From nobody Sat Oct 19 15:20:38 2024 X-Original-To: dev-commits-ports-main@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4XW4yZ2nsQz5bBtB; Sat, 19 Oct 2024 15:20:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R11" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4XW4yZ27HJz4f3j; Sat, 19 Oct 2024 15:20:38 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1729351238; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4AkinrWbTXCFogZBFmO1mgDzctBEOzqdGsA6sIef8uI=; b=SLWMnvImzqYfRBUAKwUtNDEVQD00fj8TWYNM9b9/NYHGAk9Cnsfi6Ui2sXLaUaE4nL55zS kBcCL9FCqrSWKVSwcEqzD95OrDYICqnT5VMdpjY6SFl+29lqksJTBPcrHwC1jyUZp2W58K 2JdLgYKJSbsTNOQvvEfmhvic6OTzuvcl53wZhIFVZ/xQ4eWwvUicazneZHJ7cRhDUBg7wQ 4eig1VSNfPUYItokiQEhJJUo2VtD/Wi+/0O4URNBR2nCTqCc2vxPZUJxzA0KKz1hPQCho1 7AsLrIG1g/rPXS5/kSgrXXXkHAnZ6R4Xe0fyCIxqR4v1nvMQLQx7Q6ETVisaWw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1729351238; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=4AkinrWbTXCFogZBFmO1mgDzctBEOzqdGsA6sIef8uI=; b=a2mglckGVBFhyS5SJhBig7DNDYkwvrbp+tR+zZr6oUl1QuB4p5PbT0r8ObdYUt4Cdd01bj Vg7/7GkgNHhoTwNjIofTGgbFdcc6C55sjhAtul5FlGiyLlp44hH9My1auj5OvoNhs3tqcZ oG4CkWnc2LZZcB2hl6n9Nxealv6W8pq769a/rj+Etxvq9lwN8k2nnsYY8jl04anUPS78Mx eBuvAlMdkImBdKzFFkJ7ei04IEtQL5SfoyXL0FRjbbbtfbsfx2SJOXtefWOYBnFKH0I3qr qqyXsfSe5ym7XUOiRP+BQEcSf1nBQSRmmqlScsYfBqVuTz0XV8k1znusbDJrig== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1729351238; a=rsa-sha256; cv=none; b=K6BeSShVlXiNJQjJVscXXosPmvYYz3tb/jDPhdn2iPcuYrTZlz0wdjFVcYwcpt3TmUjPA3 EFF1uFjuKgKZGPZy9cJ6iLdb27Aif8H0qANMm//2fJQsrC4eNKCmp/mD9YXG+rJvpIDMn8 k/Vy3CIZBZwRs/0yNp0fAF1XdWs90Mx4Wq0sunUEzwMxTEv0zd/Dpyl5C98ADZcimEJtl/ iiuAQh3hjH7zg0+ONMgdA56Ii4XS9tCkHcw9SpBtlYQuzqeEpvDlhI+rqRf38KK4dMmlOF IQEOQMnaJ1Jg9rrKew9TIg+HTVEqLmc1ukKDQxy/qw9/o3inTFGdLKL8kitRXA== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4XW4yZ1dTnzMyV; Sat, 19 Oct 2024 15:20:38 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.18.1/8.18.1) with ESMTP id 49JFKceM035412; Sat, 19 Oct 2024 15:20:38 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.18.1/8.18.1/Submit) id 49JFKclO035409; Sat, 19 Oct 2024 15:20:38 GMT (envelope-from git) Date: Sat, 19 Oct 2024 15:20:38 GMT Message-Id: <202410191520.49JFKclO035409@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Bernard Spil Subject: git: 7156320e1f08 - main - security/openssl31: Security update for CVE-2024-9143 List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-ports-main@freebsd.org Sender: owner-dev-commits-ports-main@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: brnrd X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 7156320e1f0832048fdf6d341d6bcf2a2f955a00 Auto-Submitted: auto-generated The branch main has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=7156320e1f0832048fdf6d341d6bcf2a2f955a00 commit 7156320e1f0832048fdf6d341d6bcf2a2f955a00 Author: Bernard Spil AuthorDate: 2024-10-19 15:13:17 +0000 Commit: Bernard Spil CommitDate: 2024-10-19 15:13:17 +0000 security/openssl31: Security update for CVE-2024-9143 Security: c6f4177c-8e29-11ef-98e7-84a93843eb75 MFH: 2024Q4 --- security/openssl31/Makefile | 3 +- security/openssl31/files/patch-CVE-2024-9143 | 198 +++++++++++++++++++++++++++ 2 files changed, 200 insertions(+), 1 deletion(-) diff --git a/security/openssl31/Makefile b/security/openssl31/Makefile index a3c4b56d3e48..0c27060eafb4 100644 --- a/security/openssl31/Makefile +++ b/security/openssl31/Makefile @@ -1,5 +1,6 @@ PORTNAME= openssl PORTVERSION= 3.1.7 +PORTREVISION= 1 CATEGORIES= security devel PKGNAMESUFFIX= 31 @@ -12,7 +13,7 @@ LICENSE_FILE= ${WRKSRC}/LICENSE.txt #EXPIRATION_DATE= 2025-03-14 -CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl111 openssl3[23] openssl*-quictls +CONFLICTS_INSTALL= boringssl libressl libressl-devel openssl openssl111 openssl3[234] openssl*-quictls HAS_CONFIGURE= yes CONFIGURE_SCRIPT= config diff --git a/security/openssl31/files/patch-CVE-2024-9143 b/security/openssl31/files/patch-CVE-2024-9143 new file mode 100644 index 000000000000..f36b97f194f7 --- /dev/null +++ b/security/openssl31/files/patch-CVE-2024-9143 @@ -0,0 +1,198 @@ +From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 19 Sep 2024 01:02:40 +1000 +Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse. + +The BN_GF2m_poly2arr() function converts characteristic-2 field +(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask, +to a compact array with just the exponents of the non-zero terms. + +These polynomials are then used in BN_GF2m_mod_arr() to perform modular +reduction. A precondition of calling BN_GF2m_mod_arr() is that the +polynomial must have a non-zero constant term (i.e. the array has `0` as +its final element). + +Internally, callers of BN_GF2m_poly2arr() did not verify that +precondition, and binary EC curve parameters with an invalid polynomial +could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr(). + +The precondition is always true for polynomials that arise from the +standard form of EC parameters for characteristic-two fields (X9.62). +See the "Finite Field Identification" section of: + + https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html + +The OpenSSL GF(2^m) code supports only the trinomial and pentanomial +basis X9.62 forms. + +This commit updates BN_GF2m_poly2arr() to return `0` (failure) when +the constant term is zero (i.e. the input bitmask BIGNUM is not odd). + +Additionally, the return value is made unambiguous when there is not +enough space to also pad the array with a final `-1` sentinel value. +The return value is now always the number of elements (including the +final `-1`) that would be filled when the output array is sufficiently +large. Previously the same count was returned both when the array has +just enough room for the final `-1` and when it had only enough space +for non-sentinel values. + +Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose +degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against +CPU exhausition attacks via excessively large inputs. + +The above issues do not arise in processing X.509 certificates. These +generally have EC keys from "named curves", and RFC5840 (Section 2.1.1) +disallows explicit EC parameters. The TLS code in OpenSSL enforces this +constraint only after the certificate is decoded, but, even if explicit +parameters are specified, they are in X9.62 form, which cannot represent +problem values as noted above. + +Initially reported as oss-fuzz issue 71623. + +A closely related issue was earlier reported in +. + +Severity: Low, CVE-2024-9143 + +Reviewed-by: Matt Caswell +Reviewed-by: Bernd Edlinger +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25639) + +(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2) +--- + crypto/bn/bn_gf2m.c | 28 +++++++++++++++------- + test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 71 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c +index c811ae82d6b15..bcc66613cc14d 100644 +--- crypto/bn/bn_gf2m.c.orig ++++ crypto/bn/bn_gf2m.c +@@ -15,6 +15,7 @@ + #include "bn_local.h" + + #ifndef OPENSSL_NO_EC2M ++# include + + /* + * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should +@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + /* + * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * + * x^i) into an array of integers corresponding to the bits with non-zero +- * coefficient. Array is terminated with -1. Up to max elements of the array +- * will be filled. Return value is total number of array elements that would +- * be filled if array was large enough. ++ * coefficient. The array is intended to be suitable for use with ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be ++ * zero. This translates to a requirement that the input BIGNUM `a` is odd. ++ * ++ * Given sufficient room, the array is terminated with -1. Up to max elements ++ * of the array will be filled. ++ * ++ * The return value is total number of array elements that would be filled if ++ * array was large enough, including the terminating `-1`. It is `0` when `a` ++ * is not odd or the constant term is zero contrary to requirement. ++ * ++ * The return value is also `0` when the leading exponent exceeds ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, + */ + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + { + int i, j, k = 0; + BN_ULONG mask; + +- if (BN_is_zero(a)) ++ if (!BN_is_odd(a)) + return 0; + + for (i = a->top - 1; i >= 0; i--) { +@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + } + } + +- if (k < max) { ++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) ++ return 0; ++ ++ if (k < max) + p[k] = -1; +- k++; +- } + +- return k; ++ return k + 1; + } + + /* +diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c +index 8c2cd05631696..02cfd4e9d8858 100644 +--- test/ec_internal_test.c.orig ++++ test/ec_internal_test.c +@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void) + } + + #ifndef OPENSSL_NO_EC2M ++/* Test that decoding of invalid GF2m field parameters fails. */ ++static int ec2m_field_sanity(void) ++{ ++ int ret = 0; ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *p, *a, *b; ++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; ++ ++ TEST_info("Testing GF2m hardening\n"); ++ ++ BN_CTX_start(ctx); ++ p = BN_CTX_get(ctx); ++ a = BN_CTX_get(ctx); ++ if (!TEST_ptr(b = BN_CTX_get(ctx)) ++ || !TEST_true(BN_one(a)) ++ || !TEST_true(BN_one(b))) ++ goto out; ++ ++ /* Even pentanomial value should be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf2))) ++ goto out; ++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Zero constant term accepted in GF2m polynomial"); ++ ++ /* Odd hexanomial should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf3))) ++ goto out; ++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Hexanomial accepted as GF2m polynomial"); ++ ++ /* Excessive polynomial degree should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0x71)) ++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) ++ goto out; ++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("GF2m polynomial degree > %d accepted", ++ OPENSSL_ECC_MAX_FIELD_BITS); ++ ++ ret = group1 == NULL && group2 == NULL && group3 == NULL; ++ ++ out: ++ EC_GROUP_free(group1); ++ EC_GROUP_free(group2); ++ EC_GROUP_free(group3); ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ ++ return ret; ++} ++ + /* test EC_GF2m_simple_method directly */ + static int field_tests_ec2_simple(void) + { +@@ -443,6 +493,7 @@ int setup_tests(void) + ADD_TEST(field_tests_ecp_simple); + ADD_TEST(field_tests_ecp_mont); + #ifndef OPENSSL_NO_EC2M ++ ADD_TEST(ec2m_field_sanity); + ADD_TEST(field_tests_ec2_simple); + #endif + ADD_ALL_TESTS(field_tests_default, crv_len);