Mon Oct 21 21:23:46 UTC 2024

patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
  Apply patch to fix a security issue:
  Harden BN_GF2m_poly2arr against misuse.
  This CVE was fixed by the 1.1.1zb release that is only available to
  subscribers to OpenSSL's premium extended support. The patch was prepared
  by backporting from the OpenSSL-3.0 repo. The reported version number has
  been updated so that vulnerability scanners calm down.
  Thanks to Ken Zalewski for the patch!
  For more information, see:
    https://www.cve.org/CVERecord?id=CVE-2024-9143
  (* Security fix *)
patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz:  Upgraded.
Patrick J Volkerding 2024-10-21 21:23:46 +00:00 committed by Eric Hameleers
parent 72f412a04a
commit af81c69cb8
7 changed files with 414 additions and 31 deletions
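The commit message names the hardened function and the CVE but not the contract that changed. The model below is added here as an illustration; it is not code from OpenSSL or from the Slackware package. It reproduces the BN_GF2m_poly2arr() behaviour before and after this patch using Python ints for BIGNUM bitmasks and lists for the int p[] array, adds a reduction routine shaped like BN_GF2m_mod_arr() to show where the constant term is load-bearing, and models the EC set-curve caller that accepts only trinomials and pentanomials. The value 661 for OPENSSL_ECC_MAX_FIELD_BITS and the caller's `ret - 1 in (3, 5)` test are assumptions about OpenSSL internals not shown on this page; the sect163k1 pentanomial used in the usage note is a constructed sample input. The three rejected inputs are the ones the patch's own test uses.

```python
"""Model of BN_GF2m_poly2arr() before/after the CVE-2024-9143 hardening.

Added illustration, not OpenSSL or Slackware code.  Python ints stand in
for BIGNUM bitmasks, lists for the int p[] array.
"""

OPENSSL_ECC_MAX_FIELD_BITS = 661  # assumed: OpenSSL's ec.h value, not on the page


def _exponents(a):
    """Exponents of the non-zero terms of bitmask a, highest first."""
    return [i for i in range(a.bit_length() - 1, -1, -1) if (a >> i) & 1]


def poly2arr_before(a, max_len):
    """Pre-1.1.1zb contract: only a == 0 is rejected, and the -1 sentinel
    is counted only when it fits, so ret == max_len is ambiguous."""
    if a == 0:
        return 0, []
    exps = _exponents(a)
    p = exps[:max_len]
    k = len(exps)
    if k < max_len:
        p.append(-1)
        k += 1
    return k, p


def poly2arr_after(a, max_len):
    """1.1.1zb contract: a must be odd (constant term present) and its
    degree must not exceed OPENSSL_ECC_MAX_FIELD_BITS; the return value
    is exponents + 1 for the sentinel whether or not it was stored."""
    if a % 2 == 0:                      # !BN_is_odd(a); also rejects 0
        return 0, []
    exps = _exponents(a)
    if exps[0] > OPENSSL_ECC_MAX_FIELD_BITS:
        return 0, []
    p = exps[:max_len]
    if len(exps) < max_len:
        p.append(-1)
    return len(exps) + 1, p


def gf2m_mod_arr(x, p):
    """Reduce x modulo the polynomial with exponent list p, in the shape
    of BN_GF2m_mod_arr(): p[0] is the degree and the walk over the lower
    terms stops only at the constant term's 0 entry.  Without that 0 the
    walk consumes the -1 sentinel and then runs off the array; in C that
    is the out-of-bounds access, here it is an IndexError."""
    deg = p[0]
    while x.bit_length() - 1 >= deg:
        shift = x.bit_length() - 1 - deg
        for e in p:
            if e < 0:
                raise IndexError("sentinel -1 consumed as a term: no 0 entry")
            x ^= 1 << (e + shift)
            if e == 0:
                break
        else:
            raise IndexError("walked past p[]: no 0 entry")
    return x


def ec_group_accepts(poly2arr, a, max_len=6):
    """Model of the EC set-curve caller (assumed shape): ask for up to six
    exponents and accept only a trinomial (ret - 1 == 3) or pentanomial
    (ret - 1 == 5), the two X9.62 forms OpenSSL supports."""
    n, p = poly2arr(a, max_len)
    return (n - 1) in (3, 5), p


def demonstrate():
    """Run the three inputs from the patch's test through both contracts."""
    even = 0xF2                                   # x^7+x^6+x^5+x^4+x, no constant term
    hexa = 0xF3                                   # six terms: not a supported basis
    huge = (1 << (OPENSSL_ECC_MAX_FIELD_BITS + 1)) | 0x71
    results = {}
    for name, a in (("even", even), ("hexanomial", hexa), ("over_degree_cap", huge)):
        results[name] = {
            "before": ec_group_accepts(poly2arr_before, a)[0],
            "after": ec_group_accepts(poly2arr_after, a)[0],
        }
    # What the old acceptance of 0xf2 led to once the array reached reduction.
    _, p_even = poly2arr_before(even, 6)
    try:
        gf2m_mod_arr(1 << 10, p_even)
        results["even"]["reduction_safe"] = True
    except IndexError:
        results["even"]["reduction_safe"] = False
    return results


if __name__ == "__main__":
    for case, outcome in demonstrate().items():
        print(f"{case:16s} {outcome}")
```

Running demonstrate() shows all three inputs accepted by the old contract and rejected by the new one, and the 0xf2 array failing in reduction. The return-value change is visible with a valid pentanomial such as sect163k1 (x^163 + x^7 + x^6 + x^3 + 1) and an array of exactly five slots: the old code returns 5 whether or not a sentinel was stored, the new code returns 6, so a caller's `ret > max` test now detects the truncated array.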


@ -11,9 +11,31 @@
<description>Tracking Slackware development in git.</description>
<language>en-us</language>
<id xmlns="http://www.w3.org/2005/Atom">urn:uuid:c964f45e-6732-11e8-bbe5-107b4450212f</id>
<pubDate>Sun, 20 Oct 2024 23:42:23 GMT</pubDate>
<lastBuildDate>Mon, 21 Oct 2024 11:30:25 GMT</lastBuildDate>
<pubDate>Mon, 21 Oct 2024 21:23:46 GMT</pubDate>
<lastBuildDate>Tue, 22 Oct 2024 11:30:25 GMT</lastBuildDate>
<generator>maintain_current_git.sh v 1.17</generator>
<item>
<title>Mon, 21 Oct 2024 21:23:46 GMT</title>
<pubDate>Mon, 21 Oct 2024 21:23:46 GMT</pubDate>
<link>https://git.slackware.nl/current/tag/?h=20241021212346</link>
<guid isPermaLink="false">20241021212346</guid>
<description>
<![CDATA[<pre>
patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
Apply patch to fix a security issue:
Harden BN_GF2m_poly2arr against misuse.
This CVE was fixed by the 1.1.1zb release that is only available to
subscribers to OpenSSL's premium extended support. The patch was prepared
by backporting from the OpenSSL-3.0 repo. The reported version number has
been updated so that vulnerability scanners calm down.
Thanks to Ken Zalewski for the patch!
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-9143
(* Security fix *)
patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
</pre>]]>
</description>
</item>
<item>
<title>Sun, 20 Oct 2024 23:42:23 GMT</title>
<pubDate>Sun, 20 Oct 2024 23:42:23 GMT</pubDate>


@ -1,3 +1,17 @@
Mon Oct 21 21:23:46 UTC 2024
patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
Apply patch to fix a security issue:
Harden BN_GF2m_poly2arr against misuse.
This CVE was fixed by the 1.1.1zb release that is only available to
subscribers to OpenSSL's premium extended support. The patch was prepared
by backporting from the OpenSSL-3.0 repo. The reported version number has
been updated so that vulnerability scanners calm down.
Thanks to Ken Zalewski for the patch!
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2024-9143
(* Security fix *)
patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz: Upgraded.
+--------------------------+
Sun Oct 20 23:42:23 UTC 2024
testing/packages/rust-1.82.0-x86_64-1_slack15.0.txz: Upgraded.
+--------------------------+


@ -1,20 +1,20 @@
Sun Oct 20 23:44:19 UTC 2024
Mon Oct 21 21:24:52 UTC 2024
Here is the file list for this directory. If you are using a
mirror site and find missing or extra files in the disk
subdirectories, please have the archive administrator refresh
the mirror.
drwxr-xr-x 12 root root 4096 2024-10-20 23:42 .
drwxr-xr-x 12 root root 4096 2024-10-21 21:23 .
-rw-r--r-- 1 root root 5767 2022-02-02 22:44 ./ANNOUNCE.15.0
-rw-r--r-- 1 root root 16609 2022-03-30 19:03 ./CHANGES_AND_HINTS.TXT
-rw-r--r-- 1 root root 1268302 2024-10-18 22:54 ./CHECKSUMS.md5
-rw-r--r-- 1 root root 195 2024-10-18 22:54 ./CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 1268302 2024-10-20 23:44 ./CHECKSUMS.md5
-rw-r--r-- 1 root root 195 2024-10-20 23:44 ./CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 17976 1994-06-10 02:28 ./COPYING
-rw-r--r-- 1 root root 35147 2007-06-30 04:21 ./COPYING3
-rw-r--r-- 1 root root 19573 2016-06-23 20:08 ./COPYRIGHT.TXT
-rw-r--r-- 1 root root 616 2006-10-02 04:37 ./CRYPTO_NOTICE.TXT
-rw-r--r-- 1 root root 2167435 2024-10-20 23:42 ./ChangeLog.txt
-rw-r--r-- 1 root root 2168137 2024-10-21 21:23 ./ChangeLog.txt
drwxr-xr-x 3 root root 4096 2013-03-20 22:17 ./EFI
drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT
-rw-r--r-- 1 root root 1187840 2021-06-15 19:16 ./EFI/BOOT/bootx64.efi
@ -25,7 +25,7 @@ drwxr-xr-x 2 root root 4096 2022-02-02 08:21 ./EFI/BOOT
-rwxr-xr-x 1 root root 2504 2019-07-05 18:54 ./EFI/BOOT/make-grub.sh
-rw-r--r-- 1 root root 10722 2013-09-21 19:02 ./EFI/BOOT/osdetect.cfg
-rw-r--r-- 1 root root 1273 2013-08-12 21:08 ./EFI/BOOT/tools.cfg
-rw-r--r-- 1 root root 1662688 2024-10-18 22:54 ./FILELIST.TXT
-rw-r--r-- 1 root root 1662688 2024-10-20 23:44 ./FILELIST.TXT
-rw-r--r-- 1 root root 1572 2012-08-29 18:27 ./GPG-KEY
-rw-r--r-- 1 root root 864745 2022-02-02 08:25 ./PACKAGES.TXT
-rw-r--r-- 1 root root 8034 2022-02-02 03:36 ./README.TXT
@ -832,13 +832,13 @@ drwxr-xr-x 2 root root 4096 2022-12-17 19:52 ./pasture/source/samba
-rw-r--r-- 1 root root 7921 2018-04-29 17:31 ./pasture/source/samba/smb.conf.default
-rw-r--r-- 1 root root 7933 2018-01-14 20:41 ./pasture/source/samba/smb.conf.default.orig
-rw-r--r-- 1 root root 536 2017-03-23 19:18 ./pasture/source/samba/smb.conf.diff.gz
drwxr-xr-x 4 root root 4096 2024-10-16 19:15 ./patches
-rw-r--r-- 1 root root 141120 2024-10-16 19:15 ./patches/CHECKSUMS.md5
-rw-r--r-- 1 root root 195 2024-10-16 19:15 ./patches/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 194584 2024-10-16 19:15 ./patches/FILE_LIST
-rw-r--r-- 1 root root 18279603 2024-10-16 19:15 ./patches/MANIFEST.bz2
-rw-r--r-- 1 root root 99128 2024-10-16 19:15 ./patches/PACKAGES.TXT
drwxr-xr-x 7 root root 32768 2024-10-16 19:15 ./patches/packages
drwxr-xr-x 4 root root 4096 2024-10-21 21:24 ./patches
-rw-r--r-- 1 root root 141212 2024-10-21 21:24 ./patches/CHECKSUMS.md5
-rw-r--r-- 1 root root 195 2024-10-21 21:24 ./patches/CHECKSUMS.md5.asc
-rw-r--r-- 1 root root 194694 2024-10-21 21:24 ./patches/FILE_LIST
-rw-r--r-- 1 root root 18272184 2024-10-21 21:24 ./patches/MANIFEST.bz2
-rw-r--r-- 1 root root 99128 2024-10-21 21:24 ./patches/PACKAGES.TXT
drwxr-xr-x 7 root root 32768 2024-10-21 21:24 ./patches/packages
-rw-r--r-- 1 root root 360 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 2389564 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2023-09-26 19:28 ./patches/packages/Cython-0.29.36-x86_64-1_slack15.0.txz.asc
@ -1174,12 +1174,12 @@ drwxr-xr-x 2 root root 4096 2024-06-08 19:45 ./patches/packages/old-linux
-rw-r--r-- 1 root root 672 2024-10-13 19:31 ./patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 1133060 2024-10-13 19:31 ./patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 195 2024-10-13 19:31 ./patches/packages/openssh-9.9p1-x86_64-1_slack15.0.txz.asc
-rw-r--r-- 1 root root 559 2024-07-17 19:13 ./patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 3614628 2024-07-17 19:13 ./patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 195 2024-07-17 19:13 ./patches/packages/openssl-1.1.1za-x86_64-1_slack15.0.txz.asc
-rw-r--r-- 1 root root 623 2024-07-17 19:13 ./patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 1370412 2024-07-17 19:13 ./patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 195 2024-07-17 19:13 ./patches/packages/openssl-solibs-1.1.1za-x86_64-1_slack15.0.txz.asc
-rw-r--r-- 1 root root 559 2024-10-21 21:10 ./patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 3612768 2024-10-21 21:10 ./patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 195 2024-10-21 21:10 ./patches/packages/openssl-1.1.1zb-x86_64-1_slack15.0.txz.asc
-rw-r--r-- 1 root root 623 2024-10-21 21:10 ./patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 1371192 2024-10-21 21:10 ./patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 195 2024-10-21 21:10 ./patches/packages/openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz.asc
-rw-r--r-- 1 root root 422 2024-01-26 20:40 ./patches/packages/pam-1.6.0-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 448944 2024-01-26 20:40 ./patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2024-01-26 20:40 ./patches/packages/pam-1.6.0-x86_64-1_slack15.0.txz.asc
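Review bot: before installing the two new .txz files listed here, verify them against their 195-byte detached signatures (openssl-1.1.1zb-x86_64-1_slack15.0.txz.asc, openssl-solibs-1.1.1zb-x86_64-1_slack15.0.txz.asc) with the key in ./GPG-KEY, and check ./patches/CHECKSUMS.md5 against its own signature ./patches/CHECKSUMS.md5.asc, both of which were regenerated at 21:24 in this update. The .txz sizes changed while the .txt descriptions stayed at 559 and 623 bytes, so the description files are not a useful indicator of whether the new build was picked up; the checksums are.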
@ -1324,7 +1324,7 @@ drwxr-xr-x 2 root root 4096 2024-06-08 19:45 ./patches/packages/old-linux
-rw-r--r-- 1 root root 463 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txt
-rw-r--r-- 1 root root 459652 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz
-rw-r--r-- 1 root root 163 2023-04-05 18:16 ./patches/packages/zstd-1.5.5-x86_64-1_slack15.0.txz.asc
drwxr-xr-x 134 root root 4096 2024-10-16 18:35 ./patches/source
drwxr-xr-x 134 root root 4096 2024-10-21 21:18 ./patches/source
drwxr-xr-x 2 root root 4096 2023-09-26 19:22 ./patches/source/Cython
-rw-r--r-- 1 root root 1623580 2023-07-04 19:24 ./patches/source/Cython/Cython-0.29.36.tar.lz
-rwxr-xr-x 1 root root 3041 2023-09-26 19:23 ./patches/source/Cython/Cython.SlackBuild
@ -2234,17 +2234,18 @@ drwxr-xr-x 2 root root 4096 2024-10-13 19:28 ./patches/source/openssh
-rw-r--r-- 1 root root 482 2024-07-07 17:43 ./patches/source/openssh/sshd.default
-rw-r--r-- 1 root root 1228 2021-09-29 19:00 ./patches/source/openssh/sshd.pam
-rw-r--r-- 1 root root 271 2021-08-21 03:23 ./patches/source/openssh/sshd_config-pam.diff.gz
drwxr-xr-x 2 root root 4096 2024-07-17 17:54 ./patches/source/openssl
drwxr-xr-x 2 root root 4096 2024-10-21 21:02 ./patches/source/openssl
-rw-rw-r-- 1 root root 10175 2024-06-04 14:27 ./patches/source/openssl/0000-patch-license.txt
-rw-r--r-- 1 root root 11910 2024-07-16 21:01 ./patches/source/openssl/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch
-rw-r--r-- 1 root root 6816 2024-07-16 21:02 ./patches/source/openssl/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch
-rw-r--r-- 1 root root 4085 2024-07-16 21:03 ./patches/source/openssl/0003-openssl-1.1.1za_CVE-2024-5535.patch
-rw-r--r-- 1 root root 12842 2024-10-21 21:00 ./patches/source/openssl/0004-openssl-1.1.1zb_CVE_2024_9143.patch
-rw-r--r-- 1 root root 1791 2023-08-12 19:52 ./patches/source/openssl/certwatch.gz
-rw-r--r-- 1 root root 281 2007-06-13 17:20 ./patches/source/openssl/doinst.sh-openssl-solibs.gz
-rw-r--r-- 1 root root 501 2012-07-12 16:21 ./patches/source/openssl/doinst.sh-openssl.gz
-rw-r--r-- 1 root root 9893384 2023-09-11 14:46 ./patches/source/openssl/openssl-1.1.1w.tar.gz
-rw-r--r-- 1 root root 833 2023-09-11 14:46 ./patches/source/openssl/openssl-1.1.1w.tar.gz.asc
-rwxr-xr-x 1 root root 10277 2024-07-17 19:10 ./patches/source/openssl/openssl.SlackBuild
-rwxr-xr-x 1 root root 10359 2024-10-21 21:02 ./patches/source/openssl/openssl.SlackBuild
-rw-r--r-- 1 root root 1014 2018-02-27 06:13 ./patches/source/openssl/slack-desc.openssl
-rw-r--r-- 1 root root 1085 2018-02-27 06:13 ./patches/source/openssl/slack-desc.openssl-solibs
drwxr-xr-x 4 root root 4096 2024-01-26 20:39 ./patches/source/pam


@ -0,0 +1,345 @@
From 9ad69b994ae7c73ba06d9f75efd2625102de814c Mon Sep 17 00:00:00 2001
From: Ken Zalewski <ken.zalewski@gmail.com>
Date: Mon, 21 Oct 2024 16:24:47 -0400
Subject: [PATCH] Patch to openssl-1.1.1zb. This version addresses one
vulnerability: CVE-2024-9143
---
CHANGES | 134 +++++++++++++++++++++++++++++++++++++
NEWS | 18 +++++
README | 2 +-
crypto/bn/bn_gf2m.c | 28 +++++---
include/openssl/opensslv.h | 4 +-
test/ec_internal_test.c | 51 ++++++++++++++
6 files changed, 226 insertions(+), 11 deletions(-)
diff --git a/CHANGES b/CHANGES
index c440948..7d82f7a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,140 @@
https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1za and 1.1.1zb [16 Oct 2024]
+
+ *) Harden BN_GF2m_poly2arr against misuse
+
+ The BN_GF2m_poly2arr() function converts characteristic-2 field
+ (GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+ to a compact array with just the exponents of the non-zero terms.
+
+ These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+ reduction. A precondition of calling BN_GF2m_mod_arr() is that the
+ polynomial must have a non-zero constant term (i.e. the array has `0` as
+ its final element).
+
+ Internally, callers of BN_GF2m_poly2arr() did not verify that
+ precondition, and binary EC curve parameters with an invalid polynomial
+ could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+ The precondition is always true for polynomials that arise from the
+ standard form of EC parameters for characteristic-two fields (X9.62).
+ See the "Finite Field Identification" section of:
+
+ https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+ The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+ basis X9.62 forms.
+
+ This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+ the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+ Additionally, the return value is made unambiguous when there is not
+ enough space to also pad the array with a final `-1` sentinel value.
+ The return value is now always the number of elements (including the
+ final `-1`) that would be filled when the output array is sufficiently
+ large. Previously the same count was returned both when the array has
+ just enough room for the final `-1` and when it had only enough space
+ for non-sentinel values.
+
+ Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+ degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+ CPU exhausition attacks via excessively large inputs.
+
+ The above issues do not arise in processing X.509 certificates. These
+ generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+ disallows explicit EC parameters. The TLS code in OpenSSL enforces this
+ constraint only after the certificate is decoded, but, even if explicit
+ parameters are specified, they are in X9.62 form, which cannot represent
+ problem values as noted above.
+
+ (CVE-2024-9143)
+ [Viktor Dukhovni]
+
+
+ Changes between 1.1.1y and 1.1.1za [26 Jun 2024]
+
+ *) Fix SSL_select_next_proto
+
+ Ensure that the provided client list is non-NULL and starts with a valid
+ entry. When called from the ALPN callback the client list should already
+ have been validated by OpenSSL so this should not cause a problem. When
+ called from the NPN callback the client list is locally configured and
+ will not have already been validated. Therefore SSL_select_next_proto
+ should not assume that it is correctly formatted.
+
+ We implement stricter checking of the client protocol list. We also do the
+ same for the server list while we are about it.
+
+ (CVE-2024-5535)
+ [Matt Caswell]
+
+
+ Changes between 1.1.1x and 1.1.1y [27 May 2024]
+
+ *) Only free the read buffers if we're not using them
+
+ If we're part way through processing a record, or the application has
+ not released all the records then we should not free our buffer because
+ they are still needed.
+
+ (CVE-2024-4741)
+ [Matt Caswell]
+ [Watson Ladd]
+
+ *) Fix unconstrained session cache growth in TLSv1.3
+
+ In TLSv1.3 we create a new session object for each ticket that we send.
+ We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
+ use then the new session will be added to the session cache. However, if
+ early data is not in use (and therefore anti-replay protection is being
+ used), then multiple threads could be resuming from the same session
+ simultaneously. If this happens and a problem occurs on one of the threads,
+ then the original session object could be marked as not_resumable. When we
+ duplicate the session object this not_resumable status gets copied into the
+ new session object. The new session object is then added to the session
+ cache even though it is not_resumable.
+
+ Subsequently, another bug means that the session_id_length is set to 0 for
+ sessions that are marked as not_resumable - even though that session is
+ still in the cache. Once this happens the session can never be removed from
+ the cache. When that object gets to be the session cache tail object the
+ cache never shrinks again and grows indefinitely.
+
+ (CVE-2024-2511)
+ [Matt Caswell]
+
+
+ Changes between 1.1.1w and 1.1.1x [25 Jan 2024]
+
+ *) Add NULL checks where ContentInfo data can be NULL
+
+ PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
+ optional and can be NULL even if the "type" is a valid value. OpenSSL
+ was not properly accounting for this and a NULL dereference can occur
+ causing a crash.
+
+ (CVE-2024-0727)
+ [Matt Caswell]
+
+ *) Make DH_check_pub_key() and DH_generate_key() safer yet
+
+ We already check for an excessively large P in DH_generate_key(), but not in
+ DH_check_pub_key(), and none of them check for an excessively large Q.
+
+ This change adds all the missing excessive size checks of P and Q.
+
+ It's to be noted that behaviours surrounding excessively sized P and Q
+ differ. DH_check() raises an error on the excessively sized P, but only
+ sets a flag for the excessively sized Q. This behaviour is mimicked in
+ DH_check_pub_key().
+
+ (CVE-2024-5678)
+ [Richard Levitte]
+ [Hugo Landau]
+
+
Changes between 1.1.1v and 1.1.1w [11 Sep 2023]
*) Fix POLY1305 MAC implementation corrupting XMM registers on Windows.
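Review bot: the CVE identifier in the 1.1.1x DH hardening entry does not match the patch series: the entry reads "(CVE-2024-5678)" while the file carrying that fix is 0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch, so one of the two is wrong and the CHANGES text should be brought in line with the identifier the patch was filed under. Two smaller points in the same hunk: "CPU exhausition attacks" is a typo for "exhaustion", and "RFC5840 (Section 2.1.1)" appears to be a typo for RFC 5480, the PKIX profile for EC subject public keys (RFC 5840 is an IPsec document). The entry is otherwise precise about the precondition, that the exponent array must end in a 0 for the constant term, which is a different thing from the -1 sentinel; keeping both words in the text as they are avoids readers conflating them.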
diff --git a/NEWS b/NEWS
index 1b849cd..7810ece 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,24 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1za and OpenSSL 1.1.1zb [16 Oct 2024]
+
+ o Harden BN_GF2m_poly2arr against misuse
+
+ Major changes between OpenSSL 1.1.1y and OpenSSL 1.1.1za [26 Jun 2024]
+
+ o Fix SSL_select_next_proto
+
+ Major changes between OpenSSL 1.1.1x and OpenSSL 1.1.1y [27 May 2024]
+
+ o Only free the read buffers if we're not using them
+ o Fix unconstrained session cache growth in TLSv1.3
+
+ Major changes between OpenSSL 1.1.1w and OpenSSL 1.1.1x [25 Jan 2024]
+
+ o Add NULL checks where ContentInfo data can be NULL
+ o Make DH_check_pub_key() and DH_generate_key() safer yet
+
Major changes between OpenSSL 1.1.1v and OpenSSL 1.1.1w [11 Sep 2023]
o Fix POLY1305 MAC implementation corrupting XMM registers on Windows
diff --git a/README b/README
index e924e15..6612eb0 100644
--- a/README
+++ b/README
@@ -1,5 +1,5 @@
- OpenSSL 1.1.1w 11 Sep 2023
+ OpenSSL 1.1.1zb 16 Oct 2024
Copyright (c) 1998-2023 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
index a2ea867..6709471 100644
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -15,6 +15,7 @@
#include "bn_local.h"
#ifndef OPENSSL_NO_EC2M
+#include <openssl/ec.h>
/*
* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
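Review bot: the new #include <openssl/ec.h> is here for OPENSSL_ECC_MAX_FIELD_BITS, used in BN_GF2m_poly2arr() further down; it sits inside the #ifndef OPENSSL_NO_EC2M block so a no-ec2m build is unaffected, but it does make crypto/bn depend on a public EC header. A one-line comment naming the macro it is pulled in for would save the next reader a grep.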
@@ -1109,16 +1110,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/*
* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
* x^i) into an array of integers corresponding to the bits with non-zero
- * coefficient. Array is terminated with -1. Up to max elements of the array
- * will be filled. Return value is total number of array elements that would
- * be filled if array was large enough.
+ * coefficient. The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1. Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`. It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
*/
int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
{
int i, j, k = 0;
BN_ULONG mask;
- if (BN_is_zero(a))
+ if (!BN_is_odd(a))
return 0;
for (i = a->top - 1; i >= 0; i--) {
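Review bot: replacing `if (BN_is_zero(a))` with `if (!BN_is_odd(a))` still rejects zero (zero is even), so no existing check is lost; that is worth one phrase in the comment because a reader looking for the old zero test will not find it. Two nits in the comment text: "when `a` is not odd or the constant term is zero contrary to requirement" states one condition twice (an odd BIGNUM is exactly one whose constant term is non-zero), and the final sentence ends in a comma ("CPU exhaustion attacks,") rather than a full stop before `*/`.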
@@ -1136,12 +1147,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
}
}
- if (k < max) {
+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+ return 0;
+
+ if (k < max)
p[k] = -1;
- k++;
- }
- return k;
+ return k + 1;
}
/*
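Review bot: the new degree check reads p[0] after the loop, but p[0] is only written when the array has room (the header comment says "Up to max elements of the array will be filled") and the same comment documents a return value that is what "would be filled if array was large enough", which invites a size-query call with max == 0 and a NULL or empty p. For such a caller `k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS` reads memory it was never given. Recording the leading exponent in a local as the loop finds it, or documenting that max must be at least 1, would keep the check safe for that usage. The return-value change is right: `return k + 1` counts the sentinel whether or not it was stored, so a caller's `ret > max` test now detects a truncated array; with the old `if (k < max) { p[k] = -1; k++; }` a result equal to max could mean either a stored sentinel or none.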
diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h
index a1a5d07..ddf42b6 100644
--- a/include/openssl/opensslv.h
+++ b/include/openssl/opensslv.h
@@ -39,8 +39,8 @@ extern "C" {
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x101011afL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024"
+# define OPENSSL_VERSION_NUMBER 0x101011bfL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1zb 16 Oct 2024"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
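Review bot: the bump from 0x101011afL to 0x101011bfL is a single step matching the za to zb text change, and OPENSSL_VERSION_TEXT is what `openssl version` and the scanners mentioned in the commit message read. The caveat for anyone auditing this host is that the string now names a release the package is not built from: the tree is the 1.1.1w tarball plus patches 0001 to 0004, so "is CVE X fixed here" must be answered from that patch list, not from the version string, and a scanner that trusts the string will equally be silent about anything these four patches do not cover.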
diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
index 390f41f..1590a18 100644
--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
@@ -150,6 +150,56 @@ static int field_tests_ecp_mont(void)
}
#ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+ int ret = 0;
+ BN_CTX *ctx = BN_CTX_new();
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+ TEST_info("Testing GF2m hardening\n");
+
+ BN_CTX_start(ctx);
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ if (!TEST_ptr(b = BN_CTX_get(ctx))
+ || !TEST_true(BN_one(a))
+ || !TEST_true(BN_one(b)))
+ goto out;
+
+ /* Even pentanomial value should be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf2)))
+ goto out;
+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Zero constant term accepted in GF2m polynomial");
+
+ /* Odd hexanomial should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf3)))
+ goto out;
+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Hexanomial accepted as GF2m polynomial");
+
+ /* Excessive polynomial degree should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0x71))
+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+ goto out;
+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("GF2m polynomial degree > %d accepted",
+ OPENSSL_ECC_MAX_FIELD_BITS);
+
+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+ EC_GROUP_free(group1);
+ EC_GROUP_free(group2);
+ EC_GROUP_free(group3);
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+
+ return ret;
+}
+
/* test EC_GF2m_simple_method directly */
static int field_tests_ec2_simple(void)
{
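Review bot: BN_CTX_new() is used without a NULL check before BN_CTX_start(ctx) and BN_CTX_get(ctx); wrapping it in TEST_ptr() like the other allocations in this function would make an allocation failure report cleanly instead of crashing the test binary. The three TEST_error() calls are redundant with `ret = group1 == NULL && group2 == NULL && group3 == NULL` (harmless, but one or the other is enough). More substantively, all three cases reach the hardening only through EC_GROUP_new_curve_GF2m(); nothing asserts BN_GF2m_poly2arr()'s changed return convention directly (0 for an even input, k + 1 including the sentinel even when it is not stored), so a regression in the return value that the EC caller happens to tolerate would pass. The inputs themselves are well chosen: 0xf2 is a pentanomial without a constant term, 0xf3 a hexanomial, and 0x71 with bit OPENSSL_ECC_MAX_FIELD_BITS + 1 set a pentanomial over the degree cap.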
@@ -367,6 +417,7 @@ int setup_tests(void)
ADD_TEST(field_tests_ecp_simple);
ADD_TEST(field_tests_ecp_mont);
#ifndef OPENSSL_NO_EC2M
+ ADD_TEST(ec2m_field_sanity);
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);


@ -78,6 +78,7 @@ find . -name "*.pod" -exec sed -i "s/^\=item \([0-9]\)\(\ \|$\)/\=item C<\1>/g"
cat $CWD/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch | patch -p1 --verbose || exit 1
cat $CWD/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch | patch -p1 --verbose || exit 1
cat $CWD/0003-openssl-1.1.1za_CVE-2024-5535.patch | patch -p1 --verbose || exit 1
cat $CWD/0004-openssl-1.1.1zb_CVE_2024_9143.patch | patch -p1 --verbose || exit 1
## For openssl-1.1.x, don't try to change the soname.
## Use .so.1, not .so.1.0.0:
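Review bot: the added line follows the pattern of the three before it (cat ... | patch -p1 --verbose || exit 1), but the file it references breaks their naming convention: 0001 to 0003 use hyphens in the CVE id (CVE-2024-5535) while 0004 uses underscores (CVE_2024_9143); naming it 0004-openssl-1.1.1zb_CVE-2024-9143.patch keeps the directory greppable by CVE id. Also, this single line accounts for the whole change to openssl.SlackBuild (FILELIST.TXT shows it growing from 10277 to 10359 bytes, exactly the 82 bytes of this line and its newline), so the 1.1.1zb in the package name is not a literal edit in this file; confirm that wherever VERSION is derived it picks up the new patch, otherwise the package name, OPENSSL_VERSION_TEXT and the applied patch set can drift apart on the next update.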