openssl: update to 3.3.2

2025-06-05 06:33:50 +02:00 · 2024-09-11 14:20:18 -04:00 · 2024-09-11 14:20:18 -04:00 · e443c47ff1
commit e443c47ff1
parent 2991ed7a16
2 changed files with 2 additions and 110 deletions
--- a/srcpkgs/openssl/patches/CVE-2024-5535.patch
+++ b/srcpkgs/openssl/patches/CVE-2024-5535.patch
@ -1,108 +0,0 @@
 From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001
 From: Matt Caswell <matt@openssl.org>
 Date: Fri, 31 May 2024 11:14:33 +0100
 Subject: [PATCH] Fix SSL_select_next_proto
 Ensure that the provided client list is non-NULL and starts with a valid
 entry. When called from the ALPN callback the client list should already
 have been validated by OpenSSL so this should not cause a problem. When
 called from the NPN callback the client list is locally configured and
 will not have already been validated. Therefore SSL_select_next_proto
 should not assume that it is correctly formatted.
 We implement stricter checking of the client protocol list. We also do the
 same for the server list while we are about it.
 CVE-2024-5535
 Reviewed-by: Tomas Mraz <tomas@openssl.org>
 Reviewed-by: Neil Horman <nhorman@openssl.org>
 (Merged from https://github.com/openssl/openssl/pull/24716)
 (cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e)
 ---
 ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
 1 file changed, 40 insertions(+), 23 deletions(-)
 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
 index 5ec6ac4b63dc5..4c20ac4bf1fe7 100644
 --- a/ssl/ssl_lib.c
 +++ b/ssl/ssl_lib.c
@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
                           unsigned int server_len,
                           const unsigned char *client, unsigned int client_len)
 {
 -    unsigned int i, j;
 -    const unsigned char *result;
 -    int status = OPENSSL_NPN_UNSUPPORTED;
 +    PACKET cpkt, csubpkt, spkt, ssubpkt;
 +
 +    if (!PACKET_buf_init(&cpkt, client, client_len)
 +            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
 +            || PACKET_remaining(&csubpkt) == 0) {
 +        *out = NULL;
 +        *outlen = 0;
 +        return OPENSSL_NPN_NO_OVERLAP;
 +    }
 +
 +    /*
 +     * Set the default opportunistic protocol. Will be overwritten if we find
 +     * a match.
 +     */
 +    *out = (unsigned char *)PACKET_data(&csubpkt);
 +    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
     /*
      * For each protocol in server preference order, see if we support it.
      */
 -    for (i = 0; i < server_len;) {
 -        for (j = 0; j < client_len;) {
 -            if (server[i] == client[j] &&
 -                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
 -                /* We found a match */
 -                result = &server[i];
 -                status = OPENSSL_NPN_NEGOTIATED;
 -                goto found;
 +    if (PACKET_buf_init(&spkt, server, server_len)) {
 +        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
 +            if (PACKET_remaining(&ssubpkt) == 0)
 +                continue; /* Invalid - ignore it */
 +            if (PACKET_buf_init(&cpkt, client, client_len)) {
 +                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
 +                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
 +                                     PACKET_remaining(&ssubpkt))) {
 +                        /* We found a match */
 +                        *out = (unsigned char *)PACKET_data(&ssubpkt);
 +                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
 +                        return OPENSSL_NPN_NEGOTIATED;
 +                    }
 +                }
 +                /* Ignore spurious trailing bytes in the client list */
 +            } else {
 +                /* This should never happen */
 +                return OPENSSL_NPN_NO_OVERLAP;
             }
 -            j += client[j];
 -            j++;
         }
 -        i += server[i];
 -        i++;
 +        /* Ignore spurious trailing bytes in the server list */
     }
 -    /* There's no overlap between our protocols and the server's list. */
 -    result = client;
 -    status = OPENSSL_NPN_NO_OVERLAP;
 -
 - found:
 -    *out = (unsigned char *)result + 1;
 -    *outlen = result[0];
 -    return status;
 +    /*
 +     * There's no overlap between our protocols and the server's list. We use
 +     * the default opportunistic protocol selected earlier
 +     */
 +    return OPENSSL_NPN_NO_OVERLAP;
 }
 #ifndef OPENSSL_NO_NEXTPROTONEG
--- a/srcpkgs/openssl/template
+++ b/srcpkgs/openssl/template
@ -1,6 +1,6 @@
 # Template file for 'openssl'
 pkgname=openssl
-version=3.3.1
+version=3.3.2
 revision=1
 bootstrap=yes
 build_style=configure
@ -17,7 +17,7 @@ maintainer="John <me@johnnynator.dev>"
 license="Apache-2.0"
 homepage="https://openssl-library.org"
 distfiles="https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"
-checksum=777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e
+checksum=2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281
 conf_files="/etc/ssl/openssl.cnf"
 replaces="libressl>=0"