Merge pull request #2492 from flatcar/tormath1/openssl

dev-libs/openssl: upgrade to 3.2.3

changelog/security/2024-12-02-openssl.md

@@ -0,0 +1 @@
+- OpenSSL ([CVE-2024-2511](https://nvd.nist.gov/vuln/detail/CVE-2024-2511), [CVE-2024-4603](https://nvd.nist.gov/vuln/detail/CVE-2024-4603), [CVE-2024-4741](https://nvd.nist.gov/vuln/detail/CVE-2024-4741), [CVE-2024-5535](https://nvd.nist.gov/vuln/detail/CVE-2024-5535), [CVE-2024-6119](https://nvd.nist.gov/vuln/detail/CVE-2024-6119), [CVE-2024-9143](https://nvd.nist.gov/vuln/detail/CVE-2024-9143))

changelog/updates/2024-12-02-openssl.md

@@ -0,0 +1 @@
+- OpenSSL ([3.2.3](https://github.com/openssl/openssl/blob/openssl-3.2/CHANGES.md#openssl-32))

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest

@@ -1,2 +1,2 @@
-DIST openssl-3.2.1.tar.gz 17733249 BLAKE2B 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 SHA512 bab2b2419319f1feffaba4692f03edbf13b44d1090c6e075a2d69dad67a2d51e64e6edbf83456a26c83900a726d20d2c4ee4ead9c94b322fd0b536f3b5a863c4
+DIST openssl-3.2.3.tar.gz 17762604 BLAKE2B 1445336aa92d0fd9df266ad570fe2bf5701279e462dd3fccd4cf662f328bfee923dc6c72c42c1921fd38bce43e1c60cacdec3f1c2963fe0ffda6a0e8e34ac6e4 SHA512 9e9f06ab630914e32e64bfb945dfa375ea3595b3db4eb8ef68288a58909baf753b34998439907c22ff2b8561cfd3f3f6b7fbf22981479e66a98c2e92fda172a2
-DIST openssl-3.2.1.tar.gz.asc 833 BLAKE2B a1d25fe30bf1804d13a8b6b98edf56be5bf744d9e2706f4169455c24efe2e3a361487d00d0d4bac240c3f0170693d77a39dd0d4ee5c792d2247aa00c47e74ebf SHA512 de39516c7b77612f33cdc830a8d13ef6bcd91c03d24a6ed105480f140f9e1ad7049844e234c96a516d62e0e33ce90442ffd0f309ea674884c735f04d8562f372
+DIST openssl-3.2.3.tar.gz.asc 833 BLAKE2B 5a7289ed40534a058b9eb7686ce444b9d453a2973ab7ebda01c99f7245f6ba19197123f8bb3b16940d4bfbc5e313babc0249f280e55911190b47da3a47ed1e6a SHA512 e727adb88f84c48082ef0cae963bf999cce11619f7322014cc7f36c16e8375a60542f518c1b86319208cf8da33044e942b3d65208bc59fd4a5f522ab78ff1c23

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4

@@ -32,6 +32,7 @@ if [[ $1 == "test" ]] ; then
 		"i686-apple-darwinX           |darwin-i386-cc" \
 		"i386-apple-darwinX           |darwin-i386-cc" \
 		"powerpc-apple-darwinX        |darwin-ppc-cc" \
+		"arm64-apple-darwinX          |darwin-arm64-cc" \
 		"i586-pc-winnt                |winnt-parity" \
 		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
 		"s390x-linux-gnu              |linux64-s390x" \
@@ -155,6 +156,7 @@ darwin)
 		powerpc)      machine=ppc-cc;;
 		i?86*)        machine=i386-cc;;
 		x86_64)       machine=x86_64-cc; system=${system}64;;
+		arm64)        machine=arm64-cc; system=${system}64;;
 	esac
 	;;
 hpux)

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch

@@ -1,79 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
-
-From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
-         ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
-         return NULL;
-     }
--    /* We enforce check for legacy key */
--    switch (EVP_PKEY_get_id(pkey)) {
--    case EVP_PKEY_RSA:
--        {
--        RSA *rsa = EVP_PKEY_get1_RSA(pkey);
--        EVP_PKEY_set1_RSA(pkey, rsa);
--        RSA_free(rsa);
--        }
--        break;
--#  ifndef OPENSSL_NO_EC
--    case EVP_PKEY_SM2:
--    case EVP_PKEY_EC:
--        {
--        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
--        EVP_PKEY_set1_EC_KEY(pkey, ec);
--        EC_KEY_free(ec);
--        }
--        break;
--#  endif
--#  ifndef OPENSSL_NO_DSA
--    case EVP_PKEY_DSA:
--        {
--        DSA *dsa = EVP_PKEY_get1_DSA(pkey);
--        EVP_PKEY_set1_DSA(pkey, dsa);
--        DSA_free(dsa);
--        }
--        break;
--#endif
--#  ifndef OPENSSL_NO_DH
--    case EVP_PKEY_DH:
--        {
--        DH *dh = EVP_PKEY_get1_DH(pkey);
--        EVP_PKEY_set1_DH(pkey, dh);
--        DH_free(dh);
--        }
--        break;
--#endif
--    default:
--        /*Do nothing */
--        break;
--    }
--
-     return pkey;
- }
- 
-

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch

@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700
+
+From bc7e04d7c8d509fb78fc0e285aa948fb0da04700 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml

@@ -9,6 +9,7 @@
 		<flag name="bindist">Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI</flag>
 		<flag name="fips">Enable FIPS provider</flag>
 		<flag name="ktls">Enable support for Kernel implementation of TLS (kTLS)</flag>
+		<flag name="quic">Enable support for QUIC (RFC 9000); a UDP-based protocol intended to replace TCP</flag>
 		<flag name="rfc3779">Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)</flag>
 		<flag name="sslv2">Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https</flag>
 		<flag name="sslv3">Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https</flag>

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.3-r1.ebuild

@@ -9,7 +9,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
 inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles
 
 DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
 
 MY_P=${P/_/-}
 
@@ -19,12 +19,14 @@ if [[ ${PV} == 9999 ]] ; then
 	inherit git-r3
 else
 	SRC_URI="
-		mirror://openssl/source/${MY_P}.tar.gz
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
-		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
 	"
 
 	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
-		KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+		KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 	fi
 fi
 
@@ -51,8 +53,8 @@ BDEPEND="
 		app-alternatives/bc
 		sys-process/procps
 	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
-
+"
 DEPEND="${COMMON_DEPEND}"
 RDEPEND="${COMMON_DEPEND}"
 PDEPEND="app-misc/ca-certificates"
@@ -62,7 +64,7 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 PATCHES=(
-	"${FILESDIR}"/${P}-p11-segfault.patch
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
 )
 
 pkg_setup() {
@@ -151,8 +153,8 @@ src_configure() {
 
 	append-flags $(test-flags-CC -Wa,--noexecstack)
 
-	# bug #895308
+	# bug #895308 -- check inserts GNU ld-compatible arguments
-	append-atomic-flags
+	[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
 	# Configure doesn't respect LIBS
 	export LDLIBS="${LIBS}"