Diffstat (limited to '')
-rw-r--r--security/openssl35/Makefile17
-rw-r--r--security/openssl35/distinfo6
-rw-r--r--security/openssl35/files/patch-CVE-2025-457561
3 files changed, 11 insertions, 73 deletions
diff --git a/security/openssl35/Makefile b/security/openssl35/Makefile
index 03c8a5cf9203..025e57551ed5 100644
--- a/security/openssl35/Makefile
+++ b/security/openssl35/Makefile
@@ -1,5 +1,5 @@
PORTNAME= openssl
-PORTVERSION= 3.5.0
+PORTVERSION= 3.5.2
PORTREVISION= 1
CATEGORIES= security devel
PKGNAMESUFFIX= 35
@@ -29,8 +29,10 @@ LDFLAGS_i386= -Wl,-znotext
MAKE_ARGS+= WHOLE_ARCHIVE_FLAG=--whole-archive CNF_LDFLAGS="${LDFLAGS}"
MAKE_ENV+= LIBRPATH="${PREFIX}/lib" GREP_OPTIONS=
-OPTIONS_GROUP= CIPHERS COMPRESSION HASHES MODULES OPTIMIZE PQC PROTOCOLS
-OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 TLS-DEPRECATED-EC WEAK-SSL-CIPHERS
+OPTIONS_GROUP= CIPHERS COMPRESSION HASHES MODULES OPTIMIZE PQC \
+ PROTOCOLS
+OPTIONS_GROUP_CIPHERS= ARIA DES GOST IDEA SM4 RC2 RC4 RC5 TLS-DEPRECATED-EC \
+ WEAK-SSL-CIPHERS
OPTIONS_GROUP_COMPRESSION= BROTLI ZLIB ZSTD
OPTIONS_GROUP_HASHES= MD2 MD4 MDC2 RMD160 SM2 SM3
OPTIONS_GROUP_OPTIMIZE= ASM SSE2 THREADS THREADPOOL
@@ -41,10 +43,9 @@ OPTIONS_GROUP_PROTOCOLS=NEXTPROTONEG QUIC SCTP SSL3 TLS1 TLS1_1 TLS1_2
OPTIONS_DEFINE= ASYNC CT FIPS-JITTER KTLS MAN3 RFC3779 SHARED
-OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST MAN3 MD4 ML-DSA ML-KEM NEXTPROTONEG \
- QUIC RFC3779 RC2 RC4 RMD160 SCTP SHARED SLH-DSA SSE2 \
- THREADPOOL THREADS TLS1 TLS1_1 TLS1_2
-#OPTIONS_DEFAULT+= KTLS pending updated KTLS patch
+OPTIONS_DEFAULT=ASM ASYNC CT DES EC FIPS GOST KTLS MAN3 MD4 ML-DSA ML-KEM \
+ NEXTPROTONEG QUIC RFC3779 RC2 RC4 RMD160 SCTP SHARED SLH-DSA \
+ SSE2 THREADPOOL THREADS TLS1 TLS1_1 TLS1_2
OPTIONS_GROUP_OPTIMIZE_amd64= EC
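Review bot: KTLS moves into `OPTIONS_DEFAULT` here with no comment saying what changed, while the hunk at -131 drops both `KTLS_BROKEN` and `KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls`, so the option now builds from the unpatched 3.5.2 sources. Presumably upstream no longer needs the local patch, but nothing visible states that; a line such as `# KTLS: builds from upstream sources as of 3.5.2, extra-patch-ktls no longer applied` above `OPTIONS_DEFAULT` would record it. The diffstat lists only three files, so `files/extra-patch-ktls`, if it is still in the tree, is left unreferenced and should be removed in the same commit. Because this changes the feature set of the default package, it is worth confirming that the KTLS option builds and passes the test suite on each supported architecture before it ships as a default.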
@@ -131,8 +132,6 @@ I386_CONFIGURE_ON= 386
FIPS-JITTER_CFLAGS= -I${PREFIX}/include
FIPS-JITTER_LDFLAGS= -L${PREFIX}/lib
FIPS-JITTER_BUILD_DEPENDS= ${LOCALBASE}/lib/libjitterentropy.a:devel/libjitterentropy
-KTLS_BROKEN= Pending updated KTLS patch
-KTLS_EXTRA_PATCHES= ${FILESDIR}/extra-patch-ktls
LEGACY_VARS= shlibs+=lib/ossl-modules/legacy.so
MAN3_EXTRA_PATCHES_OFF= ${FILESDIR}/extra-patch-util_find-doc-nits
SHARED_MAKE_ENV= SHLIBVER=${OPENSSL_SHLIBVER}
diff --git a/security/openssl35/distinfo b/security/openssl35/distinfo
index a607cb09a0e2..255ff3531836 100644
--- a/security/openssl35/distinfo
+++ b/security/openssl35/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1744140897
-SHA256 (openssl-3.5.0.tar.gz) = 344d0a79f1a9b08029b0744e2cc401a43f9c90acd1044d09a530b4885a8e9fc0
-SIZE (openssl-3.5.0.tar.gz) = 53136912
+TIMESTAMP = 1754406677
+SHA256 (openssl-3.5.2.tar.gz) = c53a47e5e441c930c3928cf7bf6fb00e5d129b630e0aa873b08258656e7345ec
+SIZE (openssl-3.5.2.tar.gz) = 53180161
diff --git a/security/openssl35/files/patch-CVE-2025-4575 b/security/openssl35/files/patch-CVE-2025-4575
deleted file mode 100644
index 1bcec34bcb96..000000000000
--- a/security/openssl35/files/patch-CVE-2025-4575
+++ /dev/null
@@ -1,61 +0,0 @@
-From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 20 May 2025 16:34:10 +0200
-Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
- of rejection
-
-Fixes CVE-2025-4575
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/27672)
-
-(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)
----
- apps/x509.c | 2 +-
- test/recipes/25-test_x509.t | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/apps/x509.c b/apps/x509.c
-index fdae8f383a667..0c340c15b321a 100644
---- apps/x509.c.orig
-+++ apps/x509.c
-@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
- prog, opt_arg());
- goto opthelp;
- }
-- if (!sk_ASN1_OBJECT_push(trust, objtmp))
-+ if (!sk_ASN1_OBJECT_push(reject, objtmp))
- goto end;
- trustout = 1;
- break;
-diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
-index 09b61708ff8a5..dfa0a428f5f0c 100644
---- test/recipes/25-test_x509.t.orig
-+++ test/recipes/25-test_x509.t
-@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
-
- setup("test_x509");
-
--plan tests => 134;
-+plan tests => 138;
-
- # Prevent MSys2 filename munging for arguments that look like file paths but
- # aren't
-@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
- && run(app(["openssl", "verify", "-no_check_time",
- "-trusted", $ca, "-partial_chain", $caout])));
-
-+# test trust decoration
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
-+ "-out", "ca-trusted.pem"])));
-+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
-+ 1, 'trusted use - E-mail Protection');
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
-+ "-out", "ca-rejected.pem"])));
-+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
-+ 1, 'rejected use - E-mail Protection');
-+
- subtest 'x509 -- x.509 v1 certificate' => sub {
- tconversion( -type => 'x509', -prefix => 'x509v1',
- -in => srctop_file("test", "testx509.pem") );