3 files changed, 2 insertions, 162 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
deleted file mode 100644
index 2a3e03fe2a..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-Backport patch to fix CVE-2018-0734. Remove a section which only remove a
-space. It can't be applied because the context is different.
-CVE: CVE-2018-0734
-Upstream-Status: Backport
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-From 8abfe72e8c1de1b95f50aa0d9134803b4d00070f Mon Sep 17 00:00:00 2001
-From: Pauli <paul.dale@oracle.com>
-Date: Wed, 24 Oct 2018 07:42:46 +1000
-Subject: [PATCH] Timing vulnerability in DSA signature generation
- (CVE-2018-0734).
-Avoid a timing attack that leaks information via a side channel that
-triggers when a BN is resized.  Increasing the size of the BNs
-prior to doing anything with them suppresses the attack.
-Thanks due to Samuel Weiser for finding and locating this.
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-(Merged from https://github.com/openssl/openssl/pull/7486)
-(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
---
- crypto/dsa/dsa_ossl.c | 28 +++++++++++++++-------------
- 1 file changed, 15 insertions(+), 13 deletions(-)
-diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
-index ca20811200..2dd2d7489a 100644
--- a/crypto/dsa/dsa_ossl.c
-+++ b/crypto/dsa/dsa_ossl.c
-@@ -9,6 +9,7 @@
- 
- #include <stdio.h>
- #include "internal/cryptlib.h"
-+#include "internal/bn_int.h"
- #include <openssl/bn.h>
- #include <openssl/sha.h>
- #include "dsa_locl.h"
-@@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- {
-     BN_CTX *ctx = NULL;
-     BIGNUM *k, *kinv = NULL, *r = *rp;
-    BIGNUM *l, *m;
-+    BIGNUM *l;
-     int ret = 0;
-    int q_bits;
-+    int q_bits, q_words;
- 
-     if (!dsa->p || !dsa->q || !dsa->g) {
-         DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
-@@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- 
-     k = BN_new();
-     l = BN_new();
-    m = BN_new();
-    if (k == NULL || l == NULL || m == NULL)
-+    if (k == NULL || l == NULL)
-         goto err;
- 
-     if (ctx_in == NULL) {
-@@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
- 
-     /* Preallocate space */
-     q_bits = BN_num_bits(dsa->q);
-    if (!BN_set_bit(k, q_bits)
-        || !BN_set_bit(l, q_bits)
-        || !BN_set_bit(m, q_bits))
-+    q_words = bn_get_top(dsa->q);
-+    if (!bn_wexpand(k, q_words + 2)
-+        || !bn_wexpand(l, q_words + 2))
-         goto err;
- 
-     /* Get random k */
-@@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-      * small timing information leakage.  We then choose the sum that is
-      * one bit longer than the modulus.
-      *
-     * TODO: revisit the BN_copy aiming for a memory access agnostic
-     * conditional copy.
-+     * There are some concerns about the efficacy of doing this.  More
-+     * specificly refer to the discussion starting with:
-+     *     https://github.com/openssl/openssl/pull/7486#discussion_r228323705
-+     * The fix is to rework BN so these gymnastics aren't required.
-      */
-     if (!BN_add(l, k, dsa->q)
-        || !BN_add(m, l, dsa->q)
-        || !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
-+        || !BN_add(k, l, dsa->q))
-         goto err;
- 
-+    BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
-+
-     if ((dsa)->meth->bn_mod_exp != NULL) {
-             if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
-                                        dsa->method_mont_p))
-@@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in,
-         BN_CTX_free(ctx);
-     BN_clear_free(k);
-     BN_clear_free(l);
-    BN_clear_free(m);
-     return ret;
- }
- 
-- 
-2.17.0
diff --git a/meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch b/meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch
deleted file mode 100644
index 736323f0ce..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-CVE: CVE-2018-0735
-Upstream-Status: Backport
-Signed-off-by: Kai Kang <kai.kang@windriver.com>
-From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001
-From: Pauli <paul.dale@oracle.com>
-Date: Fri, 26 Oct 2018 10:54:58 +1000
-Subject: [PATCH] Timing vulnerability in ECDSA signature generation
- (CVE-2018-0735)
-Preallocate an extra limb for some of the big numbers to avoid a reallocation
-that can potentially provide a side channel.
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-(Merged from https://github.com/openssl/openssl/pull/7486)
-(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
---
- crypto/ec/ec_mult.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
-index 7e1b3650e7..0e0a5e1394 100644
--- a/crypto/ec/ec_mult.c
-+++ b/crypto/ec/ec_mult.c
-@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
-      */
-     cardinality_bits = BN_num_bits(cardinality);
-     group_top = bn_get_top(cardinality);
-    if ((bn_wexpand(k, group_top + 1) == NULL)
-        || (bn_wexpand(lambda, group_top + 1) == NULL)) {
-+    if ((bn_wexpand(k, group_top + 2) == NULL)
-+        || (bn_wexpand(lambda, group_top + 2) == NULL)) {
-         ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
-         goto err;
-     }
-@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP *group, EC_POINT *r,
-      * k := scalar + 2*cardinality
-      */
-     kbit = BN_is_bit_set(lambda, cardinality_bits);
-    BN_consttime_swap(kbit, k, lambda, group_top + 1);
-+    BN_consttime_swap(kbit, k, lambda, group_top + 2);
- 
-     group_top = bn_get_top(group->field);
-     if ((bn_wexpand(s->X, group_top) == NULL)
-- 
-2.17.0
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
index 5d19910941..3629f7e6a1 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
@@ -15,8 +15,6 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
           file://run-ptest \
           file://openssl-c_rehash.sh \
           file://0001-skip-test_symbol_presence.patch \
-           file://0002-fix-CVE-2018-0734.patch \
-           file://0003-fix-CVE-2018-0735.patch \
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           "
@@ -25,8 +23,8 @@ SRC_URI_append_class-nativesdk = " \
           file://environment.d-openssl.sh \
           "
-SRC_URI[md5sum] = "7079eb017429e0ffb9efb42bf80ccb21"
+SRC_URI[md5sum] = "963deb2272d6be7d4c2458afd2517b73"
-SRC_URI[sha256sum] = "2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d"
+SRC_URI[sha256sum] = "fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41"
 inherit lib_package multilib_header ptest

diff --git a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch b/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch deleted file mode 100644 index 2a3e03fe2a..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0002-fix-CVE-2018-0734.patch +++ /dev/null
@@ -1,108 +0,0 @@
1	Backport patch to fix CVE-2018-0734. Remove a section which only remove a
2	space. It can't be applied because the context is different.
3
4	CVE: CVE-2018-0734
5	Upstream-Status: Backport
6
7	Signed-off-by: Kai Kang <kai.kang@windriver.com>
8
9	From 8abfe72e8c1de1b95f50aa0d9134803b4d00070f Mon Sep 17 00:00:00 2001
10	From: Pauli <paul.dale@oracle.com>
11	Date: Wed, 24 Oct 2018 07:42:46 +1000
12	Subject: [PATCH] Timing vulnerability in DSA signature generation
13	(CVE-2018-0734).
14
15	Avoid a timing attack that leaks information via a side channel that
16	triggers when a BN is resized. Increasing the size of the BNs
17	prior to doing anything with them suppresses the attack.
18
19	Thanks due to Samuel Weiser for finding and locating this.
20
21	Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
22	(Merged from https://github.com/openssl/openssl/pull/7486)
23
24	(cherry picked from commit a9cfb8c2aa7254a4aa6a1716909e3f8cb78049b6)
25	---
26	crypto/dsa/dsa_ossl.c \| 28 +++++++++++++++-------------
27	1 file changed, 15 insertions(+), 13 deletions(-)
28
29	diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
30	index ca20811200..2dd2d7489a 100644
31	--- a/crypto/dsa/dsa_ossl.c
32	+++ b/crypto/dsa/dsa_ossl.c
33	@@ -9,6 +9,7 @@
34
35	#include <stdio.h>
36	#include "internal/cryptlib.h"
37	+#include "internal/bn_int.h"
38	#include <openssl/bn.h>
39	#include <openssl/sha.h>
40	#include "dsa_locl.h"
41	@@ -180,9 +181,9 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
42	{
43	BN_CTX *ctx = NULL;
44	BIGNUM k, kinv = NULL, r = rp;
45	- BIGNUM l, m;
46	+ BIGNUM *l;
47	int ret = 0;
48	- int q_bits;
49	+ int q_bits, q_words;
50
51	if (!dsa->p \|\| !dsa->q \|\| !dsa->g) {
52	DSAerr(DSA_F_DSA_SIGN_SETUP, DSA_R_MISSING_PARAMETERS);
53	@@ -191,8 +192,7 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
54
55	k = BN_new();
56	l = BN_new();
57	- m = BN_new();
58	- if (k == NULL \|\| l == NULL \|\| m == NULL)
59	+ if (k == NULL \|\| l == NULL)
60	goto err;
61
62	if (ctx_in == NULL) {
63	@@ -203,9 +203,9 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
64
65	/* Preallocate space */
66	q_bits = BN_num_bits(dsa->q);
67	- if (!BN_set_bit(k, q_bits)
68	- \|\| !BN_set_bit(l, q_bits)
69	- \|\| !BN_set_bit(m, q_bits))
70	+ q_words = bn_get_top(dsa->q);
71	+ if (!bn_wexpand(k, q_words + 2)
72	+ \|\| !bn_wexpand(l, q_words + 2))
73	goto err;
74
75	/* Get random k */
76	@@ -240,14 +240,17 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
77	* small timing information leakage. We then choose the sum that is
78	* one bit longer than the modulus.
79	*
80	- * TODO: revisit the BN_copy aiming for a memory access agnostic
81	- * conditional copy.
82	+ * There are some concerns about the efficacy of doing this. More
83	+ * specificly refer to the discussion starting with:
84	+ * https://github.com/openssl/openssl/pull/7486#discussion_r228323705
85	+ * The fix is to rework BN so these gymnastics aren't required.
86	*/
87	if (!BN_add(l, k, dsa->q)
88	- \|\| !BN_add(m, l, dsa->q)
89	- \|\| !BN_copy(k, BN_num_bits(l) > q_bits ? l : m))
90	+ \|\| !BN_add(k, l, dsa->q))
91	goto err;
92
93	+ BN_consttime_swap(BN_is_bit_set(l, q_bits), k, l, q_words + 2);
94	+
95	if ((dsa)->meth->bn_mod_exp != NULL) {
96	if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx,
97	dsa->method_mont_p))
98	@@ -275,7 +278,6 @@ static int dsa_sign_setup(DSA dsa, BN_CTX ctx_in,
99	BN_CTX_free(ctx);
100	BN_clear_free(k);
101	BN_clear_free(l);
102	- BN_clear_free(m);
103	return ret;
104	}
105
106	--
107	2.17.0
108


diff --git a/meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch b/meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch deleted file mode 100644 index 736323f0ce..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/0003-fix-CVE-2018-0735.patch +++ /dev/null
@@ -1,50 +0,0 @@
1	CVE: CVE-2018-0735
2
3	Upstream-Status: Backport
4
5	Signed-off-by: Kai Kang <kai.kang@windriver.com>
6
7	From b1d6d55ece1c26fa2829e2b819b038d7b6d692b4 Mon Sep 17 00:00:00 2001
8	From: Pauli <paul.dale@oracle.com>
9	Date: Fri, 26 Oct 2018 10:54:58 +1000
10	Subject: [PATCH] Timing vulnerability in ECDSA signature generation
11	(CVE-2018-0735)
12
13	Preallocate an extra limb for some of the big numbers to avoid a reallocation
14	that can potentially provide a side channel.
15
16	Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
17	(Merged from https://github.com/openssl/openssl/pull/7486)
18
19	(cherry picked from commit 99540ec79491f59ed8b46b4edf130e17dc907f52)
20	---
21	crypto/ec/ec_mult.c \| 6 +++---
22	1 file changed, 3 insertions(+), 3 deletions(-)
23
24	diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c
25	index 7e1b3650e7..0e0a5e1394 100644
26	--- a/crypto/ec/ec_mult.c
27	+++ b/crypto/ec/ec_mult.c
28	@@ -206,8 +206,8 @@ int ec_scalar_mul_ladder(const EC_GROUP group, EC_POINT r,
29	*/
30	cardinality_bits = BN_num_bits(cardinality);
31	group_top = bn_get_top(cardinality);
32	- if ((bn_wexpand(k, group_top + 1) == NULL)
33	- \|\| (bn_wexpand(lambda, group_top + 1) == NULL)) {
34	+ if ((bn_wexpand(k, group_top + 2) == NULL)
35	+ \|\| (bn_wexpand(lambda, group_top + 2) == NULL)) {
36	ECerr(EC_F_EC_SCALAR_MUL_LADDER, ERR_R_BN_LIB);
37	goto err;
38	}
39	@@ -244,7 +244,7 @@ int ec_scalar_mul_ladder(const EC_GROUP group, EC_POINT r,
40	* k := scalar + 2*cardinality
41	*/
42	kbit = BN_is_bit_set(lambda, cardinality_bits);
43	- BN_consttime_swap(kbit, k, lambda, group_top + 1);
44	+ BN_consttime_swap(kbit, k, lambda, group_top + 2);
45
46	group_top = bn_get_top(group->field);
47	if ((bn_wexpand(s->X, group_top) == NULL)
48	--
49	2.17.0
50


diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb index 5d19910941..3629f7e6a1 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1a.bb
@@ -15,8 +15,6 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
15	file://run-ptest \	15	file://run-ptest \
16	file://openssl-c_rehash.sh \	16	file://openssl-c_rehash.sh \
17	file://0001-skip-test_symbol_presence.patch \	17	file://0001-skip-test_symbol_presence.patch \
18	file://0002-fix-CVE-2018-0734.patch \
19	file://0003-fix-CVE-2018-0735.patch \
20	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	18	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
21	file://afalg.patch \	19	file://afalg.patch \
22	"	20	"
@@ -25,8 +23,8 @@ SRC_URI_append_class-nativesdk = " \
25	file://environment.d-openssl.sh \	23	file://environment.d-openssl.sh \
26	"	24	"
27		25
28	SRC_URI[md5sum] = "7079eb017429e0ffb9efb42bf80ccb21"	26	SRC_URI[md5sum] = "963deb2272d6be7d4c2458afd2517b73"
29	SRC_URI[sha256sum] = "2836875a0f89c03d0fdf483941512613a50cfb421d6fd94b9f41d7279d586a3d"	27	SRC_URI[sha256sum] = "fc20130f8b7cbd2fb918b2f14e2f429e109c31ddd0fb38fc5d71d9ffed3f9f41"
30		28
31	inherit lib_package multilib_header ptest	29	inherit lib_package multilib_header ptest
32		30