Accepting request 1100559 from home:ohollmann:branches:security:tls

- Dont pass zero length input to EVP_Cipher because assembler optimized AES cannot handle zero size. [bsc#1213517] * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch OBS-URL: https://build.opensuse.org/request/show/1100559 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=140
2023-07-25 08:04:18 +00:00 · 2023-07-25 08:04:18 +00:00 · a620e0aeaf
commit a620e0aeaf
parent 2f6ae03793
3 changed files with 25 additions and 0 deletions
--- a/openssl-1_1.changes
+++ b/openssl-1_1.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Jul 24 12:40:38 UTC 2023 - Otto Hollmann <otto.hollmann@suse.com>
+
+- Dont pass zero length input to EVP_Cipher because assembler
+  optimized AES cannot handle zero size. [bsc#1213517]
+  * Add openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
+
 -------------------------------------------------------------------
 Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal <pmonreal@suse.com>

--- a/openssl-1_1.spec
+++ b/openssl-1_1.spec
@ -135,6 +135,8 @@ Patch80:        openssl-1_1-openssl-config.patch
 # PATCH-FIX-UPSTREAM: bsc#1213487 CVE-2023-3446 DH_check() excessive time with over sized modulus
 Patch81:        openssl-CVE-2023-3446.patch
 Patch82:        openssl-CVE-2023-3446-test.patch
+# PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher
+Patch83:        openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
 BuildRequires:  pkgconfig
 BuildRequires:  pkgconfig(zlib)
 Provides:       ssl
--- a/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
+++ b/openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch
@ -0,0 +1,16 @@
+---
+ crypto/evp/e_aes.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
+@@ -2742,6 +2742,9 @@ static int aes_cbc_cipher(EVP_CIPHER_CTX
+ {
+     EVP_AES_KEY *dat = EVP_C_DATA(EVP_AES_KEY,ctx);
+ 
+    if (!len)
+        return 1;
+
+     if (dat->stream.cbc)
+         (*dat->stream.cbc) (in, out, len, &dat->ks,
+                             EVP_CIPHER_CTX_iv_noconst(ctx),