* [rpms/openssl] rebase_40beta: Forbid custom EC more completely
@ 2026-06-09 12:45 Dmitry Belyavskiy
From: Dmitry Belyavskiy @ 2026-06-09 12:45 UTC (permalink / raw)
  To: git-commits

            A new commit has been pushed.

            Repo   : rpms/openssl
            Branch : rebase_40beta
            Commit : 2b0eda88de8c3f7b84c603882aad160c019ae3a4
            Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
            Date   : 2023-07-27T12:48:59+02:00
            Stats  : +91/-1 in 2 file(s)
            URL    : https://src.fedoraproject.org/rpms/openssl/c/2b0eda88de8c3f7b84c603882aad160c019ae3a4?branch=rebase_40beta

            Log:
            Forbid custom EC more completely

Resolves: rhbz#2223953

---
diff --git a/0012-Disable-explicit-ec.patch b/0012-Disable-explicit-ec.patch
index 550cdf4..0cae2fa 100644
--- a/0012-Disable-explicit-ec.patch
+++ b/0012-Disable-explicit-ec.patch
@@ -26,6 +26,29 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry
      ret->version = priv_key->version;
  
      if (priv_key->privateKey) {
+diff -up openssl-3.0.9/crypto/ec/ec_lib.c.noec openssl-3.0.9/crypto/ec/ec_lib.c
+--- openssl-3.0.9/crypto/ec/ec_lib.c.noec	2023-07-27 10:32:52.870910095 +0200
++++ openssl-3.0.9/crypto/ec/ec_lib.c	2023-07-27 10:35:18.029151181 +0200
+@@ -1728,6 +1728,11 @@ EC_GROUP *EC_GROUP_new_from_params(const
+         goto err;
+     }
+     if (named_group == group) {
++        if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) {
++            ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);
++            goto err;
++        }
++#if 0
+         /*
+          * If we did not find a named group then the encoding should be explicit
+          * if it was specified
+@@ -1743,6 +1748,7 @@ EC_GROUP *EC_GROUP_new_from_params(const
+             goto err;
+         }
+         EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE);
++#endif
+     } else {
+         EC_GROUP_free(group);
+         group = named_group;
 diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c
 --- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec	2022-03-21 16:55:46.005558779 +0100
 +++ openssl-3.0.1/test/endecode_test.c	2022-03-21 16:56:12.636792762 +0100
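Review bot: The `#if 0` opened right after the new `EC_GROUP_check_named_curve()` rejection in `EC_GROUP_new_from_params` compiles out the upstream explicit-encoding handling with no comment saying why. I would annotate the guard, for example `/* Downstream policy: explicit curve parameters are rejected above, so the upstream explicit-encoding handling is compiled out */`. With that block disabled, a group that passes the check while `named_group == group` is returned exactly as built from the caller's parameters, whereas the `else` branch swaps in `named_group`. It is worth confirming that this case is unreachable, or deciding explicitly what should happen there. The function starts and ends outside the hunk, so how `group` was built is not visible here.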
@@ -120,3 +143,66 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_ecdsa.txt.disable_e
  PrivateKey = B-163
  -----BEGIN PRIVATE KEY-----
  MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K
+diff -up openssl-3.0.9/test/ectest.c.noec openssl-3.0.9/test/ectest.c
+--- openssl-3.0.9/test/ectest.c.noec	2023-07-27 11:30:24.078979261 +0200
++++ openssl-3.0.9/test/ectest.c	2023-07-27 11:35:12.335576107 +0200
+@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromd
+     if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld))
+         || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL))
+         || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0)
+-        || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam,
++        || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam,
+                                           EVP_PKEY_KEY_PARAMETERS, params), 0))
+         goto err;
+-
++/* As creating the key should fail, the rest of the test is pointless */
++# if 0
+     /*- Check that all the set values are retrievable -*/
+ 
+     /* There should be no match to a group name since the generator changed */
+@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromd
+ #endif
+         )
+         goto err;
++#endif
+     ret = 1;
+ err:
+     BN_free(order_out);
+@@ -2714,21 +2716,21 @@ static int custom_params_test(int id)
+ 
+     /* Compute keyexchange in both directions */
+     if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1)
+             || !TEST_int_gt(bsize, sslen)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/)
+         goto err;
+     if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL))
+-            || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1)
+-            || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
++            || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)
++/*          || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1)
+             || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1)
+             || !TEST_int_gt(bsize, t)
+             || !TEST_int_le(sslen, t)
+-            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1))
++            || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */)
+         goto err;
+-
++#if 0
+     /* Both sides should expect the same shared secret */
+     if (!TEST_mem_eq(buf1, sslen, buf2, t))
+         goto err;
+@@ -2780,7 +2782,7 @@ static int custom_params_test(int id)
+             /* compare with previous result */
+             || !TEST_mem_eq(buf1, t, buf2, sslen))
+         goto err;
+-
++#endif
+     ret = 1;
+ 
+  err:
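Review bot: In `custom_params_test` the second direction asserts `TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)`, which holds whether the call fails or returns 1, so the test no longer proves that key derivation with a custom-curve key is refused on that side. The first direction uses `0` as the bound and the second should match: `|| !TEST_int_le(EVP_PKEY_derive_init(pctx2), 0)`. As a smaller point, the guards are spelled inconsistently (`# if 0` in `do_test_custom_explicit_fromdata`, `#if 0` here). Both functions extend beyond the hunks shown, so how `pkey1` and `pkey2` are set up is not visible.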

diff --git a/openssl.spec b/openssl.spec
index b0ae81d..9828c2f 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 1
 Source: openssl-%{version}.tar.gz
 Source2: Makefile.certificate
@@ -483,6 +483,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 
 %changelog
+* Thu Jul 27 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-4
+- Forbid custom EC more completely
+  Resolves: rhbz#2223953
+
 * Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1:3.0.8-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 
