[packages/openssl] Rel 2; fixes https://github.com/openssl/openssl/issues/15465
arekm
arekm at pld-linux.org
Wed Feb 2 18:00:14 CET 2022
commit ab91405a1cf4bfab81ebeb096d69dc1f8f9fcf7c
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Wed Feb 2 17:59:09 2022 +0100
Rel 2; fixes https://github.com/openssl/openssl/issues/15465
bug-15465.patch | 47 +++++++++++++++++++++++++++++++++++++++++++++++
openssl.spec | 4 +++-
2 files changed, 50 insertions(+), 1 deletion(-)
---
diff --git a/openssl.spec b/openssl.spec
index 9bfc66d..d2efa16 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -14,7 +14,7 @@ Summary(ru.UTF-8): Библиотеки и утилиты для соедине
Summary(uk.UTF-8): Бібліотеки та утиліти для з'єднань через Secure Sockets Layer
Name: openssl
Version: 3.0.1
-Release: 1
+Release: 2
License: Apache v2.0
Group: Libraries
Source0: https://www.openssl.org/source/%{name}-%{version}.tar.gz
@@ -27,6 +27,7 @@ Patch1: %{name}-ca-certificates.patch
Patch2: %{name}-find.patch
Patch3: pic.patch
Patch4: engines-dir.patch
+Patch5: bug-15465.patch
URL: http://www.openssl.org/
%ifarch %{arm} ppc mips sparc sparcv9
BuildRequires: libatomic-devel
@@ -211,6 +212,7 @@ RC4, RSA и SSL. Включает статические библиотеки д
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
# fails with enable-sctp as of 1.1.1
%{__rm} test/recipes/80-test_ssl_new.t
diff --git a/bug-15465.patch b/bug-15465.patch
new file mode 100644
index 0000000..de318e6
--- /dev/null
+++ b/bug-15465.patch
@@ -0,0 +1,47 @@
+From 517a7737dccb9837b4d9d751e64ae7b60948ef2e Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas at openssl.org>
+Date: Wed, 2 Feb 2022 17:47:26 +0100
+Subject: [PATCH] Replace size check with more meaningful pubkey check
+
+It does not make sense to check the size because this
+function can be used in other contexts than in TLS-1.3 and
+the value might not be padded to the size of p.
+
+However it makes sense to do the partial pubkey check because
+there is no valid reason having the pubkey value outside the
+1 < pubkey < p-1 bounds.
+
+Fixes #15465
+---
+ crypto/dh/dh_key.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c
+index 6b8cd550f25f..c78ed618bf83 100644
+--- a/crypto/dh/dh_key.c
++++ b/crypto/dh/dh_key.c
+@@ -375,20 +375,17 @@ int ossl_dh_buf2key(DH *dh, const unsigned char *buf, size_t len)
+ int err_reason = DH_R_BN_ERROR;
+ BIGNUM *pubkey = NULL;
+ const BIGNUM *p;
+- size_t p_size;
++ int ret;
+
+ if ((pubkey = BN_bin2bn(buf, len, NULL)) == NULL)
+ goto err;
+ DH_get0_pqg(dh, &p, NULL, NULL);
+- if (p == NULL || (p_size = BN_num_bytes(p)) == 0) {
++ if (p == NULL || BN_num_bytes(p) == 0) {
+ err_reason = DH_R_NO_PARAMETERS_SET;
+ goto err;
+ }
+- /*
+- * As per Section 4.2.8.1 of RFC 8446 fail if DHE's
+- * public key is of size not equal to size of p
+- */
+- if (BN_is_zero(pubkey) || p_size != len) {
++ /* Prevent small subgroup attacks per RFC 8446 Section 4.2.8.1 */
++ if (!ossl_dh_check_pub_key_partial(dh, pubkey, &ret)) {
+ err_reason = DH_R_INVALID_PUBKEY;
+ goto err;
+ }
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/openssl.git/commitdiff/ab91405a1cf4bfab81ebeb096d69dc1f8f9fcf7c
More information about the pld-cvs-commit
mailing list