[rpms/openssl] f44: Rebase to OpenSSL 3.5.7

[Dmitry Belyavskiy <dbelyavs@redhat.com>]

A new commit has been pushed.

Repo   : rpms/openssl
Branch : f44
Commit : 41f6acd6f478a34d96e47681ac0bdf6b72d580eb
Author : Dmitry Belyavskiy <dbelyavs@redhat.com>
Date   : 2026-06-10T14:14:05+02:00
Stats  : +8/-812 in 11 file(s)
URL    : https://src.fedoraproject.org/rpms/openssl/c/41f6acd6f478a34d96e47681ac0bdf6b72d580eb?branch=f44

Log:
Rebase to OpenSSL 3.5.7

---
diff --git a/.gitignore b/.gitignore
index efab622..7dccd1e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -69,3 +69,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-3.5.1.tar.gz
 /openssl-3.5.4.tar.gz
 /openssl-3.5.5.tar.gz
+/openssl-3.5.7.tar.gz

diff --git a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
index d53c49a..8d7cae7 100644
--- a/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
+++ b/0006-RH-Add-support-for-PROFILE-SYSTEM-system-default-cip.patch
@@ -317,7 +317,7 @@ index 9874e6bad6..76b6befbad 100644
 +#endif
      ADD_TEST(test_default_cipherlist_explicit);
      ADD_TEST(test_default_cipherlist_clear);
-     ADD_TEST(test_stdname_cipherlist);
+ #ifndef OPENSSL_NO_TLS1_3
 -- 
 2.52.0
 

diff --git a/0058-CVE-2026-2673.patch b/0058-CVE-2026-2673.patch
deleted file mode 100644
index 6ee0ab5..0000000
--- a/0058-CVE-2026-2673.patch
+++ /dev/null
@@ -1,424 +0,0 @@
-From 85977e013f32ceb96aa034c0e741adddc1a05e34 Mon Sep 17 00:00:00 2001
-From: Viktor Dukhovni <openssl-users@dukhovni.org>
-Date: Tue, 17 Feb 2026 18:37:06 +1100
-Subject: [PATCH] Fix group tuple handling in DEFAULT expansion
-
-Also fine-tune docs and add tests.
-
-Fixes: #30109
-Fixes: CVE-2026-2673
-
-Reviewed-by: Matt Caswell <matt@openssl.foundation>
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-MergeDate: Fri Mar 13 12:44:06 2026
-(Merged from https://github.com/openssl/openssl/pull/30110)
----
-
-diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod
-index 017eefd3176a9..472d3858315a9 100755
---- a/doc/man3/SSL_CTX_set1_curves.pod
-+++ b/doc/man3/SSL_CTX_set1_curves.pod
-@@ -40,13 +40,13 @@ SSL_get1_curves, SSL_get_shared_curve, SSL_CTX_get0_implemented_groups
- 
- For all of the functions below that set the supported groups there must be at
- least one group in the list. A number of these functions identify groups via a
--unique integer NID value. However, support for some groups may be added by
--external providers. In this case there will be no NID assigned for the group.
-+unique integer B<NID> value. However, support for some groups may be added by
-+external providers. In this case there will be no B<NID> assigned for the group.
- When setting such groups applications should use the "list" form of these
- functions (i.e. SSL_CTX_set1_groups_list() and SSL_set1_groups_list()).
- 
- SSL_CTX_set1_groups() sets the supported groups for B<ctx> to B<glistlen>
--groups in the array B<glist>. The array consist of all NIDs of supported groups.
-+groups in the array B<glist>. The array consist of all B<NIDs> of supported groups.
- The supported groups for B<TLSv1.3> include:
- B<NID_X9_62_prime256v1>,
- B<NID_secp384r1>,
-@@ -73,20 +73,27 @@ B<SSL_OP_CIPHER_SERVER_PREFERENCE> is set, the order of the elements in the
- array determines the selected group. Otherwise, the order is ignored and the
- client's order determines the selection.
- 
--For a TLS 1.3 server, the groups determine the selected group, but
--selection is more complex. A TLS 1.3 client sends both a group list as well as a
--predicted subset of groups. Choosing a group outside the predicted subset incurs
--an extra roundtrip. However, in some situations, the most preferred group may
--not be predicted. OpenSSL considers all supported groups in I<clist> to be comparable
--in security and prioritizes avoiding roundtrips above either client or server
--preference order. If an application uses an external provider to extend OpenSSL
--with, e.g., a post-quantum algorithm, this behavior may allow a network attacker
--to downgrade connections to a weaker algorithm. It is therefore recommended
--to use SSL_CTX_set1_groups_list() with the ability to specify group tuples.
-+For a TLS 1.3 server, the groups determine the selected group, but selection is
-+more complex.
-+A TLS 1.3 client sends both a group list and predicted keyshares for a subset
-+of groups.
-+A server choosing a group outside the client's predicted subset incurs an extra
-+roundtrip.
-+However, in some situations, the most preferred group may not be predicted.
-+
-+When groups are specified via SSL_CTX_set1_groups() as a list of B<NID>
-+values, OpenSSL considers all supported groups in I<clist> to be comparable in
-+security and prioritises avoiding roundtrips above either client or server
-+preference order.
-+If an application uses an external provider to extend OpenSSL with, e.g., a
-+post-quantum algorithm, this behavior may allow a network attacker to downgrade
-+connections to a weaker algorithm.
-+It is therefore recommended to use SSL_CTX_set1_groups_list() instead, making
-+it possible to specify group tuples as described below.
- 
- SSL_CTX_set1_groups_list() sets the supported groups for B<ctx> to
- string I<list>. In contrast to SSL_CTX_set1_groups(), the names of the
--groups, rather than their NIDs, are used.
-+groups, rather than their B<NIDs>, are used.
- 
- The commands below list the available groups for TLS 1.2 and TLS 1.3,
- respectively:
-@@ -102,30 +109,72 @@ The preferred group names are those defined by
- L<IANA|https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>.
- 
- The I<list> can be used to define several group tuples of comparable security
--levels, and can specify which key shares should be sent by a client.
--The specified list elements can optionally be ignored, if not implemented
-+levels, and can specify which predicted key shares should be sent by a client.
-+Group tuples are used by OpenSSL TLS servers to decide whether to request a
-+stronger keyshare than those predicted by sending a Hello Retry Request
-+(B<HRR>) even if some of the predicted groups are supported.
-+OpenSSL clients ignore tuple boundaries, and pay attenion only to the overall
-+order of I<list> elements and which groups are selected as predicted keyshares
-+as described below.
-+
-+The specified list elements can optionally be ignored if not implemented
- (listing unknown groups otherwise results in error).
--It is also possible to specify the built-in default set of groups, and to explicitly
--remove a group from that list.
--
--In its simplest form, the string I<list> is just a colon separated list
--of group names, for example "P-521:P-384:P-256:X25519:ffdhe2048". The first
--group listed will also be used for the B<key_share> sent by a client in a
--TLSv1.3 B<ClientHello>. For servers note the discussion above. The list should
--be in order of preference with the most preferred group first.
--
--Group tuples of comparable security are defined by separating them from each
--other by a tuple separator C</>. Keyshares to be sent by a client are specified
--by prepending a C<*> to the group name, while any C<*> will be ignored by a
--server. The following string I<list> for example defines three tuples when
--used on the server-side, and triggers the generation of three key shares
--when used on the client-side: P-521:*P-256/*P-384/*X25519:P-384:ffdhe2048.
--
--If a group name is preceded with the C<?> character, it will be ignored if an
--implementation is missing. If a group name is preceded with the C<-> character, it
--will be removed from the list of groups if present (including not sending a
--key share for this group), ignored otherwise. The pseudo group name
--C<DEFAULT> can be used to select the OpenSSL built-in default list of groups.
-+It is also possible to specify the built-in default set of groups, and to
-+explicitly remove a group from that list.
-+
-+In its simplest legacy form, the string I<list> is just a colon separated list
-+of group names, for example "P-521:P-384:P-256:X25519:ffdhe2048".
-+The first group listed will in this case be used as the sole predicted
-+B<key_share> sent by a client in a TLSv1.3 B<ClientHello>.
-+The list should be in order of preference with the most preferred group first.
-+
-+A more expressive syntax supports definition of group tuples of comparable
-+security by separating them from each other with C</> characters.
-+
-+The predicted keyshares to be sent by clients can be explicitly specified by
-+adding a C<*> prefix to the associated group name.
-+These C<*> prefixes are ignored by servers.
-+
-+If a group name is prefixed with the C<?> character, it will be ignored if an
-+implementation is missing.
-+Otherwise, listing an unknown group name will cause a failure to parse the
-+I<list>.
-+Note that whether a group is known or not may depend on the OpenSSL version,
-+how OpenSSL was compiled and/or which providers are loaded.
-+Make sure you have the correct spelling of the group name and when in doubt
-+prefix it with a C<?> to handle configurations in which it might nevertheless
-+be unknown.
-+
-+If a group name is prefixed with the C<-> character, it will be removed from
-+the list of groups specified up to that point.
-+It can be added again if specified later.
-+Removal of groups that have not been included earlier in the list is silently
-+ignored.
-+
-+The pseudo group name C<DEFAULT> can be used to select the OpenSSL built-in
-+default list of groups.
-+Prepending one or more groups to C<DEFAULT> using only C<:> separators prepends those
-+groups to the built-in default list's first tuple.
-+Additional tuples can be prepended by use of the C</> separator.
-+Appending a set of groups to C<DEFAULT> using only C<:> separators appends those
-+groups to the built-in default list's last tuple.
-+Additional tuples can be appended by use of the C</> separator.
-+
-+The B<DEFAULT> list selects B<X25519MLKEM768> as one of the predicted keyshares.
-+In rare cases this can lead to failures or timeouts because the resulting
-+larger TLS Client Hello message may no longer fit in a single TCP segment and
-+firewall software may erroneously disrupt the TLS handshake.
-+If this is an issue or concern, prepending C<?X25519MLKEM768:> without a C<*>
-+prefix leads to its occurrence in the default list to be ignored as a duplicate,
-+and along with that also the keyshare prediction.
-+The group will then only be selected by servers that specifically expect it,
-+after a Hello Retry Request (HRR).
-+Servers that specifically prefer B<X25519MLKEM768>, are much less likely to be
-+found behind problematic firewalls.
-+
-+The following string I<list> for example defines three tuples when used on the
-+server-side, and triggers the generation of three key shares when used on the
-+client-side: P-521:*P-256/*P-384/*X25519:P-384:ffdhe2048.
- 
- For a TLS 1.3 client, all the groups in the string I<list> are added to the
- supported groups extension of a C<ClientHello>, in the order in which they are listed,
-diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
-index 52dbdd9d4adeb..42953b530e8b8 100644
---- a/ssl/t1_lib.c
-+++ b/ssl/t1_lib.c
-@@ -211,7 +211,7 @@ static const uint16_t suiteb_curves[] = {
- 
- /* Group list string of the built-in pseudo group DEFAULT_SUITE_B */
- #define SUITE_B_GROUP_NAME "DEFAULT_SUITE_B"
--#define SUITE_B_GROUP_LIST "secp256r1:secp384r1",
-+#define SUITE_B_GROUP_LIST "?secp256r1:?secp384r1",
- 
- struct provider_ctx_data_st {
-     SSL_CTX *ctx;
-@@ -1244,8 +1244,8 @@ typedef struct {
-     size_t ksidcnt; /* Number of key shares */
-     uint16_t *ksid_arr; /* The IDs of the key share groups (flat list) */
-     /* Variable to keep state between execution of callback or helper functions */
--    size_t tuple_mode; /* Keeps track whether tuple_cb called from 'the top' or from gid_cb */
--    int ignore_unknown_default; /* Flag such that unknown groups for DEFAULT[_XYZ] are ignored */
-+    int inner; /* Are we expanding a DEFAULT list */
-+    int first; /* First tuple of possibly nested expansion? */
- } gid_cb_st;
- 
- /* Forward declaration of tuple callback function */
-@@ -1320,16 +1320,16 @@ static int gid_cb(const char *elem, int len, void *arg)
-             for (i = 0; i < OSSL_NELEM(default_group_strings); i++) {
-                 if ((size_t)len == (strlen(default_group_strings[i].list_name))
-                     && OPENSSL_strncasecmp(default_group_strings[i].list_name, elem, len) == 0) {
-+                    int saved_first;
-+
-                     /*
-                      * We're asked to insert an entire list of groups from a
-                      * DEFAULT[_XYZ] 'pseudo group' which we do by
-                      * recursively calling this function (indirectly via
-                      * CONF_parse_list and tuple_cb); essentially, we treat a DEFAULT
-                      * group string like a tuple which is appended to the current tuple
--                     * rather then starting a new tuple. Variable tuple_mode is the flag which
--                     * controls append tuple vs start new tuple.
-+                     * rather then starting a new tuple.
-                      */
--
-                     if (ignore_unknown || remove_group)
-                         return -1; /* removal or ignore not allowed here -> syntax error */
- 
-@@ -1350,15 +1350,17 @@ static int gid_cb(const char *elem, int len, void *arg)
-                         default_group_strings[i].group_string,
-                         strlen(default_group_strings[i].group_string));
-                     restored_default_group_string[strlen(default_group_strings[i].group_string) + restored_prefix_index] = '\0';
--                    /* We execute the recursive call */
--                    garg->ignore_unknown_default = 1; /* We ignore unknown groups for DEFAULT_XYZ */
--                    /* we enforce group mode (= append tuple) for DEFAULT_XYZ group lists */
--                    garg->tuple_mode = 0;
--                    /* We use the tuple_cb callback to process the pseudo group tuple */
-+                    /*
-+                     * Append first tuple of result to current tuple, and don't
-+                     * terminate the last tuple until we return to a top-level
-+                     * tuple_cb.
-+                     */
-+                    saved_first = garg->first;
-+                    garg->inner = garg->first = 1;
-                     retval = CONF_parse_list(restored_default_group_string,
-                         TUPLE_DELIMITER_CHARACTER, 1, tuple_cb, garg);
--                    garg->tuple_mode = 1; /* next call to tuple_cb will again start new tuple */
--                    garg->ignore_unknown_default = 0; /* reset to original value */
-+                    garg->inner = 0;
-+                    garg->first = saved_first;
-                     /* We don't need the \0-terminated string anymore */
-                     OPENSSL_free(restored_default_group_string);
- 
-@@ -1378,9 +1380,6 @@ static int gid_cb(const char *elem, int len, void *arg)
-     if (len == 0)
-         return -1; /* Seems we have prefxes without a group name -> syntax error */
- 
--    if (garg->ignore_unknown_default == 1) /* Always ignore unknown groups for DEFAULT[_XYZ] */
--        ignore_unknown = 1;
--
-     /* Memory management in case more groups are present compared to initial allocation */
-     if (garg->gidcnt == garg->gidmax) {
-         uint16_t *tmp = OPENSSL_realloc(garg->gid_arr,
-@@ -1514,7 +1513,7 @@ static int gid_cb(const char *elem, int len, void *arg)
-         /* and update the book keeping for the number of groups in current tuple */
-         garg->tuplcnt_arr[garg->tplcnt]++;
- 
--        /* We memorize if needed that we want to add a key share for the current group */
-+        /* We want to add a key share for the current group */
-         if (add_keyshare)
-             garg->ksid_arr[garg->ksidcnt++] = gid;
-     }
-@@ -1523,6 +1522,39 @@ static int gid_cb(const char *elem, int len, void *arg)
-     return retval;
- }
- 
-+static int grow_tuples(gid_cb_st *garg)
-+{
-+    static size_t max_tplcnt = (~(size_t)0) / sizeof(size_t);
-+
-+    /* This uses OPENSSL_realloc_array() in newer releases */
-+    if (garg->tplcnt == garg->tplmax) {
-+        size_t newcnt = garg->tplmax + GROUPLIST_INCREMENT;
-+        size_t newsz = newcnt * sizeof(size_t);
-+        size_t *tmp;
-+
-+        if (newsz > max_tplcnt
-+            || (tmp = OPENSSL_realloc(garg->tuplcnt_arr, newsz)) == NULL)
-+            return 0;
-+
-+        garg->tplmax = newcnt;
-+        garg->tuplcnt_arr = tmp;
-+    }
-+    return 1;
-+}
-+
-+static int close_tuple(gid_cb_st *garg)
-+{
-+    size_t gidcnt = garg->tuplcnt_arr[garg->tplcnt];
-+
-+    if (gidcnt == 0)
-+        return 1;
-+    if (!grow_tuples(garg))
-+        return 0;
-+
-+    garg->tuplcnt_arr[++garg->tplcnt] = 0;
-+    return 1;
-+}
-+
- /* Extract and process a tuple of groups */
- static int tuple_cb(const char *tuple, int len, void *arg)
- {
-@@ -1536,16 +1568,9 @@ static int tuple_cb(const char *tuple, int len, void *arg)
-         return 0;
-     }
- 
--    /* Memory management for tuples */
--    if (garg->tplcnt == garg->tplmax) {
--        size_t *tmp = OPENSSL_realloc(garg->tuplcnt_arr,
--            (garg->tplmax + GROUPLIST_INCREMENT) * sizeof(*garg->tuplcnt_arr));
--
--        if (tmp == NULL)
--            return 0;
--        garg->tplmax += GROUPLIST_INCREMENT;
--        garg->tuplcnt_arr = tmp;
--    }
-+    if (garg->inner && !garg->first && !close_tuple(garg))
-+        return 0;
-+    garg->first = 0;
- 
-     /* Convert to \0-terminated string */
-     restored_tuple_string = OPENSSL_malloc((len + 1 /* \0 */) * sizeof(char));
-@@ -1560,15 +1585,8 @@ static int tuple_cb(const char *tuple, int len, void *arg)
-     /* We don't need the \o-terminated string anymore */
-     OPENSSL_free(restored_tuple_string);
- 
--    if (garg->tuplcnt_arr[garg->tplcnt] > 0) { /* Some valid groups are present in current tuple... */
--        if (garg->tuple_mode) {
--            /* We 'close' the tuple */
--            garg->tplcnt++;
--            garg->tuplcnt_arr[garg->tplcnt] = 0; /* Next tuple is initialized to be empty */
--            garg->tuple_mode = 1; /* next call will start a tuple (unless overridden in gid_cb) */
--        }
--    }
--
-+    if (!garg->inner && !close_tuple(garg))
-+        return 0;
-     return retval;
- }
- 
-@@ -1599,8 +1617,6 @@ int tls1_set_groups_list(SSL_CTX *ctx,
-     }
- 
-     memset(&gcb, 0, sizeof(gcb));
--    gcb.tuple_mode = 1; /* We prepare to collect the first tuple */
--    gcb.ignore_unknown_default = 0;
-     gcb.gidmax = GROUPLIST_INCREMENT;
-     gcb.tplmax = GROUPLIST_INCREMENT;
-     gcb.ksidmax = GROUPLIST_INCREMENT;
-diff --git a/test/tls13groupselection_test.c b/test/tls13groupselection_test.c
-index 8340a9fd2b3b6..bcae5e7159446 100644
---- a/test/tls13groupselection_test.c
-+++ b/test/tls13groupselection_test.c
-@@ -40,6 +40,12 @@ typedef enum SERVER_RESPONSE {
-     SH = 2
- } SERVER_RESPONSE;
- 
-+static const char *response_desc[] = {
-+    "HRR",
-+    "INIT",
-+    "SH",
-+};
-+
- static char *cert = NULL;
- static char *privkey = NULL;
- 
-@@ -307,7 +313,23 @@ static const struct tls13groupselection_test_st tls13groupselection_tests[] = {
-     { "*brainpoolP256r1:X25519", /* test 43 */
-         "X25519",
-         SERVER_PREFERENCE,
--        NEGOTIATION_FAILURE, INIT }
-+        NEGOTIATION_FAILURE, INIT },
-+
-+    /* DEFAULT retains tuple structure */
-+    { "*X25519:secp256r1",
-+        "secp256r1:DEFAULT", /* test 44 */
-+        SERVER_PREFERENCE,
-+        "secp256r1", HRR },
-+#ifndef OPENSSL_NO_DH
-+    { "*ffdhe2048:secp256r1",
-+        "DEFAULT:ffdhe4096", /* test 45 */
-+        CLIENT_PREFERENCE,
-+        "secp256r1", HRR },
-+    { "x25519:ffdhe2048:*ffdhe4096",
-+        "DEFAULT:ffdhe4096", /* test 46 */
-+        SERVER_PREFERENCE,
-+        "x25519", HRR },
-+#endif
- };
- 
- static void server_response_check_cb(int write_p, int version,
-@@ -318,10 +340,12 @@ static void server_response_check_cb(int write_p, int version,
-     enum SERVER_RESPONSE *server_response = (enum SERVER_RESPONSE *)arg;
-     /* Prepare check for HRR */
-     const uint8_t *incoming_random = (uint8_t *)buf + 6;
--    const uint8_t magic_HRR_random[32] = { 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
-+    const uint8_t magic_HRR_random[32] = {
-+        0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
-         0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
-         0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
--        0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C };
-+        0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
-+    };
- 
-     /* Did a server hello arrive? */
-     if (write_p == 0 && /* Incoming data... */
-@@ -450,13 +474,16 @@ static int test_groupnegotiation(const struct tls13groupselection_test_st *curre
-         group_name_client = SSL_group_to_name(clientssl, negotiated_group_client);
-         if (!TEST_int_eq(negotiated_group_client, negotiated_group_server))
-             goto end;
--        if (!TEST_int_eq((int)current_test_vector->expected_server_response, (int)server_response))
-+        if (!TEST_str_eq(response_desc[current_test_vector->expected_server_response],
-+                response_desc[server_response]))
-             goto end;
-         if (TEST_str_eq(group_name_client, current_test_vector->expected_group))
-             ok = 1;
-     } else {
-         TEST_false_or_end(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE));
--        if (test_type == TEST_NEGOTIATION_FAILURE && !TEST_int_eq((int)current_test_vector->expected_server_response, (int)server_response))
-+        if (test_type == TEST_NEGOTIATION_FAILURE
-+            && !TEST_str_eq(response_desc[current_test_vector->expected_server_response],
-+                response_desc[server_response]))
-             goto end;
-         ok = 1;
-     }

diff --git a/0059-CVE-2026-28387.patch b/0059-CVE-2026-28387.patch
deleted file mode 100644
index bd70804..0000000
--- a/0059-CVE-2026-28387.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 444958deaf450aea819171f97ae69eaedede42c3 Mon Sep 17 00:00:00 2001
-From: Alexandr Nedvedicky <sashan@openssl.org>
-Date: Tue, 3 Mar 2026 13:23:46 +0100
-Subject: [PATCH] dane_match_cert() should X509_free() on ->mcert instead of
- OPENSSL_free()
-
-Fixes: 170b735820ac "DANE support for X509_verify_cert()"
-
-Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-MergeDate: Thu Mar  5 12:37:17 2026
-(Merged from https://github.com/openssl/openssl/pull/30250)
-
-(cherry picked from commit 8b5cd6a682f0f6e7b8bf55137137c567d1899c4a)
----
- crypto/x509/x509_vfy.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 8f1b9f58cacdb..01ce14982d6e0 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -3016,7 +3016,7 @@ static int dane_match_cert(X509_STORE_CTX *ctx, X509 *cert, int depth)
-                     break;
-                 }
- 
--                OPENSSL_free(dane->mcert);
-+                X509_free(dane->mcert);
-                 dane->mcert = cert;
-                 dane->mdpth = depth;
-                 dane->mtlsa = t;

diff --git a/0060-CVE-2026-28388.patch b/0060-CVE-2026-28388.patch
deleted file mode 100644
index ba92a70..0000000
--- a/0060-CVE-2026-28388.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From d3a901e8d9f021f3e67d6cfbc12e768129862726 Mon Sep 17 00:00:00 2001
-From: Daniel Kubec <kubec@openssl.org>
-Date: Tue, 17 Mar 2026 11:11:22 +0100
-Subject: [PATCH] Fix NULL Dereference When Delta CRL Lacks CRL Number
- Extension
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes CVE-2026-28388
-
-Co-authored-by: Igor Morgenstern <igor.morgenstern@aisle.com>
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
-MergeDate: Mon Apr  6 19:27:16 2026
-(cherry picked from commit d6ad8595e86dc96ca8771f0a1714b31794befa75)
----
- crypto/x509/x509_vfy.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 01ce14982d6e0..d55141e014d84 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1308,6 +1308,8 @@ static int check_delta_base(X509_CRL *delta, X509_CRL *base)
-     if (ASN1_INTEGER_cmp(delta->base_crl_number, base->crl_number) > 0)
-         return 0;
-     /* Delta CRL number must exceed full CRL number */
-+    if (delta->crl_number == NULL)
-+        return 0;
-     return ASN1_INTEGER_cmp(delta->crl_number, base->crl_number) > 0;
- }
- 

diff --git a/0061-CVE-2026-28389.patch b/0061-CVE-2026-28389.patch
deleted file mode 100644
index 40bf907..0000000
--- a/0061-CVE-2026-28389.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-From 16cea4188e0ea567deb4f93f85902247e67384f5 Mon Sep 17 00:00:00 2001
-From: Neil Horman <nhorman@openssl.org>
-Date: Mon, 16 Mar 2026 13:49:07 -0400
-Subject: [PATCH] Fix NULL deref in [ec]dh_cms_set_shared_info
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Multiple independent reports indicated a SIGSEGV was possible in CMS
-processing when a crafted CMS EnvelopedData message using A Key
-Agreement Recipient Info field.  If the
-KeyEncryptionAlgorithmIdentifier omits the optional parameter field, the
-referenced functions above will attempt to dereference the
-alg->parameter data prior to checking if the parameter field is NULL.
-
-Confirmed to resolve the issues using the reproducers provided in the
-security reports.
-
-Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
-
-Fixes CVE-2026-28389
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
-MergeDate: Mon Apr  6 19:06:12 2026
----
- crypto/cms/cms_dh.c | 13 +++++++++----
- crypto/cms/cms_ec.c | 14 ++++++++++----
- 2 files changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/cms/cms_dh.c b/crypto/cms/cms_dh.c
-index ab3453d1c7c12..4247295236977 100644
---- a/crypto/cms/cms_dh.c
-+++ b/crypto/cms/cms_dh.c
-@@ -89,16 +89,21 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
-     int keylen, plen;
-     EVP_CIPHER *kekcipher = NULL;
-     EVP_CIPHER_CTX *kekctx;
-+    const ASN1_OBJECT *aoid;
-+    const void *parameter = NULL;
-+    int ptype = 0;
-     char name[OSSL_MAX_NAME_SIZE];
- 
-     if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
-         goto err;
- 
-+    X509_ALGOR_get0(&aoid, &ptype, &parameter, alg);
-+
-     /*
-      * For DH we only have one OID permissible. If ever any more get defined
-      * we will need something cleverer.
-      */
--    if (OBJ_obj2nid(alg->algorithm) != NID_id_smime_alg_ESDH) {
-+    if (OBJ_obj2nid(aoid) != NID_id_smime_alg_ESDH) {
-         ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
-         goto err;
-     }
-@@ -107,11 +112,11 @@ static int dh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
-         || EVP_PKEY_CTX_set_dh_kdf_md(pctx, EVP_sha1()) <= 0)
-         goto err;
- 
--    if (alg->parameter->type != V_ASN1_SEQUENCE)
-+    if (ptype != V_ASN1_SEQUENCE)
-         goto err;
- 
--    p = alg->parameter->value.sequence->data;
--    plen = alg->parameter->value.sequence->length;
-+    p = ASN1_STRING_get0_data(parameter);
-+    plen = ASN1_STRING_length(parameter);
-     kekalg = d2i_X509_ALGOR(NULL, &p, plen);
-     if (kekalg == NULL)
-         goto err;
-diff --git a/crypto/cms/cms_ec.c b/crypto/cms/cms_ec.c
-index ff8adad616686..e60d0a786ec58 100644
---- a/crypto/cms/cms_ec.c
-+++ b/crypto/cms/cms_ec.c
-@@ -166,21 +166,27 @@ static int ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri)
-     int plen, keylen;
-     EVP_CIPHER *kekcipher = NULL;
-     EVP_CIPHER_CTX *kekctx;
-+    const ASN1_OBJECT *aoid = NULL;
-+    int ptype = 0;
-+    const void *parameter = NULL;
-+
-     char name[OSSL_MAX_NAME_SIZE];
- 
-     if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm))
-         return 0;
- 
--    if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) {
-+    X509_ALGOR_get0(&aoid, &ptype, &parameter, alg);
-+
-+    if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(aoid))) {
-         ERR_raise(ERR_LIB_CMS, CMS_R_KDF_PARAMETER_ERROR);
-         return 0;
-     }
- 
--    if (alg->parameter->type != V_ASN1_SEQUENCE)
-+    if (ptype != V_ASN1_SEQUENCE)
-         return 0;
- 
--    p = alg->parameter->value.sequence->data;
--    plen = alg->parameter->value.sequence->length;
-+    p = ASN1_STRING_get0_data(parameter);
-+    plen = ASN1_STRING_length(parameter);
-     kekalg = d2i_X509_ALGOR(NULL, &p, plen);
-     if (kekalg == NULL)
-         goto err;

diff --git a/0062-CVE-2026-28390.patch b/0062-CVE-2026-28390.patch
deleted file mode 100644
index 9a312c8..0000000
--- a/0062-CVE-2026-28390.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 2e39b7a6993be445fddb9fbce316fa756e0397b6 Mon Sep 17 00:00:00 2001
-From: Neil Horman <nhorman@openssl.org>
-Date: Wed, 1 Apr 2026 10:56:44 +0200
-Subject: [PATCH] Fix NULL deref in rsa_cms_decrypt
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Very simmilar to CVE-2026-28389, ensure that if we are missing
-parameters in RSA-OAEP SourceFunc in CMS KeyTransportRecipientInfo,
-we don't segfault when decrypting.
-
-Co-authored-by: Tomas Mraz <tomas@openssl.foundation>
-
-Fixes CVE-2026-28390
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
-MergeDate: Mon Apr  6 19:06:14 2026
----
- crypto/cms/cms_rsa.c | 31 +++++++++++++++++++------------
- 1 file changed, 19 insertions(+), 12 deletions(-)
-
-diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c
-index 6b65842cc14ec..34c739a9825a4 100644
---- a/crypto/cms/cms_rsa.c
-+++ b/crypto/cms/cms_rsa.c
-@@ -42,10 +42,13 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
-     X509_ALGOR *cmsalg;
-     int nid;
-     int rv = -1;
--    unsigned char *label = NULL;
-+    const unsigned char *label = NULL;
-     int labellen = 0;
-     const EVP_MD *mgf1md = NULL, *md = NULL;
-     RSA_OAEP_PARAMS *oaep;
-+    const ASN1_OBJECT *aoid;
-+    const void *parameter = NULL;
-+    int ptype = 0;
- 
-     pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
-     if (pkctx == NULL)
-@@ -75,21 +78,19 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
-         goto err;
- 
-     if (oaep->pSourceFunc != NULL) {
--        X509_ALGOR *plab = oaep->pSourceFunc;
-+        X509_ALGOR_get0(&aoid, &ptype, &parameter, oaep->pSourceFunc);
- 
--        if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) {
-+        if (OBJ_obj2nid(aoid) != NID_pSpecified) {
-             ERR_raise(ERR_LIB_CMS, CMS_R_UNSUPPORTED_LABEL_SOURCE);
-             goto err;
-         }
--        if (plab->parameter->type != V_ASN1_OCTET_STRING) {
-+        if (ptype != V_ASN1_OCTET_STRING) {
-             ERR_raise(ERR_LIB_CMS, CMS_R_INVALID_LABEL);
-             goto err;
-         }
- 
--        label = plab->parameter->value.octet_string->data;
--        /* Stop label being freed when OAEP parameters are freed */
--        plab->parameter->value.octet_string->data = NULL;
--        labellen = plab->parameter->value.octet_string->length;
-+        label = ASN1_STRING_get0_data(parameter);
-+        labellen = ASN1_STRING_length(parameter);
-     }
- 
-     if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0)
-@@ -98,10 +99,16 @@ static int rsa_cms_decrypt(CMS_RecipientInfo *ri)
-         goto err;
-     if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0)
-         goto err;
--    if (label != NULL
--        && EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) {
--        OPENSSL_free(label);
--        goto err;
-+    if (label != NULL) {
-+        unsigned char *dup_label = OPENSSL_memdup(label, labellen);
-+
-+        if (dup_label == NULL)
-+            goto err;
-+
-+        if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, dup_label, labellen) <= 0) {
-+            OPENSSL_free(dup_label);
-+            goto err;
-+        }
-     }
-     /* Carry on */
-     rv = 1;

diff --git a/0063-CVE-2026-31789.patch b/0063-CVE-2026-31789.patch
deleted file mode 100644
index d24d846..0000000
--- a/0063-CVE-2026-31789.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 945b935ac66cc7f1a41f1b849c7c25adb5351f49 Mon Sep 17 00:00:00 2001
-From: Igor Ustinov <igus68@gmail.com>
-Date: Thu, 5 Mar 2026 15:47:34 +0100
-Subject: [PATCH] Avoid possible buffer overflow in buf2hex conversion
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes CVE-2026-31789
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
-MergeDate: Mon Apr  6 19:39:23 2026
-(cherry picked from commit 3244aa4b9d6ea0220cc14fd97d951c67b5052837)
----
- crypto/o_str.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/o_str.c b/crypto/o_str.c
-index 35540630be25f..9b9e7751fdd9e 100644
---- a/crypto/o_str.c
-+++ b/crypto/o_str.c
-@@ -296,6 +296,11 @@ static int buf2hexstr_sep(char *str, size_t str_n, size_t *strlength,
-     int has_sep = (sep != CH_ZERO);
-     size_t i, len = has_sep ? buflen * 3 : 1 + buflen * 2;
- 
-+    if (buflen > (has_sep ? SIZE_MAX / 3 : (SIZE_MAX - 1) / 2)) {
-+        ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
-+        return 0;
-+    }
-+
-     if (len == 0)
-         ++len;
-     if (strlength != NULL)
-@@ -339,7 +344,13 @@ char *ossl_buf2hexstr_sep(const unsigned char *buf, long buflen, char sep)
-     if (buflen == 0)
-         return OPENSSL_zalloc(1);
- 
--    tmp_n = (sep != CH_ZERO) ? buflen * 3 : 1 + buflen * 2;
-+    if ((sep != CH_ZERO && (size_t)buflen > SIZE_MAX / 3)
-+        || (sep == CH_ZERO && (size_t)buflen > (SIZE_MAX - 1) / 2)) {
-+        ERR_raise(ERR_LIB_CRYPTO, CRYPTO_R_TOO_MANY_BYTES);
-+        return NULL;
-+    }
-+
-+    tmp_n = (sep != CH_ZERO) ? (size_t)buflen * 3 : 1 + (size_t)buflen * 2;
-     if ((tmp = OPENSSL_malloc(tmp_n)) == NULL)
-         return NULL;
- 

diff --git a/0064-CVE-2026-31790.patch b/0064-CVE-2026-31790.patch
deleted file mode 100644
index 5ce8aed..0000000
--- a/0064-CVE-2026-31790.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 001e01db3e996e13ffc72386fe79d03a6683b5ac Mon Sep 17 00:00:00 2001
-From: Nikola Pajkovsky <nikolap@openssl.org>
-Date: Thu, 19 Mar 2026 12:16:08 +0100
-Subject: [PATCH] rsa_kem: validate RSA_public_encrypt() result in RSASVE
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RSA_public_encrypt() returns the number of bytes written on success and
--1 on failure. With the existing `if (ret)` check, a provider-side RSA KEM
-encapsulation can incorrectly succeed when the underlying RSA public
-encrypt operation fails. In that case the code reports success, returns
-lengths as if encapsulation completed normally, and leaves the freshly
-generated secret available instead of discarding it.
-
-Tighten the success condition so RSASVE only succeeds when
-RSA_public_encrypt() returns a positive value equal to the modulus-sized
-output expected for RSA_NO_PADDING. Any other return value is treated as
-failure, and the generated secret is cleansed before returning.
-
-Fixes CVE-2026-31790
-Signed-off-by: Nikola Pajkovsky <nikolap@openssl.org>
-
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
-MergeDate: Mon Apr  6 19:51:30 2026
----
- providers/implementations/kem/rsa_kem.c | 20 +++++++++++---------
- 1 file changed, 11 insertions(+), 9 deletions(-)
-
-diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c
-index f7bf368a0dfc7..74dfafddd9e06 100644
---- a/providers/implementations/kem/rsa_kem.c
-+++ b/providers/implementations/kem/rsa_kem.c
-@@ -316,17 +316,19 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx,
-         return 0;
- 
-     /* Step(3): out = RSAEP((n,e), z) */
--    ret = RSA_public_encrypt(nlen, secret, out, prsactx->rsa, RSA_NO_PADDING);
--    if (ret) {
--        ret = 1;
--        if (outlen != NULL)
--            *outlen = nlen;
--        if (secretlen != NULL)
--            *secretlen = nlen;
--    } else {
-+    ret = RSA_public_encrypt((int)nlen, secret, out, prsactx->rsa,
-+        RSA_NO_PADDING);
-+    if (ret <= 0 || ret != (int)nlen) {
-         OPENSSL_cleanse(secret, nlen);
-+        return 0;
-     }
--    return ret;
-+
-+    if (outlen != NULL)
-+        *outlen = nlen;
-+    if (secretlen != NULL)
-+        *secretlen = nlen;
-+
-+    return 1;
- }
- 
- /**

diff --git a/openssl.spec b/openssl.spec
index 1ca13a3..6293841 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -33,8 +33,8 @@ print(string.sub(hash, 0, 16))
 
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
-Version: 3.5.5
-Release: 2%{?dist}
+Version: 3.5.7
+Release: 1%{?dist}
 Epoch: 1
 Source0: openssl-%{version}.tar.gz
 Source1: fips-hmacify.sh
@@ -102,13 +102,6 @@ Patch0054: 0054-Temporarily-disable-SLH-DSA-FIPS-self-tests.patch
 Patch0055: 0055-Add-a-define-to-disable-symver-attributes.patch
 Patch0056: 0056-Add-targets-to-skip-build-of-non-installable-program.patch
 Patch0057: 0057-Disable-RSA-PKCS1.5-FIPS-POST-not-relevant-for-RHEL.patch
-Patch0058: 0058-CVE-2026-2673.patch
-Patch0059: 0059-CVE-2026-28387.patch
-Patch0060: 0060-CVE-2026-28388.patch
-Patch0061: 0061-CVE-2026-28389.patch
-Patch0062: 0062-CVE-2026-28390.patch
-Patch0063: 0063-CVE-2026-31789.patch
-Patch0064: 0064-CVE-2026-31790.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -481,6 +474,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco
 %ldconfig_scriptlets libs
 
 %changelog
+* Wed Jun 10 2026 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.5.7-1
+- Rebase to OpenSSL 3.5.7
+
 * Mon Apr 20 2026 Pavol Žáčik <pzacik@redhat.com> - 1:3.5.5-2
 - Backport security patches from OpenSSL 3.5.6
   Resolves: CVE-2026-2673

diff --git a/sources b/sources
index 8551fe3..1fa392a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (openssl-3.5.5.tar.gz) = 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec
+SHA512 (openssl-3.5.7.tar.gz) = de5351d2d532e1a3908a738f7d8aae448d32bc60bdb24808c556a24bc37a3f53daedf12b5d432eeb8c235e16939d842f908332ede8a447ca103ad1c493c820d7