From patchwork Fri Oct 3 14:04:35 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 9151
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH] openssl: Update to version 3.5.4
Date: Fri, 3 Oct 2025 16:04:35 +0200
Message-ID: <20251003140435.3411510-1-adolf.belka@ipfire.org>

- Update from version 3.5.1 to 3.5.4
- Update of rootfile
- Changelog
    3.5.4
        * Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
          Issue summary: An application trying to decrypt CMS messages encrypted using password based encryption can trigger an out-of-bounds read and write.
          Impact summary: This out-of-bounds read may trigger a crash which leads to Denial of Service for an application. The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service or Execution of attacker-supplied code.
          The issue was reported by Stanislav Fort (Aisle Research).
          ([CVE-2025-9230])
        * Fix Timing side-channel in SM2 algorithm on 64 bit ARM
          Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.
          Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker.
          The issue was reported by Stanislav Fort (Aisle Research).
          ([CVE-2025-9231])
        * Fix Out-of-bounds read in HTTP client no_proxy handling
          Issue summary: An application using the OpenSSL HTTP client API functions may trigger an out-of-bounds read if the "no_proxy" environment variable is set and the host portion of the authority component of the HTTP URL is an IPv6 address.
          Impact summary: An out-of-bounds read can trigger a crash which leads to Denial of Service for an application.
          The issue was reported by Stanislav Fort (Aisle Research).
          ([CVE-2025-9232])
        * The FIPS provider no longer performs a PCT on key import for ECX keys (that was introduced in 3.5.2), following the latest update on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
        * Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted signatures.
        * Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release builds, as it broke some existing applications that relied on the previous 3.x semantics, as documented in `OpenSSL_version(3)`.
    3.5.3
        * Avoided a potential race condition introduced in 3.5.1, where `OSSL_STORE_CTX` kept open during lookup while potentially being used by multiple threads simultaneously, that could lead to potential crashes when multiple concurrent TLS connections are served.
        * The FIPS provider no longer performs a PCT on key import for RSA, DH, and EC keys (that was introduced in 3.5.2), following the latest update on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
        * Secure memory allocation calls are no longer used for HMAC keys.
        * `openssl req` no longer generates certificates with an empty extension list when SKID/AKID are set to `none` during generation.
        * The man page date is now derived from the release date provided in `VERSION.dat` and not the current date for the released builds.
        * Hardened the provider implementation of the RSA public key "encrypt" operation to add a missing check that the caller-indicated output buffer size is at least as large as the byte count of the RSA modulus. The issue was reported by Arash Ale Ebrahim from SYSPWN. This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that in fact provide a sufficiently large buffer, but fail to correctly indicate its size may now encounter unexpected errors. In applications that attempt RSA public encryption into a buffer that is too small, an out-of-bounds write is now avoided and an error is reported instead.
        * Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`. 3.5.2 * The FIPS provider now performs a PCT on key import for RSA, EC and ECX. This is mandated by FIPS 140-3 IG 10.3.A additional comment 1. Signed-off-by: Adolf Belka --- config/rootfiles/common/openssl | 2 ++ lfs/openssl | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index 8c154485e..5374f5e65 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -5530,10 +5530,12 @@ usr/lib/ossl-modules/legacy.so #usr/share/man/man3/SSL_POLL_EVENT_E.3ossl #usr/share/man/man3/SSL_POLL_EVENT_EC.3ossl #usr/share/man/man3/SSL_POLL_EVENT_ECD.3ossl +#usr/share/man/man3/SSL_POLL_EVENT_EL.3ossl #usr/share/man/man3/SSL_POLL_EVENT_ER.3ossl #usr/share/man/man3/SSL_POLL_EVENT_EW.3ossl #usr/share/man/man3/SSL_POLL_EVENT_F.3ossl #usr/share/man/man3/SSL_POLL_EVENT_I.3ossl +#usr/share/man/man3/SSL_POLL_EVENT_IC.3ossl #usr/share/man/man3/SSL_POLL_EVENT_IS.3ossl #usr/share/man/man3/SSL_POLL_EVENT_ISB.3ossl #usr/share/man/man3/SSL_POLL_EVENT_ISE.3ossl diff --git a/lfs/openssl b/lfs/openssl index c59714470..dc3f733a0 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@ include Config -VER = 3.5.1 +VER = 3.5.4 THISAPP = openssl-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -72,7 +72,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 172db56ac41cee78bcb5d2223c33d78baf3326d8d466115f39be414384d265ad4541e00096d3f53435f9f89119882ae587b20b1ac05dc2ace46a0d43d7cc6996 +$(DL_FILE)_BLAKE2 = 07e02f88af05e189385eef28599b81bd16d242130975c79df46e565a0dd92f74e59807d4770a2b3316adf08f2ca6a0dd2bfc96ab2a88a8dfb5c0d19197fe8fbf install : $(TARGET)
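Review bot: both added rootfile lines, `+#usr/share/man/man3/SSL_POLL_EVENT_EL.3ossl` and `+#usr/share/man/man3/SSL_POLL_EVENT_IC.3ossl`, carry the leading `#` like the surrounding SSL_POLL_EVENT entries, so the hunk records two new man pages without installing anything, which is the right treatment for man3 pages in this file. Since the bump spans three upstream releases and only these two rootfile lines change, the commit message's "Update of rootfile" would be easier to verify if it said the rootfile was regenerated from a 3.5.4 build rather than edited by hand.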
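Review bot: `+VER = 3.5.4` in the first lfs/openssl hunk agrees with the subject and with the three changelog sections (3.5.2 through 3.5.4) quoted in the message, so the version bump itself is consistent. Because this bump carries the fixes for CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232, flagging the security relevance in the subject line or in a trailer that names the CVEs would help anyone scanning the list archive or `git log` for security updates.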
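Review bot: the new `$(DL_FILE)_BLAKE2` literal in the second lfs/openssl hunk is the only thing tying the build to the intended tarball, and the message does not say where the value came from. Add a sentence stating that the digest was computed over openssl-3.5.4.tar.gz after the upstream signature was verified, so a reviewer can reproduce the value instead of accepting the literal on trust; the old and new values have the same width, so the format at least matches the existing line.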
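The 3.5.3 entry about hardening the RSA public-key "encrypt" operation describes a calling contract without showing it. The C program below is an added example written for this page, not OpenSSL code: it models the provider operation with a toy textbook-RSA key whose modulus fits in 64 bits (constructed values n = 3233, e = 17) so it runs without libcrypto, keeps the `EVP_PKEY_encrypt(3)`-style convention (a NULL `out` queries the required size; `*outlen` is the capacity the caller claims), and contains the modulus-size check so a mis-stated capacity returns an error instead of writing past the buffer. All type and function names (`toy_rsa_pub`, `toy_rsa_pub_encrypt`, `encrypt_sized`, `known_answer_ok`, `short_buffer_rejected`) are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy RSA public key with n < 2^64 so the arithmetic fits in
 * unsigned __int128. Constructed example values, not a real key. */
typedef struct {
    uint64_t n;      /* modulus */
    uint64_t e;      /* public exponent */
    size_t nbytes;   /* byte length of n: the size every ciphertext needs */
} toy_rsa_pub;

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

static uint64_t powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1 % m;
    base %= m;
    while (exp != 0) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}

/* Model of the provider public "encrypt" operation with the buffer check
 * the 3.5.3 changelog describes. Calling contract as in EVP_PKEY_encrypt(3):
 * out == NULL asks for the required size, otherwise *outlen is the capacity
 * the caller claims for out. Returns 1 on success, 0 on error. */
int toy_rsa_pub_encrypt(const toy_rsa_pub *key, unsigned char *out,
                        size_t *outlen, const unsigned char *in, size_t inlen)
{
    if (key == NULL || outlen == NULL) return 0;
    if (key->nbytes == 0 || key->nbytes > sizeof(uint64_t)) return 0;
    if (out == NULL) {              /* size query: nothing is written */
        *outlen = key->nbytes;
        return 1;
    }
    /* The added check: refuse before any write when the claimed capacity is
     * below the modulus size. Without it the loop at the end would write
     * nbytes bytes into whatever buffer the caller passed. */
    if (*outlen < key->nbytes) return 0;
    if (in == NULL || inlen == 0 || inlen > key->nbytes) return 0;

    /* Textbook RSA (no padding): the message must be an integer below n. */
    uint64_t m = 0;
    for (size_t i = 0; i < inlen; i++) m = (m << 8) | in[i];
    if (m >= key->n) return 0;

    uint64_t c = powmod(m, key->e, key->n);
    for (size_t i = 0; i < key->nbytes; i++)   /* big-endian, fixed width */
        out[key->nbytes - 1 - i] = (unsigned char)(c >> (8 * i));
    *outlen = key->nbytes;
    return 1;
}

/* Caller side: query the size first, then pass the buffer's real capacity.
 * A caller that does this never reaches the new error path. */
int encrypt_sized(const toy_rsa_pub *key, const unsigned char *in, size_t inlen,
                  unsigned char *buf, size_t bufcap, size_t *written)
{
    size_t need = 0;
    if (!toy_rsa_pub_encrypt(key, NULL, &need, in, inlen)) return 0;
    if (need > bufcap) return 0;    /* caller's own capacity check */
    *written = bufcap;              /* true capacity, not a guess */
    return toy_rsa_pub_encrypt(key, buf, written, in, inlen);
}

/* Known-answer check: with n = 3233, e = 17 the message 65 encrypts to
 * 2790 = 0x0AE6. Returns 1 when the output matches. */
int known_answer_ok(void)
{
    const toy_rsa_pub key = { 3233, 17, 2 };
    const unsigned char msg[1] = { 65 };
    unsigned char ct[2] = { 0, 0 };
    size_t len = 0;
    if (!encrypt_sized(&key, msg, 1, ct, sizeof ct, &len)) return 0;
    return len == 2 && ct[0] == 0x0A && ct[1] == 0xE6;
}

/* Mis-sized call: the caller claims a 1-byte capacity for a 2-byte result.
 * The hardened operation returns an error and leaves the buffer untouched;
 * returns 1 when that is what happened. */
int short_buffer_rejected(void)
{
    const toy_rsa_pub key = { 3233, 17, 2 };
    const unsigned char msg[1] = { 65 };
    unsigned char ct[2] = { 0, 0 };
    size_t claimed = 1;             /* wrong: ct really holds 2 bytes */
    int rc = toy_rsa_pub_encrypt(&key, ct, &claimed, msg, 1);
    return rc == 0 && ct[0] == 0 && ct[1] == 0;
}

int main(void)
{
    printf("known answer: %s\n", known_answer_ok() ? "ok" : "FAIL");
    printf("short buffer: %s\n", short_buffer_rejected() ? "rejected" : "FAIL");
    return 0;
}
```

Build with gcc or clang (`unsigned __int128` is a GCC/Clang extension). The padding-free arithmetic exists only to keep the example self-contained; what carries over to real code is the two-call sizing pattern in `encrypt_sized` and the rule that `*outlen` must describe the buffer actually passed, which is precisely what the hardened provider now enforces and why callers that under-report a large buffer start seeing errors after 3.5.3.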