openssl: patch CVE-2024-13176

Picked [1] per link in [2] [1] https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65 [2] https://nvd.nist.gov/vuln/detail/CVE-2024-13176 (From OE-Core rev: 7f9bb49394185fea268397db4fc7d96afae53f28) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-01-22 21:41:57 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-02-03 06:13:13 -0800
commit: 8cfec294571e813c2195149306188e14cf7e6338 (patch)
tree: 308c0eb4024817c7cfe867ffb6ffbda98c2bf7ba
parent: 7dad83c7e5e9637c0ff5d5712409611fd4a14946 (diff)
download: poky-8cfec294571e813c2195149306188e14cf7e6338.tar.gz
2 files changed, 127 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
new file mode 100644
index 0000000000..28d4dd706a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
@@ -0,0 +1,126 @@
+From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Wed, 15 Jan 2025 18:27:02 +0100
+Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
+There is a timing signal of around 300 nanoseconds when the top word of
+the inverted ECDSA nonce value is zero. This can happen with significant
+probability only for some of the supported elliptic curves. In particular
+the NIST P-521 curve is affected. To be able to measure this leak, the
+attacker process must either be located in the same physical computer or
+must have a very fast network connection with low latency.
+Attacks on ECDSA nonce are also known as Minerva attack.
+Fixes CVE-2024-13176
+Reviewed-by: Tim Hudson <tjh@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/26429)
+(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
+(cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902)
+CVE: CVE-2024-13176
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ crypto/bn/bn_exp.c  | 21 +++++++++++++++------
+ crypto/ec/ec_lib.c  |  7 ++++---
+ include/crypto/bn.h |  3 +++
+ 3 files changed, 22 insertions(+), 9 deletions(-)
+diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
+index b876edbfac36e..af52e2ced6914 100644
+--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
+@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
+  * out by Colin Percival,
+  * http://www.daemonology.net/hyperthreading-considered-harmful/)
+  */
+-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                               const BIGNUM *m, BN_CTX *ctx,
+                               BN_MONT_CTX *in_mont)
+ {
+@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     unsigned int t4 = 0;
+ #endif
+ 
+-    bn_check_top(a);
+-    bn_check_top(p);
+-    bn_check_top(m);
+-
+     if (!BN_is_odd(m)) {
+         ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
+         return 0;
+@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+             goto err;
+     } else
+ #endif
+-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
+    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
+         goto err;
+     ret = 1;
+  err:
+@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+     return ret;
+ }
+ 
+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                              const BIGNUM *m, BN_CTX *ctx,
+                              BN_MONT_CTX *in_mont)
+{
+    bn_check_top(a);
+    bn_check_top(p);
+    bn_check_top(m);
+    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
+        return 0;
+    bn_correct_top(rr);
+    return 1;
+}
+
+ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
+                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
+ {
+diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
+index c92b4dcb0ac45..a79fbb98cf6fa 100644
+--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
+@@ -21,6 +21,7 @@
+ #include <openssl/opensslv.h>
+ #include <openssl/param_build.h>
+ #include "crypto/ec.h"
+#include "crypto/bn.h"
+ #include "internal/nelem.h"
+ #include "ec_local.h"
+ 
+@@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
+     if (!BN_sub(e, group->order, e))
+         goto err;
+     /*-
+-     * Exponent e is public.
+-     * No need for scatter-gather or BN_FLG_CONSTTIME.
+     * Although the exponent is public we want the result to be
+     * fixed top.
+      */
+-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
+    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
+         goto err;
+ 
+     ret = 1;
+diff --git a/include/crypto/bn.h b/include/crypto/bn.h
+index 302f031c2ff1d..499e1d10efab0 100644
+--- a/include/crypto/bn.h
+++ b/include/crypto/bn.h
+@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
+  */
+ int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
+                           BN_MONT_CTX *mont, BN_CTX *ctx);
+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
+                              const BIGNUM *m, BN_CTX *ctx,
+                              BN_MONT_CTX *in_mont);
+ int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
+                          BN_CTX *ctx);
+ int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
index 2c30dbd47a..0b47bab550 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
           file://CVE-2024-9143.patch \
+           file://CVE-2024-13176.patch \
           "
 SRC_URI:append:class-nativesdk = " \
author	Peter Marko <peter.marko@siemens.com>	2025-01-22 21:41:57 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-02-03 06:13:13 -0800
commit	8cfec294571e813c2195149306188e14cf7e6338 (patch)
tree	308c0eb4024817c7cfe867ffb6ffbda98c2bf7ba
parent	7dad83c7e5e9637c0ff5d5712409611fd4a14946 (diff)
download	poky-8cfec294571e813c2195149306188e14cf7e6338.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch new file mode 100644 index 0000000000..28d4dd706a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
@@ -0,0 +1,126 @@
		1	From 4b1cb94a734a7d4ec363ac0a215a25c181e11f65 Mon Sep 17 00:00:00 2001
		2	From: Tomas Mraz <tomas@openssl.org>
		3	Date: Wed, 15 Jan 2025 18:27:02 +0100
		4	Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
		5
		6	There is a timing signal of around 300 nanoseconds when the top word of
		7	the inverted ECDSA nonce value is zero. This can happen with significant
		8	probability only for some of the supported elliptic curves. In particular
		9	the NIST P-521 curve is affected. To be able to measure this leak, the
		10	attacker process must either be located in the same physical computer or
		11	must have a very fast network connection with low latency.
		12
		13	Attacks on ECDSA nonce are also known as Minerva attack.
		14
		15	Fixes CVE-2024-13176
		16
		17	Reviewed-by: Tim Hudson <tjh@openssl.org>
		18	Reviewed-by: Neil Horman <nhorman@openssl.org>
		19	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
		20	(Merged from https://github.com/openssl/openssl/pull/26429)
		21
		22	(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
		23	(cherry picked from commit 392dcb336405a0c94486aa6655057f59fd3a0902)
		24
		25	CVE: CVE-2024-13176
		26	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/4b1cb94a734a7d4ec363ac0a215a25c181e11f65]
		27	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		28	---
		29	crypto/bn/bn_exp.c \| 21 +++++++++++++++------
		30	crypto/ec/ec_lib.c \| 7 ++++---
		31	include/crypto/bn.h \| 3 +++
		32	3 files changed, 22 insertions(+), 9 deletions(-)
		33
		34	diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
		35	index b876edbfac36e..af52e2ced6914 100644
		36	--- a/crypto/bn/bn_exp.c
		37	+++ b/crypto/bn/bn_exp.c
		38	@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
		39	* out by Colin Percival,
		40	* http://www.daemonology.net/hyperthreading-considered-harmful/)
		41	*/
		42	-int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		43	+int bn_mod_exp_mont_fixed_top(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		44	const BIGNUM m, BN_CTX ctx,
		45	BN_MONT_CTX *in_mont)
		46	{
		47	@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		48	unsigned int t4 = 0;
		49	#endif
		50
		51	- bn_check_top(a);
		52	- bn_check_top(p);
		53	- bn_check_top(m);
		54	-
		55	if (!BN_is_odd(m)) {
		56	ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
		57	return 0;
		58	@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		59	goto err;
		60	} else
		61	#endif
		62	- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
		63	+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
		64	goto err;
		65	ret = 1;
		66	err:
		67	@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		68	return ret;
		69	}
		70
		71	+int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		72	+ const BIGNUM m, BN_CTX ctx,
		73	+ BN_MONT_CTX *in_mont)
		74	+{
		75	+ bn_check_top(a);
		76	+ bn_check_top(p);
		77	+ bn_check_top(m);
		78	+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
		79	+ return 0;
		80	+ bn_correct_top(rr);
		81	+ return 1;
		82	+}
		83	+
		84	int BN_mod_exp_mont_word(BIGNUM rr, BN_ULONG a, const BIGNUM p,
		85	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *in_mont)
		86	{
		87	diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
		88	index c92b4dcb0ac45..a79fbb98cf6fa 100644
		89	--- a/crypto/ec/ec_lib.c
		90	+++ b/crypto/ec/ec_lib.c
		91	@@ -21,6 +21,7 @@
		92	#include <openssl/opensslv.h>
		93	#include <openssl/param_build.h>
		94	#include "crypto/ec.h"
		95	+#include "crypto/bn.h"
		96	#include "internal/nelem.h"
		97	#include "ec_local.h"
		98
		99	@@ -1261,10 +1262,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP group, BIGNUM r,
		100	if (!BN_sub(e, group->order, e))
		101	goto err;
		102	/*-
		103	- * Exponent e is public.
		104	- * No need for scatter-gather or BN_FLG_CONSTTIME.
		105	+ * Although the exponent is public we want the result to be
		106	+ * fixed top.
		107	*/
		108	- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
		109	+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
		110	goto err;
		111
		112	ret = 1;
		113	diff --git a/include/crypto/bn.h b/include/crypto/bn.h
		114	index 302f031c2ff1d..499e1d10efab0 100644
		115	--- a/include/crypto/bn.h
		116	+++ b/include/crypto/bn.h
		117	@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM a, const BN_ULONG words, int num_words);
		118	*/
		119	int bn_mul_mont_fixed_top(BIGNUM r, const BIGNUM a, const BIGNUM *b,
		120	BN_MONT_CTX mont, BN_CTX ctx);
		121	+int bn_mod_exp_mont_fixed_top(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
		122	+ const BIGNUM m, BN_CTX ctx,
		123	+ BN_MONT_CTX *in_mont);
		124	int bn_to_mont_fixed_top(BIGNUM r, const BIGNUM a, BN_MONT_CTX *mont,
		125	BN_CTX *ctx);
		126	int bn_from_mont_fixed_top(BIGNUM r, const BIGNUM a, BN_MONT_CTX *mont,


diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb index 2c30dbd47a..0b47bab550 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.3.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.3.bb
@@ -13,6 +13,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
13	file://0001-Configure-do-not-tweak-mips-cflags.patch \	13	file://0001-Configure-do-not-tweak-mips-cflags.patch \
14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \	14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \
15	file://CVE-2024-9143.patch \	15	file://CVE-2024-9143.patch \
		16	file://CVE-2024-13176.patch \
16	"	17	"
17		18
18	SRC_URI:append:class-nativesdk = " \	19	SRC_URI:append:class-nativesdk = " \