diff options
Diffstat (limited to 'meta/recipes-connectivity/openssl')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch | 38 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch | 37 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch | 122 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/reproducibility.patch | 22 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_1.1.1w.bb (renamed from meta/recipes-connectivity/openssl/openssl_1.1.1i.bb) | 7 |
5 files changed, 225 insertions, 1 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch new file mode 100644 index 0000000000..e2a65d0998 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-add-2-missing-key-sorts.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 679ae2f72ef8cf37609cb0eff5de3b98aa85e395 Mon Sep 17 00:00:00 2001 | ||
2 | From: Steve Sakoman <steve@sakoman.com> | ||
3 | Date: Thu, 20 Jul 2023 04:14:42 -1000 | ||
4 | Subject: [PATCH] Configure: add 2 missing key sorts in generation of unified_info | ||
5 | |||
6 | Otherwise generation of this section in configdata.pm is not reproducible | ||
7 | |||
8 | Signed-off-by: Steve Sakoman <steve@sakoman.com> | ||
9 | Upstream-Status: Backport [adapted from 3.x commit https://github.com/openssl/openssl/commit/764cf5b26306a8712e8b3d41599c44dc5ed07a25] | ||
10 | --- | ||
11 | Configure | 4 ++-- | ||
12 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
13 | |||
14 | diff --git a/Configure b/Configure | ||
15 | index 2a01746..8fc5a2c 100755 | ||
16 | --- a/Configure | ||
17 | +++ b/Configure | ||
18 | @@ -2326,7 +2326,7 @@ EOF | ||
19 | "dso" => [ @{$unified_info{engines}} ], | ||
20 | "bin" => [ @{$unified_info{programs}} ], | ||
21 | "script" => [ @{$unified_info{scripts}} ] ); | ||
22 | - foreach my $type (keys %loopinfo) { | ||
23 | + foreach my $type (sort keys %loopinfo) { | ||
24 | foreach my $product (@{$loopinfo{$type}}) { | ||
25 | my %dirs = (); | ||
26 | my $pd = dirname($product); | ||
27 | @@ -2347,7 +2347,7 @@ EOF | ||
28 | push @{$unified_info{dirinfo}->{$d}->{deps}}, $_ | ||
29 | if $d ne $pd; | ||
30 | } | ||
31 | - foreach (keys %dirs) { | ||
32 | + foreach (sort keys %dirs) { | ||
33 | push @{$unified_info{dirinfo}->{$_}->{products}->{$type}}, | ||
34 | $product; | ||
35 | } | ||
36 | -- | ||
37 | 2.34.1 | ||
38 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch new file mode 100644 index 0000000000..b3f6a942d5 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From 326909baf81a638d51fa8be1d8227518784f5cc4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Alexander Kanavin <alex@linutronix.de> | ||
3 | Date: Tue, 14 Sep 2021 12:18:25 +0200 | ||
4 | Subject: [PATCH] Configure: do not tweak mips cflags | ||
5 | |||
6 | This conflicts with mips machine definitons from yocto, | ||
7 | e.g. | ||
8 | | Error: -mips3 conflicts with the other architecture options, which imply -mips64r2 | ||
9 | |||
10 | Upstream-Status: Inappropriate [oe-core specific] | ||
11 | Signed-off-by: Alexander Kanavin <alex@linutronix.de> | ||
12 | Signed-off-by: Peter Marko <peter.marko@siemens.com> | ||
13 | --- | ||
14 | Configure | 10 ---------- | ||
15 | 1 file changed, 10 deletions(-) | ||
16 | |||
17 | Index: openssl-3.0.4/Configure | ||
18 | =================================================================== | ||
19 | --- openssl-3.0.4.orig/Configure | ||
20 | +++ openssl-3.0.4/Configure | ||
21 | @@ -1243,16 +1243,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) | ||
22 | push @{$config{shared_ldflag}}, "-mno-cygwin"; | ||
23 | } | ||
24 | |||
25 | -if ($target =~ /linux.*-mips/ && !$disabled{asm} | ||
26 | - && !grep { $_ =~ /-m(ips|arch=)/ } (@{$config{CFLAGS}})) { | ||
27 | - # minimally required architecture flags for assembly modules | ||
28 | - my $value; | ||
29 | - $value = '-mips2' if ($target =~ /mips32/); | ||
30 | - $value = '-mips3' if ($target =~ /mips64/); | ||
31 | - unshift @{$config{cflags}}, $value; | ||
32 | - unshift @{$config{cxxflags}}, $value if $config{CXX}; | ||
33 | -} | ||
34 | - | ||
35 | # If threads aren't disabled, check how possible they are | ||
36 | unless ($disabled{threads}) { | ||
37 | if ($auto_threads) { | ||
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch new file mode 100644 index 0000000000..3da6879ccb --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-0727.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | Backport of: | ||
2 | |||
3 | From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 | ||
4 | From: Matt Caswell <matt@openssl.org> | ||
5 | Date: Fri, 19 Jan 2024 11:28:58 +0000 | ||
6 | Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL | ||
7 | |||
8 | PKCS12 structures contain PKCS7 ContentInfo fields. These fields are | ||
9 | optional and can be NULL even if the "type" is a valid value. OpenSSL | ||
10 | was not properly accounting for this and a NULL dereference can occur | ||
11 | causing a crash. | ||
12 | |||
13 | CVE-2024-0727 | ||
14 | |||
15 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
16 | Reviewed-by: Hugo Landau <hlandau@openssl.org> | ||
17 | Reviewed-by: Neil Horman <nhorman@openssl.org> | ||
18 | (Merged from https://github.com/openssl/openssl/pull/23362) | ||
19 | |||
20 | (cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) | ||
21 | |||
22 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c] | ||
23 | |||
24 | CVE: CVE-2024-0727 | ||
25 | |||
26 | Signed-off-by: virendra thakur <virendrak@kpit.com> | ||
27 | --- | ||
28 | crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ | ||
29 | crypto/pkcs12/p12_mutl.c | 5 +++++ | ||
30 | crypto/pkcs12/p12_npas.c | 5 +++-- | ||
31 | crypto/pkcs7/pk7_mime.c | 7 +++++-- | ||
32 | 4 files changed, 31 insertions(+), 4 deletions(-) | ||
33 | |||
34 | --- a/crypto/pkcs12/p12_add.c | ||
35 | +++ b/crypto/pkcs12/p12_add.c | ||
36 | @@ -76,6 +76,13 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ | ||
37 | PKCS12_R_CONTENT_TYPE_NOT_DATA); | ||
38 | return NULL; | ||
39 | } | ||
40 | + | ||
41 | + if (p7->d.data == NULL) { | ||
42 | + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, | ||
43 | + PKCS12_R_DECODE_ERROR); | ||
44 | + return NULL; | ||
45 | + } | ||
46 | + | ||
47 | return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); | ||
48 | } | ||
49 | |||
50 | @@ -132,6 +139,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_ | ||
51 | { | ||
52 | if (!PKCS7_type_is_encrypted(p7)) | ||
53 | return NULL; | ||
54 | + | ||
55 | + if (p7->d.encrypted == NULL) { | ||
56 | + PKCS12err(PKCS12_F_PKCS12_UNPACK_P7DATA, PKCS12_R_DECODE_ERROR); | ||
57 | + return NULL; | ||
58 | + } | ||
59 | + | ||
60 | return PKCS12_item_decrypt_d2i(p7->d.encrypted->enc_data->algorithm, | ||
61 | ASN1_ITEM_rptr(PKCS12_SAFEBAGS), | ||
62 | pass, passlen, | ||
63 | @@ -159,6 +172,13 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes | ||
64 | PKCS12_R_CONTENT_TYPE_NOT_DATA); | ||
65 | return NULL; | ||
66 | } | ||
67 | + | ||
68 | + if (p12->authsafes->d.data == NULL) { | ||
69 | + PKCS12err(PKCS12_F_PKCS12_UNPACK_AUTHSAFES, | ||
70 | + PKCS12_R_DECODE_ERROR); | ||
71 | + return NULL; | ||
72 | + } | ||
73 | + | ||
74 | return ASN1_item_unpack(p12->authsafes->d.data, | ||
75 | ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); | ||
76 | } | ||
77 | --- a/crypto/pkcs12/p12_mutl.c | ||
78 | +++ b/crypto/pkcs12/p12_mutl.c | ||
79 | @@ -93,6 +93,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, c | ||
80 | return 0; | ||
81 | } | ||
82 | |||
83 | + if (p12->authsafes->d.data == NULL) { | ||
84 | + PKCS12err(PKCS12_F_PKCS12_GEN_MAC, PKCS12_R_DECODE_ERROR); | ||
85 | + return 0; | ||
86 | + } | ||
87 | + | ||
88 | salt = p12->mac->salt->data; | ||
89 | saltlen = p12->mac->salt->length; | ||
90 | if (!p12->mac->iter) | ||
91 | --- a/crypto/pkcs12/p12_npas.c | ||
92 | +++ b/crypto/pkcs12/p12_npas.c | ||
93 | @@ -78,8 +78,9 @@ static int newpass_p12(PKCS12 *p12, cons | ||
94 | bags = PKCS12_unpack_p7data(p7); | ||
95 | } else if (bagnid == NID_pkcs7_encrypted) { | ||
96 | bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); | ||
97 | - if (!alg_get(p7->d.encrypted->enc_data->algorithm, | ||
98 | - &pbe_nid, &pbe_iter, &pbe_saltlen)) | ||
99 | + if (p7->d.encrypted == NULL | ||
100 | + || !alg_get(p7->d.encrypted->enc_data->algorithm, | ||
101 | + &pbe_nid, &pbe_iter, &pbe_saltlen)) | ||
102 | goto err; | ||
103 | } else { | ||
104 | continue; | ||
105 | --- a/crypto/pkcs7/pk7_mime.c | ||
106 | +++ b/crypto/pkcs7/pk7_mime.c | ||
107 | @@ -30,10 +30,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p | ||
108 | { | ||
109 | STACK_OF(X509_ALGOR) *mdalgs; | ||
110 | int ctype_nid = OBJ_obj2nid(p7->type); | ||
111 | - if (ctype_nid == NID_pkcs7_signed) | ||
112 | + if (ctype_nid == NID_pkcs7_signed) { | ||
113 | + if (p7->d.sign == NULL) | ||
114 | + return 0; | ||
115 | mdalgs = p7->d.sign->md_algs; | ||
116 | - else | ||
117 | + } else { | ||
118 | mdalgs = NULL; | ||
119 | + } | ||
120 | |||
121 | flags ^= SMIME_OLDMIME; | ||
122 | |||
diff --git a/meta/recipes-connectivity/openssl/openssl/reproducibility.patch b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch new file mode 100644 index 0000000000..8accbc9df2 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/reproducibility.patch | |||
@@ -0,0 +1,22 @@ | |||
1 | Using localtime() means the output can depend on the timezone of the build machine. | ||
2 | Using gmtime() is safer. For complete reproducibility use SOURCE_DATE_EPOCH if set. | ||
3 | |||
4 | Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> | ||
5 | Upstream-Status: Pending [should be suitable] | ||
6 | |||
7 | Index: openssl-3.0.1/apps/progs.pl | ||
8 | =================================================================== | ||
9 | --- openssl-3.0.1.orig/apps/progs.pl | ||
10 | +++ openssl-3.0.1/apps/progs.pl | ||
11 | @@ -21,7 +21,10 @@ die "Unrecognised option, must be -C or | ||
12 | my %commands = (); | ||
13 | my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/; | ||
14 | my $apps_openssl = shift @ARGV; | ||
15 | -my $YEAR = [localtime()]->[5] + 1900; | ||
16 | +my $YEAR = [gmtime()]->[5] + 1900; | ||
17 | +if (defined($ENV{SOURCE_DATE_EPOCH}) && $ENV{SOURCE_DATE_EPOCH} !~ /\D/) { | ||
18 | + $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH})]->[5] + 1900; | ||
19 | +} | ||
20 | |||
21 | # because the program apps/openssl has object files as sources, and | ||
22 | # they then have the corresponding C files as source, we need to chain | ||
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb index 5d22c511aa..0e490eabc3 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1w.bb | |||
@@ -17,13 +17,17 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | |||
17 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ | 17 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ |
18 | file://afalg.patch \ | 18 | file://afalg.patch \ |
19 | file://reproducible.patch \ | 19 | file://reproducible.patch \ |
20 | file://reproducibility.patch \ | ||
21 | file://0001-Configure-add-2-missing-key-sorts.patch \ | ||
22 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | ||
23 | file://CVE-2024-0727.patch \ | ||
20 | " | 24 | " |
21 | 25 | ||
22 | SRC_URI_append_class-nativesdk = " \ | 26 | SRC_URI_append_class-nativesdk = " \ |
23 | file://environment.d-openssl.sh \ | 27 | file://environment.d-openssl.sh \ |
24 | " | 28 | " |
25 | 29 | ||
26 | SRC_URI[sha256sum] = "e8be6a35fe41d10603c3cc635e93289ed00bf34b79671a3a4de64fcee00d5242" | 30 | SRC_URI[sha256sum] = "cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8" |
27 | 31 | ||
28 | inherit lib_package multilib_header multilib_script ptest | 32 | inherit lib_package multilib_header multilib_script ptest |
29 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" | 33 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" |
@@ -179,6 +183,7 @@ do_install_ptest () { | |||
179 | install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps | 183 | install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps |
180 | 184 | ||
181 | install -d ${D}${PTEST_PATH}/engines | 185 | install -d ${D}${PTEST_PATH}/engines |
186 | install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines | ||
182 | install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines | 187 | install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines |
183 | } | 188 | } |
184 | 189 | ||