From patchwork Wed Mar 4 18:48:01 2026
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 82509
X-Patchwork-Delegate: yoann.congal@smile.fr
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [OE-core][scarthgap][PATCH] openssl: upgrade 3.2.6 -> 3.5.5
Date: Wed, 4 Mar 2026 19:48:01 +0100
Message-Id: <20260304184801.1840527-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/232436

OpenSSL 3.2 has reached EOL. Some projects would like to use an LTS version due to the criticality and exposure of this component, so upgrade to the 3.5 branch.

Copy the recipe from oe-core master fd3b1efb6f7ffb5505ff7eb95cae222e1db9f776, which is the last revision before disabling TLS 1/1.1 by default.

The single change is replacing UNPACKDIR by WORKDIR (one occurrence).
Signed-off-by: Peter Marko --- .../openssl/files/environment.d-openssl.sh | 9 ++- ...ke-history-reporting-when-test-fails.patch | 32 ++++---- ...1-Configure-do-not-tweak-mips-cflags.patch | 4 +- ...sysroot-and-debug-prefix-map-from-co.patch | 26 ++++--- .../0001-extend-check_cwm-test-timeout.patch | 32 ++++++++ .../openssl/openssl/CVE-2024-41996.patch | 44 ----------- .../openssl/openssl/CVE-2025-15468.patch | 39 ---------- .../openssl/openssl/CVE-2025-69419.patch | 61 --------------- .../{openssl_3.2.6.bb => openssl_3.5.5.bb} | 75 ++++++++++++------- 9 files changed, 119 insertions(+), 203 deletions(-) create mode 100644 meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch rename meta/recipes-connectivity/openssl/{openssl_3.2.6.bb => openssl_3.5.5.bb} (76%) diff --git a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh index d72edcb5edf..77747c1fdaf 100644 --- a/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh +++ b/meta/recipes-connectivity/openssl/files/environment.d-openssl.sh 
@@ -1,14 +1,15 @@ -export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/openssl.cnf" +export OPENSSL_CONF="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/openssl.cnf" export OPENSSL_MODULES="$OECORE_NATIVE_SYSROOT/usr/lib/ossl-modules/" export OPENSSL_ENGINES="$OECORE_NATIVE_SYSROOT/usr/lib/engines-3" +export BB_ENV_PASSTHROUGH_ADDITIONS="${BB_ENV_PASSTHROUGH_ADDITIONS:-} OPENSSL_CONF OPENSSL_MODULES OPENSSL_ENGINES" # Respect host env SSL_CERT_FILE/SSL_CERT_DIR first, then auto-detected host cert, then cert in buildtools -# CAFILE/CAPATH is auto-deteced when source buildtools +# CAFILE/CAPATH is auto-detected when source buildtools if [ -z "${SSL_CERT_FILE:-}" ]; then if [ -n "${CAFILE:-}" ];then export SSL_CERT_FILE="$CAFILE" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then - export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs/ca-certificates.crt" + export SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt" fi fi @@ -16,7 +17,7 @@ if [ -z "${SSL_CERT_DIR:-}" ]; then if [ -n "${CAPATH:-}" ];then export SSL_CERT_DIR="$CAPATH" elif [ -e "${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt" ];then - export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl/certs" + export SSL_CERT_DIR="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs" fi fi diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch index b05d7abf7cb..a74c79303f6 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Added-handshake-history-reporting-when-test-fails.patch @@ -6,18 +6,17 @@ Subject: [PATCH] Added handshake history reporting when test fails Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/22481] 
Signed-off-by: William Lyu -Signed-off-by: Siddharth Doshi --- - test/helpers/handshake.c | 137 +++++++++++++++++++++++++++++---------- + test/helpers/handshake.c | 136 ++++++++++++++++++++++++++++++--------- test/helpers/handshake.h | 70 +++++++++++++++++++- test/ssl_test.c | 44 +++++++++++++ - 3 files changed, 217 insertions(+), 34 deletions(-) + 3 files changed, 217 insertions(+), 33 deletions(-) diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c -index e0422469e4..ae2ad59dd4 100644 +index f611b3a..5703b48 100644 --- a/test/helpers/handshake.c +++ b/test/helpers/handshake.c -@@ -24,6 +24,102 @@ +@@ -25,6 +25,102 @@ #include #endif @@ -120,7 +119,7 @@ index e0422469e4..ae2ad59dd4 100644 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) { HANDSHAKE_RESULT *ret; -@@ -725,15 +821,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, +@@ -724,15 +820,6 @@ static void configure_handshake_ssl(SSL *server, SSL *client, SSL_set_post_handshake_auth(client, 1); } @@ -136,7 +135,7 @@ index e0422469e4..ae2ad59dd4 100644 /* An SSL object and associated read-write buffers. */ typedef struct peer_st { SSL *ssl; -@@ -1080,17 +1167,6 @@ static void do_shutdown_step(PEER *peer) +@@ -1077,16 +1164,6 @@ static void do_shutdown_step(PEER *peer) } } @@ -149,12 +148,11 @@ index e0422469e4..ae2ad59dd4 100644 - SHUTDOWN, - CONNECTION_DONE -} connect_phase_t; -- - static int renegotiate_op(const SSL_TEST_CTX *test_ctx) { switch (test_ctx->handshake_mode) { -@@ -1168,19 +1244,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, +@@ -1164,19 +1241,6 @@ static void do_connect_step(const SSL_TEST_CTX *test_ctx, PEER *peer, } } @@ -174,7 +172,7 @@ index e0422469e4..ae2ad59dd4 100644 /* * Determine the handshake outcome. * last_status: the status of the peer to have acted last. -@@ -1545,6 +1608,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( +@@ -1541,6 +1605,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( start = time(NULL); 
@@ -185,8 +183,8 @@ index e0422469e4..ae2ad59dd4 100644 /* * Half-duplex handshake loop. * Client and server speak to each other synchronously in the same process. -@@ -1566,6 +1633,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( - 0 /* server went last */); +@@ -1562,6 +1630,10 @@ static HANDSHAKE_RESULT *do_handshake_internal( + 0 /* server went last */); } + save_loop_history(&(ret->history), @@ -197,7 +195,7 @@ index e0422469e4..ae2ad59dd4 100644 case HANDSHAKE_SUCCESS: client_turn_count = 0; diff --git a/test/helpers/handshake.h b/test/helpers/handshake.h -index 78b03f9f4b..b9967c2623 100644 +index 78b03f9..b9967c2 100644 --- a/test/helpers/handshake.h +++ b/test/helpers/handshake.h @@ -1,5 +1,5 @@ @@ -293,16 +291,16 @@ index 78b03f9f4b..b9967c2623 100644 HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void); @@ -95,4 +159,8 @@ int configure_handshake_ctx_for_srp(SSL_CTX *server_ctx, SSL_CTX *server2_ctx, - CTX_DATA *server2_ctx_data, - CTX_DATA *client_ctx_data); + CTX_DATA *server2_ctx_data, + CTX_DATA *client_ctx_data); +const char *handshake_connect_phase_name(connect_phase_t phase); +const char *handshake_status_name(handshake_status_t handshake_status); +const char *handshake_peer_status_name(peer_status_t peer_status); + - #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ + #endif /* OSSL_TEST_HANDSHAKE_HELPER_H */ diff --git a/test/ssl_test.c b/test/ssl_test.c -index ea608518f9..9d6b093c81 100644 +index ea60851..9d6b093 100644 --- a/test/ssl_test.c +++ b/test/ssl_test.c @@ -26,6 +26,44 @@ static OSSL_LIB_CTX *libctx = NULL; diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch index 3f6ab97795a..cf5ff356ee7 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch @@ -17,10 +17,10 @@ 
Signed-off-by: Tim Orling 1 file changed, 10 deletions(-) diff --git a/Configure b/Configure -index 4569952..adf019b 100755 +index fff97bd..5ee54c1 100755 --- a/Configure +++ b/Configure -@@ -1485,16 +1485,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) +@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m) push @{$config{shared_ldflag}}, "-mno-cygwin"; } diff --git a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch index ce2acb24629..dadc034c913 100644 --- a/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch +++ b/meta/recipes-connectivity/openssl/openssl/0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch @@ -30,23 +30,26 @@ Update to fix buildpaths qa issue for '-ffile-prefix-map'. 
Signed-off-by: Khem Raj --- - Configurations/unix-Makefile.tmpl | 12 +++++++++++- + Configurations/unix-Makefile.tmpl | 16 +++++++++++++++- crypto/build.info | 2 +- - 2 files changed, 12 insertions(+), 2 deletions(-) + 2 files changed, 16 insertions(+), 2 deletions(-) -Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl -=================================================================== ---- openssl-3.0.4.orig/Configurations/unix-Makefile.tmpl -+++ openssl-3.0.4/Configurations/unix-Makefile.tmpl -@@ -481,13 +481,23 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 09303c4..011bda1 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -513,13 +513,27 @@ BIN_LDFLAGS={- join(' ', $target{bin_lflags} || (), '$(CNF_LDFLAGS)', '$(LDFLAGS)') -} BIN_EX_LIBS=$(CNF_EX_LIBS) $(EX_LIBS) -# CPPFLAGS_Q is used for one thing only: to build up buildinf.h +# *_Q variables are used for one thing only: to build up buildinf.h CPPFLAGS_Q={- $cppflags1 =~ s|([\\"])|\\$1|g; ++ $cppflags1 =~ s|-isystem/[^ ]+/usr/include||g; $cppflags2 =~ s|([\\"])|\\$1|g; ++ $cppflags2 =~ s|-isystem/[^ ]+/usr/include||g; $lib_cppflags =~ s|([\\"])|\\$1|g; ++ $lib_cppflags =~ s|-isystem/[^ ]+/usr/include||g; join(' ', $lib_cppflags || (), $cppflags2 || (), $cppflags1 || ()) -} @@ -54,6 +57,7 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl + s|-fdebug-prefix-map=[^ ]+|-fdebug-prefix-map=|g; + s|-fmacro-prefix-map=[^ ]+|-fmacro-prefix-map=|g; + s|-ffile-prefix-map=[^ ]+|-ffile-prefix-map=|g; ++ s|-isystem/[^ ]+/usr/include ||g; + } + join(' ', @{$config{CFLAGS}}) -} + 
@@ -63,10 +67,10 @@ Index: openssl-3.0.4/Configurations/unix-Makefile.tmpl PERLASM_SCHEME= {- $target{perlasm_scheme} -} # For x86 assembler: Set PROCESSOR to 386 if you want to support -Index: openssl-3.0.4/crypto/build.info -=================================================================== ---- openssl-3.0.4.orig/crypto/build.info -+++ openssl-3.0.4/crypto/build.info +diff --git a/crypto/build.info b/crypto/build.info +index aee5c46..95c9577 100644 +--- a/crypto/build.info ++++ b/crypto/build.info @@ -115,7 +115,7 @@ DEFINE[../libcrypto]=$UPLINKDEF DEPEND[info.o]=buildinf.h diff --git a/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch new file mode 100644 index 00000000000..f6eb28069ac --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/0001-extend-check_cwm-test-timeout.patch 
@@ -0,0 +1,32 @@ +From c7000672296f4c367341aa3415f26c4d9f5e4749 Mon Sep 17 00:00:00 2001 +From: Gyorgy Sarvari +Date: Thu, 23 Oct 2025 11:24:36 +0200 +Subject: [PATCH] extend check_cwm test timeout + +The default, 3s long test timeout isn't always enough for this +particular test in case there is a high load on the host machine +(assuming it is running in qemu). Extend the default timeout to 6s +for the check_cwm test to avoid timeouts. + +Upstream-Status: Inappropriate [upstream issue: https://github.com/openssl/openssl/issues/28983] +Signed-off-by: Gyorgy Sarvari +--- + test/radix/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/test/radix/main.c b/test/radix/main.c +index 4a1e886a71..39f8c61ef9 100644 +--- a/test/radix/main.c ++++ b/test/radix/main.c +@@ -25,6 +25,11 @@ static int test_script(int idx) + int testresult; + TERP_CONFIG cfg = { 0 }; + ++ // check_cwm test sometimes times out, the default 3000ms is ++ // not enough if the test execution starves for CPU ++ if (!strncmp("check_cwm", script_info->name, strlen("check_cwm"))) ++ cfg.max_execution_time = ossl_ms2time(6000); ++ + if (!TEST_true(bindings_process_init(0, 0))) + return 0; + diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch deleted file mode 100644 index dc18e0bef19..00000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 5 Aug 2024 17:54:14 +0200 -Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known - safe-prime groups -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The partial validation is fully sufficient to check the key validity. - -Thanks to Szilárd Pfeiffer for reporting the issue. - -Reviewed-by: Neil Horman -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/25088) - -CVE: CVE-2024-41996 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98] -Signed-off-by: Peter Marko ---- - providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 82c3093b12..ebdce76710 100644 ---- a/providers/implementations/keymgmt/dh_kmgmt.c -+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype) - if (pub_key == NULL) - return 0; - -- /* The partial test is only valid for named group's with q = (p - 1) / 2 */ -- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK -- && ossl_dh_is_named_safe_prime_group(dh)) -+ /* -+ * The partial test is only valid for named group's with q = (p - 1) / 2 -+ * but for that case it is also fully sufficient to check the key validity. -+ */ -+ if (ossl_dh_is_named_safe_prime_group(dh)) - return ossl_dh_check_pub_key_partial(dh, pub_key, &res); - - return DH_check_pub_key_ex(dh, pub_key); diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch deleted file mode 100644 index dcd862bedf6..00000000000 
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2025-15468.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 1f08e54bad32843044fe8a675948d65e3b4ece65 Mon Sep 17 00:00:00 2001 -From: Daniel Kubec -Date: Fri, 9 Jan 2026 14:33:24 +0100 -Subject: [PATCH] ossl_quic_get_cipher_by_char(): Add a NULL guard before - dereferencing SSL_CIPHER -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Fixes CVE-2025-15468 - -Reviewed-by: Saša Nedvědický -Reviewed-by: Tomas Mraz -MergeDate: Mon Jan 26 19:36:04 2026 -(cherry picked from commit 293b55de0c434a99d0e744d0521170ca280606a9) - -CVE: CVE-2025-15468 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/1f08e54bad32843044fe8a675948d65e3b4ece65] -Signed-off-by: Hitendra Prajapati ---- - ssl/quic/quic_impl.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c -index 98b6a0a..4abde64 100644 ---- a/ssl/quic/quic_impl.c -+++ b/ssl/quic/quic_impl.c -@@ -3646,6 +3646,8 @@ const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p) - { - const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p); - -+ if (ciph == NULL) -+ return NULL; - if ((ciph->algorithm2 & SSL_QUIC) == 0) - return NULL; - --- -2.50.1 - diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch deleted file mode 100644 index dcfdba82acb..00000000000 --- a/meta/recipes-connectivity/openssl/openssl/CVE-2025-69419.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 41be0f216404f14457bbf3b9cc488dba60b49296 Mon Sep 17 00:00:00 2001 -From: Norbert Pocs -Date: Thu, 11 Dec 2025 12:49:00 +0100 -Subject: [PATCH] Check return code of UTF8_putc - -Signed-off-by: Norbert Pocs - -Reviewed-by: Nikola Pajkovsky -Reviewed-by: Viktor Dukhovni -(Merged from https://github.com/openssl/openssl/pull/29376) - -CVE: CVE-2025-69419 -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/41be0f216404f14457bbf3b9cc488dba60b49296] -Signed-off-by: Hitendra Prajapati ---- - crypto/asn1/a_strex.c | 6 ++++-- - crypto/pkcs12/p12_utl.c | 11 +++++++++-- - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c -index f64e352..7d76700 100644 ---- a/crypto/asn1/a_strex.c -+++ b/crypto/asn1/a_strex.c -@@ -204,8 +204,10 @@ static int do_buf(unsigned char *buf, int buflen, - orflags = CHARTYPE_LAST_ESC_2253; - if (type & BUF_TYPE_CONVUTF8) { - unsigned char utfbuf[6]; -- int utflen; -- utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); -+ int utflen = UTF8_putc(utfbuf, sizeof(utfbuf), c); -+ -+ if (utflen < 0) -+ return -1; /* error happened with UTF8 */ - for (i = 0; i < utflen; i++) { - /* - * We don't need to worry about setting orflags correctly -diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c -index a96623f..b109dab 100644 ---- a/crypto/pkcs12/p12_utl.c -+++ b/crypto/pkcs12/p12_utl.c -@@ -206,8 +206,15 @@ char *OPENSSL_uni2utf8(const unsigned char *uni, int unilen) - /* re-run the loop emitting UTF-8 string */ - for (asclen = 0, i = 0; i < unilen; ) { - j = bmp_to_utf8(asctmp+asclen, uni+i, unilen-i); -- if (j == 4) i += 4; -- else i += 2; -+ /* when UTF8_putc fails */ -+ if (j < 0) { -+ OPENSSL_free(asctmp); -+ return NULL; -+ } -+ if (j == 4) -+ i += 4; -+ else -+ i += 2; - asclen += j; - } - --- -2.50.1 - 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb similarity index 76% rename from meta/recipes-connectivity/openssl/openssl_3.2.6.bb rename to meta/recipes-connectivity/openssl/openssl_3.5.5.bb index 074ab121316..1321adda92a 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.6.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.5.5.bb @@ -7,21 +7,19 @@ SECTION = "libs/network" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=c75985e733726beaba57bc5253e96d04" -SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/openssl-${PV}.tar.gz \ +SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://run-ptest \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://0001-Added-handshake-history-reporting-when-test-fails.patch \ - file://CVE-2024-41996.patch \ - file://CVE-2025-15468.patch \ - file://CVE-2025-69419.patch \ + file://0001-extend-check_cwm-test-timeout.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "89681a9ddaa9ed7cf25ea8ef61338db805200bae47d00510490623547380c148" +SRC_URI[sha256sum] = "b28c91532a8b65a1f983b4c28b7488174e4a01008e29ce8e69bd789f28bc2a89" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" 
@@ -34,10 +32,13 @@ PACKAGECONFIG[cryptodev-linux] = "enable-devcryptoeng,disable-devcryptoeng,crypt PACKAGECONFIG[no-tls1] = "no-tls1" PACKAGECONFIG[no-tls1_1] = "no-tls1_1" PACKAGECONFIG[manpages] = "" +PACKAGECONFIG[fips] = "enable-fips" B = "${WORKDIR}/build" do_configure[cleandirs] = "${B}" +EXTRA_OECONF = "${@bb.utils.contains('PTEST_ENABLED', '1', '', 'no-tests', d)}" + #| ./libcrypto.so: undefined reference to `getcontext' #| ./libcrypto.so: undefined reference to `setcontext' #| ./libcrypto.so: undefined reference to `makecontext' @@ -46,12 +47,15 @@ EXTRA_OECONF:append:libc-musl:powerpc64 = " no-asm" # adding devrandom prevents openssl from using getrandom() which is not available on older glibc versions # (native versions can be built with newer glibc, but then relocated onto a system with older glibc) -EXTRA_OECONF:class-native = "--with-rand-seed=os,devrandom" -EXTRA_OECONF:class-nativesdk = "--with-rand-seed=os,devrandom" +EXTRA_OECONF:append:class-native = " --with-rand-seed=os,devrandom" +EXTRA_OECONF:append:class-nativesdk = " --with-rand-seed=os,devrandom" # Relying on hardcoded built-in paths causes openssl-native to not be relocateable from sstate. -CFLAGS:append:class-native = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" -CFLAGS:append:class-nativesdk = " -DOPENSSLDIR=/not/builtin -DENGINESDIR=/not/builtin" +EXTRA_OEMAKE:append:task-compile:class-native = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' +EXTRA_OEMAKE:append:task-compile:class-nativesdk = ' OPENSSLDIR="/not/builtin" ENGINESDIR="/not/builtin" MODULESDIR="/not/builtin"' + +#| threads_pthread.c:(.text+0x372): undefined reference to `__atomic_is_lock_free' +EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic" # This allows disabling deprecated or undesirable crypto algorithms. # The default is to trust upstream choices. 
@@ -138,21 +142,26 @@ do_configure () { ;; esac - useprefix=${prefix} - if [ "x$useprefix" = "x" ]; then - useprefix=/ - fi # WARNING: do not set compiler/linker flags (-I/-D etc.) in EXTRA_OECONF, as they will fully replace the # environment variables set by bitbake. Adjust the environment variables instead. PERLEXTERNAL="$(realpath ${S}/external/perl/Text-Template-*/lib)" test -d "$PERLEXTERNAL" || bberror "PERLEXTERNAL '$PERLEXTERNAL' not found!" HASHBANGPERL="/usr/bin/env perl" PERL=perl PERL5LIB="$PERLEXTERNAL" \ - perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=$useprefix --openssldir=${libdir}/ssl-3 --libdir=${libdir} $target + perl ${S}/Configure ${EXTRA_OECONF} ${PACKAGECONFIG_CONFARGS} ${DEPRECATED_CRYPTO_FLAGS} --prefix=${prefix} --openssldir=${libdir}/ssl-3 --libdir=${baselib} $target perl ${B}/configdata.pm --dump } +do_compile:append () { + # The test suite binaries are large and we don't need the debugging in them + if test -d ${B}/test; then + find ${B}/test -type f -executable -exec ${STRIP} {} \; + fi +} + do_install () { - oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} + oe_runmake DESTDIR="${D}" MANDIR="${mandir}" MANSUFFIX=ssl install_sw install_ssldirs \ + ${@bb.utils.contains('PACKAGECONFIG', 'manpages', 'install_docs', '', d)} \ + ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'install_fips', '', d)} oe_multilib_header openssl/opensslconf.h oe_multilib_header openssl/configuration.h 
@@ -170,21 +179,30 @@ do_install () { ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/certs')} ${D}${libdir}/ssl-3/certs ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/private')} ${D}${libdir}/ssl-3/private ln -sf ${@oe.path.relative('${libdir}/ssl-3', '${sysconfdir}/ssl/openssl.cnf')} ${D}${libdir}/ssl-3/openssl.cnf + + # Generate fipsmodule.cnf in pkg_postinst_ontarget + if ${@bb.utils.contains('PACKAGECONFIG', 'fips', 'true', 'false', d)}; then + rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf + fi } do_install:append:class-native () { create_wrapper ${D}${bindir}/openssl \ - OPENSSL_CONF=${libdir}/ssl-3/openssl.cnf \ - SSL_CERT_DIR=${libdir}/ssl-3/certs \ - SSL_CERT_FILE=${libdir}/ssl-3/cert.pem \ - OPENSSL_ENGINES=${libdir}/engines-3 \ - OPENSSL_MODULES=${libdir}/ossl-modules + OPENSSL_CONF=\${OPENSSL_CONF:-${libdir}/ssl-3/openssl.cnf} \ + SSL_CERT_DIR=\${SSL_CERT_DIR:-${libdir}/ssl-3/certs} \ + SSL_CERT_FILE=\${SSL_CERT_FILE:-${libdir}/ssl-3/cert.pem} \ + OPENSSL_ENGINES=\${OPENSSL_ENGINES:-${libdir}/engines-3} \ + OPENSSL_MODULES=\${OPENSSL_MODULES:-${libdir}/ossl-modules} + + # Setting ENGINESDIR and MODULESDIR to invalid paths prevents host contamination, + # but also breaks the generated libcrypto.pc file. Post-Fix it manually here. + sed -i 's|^enginesdir=\($.libdir.\)/.*|enginesdir=\1/engines-3|' ${D}${libdir}/pkgconfig/libcrypto.pc + sed -i 's|^modulesdir=\($.libdir.\)/.*|modulesdir=\1/ossl-modules|' ${D}${libdir}/pkgconfig/libcrypto.pc } do_install:append:class-nativesdk () { mkdir -p ${D}${SDKPATHNATIVE}/environment-setup.d install -m 644 ${WORKDIR}/environment.d-openssl.sh ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh - sed 's|/usr/lib/ssl/|/usr/lib/ssl-3/|g' -i ${D}${SDKPATHNATIVE}/environment-setup.d/openssl.sh } PTEST_BUILD_HOST_FILES += "configdata.pm" 
@@ -228,12 +246,18 @@ do_install_ptest() { ln -s ${libdir}/ossl-modules/ ${D}${PTEST_PATH}/providers } +pkg_postinst_ontarget:${PN}-ossl-module-fips () { + if test -f ${libdir}/ossl-modules/fips.so; then + ${bindir}/openssl fipsinstall -out ${libdir}/ssl-3/fipsmodule.cnf -module ${libdir}/ossl-modules/fips.so + fi +} + # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto # package RRECOMMENDS on this package. This will enable the configuration # file to be installed for both the openssl-bin package and the libcrypto # package since the openssl-bin package depends on the libcrypto package. -PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy" +PACKAGES =+ "libcrypto libssl openssl-conf ${PN}-engines ${PN}-misc ${PN}-ossl-module-legacy ${PN}-ossl-module-fips" FILES:libcrypto = "${libdir}/libcrypto${SOLIBS}" FILES:libssl = "${libdir}/libssl${SOLIBS}" @@ -245,6 +269,7 @@ FILES:${PN}-engines = "${libdir}/engines-3" FILES:${PN}-engines:append:mingw32:class-nativesdk = " ${prefix}${libdir}/engines-3" FILES:${PN}-misc = "${libdir}/ssl-3/misc ${bindir}/c_rehash" FILES:${PN}-ossl-module-legacy = "${libdir}/ossl-modules/legacy.so" +FILES:${PN}-ossl-module-fips = "${libdir}/ossl-modules/fips.so" FILES:${PN} =+ "${libdir}/ssl-3/* ${libdir}/ossl-modules/" FILES:${PN}:append:class-nativesdk = " ${SDKPATHNATIVE}/environment-setup.d/openssl.sh" @@ -256,9 +281,9 @@ RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed openssl-engines RDEPENDS:${PN}-bin += "openssl-conf" +# The test suite is installed stripped +INSANE_SKIP:${PN} = "already-stripped" + BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "openssl:openssl" - -CVE_VERSION_SUFFIX = "alphabetical" -
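Review bot: in the environment.d-openssl.sh hunk the existence test and the exported value still disagree: the `elif` checks `${OECORE_NATIVE_SYSROOT}/etc/ssl/certs/ca-certificates.crt` but then exports `SSL_CERT_FILE="$OECORE_NATIVE_SYSROOT/usr/lib/ssl-3/certs/ca-certificates.crt"`, and the SSL_CERT_DIR branch tests for a file to decide about a directory. This only works because do_install symlinks `${libdir}/ssl-3/certs` to `${sysconfdir}/ssl/certs` (visible in the recipe hunk). It is pre-existing, but since the paths are being changed from ssl to ssl-3 anyway it would be cleaner to test the same path that is exported. The new `BB_ENV_PASSTHROUGH_ADDITIONS` export correctly uses `${BB_ENV_PASSTHROUGH_ADDITIONS:-}`, so it is safe under `set -u`.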
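Review bot: the new 0001-extend-check_cwm-test-timeout.patch calls `strncmp()` and `strlen()` in test/radix/main.c but shows no added `#include <string.h>`; if main.c does not already include it directly, the patch relies on transitive includes. The prefix match also means every script whose name begins with "check_cwm" gets the 6000 ms limit, which looks intended but is worth saying in the comment. The `//` comment style is not what OpenSSL's C sources use; with Upstream-Status: Inappropriate that is cosmetic, but keeping `/* */` makes the patch easier to carry across future upgrades.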
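Review bot: the SRC_URI hunk in openssl_3.5.5.bb moves the tarball from the HTTPS GitHub release URL to `http://www.openssl.org/source/openssl-${PV}.tar.gz`, a plain-HTTP fetch. Integrity still rests on the updated `SRC_URI[sha256sum]`, which detects a tampered download, but an https:// URL (or the github.com/openssl/openssl/releases/download form the scarthgap recipe already used) avoids the fetch being interfered with in transit in the first place. The same hunk drops CVE-2024-41996.patch, CVE-2025-15468.patch and CVE-2025-69419.patch, and the commit message does not say that 3.5.5 carries the corresponding upstream fixes; please add a sentence confirming that for each CVE (the NULL guard in ossl_quic_get_cipher_by_char() and the UTF8_putc() return-code checks in a_strex.c/p12_utl.c are easy to grep for in the new tarball) so the security story of this branch stays verifiable. Dropping `CVE_VERSION_SUFFIX = "alphabetical"` is fine, as 3.x version strings carry no letter suffix.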
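Review bot: the PACKAGECONFIG hunk (`@@ -34,10 +32,13 @@`) keeps `PACKAGECONFIG[no-tls1]` and `PACKAGECONFIG[no-tls1_1]` as opt-in, and the commit message deliberately picks the master revision before TLS 1.0/1.1 were disabled by default, so this upgrade leaves both protocol versions enabled on scarthgap. That is a reasonable choice for a stable branch, but it deserves a sentence in the commit message and a comment above the two PACKAGECONFIG lines pointing distributions that want them off at these knobs, since readers will otherwise assume a 3.5 upgrade brings the newer default with it. The new `EXTRA_OECONF = "... no-tests"` default is also why the rand-seed lines below were switched from `:class-native =` to `:append:class-native`; worth a short comment so the two are not "simplified" apart again.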
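Review bot: the `@@ -46,12 +47,15 @@` hunk adds `EXTRA_OECONF:append:toolchain-clang:x86 = " -latomic"`, a linker flag passed through EXTRA_OECONF, right above a do_configure comment that warns not to put compiler/linker flags into EXTRA_OECONF because they replace the bitbake-provided environment variables. If this case is known to be safe for a bare `-l` flag, say so in the comment next to it; otherwise `LDFLAGS:append:toolchain-clang:x86 = " -latomic"` would follow the recipe's own rule. The switch from `CFLAGS:append ... -DOPENSSLDIR=/not/builtin` to `EXTRA_OEMAKE ... OPENSSLDIR="/not/builtin" ... MODULESDIR="/not/builtin"` is consistent with the later sed fix-up of libcrypto.pc, which is the right place to repair the enginesdir/modulesdir values.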
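Review bot: the new `pkg_postinst_ontarget:${PN}-ossl-module-fips` in the last hunk runs `openssl fipsinstall` at first boot and writes `${libdir}/ssl-3/fipsmodule.cnf`, the file the do_install hunk deliberately removes with `rm -f ${D}${libdir}/ssl-3/fipsmodule.cnf`. That works only when the rootfs is writable when postinsts run; on a read-only image, or one where deferred postinsts never execute, the FIPS provider ends up with no configuration and will not load, and nothing in the recipe warns about it. Add a comment stating why the file cannot be produced at build time (fipsinstall has to load and self-test the target fips.so, so it cannot run on the build host) and that a read-only rootfs needs another way to ship the generated config. Also note the postinst conditions on `${libdir}/ossl-modules/fips.so` existing, which is exactly what FILES:${PN}-ossl-module-fips packages, so the `test -f` is redundant but harmless.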