Hi Team, Any Update on this ?
Thanks & Regards, Vijay On Fri, Jan 30, 2026 at 5:12 PM <[email protected]> wrote: > From: Vijay Anusuri <[email protected]> > > This release incorporates the following bug fixes and mitigations: > > Fixed Stack buffer overflow in CMS AuthEnvelopedData parsing. > (CVE-2025-15467) > Fixed Heap out-of-bounds write in BIO_f_linebuffer on short writes. > (CVE-2025-68160) > Fixed Unauthenticated/unencrypted trailing bytes with low-level OCB > function calls. (CVE-2025-69418) > Fixed Out of bounds write in PKCS12_get_friendlyname() UTF-8 conversion. > (CVE-2025-69419) > Fixed Missing ASN1_TYPE validation in TS_RESP_verify_response() function. > (CVE-2025-69420) > Fixed NULL Pointer Dereference in PKCS12_item_decrypt_d2i_ex() function. > (CVE-2025-69421) > Fixed Missing ASN1_TYPE validation in PKCS#12 parsing. (CVE-2026-22795) > Fixed ASN1_TYPE Type Confusion in the PKCS7_digest_from_attributes() > function. (CVE-2026-22796) > > Changelog: > https://github.com/openssl/openssl/blob/openssl-3.0.19/NEWS.md > > Refreshed CVE-2023-50781 patches for openssl-3.0.19 > > Reference: https://openssl-library.org/news/secadv/20260127.txt > > Signed-off-by: Vijay Anusuri <[email protected]> > --- > .../openssl/openssl/CVE-2023-50781-1.patch | 46 ++++--- > .../openssl/openssl/CVE-2023-50781-2.patch | 112 +++++++++--------- > .../openssl/openssl/CVE-2023-50781-3.patch | 16 ++- > .../{openssl_3.0.18.bb => openssl_3.0.19.bb} | 2 +- > 4 files changed, 85 insertions(+), 91 deletions(-) > rename meta/recipes-connectivity/openssl/{openssl_3.0.18.bb => > openssl_3.0.19.bb} (99%) > > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch > index 234fe7b8aa..a00f67027d 100644 > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-1.patch > @@ -1,7 +1,7 @@ > -From 24734088e1034392de981151dfe57e3a379ada18 Mon Sep 17 00:00:00 2001 > +From 295485f5c4b3120b272b81f92356f6d24871c02e Mon Sep 17 00:00:00 2001 > From: Hubert Kario <[email protected]> > Date: Tue, 15 Mar 2022 13:58:08 +0100 > -Subject: [PATCH 1/3] rsa: add implicit rejection in PKCS#1 v1.5 > +Subject: [PATCH] rsa: add implicit rejection in PKCS#1 v1.5 > > The RSA decryption as implemented before required very careful handling > of both the exit code returned by OpenSSL and the potentially returned > @@ -43,6 +43,7 @@ Reviewed-by: Tomas Mraz <[email protected]> > (Merged from https://github.com/openssl/openssl/pull/13817) > > Signed-off-by: Jiaying Song <[email protected]> > + > --- > crypto/rsa/rsa_ossl.c | 95 +++++++- > crypto/rsa/rsa_pk1.c | 252 ++++++++++++++++++++++ > @@ -56,7 +57,7 @@ Signed-off-by: Jiaying Song < > [email protected]> > 9 files changed, 393 insertions(+), 5 deletions(-) > > diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c > -index 0fc642e777..330302ae55 100644 > +index 6c32764..d658a3c 100644 > --- a/crypto/rsa/rsa_ossl.c > +++ b/crypto/rsa/rsa_ossl.c > @@ -17,6 +17,9 @@ > @@ -68,8 +69,8 @@ index 0fc642e777..330302ae55 100644 > +#include <openssl/hmac.h> > > static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, > - unsigned char *to, RSA *rsa, int > padding); > -@@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > + unsigned char *to, RSA *rsa, int padding); > +@@ -373,8 +376,13 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > BIGNUM *f, *ret; > int j, num = 0, r = -1; > unsigned char *buf = NULL; > @@ -83,7 +84,7 @@ index 0fc642e777..330302ae55 100644 > /* > * Used only if the blinding structure is shared. A non-NULL unblind > * instructs rsa_blinding_convert() and rsa_blinding_invert() to > store > -@@ -408,6 +416,11 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > +@@ -404,6 +412,11 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > goto err; > } > > @@ -95,7 +96,7 @@ index 0fc642e777..330302ae55 100644 > /* make data into a big number */ > if (BN_bin2bn(from, (int)flen, f) == NULL) > goto err; > -@@ -472,13 +485,91 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > +@@ -464,13 +477,91 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) > goto err; > > @@ -188,17 +189,17 @@ index 0fc642e777..330302ae55 100644 > break; > case RSA_PKCS1_OAEP_PADDING: > r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); > -@@ -501,6 +592,8 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > +@@ -493,6 +584,8 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > #endif > > - err: > + err: > + HMAC_CTX_free(hmac); > + EVP_MD_free(md); > BN_CTX_end(ctx); > BN_CTX_free(ctx); > OPENSSL_clear_free(buf, num); > diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c > -index 51507fc030..5cd2b26879 100644 > +index bebb43a..3fe12b2 100644 > --- a/crypto/rsa/rsa_pk1.c > +++ b/crypto/rsa/rsa_pk1.c > @@ -21,10 +21,14 @@ > @@ -214,7 +215,7 @@ index 51507fc030..5cd2b26879 100644 > > + > int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, > - const unsigned char *from, int flen) > + const unsigned char *from, int flen) > { > @@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char > *to, int tlen, > return constant_time_select_int(good, mlen, -1); > @@ -472,7 +473,7 @@ index 51507fc030..5cd2b26879 100644 > * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the > PKCS1 type 2 > * padding from a decrypted RSA message in a TLS signature. The result > is stored > diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/ > openssl-pkeyutl.pod.in > -index 2f6ef0021d..015265a74d 100644 > +index 2f6ef00..015265a 100644 > --- a/doc/man1/openssl-pkeyutl.pod.in > +++ b/doc/man1/openssl-pkeyutl.pod.in > @@ -273,6 +273,11 @@ signed or verified directly instead of using a > B<DigestInfo> structure. If a > @@ -488,7 +489,7 @@ index 2f6ef0021d..015265a74d 100644 > > For B<x931> if the digest type is set it is used to format the block data > diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/ > openssl-rsautl.pod.in > -index 0a32fd965b..4c462abc8c 100644 > +index 0a32fd9..4c462ab 100644 > --- a/doc/man1/openssl-rsautl.pod.in > +++ b/doc/man1/openssl-rsautl.pod.in > @@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), > PKCS#1 OAEP, > @@ -504,7 +505,7 @@ index 0a32fd965b..4c462abc8c 100644 > > Hex dump the output data. > diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod > b/doc/man3/EVP_PKEY_CTX_ctrl.pod > -index 3075eaafd6..e788f38809 100644 > +index 3075eaa..e788f38 100644 > --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod > +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod > @@ -386,6 +386,13 @@ this behaviour should be tolerated then > @@ -522,7 +523,7 @@ index 3075eaafd6..e788f38809 100644 > > EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA > diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod > -index b6f9bad5f1..898535a7a2 100644 > +index b6f9bad..898535a 100644 > --- a/doc/man3/EVP_PKEY_decrypt.pod > +++ b/doc/man3/EVP_PKEY_decrypt.pod > @@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for > failure. In particular a > @@ -545,7 +546,7 @@ index b6f9bad5f1..898535a7a2 100644 > > Decrypt data using OAEP (for RSA keys): > diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod > b/doc/man3/RSA_padding_add_PKCS1_type_1.pod > -index 9f7025c497..36ae18563f 100644 > +index 9f7025c..36ae185 100644 > --- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod > +++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod > @@ -121,8 +121,8 @@ L<ERR_get_error(3)>. > @@ -570,7 +571,7 @@ index 9f7025c497..36ae18563f 100644 > > L<RSA_public_encrypt(3)>, > diff --git a/doc/man3/RSA_public_encrypt.pod > b/doc/man3/RSA_public_encrypt.pod > -index 1d38073aea..bd3f835ac6 100644 > +index 1d38073..bd3f835 100644 > --- a/doc/man3/RSA_public_encrypt.pod > +++ b/doc/man3/RSA_public_encrypt.pod > @@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. > @@ -599,20 +600,17 @@ index 1d38073aea..bd3f835ac6 100644 > > SSL, PKCS #1 v2.0 > diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h > -index 949873d0ee..f267e5d9d1 100644 > +index 797dc1f..2f86e4c 100644 > --- a/include/crypto/rsa.h > +++ b/include/crypto/rsa.h > @@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR > *alg); > RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, > - OSSL_LIB_CTX *libctx, const char *propq); > + OSSL_LIB_CTX *libctx, const char *propq); > > +int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, > + unsigned char *to, int tlen, > + const unsigned char *from, int > flen, > + int num, unsigned char *kdk); > int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned > char *to, > - size_t tlen, > - const unsigned char *from, > --- > -2.34.1 > - > + size_t tlen, > + const unsigned char *from, > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch > index b336d9e850..13ea3c717a 100644 > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-2.patch > @@ -1,7 +1,7 @@ > -From e92f0cd3b03e5aca948b03df7e3d02e536700f68 Mon Sep 17 00:00:00 2001 > +From 584936eb09cef64eb0755c0ccb2661e7ba1aea58 Mon Sep 17 00:00:00 2001 > From: Hubert Kario <[email protected]> > Date: Thu, 27 Oct 2022 19:16:58 +0200 > -Subject: [PATCH 2/3] rsa: Add option to disable implicit rejection > +Subject: [PATCH] rsa: Add option to disable implicit rejection > > CVE: CVE-2023-50781 > > @@ -14,6 +14,7 @@ Reviewed-by: Tomas Mraz <[email protected]> > (Merged from https://github.com/openssl/openssl/pull/13817) > > Signed-off-by: Jiaying Song <[email protected]> > + > --- > crypto/cms/cms_env.c | 7 +++++ > crypto/evp/ctrl_params_translate.c | 6 +++++ > @@ -28,10 +29,10 @@ Signed-off-by: Jiaying Song < > [email protected]> > 10 files changed, 95 insertions(+), 8 deletions(-) > > diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c > -index 445a16fb77..49b0289114 100644 > +index 2326253..96e3315 100644 > --- a/crypto/cms/cms_env.c > +++ b/crypto/cms/cms_env.c > -@@ -581,6 +581,13 @@ static int > cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, > +@@ -576,6 +576,13 @@ static int > cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, > if (!ossl_cms_env_asn1_ctrl(ri, 1)) > goto err; > > @@ -43,15 +44,15 @@ index 445a16fb77..49b0289114 100644 > + EVP_PKEY_CTX_ctrl_str(ktri->pctx, > "rsa_pkcs1_implicit_rejection", "0"); > + > if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, > - ktri->encryptedKey->data, > - ktri->encryptedKey->length) <= 0) > + ktri->encryptedKey->data, > + ktri->encryptedKey->length) > diff --git a/crypto/evp/ctrl_params_translate.c > b/crypto/evp/ctrl_params_translate.c > -index 44d0895bcf..db7325439a 100644 > +index 14306a0..b481776 100644 > --- a/crypto/evp/ctrl_params_translate.c > +++ b/crypto/evp/ctrl_params_translate.c > -@@ -2269,6 +2269,12 @@ static const struct translation_st > evp_pkey_ctx_translations[] = { > - EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, > - OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL }, > +@@ -2249,6 +2249,12 @@ static const struct translation_st > evp_pkey_ctx_translations[] = { > + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, > + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL }, > > + { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, > + EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, > @@ -60,13 +61,13 @@ index 44d0895bcf..db7325439a 100644 > + NULL }, > + > { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, > - EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, > - OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, > + EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, > + OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, > diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c > -index 330302ae55..4bdacd5ed9 100644 > +index d658a3c..5a0b160 100644 > --- a/crypto/rsa/rsa_ossl.c > +++ b/crypto/rsa/rsa_ossl.c > -@@ -395,6 +395,12 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > +@@ -391,6 +391,12 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > BIGNUM *unblind = NULL; > BN_BLINDING *blinding = NULL; > > @@ -79,7 +80,7 @@ index 330302ae55..4bdacd5ed9 100644 > if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) > goto err; > BN_CTX_start(ctx); > -@@ -489,7 +495,7 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > +@@ -481,7 +487,7 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > * derive the Key Derivation Key from private exponent and public > * ciphertext > */ > @@ -88,7 +89,7 @@ index 330302ae55..4bdacd5ed9 100644 > /* > * because we use d as a handle to rsa->d we need to keep it > local and > * free before any further use of rsa->d > -@@ -565,11 +571,11 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > +@@ -557,11 +563,11 @@ static int rsa_ossl_private_decrypt(int flen, const > unsigned char *from, > goto err; > > switch (padding) { > @@ -105,7 +106,7 @@ index 330302ae55..4bdacd5ed9 100644 > case RSA_PKCS1_OAEP_PADDING: > r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); > diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c > -index 0bf5ac098a..81b031f81b 100644 > +index 85cdfb4..7f3d810 100644 > --- a/crypto/rsa/rsa_pmeth.c > +++ b/crypto/rsa/rsa_pmeth.c > @@ -52,6 +52,8 @@ typedef struct { > @@ -133,17 +134,17 @@ index 0bf5ac098a..81b031f81b 100644 > if (sctx->oaep_label) { > OPENSSL_free(dctx->oaep_label); > dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, > sctx->oaep_labellen); > -@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, > - const unsigned char *in, size_t inlen) > +@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, > + const unsigned char *in, size_t inlen) > { > int ret; > + int pad_mode; > RSA_PKEY_CTX *rctx = ctx->data; > /* > * Discard const. Its marked as const because this may be a cached > copy of > -@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, > - rctx->oaep_labellen, > - rctx->md, rctx->mgf1md); > +@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, > + rctx->oaep_labellen, > + rctx->md, rctx->mgf1md); > } else { > - ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); > + if (rctx->pad_mode == RSA_PKCS1_PADDING && > @@ -155,7 +156,7 @@ index 0bf5ac098a..81b031f81b 100644 > } > *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, > ret); > ret = constant_time_select_int(constant_time_msb(ret), ret, 1); > -@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int > type, int p1, void *p2) > +@@ -587,6 +597,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int > type, int p1, void *p2) > *(unsigned char **)p2 = rctx->oaep_label; > return rctx->oaep_labellen; > > @@ -171,7 +172,7 @@ index 0bf5ac098a..81b031f81b 100644 > case EVP_PKEY_CTRL_PKCS7_SIGN: > #ifndef OPENSSL_NO_CMS > diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/ > openssl-pkeyutl.pod.in > -index 015265a74d..5e62551d34 100644 > +index 015265a..5e62551 100644 > --- a/doc/man1/openssl-pkeyutl.pod.in > +++ b/doc/man1/openssl-pkeyutl.pod.in > @@ -305,6 +305,16 @@ explicitly set in PSS mode then the signing digest > is used. > @@ -192,7 +193,7 @@ index 015265a74d..5e62551d34 100644 > > =head1 RSA-PSS ALGORITHM > diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod > b/doc/man3/EVP_PKEY_CTX_ctrl.pod > -index e788f38809..3844aa2199 100644 > +index e788f38..3844aa2 100644 > --- a/doc/man3/EVP_PKEY_CTX_ctrl.pod > +++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod > @@ -392,6 +392,8 @@ instead of padding errors in case padding checks > fail. Applications that > @@ -205,7 +206,7 @@ index e788f38809..3844aa2199 100644 > =head2 DSA parameters > > diff --git a/doc/man7/provider-asym_cipher.pod > b/doc/man7/provider-asym_cipher.pod > -index 0976a263a8..2a8426a6ed 100644 > +index 0976a26..2a8426a 100644 > --- a/doc/man7/provider-asym_cipher.pod > +++ b/doc/man7/provider-asym_cipher.pod > @@ -234,6 +234,15 @@ The TLS protocol version first requested by the > client. > @@ -225,50 +226,50 @@ index 0976a263a8..2a8426a6ed 100644 > > OSSL_FUNC_asym_cipher_gettable_ctx_params() and > OSSL_FUNC_asym_cipher_settable_ctx_params() > diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h > -index 6bed5a8a67..5a350b537f 100644 > +index 02bebc6..9586a6d 100644 > --- a/include/openssl/core_names.h > +++ b/include/openssl/core_names.h > @@ -292,6 +292,7 @@ extern "C" { > - #define OSSL_PKEY_PARAM_DIST_ID "distid" > - #define OSSL_PKEY_PARAM_PUB_KEY "pub" > - #define OSSL_PKEY_PARAM_PRIV_KEY "priv" > -+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" > + #define OSSL_PKEY_PARAM_DIST_ID "distid" > + #define OSSL_PKEY_PARAM_PUB_KEY "pub" > + #define OSSL_PKEY_PARAM_PRIV_KEY "priv" > ++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" > > /* Diffie-Hellman/DSA Parameters */ > - #define OSSL_PKEY_PARAM_FFC_P "p" > + #define OSSL_PKEY_PARAM_FFC_P "p" > @@ -467,6 +468,7 @@ extern "C" { > - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" > - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION > "tls-client-version" > - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION > "tls-negotiated-version" > -+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION > "implicit-rejection" > + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" > + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" > + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION > "tls-negotiated-version" > ++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" > > /* > * Encoder / decoder parameters > diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h > -index a55c9727c6..247f9014e3 100644 > +index 36a780d..ceb05b2 100644 > --- a/include/openssl/rsa.h > +++ b/include/openssl/rsa.h > @@ -183,6 +183,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX > *ctx, unsigned char **label); > > - # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) > + #define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) > > -+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) > ++#define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) > + > - # define RSA_PKCS1_PADDING 1 > - # define RSA_NO_PADDING 3 > - # define RSA_PKCS1_OAEP_PADDING 4 > + #define RSA_PKCS1_PADDING 1 > + #define RSA_NO_PADDING 3 > + #define RSA_PKCS1_OAEP_PADDING 4 > @@ -192,6 +194,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX > *ctx, unsigned char **label); > - # define RSA_PKCS1_PSS_PADDING 6 > - # define RSA_PKCS1_WITH_TLS_PADDING 7 > + #define RSA_PKCS1_PSS_PADDING 6 > + #define RSA_PKCS1_WITH_TLS_PADDING 7 > > +/* internal RSA_ only */ > -+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 > ++#define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 > + > - # define RSA_PKCS1_PADDING_SIZE 11 > + #define RSA_PKCS1_PADDING_SIZE 11 > > - # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) > + #define RSA_set_app_data(s, arg) RSA_set_ex_data(s, 0, arg) > diff --git a/providers/implementations/asymciphers/rsa_enc.c > b/providers/implementations/asymciphers/rsa_enc.c > -index c8921acd6e..11a91e62b1 100644 > +index 799357f3..1e74150 100644 > --- a/providers/implementations/asymciphers/rsa_enc.c > +++ b/providers/implementations/asymciphers/rsa_enc.c > @@ -75,6 +75,8 @@ typedef struct { > @@ -288,7 +289,7 @@ index c8921acd6e..11a91e62b1 100644 > > switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { > case RSA_FLAG_TYPE_RSA: > -@@ -199,6 +202,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char > *out, size_t *outlen, > +@@ -203,6 +206,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char > *out, size_t *outlen, > { > PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; > int ret; > @@ -296,12 +297,12 @@ index c8921acd6e..11a91e62b1 100644 > size_t len = RSA_size(prsactx->rsa); > > if (!ossl_prov_is_running()) > -@@ -276,8 +280,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char > *out, size_t *outlen, > +@@ -280,8 +284,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char > *out, size_t *outlen, > } > OPENSSL_free(tbuf); > } else { > - ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, > -- prsactx->pad_mode); > +- prsactx->pad_mode); > + if ((prsactx->implicit_rejection == 0) && > + (prsactx->pad_mode == RSA_PKCS1_PADDING)) > + pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; > @@ -311,7 +312,7 @@ index c8921acd6e..11a91e62b1 100644 > } > *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, > ret); > ret = constant_time_select_int(constant_time_msb(ret), 0, 1); > -@@ -401,6 +409,10 @@ static int rsa_get_ctx_params(void *vprsactx, > OSSL_PARAM *params) > +@@ -403,6 +411,10 @@ static int rsa_get_ctx_params(void *vprsactx, > OSSL_PARAM *params) > if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) > return 0; > > @@ -322,8 +323,8 @@ index c8921acd6e..11a91e62b1 100644 > return 1; > } > > -@@ -412,6 +424,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = > { > - NULL, 0), > +@@ -414,6 +426,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = > { > + NULL, 0), > OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), > OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), > + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), > @@ -353,6 +354,3 @@ index c8921acd6e..11a91e62b1 100644 > OSSL_PARAM_END > }; > > --- > -2.34.1 > - > diff --git > a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch > b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch > index 0a1f63f30a..324e41ed2f 100644 > --- a/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch > +++ b/meta/recipes-connectivity/openssl/openssl/CVE-2023-50781-3.patch > @@ -1,7 +1,7 @@ > -From ba78f7b0599ba5bfb5032dd2664465c5b13388e3 Mon Sep 17 00:00:00 2001 > +From 156a6ca5791f9c642a77270a90d5dbd0a3a7a33d Mon Sep 17 00:00:00 2001 > From: Hubert Kario <[email protected]> > Date: Tue, 22 Nov 2022 18:25:49 +0100 > -Subject: [PATCH 3/3] smime/pkcs7: disable the Bleichenbacher workaround > +Subject: [PATCH] smime/pkcs7: disable the Bleichenbacher workaround > > CVE: CVE-2023-50781 > > @@ -14,15 +14,16 @@ Reviewed-by: Tomas Mraz <[email protected]> > (Merged from https://github.com/openssl/openssl/pull/13817) > > Signed-off-by: Jiaying Song <[email protected]> > + > --- > crypto/pkcs7/pk7_doit.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c > -index e9de097da1..6d3124da87 100644 > +index a38e8a3..d751f5e 100644 > --- a/crypto/pkcs7/pk7_doit.c > +++ b/crypto/pkcs7/pk7_doit.c > -@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, > int *peklen, > +@@ -168,6 +168,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, > int *peklen, > if (EVP_PKEY_decrypt_init(pctx) <= 0) > goto err; > > @@ -34,8 +35,5 @@ index e9de097da1..6d3124da87 100644 > + EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); > + > if (EVP_PKEY_decrypt(pctx, NULL, &eklen, > - ri->enc_key->data, ri->enc_key->length) <= 0) > - goto err; > --- > -2.34.1 > - > + ri->enc_key->data, ri->enc_key->length) > + <= 0) > diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.18.bb > b/meta/recipes-connectivity/openssl/openssl_3.0.19.bb > similarity index 99% > rename from meta/recipes-connectivity/openssl/openssl_3.0.18.bb > rename to meta/recipes-connectivity/openssl/openssl_3.0.19.bb > index a8dd338327..293b450cd0 100644 > --- a/meta/recipes-connectivity/openssl/openssl_3.0.18.bb > +++ b/meta/recipes-connectivity/openssl/openssl_3.0.19.bb > @@ -25,7 +25,7 @@ SRC_URI:append:class-nativesdk = " \ > file://environment.d-openssl.sh \ > " > > -SRC_URI[sha256sum] = > "d80c34f5cf902dccf1f1b5df5ebb86d0392e37049e5d73df1b3abae72e4ffe8b" > +SRC_URI[sha256sum] = > "fa5a4143b8aae18be53ef2f3caf29a2e0747430b8bc74d32d88335b94ab63072" > > inherit lib_package multilib_header multilib_script ptest perlnative > MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash" > -- > 2.25.1 > >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#230897): https://lists.openembedded.org/g/openembedded-core/message/230897 Mute This Topic: https://lists.openembedded.org/mt/117542730/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
