!311 master 分支升级到3.0.12版本

From: @hzero1996 Reviewed-by: @zcfsite Signed-off-by: @zcfsite
2024-02-05 02:26:52 +00:00 · 2024-02-05 02:26:52 +00:00 · 900d34179e
commit 900d34179e
parent a36eeb879f 37adfb905c
16 changed files with 564 additions and 467 deletions
--- a/Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch
+++ b/Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch
@ -0,0 +1,123 @@
 From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 19 Jan 2024 11:28:58 +0000
 Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL
 PKCS12 structures contain PKCS7 ContentInfo fields. These fields are
 optional and can be NULL even if the "type" is a valid value. OpenSSL
 was not properly accounting for this and a NULL dereference can occur
 causing a crash.
 CVE-2024-0727
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23362)
 (cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c)
 ---
 crypto/pkcs12/p12_add.c  | 18 ++++++++++++++++++
 crypto/pkcs12/p12_mutl.c |  5 +++++
 crypto/pkcs12/p12_npas.c |  5 +++--
 crypto/pkcs7/pk7_mime.c  |  7 +++++--
 4 files changed, 31 insertions(+), 4 deletions(-)
 diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
 index 6fd4184af5..80ce31b3bc 100644
 --- a/crypto/pkcs12/p12_add.c
 +++ b/crypto/pkcs12/p12_add.c
@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7)
         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
         return NULL;
     }
 +
 +    if (p7->d.data == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS));
 }
@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass,
 {
     if (!PKCS7_type_is_encrypted(p7))
         return NULL;
 +
 +    if (p7->d.encrypted == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm,
                                    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
                                    pass, passlen,
@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12)
         ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA);
         return NULL;
     }
 +
 +    if (p12->authsafes->d.data == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return NULL;
 +    }
 +
     p7s = ASN1_item_unpack(p12->authsafes->d.data,
                            ASN1_ITEM_rptr(PKCS12_AUTHSAFES));
     if (p7s != NULL) {
 diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
 index 67a885a45f..68ff54d0e9 100644
 --- a/crypto/pkcs12/p12_mutl.c
 +++ b/crypto/pkcs12/p12_mutl.c
@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
         return 0;
     }
 +    if (p12->authsafes->d.data == NULL) {
 +        ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR);
 +        return 0;
 +    }
 +
     salt = p12->mac->salt->data;
     saltlen = p12->mac->salt->length;
     if (p12->mac->iter == NULL)
 diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c
 index 62230bc618..1e5b549599 100644
 --- a/crypto/pkcs12/p12_npas.c
 +++ b/crypto/pkcs12/p12_npas.c
@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass)
             bags = PKCS12_unpack_p7data(p7);
         } else if (bagnid == NID_pkcs7_encrypted) {
             bags = PKCS12_unpack_p7encdata(p7, oldpass, -1);
 -            if (!alg_get(p7->d.encrypted->enc_data->algorithm,
 -                         &pbe_nid, &pbe_iter, &pbe_saltlen))
 +            if (p7->d.encrypted == NULL
 +                    || !alg_get(p7->d.encrypted->enc_data->algorithm,
 +                                &pbe_nid, &pbe_iter, &pbe_saltlen))
                 goto err;
         } else {
             continue;
 diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c
 index 49a0da5f81..8228315eea 100644
 --- a/crypto/pkcs7/pk7_mime.c
 +++ b/crypto/pkcs7/pk7_mime.c
@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags)
     int ctype_nid = OBJ_obj2nid(p7->type);
     const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
 -    if (ctype_nid == NID_pkcs7_signed)
 +    if (ctype_nid == NID_pkcs7_signed) {
 +        if (p7->d.sign == NULL)
 +            return 0;
         mdalgs = p7->d.sign->md_algs;
 -    else
 +    } else {
         mdalgs = NULL;
 +    }
     flags ^= SMIME_OLDMIME;
 -- 
 2.36.1
--- a/Backport-Limit-the-execution-time-of-RSA-public-key-check.patch
+++ b/Backport-Limit-the-execution-time-of-RSA-public-key-check.patch
@ -0,0 +1,125 @@
 From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Fri, 22 Dec 2023 16:25:56 +0100
 Subject: [PATCH] Limit the execution time of RSA public key check
 Fixes CVE-2023-6237
 If a large and incorrect RSA public key is checked with
 EVP_PKEY_public_check() the computation could take very long time
 due to no limit being applied to the RSA public key size and
 unnecessarily high number of Miller-Rabin algorithm rounds
 used for non-primality check of the modulus.
 Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS)
 will fail the check with RSA_R_MODULUS_TOO_LARGE error reason.
 Also the number of Miller-Rabin rounds was set to 5.
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23243)
 (cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db)
 ---
 crypto/rsa/rsa_sp800_56b_check.c              |  8 +++-
 test/recipes/91-test_pkey_check.t             |  2 +-
 .../91-test_pkey_check_data/rsapub_17k.pem    | 48 +++++++++++++++++++
 3 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem
 diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
 index fc8f19b487..bcbdd24fb8 100644
 --- a/crypto/rsa/rsa_sp800_56b_check.c
 +++ b/crypto/rsa/rsa_sp800_56b_check.c
@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
         return 0;
     nbits = BN_num_bits(rsa->n);
 +    if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE);
 +        return 0;
 +    }
 +
 #ifdef FIPS_MODULE
     /*
      * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1)
@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa)
         goto err;
     }
 -    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status);
 +    /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */
 +    ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status);
 #ifdef FIPS_MODULE
     if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) {
 #else
 diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
 index dc7cc64533..f8088df14d 100644
 --- a/test/recipes/91-test_pkey_check.t
 +++ b/test/recipes/91-test_pkey_check.t
@@ -70,7 +70,7 @@ push(@positive_tests, (
     "dhpkey.pem"
     )) unless disabled("dh");
 -my @negative_pubtests = ();
 +my @negative_pubtests = ("rsapub_17k.pem");  # Too big RSA public key
 push(@negative_pubtests, (
     "dsapub_noparam.der"
 diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
 new file mode 100644
 index 0000000000..9a2eaedaf1
 --- /dev/null
 +++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem
@@ -0,0 +1,48 @@
 +-----BEGIN PUBLIC KEY-----
 +MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR
 +B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph
 +gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2
 +GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/
 +XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj
 +b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2
 +gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq
 +TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1
 +vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0
 +V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j
 +/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH
 +SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa
 +PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y
 +Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu
 +C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J
 +xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo
 +F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id
 +aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB
 +nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi
 +R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7
 +kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN
 +mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux
 +AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O
 +f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi
 +ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH
 +UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx
 +wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP
 +fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4
 +y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS
 +Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL
 +HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ
 +eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ
 +EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz
 +chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq
 +4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW
 +gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC
 +A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK
 +FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys
 +26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC
 +xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J
 +pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+
 +k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa
 +2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q
 +Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb
 +77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID
 +AQAB
 +-----END PUBLIC KEY-----
 -- 
 2.36.1
--- a/Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
+++ b/Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
@ -0,0 +1,177 @@
 From db925ae2e65d0d925adef429afc37f75bd1c2017 Mon Sep 17 00:00:00 2001
 From: Richard Levitte <levitte@openssl.org>
 Date: Fri, 20 Oct 2023 09:18:19 +0200
 Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet
 We already check for an excessively large P in DH_generate_key(), but not in
 DH_check_pub_key(), and none of them check for an excessively large Q.
 This change adds all the missing excessive size checks of P and Q.
 It's to be noted that behaviours surrounding excessively sized P and Q
 differ.  DH_check() raises an error on the excessively sized P, but only
 sets a flag for the excessively sized Q.  This behaviour is mimicked in
 DH_check_pub_key().
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/22518)
 (cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6)
 ---
 crypto/dh/dh_check.c    | 12 ++++++++++++
 crypto/dh/dh_err.c      |  3 ++-
 crypto/dh/dh_key.c      | 12 ++++++++++++
 crypto/err/openssl.txt  |  1 +
 include/crypto/dherr.h  |  2 +-
 include/openssl/dh.h    |  6 +++---
 include/openssl/dherr.h |  3 ++-
 7 files changed, 33 insertions(+), 6 deletions(-)
 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
 index 7ba2beae7f..e20eb62081 100644
 --- a/crypto/dh/dh_check.c
 +++ b/crypto/dh/dh_check.c
@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key)
  */
 int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
 {
 +    /* Don't do any checks at all with an excessively large modulus */
 +    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
 +        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID;
 +        return 0;
 +    }
 +
 +    if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) {
 +        *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;
 +        return 1;
 +    }
 +
     return ossl_ffc_validate_public_key(&dh->params, pub_key, ret);
 }
 diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c
 index 4152397426..f76ac0dd14 100644
 --- a/crypto/dh/dh_err.c
 +++ b/crypto/dh/dh_err.c
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = {
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR),
     "parameter encoding error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"},
 +    {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"},
     {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR),
     "unable to check generator"},
 diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
 index d84ea99241..afc49f5cdc 100644
 --- a/crypto/dh/dh_key.c
 +++ b/crypto/dh/dh_key.c
@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh)
         goto err;
     }
 +    if (dh->params.q != NULL
 +        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
 +        goto err;
 +    }
 +
     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
         return 0;
@@ -267,6 +273,12 @@ static int generate_key(DH *dh)
         return 0;
     }
 +    if (dh->params.q != NULL
 +        && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE);
 +        return 0;
 +    }
 +
     if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL);
         return 0;
 diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
 index e51504b7ab..36de321b74 100644
 --- a/crypto/err/openssl.txt
 +++ b/crypto/err/openssl.txt
@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set
 DH_R_NO_PRIVATE_VALUE:100:no private value
 DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error
 DH_R_PEER_KEY_ERROR:111:peer key error
 +DH_R_Q_TOO_LARGE:130:q too large
 DH_R_SHARED_INFO_ERROR:113:shared info error
 DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator
 DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters
 diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h
 index bb24d131eb..519327f795 100644
 --- a/include/crypto/dherr.h
 +++ b/include/crypto/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
 diff --git a/include/openssl/dh.h b/include/openssl/dh.h
 index 6533260f20..50e0cf54be 100644
 --- a/include/openssl/dh.h
 +++ b/include/openssl/dh.h
@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams)
 #   define DH_GENERATOR_3          3
 #   define DH_GENERATOR_5          5
 -/* DH_check error codes */
 +/* DH_check error codes, some of them shared with DH_check_pub_key */
 /*
  * NB: These values must align with the equivalently named macros in
  * internal/ffc.h.
@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams)
 #   define DH_UNABLE_TO_CHECK_GENERATOR    0x04
 #   define DH_NOT_SUITABLE_GENERATOR       0x08
 #   define DH_CHECK_Q_NOT_PRIME            0x10
 -#   define DH_CHECK_INVALID_Q_VALUE        0x20
 +#   define DH_CHECK_INVALID_Q_VALUE        0x20 /* +DH_check_pub_key */
 #   define DH_CHECK_INVALID_J_VALUE        0x40
 #   define DH_MODULUS_TOO_SMALL            0x80
 -#   define DH_MODULUS_TOO_LARGE            0x100
 +#   define DH_MODULUS_TOO_LARGE            0x100 /* +DH_check_pub_key */
 /* DH_check_pub_key error codes */
 #   define DH_CHECK_PUBKEY_TOO_SMALL       0x01
 diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h
 index 5d2a762a96..074a70145f 100644
 --- a/include/openssl/dherr.h
 +++ b/include/openssl/dherr.h
@@ -1,6 +1,6 @@
 /*
  * Generated by util/mkerr.pl DO NOT EDIT
 - * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
 + * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -50,6 +50,7 @@
 #  define DH_R_NO_PRIVATE_VALUE                            100
 #  define DH_R_PARAMETER_ENCODING_ERROR                    105
 #  define DH_R_PEER_KEY_ERROR                              111
 +#  define DH_R_Q_TOO_LARGE                                 130
 #  define DH_R_SHARED_INFO_ERROR                           113
 #  define DH_R_UNABLE_TO_CHECK_GENERATOR                   121
 -- 
 2.36.1
--- a/Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch
+++ b/Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch
@ -0,0 +1,112 @@
 From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001
 From: Rohan McLure <rmclure@linux.ibm.com>
 Date: Thu, 4 Jan 2024 10:25:50 +0100
 Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering
 Fixes CVE-2023-6129
 The POLY1305 MAC (message authentication code) implementation in OpenSSL for
 PowerPC CPUs saves the the contents of vector registers in different order
 than they are restored. Thus the contents of some of these vector registers
 is corrupted when returning to the caller. The vulnerable code is used only
 on newer PowerPC processors supporting the PowerISA 2.07 instructions.
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Richard Levitte <levitte@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/23200)
 (cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f)
 ---
 crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++---------------
 1 file changed, 21 insertions(+), 21 deletions(-)
 diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl
 index 9f86134d92..2e601bb9c2 100755
 --- a/crypto/poly1305/asm/poly1305-ppc.pl
 +++ b/crypto/poly1305/asm/poly1305-ppc.pl
@@ -744,7 +744,7 @@ ___
 my $LOCALS= 6*$SIZE_T;
 my $VSXFRAME = $LOCALS + 6*$SIZE_T;
    $VSXFRAME += 128;	# local variables
 -   $VSXFRAME += 13*16;	# v20-v31 offload
 +   $VSXFRAME += 12*16;	# v20-v31 offload
 my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0;
@@ -919,12 +919,12 @@ __poly1305_blocks_vsx:
 	addi	r11,r11,32
 	stvx	v22,r10,$sp
 	addi	r10,r10,32
 -	stvx	v23,r10,$sp
 -	addi	r10,r10,32
 -	stvx	v24,r11,$sp
 +	stvx	v23,r11,$sp
 	addi	r11,r11,32
 -	stvx	v25,r10,$sp
 +	stvx	v24,r10,$sp
 	addi	r10,r10,32
 +	stvx	v25,r11,$sp
 +	addi	r11,r11,32
 	stvx	v26,r10,$sp
 	addi	r10,r10,32
 	stvx	v27,r11,$sp
@@ -1153,12 +1153,12 @@ __poly1305_blocks_vsx:
 	addi	r11,r11,32
 	stvx	v22,r10,$sp
 	addi	r10,r10,32
 -	stvx	v23,r10,$sp
 -	addi	r10,r10,32
 -	stvx	v24,r11,$sp
 +	stvx	v23,r11,$sp
 	addi	r11,r11,32
 -	stvx	v25,r10,$sp
 +	stvx	v24,r10,$sp
 	addi	r10,r10,32
 +	stvx	v25,r11,$sp
 +	addi	r11,r11,32
 	stvx	v26,r10,$sp
 	addi	r10,r10,32
 	stvx	v27,r11,$sp
@@ -1899,26 +1899,26 @@ Ldone_vsx:
 	mtspr	256,r12				# restore vrsave
 	lvx	v20,r10,$sp
 	addi	r10,r10,32
 -	lvx	v21,r10,$sp
 -	addi	r10,r10,32
 -	lvx	v22,r11,$sp
 +	lvx	v21,r11,$sp
 	addi	r11,r11,32
 -	lvx	v23,r10,$sp
 +	lvx	v22,r10,$sp
 	addi	r10,r10,32
 -	lvx	v24,r11,$sp
 +	lvx	v23,r11,$sp
 	addi	r11,r11,32
 -	lvx	v25,r10,$sp
 +	lvx	v24,r10,$sp
 	addi	r10,r10,32
 -	lvx	v26,r11,$sp
 +	lvx	v25,r11,$sp
 	addi	r11,r11,32
 -	lvx	v27,r10,$sp
 +	lvx	v26,r10,$sp
 	addi	r10,r10,32
 -	lvx	v28,r11,$sp
 +	lvx	v27,r11,$sp
 	addi	r11,r11,32
 -	lvx	v29,r10,$sp
 +	lvx	v28,r10,$sp
 	addi	r10,r10,32
 -	lvx	v30,r11,$sp
 -	lvx	v31,r10,$sp
 +	lvx	v29,r11,$sp
 +	addi	r11,r11,32
 +	lvx	v30,r10,$sp
 +	lvx	v31,r11,$sp
 	$POP	r27,`$VSXFRAME-$SIZE_T*5`($sp)
 	$POP	r28,`$VSXFRAME-$SIZE_T*4`($sp)
 	$POP	r29,`$VSXFRAME-$SIZE_T*3`($sp)
 -- 
 2.36.1
--- a/Feature-support-SM2-CMS-signature.patch
+++ b/Feature-support-SM2-CMS-signature.patch
@ -10,7 +10,7 @@ Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
 2 files changed, 4 insertions(+), 1 deletion(-)
 diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
-index 34c021b..093b41c 100644
+index 2093657..083edd2 100644
 --- a/crypto/cms/cms_sd.c
 +++ b/crypto/cms/cms_sd.c
@@ -232,7 +232,7 @@ static int cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd)
@ -19,9 +19,9 @@ index 34c021b..093b41c 100644
 -    if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC"))
 +    if (EVP_PKEY_is_a(pkey, "DSA") || EVP_PKEY_is_a(pkey, "EC") || EVP_PKEY_is_a(pkey, "SM2"))
-         return ossl_cms_ecdsa_dsa_sign(si, cmd);
+         return ossl_cms_ecdsa_dsa_sign(si, cmd) > 0;
     else if (EVP_PKEY_is_a(pkey, "RSA") || EVP_PKEY_is_a(pkey, "RSA-PSS"))
-         return ossl_cms_rsa_sign(si, cmd);
+         return ossl_cms_rsa_sign(si, cmd) > 0;
 diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
 index f6acb5b..9567bb0 100644
 --- a/crypto/evp/p_lib.c
--- a/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch
+++ b/backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch
@ -1,36 +0,0 @@
 From a8da305fa3dd6e34ba5aab3978281f652fd12883 Mon Sep 17 00:00:00 2001
 From: yangyangtiantianlonglong <yangtianlong1224@163.com>
 Date: Mon, 31 Jul 2023 07:04:41 -0700
 Subject: [PATCH] A null pointer dereference occurs when memory allocation
 fails
 Fixes #21605
 Reviewed-by: Hugo Landau <hlandau@openssl.org>
 Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21606)
 ---
 ssl/ssl_sess.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
 index cda6b7cc5b..2a5d21be79 100644
 --- a/ssl/ssl_sess.c
 +++ b/ssl/ssl_sess.c
@@ -139,8 +139,11 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
     dest->references = 1;
     dest->lock = CRYPTO_THREAD_lock_new();
 -    if (dest->lock == NULL)
 +    if (dest->lock == NULL) {
 +        OPENSSL_free(dest);
 +        dest = NULL;
         goto err;
 +    }
     if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, dest, &dest->ex_data))
         goto err;
 -- 
 2.27.0
--- a/backport-Add-a-test-for-CVE-2023-3446.patch
+++ b/backport-Add-a-test-for-CVE-2023-3446.patch
@ -1,63 +0,0 @@
 From 8a62fd996cb1c22383ec75b4155d54dec4a1b0ee Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 7 Jul 2023 14:39:48 +0100
 Subject: [PATCH] Add a test for CVE-2023-3446
 Confirm that the only errors DH_check() finds with DH parameters with an
 excessively long modulus is that the modulus is too large. We should not
 be performing time consuming checks using that modulus.
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21451)
 (cherry picked from commit ede782b4c8868d1f09c9cd237f82b6f35b7dba8b)
 ---
 test/dhtest.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
 diff --git a/test/dhtest.c b/test/dhtest.c
 index 7b587f3cfa..f8dd8f3aa7 100644
 --- a/test/dhtest.c
 +++ b/test/dhtest.c
@@ -73,7 +73,7 @@ static int dh_test(void)
         goto err1;
     /* check fails, because p is way too small */
 -    if (!DH_check(dh, &i))
 +    if (!TEST_true(DH_check(dh, &i)))
         goto err2;
     i ^= DH_MODULUS_TOO_SMALL;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
@@ -124,6 +124,17 @@ static int dh_test(void)
     /* We'll have a stale error on the queue from the above test so clear it */
     ERR_clear_error();
 +    /* Modulus of size: dh check max modulus bits + 1 */
 +    if (!TEST_true(BN_set_word(p, 1))
 +            || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
 +        goto err3;
 +
 +    /*
 +     * We expect no checks at all for an excessively large modulus
 +     */
 +    if (!TEST_false(DH_check(dh, &i)))
 +        goto err3;
 +
     /*
      * II) key generation
      */
@@ -138,7 +149,7 @@ static int dh_test(void)
         goto err3;
     /* ... and check whether it is valid */
 -    if (!DH_check(a, &i))
 +    if (!TEST_true(DH_check(a, &i)))
         goto err3;
     if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
             || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
 -- 
 2.27.0
--- a/backport-Add-testcases-for-empty-associated-data-entries-with.patch
+++ b/backport-Add-testcases-for-empty-associated-data-entries-with.patch
@ -1,66 +0,0 @@
 From 96318a8d21bed334d78797eca5b32790775d5f05 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Tue, 4 Jul 2023 17:50:37 +0200
 Subject: [PATCH] Add testcases for empty associated data entries with AES-SIV
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21384)
 (cherry picked from commit 3993bb0c0c87e3ed0ab4274e4688aa814e164cfc)
 ---
 .../30-test_evp_data/evpciph_aes_siv.txt      | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 diff --git a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
 index a78a49158d..e434f13f41 100644
 --- a/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
 +++ b/test/recipes/30-test_evp_data/evpciph_aes_siv.txt
@@ -20,6 +20,19 @@ Tag = 85632d07c6e8f37f950acd320a2ecc93
 Plaintext =  112233445566778899aabbccddee
 Ciphertext = 40c02b9690c4dc04daef7f6afe5c
 +Cipher = aes-128-siv
 +Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 +Tag = f1c5fdeac1f15a26779c1501f9fb7588
 +Plaintext =  112233445566778899aabbccddee
 +Ciphertext = 27e946c669088ab06da58c5c831c
 +
 +Cipher = aes-128-siv
 +Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff
 +AAD =
 +Tag = d1022f5b3664e5a4dfaf90f85be6f28a
 +Plaintext =  112233445566778899aabbccddee
 +Ciphertext = b66cff6b8eca0b79f083b39a0901
 +
 Cipher = aes-128-siv
 Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
 AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
@@ -29,6 +42,24 @@ Tag = 7bdb6e3b432667eb06f4d14bff2fbd0f
 Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
 Ciphertext = cb900f2fddbe404326601965c889bf17dba77ceb094fa663b7a3f748ba8af829ea64ad544a272e9c485b62a3fd5c0d
 +Cipher = aes-128-siv
 +Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
 +AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
 +AAD =
 +AAD = 09f911029d74e35bd84156c5635688c0
 +Tag = 83ce6593a8fa67eb6fcd2819cedfc011
 +Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
 +Ciphertext = 30d937b42f71f71f93fc2d8d702d3eac8dc7651eefcd81120081ff29d626f97f3de17f2969b691c91b69b652bf3a6d
 +
 +Cipher = aes-128-siv
 +Key = 7f7e7d7c7b7a79787776757473727170404142434445464748494a4b4c4d4e4f
 +AAD =
 +AAD = 00112233445566778899aabbccddeeffdeaddadadeaddadaffeeddccbbaa99887766554433221100
 +AAD = 09f911029d74e35bd84156c5635688c0
 +Tag = 77dd4a44f5a6b41302121ee7f378de25
 +Plaintext =  7468697320697320736f6d6520706c61696e7465787420746f20656e6372797074207573696e67205349562d414553
 +Ciphertext = 0fcd664c922464c88939d71fad7aefb864e501b0848a07d39201c1067a7288f3dadf0131a823a0bc3d588e8564a5fe
 +
 Cipher = aes-192-siv
 Key = fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0f0f1f2f3f4f5f6f7f8f9fafbfcfdfefffffefdfcfbfaf9f8f7f6f5f4f3f2f1f0
 AAD = 101112131415161718191a1b1c1d1e1f2021222324252627
 -- 
 2.27.0
--- a/backport-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch
+++ b/backport-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch
@ -1,61 +0,0 @@
 From 9002fd07327a91f35ba6c1307e71fa6fd4409b7f Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Tue, 25 Jul 2023 15:22:48 +0200
 Subject: [PATCH] DH_check(): Do not try checking q properties if it is
 obviously invalid
 If  |q| >= |p| then the q value is obviously wrong as q
 is supposed to be a prime divisor of p-1.
 We check if p is overly large so this added test implies that
 q is not large either when performing subsequent tests using that
 q value.
 Otherwise if it is too large these additional checks of the q value
 such as the primality test can then trigger DoS by doing overly long
 computations.
 Fixes CVE-2023-3817
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
 Reviewed-by: Todd Short <todd.short@me.com>
 (Merged from https://github.com/openssl/openssl/pull/21550)
 (cherry picked from commit 1c16253f3c3a8d1e25918c3f404aae6a5b0893de)
 (cherry picked from commit 6a1eb62c29db6cb5eec707f9338aee00f44e26f5)
 ---
 crypto/dh/dh_check.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
 index aef6f9b1b7..fbe2797569 100644
 --- a/crypto/dh/dh_check.c
 +++ b/crypto/dh/dh_check.c
@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
 #ifdef FIPS_MODULE
     return DH_check_params(dh, ret);
 #else
 -    int ok = 0, r;
 +    int ok = 0, r, q_good = 0;
     BN_CTX *ctx = NULL;
     BIGNUM *t1 = NULL, *t2 = NULL;
     int nid = DH_get_nid((DH *)dh);
@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
         goto err;
     if (dh->params.q != NULL) {
 +        if (BN_ucmp(dh->params.p, dh->params.q) > 0)
 +            q_good = 1;
 +        else
 +            *ret |= DH_CHECK_INVALID_Q_VALUE;
 +    }
 +
 +    if (q_good) {
         if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
             *ret |= DH_NOT_SUITABLE_GENERATOR;
         else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
 -- 
 2.27.0
--- a/backport-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch
+++ b/backport-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch
@ -1,57 +0,0 @@
 From 00e2f5eea29994d19293ec4e8c8775ba73678598 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Tue, 4 Jul 2023 17:30:35 +0200
 Subject: [PATCH] Do not ignore empty associated data with AES-SIV mode
 The AES-SIV mode allows for multiple associated data items
 authenticated separately with any of these being 0 length.
 The provided implementation ignores such empty associated data
 which is incorrect in regards to the RFC 5297 and is also
 a security issue because such empty associated data then become
 unauthenticated if an application expects to authenticate them.
 Fixes CVE-2023-2975
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21384)
 (cherry picked from commit c426c281cfc23ab182f7d7d7a35229e7db1494d9)
 ---
 .../implementations/ciphers/cipher_aes_siv.c   | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
 diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
 index 45010b90db..b396c8651a 100644
 --- a/providers/implementations/ciphers/cipher_aes_siv.c
 +++ b/providers/implementations/ciphers/cipher_aes_siv.c
@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
     if (!ossl_prov_is_running())
         return 0;
 -    if (inl == 0) {
 -        *outl = 0;
 -        return 1;
 -    }
 +    /* Ignore just empty encryption/decryption call and not AAD. */
 +    if (out != NULL) {
 +        if (inl == 0) {
 +            if (outl != NULL)
 +                *outl = 0;
 +            return 1;
 +        }
 -    if (outsize < inl) {
 -        ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
 -        return 0;
 +        if (outsize < inl) {
 +            ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
 +            return 0;
 +        }
     }
     if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
 -- 
 2.27.0
--- a/backport-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
+++ b/backport-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
@ -1,74 +0,0 @@
 From 1fa20cf2f506113c761777127a38bce5068740eb Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Thu, 6 Jul 2023 16:36:35 +0100
 Subject: [PATCH] Fix DH_check() excessive time with over sized modulus
 The DH_check() function checks numerous aspects of the key or parameters
 that have been supplied. Some of those checks use the supplied modulus
 value even if it is excessively large.
 There is already a maximum DH modulus size (10,000 bits) over which
 OpenSSL will not generate or derive keys. DH_check() will however still
 perform various tests for validity on such a large modulus. We introduce a
 new maximum (32,768) over which DH_check() will just fail.
 An application that calls DH_check() and supplies a key or parameters
 obtained from an untrusted source could be vulnerable to a Denial of
 Service attack.
 The function DH_check() is itself called by a number of other OpenSSL
 functions. An application calling any of those other functions may
 similarly be affected. The other functions affected by this are
 DH_check_ex() and EVP_PKEY_param_check().
 CVE-2023-3446
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21451)
 (cherry picked from commit 9e0094e2aa1b3428a12d5095132f133c078d3c3d)
 ---
 crypto/dh/dh_check.c | 6 ++++++
 include/openssl/dh.h | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
 index 0b391910d6..84a926998e 100644
 --- a/crypto/dh/dh_check.c
 +++ b/crypto/dh/dh_check.c
@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
     if (nid != NID_undef)
         return 1;
 +    /* Don't do any checks at all with an excessively large modulus */
 +    if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
 +        ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
 +        return 0;
 +    }
 +
     if (!DH_check_params(dh, ret))
         return 0;
 diff --git a/include/openssl/dh.h b/include/openssl/dh.h
 index b97871eca7..36420f51d8 100644
 --- a/include/openssl/dh.h
 +++ b/include/openssl/dh.h
@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
 #  include <openssl/dherr.h>
 #  ifndef OPENSSL_DH_MAX_MODULUS_BITS
 -#   define OPENSSL_DH_MAX_MODULUS_BITS    10000
 +#   define OPENSSL_DH_MAX_MODULUS_BITS        10000
 +#  endif
 +
 +#  ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
 +#   define OPENSSL_DH_CHECK_MAX_MODULUS_BITS  32768
 #  endif
 #  define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
 -- 
 2.27.0
--- a/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch
+++ b/backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch
@ -1,39 +0,0 @@
 From e648db50d9a63f71cab5cb78424c2932d019a744 Mon Sep 17 00:00:00 2001
 From: Bernd Edlinger <bernd.edlinger@hotmail.de>
 Date: Sun, 23 Jul 2023 14:27:54 +0200
 Subject: [PATCH] Make DH_check set some error bits in recently added error
 The pre-existing error cases where DH_check returned zero
 are not related to the dh params in any way, but are only
 triggered by out-of-memory errors, therefore having *ret
 set to zero feels right, but since the new error case is
 triggered by too large p values that is something different.
 On the other hand some callers of this function might not
 be prepared to handle the return value correctly but only
 rely on *ret. Therefore we set some error bits in *ret as
 additional safety measure.
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/21524)
 (cherry picked from commit 81d10e61a4b7d5394d08a718bf7d6bae20e818fc)
 ---
 crypto/dh/dh_check.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
 index 84a926998e..aef6f9b1b7 100644
 --- a/crypto/dh/dh_check.c
 +++ b/crypto/dh/dh_check.c
@@ -155,6 +155,7 @@ int DH_check(const DH *dh, int *ret)
     /* Don't do any checks at all with an excessively large modulus */
     if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
         ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
 +        *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME;
         return 0;
     }
 -- 
 2.27.0
--- a/backport-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch
+++ b/backport-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch
@ -1,53 +0,0 @@
 From 2255f6c74e6c8b702adcf352b04c5d3e6c759745 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Tue, 25 Jul 2023 15:23:43 +0200
 Subject: [PATCH] dhtest.c: Add test of DH_check() with q = p + 1
 This must fail with DH_CHECK_INVALID_Q_VALUE and
 with DH_CHECK_Q_NOT_PRIME unset.
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Paul Dale <pauli@openssl.org>
 Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
 Reviewed-by: Todd Short <todd.short@me.com>
 (Merged from https://github.com/openssl/openssl/pull/21550)
 (cherry picked from commit ad5d35572695d7b5748b2bd4fb1afaa189b29e28)
 (cherry picked from commit 1478ffad3f123550ec1014642d5c880dfbe270ef)
 ---
 test/dhtest.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 diff --git a/test/dhtest.c b/test/dhtest.c
 index f8dd8f3aa7..d02b3b7c58 100644
 --- a/test/dhtest.c
 +++ b/test/dhtest.c
@@ -124,6 +124,15 @@ static int dh_test(void)
     /* We'll have a stale error on the queue from the above test so clear it */
     ERR_clear_error();
 +    if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one())))
 +        goto err3;
 +
 +    if (!TEST_true(DH_check(dh, &i)))
 +        goto err3;
 +    if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE)
 +        || !TEST_false(i & DH_CHECK_Q_NOT_PRIME))
 +        goto err3;
 +
     /* Modulus of size: dh check max modulus bits + 1 */
     if (!TEST_true(BN_set_word(p, 1))
             || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
@@ -135,6 +144,9 @@ static int dh_test(void)
     if (!TEST_false(DH_check(dh, &i)))
         goto err3;
 +    /* We'll have a stale error on the queue from the above test so clear it */
 +    ERR_clear_error();
 +
     /*
      * II) key generation
      */
 -- 
 2.27.0
--- a/openssl-3.0-build.patch
+++ b/openssl-3.0-build.patch
@ -21,7 +21,7 @@ index b578a3c..1ad81c3 100644
     "linux-arm64ilp32" => {  # https://wiki.linaro.org/Platform/arm64-ilp32
         inherit_from     => [ "linux-generic32" ],
 diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl
-index 110ba06..712a779 100644
+index a48fae5..56b4292 100644
 --- a/Configurations/unix-Makefile.tmpl
 +++ b/Configurations/unix-Makefile.tmpl
@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime
@ -32,7 +32,7 @@ index 110ba06..712a779 100644
 +install_docs: install_man_docs
 uninstall_docs: uninstall_man_docs uninstall_html_docs
- 	$(RM) -r $(DESTDIR)$(DOCDIR)
+ 	$(RM) -r "$(DESTDIR)$(DOCDIR)"
 -- 
 2.27.0
--- a/openssl-3.0.12.tar.gz
+++ b/openssl-3.0.12.tar.gz
--- a/openssl.spec
+++ b/openssl.spec
@ -1,8 +1,8 @@
 %define soversion 3
 Name:        openssl
 Epoch:       1
-Version:     3.0.9
+Version:     3.0.12
-Release:     5
+Release:     1
 Summary:     Cryptography and SSL/TLS Toolkit
 License:     OpenSSL and SSLeay
 URL:         https://www.openssl.org/
@ -23,17 +23,13 @@ Patch11:     Backport-Fix-SM4-test-failures-on-big-endian-ARM-processors.patch
 Patch12:     Backport-Apply-SM4-optimization-patch-to-Kunpeng-920.patch
 Patch13:     Backport-SM4-AESE-optimization-for-ARMv8.patch
 Patch14:     Backport-Fix-SM4-XTS-build-failure-on-Mac-mini-M1.patch
-Patch15:     backport-Add-testcases-for-empty-associated-data-entries-with.patch
+Patch15:     Backport-support-decode-SM2-parameters.patch
-Patch16:     backport-Do-not-ignore-empty-associated-data-with-AES-SIV-mod.patch
+Patch16:     Feature-support-SM2-CMS-signature.patch
-Patch17:     backport-Add-a-test-for-CVE-2023-3446.patch
+Patch17:     Feature-use-default-id-if-SM2-id-is-not-set.patch
-Patch18:     backport-Fix-DH_check-excessive-time-with-over-sized-modulus.patch
+Patch18:     Backport-Make-DH_check_pub_key-and-DH_generate_key-safer-yet.patch
-Patch19:     backport-Make-DH_check-set-some-error-bits-in-recently-added-.patch
+Patch19:     Backport-poly1305-ppc.pl-Fix-vector-register-clobbering.patch
-Patch20:     backport-DH_check-Do-not-try-checking-q-properties-if-it-is-o.patch
+Patch20:     Backport-Limit-the-execution-time-of-RSA-public-key-check.patch
-Patch21:     backport-dhtest.c-Add-test-of-DH_check-with-q-p-1.patch
+Patch21:     Backport-Add-NULL-checks-where-ContentInfo-data-can-be-NULL.patch
 Patch22:     Backport-support-decode-SM2-parameters.patch
 Patch23:     Feature-support-SM2-CMS-signature.patch
 Patch24:     Feature-use-default-id-if-SM2-id-is-not-set.patch
 Patch25:     backport-A-null-pointer-dereference-occurs-when-memory-alloca.patch
 BuildRequires: gcc gcc-c++ perl make lksctp-tools-devel coreutils util-linux zlib-devel
 Requires:    coreutils %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
@ -234,6 +230,19 @@ make test || :
 %ldconfig_scriptlets libs
 %changelog
 * Thu Jan 04 2024 wangcheng <wangcheng156@huawei.com> - 1:3.0.12-1
 - Upgrade to 3.0.12
  Resolves: CVE-2023-0464
  Resolves: CVE-2023-0465
  Resolves: CVE-2023-0466
  Resolves: CVE-2023-1255
  Resolves: CVE-2023-2650
  Resolves: CVE-2023-5363
  Resolves: CVE-2023-6237
  Resolves: CVE-2023-6129
  Resolves: CVE-2023-5678
  Resolves: CVE-2024-0727
 * Fri Sep 22 2023 dongyuzhen <dongyuzhen@h-partners.com> - 1:3.0.9-5
 - Backport some upstream patches