openssl: Upgrade 3.0.12 -> 3.0.13

Fixes CVE-2024-0727 Removed included CVE patch backports. New module was implemented in tests and needs to be installed to successfully pass 04-test_provider.t test. Release information: https://github.com/openssl/openssl/blob/openssl-3.0/NEWS.md#major-changes-between-openssl-3012-and-openssl-3013-30-jan-2024 (From OE-Core rev: 2bdae590ab20dc4518ba247c903060fa67ed0fc4) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Peter Marko <peter.marko@siemens.com> 2024-02-04 17:05:29 +0100
committer: Steve Sakoman <steve@sakoman.com> 2024-02-09 03:46:50 -1000
commit: d47afb07da374de4c8424fcb3e16b15116f30f8d (patch)
tree: 33514b31bb6aa1b9375f738c585dfd9792f07b1d
parent: d803ca653139aa2d6acb4f99469c76a9d232b307 (diff)
download: poky-d47afb07da374de4c8424fcb3e16b15116f30f8d.tar.gz
4 files changed, 2 insertions, 424 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
deleted file mode 100644
index 796a4f8be9..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch
+++ /dev/null
@@ -1,180 +0,0 @@
-From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
-From: Richard Levitte <levitte@openssl.org>
-Date: Fri, 20 Oct 2023 09:18:19 +0200
-Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
-We already check for an excessively large P in DH_generate_key(), but not in
-DH_check_pub_key(), and none of them check for an excessively large Q.
-This change adds all the missing excessive size checks of P and Q.
-It's to be noted that behaviours surrounding excessively sized P and Q
-differ.  DH_check() raises an error on the excessively sized P, but only
-sets a flag for the excessively sized Q.  This behaviour is mimicked in
-DH_check_pub_key().
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22518)
-(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
-Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017]
-CVE: CVE-2023-5678
-Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
- crypto/dh/dh_check.c    | 12 ++++++++++++
- crypto/dh/dh_err.c      |  3 ++-
- crypto/dh/dh_key.c      | 12 ++++++++++++
- crypto/err/openssl.txt  |  1 +
- include/crypto/dherr.h  |  2 +-
- include/openssl/dh.h    |  6 +++---
- include/openssl/dherr.h |  3 ++-
- 7 files changed, 33 insertions(+), 6 deletions(-)
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 7ba2bea..e20eb62 100644
--- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
-  */
- int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
- {
-+    /* Don't do any checks at all with an excessively large modulus */
-+    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-+        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
-+        return 0;
-+    }
-+
-+    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
-+        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
-+        return 1;
-+    }
-+
-     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
- }
-diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
-index 4152397..f76ac0d 100644
--- a/crypto/dh/dh_err.c
-+++ b/crypto/dh/dh_err.c
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
-     "parameter encoding error"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
-+    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
-     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
-     "unable to check generator"},
-diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
-index d84ea99..afc49f5 100644
--- a/crypto/dh/dh_key.c
-+++ b/crypto/dh/dh_key.c
-@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-         goto err;
-     }
-+    if (dh->params.q != NULL
-+        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
-+        goto err;
-+    }
-+
-     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
-         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
-         return 0;
-@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
-         return 0;
-     }
-+    if (dh->params.q != NULL
-+        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
-+        return 0;
-+    }
-+
-     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
-         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
-         return 0;
-diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
-index e51504b..36de321 100644
--- a/crypto/err/openssl.txt
-+++ b/crypto/err/openssl.txt
-@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
- DH_R_NO_PRIVATE_VALUE:100:no private value
- DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
- DH_R_PEER_KEY_ERROR:111:peer key error
-+DH_R_Q_TOO_LARGE:130:q too large
- DH_R_SHARED_INFO_ERROR:113:shared info error
- DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
- DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
-diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
-index bb24d13..519327f 100644
--- a/include/crypto/dherr.h
-+++ b/include/crypto/dherr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-diff --git a/include/openssl/dh.h b/include/openssl/dh.h
-index 6533260..50e0cf5 100644
--- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
- #   define DH_GENERATOR_3          3
- #   define DH_GENERATOR_5          5
-/* DH_check error codes */
-+/* DH_check error codes, some of them shared with DH_check_pub_key */
- /*
-  * NB: These values must align with the equivalently named macros in
-  * internal/ffc.h.
-@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
- #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
- #   define DH_NOT_SUITABLE_GENERATOR       0x08
- #   define DH_CHECK_Q_NOT_PRIME            0x10
-#   define DH_CHECK_INVALID_Q_VALUE        0x20
-+#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
- #   define DH_CHECK_INVALID_J_VALUE        0x40
- #   define DH_MODULUS_TOO_SMALL            0x80
-#   define DH_MODULUS_TOO_LARGE            0x100
-+#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
- /* DH_check_pub_key error codes */
- #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
-diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
-index 5d2a762..074a701 100644
--- a/include/openssl/dherr.h
-+++ b/include/openssl/dherr.h
-@@ -1,6 +1,6 @@
- /*
-  * Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
-  *
-  * Licensed under the Apache License 2.0 (the "License").  You may not use
-  * this file except in compliance with the License.  You can obtain a copy
-@@ -50,6 +50,7 @@
- #  define DH_R_NO_PRIVATE_VALUE                            100
- #  define DH_R_PARAMETER_ENCODING_ERROR                    105
- #  define DH_R_PEER_KEY_ERROR                              111
-+#  define DH_R_Q_TOO_LARGE                                 130
- #  define DH_R_SHARED_INFO_ERROR                           113
- #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
--
-2.40.1
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
deleted file mode 100644
index c5749e1874..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 8d847a3ffd4f0b17ee33962cf69c36224925b34f Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rmclure@linux.ibm.com>
-Date: Thu, 4 Jan 2024 10:25:50 +0100
-Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
-Fixes CVE-2023-6129
-The POLY1305 MAC (message authentication code) implementation in OpenSSL for
-PowerPC CPUs saves the the contents of vector registers in different order
-than they are restored. Thus the contents of some of these vector registers
-is corrupted when returning to the caller. The vulnerable code is used only
-on newer PowerPC processors supporting the PowerISA 2.07 instructions.
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23200)
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/8d847a3ffd4f0b17ee33962cf69c36224925b34f]
-CVE: CVE-2023-6129
-Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
---
- crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
- 1 file changed, 21 insertions(+), 21 deletions(-)
-diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
-index 9f86134..2e601bb 100755
--- a/crypto/poly1305/asm/poly1305-ppc.pl
-+++ b/crypto/poly1305/asm/poly1305-ppc.pl
-@@ -744,7 +744,7 @@ ___
- my $LOCALS= 6*$SIZE_T;
- my $VSXFRAME = $LOCALS + 6*$SIZE_T;
-    $VSXFRAME += 128;   # local variables
-   $VSXFRAME += 13*16; # v20-v31 offload
-+   $VSXFRAME += 12*16; # v20-v31 offload
- my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
-@@ -919,12 +919,12 @@ __poly1305_blocks_vsx:
-        addi    r11,r11,32
-        stvx    v22,r10,$sp
-        addi    r10,r10,32
-       stvx    v23,r10,$sp
-       addi    r10,r10,32
-       stvx    v24,r11,$sp
-+       stvx    v23,r11,$sp
-        addi    r11,r11,32
-       stvx    v25,r10,$sp
-+       stvx    v24,r10,$sp
-        addi    r10,r10,32
-+       stvx    v25,r11,$sp
-+       addi    r11,r11,32
-        stvx    v26,r10,$sp
-        addi    r10,r10,32
-        stvx    v27,r11,$sp
-@@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx:
-        addi    r11,r11,32
-        stvx    v22,r10,$sp
-        addi    r10,r10,32
-       stvx    v23,r10,$sp
-       addi    r10,r10,32
-       stvx    v24,r11,$sp
-+       stvx    v23,r11,$sp
-        addi    r11,r11,32
-       stvx    v25,r10,$sp
-+       stvx    v24,r10,$sp
-        addi    r10,r10,32
-+       stvx    v25,r11,$sp
-+       addi    r11,r11,32
-        stvx    v26,r10,$sp
-        addi    r10,r10,32
-        stvx    v27,r11,$sp
-@@ -1899,26 +1899,26 @@ Ldone_vsx:
-        mtspr   256,r12                         # restore vrsave
-        lvx     v20,r10,$sp
-        addi    r10,r10,32
-       lvx     v21,r10,$sp
-       addi    r10,r10,32
-       lvx     v22,r11,$sp
-+       lvx     v21,r11,$sp
-        addi    r11,r11,32
-       lvx     v23,r10,$sp
-+       lvx     v22,r10,$sp
-        addi    r10,r10,32
-       lvx     v24,r11,$sp
-+       lvx     v23,r11,$sp
-        addi    r11,r11,32
-       lvx     v25,r10,$sp
-+       lvx     v24,r10,$sp
-        addi    r10,r10,32
-       lvx     v26,r11,$sp
-+       lvx     v25,r11,$sp
-        addi    r11,r11,32
-       lvx     v27,r10,$sp
-+       lvx     v26,r10,$sp
-        addi    r10,r10,32
-       lvx     v28,r11,$sp
-+       lvx     v27,r11,$sp
-        addi    r11,r11,32
-       lvx     v29,r10,$sp
-+       lvx     v28,r10,$sp
-        addi    r10,r10,32
-       lvx     v30,r11,$sp
-       lvx     v31,r10,$sp
-+       lvx     v29,r11,$sp
-+       addi    r11,r11,32
-+       lvx     v30,r10,$sp
-+       lvx     v31,r11,$sp
-        $POP    r27,`$VSXFRAME-$SIZE_T*5`($sp)
-        $POP    r28,`$VSXFRAME-$SIZE_T*4`($sp)
-        $POP    r29,`$VSXFRAME-$SIZE_T*3`($sp)
--
-2.39.3
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
deleted file mode 100644
index 621dc6b0ab..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 22 Dec 2023 16:25:56 +0100
-Subject: [PATCH] Limit the execution time of RSA public key check
-Fixes CVE-2023-6237
-If a large and incorrect RSA public key is checked with
-EVP_PKEY_public_check() the computation could take very long time
-due to no limit being applied to the RSA public key size and
-unnecessarily high number of Miller-Rabin algorithm rounds
-used for non-primality check of the modulus.
-Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
-will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
-Also the number of Miller-Rabin rounds was set to 5.
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23243)
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db]
-CVE: CVE-2023-6237
-Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
---
- crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
- test/recipes/91-test_pkey_check.t             |  2 +-
- .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
- 3 files changed, 56 insertions(+), 2 deletions(-)
- create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
-diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
-index fc8f19b..bcbdd24 100644
--- a/crypto/rsa/rsa_sp800_56b_check.c
-+++ b/crypto/rsa/rsa_sp800_56b_check.c
-@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
-         return 0;
- 
-     nbits = BN_num_bits(rsa->n);
-+    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
-+        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
-+        return 0;
-+    }
-+
- #ifdef FIPS_MODULE
-     /*
-      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
-@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
-         goto err;
-     }
- 
-    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
-+    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
-+    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
- #ifdef FIPS_MODULE
-     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
- #else
-diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
-index dc7cc64..f8088df 100644
--- a/test/recipes/91-test_pkey_check.t
-+++ b/test/recipes/91-test_pkey_check.t
-@@ -70,7 +70,7 @@ push(@positive_tests, (
-     "dhpkey.pem"
-     )) unless disabled("dh");
- 
-my @negative_pubtests = ();
-+my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
- 
- push(@negative_pubtests, (
-     "dsapub_noparam.der"
-diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
-new file mode 100644
-index 0000000..9a2eaed
--- /dev/null
-+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
-@@ -0,0 +1,48 @@
-+-----BEGIN PUBLIC KEY-----
-+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
-+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
-+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
-+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
-+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
-+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
-+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
-+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
-+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
-+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
-+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
-+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
-+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
-+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
-+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
-+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
-+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
-+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
-+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
-+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
-+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
-+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
-+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
-+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
-+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
-+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
-+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
-+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
-+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
-+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
-+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
-+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
-+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
-+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
-+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
-+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
-+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
-+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
-+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
-+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
-+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
-+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
-+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
-+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
-+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
-+AQAB
-+-----END PUBLIC KEY-----
-- 
-2.25.1
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
index ce0f9fa8e3..5e43fdc2de 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
@@ -12,16 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
-           file://CVE-2023-5678.patch \
-           file://CVE-2023-6129.patch \
-           file://CVE-2023-6237.patch \
           "
 SRC_URI:append:class-nativesdk = " \
           file://environment.d-openssl.sh \
           "
-SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"
+SRC_URI[sha256sum] = "88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313"
 inherit lib_package multilib_header multilib_script ptest perlnative
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -188,6 +185,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version ="
 do_install_ptest () {
        install -d ${D}${PTEST_PATH}/test
        install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
+        install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
        install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
        # Prune the build tree
author	Peter Marko <peter.marko@siemens.com>	2024-02-04 17:05:29 +0100
committer	Steve Sakoman <steve@sakoman.com>	2024-02-09 03:46:50 -1000
commit	d47afb07da374de4c8424fcb3e16b15116f30f8d (patch)
tree	33514b31bb6aa1b9375f738c585dfd9792f07b1d
parent	d803ca653139aa2d6acb4f99469c76a9d232b307 (diff)
download	poky-d47afb07da374de4c8424fcb3e16b15116f30f8d.tar.gz

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch deleted file mode 100644 index 796a4f8be9..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch +++ /dev/null
@@ -1,180 +0,0 @@
1	From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
2	From: Richard Levitte <levitte@openssl.org>
3	Date: Fri, 20 Oct 2023 09:18:19 +0200
4	Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
5
6	We already check for an excessively large P in DH_generate_key(), but not in
7	DH_check_pub_key(), and none of them check for an excessively large Q.
8
9	This change adds all the missing excessive size checks of P and Q.
10
11	It's to be noted that behaviours surrounding excessively sized P and Q
12	differ. DH_check() raises an error on the excessively sized P, but only
13	sets a flag for the excessively sized Q. This behaviour is mimicked in
14	DH_check_pub_key().
15
16	Reviewed-by: Tomas Mraz <tomas@openssl.org>
17	Reviewed-by: Matt Caswell <matt@openssl.org>
18	Reviewed-by: Hugo Landau <hlandau@openssl.org>
19	(Merged from https://github.com/openssl/openssl/pull/22518)
20
21	(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
22
23	Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017]
24	CVE: CVE-2023-5678
25	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
26	---
27	crypto/dh/dh_check.c \| 12 ++++++++++++
28	crypto/dh/dh_err.c \| 3 ++-
29	crypto/dh/dh_key.c \| 12 ++++++++++++
30	crypto/err/openssl.txt \| 1 +
31	include/crypto/dherr.h \| 2 +-
32	include/openssl/dh.h \| 6 +++---
33	include/openssl/dherr.h \| 3 ++-
34	7 files changed, 33 insertions(+), 6 deletions(-)
35
36	diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
37	index 7ba2bea..e20eb62 100644
38	--- a/crypto/dh/dh_check.c
39	+++ b/crypto/dh/dh_check.c
40	@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH dh, const BIGNUM pub_key)
41	*/
42	int DH_check_pub_key(const DH dh, const BIGNUM pub_key, int *ret)
43	{
44	+ /* Don't do any checks at all with an excessively large modulus */
45	+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
46	+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
47	+ *ret = DH_MODULUS_TOO_LARGE \| DH_CHECK_PUBKEY_INVALID;
48	+ return 0;
49	+ }
50	+
51	+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
52	+ *ret \|= DH_CHECK_INVALID_Q_VALUE \| DH_CHECK_PUBKEY_INVALID;
53	+ return 1;
54	+ }
55	+
56	return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
57	}
58
59	diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
60	index 4152397..f76ac0d 100644
61	--- a/crypto/dh/dh_err.c
62	+++ b/crypto/dh/dh_err.c
63	@@ -1,6 +1,6 @@
64	/*
65	* Generated by util/mkerr.pl DO NOT EDIT
66	- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
67	+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
68	*
69	* Licensed under the Apache License 2.0 (the "License"). You may not use
70	* this file except in compliance with the License. You can obtain a copy
71	@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
72	{ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
73	"parameter encoding error"},
74	{ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
75	+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
76	{ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
77	{ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
78	"unable to check generator"},
79	diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
80	index d84ea99..afc49f5 100644
81	--- a/crypto/dh/dh_key.c
82	+++ b/crypto/dh/dh_key.c
83	@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char key, const BIGNUM pub_key, DH *dh)
84	goto err;
85	}
86
87	+ if (dh->params.q != NULL
88	+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
89	+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
90	+ goto err;
91	+ }
92	+
93	if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
94	ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
95	return 0;
96	@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
97	return 0;
98	}
99
100	+ if (dh->params.q != NULL
101	+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
102	+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
103	+ return 0;
104	+ }
105	+
106	if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
107	ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
108	return 0;
109	diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
110	index e51504b..36de321 100644
111	--- a/crypto/err/openssl.txt
112	+++ b/crypto/err/openssl.txt
113	@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
114	DH_R_NO_PRIVATE_VALUE:100:no private value
115	DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
116	DH_R_PEER_KEY_ERROR:111:peer key error
117	+DH_R_Q_TOO_LARGE:130:q too large
118	DH_R_SHARED_INFO_ERROR:113:shared info error
119	DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
120	DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
121	diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
122	index bb24d13..519327f 100644
123	--- a/include/crypto/dherr.h
124	+++ b/include/crypto/dherr.h
125	@@ -1,6 +1,6 @@
126	/*
127	* Generated by util/mkerr.pl DO NOT EDIT
128	- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
129	+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
130	*
131	* Licensed under the Apache License 2.0 (the "License"). You may not use
132	* this file except in compliance with the License. You can obtain a copy
133	diff --git a/include/openssl/dh.h b/include/openssl/dh.h
134	index 6533260..50e0cf5 100644
135	--- a/include/openssl/dh.h
136	+++ b/include/openssl/dh.h
137	@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
138	# define DH_GENERATOR_3 3
139	# define DH_GENERATOR_5 5
140
141	-/* DH_check error codes */
142	+/* DH_check error codes, some of them shared with DH_check_pub_key */
143	/*
144	* NB: These values must align with the equivalently named macros in
145	* internal/ffc.h.
146	@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
147	# define DH_UNABLE_TO_CHECK_GENERATOR 0x04
148	# define DH_NOT_SUITABLE_GENERATOR 0x08
149	# define DH_CHECK_Q_NOT_PRIME 0x10
150	-# define DH_CHECK_INVALID_Q_VALUE 0x20
151	+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */
152	# define DH_CHECK_INVALID_J_VALUE 0x40
153	# define DH_MODULUS_TOO_SMALL 0x80
154	-# define DH_MODULUS_TOO_LARGE 0x100
155	+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */
156
157	/* DH_check_pub_key error codes */
158	# define DH_CHECK_PUBKEY_TOO_SMALL 0x01
159	diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
160	index 5d2a762..074a701 100644
161	--- a/include/openssl/dherr.h
162	+++ b/include/openssl/dherr.h
163	@@ -1,6 +1,6 @@
164	/*
165	* Generated by util/mkerr.pl DO NOT EDIT
166	- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
167	+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
168	*
169	* Licensed under the Apache License 2.0 (the "License"). You may not use
170	* this file except in compliance with the License. You can obtain a copy
171	@@ -50,6 +50,7 @@
172	# define DH_R_NO_PRIVATE_VALUE 100
173	# define DH_R_PARAMETER_ENCODING_ERROR 105
174	# define DH_R_PEER_KEY_ERROR 111
175	+# define DH_R_Q_TOO_LARGE 130
176	# define DH_R_SHARED_INFO_ERROR 113
177	# define DH_R_UNABLE_TO_CHECK_GENERATOR 121
178
179	--
180	2.40.1


diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch deleted file mode 100644 index c5749e1874..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch +++ /dev/null
@@ -1,113 +0,0 @@
1	From 8d847a3ffd4f0b17ee33962cf69c36224925b34f Mon Sep 17 00:00:00 2001
2	From: Rohan McLure <rmclure@linux.ibm.com>
3	Date: Thu, 4 Jan 2024 10:25:50 +0100
4	Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
5
6	Fixes CVE-2023-6129
7
8	The POLY1305 MAC (message authentication code) implementation in OpenSSL for
9	PowerPC CPUs saves the the contents of vector registers in different order
10	than they are restored. Thus the contents of some of these vector registers
11	is corrupted when returning to the caller. The vulnerable code is used only
12	on newer PowerPC processors supporting the PowerISA 2.07 instructions.
13
14	Reviewed-by: Matt Caswell <matt@openssl.org>
15	Reviewed-by: Richard Levitte <levitte@openssl.org>
16	Reviewed-by: Tomas Mraz <tomas@openssl.org>
17	(Merged from https://github.com/openssl/openssl/pull/23200)
18
19	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/8d847a3ffd4f0b17ee33962cf69c36224925b34f]
20	CVE: CVE-2023-6129
21	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
22	---
23	crypto/poly1305/asm/poly1305-ppc.pl \| 42 ++++++++++++++---------------
24	1 file changed, 21 insertions(+), 21 deletions(-)
25
26	diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
27	index 9f86134..2e601bb 100755
28	--- a/crypto/poly1305/asm/poly1305-ppc.pl
29	+++ b/crypto/poly1305/asm/poly1305-ppc.pl
30	@@ -744,7 +744,7 @@ ___
31	my $LOCALS= 6*$SIZE_T;
32	my $VSXFRAME = $LOCALS + 6*$SIZE_T;
33	$VSXFRAME += 128; # local variables
34	- $VSXFRAME += 13*16; # v20-v31 offload
35	+ $VSXFRAME += 12*16; # v20-v31 offload
36
37	my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
38
39	@@ -919,12 +919,12 @@ __poly1305_blocks_vsx:
40	addi r11,r11,32
41	stvx v22,r10,$sp
42	addi r10,r10,32
43	- stvx v23,r10,$sp
44	- addi r10,r10,32
45	- stvx v24,r11,$sp
46	+ stvx v23,r11,$sp
47	addi r11,r11,32
48	- stvx v25,r10,$sp
49	+ stvx v24,r10,$sp
50	addi r10,r10,32
51	+ stvx v25,r11,$sp
52	+ addi r11,r11,32
53	stvx v26,r10,$sp
54	addi r10,r10,32
55	stvx v27,r11,$sp
56	@@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx:
57	addi r11,r11,32
58	stvx v22,r10,$sp
59	addi r10,r10,32
60	- stvx v23,r10,$sp
61	- addi r10,r10,32
62	- stvx v24,r11,$sp
63	+ stvx v23,r11,$sp
64	addi r11,r11,32
65	- stvx v25,r10,$sp
66	+ stvx v24,r10,$sp
67	addi r10,r10,32
68	+ stvx v25,r11,$sp
69	+ addi r11,r11,32
70	stvx v26,r10,$sp
71	addi r10,r10,32
72	stvx v27,r11,$sp
73	@@ -1899,26 +1899,26 @@ Ldone_vsx:
74	mtspr 256,r12 # restore vrsave
75	lvx v20,r10,$sp
76	addi r10,r10,32
77	- lvx v21,r10,$sp
78	- addi r10,r10,32
79	- lvx v22,r11,$sp
80	+ lvx v21,r11,$sp
81	addi r11,r11,32
82	- lvx v23,r10,$sp
83	+ lvx v22,r10,$sp
84	addi r10,r10,32
85	- lvx v24,r11,$sp
86	+ lvx v23,r11,$sp
87	addi r11,r11,32
88	- lvx v25,r10,$sp
89	+ lvx v24,r10,$sp
90	addi r10,r10,32
91	- lvx v26,r11,$sp
92	+ lvx v25,r11,$sp
93	addi r11,r11,32
94	- lvx v27,r10,$sp
95	+ lvx v26,r10,$sp
96	addi r10,r10,32
97	- lvx v28,r11,$sp
98	+ lvx v27,r11,$sp
99	addi r11,r11,32
100	- lvx v29,r10,$sp
101	+ lvx v28,r10,$sp
102	addi r10,r10,32
103	- lvx v30,r11,$sp
104	- lvx v31,r10,$sp
105	+ lvx v29,r11,$sp
106	+ addi r11,r11,32
107	+ lvx v30,r10,$sp
108	+ lvx v31,r11,$sp
109	$POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
110	$POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
111	$POP r29,`$VSXFRAME-$SIZE_T*3`($sp)
112	--
113	2.39.3


diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch deleted file mode 100644 index 621dc6b0ab..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch +++ /dev/null
@@ -1,127 +0,0 @@
1	rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001
2	From: Tomas Mraz <tomas@openssl.org>
3	Date: Fri, 22 Dec 2023 16:25:56 +0100
4	Subject: [PATCH] Limit the execution time of RSA public key check
5
6	Fixes CVE-2023-6237
7
8	If a large and incorrect RSA public key is checked with
9	EVP_PKEY_public_check() the computation could take very long time
10	due to no limit being applied to the RSA public key size and
11	unnecessarily high number of Miller-Rabin algorithm rounds
12	used for non-primality check of the modulus.
13
14	Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
15	will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
16	Also the number of Miller-Rabin rounds was set to 5.
17
18	Reviewed-by: Neil Horman <nhorman@openssl.org>
19	Reviewed-by: Matt Caswell <matt@openssl.org>
20	(Merged from https://github.com/openssl/openssl/pull/23243)
21
22	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db]
23	CVE: CVE-2023-6237
24	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
25	---
26	crypto/rsa/rsa_sp800_56b_check.c \| 8 +++-
27	test/recipes/91-test_pkey_check.t \| 2 +-
28	.../91-test_pkey_check_data/rsapub_17k.pem \| 48 +++++++++++++++++++
29	3 files changed, 56 insertions(+), 2 deletions(-)
30	create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
31
32	diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
33	index fc8f19b..bcbdd24 100644
34	--- a/crypto/rsa/rsa_sp800_56b_check.c
35	+++ b/crypto/rsa/rsa_sp800_56b_check.c
36	@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
37	return 0;
38
39	nbits = BN_num_bits(rsa->n);
40	+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
41	+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
42	+ return 0;
43	+ }
44	+
45	#ifdef FIPS_MODULE
46	/*
47	* (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
48	@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
49	goto err;
50	}
51
52	- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
53	+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
54	+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
55	#ifdef FIPS_MODULE
56	if (ret != 1 \|\| status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
57	#else
58	diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
59	index dc7cc64..f8088df 100644
60	--- a/test/recipes/91-test_pkey_check.t
61	+++ b/test/recipes/91-test_pkey_check.t
62	@@ -70,7 +70,7 @@ push(@positive_tests, (
63	"dhpkey.pem"
64	)) unless disabled("dh");
65
66	-my @negative_pubtests = ();
67	+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key
68
69	push(@negative_pubtests, (
70	"dsapub_noparam.der"
71	diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
72	new file mode 100644
73	index 0000000..9a2eaed
74	--- /dev/null
75	+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
76	@@ -0,0 +1,48 @@
77	+-----BEGIN PUBLIC KEY-----
78	+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
79	+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
80	+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
81	+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
82	+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
83	+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
84	+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
85	+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
86	+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
87	+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
88	+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
89	+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
90	+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
91	+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
92	+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
93	+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
94	+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
95	+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
96	+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
97	+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
98	+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
99	+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
100	+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
101	+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
102	+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
103	+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
104	+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
105	+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
106	+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
107	+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
108	+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
109	+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
110	+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
111	+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
112	+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
113	+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
114	+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
115	+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
116	+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
117	+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
118	+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
119	+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
120	+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
121	+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
122	+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
123	+AQAB
124	+-----END PUBLIC KEY-----
125	--
126	2.25.1
127


diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb index ce0f9fa8e3..5e43fdc2de 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb
@@ -12,16 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13	file://afalg.patch \	13	file://afalg.patch \
14	file://0001-Configure-do-not-tweak-mips-cflags.patch \	14	file://0001-Configure-do-not-tweak-mips-cflags.patch \
15	file://CVE-2023-5678.patch \
16	file://CVE-2023-6129.patch \
17	file://CVE-2023-6237.patch \
18	"	15	"
19		16
20	SRC_URI:append:class-nativesdk = " \	17	SRC_URI:append:class-nativesdk = " \
21	file://environment.d-openssl.sh \	18	file://environment.d-openssl.sh \
22	"	19	"
23		20
24	SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61"	21	SRC_URI[sha256sum] = "88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313"
25		22
26	inherit lib_package multilib_header multilib_script ptest perlnative	23	inherit lib_package multilib_header multilib_script ptest perlnative
27	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"	24	MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -188,6 +185,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version ="
188	do_install_ptest () {	185	do_install_ptest () {
189	install -d ${D}${PTEST_PATH}/test	186	install -d ${D}${PTEST_PATH}/test
190	install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test	187	install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test
		188	install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test
191	install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test	189	install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test
192		190
193	# Prune the build tree	191	# Prune the build tree