diff options
Diffstat (limited to 'system/openssl')
| -rw-r--r-- | system/openssl/APKBUILD | 23 | ||||
| -rw-r--r-- | system/openssl/x.patch | 294 | ||||
| -rw-r--r-- | system/openssl/y.patch | 183 | ||||
| -rw-r--r-- | system/openssl/za.patch | 108 | ||||
| -rw-r--r-- | system/openssl/zb.patch | 345 | ||||
| -rw-r--r-- | system/openssl/zb2.patch | 177 |
6 files changed, 1126 insertions, 4 deletions
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD index 9e178ca77..677942d41 100644 --- a/system/openssl/APKBUILD +++ b/system/openssl/APKBUILD @@ -1,6 +1,6 @@ # Maintainer: A. Wilcox <awilfox@adelielinux.org> pkgname=openssl -pkgver=1.1.1v +pkgver=1.1.1z_p2 pkgrel=0 pkgdesc="Toolkit for SSL and TLS" url="https://www.openssl.org/" @@ -11,9 +11,14 @@ checkdepends="perl" makedepends_build="perl" subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto libssl1.1:libssl" -source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz +source="https://www.openssl.org/source/${pkgname}-${pkgver%z_p2}w.tar.gz ppc-auxv.patch ppc64.patch + x.patch + y.patch + za.patch + zb.patch + zb2.patch " # secfixes: @@ -63,6 +68,11 @@ source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz # 1.1.1t-r1: # - CVE-2023-0465 +unpack() { + default_unpack + mv "$pkgname-${pkgver%z_p2}w" "$pkgname-$pkgver" +} + build() { # openssl will prepend crosscompile always core CC et al CC=${CC#${CROSS_COMPILE}} @@ -131,6 +141,11 @@ libssl() { done } -sha512sums="1a67340d99026aa62bf50ff89165d9f77fe4a6690fe30d1751b5021dd3f238391afd581b41724687c322c4e3af1770c44a63766a06e9b8cab6425101153e0c7e openssl-1.1.1v.tar.gz +sha512sums="b4c625fe56a4e690b57b6a011a225ad0cb3af54bd8fb67af77b5eceac55cc7191291d96a660c5b568a08a2fbf62b4612818e7cca1bb95b2b6b4fc649b0552b6d openssl-1.1.1w.tar.gz 7fd3158c6eb3451f10e4bfd78f85c3e7aef84716eb38e00503d5cfc8e414b7bdf02e0671d0299a96a453dd2e38249dcf1281136b27b6df372f3ea08fbf78329b ppc-auxv.patch -e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch" +e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch +8116cc9e1ae192ac85ad3c85619a297748a04cbf80e91b9d72fc9857dcbfc7da449724b7d6782de97fe6367e5374d6cf06b8864355473608147b45f7fb741d8a x.patch +f696bb088cf75a4ad0307f919344b1e3361bb77a42f34c5db557cdba9e2c091ca1fe1f8d66cd4612fa2a7d64a41245bee72ba603789cf20d86b952490284756d y.patch +85f5eb3a5423ced9b01fa20d020cbbfd987e3c82467d9d196ba5f0bc327c8b09e1e39b98a479c8fc1f9a90b3eda82202995d8abe8ff536c4644b73cca630f053 za.patch +060992bff56f9e69f4dc89f3de3a74817cd21b7338e8062a9e9e52a74a08d7b461ead51fb5c7ae9fcc2c717e72e285d42922dd0c37b314b3e5d0e5cf3ae2682f zb.patch +b2c31f588aec1ef641985f08a302f815b3854e5be2291eeb2c9db4b12cf69caaa6c813ec75139e623fe3a48a6f4f02500b9b5b1ac2c83d9d053ef098c220a929 zb2.patch" diff --git a/system/openssl/x.patch b/system/openssl/x.patch new file mode 100644 index 000000000..52e575b08 --- /dev/null +++ b/system/openssl/x.patch @@ -0,0 +1,294 @@ +From 01ca0bbbe65215f6ae72bba7d63ea67fb53c4f9a Mon Sep 17 00:00:00 2001 +From: Ken Zalewski <ken.zalewski@gmail.com> +Date: Sat, 13 Jul 2024 11:00:49 -0400 +Subject: [PATCH] Patch to openssl-1.1.1x. This version addresses two + vulnerabilities: CVE-2023-5678 and CVE-2024-0727 + +--- + crypto/dh/dh_check.c | 13 +++++++++++++ + crypto/dh/dh_err.c | 2 ++ + crypto/dh/dh_key.c | 10 ++++++++++ + crypto/err/openssl.txt | 2 ++ + crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + crypto/pkcs12/p12_mutl.c | 5 +++++ + crypto/pkcs12/p12_npas.c | 5 +++-- + crypto/pkcs12/pk12err.c | 2 ++ + crypto/pkcs7/pk7_mime.c | 9 +++++++-- + include/openssl/dh.h | 6 ++++-- + include/openssl/dherr.h | 2 ++ + include/openssl/opensslv.h | 4 ++-- + include/openssl/pkcs12err.h | 1 + + 13 files changed, 71 insertions(+), 8 deletions(-) + +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index ae1b03b..40dfc57 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -198,6 +198,19 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + BN_CTX *ctx = NULL; + + *ret = 0; ++ ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ DHerr(DH_F_DH_CHECK_PUB_KEY, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_CHECK_P_NOT_PRIME | DH_CHECK_PUBKEY_INVALID; ++ return 0; ++ } ++ ++ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; ++ return 1; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c +index 92800d3..048ba66 100644 +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -21,6 +21,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY, 0), "DH_check_pub_key"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_DECRYPT, 0), "dh_cms_decrypt"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, +@@ -82,6 +83,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), + "unable to check generator"}, +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 117f2fa..9f5e6f6 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -114,6 +114,11 @@ static int generate_key(DH *dh) + return 0; + } + ++ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +@@ -207,6 +212,11 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + goto err; + } + ++ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE); ++ goto err; ++ } ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index c0a3cd7..ec3823e 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -969,6 +969,7 @@ PKCS12_F_PKCS12_SETUP_MAC:122:PKCS12_setup_mac + PKCS12_F_PKCS12_SET_MAC:123:PKCS12_set_mac + PKCS12_F_PKCS12_UNPACK_AUTHSAFES:130:PKCS12_unpack_authsafes + PKCS12_F_PKCS12_UNPACK_P7DATA:131:PKCS12_unpack_p7data ++PKCS12_F_PKCS12_UNPACK_P7ENCDATA:134:PKCS12_unpack_p7encdata + PKCS12_F_PKCS12_VERIFY_MAC:126:PKCS12_verify_mac + PKCS12_F_PKCS8_ENCRYPT:125:PKCS8_encrypt + PKCS12_F_PKCS8_SET0_PBE:132:PKCS8_set0_pbe +@@ -2106,6 +2107,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DH_R_PEER_KEY_ERROR:111:peer key error ++DH_R_Q_TOO_LARGE:130:q too large + DH_R_SHARED_INFO_ERROR:113:shared info error + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator + DSA_R_BAD_Q_VALUE:102:bad q value +diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c +index af184c8..6549691 100644 +--- a/crypto/pkcs12/p12_add.c ++++ b/crypto/pkcs12/p12_add.c +@@ -76,6 +76,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -132,6 +138,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_P7ENCDATA, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -159,6 +171,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) + PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + } +diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c +index 3658003..766c9c1 100644 +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (!p12->mac->iter) +diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c +index 0334289..1303376 100644 +--- a/crypto/pkcs12/p12_npas.c ++++ b/crypto/pkcs12/p12_npas.c +@@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c +index 38ce519..3eb7f2f 100644 +--- a/crypto/pkcs12/pk12err.c ++++ b/crypto/pkcs12/pk12err.c +@@ -58,6 +58,8 @@ static const ERR_STRING_DATA PKCS12_str_functs[] = { + "PKCS12_unpack_authsafes"}, + {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7DATA, 0), + "PKCS12_unpack_p7data"}, ++ {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_UNPACK_P7ENCDATA, 0), ++ "PKCS12_unpack_p7encdata"}, + {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS12_VERIFY_MAC, 0), + "PKCS12_verify_mac"}, + {ERR_PACK(ERR_LIB_PKCS12, PKCS12_F_PKCS8_ENCRYPT, 0), "PKCS8_encrypt"}, +diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c +index 19e6868..635af10 100644 +--- a/crypto/pkcs7/pk7_mime.c ++++ b/crypto/pkcs7/pk7_mime.c +@@ -30,10 +30,15 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) + { + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(p7->type); +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) { ++ return 0; ++ } + mdalgs = p7->d.sign->md_algs; +- else ++ } ++ else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + +diff --git a/include/openssl/dh.h b/include/openssl/dh.h +index 6c6ff36..d2a9c0d 100644 +--- a/include/openssl/dh.h ++++ b/include/openssl/dh.h +@@ -71,14 +71,16 @@ DECLARE_ASN1_ITEM(DHparams) + /* #define DH_GENERATOR_3 3 */ + # define DH_GENERATOR_5 5 + +-/* DH_check error codes */ ++/* DH_check error codes, some of them shared with DH_check_pub_key */ + # define DH_CHECK_P_NOT_PRIME 0x01 + # define DH_CHECK_P_NOT_SAFE_PRIME 0x02 + # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 + # define DH_NOT_SUITABLE_GENERATOR 0x08 + # define DH_CHECK_Q_NOT_PRIME 0x10 +-# define DH_CHECK_INVALID_Q_VALUE 0x20 ++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ + # define DH_CHECK_INVALID_J_VALUE 0x40 ++# define DH_MODULUS_TOO_SMALL 0x80 ++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ + + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 +diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h +index 528c819..a98bb1e 100644 +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -33,6 +33,7 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CHECK 126 + # define DH_F_DH_CHECK_EX 121 + # define DH_F_DH_CHECK_PARAMS_EX 122 ++# define DH_F_DH_CHECK_PUB_KEY 127 + # define DH_F_DH_CHECK_PUB_KEY_EX 123 + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 +@@ -82,6 +83,7 @@ int ERR_load_DH_strings(void); + # define DH_R_NO_PRIVATE_VALUE 100 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 ++# define DH_R_Q_TOO_LARGE 130 + # define DH_R_SHARED_INFO_ERROR 113 + # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 + +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index 5667d47..c16eafd 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -39,8 +39,8 @@ extern "C" { + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x1010117fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1w 11 Sep 2023" ++# define OPENSSL_VERSION_NUMBER 0x1010118fL ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1x 25 Jan 2024" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) +diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h +index eff5eb2..0d2f15a 100644 +--- a/include/openssl/pkcs12err.h ++++ b/include/openssl/pkcs12err.h +@@ -49,6 +49,7 @@ int ERR_load_PKCS12_strings(void); + # define PKCS12_F_PKCS12_SET_MAC 123 + # define PKCS12_F_PKCS12_UNPACK_AUTHSAFES 130 + # define PKCS12_F_PKCS12_UNPACK_P7DATA 131 ++# define PKCS12_F_PKCS12_UNPACK_P7ENCDATA 134 + # define PKCS12_F_PKCS12_VERIFY_MAC 126 + # define PKCS12_F_PKCS8_ENCRYPT 125 + # define PKCS12_F_PKCS8_SET0_PBE 132 diff --git a/system/openssl/y.patch b/system/openssl/y.patch new file mode 100644 index 000000000..3c8c4ace5 --- /dev/null +++ b/system/openssl/y.patch @@ -0,0 +1,183 @@ +From 4e975e3aec06165e760953f6c51a795f3dcfd1a0 Mon Sep 17 00:00:00 2001 +From: Ken Zalewski <ken.zalewski@gmail.com> +Date: Sat, 13 Jul 2024 12:02:52 -0400 +Subject: [PATCH] Patch to openssl-1.1.1y. This version addresses two + vulnerabilities: CVE-2024-2511 and CVE-2024-4741 + +--- + include/openssl/opensslv.h | 4 ++-- + include/openssl/ssl.h | 2 +- + ssl/record/rec_layer_s3.c | 9 +++++++++ + ssl/record/record.h | 1 + + ssl/ssl_lib.c | 8 ++++++-- + ssl/ssl_local.h | 2 +- + ssl/ssl_sess.c | 28 ++++++++++++++++++++++------ + ssl/statem/statem_srvr.c | 5 ++--- + 8 files changed, 44 insertions(+), 15 deletions(-) + +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index c16eafd..585109a 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -39,8 +39,8 @@ extern "C" { + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x1010118fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1x 25 Jan 2024" ++# define OPENSSL_VERSION_NUMBER 0x1010119fL ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) +diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h +index 9af0c89..64eaca3 100644 +--- a/include/openssl/ssl.h ++++ b/include/openssl/ssl.h +@@ -1659,7 +1659,7 @@ __owur int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, + __owur int SSL_SESSION_is_resumable(const SSL_SESSION *s); + + __owur SSL_SESSION *SSL_SESSION_new(void); +-__owur SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src); ++__owur SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src); + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, + unsigned int *len); + const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *s, +diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c +index 1db1712..525c3ab 100644 +--- a/ssl/record/rec_layer_s3.c ++++ b/ssl/record/rec_layer_s3.c +@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl) + return SSL3_BUFFER_get_left(&rl->rbuf) != 0; + } + ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl) ++{ ++ if (rl->rstate == SSL_ST_READ_BODY) ++ return 1; ++ if (RECORD_LAYER_processed_read_pending(rl)) ++ return 1; ++ return 0; ++} ++ + /* Checks if we have decrypted unread record data pending */ + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl) + { +diff --git a/ssl/record/record.h b/ssl/record/record.h +index af56206..513ab39 100644 +--- a/ssl/record/record.h ++++ b/ssl/record/record.h +@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *rl); + int RECORD_LAYER_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl); + int RECORD_LAYER_write_pending(const RECORD_LAYER *rl); ++int RECORD_LAYER_data_present(const RECORD_LAYER *rl); + void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl); + void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl); + int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 47adc32..356d65c 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode) + + /* + * If the session_id_length is 0, we are not supposed to cache it, and it +- * would be rather hard to do anyway :-) ++ * would be rather hard to do anyway :-). Also if the session has already ++ * been marked as not_resumable we should not cache it for later reuse. + */ +- if (s->session->session_id_length == 0) ++ if (s->session->session_id_length == 0 || s->session->not_resumable) + return; + + /* +@@ -5247,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl) + if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl)) + return 0; + ++ if (RECORD_LAYER_data_present(rl)) ++ return 0; ++ + RECORD_LAYER_release(rl); + return 1; + } +diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h +index 5c79215..5e73fa4 100644 +--- a/ssl/ssl_local.h ++++ b/ssl/ssl_local.h +@@ -2261,7 +2261,7 @@ __owur int ssl_get_new_session(SSL *s, int session); + __owur SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, + size_t sess_id_len); + __owur int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello); +-__owur SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket); ++__owur SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket); + __owur int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); + DECLARE_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id); + __owur int ssl_cipher_ptr_id_cmp(const SSL_CIPHER *const *ap, +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index 68d1737..2b27a47 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void) + return ss; + } + +-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src) +-{ +- return ssl_session_dup(src, 1); +-} +- + /* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) ++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket) + return NULL; + } + ++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) ++{ ++ return ssl_session_dup_intern(src, 1); ++} ++ ++/* ++ * Used internally when duplicating a session which might be already shared. ++ * We will have resumed the original session. Subsequently we might have marked ++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to ++ * resume from. ++ */ ++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++{ ++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); ++ ++ if (sess != NULL) ++ sess->not_resumable = 0; ++ ++ return sess; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) +diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c +index 43f77a5..2f6ce8f 100644 +--- a/ssl/statem/statem_srvr.c ++++ b/ssl/statem/statem_srvr.c +@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) + * so the following won't overwrite an ID that we're supposed + * to send back. + */ +- if (s->session->not_resumable || +- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) +- && !s->hit)) ++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) ++ && !s->hit) + s->session->session_id_length = 0; + + if (usetls13) { diff --git a/system/openssl/za.patch b/system/openssl/za.patch new file mode 100644 index 000000000..90a30beb1 --- /dev/null +++ b/system/openssl/za.patch @@ -0,0 +1,108 @@ +From 72f5c8e48a09ab09dae91c869e53e3d0c75ef921 Mon Sep 17 00:00:00 2001 +From: Ken Zalewski <ken.zalewski@gmail.com> +Date: Sat, 13 Jul 2024 12:19:50 -0400 +Subject: [PATCH] Patch to openssl-1.1.1za. This version addresses one + vulnerability: CVE-2024-5535 + +--- + include/openssl/opensslv.h | 4 +-- + ssl/ssl_lib.c | 63 ++++++++++++++++++++++++-------------- + 2 files changed, 42 insertions(+), 25 deletions(-) + +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index 585109a..a1a5d07 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -39,8 +39,8 @@ extern "C" { + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x1010119fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024" ++# define OPENSSL_VERSION_NUMBER 0x101011afL ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 356d65c..ccb1d4a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG diff --git a/system/openssl/zb.patch b/system/openssl/zb.patch new file mode 100644 index 000000000..97a6239b9 --- /dev/null +++ b/system/openssl/zb.patch @@ -0,0 +1,345 @@ +From 9ad69b994ae7c73ba06d9f75efd2625102de814c Mon Sep 17 00:00:00 2001 +From: Ken Zalewski <ken.zalewski@gmail.com> +Date: Mon, 21 Oct 2024 16:24:47 -0400 +Subject: [PATCH] Patch to openssl-1.1.1zb. This version addresses one + vulnerability: CVE-2024-9143 + +--- + CHANGES | 134 +++++++++++++++++++++++++++++++++++++ + NEWS | 18 +++++ + README | 2 +- + crypto/bn/bn_gf2m.c | 28 +++++--- + include/openssl/opensslv.h | 4 +- + test/ec_internal_test.c | 51 ++++++++++++++ + 6 files changed, 226 insertions(+), 11 deletions(-) + +diff --git a/CHANGES b/CHANGES +index c440948..7d82f7a 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -7,6 +7,140 @@ + https://github.com/openssl/openssl/commits/ and pick the appropriate + release branch. + ++ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024] ++ ++ *) Harden BN_GF2m_poly2arr against misuse ++ ++ The BN_GF2m_poly2arr() function converts characteristic-2 field ++ (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask, ++ to a compact array with just the exponents of the non-zero terms. ++ ++ These polynomials are then used in BN_GF2m_mod_arr() to perform modular ++ reduction. A precondition of calling BN_GF2m_mod_arr() is that the ++ polynomial must have a non-zero constant term (i.e. the array has `0` as ++ its final element). ++ ++ Internally, callers of BN_GF2m_poly2arr() did not verify that ++ precondition, and binary EC curve parameters with an invalid polynomial ++ could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr(). ++ ++ The precondition is always true for polynomials that arise from the ++ standard form of EC parameters for characteristic-two fields (X9.62). ++ See the "Finite Field Identification" section of: ++ ++ https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html ++ ++ The OpenSSL GF(2^m) code supports only the trinomial and pentanomial ++ basis X9.62 forms. ++ ++ This commit updates BN_GF2m_poly2arr() to return `0` (failure) when ++ the constant term is zero (i.e. the input bitmask BIGNUM is not odd). ++ ++ Additionally, the return value is made unambiguous when there is not ++ enough space to also pad the array with a final `-1` sentinel value. ++ The return value is now always the number of elements (including the ++ final `-1`) that would be filled when the output array is sufficiently ++ large. Previously the same count was returned both when the array has ++ just enough room for the final `-1` and when it had only enough space ++ for non-sentinel values. ++ ++ Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose ++ degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against ++ CPU exhausition attacks via excessively large inputs. ++ ++ The above issues do not arise in processing X.509 certificates. These ++ generally have EC keys from "named curves", and RFC5840 (Section 2.1.1) ++ disallows explicit EC parameters. The TLS code in OpenSSL enforces this ++ constraint only after the certificate is decoded, but, even if explicit ++ parameters are specified, they are in X9.62 form, which cannot represent ++ problem values as noted above. ++ ++ (CVE-2024-9143) ++ [Viktor Dukhovni] ++ ++ ++ Changes between 1.1.1y and 1.1.1za [26 Jun 2024] ++ ++ *) Fix SSL_select_next_proto ++ ++ Ensure that the provided client list is non-NULL and starts with a valid ++ entry. When called from the ALPN callback the client list should already ++ have been validated by OpenSSL so this should not cause a problem. When ++ called from the NPN callback the client list is locally configured and ++ will not have already been validated. Therefore SSL_select_next_proto ++ should not assume that it is correctly formatted. ++ ++ We implement stricter checking of the client protocol list. We also do the ++ same for the server list while we are about it. ++ ++ (CVE-2024-5535) ++ [Matt Caswell] ++ ++ ++ Changes between 1.1.1x and 1.1.1y [27 May 2024] ++ ++ *) Only free the read buffers if we're not using them ++ ++ If we're part way through processing a record, or the application has ++ not released all the records then we should not free our buffer because ++ they are still needed. ++ ++ (CVE-2024-4741) ++ [Matt Caswell] ++ [Watson Ladd] ++ ++ *) Fix unconstrained session cache growth in TLSv1.3 ++ ++ In TLSv1.3 we create a new session object for each ticket that we send. ++ We do this by duplicating the original session. If SSL_OP_NO_TICKET is in ++ use then the new session will be added to the session cache. However, if ++ early data is not in use (and therefore anti-replay protection is being ++ used), then multiple threads could be resuming from the same session ++ simultaneously. If this happens and a problem occurs on one of the threads, ++ then the original session object could be marked as not_resumable. When we ++ duplicate the session object this not_resumable status gets copied into the ++ new session object. The new session object is then added to the session ++ cache even though it is not_resumable. ++ ++ Subsequently, another bug means that the session_id_length is set to 0 for ++ sessions that are marked as not_resumable - even though that session is ++ still in the cache. Once this happens the session can never be removed from ++ the cache. When that object gets to be the session cache tail object the ++ cache never shrinks again and grows indefinitely. ++ ++ (CVE-2024-2511) ++ [Matt Caswell] ++ ++ ++ Changes between 1.1.1w and 1.1.1x [25 Jan 2024] ++ ++ *) Add NULL checks where ContentInfo data can be NULL ++ ++ PKCS12 structures contain PKCS7 ContentInfo fields. These fields are ++ optional and can be NULL even if the "type" is a valid value. OpenSSL ++ was not properly accounting for this and a NULL dereference can occur ++ causing a crash. ++ ++ (CVE-2024-0727) ++ [Matt Caswell] ++ ++ *) Make DH_check_pub_key() and DH_generate_key() safer yet ++ ++ We already check for an excessively large P in DH_generate_key(), but not in ++ DH_check_pub_key(), and none of them check for an excessively large Q. ++ ++ This change adds all the missing excessive size checks of P and Q. ++ ++ It's to be noted that behaviours surrounding excessively sized P and Q ++ differ. DH_check() raises an error on the excessively sized P, but only ++ sets a flag for the excessively sized Q. This behaviour is mimicked in ++ DH_check_pub_key(). ++ ++ (CVE-2024-5678) ++ [Richard Levitte] ++ [Hugo Landau] ++ ++ + Changes between 1.1.1v and 1.1.1w [11 Sep 2023] + + *) Fix POLY1305 MAC implementation corrupting XMM registers on Windows. +diff --git a/NEWS b/NEWS +index 1b849cd..7810ece 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,6 +5,24 @@ + This file gives a brief overview of the major changes between each OpenSSL + release. For more details please read the CHANGES file. + ++ Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024] ++ ++ o Harden BN_GF2m_poly2arr against misuse ++ ++ Major changes between OpenSSL 1.1.1y and OpenSSL 1.1.1za [26 Jun 2024] ++ ++ o Fix SSL_select_next_proto ++ ++ Major changes between OpenSSL 1.1.1x and OpenSSL 1.1.1y [27 May 2024] ++ ++ o Only free the read buffers if we're not using them ++ o Fix unconstrained session cache growth in TLSv1.3 ++ ++ Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [25 Jan 2024] ++ ++ o Add NULL checks where ContentInfo data can be NULL ++ o Make DH_check_pub_key() and DH_generate_key() safer yet ++ + Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023] + + o Fix POLY1305 MAC implementation corrupting XMM registers on Windows +diff --git a/README b/README +index e924e15..6612eb0 100644 +--- a/README ++++ b/README +@@ -1,5 +1,5 @@ + +- OpenSSL 1.1.1w 11 Sep 2023 ++ OpenSSL 1.1.1zb 16 Oct 2024 + + Copyright (c) 1998-2023 The OpenSSL Project + Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson +diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c +index a2ea867..6709471 100644 +--- a/crypto/bn/bn_gf2m.c ++++ b/crypto/bn/bn_gf2m.c +@@ -15,6 +15,7 @@ + #include "bn_local.h" + + #ifndef OPENSSL_NO_EC2M ++#include <openssl/ec.h> + + /* + * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should +@@ -1109,16 +1110,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + /* + * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * + * x^i) into an array of integers corresponding to the bits with non-zero +- * coefficient. Array is terminated with -1. Up to max elements of the array +- * will be filled. Return value is total number of array elements that would +- * be filled if array was large enough. ++ * coefficient. The array is intended to be suitable for use with ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be ++ * zero. This translates to a requirement that the input BIGNUM `a` is odd. ++ * ++ * Given sufficient room, the array is terminated with -1. Up to max elements ++ * of the array will be filled. ++ * ++ * The return value is total number of array elements that would be filled if ++ * array was large enough, including the terminating `-1`. It is `0` when `a` ++ * is not odd or the constant term is zero contrary to requirement. ++ * ++ * The return value is also `0` when the leading exponent exceeds ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, + */ + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + { + int i, j, k = 0; + BN_ULONG mask; + +- if (BN_is_zero(a)) ++ if (!BN_is_odd(a)) + return 0; + + for (i = a->top - 1; i >= 0; i--) { +@@ -1136,12 +1147,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + } + } + +- if (k < max) { ++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) ++ return 0; ++ ++ if (k < max) + p[k] = -1; +- k++; +- } + +- return k; ++ return k + 1; + } + + /* +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index a1a5d07..ddf42b6 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -39,8 +39,8 @@ extern "C" { + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x101011afL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024" ++# define OPENSSL_VERSION_NUMBER 0x101011bfL ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) +diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c +index 390f41f..1590a18 100644 +--- a/test/ec_internal_test.c ++++ b/test/ec_internal_test.c +@@ -150,6 +150,56 @@ static int field_tests_ecp_mont(void) + } + + #ifndef OPENSSL_NO_EC2M ++/* Test that decoding of invalid GF2m field parameters fails. */ ++static int ec2m_field_sanity(void) ++{ ++ int ret = 0; ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *p, *a, *b; ++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; ++ ++ TEST_info("Testing GF2m hardening\n"); ++ ++ BN_CTX_start(ctx); ++ p = BN_CTX_get(ctx); ++ a = BN_CTX_get(ctx); ++ if (!TEST_ptr(b = BN_CTX_get(ctx)) ++ || !TEST_true(BN_one(a)) ++ || !TEST_true(BN_one(b))) ++ goto out; ++ ++ /* Even pentanomial value should be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf2))) ++ goto out; ++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Zero constant term accepted in GF2m polynomial"); ++ ++ /* Odd hexanomial should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf3))) ++ goto out; ++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Hexanomial accepted as GF2m polynomial"); ++ ++ /* Excessive polynomial degree should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0x71)) ++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) ++ goto out; ++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("GF2m polynomial degree > %d accepted", ++ OPENSSL_ECC_MAX_FIELD_BITS); ++ ++ ret = group1 == NULL && group2 == NULL && group3 == NULL; ++ ++ out: ++ EC_GROUP_free(group1); ++ EC_GROUP_free(group2); ++ EC_GROUP_free(group3); ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ ++ return ret; ++} ++ + /* test EC_GF2m_simple_method directly */ + static int field_tests_ec2_simple(void) + { +@@ -367,6 +417,7 @@ int setup_tests(void) + ADD_TEST(field_tests_ecp_simple); + ADD_TEST(field_tests_ecp_mont); + #ifndef OPENSSL_NO_EC2M ++ ADD_TEST(ec2m_field_sanity); + ADD_TEST(field_tests_ec2_simple); + #endif + ADD_ALL_TESTS(field_tests_default, crv_len); diff --git a/system/openssl/zb2.patch b/system/openssl/zb2.patch new file mode 100644 index 000000000..f6405e003 --- /dev/null +++ b/system/openssl/zb2.patch @@ -0,0 +1,177 @@ +From 2a3058269d854754b66ef8bdaefb7820bd8c0908 Mon Sep 17 00:00:00 2001 +From: Ken Zalewski <ken.zalewski@gmail.com> +Date: Sun, 9 Feb 2025 11:47:12 -0500 +Subject: [PATCH] Patch to openssl-1.1.1zb p2. This version addresses one + vulnerability: CVE-2024-13176 + +--- + CHANGES | 25 +++++++++++++++++++++++++ + NEWS | 5 +++++ + README | 2 +- + crypto/bn/bn_exp.c | 21 +++++++++++++++------ + crypto/ec/ec_lib.c | 6 +++--- + include/crypto/bn.h | 3 +++ + include/openssl/opensslv.h | 2 +- + 7 files changed, 53 insertions(+), 11 deletions(-) + +diff --git a/CHANGES b/CHANGES +index 7d82f7a..66ae239 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -7,6 +7,31 @@ + https://github.com/openssl/openssl/commits/ and pick the appropriate + release branch. + ++ Changes between 1.1.1zb_p1 and 1.1.1zb_p2 [20 Jan 2025] ++ ++ *) Fix timing side-channel in ECDSA signature computation ++ ++ There is a timing signal of around 300 nanoseconds when the top word of ++ the inverted ECDSA nonce value is zero. This can happen with significant ++ probability only for some of the supported elliptic curves. In particular ++ the NIST P-521 curve is affected. To be able to measure this leak, the ++ attacker process must either be located in the same physical computer or ++ must have a very fast network connection with low latency. ++ ++ Attacks on ECDSA nonce are also known as Minerva attack. ++ ++ [CVE-2024-13176] ++ [Tomas Mraz] ++ ++ ++ Changes between 1.1.1zb and 1.1.1zb_p1 [24 Oct 2024] ++ ++ *) Fix the version number for versions that require two letters. ++ ++ [V Petrischew] ++ [Ken Zalewski] ++ ++ + Changes between 1.1.1za and 1.1.1zb [16 Oct 2024] + + *) Harden BN_GF2m_poly2arr against misuse +diff --git a/NEWS b/NEWS +index 7810ece..ab46ab1 100644 +--- a/NEWS ++++ b/NEWS +@@ -5,6 +5,11 @@ + This file gives a brief overview of the major changes between each OpenSSL + release. For more details please read the CHANGES file. + ++ Major changes between OpenSSL 1.1.1zb and OpenSSL 1.1.1zb_p2 [20 Jan 2025] ++ ++ o Fix version number for versions that require two letters ++ o Fix timing side-channel in ECDSA signature computation ++ + Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024] + + o Harden BN_GF2m_poly2arr against misuse +diff --git a/README b/README +index 6612eb0..a02895e 100644 +--- a/README ++++ b/README +@@ -1,5 +1,5 @@ + +- OpenSSL 1.1.1zb 16 Oct 2024 ++ OpenSSL 1.1.1zb_p2 20 Jan 2025 + + Copyright (c) 1998-2023 The OpenSSL Project + Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson +diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c +index 517e3c2..0489658 100644 +--- a/crypto/bn/bn_exp.c ++++ b/crypto/bn/bn_exp.c +@@ -601,7 +601,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, + * out by Colin Percival, + * http://www.daemonology.net/hyperthreading-considered-harmful/) + */ +-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont) + { +@@ -618,10 +618,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + unsigned int t4 = 0; + #endif + +- bn_check_top(a); +- bn_check_top(p); +- bn_check_top(m); +- + if (!BN_is_odd(m)) { + BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME, BN_R_CALLED_WITH_EVEN_MODULUS); + return 0; +@@ -1141,7 +1137,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + goto err; + } else + #endif +- if (!BN_from_montgomery(rr, &tmp, mont, ctx)) ++ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx)) + goto err; + ret = 1; + err: +@@ -1155,6 +1151,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, + return ret; + } + ++int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, ++ BN_MONT_CTX *in_mont) ++{ ++ bn_check_top(a); ++ bn_check_top(p); ++ bn_check_top(m); ++ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont)) ++ return 0; ++ bn_correct_top(rr); ++ return 1; ++} ++ + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) + { +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index 08db89f..fef0c2f 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1155,10 +1155,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r, + if (!BN_sub(e, group->order, e)) + goto err; + /*- +- * Exponent e is public. +- * No need for scatter-gather or BN_FLG_CONSTTIME. ++ * Although the exponent is public we want the result to be ++ * fixed top. + */ +- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data)) ++ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data)) + goto err; + + ret = 1; +diff --git a/include/crypto/bn.h b/include/crypto/bn.h +index 250914c..10cfc84 100644 +--- a/include/crypto/bn.h ++++ b/include/crypto/bn.h +@@ -72,6 +72,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words); + */ + int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mont, BN_CTX *ctx); ++int bn_mode_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, ++ const BIGNUM *m, BN_CTX *ctx, ++ BN_MONT_CTX *in_mont); + int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, + BN_CTX *ctx); + int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index ddf42b6..1568415 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -40,7 +40,7 @@ extern "C" { + * major minor fix final patch/beta) + */ + # define OPENSSL_VERSION_NUMBER 0x101011bfL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024" ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1z 20 Jan 2025" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) |