3 files changed, 280 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Implement-riscv_vlen_asm-for-riscv32.patch b/meta/recipes-connectivity/openssl/openssl/0001-Implement-riscv_vlen_asm-for-riscv32.patch
new file mode 100644
index 0000000000..e398d1074a
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Implement-riscv_vlen_asm-for-riscv32.patch
@@ -0,0 +1,43 @@
+From 725b1530456545e8511adc9cbdd265309dffad53 Mon Sep 17 00:00:00 2001
+From: Hongren Zheng <i@zenithal.me>
+Date: Fri, 26 Apr 2024 06:03:43 +0000
+Subject: [PATCH] Implement riscv_vlen_asm for riscv32
+riscvcap.c: undefined reference to 'riscv_vlen_asm'
+Upstream-Status: Backport [https://github.com/openssl/openssl/pull/24270]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ crypto/riscv32cpuid.pl | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+diff --git a/crypto/riscv32cpuid.pl b/crypto/riscv32cpuid.pl
+index 20694e7..ac1c043 100644
+--- a/crypto/riscv32cpuid.pl
+++ b/crypto/riscv32cpuid.pl
+@@ -84,5 +84,22 @@ OPENSSL_cleanse:
+ ___
+ }
+ 
+{
+my ($ret) = ('a0');
+$code .= <<___;
+################################################################################
+# size_t riscv_vlen_asm(void)
+# Return VLEN (i.e. the length of a vector register in bits).
+.p2align 3
+.globl riscv_vlen_asm
+.type riscv_vlen_asm,\@function
+riscv_vlen_asm:
+    csrr $ret, vlenb
+    slli $ret, $ret, 3
+    ret
+.size riscv_vlen_asm,.-riscv_vlen_asm
+___
+}
+
+ print $code;
+ close STDOUT or die "error closing STDOUT: $!";
+-- 
+2.45.0
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
new file mode 100644
index 0000000000..cdc3d0d503
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,179 @@
+From 53ea06486d296b890d565fb971b2764fcd826e7e Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Wed, 8 May 2024 15:23:45 +0200
+Subject: [PATCH] Check DSA parameters for excessive sizes before validating
+This avoids overly long computation of various validation
+checks.
+Fixes CVE-2024-4603
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
+(Merged from https://github.com/openssl/openssl/pull/24346)
+(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
+<dropped CHANGES.md modifications as it would need backport of all previous changes>
+CVE: CVE-2024-4603
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ crypto/dsa/dsa_check.c                        | 44 ++++++++++++--
+ .../invalid/p10240_q256_too_big.pem           | 57 +++++++++++++++++++
+ 2 files changed, 97 insertions(+), 4 deletions(-)
+diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
+index 7b6d7df88f..e1375dfad9 100644
+--- a/crypto/dsa/dsa_check.c
+++ b/crypto/dsa/dsa_check.c
+@@ -19,8 +19,34 @@
+ #include "dsa_local.h"
+ #include "crypto/dsa.h"
+ 
+static int dsa_precheck_params(const DSA *dsa, int *ret)
+{
+    if (dsa->params.p == NULL || dsa->params.q == NULL) {
+        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
+        *ret = FFC_CHECK_INVALID_PQ;
+        return 0;
+    }
+
+    if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
+        ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
+        *ret = FFC_CHECK_INVALID_PQ;
+        return 0;
+    }
+
+    if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
+        ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
+        *ret = FFC_CHECK_INVALID_PQ;
+        return 0;
+    }
+
+    return 1;
+}
+
+ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+ {
+    if (!dsa_precheck_params(dsa, ret))
+        return 0;
+
+     if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
+         return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
+                                                FFC_PARAM_TYPE_DSA, ret);
+@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret)
+  */
+ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
+    if (!dsa_precheck_params(dsa, ret))
+        return 0;
+
+     return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+  */
+ int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret)
+ {
+    if (!dsa_precheck_params(dsa, ret))
+        return 0;
+
+     return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
+            && *ret == 0;
+ }
+@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const BIGNUM *priv_key, int *ret)
+ {
+     *ret = 0;
+ 
+-    return (dsa->params.q != NULL
+-            && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
+    if (!dsa_precheck_params(dsa, ret))
+        return 0;
+
+    return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
+ }
+ 
+ /*
+@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
+     BN_CTX *ctx = NULL;
+     BIGNUM *pub_key = NULL;
+ 
+-    if (dsa->params.p == NULL
+-        || dsa->params.g == NULL
+    if (!dsa_precheck_params(dsa, &ret))
+        return 0;
+
+    if (dsa->params.g == NULL
+         || dsa->priv_key == NULL
+         || dsa->pub_key == NULL)
+         return 0;
+diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+new file mode 100644
+index 0000000000..e85e2953b7
+--- /dev/null
+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
+@@ -0,0 +1,57 @@
+-----BEGIN DSA PARAMETERS-----
+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
+vKuje86bePD6kD/LH3wmkA==
+-----END DSA PARAMETERS-----
+-- 
+2.30.2
diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch
new file mode 100644
index 0000000000..748576c30c
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/bti.patch
@@ -0,0 +1,58 @@
+From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
+From: Tom Cosgrove <tom.cosgrove@arm.com>
+Date: Tue, 26 Mar 2024 13:18:00 +0000
+Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
+In Arm systems where BTI is enabled but the Crypto extensions are not (more
+likely in FVPs than in real hardware), the bit-sliced assembler code will
+be used. However, this wasn't annotated with BTI instructions when BTI was
+enabled, so the moment libssl jumps into this code it (correctly) aborts.
+Solve this by adding the missing BTI landing pads.
+Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
+Signed-off-by: Ross Burton <ross.burton@arm.com>
+---
+ crypto/aes/asm/bsaes-armv8.pl | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
+index b3c97e439f..c3c5ff3e05 100644
+--- a/crypto/aes/asm/bsaes-armv8.pl
+++ b/crypto/aes/asm/bsaes-armv8.pl
+@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
+ //   Initialisation vector overwritten with last quadword of ciphertext
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_cbc_encrypt:
+        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #128
+         bhs     .Lcbc_do_bsaes
+         b       AES_cbc_encrypt
+@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
+ //   Output text filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_ctr32_encrypt_blocks:
+-
+        AARCH64_VALID_CALL_TARGET
+         cmp     x2, #8                      // use plain AES for
+         blo     .Lctr_enc_short             // small sizes
+ 
+@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
+ //   Output ciphertext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_encrypt:
+        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
+ //   Output plaintext filled in
+ //   No output registers, usual AAPCS64 register preservation
+ ossl_bsaes_xts_decrypt:
+        AARCH64_VALID_CALL_TARGET
+         // Stack layout:
+         // sp ->
+         //        nrounds*128-96 bytes: key schedule
+-- 
+2.34.1

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Implement-riscv_vlen_asm-for-riscv32.patch b/meta/recipes-connectivity/openssl/openssl/0001-Implement-riscv_vlen_asm-for-riscv32.patch new file mode 100644 index 0000000000..e398d1074a --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Implement-riscv_vlen_asm-for-riscv32.patch
@@ -0,0 +1,43 @@
	1	From 725b1530456545e8511adc9cbdd265309dffad53 Mon Sep 17 00:00:00 2001
	2	From: Hongren Zheng <i@zenithal.me>
	3	Date: Fri, 26 Apr 2024 06:03:43 +0000
	4	Subject: [PATCH] Implement riscv_vlen_asm for riscv32
	5
	6	riscvcap.c: undefined reference to 'riscv_vlen_asm'
	7
	8	Upstream-Status: Backport [https://github.com/openssl/openssl/pull/24270]
	9	Signed-off-by: Khem Raj <raj.khem@gmail.com>
	10	---
	11	crypto/riscv32cpuid.pl \| 17 +++++++++++++++++
	12	1 file changed, 17 insertions(+)
	13
	14	diff --git a/crypto/riscv32cpuid.pl b/crypto/riscv32cpuid.pl
	15	index 20694e7..ac1c043 100644
	16	--- a/crypto/riscv32cpuid.pl
	17	+++ b/crypto/riscv32cpuid.pl
	18	@@ -84,5 +84,22 @@ OPENSSL_cleanse:
	19	___
	20	}
	21
	22	+{
	23	+my ($ret) = ('a0');
	24	+$code .= <<___;
	25	+################################################################################
	26	+# size_t riscv_vlen_asm(void)
	27	+# Return VLEN (i.e. the length of a vector register in bits).
	28	+.p2align 3
	29	+.globl riscv_vlen_asm
	30	+.type riscv_vlen_asm,\@function
	31	+riscv_vlen_asm:
	32	+ csrr $ret, vlenb
	33	+ slli $ret, $ret, 3
	34	+ ret
	35	+.size riscv_vlen_asm,.-riscv_vlen_asm
	36	+___
	37	+}
	38	+
	39	print $code;
	40	close STDOUT or die "error closing STDOUT: $!";
	41	--
	42	2.45.0
	43


diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch new file mode 100644 index 0000000000..cdc3d0d503 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch
@@ -0,0 +1,179 @@
	1	From 53ea06486d296b890d565fb971b2764fcd826e7e Mon Sep 17 00:00:00 2001
	2	From: Tomas Mraz <tomas@openssl.org>
	3	Date: Wed, 8 May 2024 15:23:45 +0200
	4	Subject: [PATCH] Check DSA parameters for excessive sizes before validating
	5
	6	This avoids overly long computation of various validation
	7	checks.
	8
	9	Fixes CVE-2024-4603
	10
	11	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
	12	Reviewed-by: Matt Caswell <matt@openssl.org>
	13	Reviewed-by: Neil Horman <nhorman@openssl.org>
	14	Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
	15	(Merged from https://github.com/openssl/openssl/pull/24346)
	16
	17	(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b)
	18
	19	<dropped CHANGES.md modifications as it would need backport of all previous changes>
	20
	21	CVE: CVE-2024-4603
	22	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e]
	23	Signed-off-by: Peter Marko <peter.marko@siemens.com>
	24	---
	25	crypto/dsa/dsa_check.c \| 44 ++++++++++++--
	26	.../invalid/p10240_q256_too_big.pem \| 57 +++++++++++++++++++
	27	2 files changed, 97 insertions(+), 4 deletions(-)
	28
	29	diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
	30	index 7b6d7df88f..e1375dfad9 100644
	31	--- a/crypto/dsa/dsa_check.c
	32	+++ b/crypto/dsa/dsa_check.c
	33	@@ -19,8 +19,34 @@
	34	#include "dsa_local.h"
	35	#include "crypto/dsa.h"
	36
	37	+static int dsa_precheck_params(const DSA dsa, int ret)
	38	+{
	39	+ if (dsa->params.p == NULL \|\| dsa->params.q == NULL) {
	40	+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS);
	41	+ *ret = FFC_CHECK_INVALID_PQ;
	42	+ return 0;
	43	+ }
	44	+
	45	+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) {
	46	+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE);
	47	+ *ret = FFC_CHECK_INVALID_PQ;
	48	+ return 0;
	49	+ }
	50	+
	51	+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) {
	52	+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE);
	53	+ *ret = FFC_CHECK_INVALID_PQ;
	54	+ return 0;
	55	+ }
	56	+
	57	+ return 1;
	58	+}
	59	+
	60	int ossl_dsa_check_params(const DSA dsa, int checktype, int ret)
	61	{
	62	+ if (!dsa_precheck_params(dsa, ret))
	63	+ return 0;
	64	+
	65	if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK)
	66	return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params,
	67	FFC_PARAM_TYPE_DSA, ret);
	68	@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA dsa, int checktype, int ret)
	69	*/
	70	int ossl_dsa_check_pub_key(const DSA dsa, const BIGNUM pub_key, int *ret)
	71	{
	72	+ if (!dsa_precheck_params(dsa, ret))
	73	+ return 0;
	74	+
	75	return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret)
	76	&& *ret == 0;
	77	}
	78	@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA dsa, const BIGNUM pub_key, int *ret)
	79	*/
	80	int ossl_dsa_check_pub_key_partial(const DSA dsa, const BIGNUM pub_key, int *ret)
	81	{
	82	+ if (!dsa_precheck_params(dsa, ret))
	83	+ return 0;
	84	+
	85	return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret)
	86	&& *ret == 0;
	87	}
	88	@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA dsa, const BIGNUM priv_key, int *ret)
	89	{
	90	*ret = 0;
	91
	92	- return (dsa->params.q != NULL
	93	- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret));
	94	+ if (!dsa_precheck_params(dsa, ret))
	95	+ return 0;
	96	+
	97	+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret);
	98	}
	99
	100	/*
	101	@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa)
	102	BN_CTX *ctx = NULL;
	103	BIGNUM *pub_key = NULL;
	104
	105	- if (dsa->params.p == NULL
	106	- \|\| dsa->params.g == NULL
	107	+ if (!dsa_precheck_params(dsa, &ret))
	108	+ return 0;
	109	+
	110	+ if (dsa->params.g == NULL
	111	\|\| dsa->priv_key == NULL
	112	\|\| dsa->pub_key == NULL)
	113	return 0;
	114	diff --git a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
	115	new file mode 100644
	116	index 0000000000..e85e2953b7
	117	--- /dev/null
	118	+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem
	119	@@ -0,0 +1,57 @@
	120	+-----BEGIN DSA PARAMETERS-----
	121	+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja
	122	+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil
	123	+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF
	124	+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk
	125	+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW
	126	+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb
	127	+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O
	128	+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ
	129	+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5
	130	+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2
	131	+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB
	132	+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN
	133	+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl
	134	+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ
	135	+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg
	136	+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG
	137	+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE
	138	+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN
	139	+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2
	140	+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8
	141	+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd
	142	+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW
	143	+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9
	144	+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7
	145	+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s
	146	+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs
	147	+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN
	148	+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy
	149	+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx
	150	+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36
	151	+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2
	152	+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B
	153	+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8
	154	+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W
	155	+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl
	156	++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX
	157	+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq
	158	+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX
	159	+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot
	160	+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK
	161	+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco
	162	+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD
	163	+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3
	164	+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy
	165	+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct
	166	+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+
	167	+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd
	168	+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG
	169	+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E
	170	+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk
	171	+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF
	172	+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d
	173	+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa
	174	+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D
	175	+vKuje86bePD6kD/LH3wmkA==
	176	+-----END DSA PARAMETERS-----
	177	--
	178	2.30.2
	179


diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch b/meta/recipes-connectivity/openssl/openssl/bti.patch new file mode 100644 index 0000000000..748576c30c --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/bti.patch
@@ -0,0 +1,58 @@
	1	From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001
	2	From: Tom Cosgrove <tom.cosgrove@arm.com>
	3	Date: Tue, 26 Mar 2024 13:18:00 +0000
	4	Subject: [PATCH] aarch64: fix BTI in bsaes assembly code
	5
	6	In Arm systems where BTI is enabled but the Crypto extensions are not (more
	7	likely in FVPs than in real hardware), the bit-sliced assembler code will
	8	be used. However, this wasn't annotated with BTI instructions when BTI was
	9	enabled, so the moment libssl jumps into this code it (correctly) aborts.
	10
	11	Solve this by adding the missing BTI landing pads.
	12
	13	Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982]
	14	Signed-off-by: Ross Burton <ross.burton@arm.com>
	15	---
	16	crypto/aes/asm/bsaes-armv8.pl \| 5 ++++-
	17	1 file changed, 4 insertions(+), 1 deletion(-)
	18
	19	diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl
	20	index b3c97e439f..c3c5ff3e05 100644
	21	--- a/crypto/aes/asm/bsaes-armv8.pl
	22	+++ b/crypto/aes/asm/bsaes-armv8.pl
	23	@@ -1018,6 +1018,7 @@ _bsaes_key_convert:
	24	// Initialisation vector overwritten with last quadword of ciphertext
	25	// No output registers, usual AAPCS64 register preservation
	26	ossl_bsaes_cbc_encrypt:
	27	+ AARCH64_VALID_CALL_TARGET
	28	cmp x2, #128
	29	bhs .Lcbc_do_bsaes
	30	b AES_cbc_encrypt
	31	@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt:
	32	// Output text filled in
	33	// No output registers, usual AAPCS64 register preservation
	34	ossl_bsaes_ctr32_encrypt_blocks:
	35	-
	36	+ AARCH64_VALID_CALL_TARGET
	37	cmp x2, #8 // use plain AES for
	38	blo .Lctr_enc_short // small sizes
	39
	40	@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks:
	41	// Output ciphertext filled in
	42	// No output registers, usual AAPCS64 register preservation
	43	ossl_bsaes_xts_encrypt:
	44	+ AARCH64_VALID_CALL_TARGET
	45	// Stack layout:
	46	// sp ->
	47	// nrounds*128-96 bytes: key schedule
	48	@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt:
	49	// Output plaintext filled in
	50	// No output registers, usual AAPCS64 register preservation
	51	ossl_bsaes_xts_decrypt:
	52	+ AARCH64_VALID_CALL_TARGET
	53	// Stack layout:
	54	// sp ->
	55	// nrounds*128-96 bytes: key schedule
	56	--
	57	2.34.1
	58