wok-current view openssl11/stuff/0004-openssl-1.1.1zb_CVE_2024_9143.patch @ rev 25728

Merge wok for both arch and few updates
author Stanislas Leduc <shann@slitaz.org>
date Thu Dec 05 08:39:45 2024 +0000 (9 months ago)
1 From 9ad69b994ae7c73ba06d9f75efd2625102de814c Mon Sep 17 00:00:00 2001
2 From: Ken Zalewski <ken.zalewski@gmail.com>
3 Date: Mon, 21 Oct 2024 16:24:47 -0400
4 Subject: [PATCH] Patch to openssl-1.1.1zb. This version addresses one
5 vulnerability: CVE-2024-9143
7 ---
8 CHANGES | 134 +++++++++++++++++++++++++++++++++++++
9 NEWS | 18 +++++
10 README | 2 +-
11 crypto/bn/bn_gf2m.c | 28 +++++---
12 include/openssl/opensslv.h | 4 +-
13 test/ec_internal_test.c | 51 ++++++++++++++
14 6 files changed, 226 insertions(+), 11 deletions(-)
16 diff --git a/CHANGES b/CHANGES
17 index c440948..7d82f7a 100644
18 --- a/CHANGES
19 +++ b/CHANGES
20 @@ -7,6 +7,140 @@
21 https://github.com/openssl/openssl/commits/ and pick the appropriate
22 release branch.
24 + Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
25 +
26 + *) Harden BN_GF2m_poly2arr against misuse
27 +
28 + The BN_GF2m_poly2arr() function converts characteristic-2 field
29 + (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
30 + to a compact array with just the exponents of the non-zero terms.
31 +
32 + These polynomials are then used in BN_GF2m_mod_arr() to perform modular
33 + reduction. A precondition of calling BN_GF2m_mod_arr() is that the
34 + polynomial must have a non-zero constant term (i.e. the array has `0` as
35 + its final element).
36 +
37 + Internally, callers of BN_GF2m_poly2arr() did not verify that
38 + precondition, and binary EC curve parameters with an invalid polynomial
39 + could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
40 +
41 + The precondition is always true for polynomials that arise from the
42 + standard form of EC parameters for characteristic-two fields (X9.62).
43 + See the "Finite Field Identification" section of:
44 +
45 + https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
46 +
47 + The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
48 + basis X9.62 forms.
49 +
50 + This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
51 + the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
52 +
53 + Additionally, the return value is made unambiguous when there is not
54 + enough space to also pad the array with a final `-1` sentinel value.
55 + The return value is now always the number of elements (including the
56 + final `-1`) that would be filled when the output array is sufficiently
57 + large. Previously the same count was returned both when the array has
58 + just enough room for the final `-1` and when it had only enough space
59 + for non-sentinel values.
60 +
61 + Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
62 + degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
63 + CPU exhausition attacks via excessively large inputs.
64 +
65 + The above issues do not arise in processing X.509 certificates. These
66 + generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
67 + disallows explicit EC parameters. The TLS code in OpenSSL enforces this
68 + constraint only after the certificate is decoded, but, even if explicit
69 + parameters are specified, they are in X9.62 form, which cannot represent
70 + problem values as noted above.
71 +
72 + (CVE-2024-9143)
73 + [Viktor Dukhovni]
74 +
75 +
76 + Changes between 1.1.1y and 1.1.1za [26 Jun 2024]
77 +
78 + *) Fix SSL_select_next_proto
79 +
80 + Ensure that the provided client list is non-NULL and starts with a valid
81 + entry. When called from the ALPN callback the client list should already
82 + have been validated by OpenSSL so this should not cause a problem. When
83 + called from the NPN callback the client list is locally configured and
84 + will not have already been validated. Therefore SSL_select_next_proto
85 + should not assume that it is correctly formatted.
86 +
87 + We implement stricter checking of the client protocol list. We also do the
88 + same for the server list while we are about it.
89 +
90 + (CVE-2024-5535)
91 + [Matt Caswell]
92 +
93 +
94 + Changes between 1.1.1x and 1.1.1y [27 May 2024]
95 +
96 + *) Only free the read buffers if we're not using them
97 +
98 + If we're part way through processing a record, or the application has
99 + not released all the records then we should not free our buffer because
100 + they are still needed.
101 +
102 + (CVE-2024-4741)
103 + [Matt Caswell]
104 + [Watson Ladd]
105 +
106 + *) Fix unconstrained session cache growth in TLSv1.3
107 +
108 + In TLSv1.3 we create a new session object for each ticket that we send.
109 + We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
110 + use then the new session will be added to the session cache. However, if
111 + early data is not in use (and therefore anti-replay protection is being
112 + used), then multiple threads could be resuming from the same session
113 + simultaneously. If this happens and a problem occurs on one of the threads,
114 + then the original session object could be marked as not_resumable. When we
115 + duplicate the session object this not_resumable status gets copied into the
116 + new session object. The new session object is then added to the session
117 + cache even though it is not_resumable.
118 +
119 + Subsequently, another bug means that the session_id_length is set to 0 for
120 + sessions that are marked as not_resumable - even though that session is
121 + still in the cache. Once this happens the session can never be removed from
122 + the cache. When that object gets to be the session cache tail object the
123 + cache never shrinks again and grows indefinitely.
124 +
125 + (CVE-2024-2511)
126 + [Matt Caswell]
127 +
128 +
129 + Changes between 1.1.1w and 1.1.1x [25 Jan 2024]
130 +
131 + *) Add NULL checks where ContentInfo data can be NULL
132 +
133 + PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
134 + optional and can be NULL even if the "type" is a valid value. OpenSSL
135 + was not properly accounting for this and a NULL dereference can occur
136 + causing a crash.
137 +
138 + (CVE-2024-0727)
139 + [Matt Caswell]
140 +
141 + *) Make DH_check_pub_key() and DH_generate_key() safer yet
142 +
143 + We already check for an excessively large P in DH_generate_key(), but not in
144 + DH_check_pub_key(), and none of them check for an excessively large Q.
145 +
146 + This change adds all the missing excessive size checks of P and Q.
147 +
148 + It's to be noted that behaviours surrounding excessively sized P and Q
149 + differ. DH_check() raises an error on the excessively sized P, but only
150 + sets a flag for the excessively sized Q. This behaviour is mimicked in
151 + DH_check_pub_key().
152 +
153 + (CVE-2024-5678)
154 + [Richard Levitte]
155 + [Hugo Landau]
156 +
157 +
158 Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
160 *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
161 diff --git a/NEWS b/NEWS
162 index 1b849cd..7810ece 100644
163 --- a/NEWS
164 +++ b/NEWS
165 @@ -5,6 +5,24 @@
166 This file gives a brief overview of the major changes between each OpenSSL
167 release. For more details please read the CHANGES file.
169 + Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
170 +
171 + o Harden BN_GF2m_poly2arr against misuse
172 +
173 + Major changes between OpenSSL 1.1.1y and OpenSSL 1.1.1za [26 Jun 2024]
174 +
175 + o Fix SSL_select_next_proto
176 +
177 + Major changes between OpenSSL 1.1.1x and OpenSSL 1.1.1y [27 May 2024]
178 +
179 + o Only free the read buffers if we're not using them
180 + o Fix unconstrained session cache growth in TLSv1.3
181 +
182 + Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [25 Jan 2024]
183 +
184 + o Add NULL checks where ContentInfo data can be NULL
185 + o Make DH_check_pub_key() and DH_generate_key() safer yet
186 +
187 Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
189 o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
190 diff --git a/README b/README
191 index e924e15..6612eb0 100644
192 --- a/README
193 +++ b/README
194 @@ -1,5 +1,5 @@
196 - OpenSSL 1.1.1w 11 Sep 2023
197 + OpenSSL 1.1.1zb 16 Oct 2024
199 Copyright (c) 1998-2023 The OpenSSL Project
200 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
201 diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
202 index a2ea867..6709471 100644
203 --- a/crypto/bn/bn_gf2m.c
204 +++ b/crypto/bn/bn_gf2m.c
205 @@ -15,6 +15,7 @@
206 #include "bn_local.h"
208 #ifndef OPENSSL_NO_EC2M
209 +#include <openssl/ec.h>
211 /*
212 * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
213 @@ -1109,16 +1110,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
214 /*
215 * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
216 * x^i) into an array of integers corresponding to the bits with non-zero
217 - * coefficient. Array is terminated with -1. Up to max elements of the array
218 - * will be filled. Return value is total number of array elements that would
219 - * be filled if array was large enough.
220 + * coefficient. The array is intended to be suitable for use with
221 + * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
222 + * zero. This translates to a requirement that the input BIGNUM `a` is odd.
223 + *
224 + * Given sufficient room, the array is terminated with -1. Up to max elements
225 + * of the array will be filled.
226 + *
227 + * The return value is total number of array elements that would be filled if
228 + * array was large enough, including the terminating `-1`. It is `0` when `a`
229 + * is not odd or the constant term is zero contrary to requirement.
230 + *
231 + * The return value is also `0` when the leading exponent exceeds
232 + * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
233 */
234 int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
235 {
236 int i, j, k = 0;
237 BN_ULONG mask;
239 - if (BN_is_zero(a))
240 + if (!BN_is_odd(a))
241 return 0;
243 for (i = a->top - 1; i >= 0; i--) {
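Review bot: The rewritten header comment for BN_GF2m_poly2arr ends mid-sentence — the line ` * OPENSSL_ECC_MAX_FIELD_BITS, this guards against CPU exhaustion attacks,` closes with a comma — and the sentence before it states one condition twice, since the input being even is exactly the constant term being zero. The two return-value sentences could be collapsed to ` * is not odd (i.e. the constant term is zero), or when the leading exponent` / ` * exceeds OPENSSL_ECC_MAX_FIELD_BITS; the latter guards against CPU exhaustion.`. The comment would also help callers by saying outright that a return value greater than max means the array was too small and no -1 sentinel was stored, since that comparison is the check every caller now has to make. The function body continues past the end of this hunk.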
244 @@ -1136,12 +1147,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
245 }
246 }
248 - if (k < max) {
249 + if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
250 + return 0;
251 +
252 + if (k < max)
253 p[k] = -1;
254 - k++;
255 - }
257 - return k;
258 + return k + 1;
259 }
261 /*
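Review bot: The new degree check `if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)` reads `p[0]`, yet the scan loop (its body lies outside the hunk, so this is inferred from the `if (k < max)` convention visible here) only stores into p while k < max; for a public API that may be called with max == 0 to size the array, that reads an element the function never wrote, possibly through a NULL p. Because the odd check earlier guarantees k >= 1, the `k > 0` guard never prevents the read. The degree can be taken from the input instead: `if (BN_num_bits(a) - 1 > OPENSSL_ECC_MAX_FIELD_BITS) return 0;` placed beside the `BN_is_odd` test rejects oversized inputs before the bit scan and without touching the output array. Note also that the sentinel is only written when k < max while `return k + 1` is unconditional, so a result greater than max must be treated by callers as a truncated array with no -1 terminator.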
262 diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
263 index a1a5d07..ddf42b6 100644
264 --- a/include/openssl/opensslv.h
265 +++ b/include/openssl/opensslv.h
266 @@ -39,8 +39,8 @@ extern "C" {
267 * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
268 * major minor fix final patch/beta)
269 */
270 -# define OPENSSL_VERSION_NUMBER 0x101011afL
271 -# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024"
272 +# define OPENSSL_VERSION_NUMBER 0x101011bfL
273 +# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024"
275 /*-
276 * The macros below are to be used for shared library (.so, .dll, ...)
277 diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
278 index 390f41f..1590a18 100644
279 --- a/test/ec_internal_test.c
280 +++ b/test/ec_internal_test.c
281 @@ -150,6 +150,56 @@ static int field_tests_ecp_mont(void)
282 }
284 #ifndef OPENSSL_NO_EC2M
285 +/* Test that decoding of invalid GF2m field parameters fails. */
286 +static int ec2m_field_sanity(void)
287 +{
288 + int ret = 0;
289 + BN_CTX *ctx = BN_CTX_new();
290 + BIGNUM *p, *a, *b;
291 + EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
292 +
293 + TEST_info("Testing GF2m hardening\n");
294 +
295 + BN_CTX_start(ctx);
296 + p = BN_CTX_get(ctx);
297 + a = BN_CTX_get(ctx);
298 + if (!TEST_ptr(b = BN_CTX_get(ctx))
299 + || !TEST_true(BN_one(a))
300 + || !TEST_true(BN_one(b)))
301 + goto out;
302 +
303 + /* Even pentanomial value should be rejected */
304 + if (!TEST_true(BN_set_word(p, 0xf2)))
305 + goto out;
306 + if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
307 + TEST_error("Zero constant term accepted in GF2m polynomial");
308 +
309 + /* Odd hexanomial should also be rejected */
310 + if (!TEST_true(BN_set_word(p, 0xf3)))
311 + goto out;
312 + if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
313 + TEST_error("Hexanomial accepted as GF2m polynomial");
314 +
315 + /* Excessive polynomial degree should also be rejected */
316 + if (!TEST_true(BN_set_word(p, 0x71))
317 + || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
318 + goto out;
319 + if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
320 + TEST_error("GF2m polynomial degree > %d accepted",
321 + OPENSSL_ECC_MAX_FIELD_BITS);
322 +
323 + ret = group1 == NULL && group2 == NULL && group3 == NULL;
324 +
325 + out:
326 + EC_GROUP_free(group1);
327 + EC_GROUP_free(group2);
328 + EC_GROUP_free(group3);
329 + BN_CTX_end(ctx);
330 + BN_CTX_free(ctx);
331 +
332 + return ret;
333 +}
334 +
335 /* test EC_GF2m_simple_method directly */
336 static int field_tests_ec2_simple(void)
337 {
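Review bot: `BN_CTX *ctx = BN_CTX_new();` is passed straight to `BN_CTX_start(ctx)` and `BN_CTX_get(ctx)` without a NULL check, so an allocation failure in the new ec2m_field_sanity test becomes a crash instead of a reported failure. Declaring `BN_CTX *ctx = NULL;` and guarding the first use with `if (!TEST_ptr(ctx = BN_CTX_new())) return 0;` before any other resource is taken keeps the existing `out:` cleanup unchanged. Leaving p and a unchecked after `BN_CTX_get` is acceptable given that the later `TEST_ptr(b = BN_CTX_get(ctx))` catches a failed context, which is the usual OpenSSL idiom. The three cases exercise the hardening only through EC_GROUP_new_curve_GF2m; a direct call to BN_GF2m_poly2arr asserting that an undersized array yields a return value greater than max would also pin the changed return-value contract.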
338 @@ -367,6 +417,7 @@ int setup_tests(void)
339 ADD_TEST(field_tests_ecp_simple);
340 ADD_TEST(field_tests_ecp_mont);
341 #ifndef OPENSSL_NO_EC2M
342 + ADD_TEST(ec2m_field_sanity);
343 ADD_TEST(field_tests_ec2_simple);
344 #endif
345 ADD_ALL_TESTS(field_tests_default, crv_len);