···

       
1
       
1
       
-
       
From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001

     

       
2
       
2
       
-
       
From: Tomas Mraz <tomas@openssl.org>

     

       
3
       
3
       
-
       
Date: Tue, 20 May 2025 16:34:10 +0200

     

       
4
       
4
       
-
       
Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead

     

       
5
       
5
       
-
       
 of rejection

     

       
6
       
6
       
-
       


     

       
7
       
7
       
-
       
Fixes CVE-2025-4575

     

       
8
       
8
       
-
       


     

       
9
       
9
       
-
       
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>

     

       
10
       
10
       
-
       
Reviewed-by: Paul Dale <ppzgs1@gmail.com>

     

       
11
       
11
       
-
       
(Merged from https://github.com/openssl/openssl/pull/27672)

     

       
12
       
12
       
-
       


     

       
13
       
13
       
-
       
(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)

     

       
14
       
14
       
-
       
---

     

       
15
       
15
       
-
       
 apps/x509.c                 |  2 +-

     

       
16
       
16
       
-
       
 test/recipes/25-test_x509.t | 12 +++++++++++-

     

       
17
       
17
       
-
       
 2 files changed, 12 insertions(+), 2 deletions(-)

     

       
18
       
18
       
-
       


     

       
19
       
19
       
-
       
diff --git a/apps/x509.c b/apps/x509.c

     

       
20
       
20
       
-
       
index fdae8f383a667..0c340c15b321a 100644

     

       
21
       
21
       
-
       
--- a/apps/x509.c

     

       
22
       
22
       
-
       
+++ b/apps/x509.c

     

       
23
       
23
       
-
       
@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)

     

       
24
       
24
       
-
       
                            prog, opt_arg());

     

       
25
       
25
       
-
       
                 goto opthelp;

     

       
26
       
26
       
-
       
             }

     

       
27
       
27
       
-
       
-            if (!sk_ASN1_OBJECT_push(trust, objtmp))

     

       
28
       
28
       
-
       
+            if (!sk_ASN1_OBJECT_push(reject, objtmp))

     

       
29
       
29
       
-
       
                 goto end;

     

       
30
       
30
       
-
       
             trustout = 1;

     

       
31
       
31
       
-
       
             break;

     

       
32
       
32
       
-
       
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t

     

       
33
       
33
       
-
       
index 09b61708ff8a5..dfa0a428f5f0c 100644

     

       
34
       
34
       
-
       
--- a/test/recipes/25-test_x509.t

     

       
35
       
35
       
-
       
+++ b/test/recipes/25-test_x509.t

     

       
36
       
36
       
-
       
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;

     

       
37
       
37
       
-
       
 

     

       
38
       
38
       
-
       
 setup("test_x509");

     

       
39
       
39
       
-
       
 

     

       
40
       
40
       
-
       
-plan tests => 134;

     

       
41
       
41
       
-
       
+plan tests => 138;

     

       
42
       
42
       
-
       
 

     

       
43
       
43
       
-
       
 # Prevent MSys2 filename munging for arguments that look like file paths but

     

       
44
       
44
       
-
       
 # aren't

     

       
45
       
45
       
-
       
@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",

     

       
46
       
46
       
-
       
 && run(app(["openssl", "verify", "-no_check_time",

     

       
47
       
47
       
-
       
             "-trusted", $ca, "-partial_chain", $caout])));

     

       
48
       
48
       
-
       
 

     

       
49
       
49
       
-
       
+# test trust decoration

     

       
50
       
50
       
-
       
+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",

     

       
51
       
51
       
-
       
+            "-out", "ca-trusted.pem"])));

     

       
52
       
52
       
-
       
+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",

     

       
53
       
53
       
-
       
+              1, 'trusted use - E-mail Protection');

     

       
54
       
54
       
-
       
+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",

     

       
55
       
55
       
-
       
+            "-out", "ca-rejected.pem"])));

     

       
56
       
56
       
-
       
+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",

     

       
57
       
57
       
-
       
+              1, 'rejected use - E-mail Protection');

     

       
58
       
58
       
-
       
+

     

       
59
       
59
       
-
       
 subtest 'x509 -- x.509 v1 certificate' => sub {

     

       
60
       
60
       
-
       
     tconversion( -type => 'x509', -prefix => 'x509v1',

     

       
61
       
61
       
-
       
                  -in => srctop_file("test", "testx509.pem") );

     

···

       
1
       
1
       
-
       
From 38bf6f3036d1baddbe4618a219aaf17d460091d9 Mon Sep 17 00:00:00 2001

     

       
2
       
2
       
-
       
From: Matt Caswell <matt@openssl.org>

     

       
3
       
3
       
-
       
Date: Mon, 7 Apr 2025 09:58:30 +0100

     

       
4
       
4
       
-
       
Subject: [PATCH] Fix SSL_accept()

     

       
5
       
5
       
-
       
MIME-Version: 1.0

     

       
6
       
6
       
-
       
Content-Type: text/plain; charset=UTF-8

     

       
7
       
7
       
-
       
Content-Transfer-Encoding: 8bit

     

       
8
       
8
       
-
       


     

       
9
       
9
       
-
       
If you have a QUIC server SSL connection object, you should be able to

     

       
10
       
10
       
-
       
call SSL_accept() on it.

     

       
11
       
11
       
-
       


     

       
12
       
12
       
-
       
Fixes #27282

     

       
13
       
13
       
-
       


     

       
14
       
14
       
-
       
Reviewed-by: Neil Horman <nhorman@openssl.org>

     

       
15
       
15
       
-
       
Reviewed-by: Saša Nedvědický <sashan@openssl.org>

     

       
16
       
16
       
-
       
(Merged from https://github.com/openssl/openssl/pull/27283)

     

       
17
       
17
       
-
       
---

     

       
18
       
18
       
-
       
 ssl/quic/quic_method.c | 4 ++--

     

       
19
       
19
       
-
       
 1 file changed, 2 insertions(+), 2 deletions(-)

     

       
20
       
20
       
-
       


     

       
21
       
21
       
-
       
diff --git a/ssl/quic/quic_method.c b/ssl/quic/quic_method.c

     

       
22
       
22
       
-
       
index 0de2bca47e6bb..8092855efc61a 100644

     

       
23
       
23
       
-
       
--- a/ssl/quic/quic_method.c

     

       
24
       
24
       
-
       
+++ b/ssl/quic/quic_method.c

     

       
25
       
25
       
-
       
@@ -23,5 +23,5 @@ IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,

     

       
26
       
26
       
-
       
 

     

       
27
       
27
       
-
       
 IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,

     

       
28
       
28
       
-
       
                          OSSL_QUIC_server_method,

     

       
29
       
29
       
-
       
-                         ssl_undefined_function,

     

       
30
       
30
       
-
       
-                         ossl_quic_connect, ssl3_undef_enc_method)

     

       
31
       
31
       
-
       
+                         ossl_quic_accept,

     

       
32
       
32
       
-
       
+                         ssl_undefined_function, ssl3_undef_enc_method)

     

···

       
388
       
388
       
 
       
  };

     

       
389
       
389
       
 
       


     

       
390
       
390
       
 
       
  openssl_3_5 = common {

     

       
391
       
391
       
-
       
    version = "3.5.0";

     

       
392
       
392
       
-
       
    hash = "sha256-NE0KefGpsIApsHROLMQBpD+ckKzRBE0JpTC0iFqOn8A=";

     

       
391
       
391
       
+
       
    version = "3.5.1";

     

       
392
       
392
       
+
       
    hash = "sha256-UpBDsVz/pfNgd6TQr4Pz3jmYBxgdYHRB1zQZbYibZB8=";

     

       
393
       
393
       
 
       


     

       
394
       
394
       
 
       
    patches = [

     

       
395
       
395
       
 
       
      ./3.0/nix-ssl-cert-file.patch

     
···

       
404
       
404
       
 
       
        else

     

       
405
       
405
       
 
       
          ./3.5/use-etc-ssl-certs.patch

     

       
406
       
406
       
 
       
      )

     

       
407
       
407
       
-
       


     

       
408
       
408
       
-
       
      # can be dropped again with 3.5.1, see: https://github.com/openssl/openssl/issues/27282

     

       
409
       
409
       
-
       
      ./3.5/quic_accept.patch

     

       
410
       
410
       
-
       


     

       
411
       
411
       
-
       
      # can be dropped again with 3.5.1

     

       
412
       
412
       
-
       
      ./3.5/CVE-2025-4575.patch

     

       
413
       
407
       
 
       
    ];

     

       
414
       
408
       
 
       


     

       
415
       
409
       
 
       
    withDocs = true;