[AUTO-CHERRYPICK] Patch openssl for CVE-2025-15467, CVE-2025-15468, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69420, CVE-2025-69421 - branch 3.0-dev (#15627)

Co-authored-by: corvus-callidus <lyrydber@microsoft.com>
Co-authored-by: jslobodzian <joslobo@microsoft.com>

Author: 3 people

SPECS/openssl/0001-Add-NULL-check-to-PKCS12_item_decrypt_d2i_ex.patch

@@ -0,0 +1,31 @@
+From 0a2ecb95993b588d2156dd6527459cc3983aabd5 Mon Sep 17 00:00:00 2001
+From: Andrew Dinh <andrewd@openssl.org>
+Date: Thu, 8 Jan 2026 01:24:30 +0900
+Subject: [PATCH] Add NULL check to PKCS12_item_decrypt_d2i_ex
+
+Address CVE-2025-69421
+
+Add NULL check for oct parameter
+---
+ crypto/pkcs12/p12_decr.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
+index 606713b9ee..1614da4404 100644
+--- a/crypto/pkcs12/p12_decr.c
++++ b/crypto/pkcs12/p12_decr.c
+@@ -146,6 +146,11 @@ void *PKCS12_item_decrypt_d2i_ex(const X509_ALGOR *algor, const ASN1_ITEM *it,
+     void *ret;
+     int outlen = 0;
+ 
++    if (oct == NULL) {
++        ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
++        return NULL;
++    }
++
+     if (!PKCS12_pbe_crypt_ex(algor, pass, passlen, oct->data, oct->length,
+                              &out, &outlen, 0, libctx, propq))
+         return NULL;
+-- 
+2.52.0
+

SPECS/openssl/0001-Check-the-received-uncompressed-certificate-length-t.patch

@@ -0,0 +1,33 @@
+From 04a93ac145041e3ef0121a2688cf7c1b23780519 Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Thu, 8 Jan 2026 14:02:54 +0100
+Subject: [PATCH] Check the received uncompressed certificate length to prevent
+ excessive pre-decompression allocation.
+
+The patch was proposed by Tomas Dulka and Stanislav Fort (Aisle Research).
+
+Fixes: CVE-2025-66199
+---
+ ssl/statem/statem_lib.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
+index 9e0c853c0d..f82d8dcdac 100644
+--- a/ssl/statem/statem_lib.c
++++ b/ssl/statem/statem_lib.c
+@@ -2877,6 +2877,12 @@ MSG_PROCESS_RETURN tls13_process_compressed_certificate(SSL_CONNECTION *sc,
+         goto err;
+     }
+ 
++    /* Prevent excessive pre-decompression allocation */
++    if (expected_length > sc->max_cert_list) {
++        SSLfatal(sc, SSL_AD_ILLEGAL_PARAMETER, SSL_R_EXCESSIVE_MESSAGE_SIZE);
++        goto err;
++    }
++
+     if (PACKET_remaining(pkt) != comp_length || comp_length == 0) {
+         SSLfatal(sc, SSL_AD_DECODE_ERROR, SSL_R_BAD_DECOMPRESSION);
+         goto err;
+-- 
+2.52.0
+

SPECS/openssl/0001-Correct-handling-of-AEAD-encrypted-CMS-with-inadmiss.patch

@@ -0,0 +1,31 @@
+From 190ba58c0a1d995d4da8b017054d4b74d138291c Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:13:35 +0100
+Subject: [PATCH 1/3] Correct handling of AEAD-encrypted CMS with inadmissibly
+ long IV
+
+Fixes CVE-2025-15467
+---
+ crypto/evp/evp_lib.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
+index 9eae1d421c..58fa7ce43b 100644
+--- a/crypto/evp/evp_lib.c
++++ b/crypto/evp/evp_lib.c
+@@ -228,10 +228,9 @@ int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
+     if (type == NULL || asn1_params == NULL)
+         return 0;
+ 
+-    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
+-    if (i <= 0)
++    i = ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
++    if (i <= 0 || i > EVP_MAX_IV_LENGTH)
+         return -1;
+-    ossl_asn1_type_get_octetstring_int(type, &tl, iv, i);
+ 
+     memcpy(asn1_params->iv, iv, i);
+     asn1_params->iv_len = i;
+-- 
+2.52.0
+

SPECS/openssl/0001-Fix-OCB-AES-NI-HW-stream-path-unauthenticated-unencr.patch

@@ -0,0 +1,70 @@
+From 1a556ff619473af9e179b202284a961590d5a2bd Mon Sep 17 00:00:00 2001
+From: Norbert Pocs <norbertp@openssl.org>
+Date: Thu, 8 Jan 2026 15:04:54 +0100
+Subject: [PATCH] Fix OCB AES-NI/HW stream path unauthenticated/unencrypted
+ trailing bytes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When ctx->stream (e.g., AES‑NI or ARMv8 CE) is available, the fast path
+encrypts/decrypts full blocks but does not advance in/out pointers. The
+tail-handling code then operates on the base pointers, effectively reprocessing
+the beginning of the buffer while leaving the actual trailing bytes
+unencrypted (encryption) or using the wrong plaintext (decryption). The
+authentication checksum excludes the true tail.
+
+CVE-2025-69418
+
+Fixes: https://github.com/openssl/srt/issues/58
+
+Signed-off-by: Norbert Pocs <norbertp@openssl.org>
+---
+ crypto/modes/ocb128.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/modes/ocb128.c b/crypto/modes/ocb128.c
+index ce72baf6da..8a5d7c7db0 100644
+--- a/crypto/modes/ocb128.c
++++ b/crypto/modes/ocb128.c
+@@ -337,7 +337,7 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+ 
+     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+         && ctx->stream != NULL) {
+-        size_t max_idx = 0, top = (size_t)all_num_blocks;
++        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+ 
+         /*
+          * See how many L_{i} entries we need to process data at hand
+@@ -351,6 +351,9 @@ int CRYPTO_ocb128_encrypt(OCB128_CONTEXT *ctx,
+         ctx->stream(in, out, num_blocks, ctx->keyenc,
+                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++        processed_bytes = num_blocks * 16;
++        in += processed_bytes;
++        out += processed_bytes;
+     } else {
+         /* Loop through all full blocks to be encrypted */
+         for (i = ctx->sess.blocks_processed + 1; i <= all_num_blocks; i++) {
+@@ -429,7 +432,7 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+ 
+     if (num_blocks && all_num_blocks == (size_t)all_num_blocks
+         && ctx->stream != NULL) {
+-        size_t max_idx = 0, top = (size_t)all_num_blocks;
++        size_t max_idx = 0, top = (size_t)all_num_blocks, processed_bytes = 0;
+ 
+         /*
+          * See how many L_{i} entries we need to process data at hand
+@@ -443,6 +446,9 @@ int CRYPTO_ocb128_decrypt(OCB128_CONTEXT *ctx,
+         ctx->stream(in, out, num_blocks, ctx->keydec,
+                     (size_t)ctx->sess.blocks_processed + 1, ctx->sess.offset.c,
+                     (const unsigned char (*)[16])ctx->l, ctx->sess.checksum.c);
++        processed_bytes = num_blocks * 16;
++        in += processed_bytes;
++        out += processed_bytes;
+     } else {
+         OCB_BLOCK tmp;
+ 
+-- 
+2.52.0
+

SPECS/openssl/0001-Fix-heap-buffer-overflow-in-BIO_f_linebuffer.patch

@@ -0,0 +1,67 @@
+From fb41a020b838f8145d07586275053568469a999c Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Wed, 7 Jan 2026 11:52:09 -0500
+Subject: [PATCH] Fix heap buffer overflow in BIO_f_linebuffer
+
+When a FIO_f_linebuffer is part of a bio chain, and the next BIO
+preforms short writes, the remainder of the unwritten buffer is copied
+unconditionally to the internal buffer ctx->obuf, which may not be
+sufficiently sized to handle the remaining data, resulting in a buffer
+overflow.
+
+Fix it by only copying data when ctx->obuf has space, flushing to the
+next BIO to increase available storage if needed.
+
+Fixes CVE-2025-68160
+---
+ crypto/bio/bf_lbuf.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+diff --git a/crypto/bio/bf_lbuf.c b/crypto/bio/bf_lbuf.c
+index eed3dc4..ce71231 100644
+--- a/crypto/bio/bf_lbuf.c
++++ b/crypto/bio/bf_lbuf.c
+@@ -186,14 +186,34 @@ static int linebuffer_write(BIO *b, const char *in, int inl)
+     while (foundnl && inl > 0);
+     /*
+      * We've written as much as we can.  The rest of the input buffer, if
+-     * any, is text that doesn't and with a NL and therefore needs to be
+-     * saved for the next trip.
++     * any, is text that doesn't end with a NL and therefore we need to try
++     * free up some space in our obuf so we can make forward progress.
+      */
+-    if (inl > 0) {
+-        memcpy(&(ctx->obuf[ctx->obuf_len]), in, inl);
+-        ctx->obuf_len += inl;
+-        num += inl;
++    while (inl > 0) {
++        size_t avail = (size_t)ctx->obuf_size - (size_t)ctx->obuf_len;
++        size_t to_copy;
++
++        if (avail == 0) {
++            /* Flush buffered data to make room */
++            i = BIO_write(b->next_bio, ctx->obuf, ctx->obuf_len);
++            if (i <= 0) {
++                BIO_copy_next_retry(b);
++                return num > 0 ? num : i;
++            }
++            if (i < ctx->obuf_len)
++                memmove(ctx->obuf, ctx->obuf + i, ctx->obuf_len - i);
++            ctx->obuf_len -= i;
++            continue;
++        }
++
++        to_copy = inl > (int)avail ? avail : (size_t)inl;
++        memcpy(&(ctx->obuf[ctx->obuf_len]), in, to_copy);
++        ctx->obuf_len += (int)to_copy;
++        in += to_copy;
++        inl -= (int)to_copy;
++        num += (int)to_copy;
+     }
++
+     return num;
+ }
+ 
+-- 
+2.45.4
+

SPECS/openssl/0001-Verify-ASN1-object-s-types-before-attempting-to-acce.patch

@@ -0,0 +1,40 @@
+From 6453d278557c8719233793730ec500c84aea55d9 Mon Sep 17 00:00:00 2001
+From: Bob Beck <beck@openssl.org>
+Date: Wed, 7 Jan 2026 11:29:48 -0700
+Subject: [PATCH] Verify ASN1 object's types before attempting to access them
+ as a particular type
+
+Issue was reported in ossl_ess_get_signing_cert but is also present in
+ossl_ess_get_signing_cert_v2.
+
+Fixes: https://github.com/openssl/srt/issues/61
+Fixes CVE-2025-69420
+---
+ crypto/ts/ts_rsp_verify.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
+index 3876e30f47..40dab687d1 100644
+--- a/crypto/ts/ts_rsp_verify.c
++++ b/crypto/ts/ts_rsp_verify.c
+@@ -209,7 +209,7 @@ static ESS_SIGNING_CERT *ossl_ess_get_signing_cert(const PKCS7_SIGNER_INFO *si)
+     const unsigned char *p;
+ 
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificate);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length);
+@@ -221,7 +221,7 @@ static ESS_SIGNING_CERT_V2 *ossl_ess_get_signing_cert_v2(const PKCS7_SIGNER_INFO
+     const unsigned char *p;
+ 
+     attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2);
+-    if (attr == NULL)
++    if (attr == NULL || attr->type != V_ASN1_SEQUENCE)
+         return NULL;
+     p = attr->value.sequence->data;
+     return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length);
+-- 
+2.52.0
+

SPECS/openssl/0001-ossl_quic_get_cipher_by_char-Add-a-NULL-guard-before.patch

@@ -0,0 +1,27 @@
+From 7da6afe3dac7d65b30f87f2c5d305b6e699bc5dc Mon Sep 17 00:00:00 2001
+From: Daniel Kubec <kubec@openssl.org>
+Date: Fri, 9 Jan 2026 14:33:24 +0100
+Subject: [PATCH] ossl_quic_get_cipher_by_char(): Add a NULL guard before
+ dereferencing SSL_CIPHER
+
+Fixes CVE-2025-15468
+---
+ ssl/quic/quic_impl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ssl/quic/quic_impl.c b/ssl/quic/quic_impl.c
+index 87c1370a8d..89c108a973 100644
+--- a/ssl/quic/quic_impl.c
++++ b/ssl/quic/quic_impl.c
+@@ -5222,6 +5222,8 @@ const SSL_CIPHER *ossl_quic_get_cipher_by_char(const unsigned char *p)
+ {
+     const SSL_CIPHER *ciph = ssl3_get_cipher_by_char(p);
+ 
++    if (ciph == NULL)
++        return NULL;
+     if ((ciph->algorithm2 & SSL_QUIC) == 0)
+         return NULL;
+ 
+-- 
+2.52.0
+

SPECS/openssl/0002-Some-comments-to-clarify-functions-usage.patch

@@ -0,0 +1,57 @@
+From 6fb47957bfb0aef2deaa7df7aebd4eb52ffe20ce Mon Sep 17 00:00:00 2001
+From: Igor Ustinov <igus68@gmail.com>
+Date: Mon, 12 Jan 2026 12:15:42 +0100
+Subject: [PATCH 2/3] Some comments to clarify functions usage
+
+---
+ crypto/asn1/evp_asn1.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c
+index 382576364b..e73bda64e3 100644
+--- a/crypto/asn1/evp_asn1.c
++++ b/crypto/asn1/evp_asn1.c
+@@ -60,6 +60,12 @@ static ossl_inline void asn1_type_init_oct(ASN1_OCTET_STRING *oct,
+     oct->flags = 0;
+ }
+ 
++/*
++ * This function copies 'anum' to 'num' and the data of 'oct' to 'data'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ static int asn1_type_get_int_oct(ASN1_OCTET_STRING *oct, int32_t anum,
+                                  long *num, unsigned char *data, int max_len)
+ {
+@@ -106,6 +112,13 @@ int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data,
+     return 0;
+ }
+ 
++/*
++ * This function decodes an int-octet sequence and copies the integer to 'num'
++ * and the data of octet to 'data'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num,
+                                   unsigned char *data, int max_len)
+ {
+@@ -162,6 +175,13 @@ int ossl_asn1_type_set_octetstring_int(ASN1_TYPE *a, long num,
+     return 0;
+ }
+ 
++/*
++ * This function decodes an octet-int sequence and copies the data of octet
++ * to 'data' and the integer to 'num'.
++ * If the length of 'data' > 'max_len', copies only the first 'max_len'
++ * bytes, but returns the full length of 'oct'; this allows distinguishing
++ * whether all the data was copied.
++ */
+ int ossl_asn1_type_get_octetstring_int(const ASN1_TYPE *a, long *num,
+                                        unsigned char *data, int max_len)
+ {
+-- 
+2.52.0
+