author | Peter Marko <peter.marko@siemens.com> | 2024-02-04 18:25:15 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-02-05 14:03:12 +0000 |
commit | b50f1c4ccac12e9dbdeb5a6fec0413c9cd901d88 (patch) | |
tree | 8c4a72061c681718f31b2b7bc3a5b7996af2aa91 /meta/recipes-connectivity | |
parent | 3c922fb61aa4f3bbb5c4ef35639acdf263c4313c (diff) | |
download | openembedded-core-contrib-b50f1c4ccac12e9dbdeb5a6fec0413c9cd901d88.tar.gz |
openssl: Upgrade 3.2.0 -> 3.2.1
Fixes CVE-2024-0727 and CVE-2023-6237
Removed the backported patches that are already included in the new release.
New module was implemented in tests and needs to be installed
to successfully pass 04-test_provider.t test.
Release information:
https://github.com/openssl/openssl/blob/openssl-3.2/NEWS.md#major-changes-between-openssl-320-and-openssl-321-30-jan-2024
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-connectivity')
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/0001-riscv-Fix-mispelling-of-extension-test-macro.patch | 31 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch | 113 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl/aarch64-bti.patch | 35 | ||||
-rw-r--r-- | meta/recipes-connectivity/openssl/openssl_3.2.1.bb (renamed from meta/recipes-connectivity/openssl/openssl_3.2.0.bb) | 6 |
4 files changed, 2 insertions, 183 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/0001-riscv-Fix-mispelling-of-extension-test-macro.patch b/meta/recipes-connectivity/openssl/openssl/0001-riscv-Fix-mispelling-of-extension-test-macro.patch
deleted file mode 100644
index 1d217bd8e3..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/0001-riscv-Fix-mispelling-of-extension-test-macro.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From b51031b05f72923ff1cf3b6a4767450dee89d7f4 Mon Sep 17 00:00:00 2001
-From: Grant Nichol <me@grantnichol.com>
-Date: Fri, 22 Dec 2023 23:46:39 -0600
-Subject: [PATCH] riscv: Fix mispelling of extension test macro
-
-When refactoring the riscv extension test macros,
-RISCV_HAS_ZKND_AND_ZKNE was mispelled.
-
-CLA: trivial
-Upstream-Status: Backport [https://github.com/openssl/openssl/pull/23139]
-Signed-off-by: Khem Raj <raj.khem@gmail.com>
----
- providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-index 564d6d6..4cf1361 100644
---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-@@ -225,7 +225,7 @@ static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = { \
- # define PROV_CIPHER_HW_select_xts() \
- if (RISCV_HAS_ZBKB_AND_ZKND_AND_ZKNE()) \
- return &aes_xts_rv32i_zbkb_zknd_zkne; \
--if (RISCV_HAS_ZKND_ZKNE()) \
-+if (RISCV_HAS_ZKND_AND_ZKNE()) \
- return &aes_xts_rv32i_zknd_zkne;
- # else
- /* The generic case */
---
-2.43.0
-
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
deleted file mode 100644
index c2cbedd1b7..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-6129.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 5b139f95c9a47a55a0c54100f3837b1eee942b04 Mon Sep 17 00:00:00 2001
-From: Rohan McLure <rmclure@linux.ibm.com>
-Date: Thu, 4 Jan 2024 10:25:50 +0100
-Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
-
-Fixes CVE-2023-6129
-
-The POLY1305 MAC (message authentication code) implementation in OpenSSL for
-PowerPC CPUs saves the the contents of vector registers in different order
-than they are restored. Thus the contents of some of these vector registers
-is corrupted when returning to the caller. The vulnerable code is used only
-on newer PowerPC processors supporting the PowerISA 2.07 instructions.
-
-Reviewed-by: Matt Caswell <matt@openssl.org>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23200)
-
-(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
-
-CVE: CVE-2023-6129
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
- 1 file changed, 21 insertions(+), 21 deletions(-)
-
-diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
-index 9f86134d923fb..2e601bb9c24be 100755
---- a/crypto/poly1305/asm/poly1305-ppc.pl
-+++ b/crypto/poly1305/asm/poly1305-ppc.pl
-@@ -744,7 +744,7 @@
- my $LOCALS= 6*$SIZE_T;
- my $VSXFRAME = $LOCALS + 6*$SIZE_T;
- $VSXFRAME += 128; # local variables
-- $VSXFRAME += 13*16; # v20-v31 offload
-+ $VSXFRAME += 12*16; # v20-v31 offload
-
- my $BIG_ENDIAN = ($flavour !~ /le/) ? 
4 : 0;
-
-@@ -919,12 +919,12 @@
- addi r11,r11,32
- stvx v22,r10,$sp
- addi r10,r10,32
-- stvx v23,r10,$sp
-- addi r10,r10,32
-- stvx v24,r11,$sp
-+ stvx v23,r11,$sp
- addi r11,r11,32
-- stvx v25,r10,$sp
-+ stvx v24,r10,$sp
- addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
- stvx v26,r10,$sp
- addi r10,r10,32
- stvx v27,r11,$sp
-@@ -1153,12 +1153,12 @@
- addi r11,r11,32
- stvx v22,r10,$sp
- addi r10,r10,32
-- stvx v23,r10,$sp
-- addi r10,r10,32
-- stvx v24,r11,$sp
-+ stvx v23,r11,$sp
- addi r11,r11,32
-- stvx v25,r10,$sp
-+ stvx v24,r10,$sp
- addi r10,r10,32
-+ stvx v25,r11,$sp
-+ addi r11,r11,32
- stvx v26,r10,$sp
- addi r10,r10,32
- stvx v27,r11,$sp
-@@ -1899,26 +1899,26 @@
- mtspr 256,r12 # restore vrsave
- lvx v20,r10,$sp
- addi r10,r10,32
-- lvx v21,r10,$sp
-- addi r10,r10,32
-- lvx v22,r11,$sp
-+ lvx v21,r11,$sp
- addi r11,r11,32
-- lvx v23,r10,$sp
-+ lvx v22,r10,$sp
- addi r10,r10,32
-- lvx v24,r11,$sp
-+ lvx v23,r11,$sp
- addi r11,r11,32
-- lvx v25,r10,$sp
-+ lvx v24,r10,$sp
- addi r10,r10,32
-- lvx v26,r11,$sp
-+ lvx v25,r11,$sp
- addi r11,r11,32
-- lvx v27,r10,$sp
-+ lvx v26,r10,$sp
- addi r10,r10,32
-- lvx v28,r11,$sp
-+ lvx v27,r11,$sp
- addi r11,r11,32
-- lvx v29,r10,$sp
-+ lvx v28,r10,$sp
- addi r10,r10,32
-- lvx v30,r11,$sp
-- lvx v31,r10,$sp
-+ lvx v29,r11,$sp
-+ addi r11,r11,32
-+ lvx v30,r10,$sp
-+ lvx v31,r11,$sp
- $POP r27,`$VSXFRAME-$SIZE_T*5`($sp)
- $POP r28,`$VSXFRAME-$SIZE_T*4`($sp)
- $POP r29,`$VSXFRAME-$SIZE_T*3`($sp)
diff --git a/meta/recipes-connectivity/openssl/openssl/aarch64-bti.patch b/meta/recipes-connectivity/openssl/openssl/aarch64-bti.patch
deleted file mode 100644
index 2a16debb76..0000000000
--- a/meta/recipes-connectivity/openssl/openssl/aarch64-bti.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From ad347c9ff0fd93bdd2fa2085611c65b88e94829f Mon Sep 17 00:00:00 2001
-From: "fangming.fang" <fangming.fang@arm.com>
-Date: Thu, 7 Dec 2023 06:17:51 +0000
-Subject: [PATCH] Enable BTI feature for md5 on aarch64
-
-Fixes: #22959
-
-Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22971)
-
-Upstream-Status: Backport
-Signed-off-by: Ross Burton <ross.burton@arm.com>
----
- crypto/md5/asm/md5-aarch64.pl | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl
-index 3200a0fa9bff0..5a8608069691d 100755
---- a/crypto/md5/asm/md5-aarch64.pl
-+++ b/crypto/md5/asm/md5-aarch64.pl
-@@ -28,10 +28,13 @@
- *STDOUT=*OUT;
-
- $code .= <<EOF;
-+#include "arm_arch.h"
-+
- .text
- .globl ossl_md5_block_asm_data_order
- .type ossl_md5_block_asm_data_order,\@function
- ossl_md5_block_asm_data_order:
-+ AARCH64_VALID_CALL_TARGET
- // Save all callee-saved registers
- stp x19,x20,[sp,#-80]!
- stp x21,x22,[sp,#16]
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.0.bb b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
index b2cdf761fc..549fa4cd94 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.1.bb
@@ -12,16 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ file://0001-Added-handshake-history-reporting-when-test-fails.patch \ - file://aarch64-bti.patch \ - file://0001-riscv-Fix-mispelling-of-extension-test-macro.patch \ - file://CVE-2023-6129.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e" +SRC_URI[sha256sum] = "83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39" inherit lib_package multilib_header multilib_script ptest perlnative manpages MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -189,6 +186,7 @@ PTEST_BUILD_HOST_PATTERN = "perl_version =" do_install_ptest () { install -d ${D}${PTEST_PATH}/test install -m755 ${B}/test/p_test.so ${D}${PTEST_PATH}/test + install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test install -m755 ${B}/test/provider_internal_test.cnf ${D}${PTEST_PATH}/test # Prune the build tree |
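Review bot: The added `install -m755 ${B}/test/p_minimal.so ${D}${PTEST_PATH}/test` line in the second hunk (do_install_ptest) carries no comment tying it to the test that needs it, so a later cleanup of the ptest install list could drop it and make 04-test_provider.t fail again. The commit message is currently the only place that records the reason. A one-line comment above the install would keep it in the recipe, for example `# p_minimal.so is needed by 04-test_provider.t (new test module in 3.2.1)`. do_install_ptest continues past the end of the hunk, so the rest of the install list is not visible here.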