diff options
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch | 180 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch | 113 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch | 127 | ||||
| -rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.0.13.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.0.12.bb) | 6 | 
4 files changed, 2 insertions, 424 deletions
| diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch deleted file mode 100644 index 796a4f8be9..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-5678.patch +++ /dev/null | |||
| @@ -1,180 +0,0 @@ | |||
| 1 | From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Richard Levitte <levitte@openssl.org> | ||
| 3 | Date: Fri, 20 Oct 2023 09:18:19 +0200 | ||
| 4 | Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet | ||
| 5 | |||
| 6 | We already check for an excessively large P in DH_generate_key(), but not in | ||
| 7 | DH_check_pub_key(), and none of them check for an excessively large Q. | ||
| 8 | |||
| 9 | This change adds all the missing excessive size checks of P and Q. | ||
| 10 | |||
| 11 | It's to be noted that behaviours surrounding excessively sized P and Q | ||
| 12 | differ. DH_check() raises an error on the excessively sized P, but only | ||
| 13 | sets a flag for the excessively sized Q. This behaviour is mimicked in | ||
| 14 | DH_check_pub_key(). | ||
| 15 | |||
| 16 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 17 | Reviewed-by: Matt Caswell <matt@openssl.org> | ||
| 18 | Reviewed-by: Hugo Landau <hlandau@openssl.org> | ||
| 19 | (Merged from https://github.com/openssl/openssl/pull/22518) | ||
| 20 | |||
| 21 | (cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) | ||
| 22 | |||
| 23 | Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=db925ae2e65d0d925adef429afc37f75bd1c2017] | ||
| 24 | CVE: CVE-2023-5678 | ||
| 25 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
| 26 | --- | ||
| 27 | crypto/dh/dh_check.c | 12 ++++++++++++ | ||
| 28 | crypto/dh/dh_err.c | 3 ++- | ||
| 29 | crypto/dh/dh_key.c | 12 ++++++++++++ | ||
| 30 | crypto/err/openssl.txt | 1 + | ||
| 31 | include/crypto/dherr.h | 2 +- | ||
| 32 | include/openssl/dh.h | 6 +++--- | ||
| 33 | include/openssl/dherr.h | 3 ++- | ||
| 34 | 7 files changed, 33 insertions(+), 6 deletions(-) | ||
| 35 | |||
| 36 | diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c | ||
| 37 | index 7ba2bea..e20eb62 100644 | ||
| 38 | --- a/crypto/dh/dh_check.c | ||
| 39 | +++ b/crypto/dh/dh_check.c | ||
| 40 | @@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) | ||
| 41 | */ | ||
| 42 | int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) | ||
| 43 | { | ||
| 44 | + /* Don't do any checks at all with an excessively large modulus */ | ||
| 45 | + if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { | ||
| 46 | + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); | ||
| 47 | + *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; | ||
| 48 | + return 0; | ||
| 49 | + } | ||
| 50 | + | ||
| 51 | + if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { | ||
| 52 | + *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; | ||
| 53 | + return 1; | ||
| 54 | + } | ||
| 55 | + | ||
| 56 | return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); | ||
| 57 | } | ||
| 58 | |||
| 59 | diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c | ||
| 60 | index 4152397..f76ac0d 100644 | ||
| 61 | --- a/crypto/dh/dh_err.c | ||
| 62 | +++ b/crypto/dh/dh_err.c | ||
| 63 | @@ -1,6 +1,6 @@ | ||
| 64 | /* | ||
| 65 | * Generated by util/mkerr.pl DO NOT EDIT | ||
| 66 | - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. | ||
| 67 | + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. | ||
| 68 | * | ||
| 69 | * Licensed under the Apache License 2.0 (the "License"). You may not use | ||
| 70 | * this file except in compliance with the License. You can obtain a copy | ||
| 71 | @@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { | ||
| 72 | {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), | ||
| 73 | "parameter encoding error"}, | ||
| 74 | {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, | ||
| 75 | + {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, | ||
| 76 | {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, | ||
| 77 | {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), | ||
| 78 | "unable to check generator"}, | ||
| 79 | diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c | ||
| 80 | index d84ea99..afc49f5 100644 | ||
| 81 | --- a/crypto/dh/dh_key.c | ||
| 82 | +++ b/crypto/dh/dh_key.c | ||
| 83 | @@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) | ||
| 84 | goto err; | ||
| 85 | } | ||
| 86 | |||
| 87 | + if (dh->params.q != NULL | ||
| 88 | + && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { | ||
| 89 | + ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); | ||
| 90 | + goto err; | ||
| 91 | + } | ||
| 92 | + | ||
| 93 | if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { | ||
| 94 | ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); | ||
| 95 | return 0; | ||
| 96 | @@ -267,6 +273,12 @@ static int generate_key(DH *dh) | ||
| 97 | return 0; | ||
| 98 | } | ||
| 99 | |||
| 100 | + if (dh->params.q != NULL | ||
| 101 | + && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { | ||
| 102 | + ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); | ||
| 103 | + return 0; | ||
| 104 | + } | ||
| 105 | + | ||
| 106 | if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { | ||
| 107 | ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); | ||
| 108 | return 0; | ||
| 109 | diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt | ||
| 110 | index e51504b..36de321 100644 | ||
| 111 | --- a/crypto/err/openssl.txt | ||
| 112 | +++ b/crypto/err/openssl.txt | ||
| 113 | @@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set | ||
| 114 | DH_R_NO_PRIVATE_VALUE:100:no private value | ||
| 115 | DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error | ||
| 116 | DH_R_PEER_KEY_ERROR:111:peer key error | ||
| 117 | +DH_R_Q_TOO_LARGE:130:q too large | ||
| 118 | DH_R_SHARED_INFO_ERROR:113:shared info error | ||
| 119 | DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator | ||
| 120 | DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters | ||
| 121 | diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h | ||
| 122 | index bb24d13..519327f 100644 | ||
| 123 | --- a/include/crypto/dherr.h | ||
| 124 | +++ b/include/crypto/dherr.h | ||
| 125 | @@ -1,6 +1,6 @@ | ||
| 126 | /* | ||
| 127 | * Generated by util/mkerr.pl DO NOT EDIT | ||
| 128 | - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. | ||
| 129 | + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. | ||
| 130 | * | ||
| 131 | * Licensed under the Apache License 2.0 (the "License"). You may not use | ||
| 132 | * this file except in compliance with the License. You can obtain a copy | ||
| 133 | diff --git a/include/openssl/dh.h b/include/openssl/dh.h | ||
| 134 | index 6533260..50e0cf5 100644 | ||
| 135 | --- a/include/openssl/dh.h | ||
| 136 | +++ b/include/openssl/dh.h | ||
| 137 | @@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) | ||
| 138 | # define DH_GENERATOR_3 3 | ||
| 139 | # define DH_GENERATOR_5 5 | ||
| 140 | |||
| 141 | -/* DH_check error codes */ | ||
| 142 | +/* DH_check error codes, some of them shared with DH_check_pub_key */ | ||
| 143 | /* | ||
| 144 | * NB: These values must align with the equivalently named macros in | ||
| 145 | * internal/ffc.h. | ||
| 146 | @@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) | ||
| 147 | # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 | ||
| 148 | # define DH_NOT_SUITABLE_GENERATOR 0x08 | ||
| 149 | # define DH_CHECK_Q_NOT_PRIME 0x10 | ||
| 150 | -# define DH_CHECK_INVALID_Q_VALUE 0x20 | ||
| 151 | +# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ | ||
| 152 | # define DH_CHECK_INVALID_J_VALUE 0x40 | ||
| 153 | # define DH_MODULUS_TOO_SMALL 0x80 | ||
| 154 | -# define DH_MODULUS_TOO_LARGE 0x100 | ||
| 155 | +# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ | ||
| 156 | |||
| 157 | /* DH_check_pub_key error codes */ | ||
| 158 | # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 | ||
| 159 | diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h | ||
| 160 | index 5d2a762..074a701 100644 | ||
| 161 | --- a/include/openssl/dherr.h | ||
| 162 | +++ b/include/openssl/dherr.h | ||
| 163 | @@ -1,6 +1,6 @@ | ||
| 164 | /* | ||
| 165 | * Generated by util/mkerr.pl DO NOT EDIT | ||
| 166 | - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. | ||
| 167 | + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. | ||
| 168 | * | ||
| 169 | * Licensed under the Apache License 2.0 (the "License"). You may not use | ||
| 170 | * this file except in compliance with the License. You can obtain a copy | ||
| 171 | @@ -50,6 +50,7 @@ | ||
| 172 | # define DH_R_NO_PRIVATE_VALUE 100 | ||
| 173 | # define DH_R_PARAMETER_ENCODING_ERROR 105 | ||
| 174 | # define DH_R_PEER_KEY_ERROR 111 | ||
| 175 | +# define DH_R_Q_TOO_LARGE 130 | ||
| 176 | # define DH_R_SHARED_INFO_ERROR 113 | ||
| 177 | # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 | ||
| 178 | |||
| 179 | -- | ||
| 180 | 2.40.1 | ||
| diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch deleted file mode 100644 index c5749e1874..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch +++ /dev/null | |||
| @@ -1,113 +0,0 @@ | |||
| 1 | From 8d847a3ffd4f0b17ee33962cf69c36224925b34f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Rohan McLure <rmclure@linux.ibm.com> | ||
| 3 | Date: Thu, 4 Jan 2024 10:25:50 +0100 | ||
| 4 | Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering | ||
| 5 | |||
| 6 | Fixes CVE-2023-6129 | ||
| 7 | |||
| 8 | The POLY1305 MAC (message authentication code) implementation in OpenSSL for | ||
| 9 | PowerPC CPUs saves the the contents of vector registers in different order | ||
| 10 | than they are restored. Thus the contents of some of these vector registers | ||
| 11 | is corrupted when returning to the caller. The vulnerable code is used only | ||
| 12 | on newer PowerPC processors supporting the PowerISA 2.07 instructions. | ||
| 13 | |||
| 14 | Reviewed-by: Matt Caswell <matt@openssl.org> | ||
| 15 | Reviewed-by: Richard Levitte <levitte@openssl.org> | ||
| 16 | Reviewed-by: Tomas Mraz <tomas@openssl.org> | ||
| 17 | (Merged from https://github.com/openssl/openssl/pull/23200) | ||
| 18 | |||
| 19 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/8d847a3ffd4f0b17ee33962cf69c36224925b34f] | ||
| 20 | CVE: CVE-2023-6129 | ||
| 21 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
| 22 | --- | ||
| 23 | crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++--------------- | ||
| 24 | 1 file changed, 21 insertions(+), 21 deletions(-) | ||
| 25 | |||
| 26 | diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl | ||
| 27 | index 9f86134..2e601bb 100755 | ||
| 28 | --- a/crypto/poly1305/asm/poly1305-ppc.pl | ||
| 29 | +++ b/crypto/poly1305/asm/poly1305-ppc.pl | ||
| 30 | @@ -744,7 +744,7 @@ ___ | ||
| 31 | my $LOCALS= 6*$SIZE_T; | ||
| 32 | my $VSXFRAME = $LOCALS + 6*$SIZE_T; | ||
| 33 | $VSXFRAME += 128; # local variables | ||
| 34 | - $VSXFRAME += 13*16; # v20-v31 offload | ||
| 35 | + $VSXFRAME += 12*16; # v20-v31 offload | ||
| 36 | |||
| 37 | my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; | ||
| 38 | |||
| 39 | @@ -919,12 +919,12 @@ __poly1305_blocks_vsx: | ||
| 40 | addi r11,r11,32 | ||
| 41 | stvx v22,r10,$sp | ||
| 42 | addi r10,r10,32 | ||
| 43 | - stvx v23,r10,$sp | ||
| 44 | - addi r10,r10,32 | ||
| 45 | - stvx v24,r11,$sp | ||
| 46 | + stvx v23,r11,$sp | ||
| 47 | addi r11,r11,32 | ||
| 48 | - stvx v25,r10,$sp | ||
| 49 | + stvx v24,r10,$sp | ||
| 50 | addi r10,r10,32 | ||
| 51 | + stvx v25,r11,$sp | ||
| 52 | + addi r11,r11,32 | ||
| 53 | stvx v26,r10,$sp | ||
| 54 | addi r10,r10,32 | ||
| 55 | stvx v27,r11,$sp | ||
| 56 | @@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx: | ||
| 57 | addi r11,r11,32 | ||
| 58 | stvx v22,r10,$sp | ||
| 59 | addi r10,r10,32 | ||
| 60 | - stvx v23,r10,$sp | ||
| 61 | - addi r10,r10,32 | ||
| 62 | - stvx v24,r11,$sp | ||
| 63 | + stvx v23,r11,$sp | ||
| 64 | addi r11,r11,32 | ||
| 65 | - stvx v25,r10,$sp | ||
| 66 | + stvx v24,r10,$sp | ||
| 67 | addi r10,r10,32 | ||
| 68 | + stvx v25,r11,$sp | ||
| 69 | + addi r11,r11,32 | ||
| 70 | stvx v26,r10,$sp | ||
| 71 | addi r10,r10,32 | ||
| 72 | stvx v27,r11,$sp | ||
| 73 | @@ -1899,26 +1899,26 @@ Ldone_vsx: | ||
| 74 | mtspr 256,r12 # restore vrsave | ||
| 75 | lvx v20,r10,$sp | ||
| 76 | addi r10,r10,32 | ||
| 77 | - lvx v21,r10,$sp | ||
| 78 | - addi r10,r10,32 | ||
| 79 | - lvx v22,r11,$sp | ||
| 80 | + lvx v21,r11,$sp | ||
| 81 | addi r11,r11,32 | ||
| 82 | - lvx v23,r10,$sp | ||
| 83 | + lvx v22,r10,$sp | ||
| 84 | addi r10,r10,32 | ||
| 85 | - lvx v24,r11,$sp | ||
| 86 | + lvx v23,r11,$sp | ||
| 87 | addi r11,r11,32 | ||
| 88 | - lvx v25,r10,$sp | ||
| 89 | + lvx v24,r10,$sp | ||
| 90 | addi r10,r10,32 | ||
| 91 | - lvx v26,r11,$sp | ||
| 92 | + lvx v25,r11,$sp | ||
| 93 | addi r11,r11,32 | ||
| 94 | - lvx v27,r10,$sp | ||
| 95 | + lvx v26,r10,$sp | ||
| 96 | addi r10,r10,32 | ||
| 97 | - lvx v28,r11,$sp | ||
| 98 | + lvx v27,r11,$sp | ||
| 99 | addi r11,r11,32 | ||
| 100 | - lvx v29,r10,$sp | ||
| 101 | + lvx v28,r10,$sp | ||
| 102 | addi r10,r10,32 | ||
| 103 | - lvx v30,r11,$sp | ||
| 104 | - lvx v31,r10,$sp | ||
| 105 | + lvx v29,r11,$sp | ||
| 106 | + addi r11,r11,32 | ||
| 107 | + lvx v30,r10,$sp | ||
| 108 | + lvx v31,r11,$sp | ||
| 109 | $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) | ||
| 110 | $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) | ||
| 111 | $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) | ||
| 112 | -- | ||
| 113 | 2.39.3 | ||
| diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch deleted file mode 100644 index 621dc6b0ab..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6237.patch +++ /dev/null | |||
| @@ -1,127 +0,0 @@ | |||
| 1 | rom e09fc1d746a4fd15bb5c3d7bbbab950aadd005db Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Tomas Mraz <tomas@openssl.org> | ||
| 3 | Date: Fri, 22 Dec 2023 16:25:56 +0100 | ||
| 4 | Subject: [PATCH] Limit the execution time of RSA public key check | ||
| 5 | |||
| 6 | Fixes CVE-2023-6237 | ||
| 7 | |||
| 8 | If a large and incorrect RSA public key is checked with | ||
| 9 | EVP_PKEY_public_check() the computation could take very long time | ||
| 10 | due to no limit being applied to the RSA public key size and | ||
| 11 | unnecessarily high number of Miller-Rabin algorithm rounds | ||
| 12 | used for non-primality check of the modulus. | ||
| 13 | |||
| 14 | Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) | ||
| 15 | will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. | ||
| 16 | Also the number of Miller-Rabin rounds was set to 5. | ||
| 17 | |||
| 18 | Reviewed-by: Neil Horman <nhorman@openssl.org> | ||
| 19 | Reviewed-by: Matt Caswell <matt@openssl.org> | ||
| 20 | (Merged from https://github.com/openssl/openssl/pull/23243) | ||
| 21 | |||
| 22 | Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e09fc1d746a4fd15bb5c3d7bbbab950aadd005db] | ||
| 23 | CVE: CVE-2023-6237 | ||
| 24 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
| 25 | --- | ||
| 26 | crypto/rsa/rsa_sp800_56b_check.c | 8 +++- | ||
| 27 | test/recipes/91-test_pkey_check.t | 2 +- | ||
| 28 | .../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++ | ||
| 29 | 3 files changed, 56 insertions(+), 2 deletions(-) | ||
| 30 | create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem | ||
| 31 | |||
| 32 | diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c | ||
| 33 | index fc8f19b..bcbdd24 100644 | ||
| 34 | --- a/crypto/rsa/rsa_sp800_56b_check.c | ||
| 35 | +++ b/crypto/rsa/rsa_sp800_56b_check.c | ||
| 36 | @@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) | ||
| 37 | return 0; | ||
| 38 | |||
| 39 | nbits = BN_num_bits(rsa->n); | ||
| 40 | + if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { | ||
| 41 | + ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); | ||
| 42 | + return 0; | ||
| 43 | + } | ||
| 44 | + | ||
| 45 | #ifdef FIPS_MODULE | ||
| 46 | /* | ||
| 47 | * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) | ||
| 48 | @@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) | ||
| 49 | goto err; | ||
| 50 | } | ||
| 51 | |||
| 52 | - ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); | ||
| 53 | + /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ | ||
| 54 | + ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); | ||
| 55 | #ifdef FIPS_MODULE | ||
| 56 | if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { | ||
| 57 | #else | ||
| 58 | diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t | ||
| 59 | index dc7cc64..f8088df 100644 | ||
| 60 | --- a/test/recipes/91-test_pkey_check.t | ||
| 61 | +++ b/test/recipes/91-test_pkey_check.t | ||
| 62 | @@ -70,7 +70,7 @@ push(@positive_tests, ( | ||
| 63 | "dhpkey.pem" | ||
| 64 | )) unless disabled("dh"); | ||
| 65 | |||
| 66 | -my @negative_pubtests = (); | ||
| 67 | +my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key | ||
| 68 | |||
| 69 | push(@negative_pubtests, ( | ||
| 70 | "dsapub_noparam.der" | ||
| 71 | diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem | ||
| 72 | new file mode 100644 | ||
| 73 | index 0000000..9a2eaed | ||
| 74 | --- /dev/null | ||
| 75 | +++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem | ||
| 76 | @@ -0,0 +1,48 @@ | ||
| 77 | +-----BEGIN PUBLIC KEY----- | ||
| 78 | +MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR | ||
| 79 | +B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph | ||
| 80 | +gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 | ||
| 81 | +GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ | ||
| 82 | +XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj | ||
| 83 | +b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 | ||
| 84 | +gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq | ||
| 85 | +TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 | ||
| 86 | +vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 | ||
| 87 | +V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j | ||
| 88 | +/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH | ||
| 89 | +SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa | ||
| 90 | +PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y | ||
| 91 | +Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu | ||
| 92 | +C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J | ||
| 93 | +xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo | ||
| 94 | +F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id | ||
| 95 | +aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB | ||
| 96 | +nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi | ||
| 97 | +R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 | ||
| 98 | +kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN | ||
| 99 | +mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux | ||
| 100 | +AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O | ||
| 101 | +f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi | ||
| 102 | +ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH | ||
| 103 | +UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx | ||
| 104 | +wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP | ||
| 105 | +fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 | ||
| 106 | +y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS | ||
| 107 | +Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL | ||
| 108 | +HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ | ||
| 109 | +eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ | ||
| 110 | +EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz | ||
| 111 | +chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq | ||
| 112 | +4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW | ||
| 113 | +gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC | ||
| 114 | +A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK | ||
| 115 | +FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys | ||
| 116 | +26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC | ||
| 117 | +xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J | ||
| 118 | +pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ | ||
| 119 | +k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa | ||
| 120 | +2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q | ||
| 121 | +Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb | ||
| 122 | +77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID | ||
| 123 | +AQAB | ||
| 124 | +-----END PUBLIC KEY----- | ||
| 125 | -- | ||
| 126 | 2.25.1 | ||
| 127 | |||
| diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb index ce0f9fa8e3..5e43fdc2de 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.12.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.13.bb | |||
| @@ -12,16 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ | |||
| 12 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ | 12 | file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ | 
| 13 | file://afalg.patch \ | 13 | file://afalg.patch \ | 
| 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | 14 | file://0001-Configure-do-not-tweak-mips-cflags.patch \ | 
| 15 | file://CVE-2023-5678.patch \ | ||
| 16 | file://CVE-2023-6129.patch \ | ||
| 17 | file://CVE-2023-6237.patch \ | ||
| 18 | " | 15 | " | 
| 19 | 16 | ||
| 20 | SRC_URI:append:class-nativesdk = " \ | 17 | SRC_URI:append:class-nativesdk = " \ | 
| 21 | file://environment.d-openssl.sh \ | 18 | file://environment.d-openssl.sh \ | 
| 22 | " | 19 | " | 
| 23 | 20 | ||
| 24 | SRC_URI[sha256sum] = "f93c9e8edde5e9166119de31755fc87b4aa34863662f67ddfcba14d0b6b69b61" | 21 | SRC_URI[sha256sum] = "88525753f79d3bec27d2fa7c66aa0b92b3aa9498dafd93d7cfa4b3780cdae313" | 
| 25 | 22 | ||
| 26 | inherit lib_package multilib_header multilib_script ptest perlnative | 23 | inherit lib_package multilib_header multilib_script ptest perlnative | 
| 27 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" | 24 | MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" | 
| @@ -188,6 +185,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version =" | |||
| 188 | do_install_ptest () { | 185 | do_install_ptest () { | 
| 189 | install -d ${D}${PTEST_PATH}/test | 186 | install -d ${D}${PTEST_PATH}/test | 
| 190 | install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test | 187 | install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test | 
| 188 | install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test | ||
| 191 | install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test | 189 | install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test | 
| 192 | 190 | ||
| 193 | # Prune the build tree | 191 | # Prune the build tree | 
