openssl: update to 3.3.2

2024-09-11 14:20:18 -04:00 · 2024-09-11 14:20:18 -04:00 · e443c47ff1
parent 2991ed7a16
commit e443c47ff1
2 changed files with 2 additions and 110 deletions
--- a/srcpkgs/openssl/patches/CVE-2024-5535.patch
+++ b/srcpkgs/openssl/patches/CVE-2024-5535.patch
@ -1,108 +0,0 @@
-From e86ac436f0bd54d4517745483e2315650fae7b2c Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 31 May 2024 11:14:33 +0100
-Subject: [PATCH] Fix SSL_select_next_proto
-
-Ensure that the provided client list is non-NULL and starts with a valid
-entry. When called from the ALPN callback the client list should already
-have been validated by OpenSSL so this should not cause a problem. When
-called from the NPN callback the client list is locally configured and
-will not have already been validated. Therefore SSL_select_next_proto
-should not assume that it is correctly formatted.
-
-We implement stricter checking of the client protocol list. We also do the
-same for the server list while we are about it.
-
-CVE-2024-5535
-
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24716)
-
-(cherry picked from commit 2ebbe2d7ca8551c4cb5fbb391ab9af411708090e)
---
- ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++-------------------
- 1 file changed, 40 insertions(+), 23 deletions(-)
-
-diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
-index 5ec6ac4b63dc5..4c20ac4bf1fe7 100644
--- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3530,37 +3530,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
-                           unsigned int server_len,
-                           const unsigned char *client, unsigned int client_len)
- {
-    unsigned int i, j;
-    const unsigned char *result;
-    int status = OPENSSL_NPN_UNSUPPORTED;
-+    PACKET cpkt, csubpkt, spkt, ssubpkt;
-+
-+    if (!PACKET_buf_init(&cpkt, client, client_len)
-+            || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt)
-+            || PACKET_remaining(&csubpkt) == 0) {
-+        *out = NULL;
-+        *outlen = 0;
-+        return OPENSSL_NPN_NO_OVERLAP;
-+    }
-+
-+    /*
-+     * Set the default opportunistic protocol. Will be overwritten if we find
-+     * a match.
-+     */
-+    *out = (unsigned char *)PACKET_data(&csubpkt);
-+    *outlen = (unsigned char)PACKET_remaining(&csubpkt);
- 
-     /*
-      * For each protocol in server preference order, see if we support it.
-      */
-    for (i = 0; i < server_len;) {
-        for (j = 0; j < client_len;) {
-            if (server[i] == client[j] &&
-                memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) {
-                /* We found a match */
-                result = &server[i];
-                status = OPENSSL_NPN_NEGOTIATED;
-                goto found;
-+    if (PACKET_buf_init(&spkt, server, server_len)) {
-+        while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) {
-+            if (PACKET_remaining(&ssubpkt) == 0)
-+                continue; /* Invalid - ignore it */
-+            if (PACKET_buf_init(&cpkt, client, client_len)) {
-+                while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) {
-+                    if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt),
-+                                     PACKET_remaining(&ssubpkt))) {
-+                        /* We found a match */
-+                        *out = (unsigned char *)PACKET_data(&ssubpkt);
-+                        *outlen = (unsigned char)PACKET_remaining(&ssubpkt);
-+                        return OPENSSL_NPN_NEGOTIATED;
-+                    }
-+                }
-+                /* Ignore spurious trailing bytes in the client list */
-+            } else {
-+                /* This should never happen */
-+                return OPENSSL_NPN_NO_OVERLAP;
-             }
-            j += client[j];
-            j++;
-         }
-        i += server[i];
-        i++;
-+        /* Ignore spurious trailing bytes in the server list */
-     }
- 
-    /* There's no overlap between our protocols and the server's list. */
-    result = client;
-    status = OPENSSL_NPN_NO_OVERLAP;
-
- found:
-    *out = (unsigned char *)result + 1;
-    *outlen = result[0];
-    return status;
-+    /*
-+     * There's no overlap between our protocols and the server's list. We use
-+     * the default opportunistic protocol selected earlier
-+     */
-+    return OPENSSL_NPN_NO_OVERLAP;
- }
- 
- #ifndef OPENSSL_NO_NEXTPROTONEG
--- a/srcpkgs/openssl/template
+++ b/srcpkgs/openssl/template
@ -1,6 +1,6 @@
 # Template file for 'openssl'
 pkgname=openssl
-version=3.3.1
+version=3.3.2
 revision=1
 bootstrap=yes
 build_style=configure
@ -17,7 +17,7 @@ maintainer="John <me@johnnynator.dev>"
 license="Apache-2.0"
 homepage="https://openssl-library.org"
 distfiles="https://github.com/openssl/openssl/releases/download/openssl-${version}/openssl-${version}.tar.gz"
-checksum=777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e
+checksum=2e8a40b01979afe8be0bbfb3de5dc1c6709fedb46d6c89c10da114ab5fc3d281
 conf_files="/etc/ssl/openssl.cnf"
 replaces="libressl>=0"