Diffstat (limited to 'system/openssl/zb2.patch')
-rw-r--r-- | system/openssl/zb2.patch | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/system/openssl/zb2.patch b/system/openssl/zb2.patch
new file mode 100644
index 000000000..f6405e003
--- /dev/null
+++ b/system/openssl/zb2.patch
@@ -0,0 +1,177 @@
+From 2a3058269d854754b66ef8bdaefb7820bd8c0908 Mon Sep 17 00:00:00 2001
+From: Ken Zalewski <ken.zalewski@gmail.com>
+Date: Sun, 9 Feb 2025 11:47:12 -0500
+Subject: [PATCH] Patch to openssl-1.1.1zb p2. This version addresses one
+ vulnerability: CVE-2024-13176
+
+---
+ CHANGES | 25 +++++++++++++++++++++++++
+ NEWS | 5 +++++
+ README | 2 +-
+ crypto/bn/bn_exp.c | 21 +++++++++++++++------
+ crypto/ec/ec_lib.c | 6 +++---
+ include/crypto/bn.h | 3 +++
+ include/openssl/opensslv.h | 2 +-
+ 7 files changed, 53 insertions(+), 11 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 7d82f7a..66ae239 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -7,6 +7,31 @@
+ https://github.com/openssl/openssl/commits/ and pick the appropriate
+ release branch.
+
++ Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025]
++
++ *) Fix timing side-channel in ECDSA signature computation
++
++ There is a timing signal of around 300 nanoseconds when the top word of
++ the inverted ECDSA nonce value is zero. This can happen with significant
++ probability only for some of the supported elliptic curves. In particular
++ the NIST P-521 curve is affected. To be able to measure this leak, the
++ attacker process must either be located in the same physical computer or
++ must have a very fast network connection with low latency.
++
++ Attacks on ECDSA nonce are also known as Minerva attack.
++
++ [CVE-2024-13176]
++ [Tomas Mraz]
++
++
++ Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024]
++
++ *) Fix the version number for versions that require two letters.
++
++ [V Petrischew]
++ [Ken Zalewski]
++
++
+ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
+
+ *) Harden BN_GF2m_poly2arr against misuse
+diff --git a/NEWS b/NEWS
+index 7810ece..ab46ab1 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,11 @@
+ This file gives a brief overview of the major changes between each OpenSSL
+ release. For more details please read the CHANGES file.
+
++ Major changes between OpenSSL 1.1.1zb and OpenSSL 1.1.1zb_p2 [20 Jan 2025]
++
++ o Fix version number for versions that require two letters
++ o Fix timing side-channel in ECDSA signature computation
++
+ Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
+
+ o Harden BN_GF2m_poly2arr against misuse
+diff --git a/README b/README
+index 6612eb0..a02895e 100644
+--- a/README
++++ b/README
+@@ -1,5 +1,5 @@
+
+- OpenSSL 1.1.1zb 16 Oct 2024
++ OpenSSL 1.1.1zb_p2 20 Jan 2025
+
+ Copyright (c) 1998-2023 The OpenSSL Project
+ Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
+diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
+index 517e3c2..0489658 100644
+--- a/crypto/bn/bn_exp.c
++++ b/crypto/bn/bn_exp.c
+@@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+ * out by Colin Percival,
+ * http://www.daemonology.net/hyperthreading-considered-harmful/)
+ */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx,
+ BN_MONT_CTX *in_mont)
+ {
+@@ -618,10 +618,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ unsigned int t4 = 0;
+ #endif
+
+- bn_check_top(a);
+- bn_check_top(p);
+- bn_check_top(m);
+-
+ if (!BN_is_odd(m)) {
+ BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS);
+ return 0;
+@@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ goto err;
+ } else
+ #endif
+- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
++ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+ goto err;
+ ret = 1;
+ err:
+@@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+ return ret;
+ }
+
++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont)
++{
++ bn_check_top(a);
++ bn_check_top(p);
++ bn_check_top(m);
++ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
++ return 0;
++ bn_correct_top(rr);
++ return 1;
++}
++
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index 08db89f..fef0c2f 100644
+--- a/crypto/ec/ec_lib.c
++++ b/crypto/ec/ec_lib.c
+@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+ if (!BN_sub(e, group->order, e))
+ goto err;
+ /*-
+- * Exponent e is public.
+- * No need for scatter-gather or BN_FLG_CONSTTIME.
++ * Although the exponent is public we want the result to be
++ * fixed top.
+ */
+- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
++ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+ goto err;
+
+ ret = 1;
+diff --git a/include/crypto/bn.h b/include/crypto/bn.h
+index 250914c..10cfc84 100644
+--- a/include/crypto/bn.h
++++ b/include/crypto/bn.h
+@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+ */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+ BN_MONT_CTX *mont, BN_CTX *ctx);
++int bn_mode_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
++ const BIGNUM *m, BN_CTX *ctx,
++ BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+ BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
+index ddf42b6..1568415 100644
+--- a/include/openssl/opensslv.h
++++ b/include/openssl/opensslv.h
+@@ -40,7 +40,7 @@ extern "C" {
+ * major minor fix final patch/beta)
+ */
+ # define OPENSSL_VERSION_NUMBER 0x101011bfL
+-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024"
++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1z 20 Jan 2025"
+
+ /*-
+ * The macros below are to be used for shared library (.so, .dll, ...) |
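Review bot: The prototype this patch adds to include/crypto/bn.h is spelled `bn_mode_exp_mont_fixed_top`, but crypto/bn/bn_exp.c defines and crypto/ec/ec_lib.c calls `bn_mod_exp_mont_fixed_top`, so the function the CVE-2024-13176 fix routes through is never declared. Assuming ec_lib.c takes its prototype from this header, the new call in ec_field_inverse_mod_ord compiles only as an implicit declaration, which recent compilers reject by default and which leaves the argument types unchecked against the definition. The header line should read `int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,`. Separately, the opensslv.h section sets OPENSSL_VERSION_TEXT to `"OpenSSL 1.1.1z 20 Jan 2025"` while README is bumped to 1.1.1zb_p2. If dropping the `b_p2` suffix is not deliberate, `openssl version` output and version-based vulnerability scanners will misreport the patch level of a build that carries this fix.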