dev-libs/openssl: upgrade to 3.0.15 (LTS's cut)

changelog/security/2024-12-02-openssl.md

@@ -0,0 +1 @@
+- OpenSSL ([CVE-2024-2511](https://nvd.nist.gov/vuln/detail/CVE-2024-2511), [CVE-2024-4603](https://nvd.nist.gov/vuln/detail/CVE-2024-4603), [CVE-2024-4741](https://nvd.nist.gov/vuln/detail/CVE-2024-4741), [CVE-2024-5535](https://nvd.nist.gov/vuln/detail/CVE-2024-5535), [CVE-2024-6119](https://nvd.nist.gov/vuln/detail/CVE-2024-6119), [CVE-2024-9143](https://nvd.nist.gov/vuln/detail/CVE-2024-9143))

changelog/updates/2024-12-02-openssl.md

@@ -0,0 +1 @@
+- OpenSSL ([3.0.15](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#openssl-30))

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest

@@ -1,2 +1,2 @@
-DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
-DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1
+DIST openssl-3.0.15.tar.gz 15318633 BLAKE2B f2900d0894b97e86c709079ca4336d5dc508d69e91d3a4de4420c8d9344cb54dada6ea2cdd408166e53db0c652b06654e670701166b67a0a40578676e1cea535 SHA512 acd80f2f7924d90c1416946a5c61eff461926ad60f4821bb6b08845ea18f8452fd5e88a2c2c5bd0d7590a792cb8341a3f3be042fd0a5b6c9c1b84a497c347bbf
+DIST openssl-3.0.15.tar.gz.asc 833 BLAKE2B 43088d6ae9e95aec8cfa08c0d338d76c2299ee89a1719a39c497b25c83a4c0c2d155fa00a62b47e15a7f2889680197741390c850d62a84ec5ce27ed1bbddcd28 SHA512 8b9471074130fd26b511820a1c2586792fd0105421515734c213ae18de27b5b026261e64d4cb8f5e7b568d1f4193484ebe0e99eda9d99df72474310a568ca3bf

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 → sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 #
 # Openssl doesn't play along nicely with cross-compiling
@@ -32,6 +32,7 @@ if [[ $1 == "test" ]] ; then
 		"i686-apple-darwinX           |darwin-i386-cc" \
 		"i386-apple-darwinX           |darwin-i386-cc" \
 		"powerpc-apple-darwinX        |darwin-ppc-cc" \
+		"arm64-apple-darwinX          |darwin-arm64-cc" \
 		"i586-pc-winnt                |winnt-parity" \
 		"s390-ibm-linux-gnu           |linux-generic32 -DB_ENDIAN" \
 		"s390x-linux-gnu              |linux64-s390x" \
@@ -77,7 +78,9 @@ fi
 
 # Detect target arch
 machine=""
+submachine=""
 chost_machine=${CHOST%%-*}
+[[ ${CC} == *clang* ]] && submachine="-clang"
 case ${system} in
 linux)
 	case ${chost_machine}:${ABI} in
@@ -86,6 +89,10 @@ linux)
 		alphaev56*|\
 		alphaev[678]*)machine=alpha+bwx-${compiler};;
 		alpha*)       machine=alpha-${compiler};;
+		arc64*b*)     machine="generic64 -DB_ENDIAN";;
+		arc64*)       machine="generic64 -DL_ENDIAN";;
+		arc*b*)       machine="generic32 -DB_ENDIAN";;
+		arc*)         machine="generic32 -DL_ENDIAN";;
 		armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
 		armv[4-9]*)   machine="armv4 -DL_ENDIAN";;
 		arm*b*)       machine="generic32 -DB_ENDIAN";;
@@ -95,18 +102,24 @@ linux)
 	#	hppa64*)      machine=parisc64;;
 		hppa*)        machine="generic32 -DB_ENDIAN";;
 		i[0-9]86*|\
-		x86_64*:x86)  machine=elf;;
+		x86_64*:x86)  machine=x86${submachine};;
 		ia64*)        machine=ia64;;
-		loongarch64*) machine="generic64 -DL_ENDIAN";;
-		m68*)         machine="generic32 -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
+		loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
+		m68*)         machine="latomic -DB_ENDIAN";;
+		mips*el*:o32) machine="mips32 -DL_ENDIAN";;
+		mips*:o32)    machine="mips32 -DB_ENDIAN";;
+		mips*el*:n32) machine="mips64 -DL_ENDIAN";;
+		mips*:n32)    machine="mips64 -DB_ENDIAN";;
+		mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;;
+		mips*:n64)    machine="mips64 -DB_ENDIAN" system=linux64;;
 		powerpc64*le*)machine=ppc64le;;
 		powerpc64*)   machine=ppc64;;
 		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
 		powerpc*)     machine=ppc;;
+		riscv32be*)   machine="generic32 -DB_ENDIAN";;
 		riscv32*)     machine="generic32 -DL_ENDIAN";;
-		riscv64*)     machine="generic64 -DL_ENDIAN";;
+		riscv64be*)   machine="riscv64 -DB_ENDIAN" system=linux64;;
+		riscv64*)     machine="riscv64 -DL_ENDIAN" system=linux64;;
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
 		sh*)          machine="generic32 -DL_ENDIAN";;
@@ -121,7 +134,7 @@ linux)
 		s390x*)       machine=s390x system=linux64;;
 		s390*)        machine="generic32 -DB_ENDIAN";;
 		x86_64*:x32)  machine=x32;;
-		x86_64*)      machine=x86_64;;
+		x86_64*)      machine=x86_64${submachine};;
 	esac
 	;;
 BSD)
@@ -143,6 +156,7 @@ darwin)
 		powerpc)      machine=ppc-cc;;
 		i?86*)        machine=i386-cc;;
 		x86_64)       machine=x86_64-cc; system=${system}64;;
+		arm64)        machine=arm64-cc; system=${system}64;;
 	esac
 	;;
 hpux)

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch

@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
+
+From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <[email protected]>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <[email protected]>
+Reviewed-by: Bernd Edlinger <[email protected]>
+Reviewed-by: Paul Dale <[email protected]>
+Reviewed-by: Tomas Mraz <[email protected]>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+
+-    return k;
++    return k + 1;
+ }
+
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml

@@ -6,10 +6,10 @@
 		<name>Gentoo Base System</name>
 	</maintainer>
 	<use>
-		<flag name="asm">Support assembly hand optimized crypto functions (i.e. faster run time)</flag>
 		<flag name="bindist">Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI</flag>
 		<flag name="fips">Enable FIPS provider</flag>
 		<flag name="ktls">Enable support for Kernel implementation of TLS (kTLS)</flag>
+		<flag name="quic">Enable support for QUIC (RFC 9000); a UDP-based protocol intended to replace TCP</flag>
 		<flag name="rfc3779">Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers)</flag>
 		<flag name="sslv2">Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https</flag>
 		<flag name="sslv3">Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https</flag>