2 files changed, 45 insertions, 0 deletions
diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
new file mode 100644
index 0000000000..dc18e0bef1
--- /dev/null
+++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
@@ -0,0 +1,44 @@
+From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Mon, 5 Aug 2024 17:54:14 +0200
+Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
+ safe-prime groups
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+The partial validation is fully sufficient to check the key validity.
+Thanks to Szilárd Pfeiffer for reporting the issue.
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+(Merged from https://github.com/openssl/openssl/pull/25088)
+CVE: CVE-2024-41996
+Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
+index 82c3093b12..ebdce76710 100644
+--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
+@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
+     if (pub_key == NULL)
+         return 0;
+ 
+-    /* The partial test is only valid for named group's with q = (p - 1) / 2 */
+-    if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
+-        && ossl_dh_is_named_safe_prime_group(dh))
+    /*
+     * The partial test is only valid for named group's with q = (p - 1) / 2
+     * but for that case it is also fully sufficient to check the key validity.
+     */
+    if (ossl_dh_is_named_safe_prime_group(dh))
+         return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
+ 
+     return DH_check_pub_key_ex(dh, pub_key);
diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
index c4ad80e734..d6bf32d989 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
           file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
           file://0001-Configure-do-not-tweak-mips-cflags.patch \
           file://0001-Added-handshake-history-reporting-when-test-fails.patch \
+           file://CVE-2024-41996.patch \
           "
 SRC_URI:append:class-nativesdk = " \

diff --git a/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch new file mode 100644 index 0000000000..dc18e0bef1 --- /dev/null +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2024-41996.patch
@@ -0,0 +1,44 @@
		1	From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001
		2	From: Tomas Mraz <tomas@openssl.org>
		3	Date: Mon, 5 Aug 2024 17:54:14 +0200
		4	Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known
		5	safe-prime groups
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	The partial validation is fully sufficient to check the key validity.
		11
		12	Thanks to Szilárd Pfeiffer for reporting the issue.
		13
		14	Reviewed-by: Neil Horman <nhorman@openssl.org>
		15	Reviewed-by: Matt Caswell <matt@openssl.org>
		16	Reviewed-by: Paul Dale <ppzgs1@gmail.com>
		17	(Merged from https://github.com/openssl/openssl/pull/25088)
		18
		19	CVE: CVE-2024-41996
		20	Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e70e34d857d4003199bcb5d3b52ca8102ccc1b98]
		21	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		22	---
		23	providers/implementations/keymgmt/dh_kmgmt.c \| 8 +++++---
		24	1 file changed, 5 insertions(+), 3 deletions(-)
		25
		26	diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
		27	index 82c3093b12..ebdce76710 100644
		28	--- a/providers/implementations/keymgmt/dh_kmgmt.c
		29	+++ b/providers/implementations/keymgmt/dh_kmgmt.c
		30	@@ -387,9 +387,11 @@ static int dh_validate_public(const DH *dh, int checktype)
		31	if (pub_key == NULL)
		32	return 0;
		33
		34	- /* The partial test is only valid for named group's with q = (p - 1) / 2 */
		35	- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK
		36	- && ossl_dh_is_named_safe_prime_group(dh))
		37	+ /*
		38	+ * The partial test is only valid for named group's with q = (p - 1) / 2
		39	+ * but for that case it is also fully sufficient to check the key validity.
		40	+ */
		41	+ if (ossl_dh_is_named_safe_prime_group(dh))
		42	return ossl_dh_check_pub_key_partial(dh, pub_key, &res);
		43
		44	return DH_check_pub_key_ex(dh, pub_key);


diff --git a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb index c4ad80e734..d6bf32d989 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.2.4.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.2.4.bb
@@ -12,6 +12,7 @@ SRC_URI = "https://github.com/openssl/openssl/releases/download/openssl-${PV}/op
12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \	12	file://0001-buildinfo-strip-sysroot-and-debug-prefix-map-from-co.patch \
13	file://0001-Configure-do-not-tweak-mips-cflags.patch \	13	file://0001-Configure-do-not-tweak-mips-cflags.patch \
14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \	14	file://0001-Added-handshake-history-reporting-when-test-fails.patch \
		15	file://CVE-2024-41996.patch \
15	"	16	"
16		17
17	SRC_URI:append:class-nativesdk = " \	18	SRC_URI:append:class-nativesdk = " \