package/libopenssl: security bump to version 3.2.1

And drop the now upstreamed patches. Fixes the following (low severity) issues: - CVE-2023-6129 POLY1305 MAC implementation corrupts vector registers on PowerPC https://www.openssl.org/news/secadv/20240109.txt - CVE-2023-6237 Excessive time spent checking invalid RSA public keys https://www.openssl.org/news/secadv/20240115.txt - CVE-2024-0727 PKCS12 Decoding crashes https://www.openssl.org/news/secadv/20240125.txt Signed-off-by: Peter Korsgaard <peter@korsgaard.com> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2024-02-08 12:12:13 +01:00 · 2024-02-08 12:12:13 +01:00 · ce4d278739
commit ce4d278739
parent 16eec25142
5 changed files with 3 additions and 197 deletions
--- a/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
+++ b/package/libopenssl/0004-riscv-Fix-mispelling-of-extension-test-macro.patch
@ -1,30 +0,0 @@
-From 68c549df05892c16b99603b9a831c79c540f268c Mon Sep 17 00:00:00 2001
-From: Grant Nichol <me@grantnichol.com>
-Date: Fri, 22 Dec 2023 23:46:39 -0600
-Subject: [PATCH] riscv: Fix mispelling of extension test macro
-
-When refactoring the riscv extension test macros,
-RISCV_HAS_ZKND_AND_ZKNE was mispelled.
-
-Upstream: https://github.com/openssl/openssl/pull/23139
-Signed-off-by: Grant Nichol <me@grantnichol.com>
---
- providers/implementations/ciphers/cipher_aes_xts_hw.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/providers/implementations/ciphers/cipher_aes_xts_hw.c b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-index b35b71020e..65adc47d1f 100644
--- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-@@ -285,7 +285,7 @@ static const PROV_CIPHER_HW aes_xts_rv32i_zbkb_zknd_zkne = {                   \
- # define PROV_CIPHER_HW_select_xts()                                           \
- if (RISCV_HAS_ZBKB_AND_ZKND_AND_ZKNE())                                        \
-     return &aes_xts_rv32i_zbkb_zknd_zkne;                                      \
-if (RISCV_HAS_ZKND_ZKNE())                                                     \
-+if (RISCV_HAS_ZKND_AND_ZKNE())                                                     \
-     return &aes_xts_rv32i_zknd_zkne;
- # else
- /* The generic case */
--
-2.43.0
-
--- a/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
+++ b/package/libopenssl/0005-Fix-genstr-genconf-option-in-asn1parse.patch
@ -1,42 +0,0 @@
-From 749fcc0e3ce796474a15d6fac221e57daeacff1e Mon Sep 17 00:00:00 2001
-From: Neil Horman <nhorman@openssl.org>
-Date: Tue, 5 Dec 2023 14:50:01 -0500
-Subject: [PATCH] Fix genstr/genconf option in asn1parse
-
-At some point the asn1parse applet was changed to default the inform to
-PEM, and defalt input file to stdin.  Doing so broke the -genstr|conf options,
-in that, before we attempt to generate an ASN1 block from the provided
-genstr string, we attempt to read a PEM input from stdin.  As a result,
-this command:
-openssl asn1parse -genstr OID:1.2.3.4
-hangs because we are attempting a blocking read on stdin, waiting for
-data that never arrives
-
-Fix it by giving priority to genstr|genconf, such that, if set, will just run
-do_generate on that string and exit
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22957)
-Upstream: https://github.com/openssl/openssl/commit/749fcc0e3ce796474a15d6fac221e57daeacff1e
-Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
---
- apps/asn1parse.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/apps/asn1parse.c b/apps/asn1parse.c
-index 097b0cc1ed..6597a6180b 100644
--- a/apps/asn1parse.c
-+++ b/apps/asn1parse.c
-@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
- 
-     if ((buf = BUF_MEM_new()) == NULL)
-         goto end;
-    if (informat == FORMAT_PEM) {
-+    if (genstr == NULL && informat == FORMAT_PEM) {
-         if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
-             BIO_printf(bio_err, "Error reading PEM file\n");
-             ERR_print_errors(bio_err);
-- 
-2.40.0
-
--- a/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
+++ b/package/libopenssl/0006-Harden-asn1-oid-loader-to-invalid-inputs.patch
@ -1,122 +0,0 @@
-From a552c23c6502592c1b3c67d93dd7e5ffbe958aa4 Mon Sep 17 00:00:00 2001
-From: Neil Horman <nhorman@openssl.org>
-Date: Tue, 5 Dec 2023 15:24:20 -0500
-Subject: [PATCH] Harden asn1 oid loader to invalid inputs
-
-In the event that a config file contains this sequence:
-=======
-openssl_conf = openssl_init
-
-config_diagnostics = 1
-
-[openssl_init]
-oid_section = oids
-
-[oids]
-testoid1 = 1.2.3.4.1
-testoid2 = A Very Long OID Name, 1.2.3.4.2
-testoid3 = ,1.2.3.4.3
-======
-
-The leading comma in testoid3 can cause a heap buffer overflow, as the
-parsing code will move the string pointer back 1 character, thereby
-pointing to an invalid memory space
-
-correct the parser to detect this condition and handle it by treating it
-as if the comma doesn't exist (i.e. an empty long oid name)
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/22957)
-Upstream: https://github.com/openssl/openssl/commit/a552c23c6502592c1b3c67d93dd7e5ffbe958aa4
-Signed-off-by: Martin Kurbanov <mmkurbanov@salutedevices.com>
---
- apps/asn1parse.c                  |  2 +-
- crypto/asn1/asn_moid.c            |  4 ++++
- test/recipes/04-test_asn1_parse.t | 26 ++++++++++++++++++++++++++
- test/test_asn1_parse.cnf          | 12 ++++++++++++
- 4 files changed, 43 insertions(+), 1 deletion(-)
- create mode 100644 test/recipes/04-test_asn1_parse.t
- create mode 100644 test/test_asn1_parse.cnf
-
-diff --git a/apps/asn1parse.c b/apps/asn1parse.c
-index 6597a6180b..bf62f85947 100644
--- a/apps/asn1parse.c
-+++ b/apps/asn1parse.c
-@@ -178,7 +178,7 @@ int asn1parse_main(int argc, char **argv)
- 
-     if ((buf = BUF_MEM_new()) == NULL)
-         goto end;
-    if (genstr == NULL && informat == FORMAT_PEM) {
-+    if (genconf == NULL && genstr == NULL && informat == FORMAT_PEM) {
-         if (PEM_read_bio(in, &name, &header, &str, &num) != 1) {
-             BIO_printf(bio_err, "Error reading PEM file\n");
-             ERR_print_errors(bio_err);
-diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c
-index 6f816307af..1e183f4f18 100644
--- a/crypto/asn1/asn_moid.c
-+++ b/crypto/asn1/asn_moid.c
-@@ -67,6 +67,10 @@ static int do_create(const char *value, const char *name)
-     if (p == NULL) {
-         ln = name;
-         ostr = value;
-+    } else if (p == value) {
-+        /* we started with a leading comma */
-+        ln = name;
-+        ostr = p + 1;
-     } else {
-         ln = value;
-         ostr = p + 1;
-diff --git a/test/recipes/04-test_asn1_parse.t b/test/recipes/04-test_asn1_parse.t
-new file mode 100644
-index 0000000000..f3af436592
--- /dev/null
-+++ b/test/recipes/04-test_asn1_parse.t
-@@ -0,0 +1,26 @@
-+#! /usr/bin/env perl
-+# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License").  You may not use
-+# this file except in compliance with the License.  You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use OpenSSL::Test qw(:DEFAULT srctop_file);
-+use OpenSSL::Test::Utils;
-+
-+setup("test_asn1_parse");
-+
-+plan tests => 3;
-+
-+$ENV{OPENSSL_CONF} = srctop_file("test", "test_asn1_parse.cnf");
-+
-+ok(run(app(([ 'openssl', 'asn1parse',
-+              '-genstr', 'OID:1.2.3.4.1']))));
-+
-+ok(run(app(([ 'openssl', 'asn1parse',
-+              '-genstr', 'OID:1.2.3.4.2']))));
-+
-+ok(run(app(([ 'openssl', 'asn1parse',
-+              '-genstr', 'OID:1.2.3.4.3']))));
-diff --git a/test/test_asn1_parse.cnf b/test/test_asn1_parse.cnf
-new file mode 100644
-index 0000000000..5f0305657e
--- /dev/null
-+++ b/test/test_asn1_parse.cnf
-@@ -0,0 +1,12 @@
-+openssl_conf = openssl_init
-+
-+# Comment out the next line to ignore configuration errors
-+config_diagnostics = 1
-+
-+[openssl_init]
-+oid_section = oids
-+
-+[oids]
-+testoid1 = 1.2.3.4.1
-+testoid2 = A Very Long OID Name, 1.2.3.4.2
-+testoid3 = ,1.2.3.4.3
-- 
-2.40.0
-
--- a/package/libopenssl/libopenssl.hash
+++ b/package/libopenssl/libopenssl.hash
@ -1,5 +1,5 @@
-# From https://www.openssl.org/source/openssl-3.2.0.tar.gz.sha256
-sha256  14c826f07c7e433706fb5c69fa9e25dab95684844b4c962a2cf1bf183eb4690e  openssl-3.2.0.tar.gz
+# From https://www.openssl.org/source/openssl-3.2.1.tar.gz.sha256
+sha256  83c7329fe52c850677d75e5d0b0ca245309b97e8ecbcfdc1dfdc4ab9fac35b39  openssl-3.2.1.tar.gz

 # License files
 sha256  7d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7a  LICENSE.txt
--- a/package/libopenssl/libopenssl.mk
+++ b/package/libopenssl/libopenssl.mk
@ -4,7 +4,7 @@
 #
 ################################################################################

-LIBOPENSSL_VERSION = 3.2.0
+LIBOPENSSL_VERSION = 3.2.1
 LIBOPENSSL_SITE = https://www.openssl.org/source
 LIBOPENSSL_SOURCE = openssl-$(LIBOPENSSL_VERSION).tar.gz
 LIBOPENSSL_LICENSE = Apache-2.0