From patchwork Mon Dec 20 18:05:58 2021
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 1744
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Subject: [PATCH v2 1/2] python3: backport a fix so the test suite passes with OpenSSL 3.0.1
Date: Mon, 20 Dec 2021 18:05:58 +0000
Message-Id: <20211220180559.880221-1-ross.burton@arm.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/159893

The test suite makes incorrect assumptions about OpenSSL versions post-3.0, so backport the fix for the test suite.
Signed-off-by: Ross Burton --- ...enSSL-version-check-for-3.0.1-GH-301.patch | 60 +++++++++++++++++++ .../recipes-devtools/python/python3_3.10.1.bb | 1 + 2 files changed, 61 insertions(+) create mode 100644 meta/recipes-devtools/python/python3/0001-bpo-46114-Fix-OpenSSL-version-check-for-3.0.1-GH-301.patch diff --git a/meta/recipes-devtools/python/python3/0001-bpo-46114-Fix-OpenSSL-version-check-for-3.0.1-GH-301.patch b/meta/recipes-devtools/python/python3/0001-bpo-46114-Fix-OpenSSL-version-check-for-3.0.1-GH-301.patch new file mode 100644 index 00000000000..6f4ceae1889 --- /dev/null +++ b/meta/recipes-devtools/python/python3/0001-bpo-46114-Fix-OpenSSL-version-check-for-3.0.1-GH-301.patch 
@@ -0,0 +1,60 @@ +Upstream-Status: Backport +Signed-off-by: Ross Burton + +From 251d2eadc7f5b4042245709f41c38169a284e146 Mon Sep 17 00:00:00 2001 +From: "Miss Islington (bot)" + <31488909+miss-islington@users.noreply.github.com> +Date: Fri, 17 Dec 2021 07:38:11 -0800 +Subject: [PATCH] bpo-46114: Fix OpenSSL version check for 3.0.1 (GH-30170) + +(cherry picked from commit 2985feac4e02d590bb78bcce9e30864be53280ac) + +Co-authored-by: Christian Heimes +--- + .github/workflows/build.yml | 2 +- + Lib/test/test_ssl.py | 6 +++++- + .../next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst | 1 + + Tools/ssl/multissltests.py | 2 +- + 4 files changed, 8 insertions(+), 3 deletions(-) + create mode 100644 Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst + +diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py +index a485f7d4c3..873db6403d 100644 +--- a/Lib/test/test_ssl.py ++++ b/Lib/test/test_ssl.py +@@ -539,7 +539,11 @@ def test_openssl_version(self): + self.assertLessEqual(status, 15) + + libressl_ver = f"LibreSSL {major:d}" +- openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}" ++ if major >= 3: ++ # 3.x uses 0xMNN00PP0L ++ openssl_ver = f"OpenSSL {major:d}.{minor:d}.{patch:d}" ++ else: ++ openssl_ver = f"OpenSSL {major:d}.{minor:d}.{fix:d}" + self.assertTrue( + s.startswith((openssl_ver, libressl_ver)), + (s, t, hex(n)) +diff --git a/Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst b/Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst +new file mode 100644 +index 0000000000..6878cea032 +--- /dev/null ++++ b/Misc/NEWS.d/next/Tests/2021-12-17-14-46-19.bpo-46114.9iyZ_9.rst +@@ -0,0 +1 @@ ++Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses ``0xMNN00PP0L``. 
+diff --git a/Tools/ssl/multissltests.py b/Tools/ssl/multissltests.py +index ba2663e9a3..8fe5b5d0c2 100755 +--- a/Tools/ssl/multissltests.py ++++ b/Tools/ssl/multissltests.py +@@ -48,7 +48,7 @@ + + OPENSSL_RECENT_VERSIONS = [ + "1.1.1l", +- "3.0.0" ++ "3.0.1" + ] + + LIBRESSL_OLD_VERSIONS = [ +-- +2.25.1 + diff --git a/meta/recipes-devtools/python/python3_3.10.1.bb b/meta/recipes-devtools/python/python3_3.10.1.bb index 6115ffe5b37..e7ae6871777 100644 --- a/meta/recipes-devtools/python/python3_3.10.1.bb +++ b/meta/recipes-devtools/python/python3_3.10.1.bb 
@@ -33,6 +33,7 @@ SRC_URI = "http://www.python.org/ftp/python/${PV}/Python-${PV}.tar.xz \ file://makerace.patch \ file://0001-sysconfig.py-use-platlibdir-also-for-purelib.patch \ file://0001-Lib-pty.py-handle-stdin-I-O-errors-same-way-as-maste.patch \ + file://0001-bpo-46114-Fix-OpenSSL-version-check-for-3.0.1-GH-301.patch \ " SRC_URI:append:class-native = " \
From patchwork Mon Dec 20 18:05:59 2021
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 1745
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Subject: [PATCH v2 2/2] openssl: upgrade to 3.0.1
Date: Mon, 20 Dec 2021 18:05:59 +0000
Message-Id: <20211220180559.880221-2-ross.burton@arm.com>
In-Reply-To: <20211220180559.880221-1-ross.burton@arm.com>
References: <20211220180559.880221-1-ross.burton@arm.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/159894

Major changes in 3.0.1:

* Fixed invalid handling of X509_verify_cert() internal errors in libssl ([CVE-2021-4044])
* Allow fetching an operation from the provider that owns an unexportable key as a fallback if that is still allowed by the property query.

Drop patches which were backported.

Add sed to openssl-ptest as the tests use 'sed -u', which isn't supported by busybox.

Ensure that we package the dummy async engine, needed by the test suite.

Signed-off-by: Ross Burton
--- ...-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch | 108 ------------------ .../openssl/openssl/armv8-32bit.patch | 29 ----- .../{openssl_3.0.0.bb => openssl_3.0.1.bb} | 20 ++-- 3 files changed, 9 insertions(+), 148 deletions(-) delete mode 100644 meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch delete mode 100644 meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch rename meta/recipes-connectivity/openssl/{openssl_3.0.0.bb => openssl_3.0.1.bb} (93%) diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch b/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch deleted file mode 100644 index b85a3ad7d22..00000000000 --- a/meta/recipes-connectivity/openssl/openssl/0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch +++ /dev/null
@@ -1,108 +0,0 @@ -Fix EVP_PKEY_CTX_get_rsa_pss_saltlen, and also disable the tests in non-default -context (required when backporting, not needed with 3.0.1). - -Upstream-Status: Backport -Signed-off-by: Ross Burton - -From 6b5c02f6173e5fd46a3685e676fcb5eee9ac43ea Mon Sep 17 00:00:00 2001 -From: Tom Cosgrove -Date: Thu, 25 Nov 2021 15:49:26 +0000 -Subject: [PATCH] Fix EVP_PKEY_CTX_get_rsa_pss_saltlen() not returning a value - -When an integer value was specified, it was not being passed back via -the orig_p2 weirdness. - -Regression test included. - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/17136) ---- - crypto/evp/ctrl_params_translate.c | 12 +++++++----- - test/evp_extra_test.c | 30 ++++++++++++++++++++++++++++++ - 2 files changed, 37 insertions(+), 5 deletions(-) - -diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index 88945e13e6..6638209a8d 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -1379,21 +1379,23 @@ static int fix_rsa_pss_saltlen(enum state state, - if ((ctx->action_type == SET && state == PRE_PARAMS_TO_CTRL) - || (ctx->action_type == GET && state == POST_CTRL_TO_PARAMS)) { - size_t i; -+ int val; - - for (i = 0; i < OSSL_NELEM(str_value_map); i++) { - if (strcmp(ctx->p2, str_value_map[i].ptr) == 0) - break; - } -- if (i == OSSL_NELEM(str_value_map)) { -- ctx->p1 = atoi(ctx->p2); -- } else if (state == POST_CTRL_TO_PARAMS) { -+ -+ val = i == OSSL_NELEM(str_value_map) ? 
atoi(ctx->p2) -+ : (int)str_value_map[i].id; -+ if (state == POST_CTRL_TO_PARAMS) { - /* - * EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN weirdness explained further - * up - */ -- *(int *)ctx->orig_p2 = str_value_map[i].id; -+ *(int *)ctx->orig_p2 = val; - } else { -- ctx->p1 = (int)str_value_map[i].id; -+ ctx->p1 = val; - } - ctx->p2 = NULL; - } -diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c -index 83f8902d24..9ad37a2bce 100644 ---- a/test/evp_extra_test.c -+++ b/test/evp_extra_test.c -@@ -3049,6 +3049,35 @@ static int test_EVP_rsa_pss_with_keygen_bits(void) - return ret; - } - -+static int test_EVP_rsa_pss_set_saltlen(void) -+{ -+ int ret = 0; -+ EVP_PKEY *pkey = NULL; -+ EVP_PKEY_CTX *pkey_ctx = NULL; -+ EVP_MD *sha256 = NULL; -+ EVP_MD_CTX *sha256_ctx = NULL; -+ int saltlen = 9999; /* buggy EVP_PKEY_CTX_get_rsa_pss_saltlen() didn't update this */ -+ const int test_value = 32; -+ -+ if (nullprov != NULL) -+ return TEST_skip("Test does not support a non-default library context"); -+ -+ ret = TEST_ptr(pkey = load_example_rsa_key()) -+ && TEST_ptr(sha256 = EVP_MD_fetch(testctx, "sha256", NULL)) -+ && TEST_ptr(sha256_ctx = EVP_MD_CTX_new()) -+ && TEST_true(EVP_DigestSignInit(sha256_ctx, &pkey_ctx, sha256, NULL, pkey)) -+ && TEST_true(EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING)) -+ && TEST_true(EVP_PKEY_CTX_set_rsa_pss_saltlen(pkey_ctx, test_value)) -+ && TEST_true(EVP_PKEY_CTX_get_rsa_pss_saltlen(pkey_ctx, &saltlen)) -+ && TEST_int_eq(saltlen, test_value); -+ -+ EVP_MD_CTX_free(sha256_ctx); -+ EVP_PKEY_free(pkey); -+ EVP_MD_free(sha256); -+ -+ return ret; -+} -+ - static int success = 1; - static void md_names(const char *name, void *vctx) - { -@@ -3966,6 +3995,7 @@ int setup_tests(void) - ADD_ALL_TESTS(test_evp_iv_des, 6); - #endif - ADD_TEST(test_EVP_rsa_pss_with_keygen_bits); -+ ADD_TEST(test_EVP_rsa_pss_set_saltlen); - #ifndef OPENSSL_NO_EC - ADD_ALL_TESTS(test_ecpub, OSSL_NELEM(ecpub_nids)); - #endif --- -2.25.1 - 
diff --git a/meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch b/meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch deleted file mode 100644 index 1935651be05..00000000000 --- a/meta/recipes-connectivity/openssl/openssl/armv8-32bit.patch +++ /dev/null @@ -1,29 +0,0 @@ -Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/16951] -Signed-off-by: Ross Burton - -From 5118e96a3dbedde2523e7726fa34af30923a9add Mon Sep 17 00:00:00 2001 -From: Tom Cosgrove -Date: Tue, 2 Nov 2021 15:26:21 +0000 -Subject: [PATCH] Fix builds on Armv8 systems without AArch64 - -This fixes "undefined reference to `aes_gcm_dec_128_kernel' in function -`armv8_aes_gcm_decrypt'" and similar - -Fixes #16949 ---- - include/crypto/aes_platform.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h -index 015c3bd4ab91..e95ad5aa5de6 100644 ---- a/include/crypto/aes_platform.h -+++ b/include/crypto/aes_platform.h -@@ -100,7 +100,7 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len, - # define AES_PMULL_CAPABLE ((OPENSSL_armcap_P & ARMV8_PMULL) && (OPENSSL_armcap_P & ARMV8_AES)) - # define AES_GCM_ENC_BYTES 512 - # define AES_GCM_DEC_BYTES 512 --# if __ARM_MAX_ARCH__>=8 -+# if __ARM_MAX_ARCH__>=8 && defined(__aarch64__) - # define AES_gcm_encrypt armv8_aes_gcm_encrypt - # define AES_gcm_decrypt armv8_aes_gcm_decrypt - # define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_v8_ctr32_encrypt_blocks && \ diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb similarity index 93% rename from meta/recipes-connectivity/openssl/openssl_3.0.0.bb rename to meta/recipes-connectivity/openssl/openssl_3.0.1.bb index da73ed6bc33..162435480c4 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.0.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb 
@@ -12,15 +12,13 @@ SRC_URI = "http://www.openssl.org/source/openssl-${PV}.tar.gz \ file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \ file://afalg.patch \ file://0001-Configure-do-not-tweak-mips-cflags.patch \ - file://armv8-32bit.patch \ - file://0001-Fix-EVP_PKEY_CTX_get_rsa_pss_saltlen-no.patch \ " SRC_URI:append:class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "59eedfcb46c25214c9bd37ed6078297b4df01d012267fe9e9eee31f61bc70536" +SRC_URI[sha256sum] = "c311ad853353bce796edad01a862c50a8a587f62e7e2100ef465ab53ec9b06d1" inherit lib_package multilib_header multilib_script ptest perlnative MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" @@ -194,21 +192,21 @@ do_install_ptest () { install -m755 ${B}/apps/CA.pl ${D}${PTEST_PATH}/apps install -d ${D}${PTEST_PATH}/engines - install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/dasync.so ${D}${PTEST_PATH}/engines install -m755 ${B}/engines/loader_attic.so ${D}${PTEST_PATH}/engines + install -m755 ${B}/engines/ossltest.so ${D}${PTEST_PATH}/engines install -d ${D}${PTEST_PATH}/providers install -m755 ${B}/providers/legacy.so ${D}${PTEST_PATH}/providers - install -d ${D}${PTEST_PATH}/Configurations - cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/ + install -d ${D}${PTEST_PATH}/Configurations + cp -rf ${S}/Configurations/* ${D}${PTEST_PATH}/Configurations/ - # seems to be needed with perl 5.32.1 - install -d ${D}${PTEST_PATH}/util/perl/recipes - cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ + # seems to be needed with perl 5.32.1 + install -d ${D}${PTEST_PATH}/util/perl/recipes + cp ${D}${PTEST_PATH}/test/recipes/tconversion.pl ${D}${PTEST_PATH}/util/perl/recipes/ sed 's|${S}|${PTEST_PATH}|g' -i ${D}${PTEST_PATH}/util/wrap.pl - } # Add the openssl.cnf file to the openssl-conf package. Make the libcrypto 
@@ -234,7 +232,7 @@ CONFFILES:openssl-conf = "${sysconfdir}/ssl/openssl.cnf" RRECOMMENDS:libcrypto += "openssl-conf" RDEPENDS:${PN}-misc = "perl" -RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash" +RDEPENDS:${PN}-ptest += "openssl-bin perl perl-modules bash sed" RDEPENDS:${PN}-bin += "openssl-conf"
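
Review bot: In patch 1/2, the header of the new 0001-bpo-46114-Fix-OpenSSL-version-check-for-3.0.1-GH-301.patch still carries the upstream diffstat with `.github/workflows/build.yml | 2 +-` and "4 files changed", but the body contains diffs only for Lib/test/test_ssl.py, the Misc/NEWS.d entry and Tools/ssl/multissltests.py. If the workflow change was dropped on purpose, say so next to `Upstream-Status: Backport`, and consider putting the upstream commit reference in brackets after that tag, in the bracketed form the removed armv8-32bit.patch uses for its pull request, so the provenance of the backport can be checked.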
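
Review bot: In patch 2/2, the deleted armv8-32bit.patch is tagged `Upstream-Status: Submitted [https://github.com/openssl/openssl/pull/16951]`, not Backport, while the commit message justifies both removals with "Drop patches which were backported". Confirm that the `__ARM_MAX_ARCH__>=8 && defined(__aarch64__)` guard in include/crypto/aes_platform.h is present in the 3.0.1 tarball and state that in the commit message; otherwise 32-bit Armv8 builds return to the undefined-reference link failure the removed patch describes.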
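
Review bot: In the SRC_URI hunk of openssl_3.0.1.bb, the context line still fetches the tarball over plain `http://www.openssl.org/source/openssl-${PV}.tar.gz`, so the updated `SRC_URI[sha256sum]` value is the only integrity control on the download. Note in the commit message how the new digest was checked (for example against the checksum or signature published upstream), and consider switching the URL to https in the same change.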
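
Review bot: In the do_install_ptest hunk, the removed and added lines for the Configurations and util/perl/recipes steps read identically here, so they appear to be whitespace-only re-indentation, and the blank line before the closing brace is dropped; the commit message mentions neither. Either split the re-indentation into its own commit or mention it, so that the functional change in this hunk, installing `${B}/engines/dasync.so`, stands out in review.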
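
Review bot: The `sed` added to `RDEPENDS:${PN}-ptest` in the last hunk is explained only in the commit message. A one-line comment above the assignment, saying that the tests call 'sed -u' and busybox sed does not support it, would keep the dependency from being pruned in a later cleanup.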
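
The version-layout assumption that patch 1/2 corrects in the Python test suite, shown as an added example (not code from CPython, OpenSSL or OpenEmbedded). The function names and the three sample version numbers are constructed here from the `0xMNN00PP0L` layout quoted in the patch and the pre-3.0 `0xMNNFFPPS` layout; the example also goes one step further than the patch by comparing releases across both layouts, which is what a check for the 3.0.1 fix level needs.

```python
# Added example: constants below are constructed from the two layouts,
# not read from a live OpenSSL build.
OPENSSL_1_1_1L = 0x101010CF   # pre-3.0 layout 0xMNNFFPPS
OPENSSL_3_0_0 = 0x30000000    # 3.x layout 0xMNN00PP0
OPENSSL_3_0_1 = 0x30000010


def split_fields(n):
    """Split the number into the five fields of the pre-3.0 layout."""
    return (
        (n >> 28) & 0xF,    # M  major
        (n >> 20) & 0xFF,   # NN minor
        (n >> 12) & 0xFF,   # FF fix (always 00 in the 3.x layout)
        (n >> 4) & 0xFF,    # PP patch
        n & 0xF,            # S  status
    )


def naive_version(n):
    """The assumption the old test made: third component is always 'fix'."""
    major, minor, fix, _patch, _status = split_fields(n)
    return f"{major}.{minor}.{fix}"


def version_string(n):
    """Layout-aware rendering, matching the branch on major >= 3."""
    major, minor, fix, patch, _status = split_fields(n)
    if major >= 3:
        return f"{major}.{minor}.{patch}"
    if patch > 26:
        raise ValueError("multi-letter patch suffixes are not handled here")
    letter = chr(ord("a") + patch - 1) if patch else ""
    return f"{major}.{minor}.{fix}{letter}"


def release_key(n):
    """Comparable key so 1.1.1l < 3.0.0 < 3.0.1 regardless of layout."""
    major, minor, fix, patch, _status = split_fields(n)
    return (major, minor, patch, 0) if major >= 3 else (major, minor, fix, patch)


def at_least(n, minimum):
    """True when version number n is the same release as minimum or newer."""
    return release_key(n) >= release_key(minimum)
```

With the naive rendering, a 3.0.1 library is reported as 3.0.0, which is the mismatch the backported test fix removes.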