From 7b57fb246e99e7b6b0f17f1a7a69f1dd5097b1c7 Mon Sep 17 00:00:00 2001
From: iigs <2274777+iigs@users.noreply.github.com>
Date: Fri, 21 Jun 2024 18:41:10 +0000
Subject: [PATCH] openssl-1.1: add patches for CVE-2024-2511 and CVE-2024-4741

---
 components/library/openssl/openssl-1.1/Makefile | 2 +-
 .../openssl-1.1/patches/CVE-2024-2511.patch | 85 ++++++++++++++++++++++
 .../openssl-1.1/patches/CVE-2024-4741.patch | 48 ++++++++++++
 3 files changed, 134 insertions(+), 1 deletion(-)
 create mode 100644 components/library/openssl/openssl-1.1/patches/CVE-2024-2511.patch
 create mode 100644 components/library/openssl/openssl-1.1/patches/CVE-2024-4741.patch

diff --git a/components/library/openssl/openssl-1.1/Makefile b/components/library/openssl/openssl-1.1/Makefile
index cfb3118ae9..6c4421e369 100644
--- a/components/library/openssl/openssl-1.1/Makefile
+++ b/components/library/openssl/openssl-1.1/Makefile
@@ -31,7 +31,7 @@ COMPONENT_NAME= openssl-$(COMPONENT_VERSION_SHORT)
 # and HUMAN_VERSION.
 COMPONENT_VERSION= 1.1.1.23
 HUMAN_VERSION= 1.1.1w
-COMPONENT_REVISION= 1
+COMPONENT_REVISION= 2
 COMPONENT_SUMMARY= OpenSSL - a Toolkit for Transport Layer (TLS v1+) protocols and general purpose cryptographic library
 COMPONENT_PROJECT_URL= https://www.openssl.org/
 COMPONENT_SRC= openssl-$(HUMAN_VERSION)
diff --git a/components/library/openssl/openssl-1.1/patches/CVE-2024-2511.patch b/components/library/openssl/openssl-1.1/patches/CVE-2024-2511.patch
new file mode 100644
index 0000000000..7a5088418d
--- /dev/null
+++ b/components/library/openssl/openssl-1.1/patches/CVE-2024-2511.patch
@@ -0,0 +1,85 @@
+From b57a09724d6cd8f3860aec74feaf8b865385df27 Mon Sep 17 00:00:00 2001
+From: Andy Fiddaman
+Date: Tue, 4 Jun 2024 18:05:50 +0000
+Subject: [PATCH 2/2] CVE-2024-2511
+
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/ssl_lib.c a/ssl/ssl_lib.c
+--- a~/ssl/ssl_lib.c 1970-01-01 00:00:00
++++ a/ssl/ssl_lib.c 1970-01-01 00:00:00
+@@ -3515,9 +3515,10 @@ void ssl_update_cache(SSL *s, int mode)
+ 
+ /*
+ * If the session_id_length is 0, we are not supposed to cache it, and it
+- * would be rather hard to do anyway :-)
++ * would be rather hard to do anyway :-). Also if the session has already
++ * been marked as not_resumable we should not cache it for later reuse.
+ */
+- if (s->session->session_id_length == 0)
++ if (s->session->session_id_length == 0 || s->session->not_resumable)
+ return;
+ 
+ /*
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/ssl_sess.c a/ssl/ssl_sess.c
+--- a~/ssl/ssl_sess.c 1970-01-01 00:00:00
++++ a/ssl/ssl_sess.c 1970-01-01 00:00:00
+@@ -94,16 +94,11 @@ SSL_SESSION *SSL_SESSION_new(void)
+ return ss;
+ }
+ 
+-SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
+-{
+- return ssl_session_dup(src, 1);
+-}
+-
+ /*
+ * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
+ * ticket == 0 then no ticket information is duplicated, otherwise it is.
+ */
+-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
++static SSL_SESSION *ssl_session_dup_intern(SSL_SESSION *src, int ticket)
+ {
+ SSL_SESSION *dest;
+ 
+@@ -226,6 +221,27 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION
+ return NULL;
+ }
+ 
++SSL_SESSION *SSL_SESSION_dup(SSL_SESSION *src)
++{
++ return ssl_session_dup_intern(src, 1);
++}
++
++/*
++ * Used internally when duplicating a session which might be already shared.
++ * We will have resumed the original session. Subsequently we might have marked
++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
++ * resume from.
++ */
++SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
++{
++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
++
++ if (sess != NULL)
++ sess->not_resumable = 0;
++
++ return sess;
++}
++
+ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+ if (len)
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/statem/statem_srvr.c a/ssl/statem/statem_srvr.c
+--- a~/ssl/statem/statem_srvr.c 1970-01-01 00:00:00
++++ a/ssl/statem/statem_srvr.c 1970-01-01 00:00:00
+@@ -2403,9 +2403,8 @@ int tls_construct_server_hello(SSL *s, W
+ * so the following won't overwrite an ID that we're supposed
+ * to send back.
+ */
+- if (s->session->not_resumable ||
+- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+- && !s->hit))
++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
++ && !s->hit)
+ s->session->session_id_length = 0;
+ 
+ if (usetls13) {
diff --git a/components/library/openssl/openssl-1.1/patches/CVE-2024-4741.patch b/components/library/openssl/openssl-1.1/patches/CVE-2024-4741.patch
new file mode 100644
index 0000000000..05b8481f12
--- /dev/null
+++ b/components/library/openssl/openssl-1.1/patches/CVE-2024-4741.patch
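Review bot: The inner patch header (`Subject: [PATCH 2/2] CVE-2024-2511`) names the CVE but carries no reference to the upstream OpenSSL commit it backports, so a later reader cannot check the three hunks (ssl_update_cache, the SSL_SESSION_dup/ssl_session_dup_intern split, and tls_construct_server_hello) for completeness against upstream. A one-line provenance note after the Subject line, e.g. `Backport of upstream OpenSSL commit <UPSTREAM_COMMIT_ID> for CVE-2024-2511`, would make the backport verifiable and keep the CVE-to-commit mapping with the patch rather than only in the packaging history. The Makefile hunk only bumps COMPONENT_REVISION, so whether the new patch file is applied presumably depends on the component's patch handling outside this diff; worth confirming. The bodies of ssl_update_cache, ssl_session_dup_intern and tls_construct_server_hello all extend outside their hunks.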
@@ -0,0 +1,48 @@
+From 943f4f6160684320fb9956087c603689ed9ff731 Mon Sep 17 00:00:00 2001
+From: Andy Fiddaman
+Date: Tue, 4 Jun 2024 18:02:06 +0000
+Subject: [PATCH 1/2] CVE-2024-4741
+
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/record/rec_layer_s3.c a/ssl/record/rec_layer_s3.c
+--- a~/ssl/record/rec_layer_s3.c 1970-01-01 00:00:00
++++ a/ssl/record/rec_layer_s3.c 1970-01-01 00:00:00
+@@ -81,6 +81,15 @@ int RECORD_LAYER_read_pending(const RECO
+ return SSL3_BUFFER_get_left(&rl->rbuf) != 0;
+ }
+ 
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl)
++{
++ if (rl->rstate == SSL_ST_READ_BODY)
++ return 1;
++ if (RECORD_LAYER_processed_read_pending(rl))
++ return 1;
++ return 0;
++}
++
+ /* Checks if we have decrypted unread record data pending */
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl)
+ {
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/record/record.h a/ssl/record/record.h
+--- a~/ssl/record/record.h 1970-01-01 00:00:00
++++ a/ssl/record/record.h 1970-01-01 00:00:00
+@@ -197,6 +197,7 @@ void RECORD_LAYER_release(RECORD_LAYER *
+ int RECORD_LAYER_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_processed_read_pending(const RECORD_LAYER *rl);
+ int RECORD_LAYER_write_pending(const RECORD_LAYER *rl);
++int RECORD_LAYER_data_present(const RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_read_sequence(RECORD_LAYER *rl);
+ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl);
+ int RECORD_LAYER_is_sslv2_record(RECORD_LAYER *rl);
+diff -wpruN --no-dereference '--exclude=*.orig' a~/ssl/ssl_lib.c a/ssl/ssl_lib.c
+--- a~/ssl/ssl_lib.c 1970-01-01 00:00:00
++++ a/ssl/ssl_lib.c 1970-01-01 00:00:00
+@@ -5248,6 +5248,9 @@ int SSL_free_buffers(SSL *ssl)
+ if (RECORD_LAYER_read_pending(rl) || RECORD_LAYER_write_pending(rl))
+ return 0;
+ 
++ if (RECORD_LAYER_data_present(rl))
++ return 0;
++
+ RECORD_LAYER_release(rl);
+ return 1;
+ }
-- 
2.11.4.GIT
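Review bot: The new `RECORD_LAYER_data_present` in the rec_layer_s3.c hunk has no header comment, while its neighbour `RECORD_LAYER_processed_read_pending` carries `/* Checks if we have decrypted unread record data pending */`; add one such as `/* Checks whether the record layer still holds a record whose body is being read (rstate == SSL_ST_READ_BODY) or processed-but-unconsumed record data, i.e. buffers that SSL_free_buffers() must not release */`. Without it the second guard added to SSL_free_buffers reads as a duplicate of the read_pending/write_pending check above it, and the reason is only recoverable from the CVE number in the Subject line; a provenance line naming the upstream commit, e.g. `Backport of upstream OpenSSL commit <UPSTREAM_COMMIT_ID> for CVE-2024-4741`, would help here as in the companion patch. Stylistically the new guard could be folded into the preceding `if`, but a separate statement keeps the backport hunk minimal and is fine. The body of SSL_free_buffers starts outside the hunk.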