mirror of
https://git.yoctoproject.org/poky
synced 2026-05-09 17:39:31 +00:00
openssl: CVE-2024-41996
As discussed in [1], this commit fixes CVE-2024-41996. Although openssl project does not consider this a vulnerability, it got CVE number assigned so it deserves attention. [1] https://github.com/openssl/openssl/pull/25088 (From OE-Core rev: cb49b9e49b4561ccea4c231cac591af557b9749c) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Peter Marko
committed by
Steve Sakoman
Steve Sakoman
parent
5f469434d3
commit
ed5a1a7443
@@ -0,0 +1,44 @@
|
||||
From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tomas@openssl.org>
|
||||
Date: Mon, 5 Aug 2024 17:54:14 +0200
|
||||
Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
|
||||
safe-prime groups
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The partial validation is fully sufficient to check the key validity.
|
||||
|
||||
Thanks to Szilárd Pfeiffer for reporting the issue.
|
||||
|
||||
Reviewed-by: Neil Horman <nhorman@openssl.org>
|
||||
Reviewed-by: Matt Caswell <matt@openssl.org>
|
||||
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
|
||||
(Merged from https://github.com/openssl/openssl/pull/25088)
|
||||
|
||||
CVE: CVE-2024-41996
|
||||
Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
|
||||
Signed-off-by: Peter Marko <peter.marko@siemens.com>
|
||||
---
|
||||
providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
|
||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
index 82c3093b12..ebdce76710 100644
|
||||
--- a/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
|
||||
@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
|
||||
if (pub_key == NULL)
|
||||
return 0;
|
||||
|
||||
- /* The partial test is only valid for named group's with q = (p - 1) / 2 */
|
||||
- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
|
||||
- && ossl_dh_is_named_safe_prime_group(dh))
|
||||
+ /*
|
||||
+ * The partial test is only valid for named group's with q = (p - 1) / 2
|
||||
+ * but for that case it is also fully sufficient to check the key validity.
|
||||
+ */
|
||||
+ if (ossl_dh_is_named_safe_prime_group(dh))
|
||||
return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
|
||||
|
||||
return DH_check_pub_key_ex(dh, pub_key);
|
||||
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
|
||||
file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
|
||||
file://0001-Configure-do-not-tweak-mips-cflags.patch \
|
||||
file://0001-Added-handshake-history-reporting-when-test-fails.patch \
|
||||
file://CVE-2024-41996.patch \
|
||||
"
|
||||
|
||||
SRC_URI:append:class-nativesdk = " \
|
||||
|
||||
Reference in New Issue
Block a user