2 files changed, 49 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
new file mode 100644
index 0000000000..49ec9c0130
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
@@ -0,0 +1,48 @@
+From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 5 Aug 2024 17:54:14 +0200
+Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
+ safe-prime groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The partial validation is fully sufficient to check the key validity.
+Thanks to Szilárd Pfeiffer for reporting the issue.
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/25088)
+CVE: CVE-2024-41996
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
+index 795a3f2..3e7a811 100644
+--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
+     if (pub_key == NULL)
+         return 0;
+-    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
+-    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
+-        && ossl_dh_is_named_safe_prime_group(dh))
+    /*
+     * The partial test is only valid for named group's with q = (p - 1) / 2
+     * but for that case it is also fully sufficient to check the key validity.
+     */
+    if (ossl_dh_is_named_safe_prime_group(dh))
+         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
+     return DH_check_pub_key_ex(dh, pub_key);
+--
+2.40.0
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
index 5bc8801b98..ee0ab2e498 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://afalg.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
+           file://CVE-2024-41996.patch \
           "
 SRC_URI:append:class-nativesdk = " \

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch new file mode 100644 index 0000000000..49ec9c0130 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
@@ -0,0 +1,48 @@
		1	From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
		2	From: Tomas Mraz <tomas@openssl.org>
		3	Date: Mon, 5 Aug 2024 17:54:14 +0200
		4	Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
		5	safe-prime groups
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	The partial validation is fully sufficient to check the key validity.
		11
		12	Thanks to Szilárd Pfeiffer for reporting the issue.
		13
		14	Reviewed-by: Neil Horman <nhorman@openssl.org>
		15	Reviewed-by: Matt Caswell <matt@openssl.org>
		16	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
		17	(Merged from https://github.com/openssl/openssl/pull/25088)
		18
		19	CVE: CVE-2024-41996
		20
		21	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
		22
		23	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		24	---
		25	providers/implementations/keymgmt/dh_kmgmt.c \| 8 +++++---
		26	1 file changed, 5 insertions(+), 3 deletions(-)
		27
		28	diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
		29	index 795a3f2..3e7a811 100644
		30	--- a/providers/implementations/keymgmt/dh_kmgmt.c
		31	+++ b/providers/implementations/keymgmt/dh_kmgmt.c
		32	@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
		33	if (pub_key == NULL)
		34	return 0;
		35
		36	- /* The partial test is only valid for named group's with q = (p - 1) / 2 */
		37	- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
		38	- && ossl_dh_is_named_safe_prime_group(dh))
		39	+ /*
		40	+ * The partial test is only valid for named group's with q = (p - 1) / 2
		41	+ * but for that case it is also fully sufficient to check the key validity.
		42	+ */
		43	+ if (ossl_dh_is_named_safe_prime_group(dh))
		44	return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
		45
		46	return DH_check_pub_key_ex(dh, pub_key);
		47	--
		48	2.40.0


diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb index 5bc8801b98..ee0ab2e498 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.17.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.17.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13	file://afalg.patch \	13	file://afalg.patch \
14	file://0001-Configure-do-not-tweak-mips-cflags.patch \	14	file://0001-Configure-do-not-tweak-mips-cflags.patch \
		15	file://CVE-2024-41996.patch \
15	"	16	"
16		17
17	SRC_URI:append:class-nativesdk = " \	18	SRC_URI:append:class-nativesdk = " \