mirror of
https://git.yoctoproject.org/poky
synced 2026-04-17 00:32:13 +02:00
openssl: upgrade to 3.0.1
Major changes in 3.0.1:
* Fixed invalid handling of X509_verify_cert() internal errors in libssl
([CVE-2021-4044])
* Allow fetching an operation from the provider that owns an unexportable key
as a fallback if that is still allowed by the property query.
Drop patches which were backported.
Add sed to openssl-ptest as the tests use 'sed -u', which isn't supported
by busybox.
Ensure that we package the dummy async engine, needed by the test suite.
(From OE-Core rev: 5cd40648b0ba88cd9905800e748ae98f08c10ac7)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ross Burton
committed by
Richard Purdie
Richard Purdie
parent
06b027b928
commit
42298b2978
@@ -1,108 +0,0 @@
|
||||
Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default
|
||||
context (required when backporting, not needed with 3.0.1).
|
||||
|
||||
Upstream-Status: Backport
|
||||
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
||||
|
||||
From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001
|
||||
From: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||
Date: Thu, 25 Nov 2021 15:49:26 +0000
|
||||
Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value
|
||||
|
||||
When an integer value was specified, it was not being passed back via
|
||||
the orig_p2 weirdness.
|
||||
|
||||
Regression test included.
|
||||
|
||||
Reviewed-by: Tomas Mraz <tomas@openssl.org>
|
||||
Reviewed-by: Paul Dale <pauli@openssl.org>
|
||||
(Merged from https://github.com/openssl/openssl/pull/17136)
|
||||
---
|
||||
crypto/evp/ctrl_params_translate.c | 12 +++++++-----
|
||||
test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++
|
||||
2 files changed, 37 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
|
||||
index 88945e13e6..6638209a8d 100644
|
||||
--- a/crypto/evp/ctrl_params_translate.c
|
||||
+++ b/crypto/evp/ctrl_params_translate.c
|
||||
@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state,
|
||||
if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL)
|
||||
|| (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) {
|
||||
size_t i;
|
||||
+ int val;
|
||||
|
||||
for (i = 0; i < OSSL_NELEM(str_value_map); i++) {
|
||||
if (strcmp(ctx->p2, str_value_map[i].ptr) == 0)
|
||||
break;
|
||||
}
|
||||
- if (i == OSSL_NELEM(str_value_map)) {
|
||||
- ctx->p1 = atoi(ctx->p2);
|
||||
- } else if (state == POST_CTRL_TO_PARAMS) {
|
||||
+
|
||||
+ val = i == OSSL_NELEM(str_value_map) ? atoi(ctx->p2)
|
||||
+ : (int)str_value_map[i].id;
|
||||
+ if (state == POST_CTRL_TO_PARAMS) {
|
||||
/*
|
||||
* EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further
|
||||
* up
|
||||
*/
|
||||
- *(int *)ctx->orig_p2 = str_value_map[i].id;
|
||||
+ *(int *)ctx->orig_p2 = val;
|
||||
} else {
|
||||
- ctx->p1 = (int)str_value_map[i].id;
|
||||
+ ctx->p1 = val;
|
||||
}
|
||||
ctx->p2 = NULL;
|
||||
}
|
||||
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
|
||||
index 83f8902d24..9ad37a2bce 100644
|
||||
--- a/test/evp_extra_test.c
|
||||
+++ b/test/evp_extra_test.c
|
||||
@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static int test_EVP_rsa_pss_set_saltlen(void)
|
||||
+{
|
||||
+ int ret = 0;
|
||||
+ EVP_PKEY *pkey = NULL;
|
||||
+ EVP_PKEY_CTX *pkey_ctx = NULL;
|
||||
+ EVP_MD *sha256 = NULL;
|
||||
+ EVP_MD_CTX *sha256_ctx = NULL;
|
||||
+ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */
|
||||
+ const int test_value = 32;
|
||||
+
|
||||
+ if (nullprov != NULL)
|
||||
+ return TEST_skip("Test does not support a non-default library context");
|
||||
+
|
||||
+ ret = TEST_ptr(pkey = load_example_rsa_key())
|
||||
+ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL))
|
||||
+ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new())
|
||||
+ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey))
|
||||
+ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
|
||||
+ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value))
|
||||
+ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen))
|
||||
+ && TEST_int_eq(saltlen, test_value);
|
||||
+
|
||||
+ EVP_MD_CTX_free(sha256_ctx);
|
||||
+ EVP_PKEY_free(pkey);
|
||||
+ EVP_MD_free(sha256);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
static int success = 1;
|
||||
static void md_names(const char *name, void *vctx)
|
||||
{
|
||||
@@ -3966,6 +3995,7 @@ int setup_tests(void)
|
||||
ADD_ALL_TESTS(test_evp_iv_des, 6);
|
||||
#endif
|
||||
ADD_TEST(test_EVP_rsa_pss_with_keygen_bits);
|
||||
+ ADD_TEST(test_EVP_rsa_pss_set_saltlen);
|
||||
#ifndef OPENSSL_NO_EC
|
||||
ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids));
|
||||
#endif
|
||||
--
|
||||
2.25.1
|
||||
|
||||
@@ -1,29 +0,0 @@
|
||||
Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/16951]
|
||||
Signed-off-by: Ross Burton <ross.burton@arm.com>
|
||||
|
||||
From 5118e96a3dbedde2523e7726fa34af30923a9add Mon Sep 17 00:00:00 2001
|
||||
From: Tom Cosgrove <tom.cosgrove@arm.com>
|
||||
Date: Tue, 2 Nov 2021 15:26:21 +0000
|
||||
Subject: [PATCH] Fix builds on Armv8 systems without AArch64
|
||||
|
||||
This fixes "undefined reference to `aes_gcm_dec_128_kernel' in function
|
||||
`armv8_aes_gcm_decrypt'" and similar
|
||||
|
||||
Fixes #16949
|
||||
---
|
||||
include/crypto/aes_platform.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
|
||||
index 015c3bd4ab91..e95ad5aa5de6 100644
|
||||
--- a/include/crypto/aes_platform.h
|
||||
+++ b/include/crypto/aes_platform.h
|
||||
@@ -100,7 +100,7 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
|
||||
# define AES_PMULL_CAPABLE ((OPENSSL_armcap_P & ARMV8_PMULL) && (OPENSSL_armcap_P & ARMV8_AES))
|
||||
# define AES_GCM_ENC_BYTES 512
|
||||
# define AES_GCM_DEC_BYTES 512
|
||||
-# if __ARM_MAX_ARCH__>=8
|
||||
+# if __ARM_MAX_ARCH__>=8 && defined(__aarch64__)
|
||||
# define AES_gcm_encrypt armv8_aes_gcm_encrypt
|
||||
# define AES_gcm_decrypt armv8_aes_gcm_decrypt
|
||||
# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_v8_ctr32_encrypt_blocks && \
|
||||
@@ -12,15 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
|
||||
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
|
||||
file://afalg.patch \
|
||||
file://0001-Configure-do-not-tweak-mips-cflags.patch \
|
||||
file://armv8-32bit.patch \
|
||||
file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \
|
||||
"
|
||||
|
||||
SRC_URI:append:class-nativesdk = " \
|
||||
file://environment.d-openssl.sh \
|
||||
"
|
||||
|
||||
SRC_URI[sha256sum] = "59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536"
|
||||
SRC_URI[sha256sum] = "c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1"
|
||||
|
||||
inherit lib_package multilib_header multilib_script ptest perlnative
|
||||
MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
|
||||
@@ -194,21 +192,21 @@ do_install_ptest () {
|
||||
install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps
|
||||
|
||||
install -d ${D}${PTEST_PATH}/engines
|
||||
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
|
||||
install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines
|
||||
install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines
|
||||
install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines
|
||||
|
||||
install -d ${D}${PTEST_PATH}/providers
|
||||
install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers
|
||||
|
||||
install -d ${D}${PTEST_PATH}/Configurations
|
||||
cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
|
||||
install -d ${D}${PTEST_PATH}/Configurations
|
||||
cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/
|
||||
|
||||
# seems to be needed with perl 5.32.1
|
||||
install -d ${D}${PTEST_PATH}/util/perl/recipes
|
||||
cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
|
||||
# seems to be needed with perl 5.32.1
|
||||
install -d ${D}${PTEST_PATH}/util/perl/recipes
|
||||
cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/
|
||||
|
||||
sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl
|
||||
|
||||
}
|
||||
|
||||
# Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
|
||||
@@ -234,7 +232,7 @@ CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf"
|
||||
|
||||
RRECOMMENDS:libcrypto += "openssl-conf"
|
||||
RDEPENDS:${PN}-misc = "perl"
|
||||
RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash"
|
||||
RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed"
|
||||
|
||||
RDEPENDS:${PN}-bin += "openssl-conf"
|
||||
|
||||
Reference in New Issue
Block a user