OpenSSL 3.3.1 integration + 5.16 release preparation

CHANGES.md

@@ -1,3 +1,14 @@
+## AmiSSL 5.16 (7.6.2024)
+
+- Updated OpenSSL backend to full compatibility with the latest
+  OpenSSL 3.3.1 (4.6.2024) version which includes these low severity
+  bug fixes and mitigations:
+  + Fixed potential use after free after SSL_free_buffers() is called.
+    (CVE-2024-4741)
+  + Fixed an issue where checking excessively long DSA keys or
+    parameters may be very slow.
+    (CVE-2024-4603)
+
 ## AmiSSL 5.15 (10.5.2024)
 
 - Switched to OpenSSL 3.3, with full compatibility with the latest

Makefile

@@ -152,7 +152,7 @@ endif
 # none - because we want to compile with -Wall all the time
 
 VERSION=5
-REVISION=15
+REVISION=16
 
 include openssl/VERSION.dat
 VERSIONNAME=$(MAJOR)$(MINOR)$(PATCH)

README.update-openssl

@@ -2,7 +2,7 @@
 
  AmiSSL - OpenSSL wrapper for AmigaOS-based systems
  Copyright (c) 1999-2006 Andrija Antonijevic, Stefan Burstroem.
- Copyright (c) 2006-2023 AmiSSL Open Source Team.
+ Copyright (c) 2006-2024 AmiSSL Open Source Team.
  All Rights Reserved.
 
  Licensed under the Apache License, Version 2.0 (the "License");
@@ -33,9 +33,9 @@ HowTo update the OpenSSL version in "openssl/":
 1. To merge in a new OpenSSL version execute the following git command
    within a working copy of the AmiSSL repository:
 
-   $ git subtree pull --prefix openssl --squash https://github.com/openssl/openssl.git openssl-3.0.0
+   $ git subtree pull --prefix openssl --squash https://github.com/openssl/openssl.git openssl-3.3.0
 
-   Note, that "openssl-3.0.0" can be replaced by any branch or tag of
+   Note, that "openssl-3.3.0" can be replaced by any branch or tag of
    the OpenSSL git repository at github.com.
 
    After execution of the above subtree command git will try to merge in all

include/libraries/amisslmaster.h

@@ -62,6 +62,7 @@ enum AmiSSLVersion
   AMISSL_V320,      /* AmiSSL v5.13 */
   AMISSL_V321,      /* AmiSSL v5.14 */
   AMISSL_V330,      /* AmiSSL v5.15 */
+  AMISSL_V331,      /* AmiSSL v5.16 */
 
   /* ADD NEW VERSIONS ABOVE THIS LINE */
   AMISSL_VMAX

include/openssl/e_os2.h

@@ -5,7 +5,7 @@
  *
  * This file has been modified for use with AmiSSL for AmigaOS-based systems.
  *
- * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -253,6 +253,7 @@ typedef INT32 int32_t;
 typedef UINT32 uint32_t;
 typedef INT64 int64_t;
 typedef UINT64 uint64_t;
+typedef UINTN uintptr_t;
 # elif defined(OPENSSL_SYS_AMIGA)
 #  include <amissl/types.h>
 # elif (defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L) || \

include/openssl/opensslv.h

@@ -41,7 +41,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  3
-# define OPENSSL_VERSION_PATCH  0
+# define OPENSSL_VERSION_PATCH  1
 
 /*
  * Additional version information
@@ -86,21 +86,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.3.0"
-# define OPENSSL_FULL_VERSION_STR "3.3.0"
+# define OPENSSL_VERSION_STR "3.3.1"
+# define OPENSSL_FULL_VERSION_STR "3.3.1"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "9 Apr 2024"
+# define OPENSSL_RELEASE_DATE "4 Jun 2024"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.3.0 9 Apr 2024"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.3.1 4 Jun 2024"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE

include/openssl/sslerr.h

@@ -320,10 +320,12 @@
 # define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK         1086
 # define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          1071
 # define SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 1080
+# define SSL_R_TLSV1_ALERT_NO_APPLICATION_PROTOCOL        1120
 # define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               1100
 # define SSL_R_TLSV1_ALERT_PROTOCOL_VERSION               1070
 # define SSL_R_TLSV1_ALERT_RECORD_OVERFLOW                1022
 # define SSL_R_TLSV1_ALERT_UNKNOWN_CA                     1048
+# define SSL_R_TLSV1_ALERT_UNKNOWN_PSK_IDENTITY           1115
 # define SSL_R_TLSV1_ALERT_USER_CANCELLED                 1090
 # define SSL_R_TLSV1_BAD_CERTIFICATE_HASH_VALUE           1114
 # define SSL_R_TLSV1_BAD_CERTIFICATE_STATUS_RESPONSE      1113

openssl/crypto/bio/bss_dgram.c

@@ -560,7 +560,11 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
     socklen_t addr_len;
     BIO_ADDR addr;
 # endif
+# if defined(OPENSSL_SYS_AMIGA)
+    struct sockaddr ss;
+# else
     struct sockaddr_storage ss;
+# endif
     socklen_t ss_len = sizeof(ss);
 
     data = (bio_dgram_data *)b->ptr;

src/amisslmaster_library.c

@@ -244,7 +244,8 @@ LIBPROTO(OpenAmiSSL, struct Library *, REG(a6, UNUSED __BASE_OR_IFACE))
     // (https://wiki.openssl.org/index.php/OpenSSL_3.0#Versioning_Scheme) but we must
     // take care to prevent applications requiring newer API functions from loading
     // older libraries that do not contain those required entries
-    if(LibAPIVersion <= AMISSL_V330 && OpenLib(&AmiSSLBase,"330") == NULL)
+    if(LibAPIVersion <= AMISSL_V331 && OpenLib(&AmiSSLBase,"331") == NULL
+                                    && OpenLib(&AmiSSLBase,"330") == NULL)
       if(LibAPIVersion <= AMISSL_V321 && OpenLib(&AmiSSLBase,"321") == NULL
                                       && OpenLib(&AmiSSLBase,"320") == NULL)
         if(LibAPIVersion <= AMISSL_V314 && OpenLib(&AmiSSLBase,"314") == NULL