Accepting request 1327180 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1327180
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libcryptopp?expand=0&rev=44

libcryptopp-CVE-2023-50979.patch

@@ -0,0 +1,70 @@
+From 0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c Mon Sep 17 00:00:00 2001
+From: CoraleSoft <82213665+Coralesoft@users.noreply.github.com>
+Date: Sun, 26 Oct 2025 17:43:39 +1300
+Subject: [PATCH] Fix timing attack in PKCS1v15 padding validation
+
+Replaces variable-time separator search with constant-time implementation to mitigate Marvin Attack (CVE-2022-4304). Uses bitwise operations to avoid data-dependent timing leaks.
+
+Fixes three timing vulnerabilities:
+  - Variable-time while loop
+  - Early return on invalid padding
+  - Variable-length memcpy operation
+
+Fixes #1247
+---
+ pkcspad.cpp | 36 ++++++++++++++++++++++++++++--------
+ 1 file changed, 28 insertions(+), 8 deletions(-)
+
+diff --git a/pkcspad.cpp b/pkcspad.cpp
+index 7f5cd2099..456e52015 100644
+--- a/pkcspad.cpp
++++ b/pkcspad.cpp
+@@ -100,20 +100,40 @@ DecodingResult PKCS_EncryptionPaddingScheme::Unpad(const byte *pkcsBlock, size_t
+ 	// Require block type 2.
+ 	invalid = (pkcsBlock[0] != 2) || invalid;
+ 
+-	// skip past the padding until we find the separator
+-	size_t i=1;
+-	while (i<pkcsBlockLen && pkcsBlock[i++]) { // null body
+-		}
++	// Constant-time separator search to mitigate timing attacks (Marvin Attack, CVE-2022-4304)
++	// Scan every byte to find first zero separator without variable-time loop termination
++	size_t separatorIndex = 0;
++	size_t foundSeparator = 0;
++
++	for (size_t j = 1; j < pkcsBlockLen; j++)
++	{
++		// Check if current byte is zero (separator)
++		size_t isZero = (pkcsBlock[j] == 0) ? 1 : 0;
++		size_t notFoundYet = 1 - foundSeparator;
++
++		// Constant-time conditional: record position using bitwise ops
++		// Equivalent to: if (isZero && notFoundYet) separatorIndex = j;
++		size_t mask = -(isZero & notFoundYet);  // all 1s if true, all 0s if false
++		separatorIndex = (separatorIndex & ~mask) | (j & mask);
++
++		// Mark that we found a separator
++		foundSeparator |= isZero;
++	}
++
++	// Position after the separator
++	size_t i = separatorIndex + 1;
+ 	CRYPTOPP_ASSERT(i==pkcsBlockLen || pkcsBlock[i-1]==0);
+ 
+ 	size_t outputLen = pkcsBlockLen - i;
+ 	invalid = (outputLen > maxOutputLen) || invalid;
++	invalid = (foundSeparator == 0) || invalid;  // No separator found
+ 
+-	if (invalid)
+-		return DecodingResult();
+-
++	// Always perform memcpy to avoid timing leak from early return
++	// This ensures both valid and invalid padding take the same code path
+ 	std::memcpy (output, pkcsBlock+i, outputLen);
+-	return DecodingResult(outputLen);
++
++	// Return error on invalid padding, otherwise return decoded length
++	return invalid ? DecodingResult() : DecodingResult(outputLen);
+ }
+ 
+ // ********************************************************

libcryptopp-CVE-2024-28285.patch

@@ -0,0 +1,26 @@
+commit 2472be710f8518caab1f62999c50970b475f162f
+Author: Angel Yankov <angel.yankov@suse.com>
+Date:   Wed May 28 16:17:10 2025 +0300
+
+    Fix ElGamal side channel issue
+
+Index: cryptopp-CRYPTOPP_8_9_0/pubkey.h
+===================================================================
+--- cryptopp-CRYPTOPP_8_9_0.orig/pubkey.h
++++ cryptopp-CRYPTOPP_8_9_0/pubkey.h
+@@ -1855,7 +1855,14 @@ public:
+ 			SecByteBlock derivedKey(encAlg.GetSymmetricKeyLength(encAlg.GetMaxSymmetricPlaintextLength(ciphertextLength)));
+ 			derivAlg.Derive(params, derivedKey, derivedKey.size(), z, q, parameters);
+ 
+-			return encAlg.SymmetricDecrypt(derivedKey, ciphertext, ciphertextLength, plaintext, parameters);
++                        DecodingResult res =  encAlg.SymmetricDecrypt(derivedKey, ciphertext, ciphertextLength, plaintext, parameters);
++                        Element z2 = agreeAlg.AgreeWithStaticPrivateKey(params, q, true, key.GetPrivateExponent());
++                        if (z == z2) {
++                        } else {
++                                return DecodingResult();
++                        }
++                        return res;
++
+ 		}
+ 		catch (DL_BadElement &)
+ 		{

libcryptopp.changes

@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Wed Jan 14 09:08:04 UTC 2026 - Angel Yankov <angel.yankov@suse.com>
+
+- Security fix [bsc#1218217, CVE-2023-50979]
+  * Fix  side-channel leakage during decryption with PKCS#1v1.5 padding
+  * Added patch libcryptopp-CVE-2023-50979.patch
+  * https://github.com/Coralesoft/cryptopp/commit/0923d82f5c3ac8cf6c99108be2ad9260f2a61f6c 
+
+-------------------------------------------------------------------
+Fri Oct 24 06:59:04 UTC 2025 - Guillaume GARDET <guillaume.gardet@opensuse.org>
+
+- Fix build on aarch64
+
+-------------------------------------------------------------------
+Tue Oct  7 07:56:39 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Security fix [bsc#1224280, CVE-2024-28285]
+  * potential leak of secret key of ElGamal encryption via fault injection 
+  * Added patch libcryptopp-CVE-2024-28285.patch
+  * https://github.com/weidai11/cryptopp/issues/1262 
+
 -------------------------------------------------------------------
 Mon Feb  3 09:09:55 UTC 2025 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 

libcryptopp.spec

@@ -1,6 +1,24 @@
 #
 # spec file for package libcryptopp
 #
+# Copyright (c) 2026 SUSE LLC and contributors
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+ #
+# spec file for package libcryptopp
+#
 # Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
@@ -15,7 +33,6 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
 
-
 %define major 8
 %define minor 9
 %define patchlevel 0
@@ -40,6 +57,10 @@ Patch1:         libcryptopp-shared.patch
 Patch2:         libcryptopp-CVE-2023-50980.patch
 # CVE-2023-50981 [bsc#1218222], issue on ModularSquareRoot function leads to potential DoS
 Patch3:         libcryptopp-CVE-2023-50981.patch
+# PATCH-FIX-SUSE: [bsc#1224280] CVE-2024-28285 potential leak of secret key of ElGamal encryption via fault injection
+Patch4:         libcryptopp-CVE-2024-28285.patch
+# PATCH-FIX-UPSTREAM: [bsc#1218217,  CVE-2023-50979] side-channel leakage during decryption with PKCS#1v1.5 padding  (marvin )
+Patch5:         libcryptopp-CVE-2023-50979.patch
 BuildRequires:  dos2unix
 BuildRequires:  gcc-c++
 BuildRequires:  pkgconfig
@@ -100,7 +121,8 @@ CXXFLAGS="$CXXFLAGS -DCRYPTOPP_DISABLE_ALTIVEC"
 %make_install \
     PREFIX="%{_prefix}" \
     LIB="%{_lib}" \
-    LIBSUFFIX="-%{version}"
+    LIBSUFFIX="-%{version}" \
+    LDFLAGS="-pthread -lgomp"
 
 rm -rf "%{buildroot}%{_bindir}" %{buildroot}%{_datadir}/cryptopp
 rm -rf %{buildroot}%{_libdir}/*.a