Sync from SUSE:ALP:Source:Standard:1.0 openssl-3 revision 99795a6b1300793b3879b1361cd91437

2025-01-24 13:02:00 +01:00 · 2025-01-24 13:02:00 +01:00 · 40d3419017
commit 40d3419017
parent ba43724f28
4 changed files with 1417 additions and 2 deletions
--- a/openssl-3-CVE-2024-41996.patch
+++ b/openssl-3-CVE-2024-41996.patch
@ -0,0 +1,41 @@
 From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
 From: Tomas Mraz <tomas@openssl.org>
 Date: Mon, 5 Aug 2024 17:54:14 +0200
 Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
 safe-prime groups
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 The partial validation is fully sufficient to check the key validity.
 Thanks to Szilárd Pfeiffer for reporting the issue.
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 Reviewed-by: Matt Caswell <matt@openssl.org>
 Reviewed-by: Paul Dale <ppzgs1@gmail.com>
 (Merged from https://github.com/openssl/openssl/pull/25088)
 ---
 providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
 index 82c3093b122c2..ebdce767102ee 100644
 --- a/providers/implementations/keymgmt/dh_kmgmt.c
 +++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
     if (pub_key == NULL)
         return 0;
 -    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
 -    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
 -        && ossl_dh_is_named_safe_prime_group(dh))
 +    /*
 +     * The partial test is only valid for named group's with q = (p - 1) / 2
 +     * but for that case it is also fully sufficient to check the key validity.
 +     */
 +    if (ossl_dh_is_named_safe_prime_group(dh))
         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
     return DH_check_pub_key_ex(dh, pub_key);
--- a/openssl-3.changes
+++ b/openssl-3.changes
@ -1,9 +1,24 @@
 -------------------------------------------------------------------
-Wed Aug 28 08:44:51 UTC 2024 - Alexander Bergmann <abergmann@suse.com>
+Thu Oct 17 12:21:14 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 - Security fix: [bsc#1220262, CVE-2023-50782]
  * Implicit rejection in PKCS#1 v1.5
  * Add openssl-CVE-2023-50782.patch
 -------------------------------------------------------------------
 Wed Sep 25 06:59:52 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
 - Security fix: [bsc#1230698, CVE-2024-41996] 
  * Validating the order of the public keys in the Diffie-Hellman
    Key Agreement Protocol, when an approved safe prime is used.
  * Added openssl-3-CVE-2024-41996.patch
 -------------------------------------------------------------------
 Thu Aug 22 15:18:03 UTC 2024 - Alexander Bergmann <abergmann@suse.com>
 - Security fix: [bsc#1229465, CVE-2024-6119]
  * possible denial of service in X.509 name checks
-  * openssl-CVE-2024-6119.patch 
+  * openssl-CVE-2024-6119.patch
 -------------------------------------------------------------------
 Mon Jul 22 16:42:52 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
--- a/openssl-3.spec
+++ b/openssl-3.spec
@ -167,6 +167,11 @@ Patch69:        openssl-3-FIPS-PCT_rsa_keygen.patch
 Patch70:        openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
 # PATCH-FIX-UPSTREAM: bsc#1229465 CVE-2024-6119: possible denial of service in X.509 name checks
 Patch71:        openssl-CVE-2024-6119.patch
 # PATCH-FIX-UPSTREAM bsc#1230698 CVE-2024-41996: Validation order of the DH public keys
 Patch72:        openssl-3-CVE-2024-41996.patch
 # PATCH-FIX-SUSE bsc#1220262 CVE-2023-50782: Implicit rejection in PKCS#1 v1.5
 Patch73:        openssl-CVE-2023-50782.patch
 BuildRequires:  pkgconfig
 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
 BuildRequires:  ulp-macros
--- a/openssl-CVE-2023-50782.patch
+++ b/openssl-CVE-2023-50782.patch