commit: 22235f92b4d8cd565c29264b7955ed1f5ea4ac48 Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Tue Oct 29 02:08:41 2024 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Tue Oct 29 02:09:24 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22235f92
dev-libs/openssl: fix CVE-2024-9143 for 3.3.2-r1 Bug: https://bugs.gentoo.org/941643 Signed-off-by: Sam James <sam <AT> gentoo.org> .../files/openssl-3.3.2-CVE-2024-9143.patch | 193 +++++++++++++ dev-libs/openssl/openssl-3.3.2-r1.ebuild | 304 +++++++++++++++++++++ 2 files changed, 497 insertions(+) diff --git a/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch new file mode 100644 index 000000000000..5776c78bfbbf --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch @@ -0,0 +1,193 @@ +https://bugs.gentoo.org/941643 +https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4 + +From c0d3e4d32d2805f49bec30547f225bc4d092e1f4 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni <[email protected]> +Date: Thu, 19 Sep 2024 01:02:40 +1000 +Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse. + +The BN_GF2m_poly2arr() function converts characteristic-2 field +(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask, +to a compact array with just the exponents of the non-zero terms. + +These polynomials are then used in BN_GF2m_mod_arr() to perform modular +reduction. A precondition of calling BN_GF2m_mod_arr() is that the +polynomial must have a non-zero constant term (i.e. the array has `0` as +its final element). + +Internally, callers of BN_GF2m_poly2arr() did not verify that +precondition, and binary EC curve parameters with an invalid polynomial +could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr(). + +The precondition is always true for polynomials that arise from the +standard form of EC parameters for characteristic-two fields (X9.62). +See the "Finite Field Identification" section of: + + https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html + +The OpenSSL GF(2^m) code supports only the trinomial and pentanomial +basis X9.62 forms. + +This commit updates BN_GF2m_poly2arr() to return `0` (failure) when +the constant term is zero (i.e. the input bitmask BIGNUM is not odd). + +Additionally, the return value is made unambiguous when there is not +enough space to also pad the array with a final `-1` sentinel value. +The return value is now always the number of elements (including the +final `-1`) that would be filled when the output array is sufficiently +large. Previously the same count was returned both when the array has +just enough room for the final `-1` and when it had only enough space +for non-sentinel values. + +Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose +degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against +CPU exhausition attacks via excessively large inputs. + +The above issues do not arise in processing X.509 certificates. These +generally have EC keys from "named curves", and RFC5840 (Section 2.1.1) +disallows explicit EC parameters. The TLS code in OpenSSL enforces this +constraint only after the certificate is decoded, but, even if explicit +parameters are specified, they are in X9.62 form, which cannot represent +problem values as noted above. + +Initially reported as oss-fuzz issue 71623. + +A closely related issue was earlier reported in +<https://github.com/openssl/openssl/issues/19826>. + +Severity: Low, CVE-2024-9143 + +Reviewed-by: Matt Caswell <[email protected]> +Reviewed-by: Bernd Edlinger <[email protected]> +Reviewed-by: Paul Dale <[email protected]> +Reviewed-by: Tomas Mraz <[email protected]> +(Merged from https://github.com/openssl/openssl/pull/25639) + +(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2) +--- a/crypto/bn/bn_gf2m.c ++++ b/crypto/bn/bn_gf2m.c +@@ -15,6 +15,7 @@ + #include "bn_local.h" + + #ifndef OPENSSL_NO_EC2M ++# include <openssl/ec.h> + + /* + * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should +@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + /* + * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * + * x^i) into an array of integers corresponding to the bits with non-zero +- * coefficient. Array is terminated with -1. Up to max elements of the array +- * will be filled. Return value is total number of array elements that would +- * be filled if array was large enough. ++ * coefficient. The array is intended to be suitable for use with ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be ++ * zero. This translates to a requirement that the input BIGNUM `a` is odd. ++ * ++ * Given sufficient room, the array is terminated with -1. Up to max elements ++ * of the array will be filled. ++ * ++ * The return value is total number of array elements that would be filled if ++ * array was large enough, including the terminating `-1`. It is `0` when `a` ++ * is not odd or the constant term is zero contrary to requirement. ++ * ++ * The return value is also `0` when the leading exponent exceeds ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, + */ + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + { + int i, j, k = 0; + BN_ULONG mask; + +- if (BN_is_zero(a)) ++ if (!BN_is_odd(a)) + return 0; + + for (i = a->top - 1; i >= 0; i--) { +@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + } + } + +- if (k < max) { ++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) ++ return 0; ++ ++ if (k < max) + p[k] = -1; +- k++; +- } + +- return k; ++ return k + 1; + } + + /* +--- a/test/ec_internal_test.c ++++ b/test/ec_internal_test.c +@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void) + } + + #ifndef OPENSSL_NO_EC2M ++/* Test that decoding of invalid GF2m field parameters fails. */ ++static int ec2m_field_sanity(void) ++{ ++ int ret = 0; ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *p, *a, *b; ++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; ++ ++ TEST_info("Testing GF2m hardening\n"); ++ ++ BN_CTX_start(ctx); ++ p = BN_CTX_get(ctx); ++ a = BN_CTX_get(ctx); ++ if (!TEST_ptr(b = BN_CTX_get(ctx)) ++ || !TEST_true(BN_one(a)) ++ || !TEST_true(BN_one(b))) ++ goto out; ++ ++ /* Even pentanomial value should be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf2))) ++ goto out; ++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Zero constant term accepted in GF2m polynomial"); ++ ++ /* Odd hexanomial should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf3))) ++ goto out; ++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Hexanomial accepted as GF2m polynomial"); ++ ++ /* Excessive polynomial degree should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0x71)) ++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) ++ goto out; ++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("GF2m polynomial degree > %d accepted", ++ OPENSSL_ECC_MAX_FIELD_BITS); ++ ++ ret = group1 == NULL && group2 == NULL && group3 == NULL; ++ ++ out: ++ EC_GROUP_free(group1); ++ EC_GROUP_free(group2); ++ EC_GROUP_free(group3); ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ ++ return ret; ++} ++ + /* test EC_GF2m_simple_method directly */ + static int field_tests_ec2_simple(void) + { +@@ -443,6 +493,7 @@ int setup_tests(void) + ADD_TEST(field_tests_ecp_simple); + ADD_TEST(field_tests_ecp_mont); + #ifndef OPENSSL_NO_EC2M ++ ADD_TEST(ec2m_field_sanity); + ADD_TEST(field_tests_ec2_simple); + #endif + ADD_ALL_TESTS(field_tests_default, crv_len); + diff --git a/dev-libs/openssl/openssl-3.3.2-r1.ebuild b/dev-libs/openssl/openssl-3.3.2-r1.ebuild new file mode 100644 index 000000000000..8014cc0dea66 --- /dev/null +++ b/dev-libs/openssl/openssl-3.3.2-r1.ebuild @@ -0,0 +1,304 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/"; + +MY_P=${P/_/-} + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git"; + + inherit git-r3 +else + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !<net-misc/openssh-9.2_p1-r3 + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2024-9143.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} + fi + + default +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! + # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw +} + +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. + emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + ebegin "Running openssl fipsinstall" + "${ED}/usr/bin/openssl" fipsinstall -quiet \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" + eend $? + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +}
