1 files changed, 0 insertions, 122 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
deleted file mode 100644
index ef344dda7f..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 12 May 2023 10:00:13 +0200
-Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
- translate
-OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
-numeric text form.  For gigantic sub-identifiers, this would take a very
-long time, the time complexity being O(n^2) where n is the size of that
-sub-identifier.
-To mitigate this, a restriction on the size that OBJ_obj2txt() will
-translate to canonical numeric text form is added, based on RFC 2578
-(STD 58), which says this:
-> 3.5. OBJECT IDENTIFIER values
->
-> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
-> For the SMIv2, each number in the list is referred to as a sub-identifier,
-> there are at most 128 sub-identifiers in a value, and each sub-identifier
-> has a maximum value of 2^32-1 (4294967295 decimal).
-Fixes otc/security#96
-Fixes CVE-2023-2650
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098]
-CVE: CVE-2023-2650
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- CHANGES                  | 28 +++++++++++++++++++++++++++-
- NEWS                     |  2 ++
- crypto/objects/obj_dat.c | 19 +++++++++++++++++++
- 3 files changed, 48 insertions(+), 1 deletion(-)
-diff --git a/CHANGES b/CHANGES
-index 1eaaf4e..f2cf38f 100644
--- a/CHANGES
-+++ b/CHANGES
-@@ -7,7 +7,33 @@
-  https://github.com/openssl/openssl/commits/ and pick the appropriate
-  release branch.
- 
- Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
-+ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
-+
-+  *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
-+     OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
-+
-+     OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
-+     numeric text form.  For gigantic sub-identifiers, this would take a very
-+     long time, the time complexity being O(n^2) where n is the size of that
-+     sub-identifier.  (CVE-2023-2650)
-+
-+     To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
-+     IDENTIFIER to canonical numeric text form if the size of that OBJECT
-+     IDENTIFIER is 586 bytes or less, and fail otherwise.
-+
-+     The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
-+     IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
-+     most 128 sub-identifiers, and that the maximum value that each sub-
-+     identifier may have is 2^32-1 (4294967295 decimal).
-+
-+     For each byte of every sub-identifier, only the 7 lower bits are part of
-+     the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
-+     these restrictions may occupy is 32 * 128 / 7, which is approximately 586
-+     bytes.
-+
-+     Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-+
-+Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
- 
-   *) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
-      that it does not enable policy checking. Thanks to
-diff --git a/NEWS b/NEWS
-index a86220a..41922c4 100644
--- a/NEWS
-+++ b/NEWS
-@@ -7,6 +7,8 @@
- 
-   Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
- 
-+      o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
-+        OBJECT IDENTIFIER sub-identities.  (CVE-2023-2650)
-       o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
-       o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
-       o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 7e8de72..d699915 100644
--- a/crypto/objects/obj_dat.c
-+++ b/crypto/objects/obj_dat.c
-@@ -428,6 +428,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
-     first = 1;
-     bl = NULL;
- 
-+    /*
-+     * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
-+     *
-+     * > 3.5. OBJECT IDENTIFIER values
-+     * >
-+     * > An OBJECT IDENTIFIER value is an ordered list of non-negative
-+     * > numbers. For the SMIv2, each number in the list is referred to as a
-+     * > sub-identifier, there are at most 128 sub-identifiers in a value,
-+     * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
-+     * > decimal).
-+     *
-+     * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
-+     * i.e. 586 bytes long.
-+     *
-+     * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-+     */
-+    if (len > 586)
-+        goto err;
-+
-     while (len > 0) {
-         l = 0;
-         use_bn = 0;
-- 
-2.25.1

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch deleted file mode 100644 index ef344dda7f..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-2650.patch +++ /dev/null
@@ -1,122 +0,0 @@
1	From 9e209944b35cf82368071f160a744b6178f9b098 Mon Sep 17 00:00:00 2001
2	From: Richard Levitte <levitte@openssl.org>
3	Date: Fri, 12 May 2023 10:00:13 +0200
4	Subject: [PATCH] Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will
5	translate
6
7	OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
8	numeric text form. For gigantic sub-identifiers, this would take a very
9	long time, the time complexity being O(n^2) where n is the size of that
10	sub-identifier.
11
12	To mitigate this, a restriction on the size that OBJ_obj2txt() will
13	translate to canonical numeric text form is added, based on RFC 2578
14	(STD 58), which says this:
15
16	> 3.5. OBJECT IDENTIFIER values
17	>
18	> An OBJECT IDENTIFIER value is an ordered list of non-negative numbers.
19	> For the SMIv2, each number in the list is referred to as a sub-identifier,
20	> there are at most 128 sub-identifiers in a value, and each sub-identifier
21	> has a maximum value of 2^32-1 (4294967295 decimal).
22
23	Fixes otc/security#96
24	Fixes CVE-2023-2650
25
26	Reviewed-by: Matt Caswell <matt@openssl.org>
27	Reviewed-by: Tomas Mraz <tomas@openssl.org>
28
29	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9e209944b35cf82368071f160a744b6178f9b098]
30	CVE: CVE-2023-2650
31	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
32	---
33	CHANGES \| 28 +++++++++++++++++++++++++++-
34	NEWS \| 2 ++
35	crypto/objects/obj_dat.c \| 19 +++++++++++++++++++
36	3 files changed, 48 insertions(+), 1 deletion(-)
37
38	diff --git a/CHANGES b/CHANGES
39	index 1eaaf4e..f2cf38f 100644
40	--- a/CHANGES
41	+++ b/CHANGES
42	@@ -7,7 +7,33 @@
43	https://github.com/openssl/openssl/commits/ and pick the appropriate
44	release branch.
45
46	- Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
47	+ Changes between 1.1.1t and 1.1.1u [xx XXX xxxx]
48	+
49	+ *) Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic
50	+ OBJECT IDENTIFIER sub-identifiers to canonical numeric text form.
51	+
52	+ OBJ_obj2txt() would translate any size OBJECT IDENTIFIER to canonical
53	+ numeric text form. For gigantic sub-identifiers, this would take a very
54	+ long time, the time complexity being O(n^2) where n is the size of that
55	+ sub-identifier. (CVE-2023-2650)
56	+
57	+ To mitigitate this, `OBJ_obj2txt()` will only translate an OBJECT
58	+ IDENTIFIER to canonical numeric text form if the size of that OBJECT
59	+ IDENTIFIER is 586 bytes or less, and fail otherwise.
60	+
61	+ The basis for this restriction is RFC 2578 (STD 58), section 3.5. OBJECT
62	+ IDENTIFIER values, which stipulates that OBJECT IDENTIFIERS may have at
63	+ most 128 sub-identifiers, and that the maximum value that each sub-
64	+ identifier may have is 2^32-1 (4294967295 decimal).
65	+
66	+ For each byte of every sub-identifier, only the 7 lower bits are part of
67	+ the value, so the maximum amount of bytes that an OBJECT IDENTIFIER with
68	+ these restrictions may occupy is 32 * 128 / 7, which is approximately 586
69	+ bytes.
70	+
71	+ Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
72	+
73	+Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
74
75	*) Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention
76	that it does not enable policy checking. Thanks to
77	diff --git a/NEWS b/NEWS
78	index a86220a..41922c4 100644
79	--- a/NEWS
80	+++ b/NEWS
81	@@ -7,6 +7,8 @@
82
83	Major changes between OpenSSL 1.1.1s and OpenSSL 1.1.1t [7 Feb 2023]
84
85	+ o Mitigate for very slow `OBJ_obj2txt()` performance with gigantic
86	+ OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
87	o Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
88	o Fixed X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)
89	o Fixed Use-after-free following BIO_new_NDEF (CVE-2023-0215)
90	diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
91	index 7e8de72..d699915 100644
92	--- a/crypto/objects/obj_dat.c
93	+++ b/crypto/objects/obj_dat.c
94	@@ -428,6 +428,25 @@ int OBJ_obj2txt(char buf, int buf_len, const ASN1_OBJECT a, int no_name)
95	first = 1;
96	bl = NULL;
97
98	+ /*
99	+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
100	+ *
101	+ * > 3.5. OBJECT IDENTIFIER values
102	+ * >
103	+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
104	+ * > numbers. For the SMIv2, each number in the list is referred to as a
105	+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
106	+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
107	+ * > decimal).
108	+ *
109	+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
110	+ * i.e. 586 bytes long.
111	+ *
112	+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
113	+ */
114	+ if (len > 586)
115	+ goto err;
116	+
117	while (len > 0) {
118	l = 0;
119	use_bn = 0;
120	--
121	2.25.1
122