new file mode 100644
@@ -0,0 +1,71 @@
+From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 28 Feb 2022 18:26:21 +0100
+Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
+
+The calculation in some cases does not finish for non-prime p.
+
+This fixes CVE-2022-0778.
+
+Based on patch by David Benjamin <davidben@google.com>.
+
+Reviewed-by: Paul Dale <pauli@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+
+Upstream-Status: Backport [https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=3118eb64934499d93db3230748a452351d1d9a65]
+CVE: CVE-2022-0778
+Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
+
+---
+ crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
+ 1 file changed, 18 insertions(+), 12 deletions(-)
+
+diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
+index 1723d5ded5a8..53b0f559855c 100644
+--- a/crypto/bn/bn_sqrt.c
++++ b/crypto/bn/bn_sqrt.c
+@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ /*
+ * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
+ * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
+- * Theory", algorithm 1.5.1). 'p' must be prime!
++ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
++ * an incorrect "result" will be returned.
+ */
+ {
+ BIGNUM *ret = in;
+@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
+ goto vrfy;
+ }
+
+- /* find smallest i such that b^(2^i) = 1 */
+- i = 1;
+- if (!BN_mod_sqr(t, b, p, ctx))
+- goto end;
+- while (!BN_is_one(t)) {
+- i++;
+- if (i == e) {
+- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+- goto end;
++ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
++ for (i = 1; i < e; i++) {
++ if (i == 1) {
++ if (!BN_mod_sqr(t, b, p, ctx))
++ goto end;
++
++ } else {
++ if (!BN_mod_mul(t, t, t, p, ctx))
++ goto end;
+ }
+- if (!BN_mod_mul(t, t, t, p, ctx))
+- goto end;
++ if (BN_is_one(t))
++ break;
++ }
++ /* If not found, a is not a square or p is not prime. */
++ if (i >= e) {
++ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
++ goto end;
+ }
+
+ /* t := y^2^(e - i - 1) */
@@ -19,6 +19,7 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \
file://reproducible.patch \
file://reproducibility.patch \
file://CVE-2021-4160.patch \
+ file://CVE-2022-0778.patch \
"
SRC_URI_append_class-nativesdk = " \
* Fixed a bug in the BN_mod_sqrt() function that can cause it to loop foreverfor non-prime moduli ([CVE-2022-0778]) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> --- .../openssl/openssl/CVE-2022-0778.patch | 71 +++++++++++++++++++ .../openssl/openssl_1.1.1l.bb | 1 + 2 files changed, 72 insertions(+) create mode 100644 meta/recipes-connectivity/openssl/openssl/CVE-2022-0778.patch