wok-current rev 25743
Add miss openssl 1.1.1zb_p2 patch
author | Stanislas Leduc <shann@slitaz.org> |
---|---|
date | Mon Feb 10 11:01:43 2025 +0000 (7 months ago) |
parents | 5fcd8f86b172 |
children | a9d624d7aa5a |
files | openssl11/stuff/0005-openssl-1.1.1zb_p2_CVE_2024_13176.patch |
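--- /dev/null
+++ b/openssl11/stuff/0005-openssl-1.1.1zb_p2_CVE_2024_13176.patch
@@ -0,0 +1,177 @@
+From 2a3058269d854754b66ef8bdaefb7820bd8c0908 Mon Sep 17 00:00:00 2001
+From: Ken Zalewski <ken.zalewski@gmail.com>
+Date: Sun, 9 Feb 2025 11:47:12 -0500
+Subject: [PATCH] Patch to openssl-1.1.1zb p2. This version addresses one
+ vulnerability: CVE-2024-13176
+
+---
+ CHANGES | 25 +++++++++++++++++++++++++
+ NEWS | 5 +++++
+ README | 2 +-
+ crypto/bn/bn_exp.c | 21 +++++++++++++++------
+ crypto/ec/ec_lib.c | 6 +++---
+ include/crypto/bn.h | 3 +++
+ include/openssl/opensslv.h | 2 +-
+ 7 files changed, 53 insertions(+), 11 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 7d82f7a..66ae239 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,6 +7,31 @@
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
++ Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025]
++
++ *) Fix timing side-channel in ECDSA signature computation
++
++ There is a timing signal of around 300 nanoseconds when the top word of
++ the inverted ECDSA nonce value is zero. This can happen with significant
++ probability only for some of the supported elliptic curves. In particular
++ the NIST P-521 curve is affected. To be able to measure this leak, the
++ attacker process must either be located in the same physical computer or
++ must have a very fast network connection with low latency.
++
++ Attacks on ECDSA nonce are also known as Minerva attack.
++
++ [CVE-2024-13176]
++ [Tomas Mraz]
++
++
++ Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024]
++
++ *) Fix the version number for versions that require two letters.
++
++ [V Petrischew]
++ [Ken Zalewski]
++
++
+ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
+
+ *) Harden BN_GF2m_poly2arr against misuse
+diff --git a/NEWS b/NEWS
+index 7810ece..ab46ab1 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,11 @@
+ This file gives a brief overview of the major changes between each OpenSSL
+ release. For more details please read the CHANGES file.
+
++ Major changes between OpenSSL 1.1.1zb and OpenSSL 1.1.1zb_p2 [20 Jan 2025]
++
++ o Fix version number for versions that require two letters
++ o Fix timing side-channel in ECDSA signature computation
++
+ Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
+
+ o Harden BN_GF2m_poly2arr against misuse
+diff --git a/README b/README
+index 6612eb0..a02895e 100644
+--- a/README
++++ b/README
+@@ -1,5 +1,5 @@
+
+- OpenSSL 1.1.1zb 16 Oct 2024
++ OpenSSL 1.1.1zb_p2 20 Jan 2025
+
+ Copyright (c) 1998-2023 The OpenSSL Project
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
+index 517e3c2..0489658 100644
+--- a/crypto/bn/bn_exp.c
++++ b/crypto/bn/bn_exp.c
+@@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+ * out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+ {
+@@ -618,10 +618,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ unsigned int t4 = 0;
+ #endif
+
+- bn_check_top(a);
+- bn_check_top(p);
+- bn_check_top(m);
+-
+ if (!BN_is_odd(m)) {
+ BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
+ return 0;
+@@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ goto err;
+ } else
+ #endif
+- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
++ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+ goto err;
+ ret = 1;
+ err:
+@@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ return ret;
+ }
+
++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont)
++{
++ bn_check_top(a);
++ bn_check_top(p);
++ bn_check_top(m);
++ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
++ return 0;
++ bn_correct_top(rr);
++ return 1;
++}
++
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index 08db89f..fef0c2f 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+ if (!BN_sub(e, group->order, e))
+ goto err;
+ /*-
+- * Exponent e is public.
+- * No need for scatter-gather or BN_FLG_CONSTTIME.
++ * Although the exponent is public we want the result to be
++ * fixed top.
+ */
+- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
++ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+ goto err;
+
+ ret = 1;
+diff --git a/include/crypto/bn.h b/include/crypto/bn.h
+index 250914c..10cfc84 100644
+--- a/include/crypto/bn.h
++++ b/include/crypto/bn.h
+@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+ */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mode_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index ddf42b6..1568415 100644
+--- a/include/openssl/opensslv.h
++++ b/include/openssl/opensslv.h
+@@ -40,7 +40,7 @@ extern "C" {
+ * major minor fix final patch/beta)
+ */
+ # define OPENSSL_VERSION_NUMBER 0x101011bfL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 20 Jan 2025"
+
+ /*-
+ * The macros below are to be used for shared library (.so, .dll, ...)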
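Review bot: The prototype added to include/crypto/bn.h is spelled `bn_mode_exp_mont_fixed_top`, but the function defined in crypto/bn/bn_exp.c and called from ec_field_inverse_mod_ord() in crypto/ec/ec_lib.c is `bn_mod_exp_mont_fixed_top`. As far as these hunks show, the call in ec_lib.c therefore has no matching declaration in scope: older compilers accept it as an implicit declaration with no argument type checking, and compilers that reject implicit declarations will fail the build. The header line should read `int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,`; the body of ec_field_inverse_mod_ord() continues outside the hunk, so confirm no other prototype is pulled in there. Separately, `OPENSSL_VERSION_TEXT` becomes "OpenSSL 1.1.1zb 20 Jan 2025" without the `_p2` suffix that README and CHANGES use, and `OPENSSL_VERSION_NUMBER` is unchanged, so only the date distinguishes a build carrying the CVE-2024-13176 fix when auditing installed versions. Consider `"OpenSSL 1.1.1zb_p2 20 Jan 2025"` if no consumer parses that string strictly.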