wok-current diff openssl11/stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch @ rev 25728
Merge wok for both arch and few updates
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Thu Dec 05 08:39:45 2024 +0000 (9 months ago) |
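--- /dev/null
+++ b/openssl11/stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch
@@ -0,0 +1,345 @@
+From 9ad69b994ae7c73ba06d9f75efd2625102de814c Mon Sep 17 00:00:00 2001
+From: Ken Zalewski <ken.zalewski@gmail.com>
+Date: Mon, 21 Oct 2024 16:24:47 -0400
+Subject: [PATCH] Patch to openssl-1.1.1zb. This version addresses one
+ vulnerability: CVE-2024-9143
+
+---
+ CHANGES | 134 +++++++++++++++++++++++++++++++++++++
+ NEWS | 18 +++++
+ README | 2 +-
+ crypto/bn/bn_gf2m.c | 28 +++++---
+ include/openssl/opensslv.h | 4 +-
+ test/ec_internal_test.c | 51 ++++++++++++++
+ 6 files changed, 226 insertions(+), 11 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index c440948..7d82f7a 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,6 +7,140 @@
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
++ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
++
++ *) Harden BN_GF2m_poly2arr against misuse
++
++ The BN_GF2m_poly2arr() function converts characteristic-2 field
++ (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
++ to a compact array with just the exponents of the non-zero terms.
++
++ These polynomials are then used in BN_GF2m_mod_arr() to perform modular
++ reduction. A precondition of calling BN_GF2m_mod_arr() is that the
++ polynomial must have a non-zero constant term (i.e. the array has `0` as
++ its final element).
++
++ Internally, callers of BN_GF2m_poly2arr() did not verify that
++ precondition, and binary EC curve parameters with an invalid polynomial
++ could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
++
++ The precondition is always true for polynomials that arise from the
++ standard form of EC parameters for characteristic-two fields (X9.62).
++ See the "Finite Field Identification" section of:
++
++ https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
++
++ The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
++ basis X9.62 forms.
++
++ This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
++ the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
++
++ Additionally, the return value is made unambiguous when there is not
++ enough space to also pad the array with a final `-1` sentinel value.
++ The return value is now always the number of elements (including the
++ final `-1`) that would be filled when the output array is sufficiently
++ large. Previously the same count was returned both when the array has
++ just enough room for the final `-1` and when it had only enough space
++ for non-sentinel values.
++
++ Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
++ degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
++ CPU exhausition attacks via excessively large inputs.
++
++ The above issues do not arise in processing X.509 certificates. These
++ generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
++ disallows explicit EC parameters. The TLS code in OpenSSL enforces this
++ constraint only after the certificate is decoded, but, even if explicit
++ parameters are specified, they are in X9.62 form, which cannot represent
++ problem values as noted above.
++
++ (CVE-2024-9143)
++ [Viktor Dukhovni]
++
++
++ Changes between 1.1.1y and 1.1.1za [26 Jun 2024]
++
++ *) Fix SSL_select_next_proto
++
++ Ensure that the provided client list is non-NULL and starts with a valid
++ entry. When called from the ALPN callback the client list should already
++ have been validated by OpenSSL so this should not cause a problem. When
++ called from the NPN callback the client list is locally configured and
++ will not have already been validated. Therefore SSL_select_next_proto
++ should not assume that it is correctly formatted.
++
++ We implement stricter checking of the client protocol list. We also do the
++ same for the server list while we are about it.
++
++ (CVE-2024-5535)
++ [Matt Caswell]
++
++
++ Changes between 1.1.1x and 1.1.1y [27 May 2024]
++
++ *) Only free the read buffers if we're not using them
++
++ If we're part way through processing a record, or the application has
++ not released all the records then we should not free our buffer because
++ they are still needed.
++
++ (CVE-2024-4741)
++ [Matt Caswell]
++ [Watson Ladd]
++
++ *) Fix unconstrained session cache growth in TLSv1.3
++
++ In TLSv1.3 we create a new session object for each ticket that we send.
++ We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
++ use then the new session will be added to the session cache. However, if
++ early data is not in use (and therefore anti-replay protection is being
++ used), then multiple threads could be resuming from the same session
++ simultaneously. If this happens and a problem occurs on one of the threads,
++ then the original session object could be marked as not_resumable. When we
++ duplicate the session object this not_resumable status gets copied into the
++ new session object. The new session object is then added to the session
++ cache even though it is not_resumable.
++
++ Subsequently, another bug means that the session_id_length is set to 0 for
++ sessions that are marked as not_resumable - even though that session is
++ still in the cache. Once this happens the session can never be removed from
++ the cache. When that object gets to be the session cache tail object the
++ cache never shrinks again and grows indefinitely.
++
++ (CVE-2024-2511)
++ [Matt Caswell]
++
++
++ Changes between 1.1.1w and 1.1.1x [25 Jan 2024]
++
++ *) Add NULL checks where ContentInfo data can be NULL
++
++ PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
++ optional and can be NULL even if the "type" is a valid value. OpenSSL
++ was not properly accounting for this and a NULL dereference can occur
++ causing a crash.
++
++ (CVE-2024-0727)
++ [Matt Caswell]
++
++ *) Make DH_check_pub_key() and DH_generate_key() safer yet
++
++ We already check for an excessively large P in DH_generate_key(), but not in
++ DH_check_pub_key(), and none of them check for an excessively large Q.
++
++ This change adds all the missing excessive size checks of P and Q.
++
++ It's to be noted that behaviours surrounding excessively sized P and Q
++ differ. DH_check() raises an error on the excessively sized P, but only
++ sets a flag for the excessively sized Q. This behaviour is mimicked in
++ DH_check_pub_key().
++
++ (CVE-2024-5678)
++ [Richard Levitte]
++ [Hugo Landau]
++
++
+ Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
+
+ *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
+diff --git a/NEWS b/NEWS
+index 1b849cd..7810ece 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,24 @@
+ This file gives a brief overview of the major changes between each OpenSSL
+ release. For more details please read the CHANGES file.
+
++ Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
++
++ o Harden BN_GF2m_poly2arr against misuse
++
++ Major changes between OpenSSL 1.1.1y and OpenSSL 1.1.1za [26 Jun 2024]
++
++ o Fix SSL_select_next_proto
++
++ Major changes between OpenSSL 1.1.1x and OpenSSL 1.1.1y [27 May 2024]
++
++ o Only free the read buffers if we're not using them
++ o Fix unconstrained session cache growth in TLSv1.3
++
++ Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [25 Jan 2024]
++
++ o Add NULL checks where ContentInfo data can be NULL
++ o Make DH_check_pub_key() and DH_generate_key() safer yet
++
+ Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
+
+ o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
+diff --git a/README b/README
+index e924e15..6612eb0 100644
+--- a/README
++++ b/README
+@@ -1,5 +1,5 @@
+
+- OpenSSL 1.1.1w 11 Sep 2023
++ OpenSSL 1.1.1zb 16 Oct 2024
+
+ Copyright (c) 1998-2023 The OpenSSL Project
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index a2ea867..6709471 100644
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+
+ #ifndef OPENSSL_NO_EC2M
++#include <openssl/ec.h>
+
+ /*
+ * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1109,16 +1110,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+ * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+ * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient. Array is terminated with -1. Up to max elements of the array
+- * will be filled. Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient. The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1. Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`. It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+ */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+ int i, j, k = 0;
+ BN_ULONG mask;
+
+- if (BN_is_zero(a))
++ if (!BN_is_odd(a))
+ return 0;
+
+ for (i = a->top - 1; i >= 0; i--) {
+@@ -1136,12 +1147,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ }
+ }
+
+- if (k < max) {
++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++ return 0;
++
++ if (k < max)
+ p[k] = -1;
+- k++;
+- }
+
+- return k;
++ return k + 1;
+ }
+
+ /*
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index a1a5d07..ddf42b6 100644
+--- a/include/openssl/opensslv.h
++++ b/include/openssl/opensslv.h
+@@ -39,8 +39,8 @@ extern "C" {
+ * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
+ * major minor fix final patch/beta)
+ */
+-# define OPENSSL_VERSION_NUMBER 0x101011afL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024"
++# define OPENSSL_VERSION_NUMBER 0x101011bfL
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024"
+
+ /*-
+ * The macros below are to be used for shared library (.so, .dll, ...)
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 390f41f..1590a18 100644
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -150,6 +150,56 @@ static int field_tests_ecp_mont(void)
+ }
+
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++ int ret = 0;
++ BN_CTX *ctx = BN_CTX_new();
++ BIGNUM *p, *a, *b;
++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++ TEST_info("Testing GF2m hardening\n");
++
++ BN_CTX_start(ctx);
++ p = BN_CTX_get(ctx);
++ a = BN_CTX_get(ctx);
++ if (!TEST_ptr(b = BN_CTX_get(ctx))
++ || !TEST_true(BN_one(a))
++ || !TEST_true(BN_one(b)))
++ goto out;
++
++ /* Even pentanomial value should be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf2)))
++ goto out;
++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Zero constant term accepted in GF2m polynomial");
++
++ /* Odd hexanomial should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0xf3)))
++ goto out;
++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("Hexanomial accepted as GF2m polynomial");
++
++ /* Excessive polynomial degree should also be rejected */
++ if (!TEST_true(BN_set_word(p, 0x71))
++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++ goto out;
++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++ TEST_error("GF2m polynomial degree > %d accepted",
++ OPENSSL_ECC_MAX_FIELD_BITS);
++
++ ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++ EC_GROUP_free(group1);
++ EC_GROUP_free(group2);
++ EC_GROUP_free(group3);
++ BN_CTX_end(ctx);
++ BN_CTX_free(ctx);
++
++ return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -367,6 +417,7 @@ int setup_tests(void)
+ ADD_TEST(field_tests_ecp_simple);
+ ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++ ADD_TEST(ec2m_field_sanity);
+ ADD_TEST(field_tests_ec2_simple);
+ #endif
+ ADD_ALL_TESTS(field_tests_default, crv_len);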
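Review bot: In the bundled crypto/bn/bn_gf2m.c change, the new degree check `if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)` reads `p[0]` without regard to `max`, while the function comment says only up to `max` elements are filled, so a caller passing `max` of 0 would have `p[0]` read before anything was stored there. The fill loop sits between the two bn_gf2m.c hunks and no callers are visible on this page, so this is inferred from the comment rather than confirmed. Taking the degree from the BIGNUM before the loop, `if (BN_num_bits(a) - 1 > OPENSSL_ECC_MAX_FIELD_BITS) return 0;`, avoids that read and rejects an oversized input before it is scanned, which matches the stated goal of bounding CPU use. Separately, `ec2m_field_sanity()` hands the result of `BN_CTX_new()` to `BN_CTX_start()` unchecked; `if (!TEST_ptr(ctx = BN_CTX_new())) return 0;` would turn an allocation failure into a reported test failure.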