openssl: upgrade 3.0.15 -> 3.0.16

Release information: https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3015-and-openssl-3016-11-feb-2025 All CVEs were already patched, so this upgrade fixes only minor bugs. Remove CVE patches included in the new version. (From OE-Core rev: 68c01710e3522af317f8fe09465b56e6aca01615) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2025-02-11 19:36:14 +0100
committer: Steve Sakoman <steve@sakoman.com> 2025-02-15 06:04:44 -0800
commit: 3d029078fe1b6af21ba753ad417b0511a7041f1c (patch)
tree: 57ed90cd69fec79dba1bfd9ea2a66954bef27d88
parent: d49f124652a78bea033358aac079e1b6d81c7000 (diff)
download: poky-3d029078fe1b6af21ba753ad417b0511a7041f1c.tar.gz
3 files changed, 1 insertions, 330 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
deleted file mode 100644
index 0076003db1..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch
+++ /dev/null
@@ -1,125 +0,0 @@
-From 07272b05b04836a762b4baa874958af51d513844 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Wed, 15 Jan 2025 18:27:02 +0100
-Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
-There is a timing signal of around 300 nanoseconds when the top word of
-the inverted ECDSA nonce value is zero. This can happen with significant
-probability only for some of the supported elliptic curves. In particular
-the NIST P-521 curve is affected. To be able to measure this leak, the
-attacker process must either be located in the same physical computer or
-must have a very fast network connection with low latency.
-Attacks on ECDSA nonce are also known as Minerva attack.
-Fixes CVE-2024-13176
-Reviewed-by: Tim Hudson <tjh@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/26429)
-(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
-CVE: CVE-2024-13176
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
- crypto/bn/bn_exp.c  | 21 +++++++++++++++------
- crypto/ec/ec_lib.c  |  7 ++++---
- include/crypto/bn.h |  3 +++
- 3 files changed, 22 insertions(+), 9 deletions(-)
-diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
-index 598a592ca1397..d84c7de18a6b6 100644
--- a/crypto/bn/bn_exp.c
-+++ b/crypto/bn/bn_exp.c
-@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
-  * out by Colin Percival,
-  * http://www.daemonology.net/hyperthreading-considered-harmful/)
-  */
-int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-                               const BIGNUM *m, BN_CTX *ctx,
-                               BN_MONT_CTX *in_mont)
- {
-@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-     unsigned int t4 = 0;
- #endif
- 
-    bn_check_top(a);
-    bn_check_top(p);
-    bn_check_top(m);
-
-     if (!BN_is_odd(m)) {
-         ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
-         return 0;
-@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-             goto err;
-     } else
- #endif
-    if (!BN_from_montgomery(rr, &tmp, mont, ctx))
-+    if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
-         goto err;
-     ret = 1;
-  err:
-@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-     return ret;
- }
- 
-+int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+                              const BIGNUM *m, BN_CTX *ctx,
-+                              BN_MONT_CTX *in_mont)
-+{
-+    bn_check_top(a);
-+    bn_check_top(p);
-+    bn_check_top(m);
-+    if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
-+        return 0;
-+    bn_correct_top(rr);
-+    return 1;
-+}
-+
- int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
-                          const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont)
- {
-diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
-index b1696d93bd6dd..1f0bf1ec795fa 100644
--- a/crypto/ec/ec_lib.c
-+++ b/crypto/ec/ec_lib.c
-@@ -20,6 +20,7 @@
- #include <openssl/err.h>
- #include <openssl/opensslv.h>
- #include "crypto/ec.h"
-+#include "crypto/bn.h"
- #include "internal/nelem.h"
- #include "ec_local.h"
- 
-@@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP *group, BIGNUM *r,
-     if (!BN_sub(e, group->order, e))
-         goto err;
-     /*-
-     * Exponent e is public.
-     * No need for scatter-gather or BN_FLG_CONSTTIME.
-+     * Although the exponent is public we want the result to be
-+     * fixed top.
-      */
-    if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
-+    if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
-         goto err;
- 
-     ret = 1;
-diff --git a/include/crypto/bn.h b/include/crypto/bn.h
-index c5f328156d3a9..59a629b9f6288 100644
--- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM *a, const BN_ULONG *words, int num_words);
-  */
- int bn_mul_mont_fixed_top(BIGNUM *r, const BIGNUM *a, const BIGNUM *b,
-                           BN_MONT_CTX *mont, BN_CTX *ctx);
-+int bn_mod_exp_mont_fixed_top(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
-+                              const BIGNUM *m, BN_CTX *ctx,
-+                              BN_MONT_CTX *in_mont);
- int bn_to_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
-                          BN_CTX *ctx);
- int bn_from_mont_fixed_top(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont,
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
deleted file mode 100755
index c72a4193c6..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <viktor@openssl.org>
-Date: Thu, 19 Sep 2024 01:02:40 +1000
-Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
-The BN_GF2m_poly2arr() function converts characteristic-2 field
-(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
-to a compact array with just the exponents of the non-zero terms.
-These polynomials are then used in BN_GF2m_mod_arr() to perform modular
-reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
-polynomial must have a non-zero constant term (i.e. the array has `0` as
-its final element).
-Internally, callers of BN_GF2m_poly2arr() did not verify that
-precondition, and binary EC curve parameters with an invalid polynomial
-could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
-The precondition is always true for polynomials that arise from the
-standard form of EC parameters for characteristic-two fields (X9.62).
-See the "Finite Field Identification" section of:
-    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
-The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
-basis X9.62 forms.
-This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
-the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
-Additionally, the return value is made unambiguous when there is not
-enough space to also pad the array with a final `-1` sentinel value.
-The return value is now always the number of elements (including the
-final `-1`) that would be filled when the output array is sufficiently
-large.  Previously the same count was returned both when the array has
-just enough room for the final `-1` and when it had only enough space
-for non-sentinel values.
-Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
-degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
-CPU exhausition attacks via excessively large inputs.
-The above issues do not arise in processing X.509 certificates.  These
-generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
-disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
-constraint only after the certificate is decoded, but, even if explicit
-parameters are specified, they are in X9.62 form, which cannot represent
-problem values as noted above.
-Initially reported as oss-fuzz issue 71623.
-A closely related issue was earlier reported in
-<https://github.com/openssl/openssl/issues/19826>.
-Severity: Low, CVE-2024-9143
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/25639)
-(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
-CVE: CVE-2024-9143
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712]
-Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
- crypto/bn/bn_gf2m.c     | 28 +++++++++++++++-------
- test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++
- 2 files changed, 71 insertions(+), 8 deletions(-)
-diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
-index c811ae82d6b15..bcc66613cc14d 100644
--- a/crypto/bn/bn_gf2m.c
-+++ b/crypto/bn/bn_gf2m.c
-@@ -15,6 +15,7 @@
- #include "bn_local.h"
- 
- #ifndef OPENSSL_NO_EC2M
-+# include <openssl/ec.h>
- 
- /*
-  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
-@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
- /*
-  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
-  * x^i) into an array of integers corresponding to the bits with non-zero
- * coefficient.  Array is terminated with -1. Up to max elements of the array
- * will be filled.  Return value is total number of array elements that would
- * be filled if array was large enough.
-+ * coefficient.  The array is intended to be suitable for use with
-+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
-+ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
-+ *
-+ * Given sufficient room, the array is terminated with -1.  Up to max elements
-+ * of the array will be filled.
-+ *
-+ * The return value is total number of array elements that would be filled if
-+ * array was large enough, including the terminating `-1`.  It is `0` when `a`
-+ * is not odd or the constant term is zero contrary to requirement.
-+ *
-+ * The return value is also `0` when the leading exponent exceeds
-+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
-  */
- int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
- {
-     int i, j, k = 0;
-     BN_ULONG mask;
- 
-    if (BN_is_zero(a))
-+    if (!BN_is_odd(a))
-         return 0;
- 
-     for (i = a->top - 1; i >= 0; i--) {
-@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
-         }
-     }
- 
-    if (k < max) {
-+    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
-+        return 0;
-+
-+    if (k < max)
-         p[k] = -1;
-        k++;
-    }
- 
-    return k;
-+    return k + 1;
- }
- 
- /*
-diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
-index 8c2cd05631696..02cfd4e9d8858 100644
--- a/test/ec_internal_test.c
-+++ b/test/ec_internal_test.c
-@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
- }
- 
- #ifndef OPENSSL_NO_EC2M
-+/* Test that decoding of invalid GF2m field parameters fails. */
-+static int ec2m_field_sanity(void)
-+{
-+    int ret = 0;
-+    BN_CTX *ctx = BN_CTX_new();
-+    BIGNUM *p, *a, *b;
-+    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
-+
-+    TEST_info("Testing GF2m hardening\n");
-+
-+    BN_CTX_start(ctx);
-+    p = BN_CTX_get(ctx);
-+    a = BN_CTX_get(ctx);
-+    if (!TEST_ptr(b = BN_CTX_get(ctx))
-+        || !TEST_true(BN_one(a))
-+        || !TEST_true(BN_one(b)))
-+        goto out;
-+
-+    /* Even pentanomial value should be rejected */
-+    if (!TEST_true(BN_set_word(p, 0xf2)))
-+        goto out;
-+    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("Zero constant term accepted in GF2m polynomial");
-+
-+    /* Odd hexanomial should also be rejected */
-+    if (!TEST_true(BN_set_word(p, 0xf3)))
-+        goto out;
-+    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("Hexanomial accepted as GF2m polynomial");
-+
-+    /* Excessive polynomial degree should also be rejected */
-+    if (!TEST_true(BN_set_word(p, 0x71))
-+        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
-+        goto out;
-+    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
-+        TEST_error("GF2m polynomial degree > %d accepted",
-+                   OPENSSL_ECC_MAX_FIELD_BITS);
-+
-+    ret = group1 == NULL && group2 == NULL && group3 == NULL;
-+
-+ out:
-+    EC_GROUP_free(group1);
-+    EC_GROUP_free(group2);
-+    EC_GROUP_free(group3);
-+    BN_CTX_end(ctx);
-+    BN_CTX_free(ctx);
-+
-+    return ret;
-+}
-+
- /* test EC_GF2m_simple_method directly */
- static int field_tests_ec2_simple(void)
- {
-@@ -443,6 +493,7 @@ int setup_tests(void)
-     ADD_TEST(field_tests_ecp_simple);
-     ADD_TEST(field_tests_ecp_mont);
- #ifndef OPENSSL_NO_EC2M
-+    ADD_TEST(ec2m_field_sanity);
-     ADD_TEST(field_tests_ec2_simple);
- #endif
-     ADD_ALL_TESTS(field_tests_default, crv_len);
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb b/meta/recipes-connectivity/openssl/openssl_3.0.16.bb
index 295f05729f..a9fffd18ba 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.16.bb
@@ -12,15 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2024-9143.patch \
-           file://CVE-2024-13176.patch \
           "
 SRC_URI:append:class-nativesdk = " \
           file://environment.d-openssl.sh \
           "
-SRC_URI[sha256sum] = "23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533"
+SRC_URI[sha256sum] = "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86"
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
author	Peter Marko <peter.marko@siemens.com>	2025-02-11 19:36:14 +0100
committer	Steve Sakoman <steve@sakoman.com>	2025-02-15 06:04:44 -0800
commit	3d029078fe1b6af21ba753ad417b0511a7041f1c (patch)
tree	57ed90cd69fec79dba1bfd9ea2a66954bef27d88
parent	d49f124652a78bea033358aac079e1b6d81c7000 (diff)
download	poky-3d029078fe1b6af21ba753ad417b0511a7041f1c.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch deleted file mode 100644 index 0076003db1..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-13176.patch +++ /dev/null
@@ -1,125 +0,0 @@
1	From 07272b05b04836a762b4baa874958af51d513844 Mon Sep 17 00:00:00 2001
2	From: Tomas Mraz <tomas@openssl.org>
3	Date: Wed, 15 Jan 2025 18:27:02 +0100
4	Subject: [PATCH] Fix timing side-channel in ECDSA signature computation
5
6	There is a timing signal of around 300 nanoseconds when the top word of
7	the inverted ECDSA nonce value is zero. This can happen with significant
8	probability only for some of the supported elliptic curves. In particular
9	the NIST P-521 curve is affected. To be able to measure this leak, the
10	attacker process must either be located in the same physical computer or
11	must have a very fast network connection with low latency.
12
13	Attacks on ECDSA nonce are also known as Minerva attack.
14
15	Fixes CVE-2024-13176
16
17	Reviewed-by: Tim Hudson <tjh@openssl.org>
18	Reviewed-by: Neil Horman <nhorman@openssl.org>
19	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
20	(Merged from https://github.com/openssl/openssl/pull/26429)
21
22	(cherry picked from commit 63c40a66c5dc287485705d06122d3a6e74a6a203)
23
24	CVE: CVE-2024-13176
25	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/07272b05b04836a762b4baa874958af51d513844]
26	Signed-off-by: Peter Marko <peter.marko@siemens.com>
27	---
28	crypto/bn/bn_exp.c \| 21 +++++++++++++++------
29	crypto/ec/ec_lib.c \| 7 ++++---
30	include/crypto/bn.h \| 3 +++
31	3 files changed, 22 insertions(+), 9 deletions(-)
32
33	diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c
34	index 598a592ca1397..d84c7de18a6b6 100644
35	--- a/crypto/bn/bn_exp.c
36	+++ b/crypto/bn/bn_exp.c
37	@@ -606,7 +606,7 @@ static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top,
38	* out by Colin Percival,
39	* http://www.daemonology.net/hyperthreading-considered-harmful/)
40	*/
41	-int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
42	+int bn_mod_exp_mont_fixed_top(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
43	const BIGNUM m, BN_CTX ctx,
44	BN_MONT_CTX *in_mont)
45	{
46	@@ -623,10 +623,6 @@ int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
47	unsigned int t4 = 0;
48	#endif
49
50	- bn_check_top(a);
51	- bn_check_top(p);
52	- bn_check_top(m);
53	-
54	if (!BN_is_odd(m)) {
55	ERR_raise(ERR_LIB_BN, BN_R_CALLED_WITH_EVEN_MODULUS);
56	return 0;
57	@@ -1146,7 +1142,7 @@ int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
58	goto err;
59	} else
60	#endif
61	- if (!BN_from_montgomery(rr, &tmp, mont, ctx))
62	+ if (!bn_from_mont_fixed_top(rr, &tmp, mont, ctx))
63	goto err;
64	ret = 1;
65	err:
66	@@ -1160,6 +1156,19 @@ int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
67	return ret;
68	}
69
70	+int BN_mod_exp_mont_consttime(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
71	+ const BIGNUM m, BN_CTX ctx,
72	+ BN_MONT_CTX *in_mont)
73	+{
74	+ bn_check_top(a);
75	+ bn_check_top(p);
76	+ bn_check_top(m);
77	+ if (!bn_mod_exp_mont_fixed_top(rr, a, p, m, ctx, in_mont))
78	+ return 0;
79	+ bn_correct_top(rr);
80	+ return 1;
81	+}
82	+
83	int BN_mod_exp_mont_word(BIGNUM rr, BN_ULONG a, const BIGNUM p,
84	const BIGNUM m, BN_CTX ctx, BN_MONT_CTX *in_mont)
85	{
86	diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
87	index b1696d93bd6dd..1f0bf1ec795fa 100644
88	--- a/crypto/ec/ec_lib.c
89	+++ b/crypto/ec/ec_lib.c
90	@@ -20,6 +20,7 @@
91	#include <openssl/err.h>
92	#include <openssl/opensslv.h>
93	#include "crypto/ec.h"
94	+#include "crypto/bn.h"
95	#include "internal/nelem.h"
96	#include "ec_local.h"
97
98	@@ -1262,10 +1263,10 @@ static int ec_field_inverse_mod_ord(const EC_GROUP group, BIGNUM r,
99	if (!BN_sub(e, group->order, e))
100	goto err;
101	/*-
102	- * Exponent e is public.
103	- * No need for scatter-gather or BN_FLG_CONSTTIME.
104	+ * Although the exponent is public we want the result to be
105	+ * fixed top.
106	*/
107	- if (!BN_mod_exp_mont(r, x, e, group->order, ctx, group->mont_data))
108	+ if (!bn_mod_exp_mont_fixed_top(r, x, e, group->order, ctx, group->mont_data))
109	goto err;
110
111	ret = 1;
112	diff --git a/include/crypto/bn.h b/include/crypto/bn.h
113	index c5f328156d3a9..59a629b9f6288 100644
114	--- a/include/crypto/bn.h
115	+++ b/include/crypto/bn.h
116	@@ -73,6 +73,9 @@ int bn_set_words(BIGNUM a, const BN_ULONG words, int num_words);
117	*/
118	int bn_mul_mont_fixed_top(BIGNUM r, const BIGNUM a, const BIGNUM *b,
119	BN_MONT_CTX mont, BN_CTX ctx);
120	+int bn_mod_exp_mont_fixed_top(BIGNUM rr, const BIGNUM a, const BIGNUM *p,
121	+ const BIGNUM m, BN_CTX ctx,
122	+ BN_MONT_CTX *in_mont);
123	int bn_to_mont_fixed_top(BIGNUM r, const BIGNUM a, BN_MONT_CTX *mont,
124	BN_CTX *ctx);
125	int bn_from_mont_fixed_top(BIGNUM r, const BIGNUM a, BN_MONT_CTX *mont,


diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch deleted file mode 100755 index c72a4193c6..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-9143.patch +++ /dev/null
@@ -1,202 +0,0 @@
1	From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
2	From: Viktor Dukhovni <viktor@openssl.org>
3	Date: Thu, 19 Sep 2024 01:02:40 +1000
4	Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
5
6	The BN_GF2m_poly2arr() function converts characteristic-2 field
7	(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
8	to a compact array with just the exponents of the non-zero terms.
9
10	These polynomials are then used in BN_GF2m_mod_arr() to perform modular
11	reduction. A precondition of calling BN_GF2m_mod_arr() is that the
12	polynomial must have a non-zero constant term (i.e. the array has `0` as
13	its final element).
14
15	Internally, callers of BN_GF2m_poly2arr() did not verify that
16	precondition, and binary EC curve parameters with an invalid polynomial
17	could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
18
19	The precondition is always true for polynomials that arise from the
20	standard form of EC parameters for characteristic-two fields (X9.62).
21	See the "Finite Field Identification" section of:
22
23	https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
24
25	The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
26	basis X9.62 forms.
27
28	This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
29	the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
30
31	Additionally, the return value is made unambiguous when there is not
32	enough space to also pad the array with a final `-1` sentinel value.
33	The return value is now always the number of elements (including the
34	final `-1`) that would be filled when the output array is sufficiently
35	large. Previously the same count was returned both when the array has
36	just enough room for the final `-1` and when it had only enough space
37	for non-sentinel values.
38
39	Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
40	degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
41	CPU exhausition attacks via excessively large inputs.
42
43	The above issues do not arise in processing X.509 certificates. These
44	generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
45	disallows explicit EC parameters. The TLS code in OpenSSL enforces this
46	constraint only after the certificate is decoded, but, even if explicit
47	parameters are specified, they are in X9.62 form, which cannot represent
48	problem values as noted above.
49
50	Initially reported as oss-fuzz issue 71623.
51
52	A closely related issue was earlier reported in
53	<https://github.com/openssl/openssl/issues/19826>.
54
55	Severity: Low, CVE-2024-9143
56
57	Reviewed-by: Matt Caswell <matt@openssl.org>
58	Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
59	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
60	Reviewed-by: Tomas Mraz <tomas@openssl.org>
61	(Merged from https://github.com/openssl/openssl/pull/25639)
62
63	(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
64
65	CVE: CVE-2024-9143
66	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712]
67	Signed-off-by: Peter Marko <peter.marko@siemens.com>
68	---
69	crypto/bn/bn_gf2m.c \| 28 +++++++++++++++-------
70	test/ec_internal_test.c \| 51 +++++++++++++++++++++++++++++++++++++++++
71	2 files changed, 71 insertions(+), 8 deletions(-)
72
73	diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c
74	index c811ae82d6b15..bcc66613cc14d 100644
75	--- a/crypto/bn/bn_gf2m.c
76	+++ b/crypto/bn/bn_gf2m.c
77	@@ -15,6 +15,7 @@
78	#include "bn_local.h"
79
80	#ifndef OPENSSL_NO_EC2M
81	+# include <openssl/ec.h>
82
83	/*
84	* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
85	@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM r, const BIGNUM a, const BIGNUM *p,
86	/*
87	* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
88	* x^i) into an array of integers corresponding to the bits with non-zero
89	- * coefficient. Array is terminated with -1. Up to max elements of the array
90	- * will be filled. Return value is total number of array elements that would
91	- * be filled if array was large enough.
92	+ * coefficient. The array is intended to be suitable for use with
93	+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
94	+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
95	+ *
96	+ * Given sufficient room, the array is terminated with -1. Up to max elements
97	+ * of the array will be filled.
98	+ *
99	+ * The return value is total number of array elements that would be filled if
100	+ * array was large enough, including the terminating `-1`. It is `0` when `a`
101	+ * is not odd or the constant term is zero contrary to requirement.
102	+ *
103	+ * The return value is also `0` when the leading exponent exceeds
104	+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
105	*/
106	int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
107	{
108	int i, j, k = 0;
109	BN_ULONG mask;
110
111	- if (BN_is_zero(a))
112	+ if (!BN_is_odd(a))
113	return 0;
114
115	for (i = a->top - 1; i >= 0; i--) {
116	@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
117	}
118	}
119
120	- if (k < max) {
121	+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
122	+ return 0;
123	+
124	+ if (k < max)
125	p[k] = -1;
126	- k++;
127	- }
128
129	- return k;
130	+ return k + 1;
131	}
132
133	/*
134	diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c
135	index 8c2cd05631696..02cfd4e9d8858 100644
136	--- a/test/ec_internal_test.c
137	+++ b/test/ec_internal_test.c
138	@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
139	}
140
141	#ifndef OPENSSL_NO_EC2M
142	+/* Test that decoding of invalid GF2m field parameters fails. */
143	+static int ec2m_field_sanity(void)
144	+{
145	+ int ret = 0;
146	+ BN_CTX *ctx = BN_CTX_new();
147	+ BIGNUM p, a, *b;
148	+ EC_GROUP group1 = NULL, group2 = NULL, *group3 = NULL;
149	+
150	+ TEST_info("Testing GF2m hardening\n");
151	+
152	+ BN_CTX_start(ctx);
153	+ p = BN_CTX_get(ctx);
154	+ a = BN_CTX_get(ctx);
155	+ if (!TEST_ptr(b = BN_CTX_get(ctx))
156	+ \|\| !TEST_true(BN_one(a))
157	+ \|\| !TEST_true(BN_one(b)))
158	+ goto out;
159	+
160	+ /* Even pentanomial value should be rejected */
161	+ if (!TEST_true(BN_set_word(p, 0xf2)))
162	+ goto out;
163	+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
164	+ TEST_error("Zero constant term accepted in GF2m polynomial");
165	+
166	+ /* Odd hexanomial should also be rejected */
167	+ if (!TEST_true(BN_set_word(p, 0xf3)))
168	+ goto out;
169	+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
170	+ TEST_error("Hexanomial accepted as GF2m polynomial");
171	+
172	+ /* Excessive polynomial degree should also be rejected */
173	+ if (!TEST_true(BN_set_word(p, 0x71))
174	+ \|\| !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
175	+ goto out;
176	+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
177	+ TEST_error("GF2m polynomial degree > %d accepted",
178	+ OPENSSL_ECC_MAX_FIELD_BITS);
179	+
180	+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
181	+
182	+ out:
183	+ EC_GROUP_free(group1);
184	+ EC_GROUP_free(group2);
185	+ EC_GROUP_free(group3);
186	+ BN_CTX_end(ctx);
187	+ BN_CTX_free(ctx);
188	+
189	+ return ret;
190	+}
191	+
192	/* test EC_GF2m_simple_method directly */
193	static int field_tests_ec2_simple(void)
194	{
195	@@ -443,6 +493,7 @@ int setup_tests(void)
196	ADD_TEST(field_tests_ecp_simple);
197	ADD_TEST(field_tests_ecp_mont);
198	#ifndef OPENSSL_NO_EC2M
199	+ ADD_TEST(ec2m_field_sanity);
200	ADD_TEST(field_tests_ec2_simple);
201	#endif
202	ADD_ALL_TESTS(field_tests_default, crv_len);


diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb b/meta/recipes-connectivity/openssl/openssl_3.0.16.bb index 295f05729f..a9fffd18ba 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.15.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.16.bb
@@ -12,15 +12,13 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13	file://afalg.patch \	13	file://afalg.patch \
14	file://0001-Configure-do-not-tweak-mips-cflags.patch \	14	file://0001-Configure-do-not-tweak-mips-cflags.patch \
15	file://CVE-2024-9143.patch \
16	file://CVE-2024-13176.patch \
17	"	15	"
18		16
19	SRC_URI:append:class-nativesdk = " \	17	SRC_URI:append:class-nativesdk = " \
20	file://environment.d-openssl.sh \	18	file://environment.d-openssl.sh \
21	"	19	"
22		20
23	SRC_URI[sha256sum] = "23c666d0edf20f14249b3d8f0368acaee9ab585b09e1de82107c66e1f3ec9533"	21	SRC_URI[sha256sum] = "57e03c50feab5d31b152af2b764f10379aecd8ee92f16c985983ce4a99f7ef86"
24		22
25	inherit lib_package multilib_header multilib_script ptest perlnative	23	inherit lib_package multilib_header multilib_script ptest perlnative
26	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"	24	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"