Message ID | 20220316161547.1527214-1-ralph.siemsen@linaro.org |
---|---|
State | New, archived |
Headers | show |
Series | [dunfell] openssl: update from 1.1.1l to 1.1.1n | expand |
Sigh, now I remember why we did the CVE only patch - this version update introduces a ptest regression. It's sad I can't remember things from just a month ago! See discussion here: https://lists.openembedded.org/g/openembedded-core/topic/89179173#162027 If you can find a way to deal with the regression I'd be happy to take the upgrade! On Wed, Mar 16, 2022 at 6:15 AM Ralph Siemsen <ralph.siemsen@linaro.org> wrote: > > This includes a fix for CVE-2022-0778. There are quite a lot of changes > but they seem to mostly be fixes or cves, see the CHANGES file[1]. > > Drop previous fix for CVE-2021-4160 since it is now upstream [2] > and include since release 1.1.1m. > > [1] https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES;hb=refs/heads/OpenSSL_1_1_1-stable > [2] https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb > > Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> > --- > .../openssl/openssl/CVE-2021-4160.patch | 145 ------------------ > .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb} | 3 +- > 2 files changed, 1 insertion(+), 147 deletions(-) > delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch > rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (98%) > > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch > deleted file mode 100644 > index ff1e807157..0000000000 > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch > +++ /dev/null > @@ -1,145 +0,0 @@ > -From e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Mon Sep 17 00:00:00 2001 > -From: Bernd Edlinger <bernd.edlinger@hotmail.de> > -Date: Sat, 11 Dec 2021 20:28:11 +0100 > -Subject: [PATCH] Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit > - targets > - > -bn_sqr_comba8 does for instance compute a wrong result for the value: > -a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45 > - > -The correct result is: > -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f > - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899 > - > -but the actual result was: > -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f > - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899 > - > -so the forth word of the result was 0x75be8e3c but should have been > -0x75be8e3d instead. > - > -Likewise bn_sqr_comba4 has an identical bug for the same value as well: > -a=0x022181ba fd3aa878 899b2346 ee210f45 > - > -correct result: > -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899 > - > -wrong result: > -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899 > - > -Fortunately the bn_mul_comba4/8 code paths are not affected. > - > -Also the mips64 target does in fact not handle the carry propagation > -correctly. > - > -Example: > -a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000 > - 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001 > - > -correct result: > -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 > - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d > - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 > - 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 > - > -wrong result: > -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 > - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d > - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 > - 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 > - > -Reviewed-by: Paul Dale <pauli@openssl.org> > -(Merged from https://github.com/openssl/openssl/pull/17258) > - > -(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590) > - > -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb] > -CVE: CVE-2021-4160 > -Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> > - > ---- > - crypto/bn/asm/mips.pl | 4 ++++ > - test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++ > - 2 files changed, 49 insertions(+) > - > -diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl > -index 8ad715bda4..74101030f2 100644 > ---- a/crypto/bn/asm/mips.pl > -+++ b/crypto/bn/asm/mips.pl > -@@ -1984,6 +1984,8 @@ $code.=<<___; > - sltu $at,$c_2,$t_1 > - $ADDU $c_3,$t_2,$at > - $ST $c_2,$BNSZ($a0) > -+ sltu $at,$c_3,$t_2 > -+ $ADDU $c_1,$at > - mflo ($t_1,$a_2,$a_0) > - mfhi ($t_2,$a_2,$a_0) > - ___ > -@@ -2194,6 +2196,8 @@ $code.=<<___; > - sltu $at,$c_2,$t_1 > - $ADDU $c_3,$t_2,$at > - $ST $c_2,$BNSZ($a0) > -+ sltu $at,$c_3,$t_2 > -+ $ADDU $c_1,$at > - mflo ($t_1,$a_2,$a_0) > - mfhi ($t_2,$a_2,$a_0) > - ___ > -diff --git a/test/bntest.c b/test/bntest.c > -index b58028a301..bab34ba54b 100644 > ---- a/test/bntest.c > -+++ b/test/bntest.c > -@@ -627,6 +627,51 @@ static int test_modexp_mont5(void) > - if (!TEST_BN_eq(c, d)) > - goto err; > - > -+ /* > -+ * Regression test for overflow bug in bn_sqr_comba4/8 for > -+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets. > -+ */ > -+ { > -+ static const char *ehex[] = { > -+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", > -+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", > -+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", > -+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", > -+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", > -+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", > -+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", > -+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", > -+ NULL}; > -+ static const char *phex[] = { > -+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", > -+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", > -+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", > -+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", > -+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", > -+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", > -+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", > -+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", > -+ NULL}; > -+ static const char *mhex[] = { > -+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", > -+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", > -+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", > -+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", > -+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", > -+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", > -+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", > -+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", > -+ NULL}; > -+ > -+ if (!TEST_true(parse_bigBN(&e, ehex)) > -+ || !TEST_true(parse_bigBN(&p, phex)) > -+ || !TEST_true(parse_bigBN(&m, mhex)) > -+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) > -+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) > -+ || !TEST_BN_eq(a, d)) > -+ goto err; > -+ } > -+ > - /* Zero input */ > - if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) > - goto err; > --- > -2.25.1 > - > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb > similarity index 98% > rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb > rename to meta/recipes-connectivity/openssl/openssl_1.1.1n.bb > index 24466e11b1..de6eafbcfe 100644 > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb > @@ -18,14 +18,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > file://afalg.patch \ > file://reproducible.patch \ > file://reproducibility.patch \ > - file://CVE-2021-4160.patch \ > " > > SRC_URI_append_class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" > +SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" > > inherit lib_package multilib_header multilib_script ptest > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > -- > 2.25.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#163338): https://lists.openembedded.org/g/openembedded-core/message/163338 > Mute This Topic: https://lists.openembedded.org/mt/89825642/3620601 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [steve@sakoman.com] > -=-=-=-=-=-=-=-=-=-=-=- >
On 2022-03-16 17:50, Steve Sakoman wrote: > Sigh, now I remember why we did the CVE only patch - this version > update introduces a ptest regression. It's sad I can't remember things > from just a month ago! > > See discussion here: > > https://lists.openembedded.org/g/openembedded-core/topic/89179173#162027 > > If you can find a way to deal with the regression I'd be happy to take > the upgrade! Steve mentioned this GH issue on IRC: https://github.com/openssl/openssl/issues/17537 it's a long thread and I honestly haven't confirmed that it's the same problem as our regression tests but it likely is. Yi Zhao was looking at this update for hardknott but it's likely also relevant for dunfell so I'm CCing him here. Yi, Do you have more to add to the discussion? Where are you with debugging the ptest regressions? Ralph, Yi is in Beijing so maybe the two of you can do an email/poky-contrib ping pong on the problem and get to a solution sooner. ../Randy > > On Wed, Mar 16, 2022 at 6:15 AM Ralph Siemsen <ralph.siemsen@linaro.org> wrote: >> >> This includes a fix for CVE-2022-0778. There are quite a lot of changes >> but they seem to mostly be fixes or cves, see the CHANGES file[1]. >> >> Drop previous fix for CVE-2021-4160 since it is now upstream [2] >> and include since release 1.1.1m. >> >> [1] https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES;hb=refs/heads/OpenSSL_1_1_1-stable >> [2] https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb >> >> Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> >> --- >> .../openssl/openssl/CVE-2021-4160.patch | 145 ------------------ >> .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb} | 3 +- >> 2 files changed, 1 insertion(+), 147 deletions(-) >> delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch >> rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (98%) >> >> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch >> deleted file mode 100644 >> index ff1e807157..0000000000 >> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch >> +++ /dev/null >> @@ -1,145 +0,0 @@ >> -From e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Mon Sep 17 00:00:00 2001 >> -From: Bernd Edlinger <bernd.edlinger@hotmail.de> >> -Date: Sat, 11 Dec 2021 20:28:11 +0100 >> -Subject: [PATCH] Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit >> - targets >> - >> -bn_sqr_comba8 does for instance compute a wrong result for the value: >> -a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45 >> - >> -The correct result is: >> -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f >> - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899 >> - >> -but the actual result was: >> -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f >> - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899 >> - >> -so the forth word of the result was 0x75be8e3c but should have been >> -0x75be8e3d instead. >> - >> -Likewise bn_sqr_comba4 has an identical bug for the same value as well: >> -a=0x022181ba fd3aa878 899b2346 ee210f45 >> - >> -correct result: >> -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899 >> - >> -wrong result: >> -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899 >> - >> -Fortunately the bn_mul_comba4/8 code paths are not affected. >> - >> -Also the mips64 target does in fact not handle the carry propagation >> -correctly. >> - >> -Example: >> -a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000 >> - 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001 >> - >> -correct result: >> -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 >> - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d >> - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 >> - 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 >> - >> -wrong result: >> -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 >> - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d >> - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 >> - 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 >> - >> -Reviewed-by: Paul Dale <pauli@openssl.org> >> -(Merged from https://github.com/openssl/openssl/pull/17258) >> - >> -(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590) >> - >> -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb] >> -CVE: CVE-2021-4160 >> -Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> >> - >> ---- >> - crypto/bn/asm/mips.pl | 4 ++++ >> - test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++ >> - 2 files changed, 49 insertions(+) >> - >> -diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl >> -index 8ad715bda4..74101030f2 100644 >> ---- a/crypto/bn/asm/mips.pl >> -+++ b/crypto/bn/asm/mips.pl >> -@@ -1984,6 +1984,8 @@ $code.=<<___; >> - sltu $at,$c_2,$t_1 >> - $ADDU $c_3,$t_2,$at >> - $ST $c_2,$BNSZ($a0) >> -+ sltu $at,$c_3,$t_2 >> -+ $ADDU $c_1,$at >> - mflo ($t_1,$a_2,$a_0) >> - mfhi ($t_2,$a_2,$a_0) >> - ___ >> -@@ -2194,6 +2196,8 @@ $code.=<<___; >> - sltu $at,$c_2,$t_1 >> - $ADDU $c_3,$t_2,$at >> - $ST $c_2,$BNSZ($a0) >> -+ sltu $at,$c_3,$t_2 >> -+ $ADDU $c_1,$at >> - mflo ($t_1,$a_2,$a_0) >> - mfhi ($t_2,$a_2,$a_0) >> - ___ >> -diff --git a/test/bntest.c b/test/bntest.c >> -index b58028a301..bab34ba54b 100644 >> ---- a/test/bntest.c >> -+++ b/test/bntest.c >> -@@ -627,6 +627,51 @@ static int test_modexp_mont5(void) >> - if (!TEST_BN_eq(c, d)) >> - goto err; >> - >> -+ /* >> -+ * Regression test for overflow bug in bn_sqr_comba4/8 for >> -+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets. >> -+ */ >> -+ { >> -+ static const char *ehex[] = { >> -+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", >> -+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", >> -+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", >> -+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", >> -+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", >> -+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", >> -+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", >> -+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", >> -+ NULL}; >> -+ static const char *phex[] = { >> -+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", >> -+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", >> -+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", >> -+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", >> -+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", >> -+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", >> -+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", >> -+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", >> -+ NULL}; >> -+ static const char *mhex[] = { >> -+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", >> -+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", >> -+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", >> -+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", >> -+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", >> -+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", >> -+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", >> -+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", >> -+ NULL}; >> -+ >> -+ if (!TEST_true(parse_bigBN(&e, ehex)) >> -+ || !TEST_true(parse_bigBN(&p, phex)) >> -+ || !TEST_true(parse_bigBN(&m, mhex)) >> -+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) >> -+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) >> -+ || !TEST_BN_eq(a, d)) >> -+ goto err; >> -+ } >> -+ >> - /* Zero input */ >> - if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) >> - goto err; >> --- >> -2.25.1 >> - >> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb >> similarity index 98% >> rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb >> rename to meta/recipes-connectivity/openssl/openssl_1.1.1n.bb >> index 24466e11b1..de6eafbcfe 100644 >> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb >> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb >> @@ -18,14 +18,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ >> file://afalg.patch \ >> file://reproducible.patch \ >> file://reproducibility.patch \ >> - file://CVE-2021-4160.patch \ >> " >> >> SRC_URI_append_class-nativesdk = " \ >> file://environment.d-openssl.sh \ >> " >> >> -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" >> +SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" >> >> inherit lib_package multilib_header multilib_script ptest >> MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" >> -- >> 2.25.1 >> >> >> >> >> >> >> -=-=-=-=-=-=-=-=-=-=-=- >> Links: You receive all messages sent to this group. >> View/Reply Online (#163359): https://lists.openembedded.org/g/openembedded-core/message/163359 >> Mute This Topic: https://lists.openembedded.org/mt/89825642/3616765 >> Group Owner: openembedded-core+owner@lists.openembedded.org >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com] >> -=-=-=-=-=-=-=-=-=-=-=- >>
On Wed, Mar 16, 2022 at 12:10 PM Randy MacLeod <randy.macleod@windriver.com> wrote: > > On 2022-03-16 17:50, Steve Sakoman wrote: > > Sigh, now I remember why we did the CVE only patch - this version > > update introduces a ptest regression. It's sad I can't remember things > > from just a month ago! > > > > See discussion here: > > > > https://lists.openembedded.org/g/openembedded-core/topic/89179173#162027 > > > > If you can find a way to deal with the regression I'd be happy to take > > the upgrade! > > Steve mentioned this GH issue on IRC: > https://github.com/openssl/openssl/issues/17537 > it's a long thread and I honestly haven't confirmed that it's the same > problem as our regression tests but it likely is. This thread mentions versions prior to 3.0.1 aren't impacted, but perhaps the 1.1.1n update backported the issue. Suspicious that the same test is failing in any event. Steve > > Yi Zhao was looking at this update for hardknott but it's likely > also relevant for dunfell so I'm CCing him here. > > Yi, > > Do you have more to add to the discussion? > Where are you with debugging the ptest regressions? > > Ralph, > Yi is in Beijing so maybe the two of you can do an email/poky-contrib > ping pong > on the problem and get to a solution sooner. > > ../Randy > > > > > On Wed, Mar 16, 2022 at 6:15 AM Ralph Siemsen <ralph.siemsen@linaro.org> wrote: > >> > >> This includes a fix for CVE-2022-0778. There are quite a lot of changes > >> but they seem to mostly be fixes or cves, see the CHANGES file[1]. > >> > >> Drop previous fix for CVE-2021-4160 since it is now upstream [2] > >> and include since release 1.1.1m. > >> > >> [1] https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES;hb=refs/heads/OpenSSL_1_1_1-stable > >> [2] https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb > >> > >> Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> > >> --- > >> .../openssl/openssl/CVE-2021-4160.patch | 145 ------------------ > >> .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb} | 3 +- > >> 2 files changed, 1 insertion(+), 147 deletions(-) > >> delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch > >> rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (98%) > >> > >> diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch > >> deleted file mode 100644 > >> index ff1e807157..0000000000 > >> --- a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch > >> +++ /dev/null > >> @@ -1,145 +0,0 @@ > >> -From e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Mon Sep 17 00:00:00 2001 > >> -From: Bernd Edlinger <bernd.edlinger@hotmail.de> > >> -Date: Sat, 11 Dec 2021 20:28:11 +0100 > >> -Subject: [PATCH] Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit > >> - targets > >> - > >> -bn_sqr_comba8 does for instance compute a wrong result for the value: > >> -a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45 > >> - > >> -The correct result is: > >> -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f > >> - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899 > >> - > >> -but the actual result was: > >> -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f > >> - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899 > >> - > >> -so the forth word of the result was 0x75be8e3c but should have been > >> -0x75be8e3d instead. > >> - > >> -Likewise bn_sqr_comba4 has an identical bug for the same value as well: > >> -a=0x022181ba fd3aa878 899b2346 ee210f45 > >> - > >> -correct result: > >> -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899 > >> - > >> -wrong result: > >> -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899 > >> - > >> -Fortunately the bn_mul_comba4/8 code paths are not affected. > >> - > >> -Also the mips64 target does in fact not handle the carry propagation > >> -correctly. > >> - > >> -Example: > >> -a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000 > >> - 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001 > >> - > >> -correct result: > >> -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 > >> - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d > >> - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 > >> - 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 > >> - > >> -wrong result: > >> -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 > >> - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d > >> - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 > >> - 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 > >> - > >> -Reviewed-by: Paul Dale <pauli@openssl.org> > >> -(Merged from https://github.com/openssl/openssl/pull/17258) > >> - > >> -(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590) > >> - > >> -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb] > >> -CVE: CVE-2021-4160 > >> -Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> > >> - > >> ---- > >> - crypto/bn/asm/mips.pl | 4 ++++ > >> - test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++ > >> - 2 files changed, 49 insertions(+) > >> - > >> -diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl > >> -index 8ad715bda4..74101030f2 100644 > >> ---- a/crypto/bn/asm/mips.pl > >> -+++ b/crypto/bn/asm/mips.pl > >> -@@ -1984,6 +1984,8 @@ $code.=<<___; > >> - sltu $at,$c_2,$t_1 > >> - $ADDU $c_3,$t_2,$at > >> - $ST $c_2,$BNSZ($a0) > >> -+ sltu $at,$c_3,$t_2 > >> -+ $ADDU $c_1,$at > >> - mflo ($t_1,$a_2,$a_0) > >> - mfhi ($t_2,$a_2,$a_0) > >> - ___ > >> -@@ -2194,6 +2196,8 @@ $code.=<<___; > >> - sltu $at,$c_2,$t_1 > >> - $ADDU $c_3,$t_2,$at > >> - $ST $c_2,$BNSZ($a0) > >> -+ sltu $at,$c_3,$t_2 > >> -+ $ADDU $c_1,$at > >> - mflo ($t_1,$a_2,$a_0) > >> - mfhi ($t_2,$a_2,$a_0) > >> - ___ > >> -diff --git a/test/bntest.c b/test/bntest.c > >> -index b58028a301..bab34ba54b 100644 > >> ---- a/test/bntest.c > >> -+++ b/test/bntest.c > >> -@@ -627,6 +627,51 @@ static int test_modexp_mont5(void) > >> - if (!TEST_BN_eq(c, d)) > >> - goto err; > >> - > >> -+ /* > >> -+ * Regression test for overflow bug in bn_sqr_comba4/8 for > >> -+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets. > >> -+ */ > >> -+ { > >> -+ static const char *ehex[] = { > >> -+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", > >> -+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", > >> -+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", > >> -+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", > >> -+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", > >> -+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", > >> -+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", > >> -+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", > >> -+ NULL}; > >> -+ static const char *phex[] = { > >> -+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", > >> -+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", > >> -+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", > >> -+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", > >> -+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", > >> -+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", > >> -+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", > >> -+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", > >> -+ NULL}; > >> -+ static const char *mhex[] = { > >> -+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", > >> -+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", > >> -+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", > >> -+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", > >> -+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", > >> -+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", > >> -+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", > >> -+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", > >> -+ NULL}; > >> -+ > >> -+ if (!TEST_true(parse_bigBN(&e, ehex)) > >> -+ || !TEST_true(parse_bigBN(&p, phex)) > >> -+ || !TEST_true(parse_bigBN(&m, mhex)) > >> -+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) > >> -+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) > >> -+ || !TEST_BN_eq(a, d)) > >> -+ goto err; > >> -+ } > >> -+ > >> - /* Zero input */ > >> - if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) > >> - goto err; > >> --- > >> -2.25.1 > >> - > >> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb > >> similarity index 98% > >> rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb > >> rename to meta/recipes-connectivity/openssl/openssl_1.1.1n.bb > >> index 24466e11b1..de6eafbcfe 100644 > >> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb > >> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb > >> @@ -18,14 +18,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > >> file://afalg.patch \ > >> file://reproducible.patch \ > >> file://reproducibility.patch \ > >> - file://CVE-2021-4160.patch \ > >> " > >> > >> SRC_URI_append_class-nativesdk = " \ > >> file://environment.d-openssl.sh \ > >> " > >> > >> -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" > >> +SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" > >> > >> inherit lib_package multilib_header multilib_script ptest > >> MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > >> -- > >> 2.25.1 > >> > >> > >> > >> > >> > >> > >> -=-=-=-=-=-=-=-=-=-=-=- > >> Links: You receive all messages sent to this group. > >> View/Reply Online (#163359): https://lists.openembedded.org/g/openembedded-core/message/163359 > >> Mute This Topic: https://lists.openembedded.org/mt/89825642/3616765 > >> Group Owner: openembedded-core+owner@lists.openembedded.org > >> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [randy.macleod@windriver.com] > >> -=-=-=-=-=-=-=-=-=-=-=- > >> > > > -- > # Randy MacLeod > # Wind River Linux >
Hi Steve Somehow despite watching for replies, I managed to miss them until now. On Wed, Mar 16, 2022 at 5:50 PM Steve Sakoman <steve@sakoman.com> wrote: > > Sigh, now I remember why we did the CVE only patch - this version > update introduces a ptest regression. It's sad I can't remember things > from just a month ago! > > See discussion here: > > https://lists.openembedded.org/g/openembedded-core/topic/89179173#162027 > > If you can find a way to deal with the regression I'd be happy to take > the upgrade! I'm not sure I want to go down that rabbit hole right now. I did a backport of just the CVE, it was straightforward. I'll post it. Regards, Ralph
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch deleted file mode 100644 index ff1e807157..0000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch +++ /dev/null @@ -1,145 +0,0 @@ -From e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Mon Sep 17 00:00:00 2001 -From: Bernd Edlinger <bernd.edlinger@hotmail.de> -Date: Sat, 11 Dec 2021 20:28:11 +0100 -Subject: [PATCH] Fix a carry overflow bug in bn_sqr_comba4/8 for mips 32-bit - targets - -bn_sqr_comba8 does for instance compute a wrong result for the value: -a=0x4aaac919 62056c84 fba7334e 1a6be678 022181ba fd3aa878 899b2346 ee210f45 - -The correct result is: -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3d 97ed17d4 7950b465 3cb32899 - -but the actual result was: -r=0x15c72e32 605a3061 d11b1012 3c187483 6df96999 bd0c22ba d3e7d437 4724a82f - 912c5e61 6a187efe 8f7c47fc f6945fe5 75be8e3c 97ed17d4 7950b465 3cb32899 - -so the forth word of the result was 0x75be8e3c but should have been -0x75be8e3d instead. - -Likewise bn_sqr_comba4 has an identical bug for the same value as well: -a=0x022181ba fd3aa878 899b2346 ee210f45 - -correct result: -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3d 97ed17d4 7950b465 3cb32899 - -wrong result: -r=0x00048a69 9fe82f8b 62bd2ed1 88781335 75be8e3c 97ed17d4 7950b465 3cb32899 - -Fortunately the bn_mul_comba4/8 code paths are not affected. - -Also the mips64 target does in fact not handle the carry propagation -correctly. - -Example: -a=0x4aaac91900000000 62056c8400000000 fba7334e00000000 1a6be67800000000 - 022181ba00000000 fd3aa87800000000 899b234635dad283 ee210f4500000001 - -correct result: -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 - 2822309cd1d292f9 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 - -wrong result: -r=0x15c72e32272c4471 392debf018c679c8 b85496496bf8254c d0204f36611e2be1 - 0cdb3db8f3c081d8 c94ba0e1bacc5061 191b83d47ff929f6 5be0aebfc13ae68d - 3eea7a7fdf2f5758 42f7ec656cab3cb5 6a28095be34756f2 64f24687bf37de06 - 2822309cd1d292f8 6fa698c972372f09 771e97d3a868cda0 dc421e8a00000001 - -Reviewed-by: Paul Dale <pauli@openssl.org> -(Merged from https://github.com/openssl/openssl/pull/17258) - -(cherry picked from commit 336923c0c8d705cb8af5216b29a205662db0d590) - -Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb] -CVE: CVE-2021-4160 -Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> - ---- - crypto/bn/asm/mips.pl | 4 ++++ - test/bntest.c | 45 +++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 49 insertions(+) - -diff --git a/crypto/bn/asm/mips.pl b/crypto/bn/asm/mips.pl -index 8ad715bda4..74101030f2 100644 ---- a/crypto/bn/asm/mips.pl -+++ b/crypto/bn/asm/mips.pl -@@ -1984,6 +1984,8 @@ $code.=<<___; - sltu $at,$c_2,$t_1 - $ADDU $c_3,$t_2,$at - $ST $c_2,$BNSZ($a0) -+ sltu $at,$c_3,$t_2 -+ $ADDU $c_1,$at - mflo ($t_1,$a_2,$a_0) - mfhi ($t_2,$a_2,$a_0) - ___ -@@ -2194,6 +2196,8 @@ $code.=<<___; - sltu $at,$c_2,$t_1 - $ADDU $c_3,$t_2,$at - $ST $c_2,$BNSZ($a0) -+ sltu $at,$c_3,$t_2 -+ $ADDU $c_1,$at - mflo ($t_1,$a_2,$a_0) - mfhi ($t_2,$a_2,$a_0) - ___ -diff --git a/test/bntest.c b/test/bntest.c -index b58028a301..bab34ba54b 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -627,6 +627,51 @@ static int test_modexp_mont5(void) - if (!TEST_BN_eq(c, d)) - goto err; - -+ /* -+ * Regression test for overflow bug in bn_sqr_comba4/8 for -+ * mips-linux-gnu and mipsel-linux-gnu 32bit targets. -+ */ -+ { -+ static const char *ehex[] = { -+ "95564994a96c45954227b845a1e99cb939d5a1da99ee91acc962396ae999a9ee", -+ "38603790448f2f7694c242a875f0cad0aae658eba085f312d2febbbd128dd2b5", -+ "8f7d1149f03724215d704344d0d62c587ae3c5939cba4b9b5f3dc5e8e911ef9a", -+ "5ce1a5a749a4989d0d8368f6e1f8cdf3a362a6c97fb02047ff152b480a4ad985", -+ "2d45efdf0770542992afca6a0590d52930434bba96017afbc9f99e112950a8b1", -+ "a359473ec376f329bdae6a19f503be6d4be7393c4e43468831234e27e3838680", -+ "b949390d2e416a3f9759e5349ab4c253f6f29f819a6fe4cbfd27ada34903300e", -+ "da021f62839f5878a36f1bc3085375b00fd5fa3e68d316c0fdace87a97558465", -+ NULL}; -+ static const char *phex[] = { -+ "f95dc0f980fbd22e90caa5a387cc4a369f3f830d50dd321c40db8c09a7e1a241", -+ "a536e096622d3280c0c1ba849c1f4a79bf490f60006d081e8cf69960189f0d31", -+ "2cd9e17073a3fba7881b21474a13b334116cb2f5dbf3189a6de3515d0840f053", -+ "c776d3982d391b6d04d642dda5cc6d1640174c09875addb70595658f89efb439", -+ "dc6fbd55f903aadd307982d3f659207f265e1ec6271b274521b7a5e28e8fd7a5", -+ "5df089292820477802a43cf5b6b94e999e8c9944ddebb0d0e95a60f88cb7e813", -+ "ba110d20e1024774107dd02949031864923b3cb8c3f7250d6d1287b0a40db6a4", -+ "7bd5a469518eb65aa207ddc47d8c6e5fc8e0c105be8fc1d4b57b2e27540471d5", -+ NULL}; -+ static const char *mhex[] = { -+ "fef15d5ce4625f1bccfbba49fc8439c72bf8202af039a2259678941b60bb4a8f", -+ "2987e965d58fd8cf86a856674d519763d0e1211cc9f8596971050d56d9b35db3", -+ "785866cfbca17cfdbed6060be3629d894f924a89fdc1efc624f80d41a22f1900", -+ "9503fcc3824ef62ccb9208430c26f2d8ceb2c63488ec4c07437aa4c96c43dd8b", -+ "9289ed00a712ff66ee195dc71f5e4ead02172b63c543d69baf495f5fd63ba7bc", -+ "c633bd309c016e37736da92129d0b053d4ab28d21ad7d8b6fab2a8bbdc8ee647", -+ "d2fbcf2cf426cf892e6f5639e0252993965dfb73ccd277407014ea784aaa280c", -+ "b7b03972bc8b0baa72360bdb44b82415b86b2f260f877791cd33ba8f2d65229b", -+ NULL}; -+ -+ if (!TEST_true(parse_bigBN(&e, ehex)) -+ || !TEST_true(parse_bigBN(&p, phex)) -+ || !TEST_true(parse_bigBN(&m, mhex)) -+ || !TEST_true(BN_mod_exp_mont_consttime(d, e, p, m, ctx, NULL)) -+ || !TEST_true(BN_mod_exp_simple(a, e, p, m, ctx)) -+ || !TEST_BN_eq(a, d)) -+ goto err; -+ } -+ - /* Zero input */ - if (!TEST_true(BN_bntest_rand(p, 1024, 0, 0))) - goto err; --- -2.25.1 - diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb similarity index 98% rename from meta/recipes-connectivity/openssl/openssl_1.1.1l.bb rename to meta/recipes-connectivity/openssl/openssl_1.1.1n.bb index 24466e11b1..de6eafbcfe 100644 --- a/meta/recipes-connectivity/openssl/openssl_1.1.1l.bb +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1n.bb @@ -18,14 +18,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://afalg.patch \ file://reproducible.patch \ file://reproducibility.patch \ - file://CVE-2021-4160.patch \ " SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "0b7a3e5e59c34827fe0c3a74b7ec8baef302b98fa80088d7f9153aa16fa76bd1" +SRC_URI[sha256sum] = "40dceb51a4f6a5275bde0e6bf20ef4b91bfc32ed57c0552e2e8e15463372b17a" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
This includes a fix for CVE-2022-0778. There are quite a lot of changes but they seem to mostly be fixes or cves, see the CHANGES file[1]. Drop previous fix for CVE-2021-4160 since it is now upstream [2] and include since release 1.1.1m. [1] https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=CHANGES;hb=refs/heads/OpenSSL_1_1_1-stable [2] https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=e9e726506cd2a3fd9c0f12daf8cc1fe934c7dddb Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> --- .../openssl/openssl/CVE-2021-4160.patch | 145 ------------------ .../{openssl_1.1.1l.bb => openssl_1.1.1n.bb} | 3 +- 2 files changed, 1 insertion(+), 147 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2021-4160.patch rename meta/recipes-connectivity/openssl/{openssl_1.1.1l.bb => openssl_1.1.1n.bb} (98%)