---
    6.11 + crypto/dh/dh_check.c        | 13 +++++++++++++
    6.12 + crypto/dh/dh_err.c          |  2 ++
    6.13 + crypto/dh/dh_key.c          | 10 ++++++++++
    6.14 + crypto/err/openssl.txt      |  2 ++
    6.15 + crypto/pkcs12/p12_add.c     | 18 ++++++++++++++++++
    6.16 + crypto/pkcs12/p12_mutl.c    |  5 +++++
    6.17 + crypto/pkcs12/p12_npas.c    |  5 +++--
    6.18 + crypto/pkcs12/pk12err.c     |  2 ++
    6.19 + crypto/pkcs7/pk7_mime.c     |  9 +++++++--
    6.20 + include/openssl/dh.h        |  6 ++++--
    6.21 + include/openssl/dherr.h     |  2 ++
    6.22 + include/openssl/opensslv.h  |  4 ++--
    6.23 + include/openssl/pkcs12err.h |  1 +
    6.24 + 13 files changed, 71 insertions(+), 8 deletions(-)
    6.25 +
    6.26 +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
    6.27 +index ae1b03b..40dfc57 100644
    6.28 +--- a/crypto/dh/dh_check.c
    6.29 ++++ b/crypto/dh/dh_check.c
    6.30 +@@ -198,6 +198,19 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
    6.31 +     BN_CTX *ctx = NULL;
    6.32 + 
    6.33 +     *ret = 0;
    6.34 ++
    6.35 ++    /* Don't do any checks at all with an excessively large modulus */
    6.36 ++    if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
    6.37 ++        DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE);
    6.38 ++        *ret = DH_CHECK_P_NOT_PRIME | DH_CHECK_PUBKEY_INVALID;
    6.39 ++        return 0;
    6.40 ++    }
    6.41 ++
    6.42 ++    if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) {
    6.43 ++        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
    6.44 ++        return 1;
    6.45 ++    }
    6.46 ++
    6.47 +     ctx = BN_CTX_new();
    6.48 +     if (ctx == NULL)
    6.49 +         goto err;
    6.50 +diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
    6.51 +index 92800d3..048ba66 100644
    6.52 +--- a/crypto/dh/dh_err.c
    6.53 ++++ b/crypto/dh/dh_err.c
    6.54 +@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_functs[] = {
    6.55 +     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"},
    6.56 +     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"},
    6.57 +     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"},
    6.58 ++    {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"},
    6.59 +     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"},
    6.60 +     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"},
    6.61 +     {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"},
    6.62 +@@ -82,6 +83,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
    6.63 +     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
    6.64 +     "parameter encoding error"},
    6.65 +     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
    6.66 ++    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
    6.67 +     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
    6.68 +     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
    6.69 +     "unable to check generator"},
    6.70 +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
    6.71 +index 117f2fa..9f5e6f6 100644
    6.72 +--- a/crypto/dh/dh_key.c
    6.73 ++++ b/crypto/dh/dh_key.c
    6.74 +@@ -114,6 +114,11 @@ static int generate_key(DH *dh)
    6.75 +         return 0;
    6.76 +     }
    6.77 + 
    6.78 ++    if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
    6.79 ++        DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE);
    6.80 ++        return 0;
    6.81 ++    }
    6.82 ++
    6.83 +     ctx = BN_CTX_new();
    6.84 +     if (ctx == NULL)
    6.85 +         goto err;
    6.86 +@@ -207,6 +212,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
    6.87 +         goto err;
    6.88 +     }
    6.89 + 
    6.90 ++    if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) {
    6.91 ++        DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE);
    6.92 ++        goto err;
    6.93 ++    }
    6.94 ++
    6.95 +     ctx = BN_CTX_new();
    6.96 +     if (ctx == NULL)
    6.97 +         goto err;
    6.98 +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
    6.99 +index c0a3cd7..ec3823e 100644
   6.100 +--- a/crypto/err/openssl.txt
   6.101 ++++ b/crypto/err/openssl.txt
   6.102 +@@ -969,6 +969,7 @@ PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_setup_mac
   6.103 + PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac
   6.104 + PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes
   6.105 + PKCS12_F_PKCS12_UNPACK_P7DATA:131:PKCS12_unpack_p7data
   6.106 ++PKCS12_F_PKCS12_UNPACK_P7ENCDATA:134:PKCS12_unpack_p7encdata
   6.107 + PKCS12_F_PKCS12_VERIFY_MAC:126:PKCS12_verify_mac
   6.108 + PKCS12_F_PKCS8_ENCRYPT:125:PKCS8_encrypt
   6.109 + PKCS12_F_PKCS8_SET0_PBE:132:PKCS8_set0_pbe
   6.110 +@@ -2106,6 +2107,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
   6.111 + DH_R_NO_PRIVATE_VALUE:100:no private value
   6.112 + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
   6.113 + DH_R_PEER_KEY_ERROR:111:peer key error
   6.114 ++DH_R_Q_TOO_LARGE:130:q too large
   6.115 + DH_R_SHARED_INFO_ERROR:113:shared info error
   6.116 + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
   6.117 + DSA_R_BAD_Q_VALUE:102:bad q value
   6.118 +diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
   6.119 +index af184c8..6549691 100644
   6.120 +--- a/crypto/pkcs12/p12_add.c
   6.121 ++++ b/crypto/pkcs12/p12_add.c
   6.122 +@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
   6.123 +                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
   6.124 +         return NULL;
   6.125 +     }
   6.126 ++
   6.127 ++    if (p7->d.data == NULL) {
   6.128 ++        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR);
   6.129 ++        return NULL;
   6.130 ++    }
   6.131 ++
   6.132 +     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
   6.133 + }
   6.134 + 
   6.135 +@@ -132,6 +138,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
   6.136 + {
   6.137 +     if (!PKCS7_type_is_encrypted(p7))
   6.138 +         return NULL;
   6.139 ++
   6.140 ++    if (p7->d.encrypted == NULL) {
   6.141 ++        PKCS12err(PKCS12_F_PKCS12_UNPACK_P7ENCDATA, PKCS12_R_DECODE_ERROR);
   6.142 ++        return NULL;
   6.143 ++    }
   6.144 ++
   6.145 +     return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm,
   6.146 +                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
   6.147 +                                    pass, passlen,
   6.148 +@@ -159,6 +171,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
   6.149 +                   PKCS12_R_CONTENT_TYPE_NOT_DATA);
   6.150 +         return NULL;
   6.151 +     }
   6.152 ++
   6.153 ++    if (p12->authsafes->d.data == NULL) {
   6.154 ++        PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR);
   6.155 ++        return NULL;
   6.156 ++    }
   6.157 ++
   6.158 +     return ASN1_item_unpack(p12->authsafes->d.data,
   6.159 +                             ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
   6.160 + }
   6.161 +diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
   6.162 +index 3658003..766c9c1 100644
   6.163 +--- a/crypto/pkcs12/p12_mutl.c
   6.164 ++++ b/crypto/pkcs12/p12_mutl.c
   6.165 +@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
   6.166 +         return 0;
   6.167 +     }
   6.168 + 
   6.169 ++    if (p12->authsafes->d.data == NULL) {
   6.170 ++        PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR);
   6.171 ++        return 0;
   6.172 ++    }
   6.173 ++
   6.174 +     salt = p12->mac->salt->data;
   6.175 +     saltlen = p12->mac->salt->length;
   6.176 +     if (!p12->mac->iter)
   6.177 +diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
   6.178 +index 0334289..1303376 100644
   6.179 +--- a/crypto/pkcs12/p12_npas.c
   6.180 ++++ b/crypto/pkcs12/p12_npas.c
   6.181 +@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
   6.182 +             bags = PKCS12_unpack_p7data(p7);
   6.183 +         } else if (bagnid == NID_pkcs7_encrypted) {
   6.184 +             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
   6.185 +-            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
   6.186 +-                         &pbe_nid, &pbe_iter, &pbe_saltlen))
   6.187 ++            if (p7->d.encrypted == NULL
   6.188 ++                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
   6.189 ++                                &pbe_nid, &pbe_iter, &pbe_saltlen))
   6.190 +                 goto err;
   6.191 +         } else {
   6.192 +             continue;
   6.193 +diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
   6.194 +index 38ce519..3eb7f2f 100644
   6.195 +--- a/crypto/pkcs12/pk12err.c
   6.196 ++++ b/crypto/pkcs12/pk12err.c
   6.197 +@@ -58,6 +58,8 @@ static const ERR_STRING_DATA PKCS12_str_functs[] = {
   6.198 +      "PKCS12_unpack_authsafes"},
   6.199 +     {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7DATA, 0),
   6.200 +      "PKCS12_unpack_p7data"},
   6.201 ++    {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7ENCDATA, 0),
   6.202 ++     "PKCS12_unpack_p7encdata"},
   6.203 +     {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_VERIFY_MAC, 0),
   6.204 +      "PKCS12_verify_mac"},
   6.205 +     {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS8_ENCRYPT, 0), "PKCS8_encrypt"},
   6.206 +diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
   6.207 +index 19e6868..635af10 100644
   6.208 +--- a/crypto/pkcs7/pk7_mime.c
   6.209 ++++ b/crypto/pkcs7/pk7_mime.c
   6.210 +@@ -30,10 +30,15 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
   6.211 + {
   6.212 +     STACK_OF(X509_ALGOR) *mdalgs;
   6.213 +     int ctype_nid = OBJ_obj2nid(p7->type);
   6.214 +-    if (ctype_nid == NID_pkcs7_signed)
   6.215 ++    if (ctype_nid == NID_pkcs7_signed) {
   6.216 ++        if (p7->d.sign == NULL) {
   6.217 ++            return 0;
   6.218 ++        }
   6.219 +         mdalgs = p7->d.sign->md_algs;
   6.220 +-    else
   6.221 ++    }
   6.222 ++    else {
   6.223 +         mdalgs = NULL;
   6.224 ++    }
   6.225 + 
   6.226 +     flags ^= SMIME_OLDMIME;
   6.227 + 
   6.228 +diff --git a/include/openssl/dh.h b/include/openssl/dh.h
   6.229 +index 6c6ff36..d2a9c0d 100644
   6.230 +--- a/include/openssl/dh.h
   6.231 ++++ b/include/openssl/dh.h
   6.232 +@@ -71,14 +71,16 @@ DECLARE_ASN1_ITEM(DHparams)
   6.233 + /* #define DH_GENERATOR_3       3 */
   6.234 + # define DH_GENERATOR_5          5
   6.235 + 
   6.236 +-/* DH_check error codes */
   6.237 ++/* DH_check error codes, some of them shared with DH_check_pub_key */
   6.238 + # define DH_CHECK_P_NOT_PRIME            0x01
   6.239 + # define DH_CHECK_P_NOT_SAFE_PRIME       0x02
   6.240 + # define DH_UNABLE_TO_CHECK_GENERATOR    0x04
   6.241 + # define DH_NOT_SUITABLE_GENERATOR       0x08
   6.242 + # define DH_CHECK_Q_NOT_PRIME            0x10
   6.243 +-# define DH_CHECK_INVALID_Q_VALUE        0x20
   6.244 ++# define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
   6.245 + # define DH_CHECK_INVALID_J_VALUE        0x40
   6.246 ++# define DH_MODULUS_TOO_SMALL            0x80
   6.247 ++# define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
   6.248 + 
   6.249 + /* DH_check_pub_key error codes */
   6.250 + # define DH_CHECK_PUBKEY_TOO_SMALL       0x01
   6.251 +diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
   6.252 +index 528c819..a98bb1e 100644
   6.253 +--- a/include/openssl/dherr.h
   6.254 ++++ b/include/openssl/dherr.h
   6.255 +@@ -33,6 +33,7 @@ int ERR_load_DH_strings(void);
   6.256 + #  define DH_F_DH_CHECK                                    126
   6.257 + #  define DH_F_DH_CHECK_EX                                 121
   6.258 + #  define DH_F_DH_CHECK_PARAMS_EX                          122
   6.259 ++#  define DH_F_DH_CHECK_PUB_KEY                            127
   6.260 + #  define DH_F_DH_CHECK_PUB_KEY_EX                         123
   6.261 + #  define DH_F_DH_CMS_DECRYPT                              114
   6.262 + #  define DH_F_DH_CMS_SET_PEERKEY                          115
   6.263 +@@ -82,6 +83,7 @@ int ERR_load_DH_strings(void);
   6.264 + #  define DH_R_NO_PRIVATE_VALUE                            100
   6.265 + #  define DH_R_PARAMETER_ENCODING_ERROR                    105
   6.266 + #  define DH_R_PEER_KEY_ERROR                              111
   6.267 ++#  define DH_R_Q_TOO_LARGE                                 130
   6.268 + #  define DH_R_SHARED_INFO_ERROR                           113
   6.269 + #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
   6.270 + 
   6.271 +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
   6.272 +index 5667d47..c16eafd 100644
   6.273 +--- a/include/openssl/opensslv.h
   6.274 ++++ b/include/openssl/opensslv.h
   6.275 +@@ -39,8 +39,8 @@ extern "C" {
   6.276 +  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
   6.277 +  *  major minor fix final patch/beta)
   6.278 +  */
   6.279 +-# define OPENSSL_VERSION_NUMBER  0x1010117fL
   6.280 +-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1w  11 Sep 2023"
   6.281 ++# define OPENSSL_VERSION_NUMBER  0x1010118fL
   6.282 ++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1x  25 Jan 2024"
   6.283 + 
   6.284 + /*-
   6.285 +  * The macros below are to be used for shared library (.so, .dll, ...)
   6.286 +diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h
   6.287 +index eff5eb2..0d2f15a 100644
   6.288 +--- a/include/openssl/pkcs12err.h
   6.289 ++++ b/include/openssl/pkcs12err.h
   6.290 +@@ -49,6 +49,7 @@ int ERR_load_PKCS12_strings(void);
   6.291 + # define PKCS12_F_PKCS12_SET_MAC                          123
   6.292 + # define PKCS12_F_PKCS12_UNPACK_AUTHSAFES                 130
   6.293 + # define PKCS12_F_PKCS12_UNPACK_P7DATA                    131
   6.294 ++# define PKCS12_F_PKCS12_UNPACK_P7ENCDATA                 134
   6.295 + # define PKCS12_F_PKCS12_VERIFY_MAC                       126
   6.296 + # define PKCS12_F_PKCS8_ENCRYPT                           125
   6.297 + # define PKCS12_F_PKCS8_SET0_PBE                          132
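Review bot: The new DH_check_pub_key guard at 6.128–6.131 uses `OPENSSL_DH_CHECK_MAX_MODULUS_BITS` and `DH_R_MODULUS_TOO_LARGE`, neither of which this patch defines (dherr.h only gains `DH_F_DH_CHECK_PUB_KEY` and `DH_R_Q_TOO_LARGE` at 6.259 and 6.267), so it compiles only if the 1.1.1w base already carries them from the earlier DH_check fixes — presumably it does, but confirm once, because a failed patch or compile here is not made fatal by the receipt. The dh.h hunk at 6.246–6.247 adds `DH_MODULUS_TOO_SMALL 0x80` and `DH_MODULUS_TOO_LARGE 0x100` as brand-new lines; if either already exists in the base header the hunk applies only with fuzz, which is another reason to make patch failures stop the build. Separately, opensslv.h is rewritten at 6.281–6.282 to report `OpenSSL 1.1.1x  25 Jan 2024`, a version string that only OpenSSL's paid extended-support release carried; consider a distro marker such as `"OpenSSL 1.1.1x-slitaz  25 Jan 2024"` so `openssl version` output and SBOM/vulnerability scanners do not mistake a community backport for the vendor release.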
     7.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     7.2 +++ b/openssl/stuff/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch	Tue Apr 22 11:58:26 2025 +0000
     7.3 @@ -0,0 +1,183 @@
     7.4 +From 4e975e3aec06165e760953f6c51a795f3dcfd1a0 Mon Sep 17 00:00:00 2001
     7.5 +From: Ken Zalewski <ken.zalewski@gmail.com>
     7.6 +Date: Sat, 13 Jul 2024 12:02:52 -0400
     7.7 +Subject: [PATCH] Patch to openssl-1.1.1y.  This version addresses two
     7.8 + vulnerabilities:  CVE-2024-2511 and CVE-2024-4741
     7.9 +
    7.10 +---
    7.11 + include/openssl/opensslv.h |  4 ++--
    7.12 + include/openssl/ssl.h      |  2 +-
    7.13 + ssl/record/rec_layer_s3.c  |  9 +++++++++
    7.14 + ssl/record/record.h        |  1 +
    7.15 + ssl/ssl_lib.c              |  8 ++++++--
    7.16 + ssl/ssl_local.h            |  2 +-
    7.17 + ssl/ssl_sess.c             | 28 ++++++++++++++++++++++------
    7.18 + ssl/statem/statem_srvr.c   |  5 ++---
    7.19 + 8 files changed, 44 insertions(+), 15 deletions(-)
    7.20 +
    7.21 +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
    7.22 +index c16eafd..585109a 100644
    7.23 +--- a/include/openssl/opensslv.h
    7.24 ++++ b/include/openssl/opensslv.h
    7.25 +@@ -39,8 +39,8 @@ extern "C" {
    7.26 +  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
    7.27 +  *  major minor fix final patch/beta)
    7.28 +  */
    7.29 +-# define OPENSSL_VERSION_NUMBER  0x1010118fL
    7.30 +-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1x  25 Jan 2024"
    7.31 ++# define OPENSSL_VERSION_NUMBER  0x1010119fL
    7.32 ++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1y  27 May 2024"
    7.33 + 
    7.34 + /*-
    7.35 +  * The macros below are to be used for shared library (.so, .dll, ...)
    7.36 +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
    7.37 +index 9af0c89..64eaca3 100644
    7.38 +--- a/include/openssl/ssl.h
    7.39 ++++ b/include/openssl/ssl.h
    7.40 +@@ -1659,7 +1659,7 @@ __owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid,
    7.41 + __owur int SSL_SESSION_is_resumable(const SSL_SESSION *s);
    7.42 + 
    7.43 + __owur SSL_SESSION *SSL_SESSION_new(void);
    7.44 +-__owur SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src);
    7.45 ++__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src);
    7.46 + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s,
    7.47 +                                         unsigned int *len);
    7.48 + const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s,
    7.49 +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
    7.50 +index 1db1712..525c3ab 100644
    7.51 +--- a/ssl/record/rec_layer_s3.c
    7.52 ++++ b/ssl/record/rec_layer_s3.c
    7.53 +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl)
    7.54 +     return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
    7.55 + }
    7.56 + 
    7.57 ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
    7.58 ++{
    7.59 ++    if (rl->rstate == SSL_ST_READ_BODY)
    7.60 ++        return 1;
    7.61 ++    if (RECORD_LAYER_processed_read_pending(rl))
    7.62 ++        return 1;
    7.63 ++    return 0;
    7.64 ++}
    7.65 ++
    7.66 + /* Checks if we have decrypted unread record data pending */
    7.67 + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
    7.68 + {
    7.69 +diff --git a/ssl/record/record.h b/ssl/record/record.h
    7.70 +index af56206..513ab39 100644
    7.71 +--- a/ssl/record/record.h
    7.72 ++++ b/ssl/record/record.h
    7.73 +@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl);
    7.74 + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
    7.75 + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
    7.76 + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
    7.77 ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
    7.78 + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
    7.79 + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
    7.80 + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
    7.81 +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
    7.82 +index 47adc32..356d65c 100644
    7.83 +--- a/ssl/ssl_lib.c
    7.84 ++++ b/ssl/ssl_lib.c
    7.85 +@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode)
    7.86 + 
    7.87 +     /*
    7.88 +      * If the session_id_length is 0, we are not supposed to cache it, and it
    7.89 +-     * would be rather hard to do anyway :-)
    7.90 ++     * would be rather hard to do anyway :-). Also if the session has already
    7.91 ++     * been marked as not_resumable we should not cache it for later reuse.
    7.92 +      */
    7.93 +-    if (s->session->session_id_length == 0)
    7.94 ++    if (s->session->session_id_length == 0 || s->session->not_resumable)
    7.95 +         return;
    7.96 + 
    7.97 +     /*
    7.98 +@@ -5247,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
    7.99 +     if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
   7.100 +         return 0;
   7.101 + 
   7.102 ++    if (RECORD_LAYER_data_present(rl))
   7.103 ++        return 0;
   7.104 ++
   7.105 +     RECORD_LAYER_release(rl);
   7.106 +     return 1;
   7.107 + }
   7.108 +diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
   7.109 +index 5c79215..5e73fa4 100644
   7.110 +--- a/ssl/ssl_local.h
   7.111 ++++ b/ssl/ssl_local.h
   7.112 +@@ -2261,7 +2261,7 @@ __owur int ssl_get_new_session(SSL *s, int session);
   7.113 + __owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
   7.114 +                                          size_t sess_id_len);
   7.115 + __owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello);
   7.116 +-__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket);
   7.117 ++__owur SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket);
   7.118 + __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b);
   7.119 + DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
   7.120 + __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap,
   7.121 +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
   7.122 +index 68d1737..2b27a47 100644
   7.123 +--- a/ssl/ssl_sess.c
   7.124 ++++ b/ssl/ssl_sess.c
   7.125 +@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
   7.126 +     return ss;
   7.127 + }
   7.128 + 
   7.129 +-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
   7.130 +-{
   7.131 +-    return ssl_session_dup(src, 1);
   7.132 +-}
   7.133 +-
   7.134 + /*
   7.135 +  * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
   7.136 +  * ticket == 0 then no ticket information is duplicated, otherwise it is.
   7.137 +  */
   7.138 +-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
   7.139 ++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
   7.140 + {
   7.141 +     SSL_SESSION *dest;
   7.142 + 
   7.143 +@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
   7.144 +     return NULL;
   7.145 + }
   7.146 + 
   7.147 ++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
   7.148 ++{
   7.149 ++    return ssl_session_dup_intern(src, 1);
   7.150 ++}
   7.151 ++
   7.152 ++/*
   7.153 ++ * Used internally when duplicating a session which might be already shared.
   7.154 ++ * We will have resumed the original session. Subsequently we might have marked
   7.155 ++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
   7.156 ++ * resume from.
   7.157 ++ */
   7.158 ++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
   7.159 ++{
   7.160 ++    SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
   7.161 ++
   7.162 ++    if (sess != NULL)
   7.163 ++        sess->not_resumable = 0;
   7.164 ++
   7.165 ++    return sess;
   7.166 ++}
   7.167 ++
   7.168 + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
   7.169 + {
   7.170 +     if (len)
   7.171 +diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
   7.172 +index 43f77a5..2f6ce8f 100644
   7.173 +--- a/ssl/statem/statem_srvr.c
   7.174 ++++ b/ssl/statem/statem_srvr.c
   7.175 +@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
   7.176 +      * so the following won't overwrite an ID that we're supposed
   7.177 +      * to send back.
   7.178 +      */
   7.179 +-    if (s->session->not_resumable ||
   7.180 +-        (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
   7.181 +-         && !s->hit))
   7.182 ++    if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
   7.183 ++         && !s->hit)
   7.184 +         s->session->session_id_length = 0;
   7.185 + 
   7.186 +     if (usetls13) {
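Review bot: Dropping `s->session->not_resumable ||` at 7.179–7.183 is only safe because 7.94 now makes ssl_update_cache() skip sessions flagged not_resumable; the two halves of the CVE-2024-2511 fix live in different files and nothing at the statem_srvr.c site says so, so a later cleanup could re-add the condition or remove the cache check independently. Add above the `if` at 7.182: `/* not_resumable sessions are kept out of the cache by ssl_update_cache(); the id no longer needs clearing here (CVE-2024-2511) */`. The `SSL_SESSION_dup` prototype change to `const SSL_SESSION *` at 7.45 is source- and ABI-compatible for ordinary callers but changes the function's type for code that stores it in a function pointer; worth a line in the package notes. tls_construct_server_hello() continues outside the hunk.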
     8.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     8.2 +++ b/openssl/stuff/0003-openssl-1.1.1za_CVE-2024-5535.patch	Tue Apr 22 11:58:26 2025 +0000
     8.3 @@ -0,0 +1,108 @@
     8.4 +From 72f5c8e48a09ab09dae91c869e53e3d0c75ef921 Mon Sep 17 00:00:00 2001
     8.5 +From: Ken Zalewski <ken.zalewski@gmail.com>
     8.6 +Date: Sat, 13 Jul 2024 12:19:50 -0400
     8.7 +Subject: [PATCH] Patch to openssl-1.1.1za.  This version addresses one
     8.8 + vulnerability:  CVE-2024-5535
     8.9 +
    8.10 +---
    8.11 + include/openssl/opensslv.h |  4 +--
    8.12 + ssl/ssl_lib.c              | 63 ++++++++++++++++++++++++--------------
    8.13 + 2 files changed, 42 insertions(+), 25 deletions(-)
    8.14 +
    8.15 +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
    8.16 +index 585109a..a1a5d07 100644
    8.17 +--- a/include/openssl/opensslv.h
    8.18 ++++ b/include/openssl/opensslv.h
    8.19 +@@ -39,8 +39,8 @@ extern "C" {
    8.20 +  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
    8.21 +  *  major minor fix final patch/beta)
    8.22 +  */
    8.23 +-# define OPENSSL_VERSION_NUMBER  0x1010119fL
    8.24 +-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1y  27 May 2024"
    8.25 ++# define OPENSSL_VERSION_NUMBER  0x101011afL
    8.26 ++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1za  26 Jun 2024"
    8.27 + 
    8.28 + /*-
    8.29 +  * The macros below are to be used for shared library (.so, .dll, ...)
    8.30 +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
    8.31 +index 356d65c..ccb1d4a 100644
    8.32 +--- a/ssl/ssl_lib.c
    8.33 ++++ b/ssl/ssl_lib.c
    8.34 +@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
    8.35 +                           unsigned int server_len,
    8.36 +                           const unsigned char *client, unsigned int client_len)
    8.37 + {
    8.38 +-    unsigned int i, j;
    8.39 +-    const unsigned char *result;
    8.40 +-    int status = OPENSSL_NPN_UNSUPPORTED;
    8.41 ++    PACKET cpkt, csubpkt, spkt, ssubpkt;
    8.42 ++
    8.43 ++    if (!PACKET_buf_init(&cpkt, client, client_len)
    8.44 ++            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
    8.45 ++            || PACKET_remaining(&csubpkt) == 0) {
    8.46 ++        *out = NULL;
    8.47 ++        *outlen = 0;
    8.48 ++        return OPENSSL_NPN_NO_OVERLAP;
    8.49 ++    }
    8.50 ++
    8.51 ++    /*
    8.52 ++     * Set the default opportunistic protocol. Will be overwritten if we find
    8.53 ++     * a match.
    8.54 ++     */
    8.55 ++    *out = (unsigned char *)PACKET_data(&csubpkt);
    8.56 ++    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
    8.57 + 
    8.58 +     /*
    8.59 +      * For each protocol in server preference order, see if we support it.
    8.60 +      */
    8.61 +-    for (i = 0; i < server_len;) {
    8.62 +-        for (j = 0; j < client_len;) {
    8.63 +-            if (server[i] == client[j] &&
    8.64 +-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
    8.65 +-                /* We found a match */
    8.66 +-                result = &server[i];
    8.67 +-                status = OPENSSL_NPN_NEGOTIATED;
    8.68 +-                goto found;
    8.69 ++    if (PACKET_buf_init(&spkt, server, server_len)) {
    8.70 ++        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
    8.71 ++            if (PACKET_remaining(&ssubpkt) == 0)
    8.72 ++                continue; /* Invalid - ignore it */
    8.73 ++            if (PACKET_buf_init(&cpkt, client, client_len)) {
    8.74 ++                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
    8.75 ++                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
    8.76 ++                                     PACKET_remaining(&ssubpkt))) {
    8.77 ++                        /* We found a match */
    8.78 ++                        *out = (unsigned char *)PACKET_data(&ssubpkt);
    8.79 ++                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
    8.80 ++                        return OPENSSL_NPN_NEGOTIATED;
    8.81 ++                    }
    8.82 ++                }
    8.83 ++                /* Ignore spurious trailing bytes in the client list */
    8.84 ++            } else {
    8.85 ++                /* This should never happen */
    8.86 ++                return OPENSSL_NPN_NO_OVERLAP;
    8.87 +             }
    8.88 +-            j += client[j];
    8.89 +-            j++;
    8.90 +         }
    8.91 +-        i += server[i];
    8.92 +-        i++;
    8.93 ++        /* Ignore spurious trailing bytes in the server list */
    8.94 +     }
    8.95 + 
    8.96 +-    /* There's no overlap between our protocols and the server's list. */
    8.97 +-    result = client;
    8.98 +-    status = OPENSSL_NPN_NO_OVERLAP;
    8.99 +-
   8.100 +- found:
   8.101 +-    *out = (unsigned char *)result + 1;
   8.102 +-    *outlen = result[0];
   8.103 +-    return status;
   8.104 ++    /*
   8.105 ++     * There's no overlap between our protocols and the server's list. We use
   8.106 ++     * the default opportunistic protocol selected earlier
   8.107 ++     */
   8.108 ++    return OPENSSL_NPN_NO_OVERLAP;
   8.109 + }
   8.110 + 
   8.111 + #ifndef OPENSSL_NO_NEXTPROTONEG
     9.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
     9.2 +++ b/openssl/stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch	Tue Apr 22 11:58:26 2025 +0000
     9.3 @@ -0,0 +1,345 @@
     9.4 +From 9ad69b994ae7c73ba06d9f75efd2625102de814c Mon Sep 17 00:00:00 2001
     9.5 +From: Ken Zalewski <ken.zalewski@gmail.com>
     9.6 +Date: Mon, 21 Oct 2024 16:24:47 -0400
     9.7 +Subject: [PATCH] Patch to openssl-1.1.1zb.  This version addresses one
     9.8 + vulnerability:  CVE-2024-9143
     9.9 +
    9.10 +---
    9.11 + CHANGES                    | 134 +++++++++++++++++++++++++++++++++++++
    9.12 + NEWS                       |  18 +++++
    9.13 + README                     |   2 +-
    9.14 + crypto/bn/bn_gf2m.c        |  28 +++++---
    9.15 + include/openssl/opensslv.h |   4 +-
    9.16 + test/ec_internal_test.c    |  51 ++++++++++++++
    9.17 + 6 files changed, 226 insertions(+), 11 deletions(-)
    9.18 +
    9.19 +diff --git a/CHANGES b/CHANGES
    9.20 +index c440948..7d82f7a 100644
    9.21 +--- a/CHANGES
    9.22 ++++ b/CHANGES
    9.23 +@@ -7,6 +7,140 @@
    9.24 +  https://github.com/openssl/openssl/commits/ and pick the appropriate
    9.25 +  release branch.
    9.26 + 
    9.27 ++ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
    9.28 ++
    9.29 ++ *) Harden BN_GF2m_poly2arr against misuse
    9.30 ++
    9.31 ++    The BN_GF2m_poly2arr() function converts characteristic-2 field
    9.32 ++    (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
    9.33 ++    to a compact array with just the exponents of the non-zero terms.
    9.34 ++
    9.35 ++    These polynomials are then used in BN_GF2m_mod_arr() to perform modular
    9.36 ++    reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
    9.37 ++    polynomial must have a non-zero constant term (i.e. the array has `0` as
    9.38 ++    its final element).
    9.39 ++
    9.40 ++    Internally, callers of BN_GF2m_poly2arr() did not verify that
    9.41 ++    precondition, and binary EC curve parameters with an invalid polynomial
    9.42 ++    could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
    9.43 ++
    9.44 ++    The precondition is always true for polynomials that arise from the
    9.45 ++    standard form of EC parameters for characteristic-two fields (X9.62).
    9.46 ++    See the "Finite Field Identification" section of:
    9.47 ++
    9.48 ++    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
    9.49 ++
    9.50 ++    The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
    9.51 ++    basis X9.62 forms.
    9.52 ++
    9.53 ++    This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
    9.54 ++    the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
    9.55 ++
    9.56 ++    Additionally, the return value is made unambiguous when there is not
    9.57 ++    enough space to also pad the array with a final `-1` sentinel value.
    9.58 ++    The return value is now always the number of elements (including the
    9.59 ++    final `-1`) that would be filled when the output array is sufficiently
    9.60 ++    large.  Previously the same count was returned both when the array has
    9.61 ++    just enough room for the final `-1` and when it had only enough space
    9.62 ++    for non-sentinel values.
    9.63 ++
    9.64 ++    Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
    9.65 ++    degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
    9.66 ++    CPU exhausition attacks via excessively large inputs.
    9.67 ++
    9.68 ++    The above issues do not arise in processing X.509 certificates.  These
    9.69 ++    generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
    9.70 ++    disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
    9.71 ++    constraint only after the certificate is decoded, but, even if explicit
    9.72 ++    parameters are specified, they are in X9.62 form, which cannot represent
    9.73 ++    problem values as noted above.
    9.74 ++
    9.75 ++    (CVE-2024-9143)
    9.76 ++    [Viktor Dukhovni]
    9.77 ++
    9.78 ++
    9.79 ++ Changes between 1.1.1y and 1.1.1za [26 Jun 2024]
    9.80 ++
    9.81 ++ *) Fix SSL_select_next_proto
    9.82 ++
    9.83 ++    Ensure that the provided client list is non-NULL and starts with a valid
    9.84 ++    entry. When called from the ALPN callback the client list should already
    9.85 ++    have been validated by OpenSSL so this should not cause a problem. When
    9.86 ++    called from the NPN callback the client list is locally configured and
    9.87 ++    will not have already been validated. Therefore SSL_select_next_proto
    9.88 ++    should not assume that it is correctly formatted.
    9.89 ++
    9.90 ++    We implement stricter checking of the client protocol list. We also do the
    9.91 ++    same for the server list while we are about it.
    9.92 ++
    9.93 ++    (CVE-2024-5535)
    9.94 ++    [Matt Caswell]
    9.95 ++
    9.96 ++
    9.97 ++ Changes between 1.1.1x and 1.1.1y [27 May 2024]
    9.98 ++
    9.99 ++ *) Only free the read buffers if we're not using them
   9.100 ++
   9.101 ++    If we're part way through processing a record, or the application has
   9.102 ++    not released all the records then we should not free our buffer because
   9.103 ++    they are still needed.
   9.104 ++
   9.105 ++    (CVE-2024-4741)
   9.106 ++    [Matt Caswell]
   9.107 ++    [Watson Ladd]
   9.108 ++
   9.109 ++ *) Fix unconstrained session cache growth in TLSv1.3
   9.110 ++
   9.111 ++    In TLSv1.3 we create a new session object for each ticket that we send.
   9.112 ++    We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
   9.113 ++    use then the new session will be added to the session cache. However, if
   9.114 ++    early data is not in use (and therefore anti-replay protection is being
   9.115 ++    used), then multiple threads could be resuming from the same session
   9.116 ++    simultaneously. If this happens and a problem occurs on one of the threads,
   9.117 ++    then the original session object could be marked as not_resumable. When we
   9.118 ++    duplicate the session object this not_resumable status gets copied into the
   9.119 ++    new session object. The new session object is then added to the session
   9.120 ++    cache even though it is not_resumable.
   9.121 ++
   9.122 ++    Subsequently, another bug means that the session_id_length is set to 0 for
   9.123 ++    sessions that are marked as not_resumable - even though that session is
   9.124 ++    still in the cache. Once this happens the session can never be removed from
   9.125 ++    the cache. When that object gets to be the session cache tail object the
   9.126 ++    cache never shrinks again and grows indefinitely.
   9.127 ++
   9.128 ++    (CVE-2024-2511)
   9.129 ++    [Matt Caswell]
   9.130 ++
   9.131 ++
   9.132 ++ Changes between 1.1.1w and 1.1.1x [25 Jan 2024]
   9.133 ++
   9.134 ++ *) Add NULL checks where ContentInfo data can be NULL
   9.135 ++
   9.136 ++    PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
   9.137 ++    optional and can be NULL even if the "type" is a valid value. OpenSSL
   9.138 ++    was not properly accounting for this and a NULL dereference can occur
   9.139 ++    causing a crash.
   9.140 ++
   9.141 ++    (CVE-2024-0727)
   9.142 ++    [Matt Caswell]
   9.143 ++
   9.144 ++ *) Make DH_check_pub_key() and DH_generate_key() safer yet
   9.145 ++
   9.146 ++    We already check for an excessively large P in DH_generate_key(), but not in
   9.147 ++    DH_check_pub_key(), and none of them check for an excessively large Q.
   9.148 ++
   9.149 ++    This change adds all the missing excessive size checks of P and Q.
   9.150 ++
   9.151 ++    It's to be noted that behaviours surrounding excessively sized P and Q
   9.152 ++    differ.  DH_check() raises an error on the excessively sized P, but only
   9.153 ++    sets a flag for the excessively sized Q.  This behaviour is mimicked in
   9.154 ++    DH_check_pub_key().
   9.155 ++
   9.156 ++    (CVE-2024-5678)
   9.157 ++    [Richard Levitte]
   9.158 ++    [Hugo Landau]
   9.159 ++
   9.160 ++
   9.161 +  Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
   9.162 + 
   9.163 +  *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
   9.164 +diff --git a/NEWS b/NEWS
   9.165 +index 1b849cd..7810ece 100644
   9.166 +--- a/NEWS
   9.167 ++++ b/NEWS
   9.168 +@@ -5,6 +5,24 @@
   9.169 +   This file gives a brief overview of the major changes between each OpenSSL
   9.170 +   release. For more details please read the CHANGES file.
   9.171 + 
   9.172 ++  Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
   9.173 ++
   9.174 ++      o Harden BN_GF2m_poly2arr against misuse
   9.175 ++
   9.176 ++  Major changes between OpenSSL 1.1.1y and OpenSSL 1.1.1za [26 Jun 2024]
   9.177 ++
   9.178 ++      o Fix SSL_select_next_proto
   9.179 ++
   9.180 ++  Major changes between OpenSSL 1.1.1x and OpenSSL 1.1.1y [27 May 2024]
   9.181 ++
   9.182 ++      o Only free the read buffers if we're not using them
   9.183 ++      o Fix unconstrained session cache growth in TLSv1.3
   9.184 ++
   9.185 ++  Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [25 Jan 2024]
   9.186 ++
   9.187 ++      o Add NULL checks where ContentInfo data can be NULL
   9.188 ++      o Make DH_check_pub_key() and DH_generate_key() safer yet
   9.189 ++
   9.190 +   Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
   9.191 + 
   9.192 +       o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
   9.193 +diff --git a/README b/README
   9.194 +index e924e15..6612eb0 100644
   9.195 +--- a/README
   9.196 ++++ b/README
   9.197 +@@ -1,5 +1,5 @@
   9.198 + 
   9.199 +- OpenSSL 1.1.1w 11 Sep 2023
   9.200 ++ OpenSSL 1.1.1zb 16 Oct 2024
   9.201 + 
   9.202 +  Copyright (c) 1998-2023 The OpenSSL Project
   9.203 +  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
   9.204 +diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
   9.205 +index a2ea867..6709471 100644
   9.206 +--- a/crypto/bn/bn_gf2m.c
   9.207 ++++ b/crypto/bn/bn_gf2m.c
   9.208 +@@ -15,6 +15,7 @@
   9.209 + #include "bn_local.h"
   9.210 + 
   9.211 + #ifndef OPENSSL_NO_EC2M
   9.212 ++#include <openssl/ec.h>
   9.213 + 
   9.214 + /*
   9.215 +  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
   9.216 +@@ -1109,16 +1110,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
   9.217 + /*
   9.218 +  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
   9.219 +  * x^i) into an array of integers corresponding to the bits with non-zero
   9.220 +- * coefficient.  Array is terminated with -1. Up to max elements of the array
   9.221 +- * will be filled.  Return value is total number of array elements that would
   9.222 +- * be filled if array was large enough.
   9.223 ++ * coefficient.  The array is intended to be suitable for use with
   9.224 ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
   9.225 ++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
   9.226 ++ *
   9.227 ++ * Given sufficient room, the array is terminated with -1.  Up to max elements
   9.228 ++ * of the array will be filled.
   9.229 ++ *
   9.230 ++ * The return value is total number of array elements that would be filled if
   9.231 ++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
   9.232 ++ * is not odd or the constant term is zero contrary to requirement.
   9.233 ++ *
   9.234 ++ * The return value is also `0` when the leading exponent exceeds
   9.235 ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
   9.236 +  */
   9.237 + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
   9.238 + {
   9.239 +     int i, j, k = 0;
   9.240 +     BN_ULONG mask;
   9.241 + 
   9.242 +-    if (BN_is_zero(a))
   9.243 ++    if (!BN_is_odd(a))
   9.244 +         return 0;
   9.245 + 
   9.246 +     for (i = a->top - 1; i >= 0; i--) {
   9.247 +@@ -1136,12 +1147,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
   9.248 +         }
   9.249 +     }
   9.250 + 
   9.251 +-    if (k < max) {
   9.252 ++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
   9.253 ++        return 0;
   9.254 ++
   9.255 ++    if (k < max)
   9.256 +         p[k] = -1;
   9.257 +-        k++;
   9.258 +-    }
   9.259 + 
   9.260 +-    return k;
   9.261 ++    return k + 1;
   9.262 + }
   9.263 + 
   9.264 + /*
   9.265 +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
   9.266 +index a1a5d07..ddf42b6 100644
   9.267 +--- a/include/openssl/opensslv.h
   9.268 ++++ b/include/openssl/opensslv.h
   9.269 +@@ -39,8 +39,8 @@ extern "C" {
   9.270 +  * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
   9.271 +  *  major minor fix final patch/beta)
   9.272 +  */
   9.273 +-# define OPENSSL_VERSION_NUMBER  0x101011afL
   9.274 +-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1za  26 Jun 2024"
   9.275 ++# define OPENSSL_VERSION_NUMBER  0x101011bfL
   9.276 ++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1zb  16 Oct 2024"
   9.277 + 
   9.278 + /*-
   9.279 +  * The macros below are to be used for shared library (.so, .dll, ...)
   9.280 +diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
   9.281 +index 390f41f..1590a18 100644
   9.282 +--- a/test/ec_internal_test.c
   9.283 ++++ b/test/ec_internal_test.c
   9.284 +@@ -150,6 +150,56 @@ static int field_tests_ecp_mont(void)
   9.285 + }
   9.286 + 
   9.287 + #ifndef OPENSSL_NO_EC2M
   9.288 ++/* Test that decoding of invalid GF2m field parameters fails. */
   9.289 ++static int ec2m_field_sanity(void)
   9.290 ++{
   9.291 ++    int ret = 0;
   9.292 ++    BN_CTX *ctx = BN_CTX_new();
   9.293 ++    BIGNUM *p, *a, *b;
   9.294 ++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
   9.295 ++
   9.296 ++    TEST_info("Testing GF2m hardening\n");
   9.297 ++
   9.298 ++    BN_CTX_start(ctx);
   9.299 ++    p = BN_CTX_get(ctx);
   9.300 ++    a = BN_CTX_get(ctx);
   9.301 ++    if (!TEST_ptr(b = BN_CTX_get(ctx))
   9.302 ++        || !TEST_true(BN_one(a))
   9.303 ++        || !TEST_true(BN_one(b)))
   9.304 ++        goto out;
   9.305 ++
   9.306 ++    /* Even pentanomial value should be rejected */
   9.307 ++    if (!TEST_true(BN_set_word(p, 0xf2)))
   9.308 ++        goto out;
   9.309 ++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
   9.310 ++        TEST_error("Zero constant term accepted in GF2m polynomial");
   9.311 ++
   9.312 ++    /* Odd hexanomial should also be rejected */
   9.313 ++    if (!TEST_true(BN_set_word(p, 0xf3)))
   9.314 ++        goto out;
   9.315 ++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
   9.316 ++        TEST_error("Hexanomial accepted as GF2m polynomial");
   9.317 ++
   9.318 ++    /* Excessive polynomial degree should also be rejected */
   9.319 ++    if (!TEST_true(BN_set_word(p, 0x71))
   9.320 ++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
   9.321 ++        goto out;
   9.322 ++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
   9.323 ++        TEST_error("GF2m polynomial degree > %d accepted",
   9.324 ++                   OPENSSL_ECC_MAX_FIELD_BITS);
   9.325 ++
   9.326 ++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
   9.327 ++
   9.328 ++ out:
   9.329 ++    EC_GROUP_free(group1);
   9.330 ++    EC_GROUP_free(group2);
   9.331 ++    EC_GROUP_free(group3);
   9.332 ++    BN_CTX_end(ctx);
   9.333 ++    BN_CTX_free(ctx);
   9.334 ++
   9.335 ++    return ret;
   9.336 ++}
   9.337 ++
   9.338 + /* test EC_GF2m_simple_method directly */
   9.339 + static int field_tests_ec2_simple(void)
   9.340 + {
   9.341 +@@ -367,6 +417,7 @@ int setup_tests(void)
   9.342 +     ADD_TEST(field_tests_ecp_simple);
   9.343 +     ADD_TEST(field_tests_ecp_mont);
   9.344 + #ifndef OPENSSL_NO_EC2M
   9.345 ++    ADD_TEST(ec2m_field_sanity);
   9.346 +     ADD_TEST(field_tests_ec2_simple);
   9.347 + #endif
   9.348 +     ADD_ALL_TESTS(field_tests_default, crv_len);
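Review bot: The new degree guard in BN_GF2m_poly2arr reads `p[0]` whenever `k > 0`, but p[0] is only ever written when `max > 0`, so a caller that passes `max = 0` (typically with `p = NULL`) to learn the required array size now reads from an empty buffer; the `BN_is_odd` check at the top already guarantees k >= 1, so the `k > 0` half of the condition is not what protects that read. Guard on the array size instead, `if (max > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)`, with a comment such as `/* p[0] is the leading exponent and is only valid when max > 0 */`; the follow-up call with a real array still returns 0 for an oversized polynomial, so the CPU-exhaustion protection is kept. The in-tree callers appear to pass fixed-size arrays, so this presumably only affects external users of the public BN_GF2m_poly2arr API, but it is the same class of out-of-bounds read the patch sets out to close. The loop that fills p[] sits between the two inner hunks of bn_gf2m.c and is not visible here.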
    10.1 --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
    10.2 +++ b/openssl/stuff/0005-openssl-1.1.1zb_p2_CVE_2024_13176.patch	Tue Apr 22 11:58:26 2025 +0000
    10.3 @@ -0,0 +1,177 @@
    10.4 +From 2a3058269d854754b66ef8bdaefb7820bd8c0908 Mon Sep 17 00:00:00 2001
    10.5 +From: Ken Zalewski <ken.zalewski@gmail.com>
    10.6 +Date: Sun, 9 Feb 2025 11:47:12 -0500
    10.7 +Subject: [PATCH] Patch to openssl-1.1.1zb p2.  This version addresses one
    10.8 + vulnerability:  CVE-2024-13176
    10.9 +
   10.10 +---
   10.11 + CHANGES                    | 25 +++++++++++++++++++++++++
   10.12 + NEWS                       |  5 +++++
   10.13 + README                     |  2 +-
   10.14 + crypto/bn/bn_exp.c         | 21 +++++++++++++++------
   10.15 + crypto/ec/ec_lib.c         |  6 +++---
   10.16 + include/crypto/bn.h        |  3 +++
   10.17 + include/openssl/opensslv.h |  2 +-
   10.18 + 7 files changed, 53 insertions(+), 11 deletions(-)
   10.19 +
   10.20 +diff --git a/CHANGES b/CHANGES
   10.21 +index 7d82f7a..66ae239 100644
   10.22 +--- a/CHANGES
   10.23 ++++ b/CHANGES
   10.24 +@@ -7,6 +7,31 @@
   10.25 +  https://github.com/openssl/openssl/commits/ and pick the appropriate
   10.26 +  release branch.
   10.27 + 
   10.28 ++ Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025]
   10.29 ++
   10.30 ++ *) Fix timing side-channel in ECDSA signature computation
   10.31 ++
   10.32 ++    There is a timing signal of around 300 nanoseconds when the top word of
   10.33 ++    the inverted ECDSA nonce value is zero. This can happen with significant
   10.34 ++    probability only for some of the supported elliptic curves. In particular
   10.35 ++    the NIST P-521 curve is affected. To be able to measure this leak, the
   10.36 ++    attacker process must either be located in the same physical computer or
   10.37 ++    must have a very fast network connection with low latency.
   10.38 ++
   10.39 ++    Attacks on ECDSA nonce are also known as Minerva attack.
   10.40 ++
   10.41 ++    [CVE-2024-13176]
   10.42 ++    [Tomas Mraz]
   10.43 ++
   10.44 ++
   10.45 ++ Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024]
   10.46 ++
   10.47 ++ *) Fix the version number for versions that require two letters.
   10.48 ++
   10.49 ++    [V Petrischew]
   10.50 ++    [Ken Zalewski]
   10.51 ++
   10.52 ++
   10.53 +  Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
   10.54 + 
   10.55 +  *) Harden BN_GF2m_poly2arr against misuse
   10.56 +diff --git a/NEWS b/NEWS
   10.57 +index 7810ece..ab46ab1 100644
   10.58 +--- a/NEWS
   10.59 ++++ b/NEWS
   10.60 +@@ -5,6 +5,11 @@
   10.61 +   This file gives a brief overview of the major changes between each OpenSSL
   10.62 +   release. For more details please read the CHANGES file.
   10.63 + 
   10.64 ++  Major changes between OpenSSL 1.1.1zb and OpenSSL 1.1.1zb_p2 [20 Jan 2025]
   10.65 ++
   10.66 ++      o Fix version number for versions that require two letters
   10.67 ++      o Fix timing side-channel in ECDSA signature computation
   10.68 ++
   10.69 +   Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
   10.70 + 
   10.71 +       o Harden BN_GF2m_poly2arr against misuse
   10.72 +diff --git a/README b/README
   10.73 +index 6612eb0..a02895e 100644
   10.74 +--- a/README
   10.75 ++++ b/README
   10.76 +@@ -1,5 +1,5 @@
   10.77 + 
   10.78 +- OpenSSL 1.1.1zb 16 Oct 2024
   10.79 ++ OpenSSL 1.1.1zb_p2 20 Jan 2025
   10.80 + 
   10.81 +  Copyright (c) 1998-2023 The OpenSSL Project
   10.82 +  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
   10.83 +diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
   10.84 +index 517e3c2..0489658 100644
   10.85 +--- a/crypto/bn/bn_exp.c
   10.86 ++++ b/crypto/bn/bn_exp.c
   10.87 +@@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
   10.88 +  * out by Colin Percival,
   10.89 +  * http://www.daemonology.net/hyperthreading-considered-harmful/)
   10.90 +  */
   10.91 +-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   10.92 ++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   10.93 +                               const BIGNUM *m, BN_CTX *ctx,
   10.94 +                               BN_MONT_CTX *in_mont)
   10.95 + {
   10.96 +@@ -618,10 +618,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
   10.97 +     unsigned int t4 = 0;
   10.98 + #endif
   10.99 + 
  10.100 +-    bn_check_top(a);
  10.101 +-    bn_check_top(p);
  10.102 +-    bn_check_top(m);
  10.103 +-
  10.104 +     if (!BN_is_odd(m)) {
  10.105 +         BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
  10.106 +         return 0;
  10.107 +@@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  10.108 +             goto err;
  10.109 +     } else
  10.110 + #endif
  10.111 +-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
  10.112 ++    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
  10.113 +         goto err;
  10.114 +     ret = 1;
  10.115 +  err:
  10.116 +@@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  10.117 +     return ret;
  10.118 + }
  10.119 + 
  10.120 ++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  10.121 ++                              const BIGNUM *m, BN_CTX *ctx,
  10.122 ++                              BN_MONT_CTX *in_mont)
  10.123 ++{
  10.124 ++    bn_check_top(a);
  10.125 ++    bn_check_top(p);
  10.126 ++    bn_check_top(m);
  10.127 ++    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
  10.128 ++        return 0;
  10.129 ++    bn_correct_top(rr);
  10.130 ++    return 1;
  10.131 ++}
  10.132 ++
  10.133 + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
  10.134 +                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
  10.135 + {
  10.136 +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
  10.137 +index 08db89f..fef0c2f 100644
  10.138 +--- a/crypto/ec/ec_lib.c
  10.139 ++++ b/crypto/ec/ec_lib.c
  10.140 +@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
  10.141 +     if (!BN_sub(e, group->order, e))
  10.142 +         goto err;
  10.143 +     /*-
  10.144 +-     * Exponent e is public.
  10.145 +-     * No need for scatter-gather or BN_FLG_CONSTTIME.
  10.146 ++     * Although the exponent is public we want the result to be
  10.147 ++     * fixed top.
  10.148 +      */
  10.149 +-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
  10.150 ++    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
  10.151 +         goto err;
  10.152 + 
  10.153 +     ret = 1;
  10.154 +diff --git a/include/crypto/bn.h b/include/crypto/bn.h
  10.155 +index 250914c..10cfc84 100644
  10.156 +--- a/include/crypto/bn.h
  10.157 ++++ b/include/crypto/bn.h
  10.158 +@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
  10.159 +  */
  10.160 + int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
  10.161 +                           BN_MONT_CTX *mont, BN_CTX *ctx);
  10.162 ++int bn_mode_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
  10.163 ++                               const BIGNUM *m, BN_CTX *ctx,
  10.164 ++                               BN_MONT_CTX *in_mont);
  10.165 + int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
  10.166 +                          BN_CTX *ctx);
  10.167 + int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
  10.168 +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
  10.169 +index ddf42b6..1568415 100644
  10.170 +--- a/include/openssl/opensslv.h
  10.171 ++++ b/include/openssl/opensslv.h
  10.172 +@@ -40,7 +40,7 @@ extern "C" {
  10.173 +  *  major minor fix final patch/beta)
  10.174 +  */
  10.175 + # define OPENSSL_VERSION_NUMBER  0x101011bfL
  10.176 +-# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1zb  16 Oct 2024"
  10.177 ++# define OPENSSL_VERSION_TEXT    "OpenSSL 1.1.1zb  20 Jan 2025"
  10.178 + 
  10.179 + /*-
  10.180 +  * The macros below are to be used for shared library (.so, .dll, ...)
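Review bot: The prototype added to include/crypto/bn.h declares `bn_mode_exp_mont_fixed_top` (stray "e"), while the definition in crypto/bn/bn_exp.c and the new call in crypto/ec/ec_lib.c both use `bn_mod_exp_mont_fixed_top`, so ec_lib.c is compiled against an implicit declaration (a warning under -Wall, an error under --strict-warnings and on recent compilers that reject implicit function declarations) and the misspelled prototype is dead. The header line should read `int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,` with its two continuation lines unchanged. Separately, OPENSSL_VERSION_TEXT still reports "OpenSSL 1.1.1zb" while README and CHANGES call this build 1.1.1zb_p2, so OpenSSL_version(OPENSSL_VERSION) cannot distinguish a tree carrying the ECDSA fix from one without it; `"OpenSSL 1.1.1zb_p2  20 Jan 2025"` would make the runtime string match the documented version. The body of the renamed bn_mod_exp_mont_fixed_top lies outside the visible hunks.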