[scarthgap][PATCH] openssl: upgrade 3.5.6 -> 3.5.7

[scarthgap][PATCH] openssl: upgrade 3.5.6 -> 3.5.7

[Peter Marko]

From: Peter Marko <peter.marko@siemens.com>

Release information [1]:

OpenSSL 3.5.7 is a security patch release. The most severe CVE fixed in this release is High.
This release incorporates the following bug fixes and mitigations:
* Fixed heap use-after-free in PKCS7_verify(). (CVE-2026-45447)
* Fixed CMS AuthEnvelopedData processing may accept forged messages. (CVE-2026-34182)
* Fixed unbounded memory growth in the QUIC PATH_CHALLENGE handler. (CVE-2026-34183)
* Fixed NULL pointer dereference in QUIC server initial packet handling. (CVE-2026-42764)
* Fixed AES-OCB IV ignored on EVP_Cipher() path. (CVE-2026-45445)
* Fixed possible heap buffer overflow in ASN.1 multibyte string conversion. (CVE-2026-7383)
* Fixed out-of-bounds read in CMS password-based decryption. (CVE-2026-9076)
* Fixed heap buffer over-read in ASN.1 content parsing. (CVE-2026-34180)
* Fixed PKCS#12 files with PBMAC1 are accepted with short HMAC keys. (CVE-2026-34181)
* Fixed possible NULL dereference in password-dased CMS decryption. (CVE-2026-42766)
* Fixed NULL pointer dereference in CRMF EncryptedValue decryption. (CVE-2026-42767)
* Fixed multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt(). (CVE-2026-42768)
* Fixed trust anchor substitution via cert/issuer typo in CMP rootCaKeyUpdate. (CVE-2026-42769)
* Fixed FFC-DH peer validation uses attacker-supplied q. (CVE-2026-42770)
* Fixed incorrect tag processing for empty messages in AES-GCM-SIV and AES-SIV modes. (CVE-2026-45446)

Refreshed patches.
Installed new test files to pass ptests.

[1] https://github.com/openssl/openssl/blob/openssl-3.5/NEWS.md#major-changes-between-openssl-356-and-openssl-357-9-jun-2026

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(From OE-Core rev: 9365ac47f994a7d6be92b8c011c51ecf48e8ef87)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../openssl/0001-Configure-do-not-tweak-mips-cflags.patch     | 2 +-
 .../openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb}            | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 rename meta/recipes-connectivity/openssl/{openssl_3.5.6.bb => openssl_3.5.7.bb} (98%)

diff --git a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
index cf5ff356ee7..cd8906df675 100644
--- a/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
+++ b/meta/recipes-connectivity/openssl/openssl/0001-Configure-do-not-tweak-mips-cflags.patch
@@ -20,7 +20,7 @@ diff --git a/Configure b/Configure
 index fff97bd..5ee54c1 100755
 --- a/Configure
 +++ b/Configure
-@@ -1552,16 +1552,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
+@@ -1557,16 +1557,6 @@ if ($target =~ /^mingw/ && `$config{CC} --target-help 2>&1` =~ m/-mno-cygwin/m)
          push @{$config{shared_ldflag}}, "-mno-cygwin";
          }
  
diff --git a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_3.5.6.bb
rename to meta/recipes-connectivity/openssl/openssl_3.5.7.bb
index 3bf78eff5c2..0b8e8afec81 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.5.6.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.5.7.bb
@@ -19,7 +19,7 @@ SRC_URI:append:class-nativesdk = " \
            file://environment.d-openssl.sh \
            "
 
-SRC_URI[sha256sum] = "deae7c80cba99c4b4f940ecadb3c3338b13cb77418409238e57d7f31f2a3b736"
+SRC_URI[sha256sum] = "a8c0d28a529ca480f9f36cf5792e2cd21984552a3c8e4aa11a24aa31aeac98e8"
 
 inherit lib_package multilib_header multilib_script ptest perlnative manpages
 MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"
@@ -215,7 +215,7 @@ do_install_ptest() {
 	ln -s ${bindir}/openssl ${D}${PTEST_PATH}/apps
 
 	cd ${S}
-	find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
+	find test/certs test/ct test/d2i-tests test/recipes test/ocsp-tests test/ssl-tests test/smime-certs test/smime-eml -type f -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
 	find apps test -name \*.cnf -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
 	find apps test -name \*.der -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;
 	find apps test -name \*.pem -exec install -m644 -D {} ${D}${PTEST_PATH}/{} \;

Re: [scarthgap][PATCH] openssl: upgrade 3.5.6 -> 3.5.7

[Sai Sneha]

[-- Attachment #1: Type: text/plain, Size: 1155 bytes --]

Hi Peter,

I applied your scarthgap patch (#238923) directly via git am on a clean origin/scarthgap checkout and ran the openssl ptests on QEMU (qemux86-64, default memory, no manual config changes).

lhash_test fails with an OOM kill:

Out of memory: Killed process 546 (lhash_test) total-vm:72960kB, anon-rss:65792kB

41 tests pass before this ( 02-test_list.t is the last to pass), then 02-test_lhash.t fails with exit code 137 (SIGKILL). Later in the run, the ptest-runner process itself also gets killed by the OOM killer, so the suite doesn't complete fully (TOTAL: 1 FAIL: 2).

I also tested this independently on oe-core master-next (your original commit 9365ac47f994a7d6be92b8c011c51ecf48e8ef87 ) and on my own scarthgap backport same lhash_test OOM occurs in all three cases under default QEMU memory. When I manually bumped QEMU's memory to 1GB, lhash_test passes, so it's a memory-availability issue rather than a problem with the patch itself.

Is this a known/expected limitation with the default qemux86-64 ptest QEMU memory, or is there something I should configure differently when running these tests?

Thanks,
Sai Sneha

[-- Attachment #2: Type: text/html, Size: 3303 bytes --]

RE: [OE-core] [scarthgap][PATCH] openssl: upgrade 3.5.6 -> 3.5.7

[Marko, Peter]

Hello Sai,

Tests usually need more RAM and flash space then if only using the component/library.
Ptests should be run via "core-image-ptest-openssl" which has 1GB RAM (and even more for some other components).

Note that I send my patches only after successful ptest executon.

Peter

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Sai Sneha via
> lists.openembedded.org
> Sent: Wednesday, June 17, 2026 12:14 PM
> To: openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [scarthgap][PATCH] openssl: upgrade 3.5.6 -> 3.5.7
> 
> Hi Peter,
> 
> I applied your scarthgap patch (#238923) directly via git am on a clean
> origin/scarthgap checkout and ran the openssl ptests on QEMU (qemux86-64,
> default memory, no manual config changes).
> 
> lhash_test fails with an OOM kill:
> 
> 
> 
> Out of memory: Killed process 546 (lhash_test) total-vm:72960kB, anon-
> rss:65792kB
> 
> 41 tests pass before this (02-test_list.t is the last to pass), then 02-test_lhash.t fails
> with exit code 137 (SIGKILL). Later in the run, the ptest-runner process itself also
> gets killed by the OOM killer, so the suite doesn't complete fully (TOTAL: 1 FAIL:
> 2).
> 
> I also tested this independently on oe-core master-next (your original commit
> 9365ac47f994a7d6be92b8c011c51ecf48e8ef87) and on my own scarthgap
> backport same lhash_test OOM occurs in all three cases under default QEMU
> memory. When I manually bumped QEMU's memory to 1GB, lhash_test passes,
> so it's a memory-availability issue rather than a problem with the patch itself.
> 
> Is this a known/expected limitation with the default qemux86-64 ptest QEMU
> memory, or is there something I should configure differently when running these
> tests?
> 
> Thanks,
> Sai Sneha