Major changes in 3.0.1:
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
([CVE-2021-4044])
* Allow fetching an operation from the provider that owns an unexportable key
as a fallback if that is still allowed by the property query.
Drop patches which were backported.
Signed-off-by: Ross Burton <ross.bur...@arm.com>
---
...-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 108 ------------------
.../openssl/openssl/armv8-32bit.patch | 29 -----
.../{openssl_3.0.0.bb => openssl_3.0.1.bb} | 4 +-
3 files changed, 1 insertion(+), 140 deletions(-)
delete mode 100644
meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
delete mode 100644 meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch
rename meta/recipes-connectivity/openssl/{openssl_3.0.0.bb =>
openssl_3.0.1.bb} (97%)
diff --git
a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
deleted file mode 100644
index b85a3ad7d22..00000000000
---
a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default
-context (required when backporting, not needed with 3.0.1).
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.bur...@arm.com>
-
-From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001
-From: Tom Cosgrove <tom.cosgr...@arm.com>
-Date: Thu, 25 Nov 2021 15:49:26 +0000
-Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
-
-When an integer value was specified, it was not being passed back via
-the orig_p2 weirdness.
-
-Regression test included.
-
-Reviewed-by: Tomas Mraz <to...@openssl.org>
-Reviewed-by: Paul Dale <pa...@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/17136)
----
- crypto/evp/ctrl_params_translate.c | 12 +++++++-----
- test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 37 insertions(+), 5 deletions(-)
-
-diff --git a/crypto/evp/ctrl_params_translate.c
b/crypto/evp/ctrl_params_translate.c
-index 88945e13e6..6638209a8d 100644
---- a/crypto/evp/ctrl_params_translate.c
-+++ b/crypto/evp/ctrl_params_translate.c
-@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state,
- if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL)
- || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) {
- size_t i;
-+ int val;
-
- for (i = 0; i < OSSL_NELEM(str_value_map); i++) {
- if (strcmp(ctx->p2, str_value_map[i].ptr) == 0)
- break;
- }
-- if (i == OSSL_NELEM(str_value_map)) {
-- ctx->p1 = atoi(ctx->p2);
-- } else if (state == POST_CTRL_TO_PARAMS) {
-+
-+ val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2)
-+ : (int)str_value_map[i].id;
-+ if (state == POST_CTRL_TO_PARAMS) {
- /*
- * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further
- * up
- */
-- *(int *)ctx->orig_p2 = str_value_map[i].id;
-+ *(int *)ctx->orig_p2 = val;
- } else {
-- ctx->p1 = (int)str_value_map[i].id;
-+ ctx->p1 = val;
- }
- ctx->p2 = NULL;
- }
-diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
-index 83f8902d24..9ad37a2bce 100644
---- a/test/evp_extra_test.c
-+++ b/test/evp_extra_test.c
-@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void)
- return ret;
- }
-
-+static int test_EVP_rsa_pss_set_saltlen(void)
-+{
-+ int ret = 0;
-+ EVP_PKEY *pkey = NULL;
-+ EVP_PKEY_CTX *pkey_ctx = NULL;
-+ EVP_MD *sha256 = NULL;
-+ EVP_MD_CTX *sha256_ctx = NULL;
-+ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't
update this */
-+ const int test_value = 32;
-+
-+ if (nullprov != NULL)
-+ return TEST_skip("Test does not support a non-default library
context");
-+
-+ ret = TEST_ptr(pkey = load_example_rsa_key())
-+ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
-+ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
-+ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL,
pkey))
-+ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx,
RSA_PKCS1_PSS_PADDING))
-+ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value))
-+ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
-+ && TEST_int_eq(saltlen, test_value);
-+
-+ EVP_MD_CTX_free(sha256_ctx);
-+ EVP_PKEY_free(pkey);
-+ EVP_MD_free(sha256);
-+
-+ return ret;
-+}
-+
- static int success = 1;
- static void md_names(const char *name, void *vctx)
- {
-@@ -3966,6 +3995,7 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_evp_iv_des, 6);
- #endif
- ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
-+ ADD_TEST(test_EVP_rsa_pss_set_saltlen);
- #ifndef OPENSSL_NO_EC
- ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
- #endif
---
-2.25.1
-
diff --git a/meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch
b/meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch
deleted file mode 100644
index 1935651be05..00000000000
--- a/meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/16951]
-Signed-off-by: Ross Burton <ross.bur...@arm.com>
-
-From 5118e96a3dbedde2523e7726fa34af30923a9add Mon Sep 17 00:00:00 2001
-From: Tom Cosgrove <tom.cosgr...@arm.com>
-Date: Tue, 2 Nov 2021 15:26:21 +0000
-Subject: [PATCH] Fix builds on Armv8 systems without AArch64
-
-This fixes "undefined reference to `aes_gcm_dec_128_kernel' in function
-`armv8_aes_gcm_decrypt'" and similar
-
-Fixes #16949
----
- include/crypto/aes_platform.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
-index 015c3bd4ab91..e95ad5aa5de6 100644
---- a/include/crypto/aes_platform.h
-+++ b/include/crypto/aes_platform.h
-@@ -100,7 +100,7 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned
char *out, size_t len,
- # define AES_PMULL_CAPABLE ((OPENSSL_armcap_P & ARMV8_PMULL) &&
(OPENSSL_armcap_P & ARMV8_AES))
- # define AES_GCM_ENC_BYTES 512
- # define AES_GCM_DEC_BYTES 512
--# if __ARM_MAX_ARCH__>=8
-+# if __ARM_MAX_ARCH__>=8 && defined(__aarch64__)
- # define AES_gcm_encrypt armv8_aes_gcm_encrypt
- # define AES_gcm_decrypt armv8_aes_gcm_decrypt
- # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_v8_ctr32_encrypt_blocks && \
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb
similarity index 97%
rename from meta/recipes-connectivity/openssl/openssl_3.0.0.bb
rename to meta/recipes-connectivity/openssl/openssl_3.0.1.bb
index da73ed6bc33..4cd090a26b7 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb
@@ -12,15 +12,13 @@ SRC_URI =
"http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
file://afalg.patch \
file://0001-Configure-do-not-tweak-mips-cflags.patch \
- file://armv8-32bit.patch \
- file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \
"
SRC_URI:append:class-nativesdk = " \
file://environment.d-openssl.sh \
"
-SRC_URI[sha256sum] =
"59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536"
+SRC_URI[sha256sum] =
"c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1"
inherit lib_package multilib_header multilib_script ptest perlnative
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
--
2.25.1
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#159721):
https://lists.openembedded.org/g/openembedded-core/message/159721
Mute This Topic: https://lists.openembedded.org/mt/87741802/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
