diff options
Diffstat (limited to 'system/openssl/za.patch')
| -rw-r--r-- | system/openssl/za.patch | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/system/openssl/za.patch b/system/openssl/za.patch new file mode 100644 index 000000000..90a30beb1 --- /dev/null +++ b/system/openssl/za.patch @@ -0,0 +1,108 @@ +From 72f5c8e48a09ab09dae91c869e53e3d0c75ef921 Mon Sep 17 00:00:00 2001 +From: Ken Zalewski <ken.zalewski@gmail.com> +Date: Sat, 13 Jul 2024 12:19:50 -0400 +Subject: [PATCH] Patch to openssl-1.1.1za. This version addresses one + vulnerability: CVE-2024-5535 + +--- + include/openssl/opensslv.h | 4 +-- + ssl/ssl_lib.c | 63 ++++++++++++++++++++++++-------------- + 2 files changed, 42 insertions(+), 25 deletions(-) + +diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h +index 585109a..a1a5d07 100644 +--- a/include/openssl/opensslv.h ++++ b/include/openssl/opensslv.h +@@ -39,8 +39,8 @@ extern "C" { + * (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for + * major minor fix final patch/beta) + */ +-# define OPENSSL_VERSION_NUMBER 0x1010119fL +-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1y 27 May 2024" ++# define OPENSSL_VERSION_NUMBER 0x101011afL ++# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1za 26 Jun 2024" + + /*- + * The macros below are to be used for shared library (.so, .dll, ...) +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 356d65c..ccb1d4a 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2761,37 +2761,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG |