Version in base suite: 3.5.1-1
Base version: openssl_3.5.1-1
Target version: openssl_3.5.1-1+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/o/openssl/openssl_3.5.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/o/openssl/openssl_3.5.1-1+deb13u1.dsc
changelog | 8
gbp.conf | 2
patches/SM2-Use-constant-time-modular-inversion.patch | 42 +++
patches/ecp_sm2p256.c-Remove-unused-code.patch | 135 ++++++++++
patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch | 25 +
patches/series | 4
patches/use_proxy-Add-missing-terminating-NUL-byte.patch | 24 +
7 files changed, 239 insertions(+), 1 deletion(-)
diff -Nru openssl-3.5.1/debian/changelog openssl-3.5.1/debian/changelog
--- openssl-3.5.1/debian/changelog 2025-07-12 16:49:06.000000000 +0000
+++ openssl-3.5.1/debian/changelog 2025-09-26 19:18:35.000000000 +0000
@@ -1,3 +1,11 @@
+openssl (3.5.1-1+deb13u1) trixie-security; urgency=medium
+
+ * CVE-2025-9230 (Out-of-bounds read & write in RFC 3211 KEK Unwrap)
+ * CVE-2025-9231 (Timing side-channel in SM2 algorithm on 64 bit ARM)
+ * CVE-2025-9232 (Out-of-bounds read in HTTP client no_proxy handling)
+
+ -- Sebastian Andrzej Siewior Fri, 26 Sep 2025 21:18:35 +0200
+
 openssl (3.5.1-1) unstable; urgency=medium
 * Import 3.5.1
diff -Nru openssl-3.5.1/debian/gbp.conf openssl-3.5.1/debian/gbp.conf
--- openssl-3.5.1/debian/gbp.conf 2025-07-12 16:44:04.000000000 +0000
+++ openssl-3.5.1/debian/gbp.conf 2025-09-26 19:05:05.000000000 +0000
@@ -1,7 +1,7 @@
 [DEFAULT]
 dist = DEP14
 upstream-branch = upstream/openssl-3.5
-debian-branch = debian/unstable
+debian-branch = debian/trixie
 debian-tag = debian/openssl-%(version)s
 id-length = 12
 abbrev = 12
diff -Nru openssl-3.5.1/debian/patches/SM2-Use-constant-time-modular-inversion.patch openssl-3.5.1/debian/patches/SM2-Use-constant-time-modular-inversion.patch
--- openssl-3.5.1/debian/patches/SM2-Use-constant-time-modular-inversion.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.5.1/debian/patches/SM2-Use-constant-time-modular-inversion.patch 2025-09-26 19:17:51.000000000 +0000
@@ -0,0 +1,42 @@
+From: Tomas Mraz
+Date: Thu, 11 Sep 2025 18:40:34 +0200
+Subject: SM2: Use constant time modular inversion
+
+Fixes CVE-2025-9231
+
+Issue and a proposed fix reported by Stanislav Fort (Aisle Research).
+---
+ crypto/ec/ecp_sm2p256.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/crypto/ec/ecp_sm2p256.c b/crypto/ec/ecp_sm2p256.c
+index 7668b61378b6..f3ace351bdff 100644
+--- a/crypto/ec/ecp_sm2p256.c
++++ b/crypto/ec/ecp_sm2p256.c
+@@ -747,7 +747,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
+ ossl_ec_GFp_simple_point_copy,
+ ossl_ec_GFp_simple_point_set_to_infinity,
+ ossl_ec_GFp_simple_point_set_affine_coordinates,
+- ecp_sm2p256_get_affine,
++ ossl_ec_GFp_simple_point_get_affine_coordinates,
+ 0, 0, 0,
+ ossl_ec_GFp_simple_add,
+ ossl_ec_GFp_simple_dbl,
+@@ -763,7 +763,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
+ ecp_sm2p256_field_mul,
+ ecp_sm2p256_field_sqr,
+ 0 /* field_div */,
+- 0 /* field_inv */,
++ ossl_ec_GFp_simple_field_inv,
+ 0 /* field_encode */,
+ 0 /* field_decode */,
+ 0 /* field_set_to_one */,
+@@ -779,7 +779,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
+ ossl_ecdsa_simple_sign_setup,
+ ossl_ecdsa_simple_sign_sig,
+ ossl_ecdsa_simple_verify_sig,
+- ecp_sm2p256_inv_mod_ord,
++ 0, /* use constant‑time fallback for inverse mod order */
+ 0, /* blind_coordinates */
+ 0, /* ladder_pre */
+ 0, /* ladder_step */
diff -Nru openssl-3.5.1/debian/patches/ecp_sm2p256.c-Remove-unused-code.patch openssl-3.5.1/debian/patches/ecp_sm2p256.c-Remove-unused-code.patch
--- openssl-3.5.1/debian/patches/ecp_sm2p256.c-Remove-unused-code.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.5.1/debian/patches/ecp_sm2p256.c-Remove-unused-code.patch 2025-09-26 19:17:51.000000000 +0000
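Review bot: The replacement line `++ 0, /* use constant‑time fallback for inverse mod order */` appears to carry a non-ASCII hyphen (U+2011) in "constant‑time", which stands out in an otherwise ASCII C file and can trip encoding checks in tooling; `0, /* use constant-time fallback for inverse mod order */` with a plain hyphen is preferable, worth confirming against the raw patch bytes. The subject explains the inv_mod_ord and field_inv swaps, but the first inner hunk also replaces `ecp_sm2p256_get_affine` with `ossl_ec_GFp_simple_point_get_affine_coordinates` without a word on why; presumably it is to keep affine conversion off the custom inversion as well, and one sentence in the patch description saying so would help anyone backporting or auditing it. Finally, the comment asserts that the generic fallback is constant-time, yet nothing in this hunk shows the fallback path or the flags it runs under; the security claim of the whole patch rests on that, so it deserves a reference (or a test) rather than a bare comment.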
@@ -0,0 +1,135 @@
+From: Tomas Mraz
+Date: Tue, 16 Sep 2025 14:48:31 +0200
+Subject: ecp_sm2p256.c: Remove unused code
+
+---
+ crypto/ec/ecp_sm2p256.c | 95 -------------------------------------------------
+ 1 file changed, 95 deletions(-)
+
+diff --git a/crypto/ec/ecp_sm2p256.c b/crypto/ec/ecp_sm2p256.c
+index f3ace351bdff..ffb58399dfd0 100644
+--- a/crypto/ec/ecp_sm2p256.c
++++ b/crypto/ec/ecp_sm2p256.c
+@@ -56,10 +56,6 @@ ALIGN32 static const BN_ULONG def_p[P256_LIMBS] = {
+ 0xffffffffffffffff, 0xffffffff00000000,
+ 0xffffffffffffffff, 0xfffffffeffffffff
+ };
+-ALIGN32 static const BN_ULONG def_ord[P256_LIMBS] = {
+- 0x53bbf40939d54123, 0x7203df6b21c6052b,
+- 0xffffffffffffffff, 0xfffffffeffffffff
+-};
+
+ ALIGN32 static const BN_ULONG ONE[P256_LIMBS] = {1, 0, 0, 0};
+
+@@ -177,13 +173,6 @@ static ossl_inline void ecp_sm2p256_mod_inverse(BN_ULONG* out,
+ BN_MOD_INV(out, in, ecp_sm2p256_div_by_2, ecp_sm2p256_sub, def_p);
+ }
+
+-/* Modular inverse mod order |out| = |in|^(-1) % |ord|. */
+-static ossl_inline void ecp_sm2p256_mod_ord_inverse(BN_ULONG* out,
+- const BN_ULONG* in) {
+- BN_MOD_INV(out, in, ecp_sm2p256_div_by_2_mod_ord, ecp_sm2p256_sub_mod_ord,
+- def_ord);
+-}
+-
+ /* Point double: R <- P + P */
+ static void ecp_sm2p256_point_double(P256_POINT *R, const P256_POINT *P)
+ {
+@@ -454,52 +443,6 @@ static int ecp_sm2p256_is_affine_G(const EC_POINT *generator)
+ }
+ #endif
+
+-/*
+- * Convert Jacobian coordinate point into affine coordinate (x,y)
+- */
+-static int ecp_sm2p256_get_affine(const EC_GROUP *group,
+- const EC_POINT *point,
+- BIGNUM *x, BIGNUM *y, BN_CTX *ctx)
+-{
+- ALIGN32 BN_ULONG z_inv2[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG z_inv3[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG x_aff[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG y_aff[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG point_x[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG point_y[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG point_z[P256_LIMBS] = {0};
+-
+- if (EC_POINT_is_at_infinity(group, point)) {
+- ECerr(ERR_LIB_EC, EC_R_POINT_AT_INFINITY);
+- return 0;
+- }
+-
+- if (ecp_sm2p256_bignum_field_elem(point_x, point->X) <= 0
+- || ecp_sm2p256_bignum_field_elem(point_y, point->Y) <= 0
+- || ecp_sm2p256_bignum_field_elem(point_z, point->Z) <= 0) {
+- ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
+- return 0;
+- }
+-
+- ecp_sm2p256_mod_inverse(z_inv3, point_z);
+- ecp_sm2p256_sqr(z_inv2, z_inv3);
+-
+- if (x != NULL) {
+- ecp_sm2p256_mul(x_aff, point_x, z_inv2);
+- if (!bn_set_words(x, x_aff, P256_LIMBS))
+- return 0;
+- }
+-
+- if (y != NULL) {
+- ecp_sm2p256_mul(z_inv3, z_inv3, z_inv2);
+- ecp_sm2p256_mul(y_aff, point_y, z_inv3);
+- if (!bn_set_words(y, y_aff, P256_LIMBS))
+- return 0;
+- }
+-
+- return 1;
+-}
+-
+ /* r = sum(scalar[i]*point[i]) */
+ static int ecp_sm2p256_windowed_mul(const EC_GROUP *group,
+ P256_POINT *r,
+@@ -689,44 +632,6 @@ static int ecp_sm2p256_field_sqr(const EC_GROUP *group, BIGNUM *r,
+ return 1;
+ }
+
+-static int ecp_sm2p256_inv_mod_ord(const EC_GROUP *group, BIGNUM *r,
+- const BIGNUM *x, BN_CTX *ctx)
+-{
+- int ret = 0;
+- ALIGN32 BN_ULONG t[P256_LIMBS] = {0};
+- ALIGN32 BN_ULONG out[P256_LIMBS] = {0};
+-
+- if (bn_wexpand(r, P256_LIMBS) == NULL) {
+- ECerr(ERR_LIB_EC, ERR_R_BN_LIB);
+- goto err;
+- }
+-
+- if ((BN_num_bits(x) > 256) || BN_is_negative(x)) {
+- BIGNUM *tmp;
+-
+- if ((tmp = BN_CTX_get(ctx)) == NULL
+- || !BN_nnmod(tmp, x, group->order, ctx)) {
+- ECerr(ERR_LIB_EC, ERR_R_BN_LIB);
+- goto err;
+- }
+- x = tmp;
+- }
+-
+- if (!ecp_sm2p256_bignum_field_elem(t, x)) {
+- ECerr(ERR_LIB_EC, EC_R_COORDINATES_OUT_OF_RANGE);
+- goto err;
+- }
+-
+- ecp_sm2p256_mod_ord_inverse(out, t);
+-
+- if (!bn_set_words(r, out, P256_LIMBS))
+- goto err;
+-
+- ret = 1;
+-err:
+- return ret;
+-}
+-
+ const EC_METHOD *EC_GFp_sm2p256_method(void)
+ {
+ static const EC_METHOD ret = {
diff -Nru openssl-3.5.1/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch openssl-3.5.1/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch
--- openssl-3.5.1/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.5.1/debian/patches/kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch 2025-09-26 19:17:51.000000000 +0000
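Review bot: The deletion keeps `ecp_sm2p256_mod_inverse` intact (visible as context in the second inner hunk, `BN_MOD_INV(out, in, ecp_sm2p256_div_by_2, ecp_sm2p256_sub, def_p);`), and that function is built on the same `BN_MOD_INV` macro whose mod-order instantiation was just removed for CVE-2025-9231; its remaining callers lie outside these hunks, so the patch description should state whether the surviving mod-p inverse is only ever applied to inputs that do not depend on a private scalar, otherwise the next reader will take this for an incomplete fix. The inner patch has no body at all between Subject and the diffstat; a line such as `Follow-up to the CVE-2025-9231 fix: drop the now-unreferenced static functions and def_ord, which would otherwise produce unused-function warnings` would record why a pure deletion ships in a security update — I am inferring that motivation, so adjust it to the real one. None of the four patches in this upload carries a DEP-3 `Origin:` line pointing at the upstream commit, which would make verifying the backport against upstream a one-step job.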
@@ -0,0 +1,25 @@
+From: Viktor Dukhovni
+Date: Thu, 11 Sep 2025 18:10:12 +0200
+Subject: kek_unwrap_key(): Fix incorrect check of unwrapped key size
+
+Fixes CVE-2025-9230
+
+The check is off by 8 bytes so it is possible to overread by
+up to 8 bytes and overwrite up to 4 bytes.
+---
+ crypto/cms/cms_pwri.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
+index a7d609f83791..ee1b8aa6ed61 100644
+--- a/crypto/cms/cms_pwri.c
++++ b/crypto/cms/cms_pwri.c
+@@ -242,7 +242,7 @@ static int kek_unwrap_key(unsigned char *out, size_t *outlen,
+ /* Check byte failure */
+ goto err;
+ }
+- if (inlen < (size_t)(tmp[0] - 4)) {
++ if (inlen < 4 + (size_t)tmp[0]) {
+ /* Invalid length value */
+ goto err;
+ }
diff -Nru openssl-3.5.1/debian/patches/series openssl-3.5.1/debian/patches/series
--- openssl-3.5.1/debian/patches/series 2025-07-12 16:46:26.000000000 +0000
+++ openssl-3.5.1/debian/patches/series 2025-09-26 19:17:51.000000000 +0000
@@ -5,3 +5,7 @@
 c_rehash-compat.patch
 Configure-allow-to-enable-ktls-if-target-does-not-start-w.patch
 conf-Serialize-allocation-free-of-ssl_names.patch
+use_proxy-Add-missing-terminating-NUL-byte.patch
+kek_unwrap_key-Fix-incorrect-check-of-unwrapped-key-size.patch
+SM2-Use-constant-time-modular-inversion.patch
+ecp_sm2p256.c-Remove-unused-code.patch
diff -Nru openssl-3.5.1/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch openssl-3.5.1/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch
--- openssl-3.5.1/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch 1970-01-01 00:00:00.000000000 +0000
+++ openssl-3.5.1/debian/patches/use_proxy-Add-missing-terminating-NUL-byte.patch 2025-09-26 19:17:51.000000000 +0000
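Review bot: The corrected bound `if (inlen < 4 + (size_t)tmp[0]) {` still encodes the key-block layout as a bare 4, exactly as the wrong line before it did, and that is how the original off-by-8 slipped through; a comment on the line above such as `/* length octet + 3 check octets must fit inside the unwrapped block (RFC 3211) */` makes the constant self-checking for the next reader — my reading of the RFC 3211 layout, confirm against the spec. The patch ships no regression test even though the defect is a plain length-check inversion; a CMS PWRI decrypt case feeding a wrapped block whose length octet claims more bytes than the block holds would pin the new rejection and would have caught the old line. The body of kek_unwrap_key, including where `tmp` is filled and `inlen` is derived, starts before this hunk, so the "overread by up to 8 bytes" figure in the description cannot be checked from here.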
@@ -0,0 +1,24 @@
+From: Tomas Mraz
+Date: Thu, 11 Sep 2025 18:43:55 +0200
+Subject: use_proxy(): Add missing terminating NUL byte
+
+Fixes CVE-2025-9232
+
+There is a missing terminating NUL byte after strncpy() call.
+Issue and a proposed fix reported by Stanislav Fort (Aisle Research).
+---
+ crypto/http/http_lib.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/crypto/http/http_lib.c b/crypto/http/http_lib.c
+index fcf8a69e07a8..022b8c194cbe 100644
+--- a/crypto/http/http_lib.c
++++ b/crypto/http/http_lib.c
+@@ -263,6 +263,7 @@ static int use_proxy(const char *no_proxy, const char *server)
+ /* strip leading '[' and trailing ']' from escaped IPv6 address */
+ sl -= 2;
+ strncpy(host, server + 1, sl);
++ host[sl] = '\0';
+ server = host;
+ }
+
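Review bot: The added `host[sl] = '\0';` is in bounds only if the guard that admits this branch (before the hunk, not visible here) requires `sl - 2 < sizeof(host)` rather than `<=`; with an exact-size source `strncpy` would fill `host` completely and the new terminator would land one past the end, so that earlier comparison is worth re-reading as part of this fix. Since `sl` is already an exact byte count, `memcpy(host, server + 1, sl); host[sl] = '\0';` says what is meant more directly than `strncpy`, whose only contributions here are a hidden zero-pad and the non-termination hazard this CVE is about. No regression test accompanies the change; a no_proxy test with a bracketed IPv6 `server` string (an address exactly filling `host` plus a shorter one) would cover both the terminator and the bound. The use_proxy body continues outside the hunk.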