author | Ovidiu Panait <ovidiu.panait@windriver.com> | 2022-03-20 11:25:36 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-23 23:16:12 +0000 |
commit | 95bdd2e6f83aec40febda1ff6fed6b899ef103fe (patch) | |
tree | ed422d55658bf712043b8e828f57c6ef78b6ccb7 /meta/recipes-connectivity/openssl | |
parent | 8b369ca021c212d36ec115c0b5e4596ae2c13543 (diff) | |
openssl: upgrade 1.1.1l -> 1.1.1n
Upgrade openssl 1.1.1l -> 1.1.1n to fix CVE-2022-0778:
https://nvd.nist.gov/vuln/detail/CVE-2022-0778
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=3118eb64934499d93db3230748a452351d1d9a65
This also fixes an evp_extra_test ptest failure introduced by openssl-1.1.1m:
"""
not ok 19 - test_signatures_with_engine
ERROR: (ptr) 'e = ENGINE_by_id(engine_id) != NULL' failed @ ../openssl-1.1.1m/test/evp_extra_test.c:1890
0x0
not ok 20 - test_cipher_with_engine
<snip>
"""
The ptest change is already present in Yocto master since oe-core
commit 5cd40648b0ba ("openssl: upgrade to 3.0.1").
(From OE-Core rev: 4d33b7ce0c50af81a01014a7d7d37c93a041a28d)
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch | 145 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.1.1n.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb) | 4 |
2 files changed, 2 insertions, 147 deletions
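--- a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch
+++ /dev/null
@@ -1,145 +0,0 @@
-From e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Sat, 11 Dec 2021 20:28:11 +0100
-Subject: [PATCH] Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit
-targets
-
-bn_sqr_comba8 does for instance compute a wrong result for the value:
-a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45
-
-The correct result is:
-r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
-912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899
-
-but the actual result was:
-r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f
-912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899
-
-so the forth word of the result was 0x75be8e3c but should have been
-0x75be8e3d instead.
-
-Likewise bn_sqr_comba4 has an identical bug for the same value as well:
-a=0x022181ba fd3aa878 899b2346 ee210f45
-
-correct result:
-r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899
-
-wrong result:
-r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899
-
-Fortunately the bn_mul_comba4/8 code paths are not affected.
-
-Also the mips64 target does in fact not handle the carry propagation
-correctly.
-
-Example:
-a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000
-022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001
-
-correct result:
-r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
-0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
-3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
-2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
-
-wrong result:
-r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1
-0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d
-3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06
-2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001
-
-Reviewed-by: Paul Dale <pauli@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/17258)
-
-(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590)
-
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb]
-CVE: CVE-2021-4160
-Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
-
----
-crypto/bn/asm/mips.pl | 4 ++++
-test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++
-2 files changed, 49 insertions(+)
-
-diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl
-index 8ad715bda4..74101030f2 100644
---- a/crypto/bn/asm/mips.pl
-+++ b/crypto/bn/asm/mips.pl
-@@ -1984,6 +1984,8 @@ $code.=<<___;
-sltu $at,$c_2,$t_1
-$ADDU $c_3,$t_2,$at
-$ST $c_2,$BNSZ($a0)
-+ sltu $at,$c_3,$t_2
-+ $ADDU $c_1,$at
-mflo ($t_1,$a_2,$a_0)
-mfhi ($t_2,$a_2,$a_0)
-___
-@@ -2194,6 +2196,8 @@ $code.=<<___;
-sltu $at,$c_2,$t_1
-$ADDU $c_3,$t_2,$at
-$ST $c_2,$BNSZ($a0)
-+ sltu $at,$c_3,$t_2
-+ $ADDU $c_1,$at
-mflo ($t_1,$a_2,$a_0)
-mfhi ($t_2,$a_2,$a_0)
-___
-diff --git a/test/bntest.c b/test/bntest.c
-index b58028a301..bab34ba54b 100644
---- a/test/bntest.c
-+++ b/test/bntest.c
-@@ -627,6 +627,51 @@ static int test_modexp_mont5(void)
-if (!TEST_BN_eq(c, d))
-goto err;
-
-+ /*
-+ * Regression test for overflow bug in bn_sqr_comba4/8 for
-+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets.
-+ */
-+ {
-+ static const char *ehex[] = {
-+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee",
-+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5",
-+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a",
-+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985",
-+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1",
-+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680",
-+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e",
-+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465",
-+ NULL};
-+ static const char *phex[] = {
-+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241",
-+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31",
-+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053",
-+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439",
-+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5",
-+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813",
-+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4",
-+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5",
-+ NULL};
-+ static const char *mhex[] = {
-+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f",
-+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3",
-+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900",
-+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b",
-+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc",
-+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647",
-+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c",
-+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b",
-+ NULL};
-+
-+ if (!TEST_true(parse_bigBN(&e, ehex))
-|| !TEST_true(parse_bigBN(&p, phex))
-|| !TEST_true(parse_bigBN(&m, mhex))
-|| !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL))
-|| !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx))
-|| !TEST_BN_eq(a, d))
-+ goto err;
-+ }
-+
-/* Zero input */
-if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0)))
-goto err;
---
-2.25.1
-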
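--- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb
@@ -18,14 +18,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
 file://afalg.patch \
 file://reproducible.patch \
 file://reproducibility.patch \
-file://CVE-2021-4160.patch \
 "
 
 SRC_URI_append_class-nativesdk = " \
 file://environment.d-openssl.sh \
 "
 
-SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1"
+SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a"
 
 inherit lib_package multilib_header multilib_script ptest
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -181,6 +180,7 @@ do_install_ptest () {
 install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
 
 install -d ${D}${PTEST_PATH}/engines
+install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
 install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
 }
 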
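Review bot: The added `install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines` line in the second hunk has no comment naming the test that needs the engine, so a later cleanup could drop it and bring the ptest failure back. A line above it such as `# evp_extra_test loads the dasync engine via ENGINE_by_id(); ship it with the ptest engines` would record that. The link to the `test_signatures_with_engine` failure is inferred from the commit message, since the test source is not shown here, and do_install_ptest starts before the hunk. In the first hunk, `file://CVE-2021-4160.patch` leaves SRC_URI without the description stating that the backport is already in the new tarball. The fix appears to have shipped upstream in 1.1.1m, so the removal looks right, but one sentence saying so in the message would keep CVE tracking auditable.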