On Fri, Jun 21, 2024 at 3:03 AM Clément Péron via lists.openembedded.org <[email protected]> wrote: > > Hi, > > I got an issue with riscv32 > > | crypto/riscv32cpuid.s:77: Error: symbol `riscv_vlen_asm' is already > defined 6703 > > It seems that it's due to OE that is applying a patch that has been > upstreameder > > https://github.com/openssl/openssl/commit/8702320db98d1346c230aff1282ade3ecdca681a >
Good catch. yes we backported it as 0001-Implement-riscv_vlen_asm-for-riscv32.patch it should be removed along with this upgrade. > On Tue, 4 Jun 2024 at 22:37, Peter Marko via lists.openembedded.org > <[email protected]> wrote: > > > > From: Peter Marko <[email protected]> > > > > Handles CVE-2024-4741 > > > > Removed included backports. > > > > Release information: > > https://github.com/openssl/openssl/blob/openssl-3.3/NEWS.md#major-changes-between-openssl-330-and-openssl-331-4-jun-2024 > > > > Signed-off-by: Peter Marko <[email protected]> > > --- > > .../openssl/openssl/CVE-2024-4603.patch | 179 ------------------ > > .../openssl/openssl/bti.patch | 58 ------ > > .../{openssl_3.3.0.bb => openssl_3.3.1.bb} | 4 +- > > 3 files changed, 1 insertion(+), 240 deletions(-) > > delete mode 100644 > > meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch > > delete mode 100644 meta/recipes-connectivity/openssl/openssl/bti.patch > > rename meta/recipes-connectivity/openssl/{openssl_3.3.0.bb => > > openssl_3.3.1.bb} (98%) > > > > diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch > > b/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch > > deleted file mode 100644 > > index cdc3d0d503..0000000000 > > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2024-4603.patch > > +++ /dev/null > > @@ -1,179 +0,0 @@ > > -From 53ea06486d296b890d565fb971b2764fcd826e7e Mon Sep 17 00:00:00 2001 > > -From: Tomas Mraz <[email protected]> > > -Date: Wed, 8 May 2024 15:23:45 +0200 > > -Subject: [PATCH] Check DSA parameters for excessive sizes before validating > > - > > -This avoids overly long computation of various validation > > -checks. > > - > > -Fixes CVE-2024-4603 > > - > > -Reviewed-by: Paul Dale <[email protected]> > > -Reviewed-by: Matt Caswell <[email protected]> > > -Reviewed-by: Neil Horman <[email protected]> > > -Reviewed-by: Shane Lontis <[email protected]> > > -(Merged from https://github.com/openssl/openssl/pull/24346) > > - > > -(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) > > - > > -<dropped CHANGES.md modifications as it would need backport of all > > previous changes> > > - > > -CVE: CVE-2024-4603 > > -Upstream-Status: Backport > > [https://github.com/openssl/openssl/commit/53ea06486d296b890d565fb971b2764fcd826e7e] > > -Signed-off-by: Peter Marko <[email protected]> > > ---- > > - crypto/dsa/dsa_check.c | 44 ++++++++++++-- > > - .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ > > - 2 files changed, 97 insertions(+), 4 deletions(-) > > - > > -diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c > > -index 7b6d7df88f..e1375dfad9 100644 > > ---- a/crypto/dsa/dsa_check.c > > -+++ b/crypto/dsa/dsa_check.c > > -@@ -19,8 +19,34 @@ > > - #include "dsa_local.h" > > - #include "crypto/dsa.h" > > - > > -+static int dsa_precheck_params(const DSA *dsa, int *ret) > > -+{ > > -+ if (dsa->params.p == NULL || dsa->params.q == NULL) { > > -+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); > > -+ *ret = FFC_CHECK_INVALID_PQ; > > -+ return 0; > > -+ } > > -+ > > -+ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { > > -+ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); > > -+ *ret = FFC_CHECK_INVALID_PQ; > > -+ return 0; > > -+ } > > -+ > > -+ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { > > -+ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); > > -+ *ret = FFC_CHECK_INVALID_PQ; > > -+ return 0; > > -+ } > > -+ > > -+ return 1; > > -+} > > -+ > > - int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) > > - { > > -+ if (!dsa_precheck_params(dsa, ret)) > > -+ return 0; > > -+ > > - if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) > > - return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, > > - FFC_PARAM_TYPE_DSA, ret); > > -@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa, int checktype, > > int *ret) > > - */ > > - int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int > > *ret) > > - { > > -+ if (!dsa_precheck_params(dsa, ret)) > > -+ return 0; > > -+ > > - return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) > > - && *ret == 0; > > - } > > -@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM > > *pub_key, int *ret) > > - */ > > - int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, > > int *ret) > > - { > > -+ if (!dsa_precheck_params(dsa, ret)) > > -+ return 0; > > -+ > > - return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, > > ret) > > - && *ret == 0; > > - } > > -@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *dsa, const > > BIGNUM *priv_key, int *ret) > > - { > > - *ret = 0; > > - > > -- return (dsa->params.q != NULL > > -- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, > > ret)); > > -+ if (!dsa_precheck_params(dsa, ret)) > > -+ return 0; > > -+ > > -+ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret); > > - } > > - > > - /* > > -@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *dsa) > > - BN_CTX *ctx = NULL; > > - BIGNUM *pub_key = NULL; > > - > > -- if (dsa->params.p == NULL > > -- || dsa->params.g == NULL > > -+ if (!dsa_precheck_params(dsa, &ret)) > > -+ return 0; > > -+ > > -+ if (dsa->params.g == NULL > > - || dsa->priv_key == NULL > > - || dsa->pub_key == NULL) > > - return 0; > > -diff --git > > a/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem > > b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem > > -new file mode 100644 > > -index 0000000000..e85e2953b7 > > ---- /dev/null > > -+++ b/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem > > -@@ -0,0 +1,57 @@ > > -+-----BEGIN DSA PARAMETERS----- > > -+MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja > > -+p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil > > -+XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF > > -+x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk > > -+oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW > > -+dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb > > -+Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O > > -+pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ > > -+P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5 > > -+hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2 > > -+UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB > > -+koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN > > -+TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl > > -+RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ > > -+4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg > > -+c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG > > -+cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE > > -+DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN > > -+Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2 > > -+rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8 > > -+PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd > > -+UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW > > -+5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9 > > -+wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7 > > -+R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s > > -+xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs > > -+0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN > > -+uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy > > -+9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx > > -+TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36 > > -+gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2 > > -+ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B > > -+R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8 > > -+F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W > > -+SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl > > -++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX > > -+UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq > > -+fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX > > -+qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot > > -+B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK > > -+hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco > > -+4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD > > -+vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3 > > -+k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy > > -+i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct > > -+9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+ > > -+ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd > > -+Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG > > -+KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E > > -+x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk > > -+XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF > > -+YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d > > -+ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa > > -+4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D > > -+vKuje86bePD6kD/LH3wmkA== > > -+-----END DSA PARAMETERS----- > > --- > > -2.30.2 > > - > > diff --git a/meta/recipes-connectivity/openssl/openssl/bti.patch > > b/meta/recipes-connectivity/openssl/openssl/bti.patch > > deleted file mode 100644 > > index 748576c30c..0000000000 > > --- a/meta/recipes-connectivity/openssl/openssl/bti.patch > > +++ /dev/null > > @@ -1,58 +0,0 @@ > > -From ba8a599395f8b770c76316b5f5b0f3838567014f Mon Sep 17 00:00:00 2001 > > -From: Tom Cosgrove <[email protected]> > > -Date: Tue, 26 Mar 2024 13:18:00 +0000 > > -Subject: [PATCH] aarch64: fix BTI in bsaes assembly code > > - > > -In Arm systems where BTI is enabled but the Crypto extensions are not (more > > -likely in FVPs than in real hardware), the bit-sliced assembler code will > > -be used. However, this wasn't annotated with BTI instructions when BTI was > > -enabled, so the moment libssl jumps into this code it (correctly) aborts. > > - > > -Solve this by adding the missing BTI landing pads. > > - > > -Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/23982] > > -Signed-off-by: Ross Burton <[email protected]> > > ---- > > - crypto/aes/asm/bsaes-armv8.pl | 5 ++++- > > - 1 file changed, 4 insertions(+), 1 deletion(-) > > - > > -diff --git a/crypto/aes/asm/bsaes-armv8.pl b/crypto/aes/asm/bsaes-armv8.pl > > -index b3c97e439f..c3c5ff3e05 100644 > > ---- a/crypto/aes/asm/bsaes-armv8.pl > > -+++ b/crypto/aes/asm/bsaes-armv8.pl > > -@@ -1018,6 +1018,7 @@ _bsaes_key_convert: > > - // Initialisation vector overwritten with last quadword of ciphertext > > - // No output registers, usual AAPCS64 register preservation > > - ossl_bsaes_cbc_encrypt: > > -+ AARCH64_VALID_CALL_TARGET > > - cmp x2, #128 > > - bhs .Lcbc_do_bsaes > > - b AES_cbc_encrypt > > -@@ -1270,7 +1271,7 @@ ossl_bsaes_cbc_encrypt: > > - // Output text filled in > > - // No output registers, usual AAPCS64 register preservation > > - ossl_bsaes_ctr32_encrypt_blocks: > > -- > > -+ AARCH64_VALID_CALL_TARGET > > - cmp x2, #8 // use plain AES for > > - blo .Lctr_enc_short // small sizes > > - > > -@@ -1476,6 +1477,7 @@ ossl_bsaes_ctr32_encrypt_blocks: > > - // Output ciphertext filled in > > - // No output registers, usual AAPCS64 register preservation > > - ossl_bsaes_xts_encrypt: > > -+ AARCH64_VALID_CALL_TARGET > > - // Stack layout: > > - // sp -> > > - // nrounds*128-96 bytes: key schedule > > -@@ -1921,6 +1923,7 @@ ossl_bsaes_xts_encrypt: > > - // Output plaintext filled in > > - // No output registers, usual AAPCS64 register preservation > > - ossl_bsaes_xts_decrypt: > > -+ AARCH64_VALID_CALL_TARGET > > - // Stack layout: > > - // sp -> > > - // nrounds*128-96 bytes: key schedule > > --- > > -2.34.1 > > - > > diff --git a/meta/recipes-connectivity/openssl/openssl_3.3.0.bb > > b/meta/recipes-connectivity/openssl/openssl_3.3.1.bb > > similarity index 98% > > rename from meta/recipes-connectivity/openssl/openssl_3.3.0.bb > > rename to meta/recipes-connectivity/openssl/openssl_3.3.1.bb > > index a361185b65..a8746842b2 100644 > > --- a/meta/recipes-connectivity/openssl/openssl_3.3.0.bb > > +++ b/meta/recipes-connectivity/openssl/openssl_3.3.1.bb > > @@ -13,15 +13,13 @@ SRC_URI = > > "http://www.openssl.org/source/openssl-${PV}.tar.gz \ > > file://0001-Configure-do-not-tweak-mips-cflags.patch \ > > > > file://0001-Added-handshake-history-reporting-when-test-fails.patch \ > > file://0001-Implement-riscv_vlen_asm-for-riscv32.patch \ > > - file://bti.patch \ > > - file://CVE-2024-4603.patch \ > > " > > > > SRC_URI:append:class-nativesdk = " \ > > file://environment.d-openssl.sh \ > > " > > > > -SRC_URI[sha256sum] = > > "53e66b043322a606abf0087e7699a0e033a37fa13feb9742df35c3a33b18fb02" > > +SRC_URI[sha256sum] = > > "777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e" > > > > inherit lib_package multilib_header multilib_script ptest perlnative > > manpages > > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > > -- > > 2.30.2 > > > > > > > > > > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201029): https://lists.openembedded.org/g/openembedded-core/message/201029 Mute This Topic: https://lists.openembedded.org/mt/106490812/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
