openssl: patch CVE-2024-9143

Pick patch from branch openssl-3.0. (From OE-Core rev: 75e1dedf85ac093fc43eb88a59bfe980bb363bf9) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2024-10-23 19:38:44 +0200
committer: Steve Sakoman <steve@sakoman.com> 2024-11-02 06:32:36 -0700
commit: bce20db02a0c33f1cdb1a83c062b4699b6676928 (patch)
tree: a683c3ccf77c2dd0621c3926924d044973db92f3
parent: f167cac8568e3c5e7e97bd79b18a47360b6e5630 (diff)
download: poky-bce20db02a0c33f1cdb1a83c062b4699b6676928.tar.gz
2 files changed, 203 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
new file mode 100755
index 0000000000..c72a4193c6
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
@@ -0,0 +1,202 @@
+From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+Initially reported as oss-fuzz issue 71623.
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+Severity: Low, CVE-2024-9143
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+CVE: CVE-2024-9143
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
+ test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 71 insertions(+), 8 deletions(-)
+diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
+index c811ae82d6b15..bcc66613cc14d 100644
+--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
+ * coefficient.  The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1.  Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
+    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+        return 0;
+
+    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
+    return k + 1;
+ }
+ 
+ /*
+diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
+index 8c2cd05631696..02cfd4e9d8858 100644
+--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+    int ret = 0;
+    BN_CTX *ctx = BN_CTX_new();
+    BIGNUM *p, *a, *b;
+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+    TEST_info("Testing GF2m hardening\n");
+
+    BN_CTX_start(ctx);
+    p = BN_CTX_get(ctx);
+    a = BN_CTX_get(ctx);
+    if (!TEST_ptr(b = BN_CTX_get(ctx))
+        || !TEST_true(BN_one(a))
+        || !TEST_true(BN_one(b)))
+        goto out;
+
+    /* Even pentanomial value should be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf2)))
+        goto out;
+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Zero constant term accepted in GF2m polynomial");
+
+    /* Odd hexanomial should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0xf3)))
+        goto out;
+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("Hexanomial accepted as GF2m polynomial");
+
+    /* Excessive polynomial degree should also be rejected */
+    if (!TEST_true(BN_set_word(p, 0x71))
+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+        goto out;
+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+        TEST_error("GF2m polynomial degree > %d accepted",
+                   OPENSSL_ECC_MAX_FIELD_BITS);
+
+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+    EC_GROUP_free(group1);
+    EC_GROUP_free(group2);
+    EC_GROUP_free(group3);
+    BN_CTX_end(ctx);
+    BN_CTX_free(ctx);
+
+    return ret;
+}
+
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
+    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
index b76a763cc3..5f7e7c0000 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://CVE-2024-9143.patch \
           "
 SRC_URI:append:class-nativesdk = " \
author	Peter Marko <peter.marko@siemens.com>	2024-10-23 19:38:44 +0200
committer	Steve Sakoman <steve@sakoman.com>	2024-11-02 06:32:36 -0700
commit	bce20db02a0c33f1cdb1a83c062b4699b6676928 (patch)
tree	a683c3ccf77c2dd0621c3926924d044973db92f3
parent	f167cac8568e3c5e7e97bd79b18a47360b6e5630 (diff)
download	poky-bce20db02a0c33f1cdb1a83c062b4699b6676928.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch new file mode 100755 index 0000000000..c72a4193c6 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
@@ -0,0 +1,202 @@
		1	From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
		2	From: Viktor Dukhovni <viktor@openssl.org>
		3	Date: Thu, 19 Sep 2024 01:02:40 +1000
		4	Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
		5
		6	The BN_GF2m_poly2arr() function converts characteristic-2 field
		7	(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
		8	to a compact array with just the exponents of the non-zero terms.
		9
		10	These polynomials are then used in BN_GF2m_mod_arr() to perform modular
		11	reduction. A precondition of calling BN_GF2m_mod_arr() is that the
		12	polynomial must have a non-zero constant term (i.e. the array has `0` as
		13	its final element).
		14
		15	Internally, callers of BN_GF2m_poly2arr() did not verify that
		16	precondition, and binary EC curve parameters with an invalid polynomial
		17	could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
		18
		19	The precondition is always true for polynomials that arise from the
		20	standard form of EC parameters for characteristic-two fields (X9.62).
		21	See the "Finite Field Identification" section of:
		22
		23	https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
		24
		25	The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
		26	basis X9.62 forms.
		27
		28	This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
		29	the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
		30
		31	Additionally, the return value is made unambiguous when there is not
		32	enough space to also pad the array with a final `-1` sentinel value.
		33	The return value is now always the number of elements (including the
		34	final `-1`) that would be filled when the output array is sufficiently
		35	large. Previously the same count was returned both when the array has
		36	just enough room for the final `-1` and when it had only enough space
		37	for non-sentinel values.
		38
		39	Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
		40	degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
		41	CPU exhausition attacks via excessively large inputs.
		42
		43	The above issues do not arise in processing X.509 certificates. These
		44	generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
		45	disallows explicit EC parameters. The TLS code in OpenSSL enforces this
		46	constraint only after the certificate is decoded, but, even if explicit
		47	parameters are specified, they are in X9.62 form, which cannot represent
		48	problem values as noted above.
		49
		50	Initially reported as oss-fuzz issue 71623.
		51
		52	A closely related issue was earlier reported in
		53	<https://github.com/openssl/openssl/issues/19826>.
		54
		55	Severity: Low, CVE-2024-9143
		56
		57	Reviewed-by: Matt Caswell <matt@openssl.org>
		58	Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
		59	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
		60	Reviewed-by: Tomas Mraz <tomas@openssl.org>
		61	(Merged from https://github.com/openssl/openssl/pull/25639)
		62
		63	(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
		64
		65	CVE: CVE-2024-9143
		66	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712]
		67	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		68	---
		69	crypto/bn/bn_gf2m.c \| 28 +++++++++++++++-------
		70	test/ec_internal_test.c \| 51 +++++++++++++++++++++++++++++++++++++++++
		71	2 files changed, 71 insertions(+), 8 deletions(-)
		72
		73	diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
		74	index c811ae82d6b15..bcc66613cc14d 100644
		75	--- a/crypto/bn/bn_gf2m.c
		76	+++ b/crypto/bn/bn_gf2m.c
		77	@@ -15,6 +15,7 @@
		78	#include "bn_local.h"
		79
		80	#ifndef OPENSSL_NO_EC2M
		81	+# include <openssl/ec.h>
		82
		83	/*
		84	* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
		85	@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM r, const BIGNUM a, const BIGNUM *p,
		86	/*
		87	* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
		88	* x^i) into an array of integers corresponding to the bits with non-zero
		89	- * coefficient. Array is terminated with -1. Up to max elements of the array
		90	- * will be filled. Return value is total number of array elements that would
		91	- * be filled if array was large enough.
		92	+ * coefficient. The array is intended to be suitable for use with
		93	+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
		94	+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
		95	+ *
		96	+ * Given sufficient room, the array is terminated with -1. Up to max elements
		97	+ * of the array will be filled.
		98	+ *
		99	+ * The return value is total number of array elements that would be filled if
		100	+ * array was large enough, including the terminating `-1`. It is `0` when `a`
		101	+ * is not odd or the constant term is zero contrary to requirement.
		102	+ *
		103	+ * The return value is also `0` when the leading exponent exceeds
		104	+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
		105	*/
		106	int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
		107	{
		108	int i, j, k = 0;
		109	BN_ULONG mask;
		110
		111	- if (BN_is_zero(a))
		112	+ if (!BN_is_odd(a))
		113	return 0;
		114
		115	for (i = a->top - 1; i >= 0; i--) {
		116	@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
		117	}
		118	}
		119
		120	- if (k < max) {
		121	+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
		122	+ return 0;
		123	+
		124	+ if (k < max)
		125	p[k] = -1;
		126	- k++;
		127	- }
		128
		129	- return k;
		130	+ return k + 1;
		131	}
		132
		133	/*
		134	diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
		135	index 8c2cd05631696..02cfd4e9d8858 100644
		136	--- a/test/ec_internal_test.c
		137	+++ b/test/ec_internal_test.c
		138	@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
		139	}
		140
		141	#ifndef OPENSSL_NO_EC2M
		142	+/* Test that decoding of invalid GF2m field parameters fails. */
		143	+static int ec2m_field_sanity(void)
		144	+{
		145	+ int ret = 0;
		146	+ BN_CTX *ctx = BN_CTX_new();
		147	+ BIGNUM p, a, *b;
		148	+ EC_GROUP group1 = NULL, group2 = NULL, *group3 = NULL;
		149	+
		150	+ TEST_info("Testing GF2m hardening\n");
		151	+
		152	+ BN_CTX_start(ctx);
		153	+ p = BN_CTX_get(ctx);
		154	+ a = BN_CTX_get(ctx);
		155	+ if (!TEST_ptr(b = BN_CTX_get(ctx))
		156	+ \|\| !TEST_true(BN_one(a))
		157	+ \|\| !TEST_true(BN_one(b)))
		158	+ goto out;
		159	+
		160	+ /* Even pentanomial value should be rejected */
		161	+ if (!TEST_true(BN_set_word(p, 0xf2)))
		162	+ goto out;
		163	+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
		164	+ TEST_error("Zero constant term accepted in GF2m polynomial");
		165	+
		166	+ /* Odd hexanomial should also be rejected */
		167	+ if (!TEST_true(BN_set_word(p, 0xf3)))
		168	+ goto out;
		169	+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
		170	+ TEST_error("Hexanomial accepted as GF2m polynomial");
		171	+
		172	+ /* Excessive polynomial degree should also be rejected */
		173	+ if (!TEST_true(BN_set_word(p, 0x71))
		174	+ \|\| !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
		175	+ goto out;
		176	+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
		177	+ TEST_error("GF2m polynomial degree > %d accepted",
		178	+ OPENSSL_ECC_MAX_FIELD_BITS);
		179	+
		180	+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
		181	+
		182	+ out:
		183	+ EC_GROUP_free(group1);
		184	+ EC_GROUP_free(group2);
		185	+ EC_GROUP_free(group3);
		186	+ BN_CTX_end(ctx);
		187	+ BN_CTX_free(ctx);
		188	+
		189	+ return ret;
		190	+}
		191	+
		192	/* test EC_GF2m_simple_method directly */
		193	static int field_tests_ec2_simple(void)
		194	{
		195	@@ -443,6 +493,7 @@ int setup_tests(void)
		196	ADD_TEST(field_tests_ecp_simple);
		197	ADD_TEST(field_tests_ecp_mont);
		198	#ifndef OPENSSL_NO_EC2M
		199	+ ADD_TEST(ec2m_field_sanity);
		200	ADD_TEST(field_tests_ec2_simple);
		201	#endif
		202	ADD_ALL_TESTS(field_tests_default, crv_len);


diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb index b76a763cc3..5f7e7c0000 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13	file://afalg.patch \	13	file://afalg.patch \
14	file://0001-Configure-do-not-tweak-mips-cflags.patch \	14	file://0001-Configure-do-not-tweak-mips-cflags.patch \
		15	file://CVE-2024-9143.patch \
15	"	16	"
16		17
17	SRC_URI:append:class-nativesdk = " \	18	SRC_URI:append:class-nativesdk = " \