SLFO-pool/openssl-3
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main openssl-3 revision fb9c37359399775f5e48eb6edfac852c

Browse Source
This commit is contained in:
Adrian Schröter 2024-09-30 10:56:09 +02:00
parent c5ce55a09c
commit b7d0840dcc
3 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
openssl-3.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Sep 19 08:05:52 UTC 2024 - Angel Yankov <angel.yankov@suse.com>
- Security fix: [bsc#1230698, CVE-2024-41996]
* Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used
* Added openssl-CVE-2024-41996.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Aug 22 15:18:03 UTC 2024 - Alexander Bergmann <abergmann@suse.com> Thu Aug 22 15:18:03 UTC 2024 - Alexander Bergmann <abergmann@suse.com>

3
openssl-3.spec
View File

@ -167,6 +167,9 @@ Patch69: openssl-3-FIPS-PCT_rsa_keygen.patch
Patch70: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch Patch70: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch
# PATCH-FIX-UPSTREAM: bsc#1229465 CVE-2024-6119: possible denial of service in X.509 name checks # PATCH-FIX-UPSTREAM: bsc#1229465 CVE-2024-6119: possible denial of service in X.509 name checks
Patch71: openssl-CVE-2024-6119.patch Patch71: openssl-CVE-2024-6119.patch
# PATCH-FIX-UPSTREAM bsc#1230698 CVE-2024-41996: Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers to trigger expensive server-side DHE
Patch72: openssl-CVE-2024-41996.patch
BuildRequires: pkgconfig BuildRequires: pkgconfig
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
BuildRequires: ulp-macros BuildRequires: ulp-macros

41
openssl-CVE-2024-41996.patch Normal file
View File

@ -0,0 +1,41 @@
From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 5 Aug 2024 17:54:14 +0200
Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
safe-prime groups
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The partial validation is fully sufficient to check the key validity.
Thanks to Szilárd Pfeiffer for reporting the issue.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/25088)
---
providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index 82c3093b122c2..ebdce767102ee 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype)
if (pub_key == NULL)
return 0;
- /* The partial test is only valid for named group's with q = (p - 1) / 2 */
- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
- && ossl_dh_is_named_safe_prime_group(dh))
+ /*
+ * The partial test is only valid for named group's with q = (p - 1) / 2
+ * but for that case it is also fully sufficient to check the key validity.
+ */
+ if (ossl_dh_is_named_safe_prime_group(dh))
return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
return DH_check_pub_key_ex(dh, pub_key);