openssl_3_5: 3.5.0 -> 3.5.1

Taken from OpenSSL Release Page:

OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
release is Low.

This release incorporates the following bug fixes and mitigations:

- Fix x509 application adds trusted use instead of rejected use.
  ([CVE-2025-4575])

Signed-off-by: Markus Theil <theil.markus@gmail.com>

pkgs/development/libraries/openssl/3.5/CVE-2025-4575.patch

@@ -1,61 +0,0 @@
-From e96d22446e633d117e6c9904cb15b4693e956eaa Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Tue, 20 May 2025 16:34:10 +0200
-Subject: [PATCH] apps/x509.c: Fix the -addreject option adding trust instead
- of rejection
-
-Fixes CVE-2025-4575
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Paul Dale <ppzgs1@gmail.com>
-(Merged from https://github.com/openssl/openssl/pull/27672)
-
-(cherry picked from commit 0eb9acc24febb1f3f01f0320cfba9654cf66b0ac)
----
- apps/x509.c                 |  2 +-
- test/recipes/25-test_x509.t | 12 +++++++++++-
- 2 files changed, 12 insertions(+), 2 deletions(-)
-
-diff --git a/apps/x509.c b/apps/x509.c
-index fdae8f383a667..0c340c15b321a 100644
---- a/apps/x509.c
-+++ b/apps/x509.c
-@@ -465,7 +465,7 @@ int x509_main(int argc, char **argv)
-                            prog, opt_arg());
-                 goto opthelp;
-             }
--            if (!sk_ASN1_OBJECT_push(trust, objtmp))
-+            if (!sk_ASN1_OBJECT_push(reject, objtmp))
-                 goto end;
-             trustout = 1;
-             break;
-diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
-index 09b61708ff8a5..dfa0a428f5f0c 100644
---- a/test/recipes/25-test_x509.t
-+++ b/test/recipes/25-test_x509.t
-@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
- 
- setup("test_x509");
- 
--plan tests => 134;
-+plan tests => 138;
- 
- # Prevent MSys2 filename munging for arguments that look like file paths but
- # aren't
-@@ -110,6 +110,16 @@ ok(run(app(["openssl", "x509", "-new", "-force_pubkey", $key, "-subj", "/CN=EE",
- && run(app(["openssl", "verify", "-no_check_time",
-             "-trusted", $ca, "-partial_chain", $caout])));
- 
-+# test trust decoration
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addtrust", "emailProtection",
-+            "-out", "ca-trusted.pem"])));
-+cert_contains("ca-trusted.pem", "Trusted Uses: E-mail Protection",
-+              1, 'trusted use - E-mail Protection');
-+ok(run(app(["openssl", "x509", "-in", $ca, "-addreject", "emailProtection",
-+            "-out", "ca-rejected.pem"])));
-+cert_contains("ca-rejected.pem", "Rejected Uses: E-mail Protection",
-+              1, 'rejected use - E-mail Protection');
-+
- subtest 'x509 -- x.509 v1 certificate' => sub {
-     tconversion( -type => 'x509', -prefix => 'x509v1',
-                  -in => srctop_file("test", "testx509.pem") );

pkgs/development/libraries/openssl/3.5/quic_accept.patch

@@ -1,32 +0,0 @@
-From 38bf6f3036d1baddbe4618a219aaf17d460091d9 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Mon, 7 Apr 2025 09:58:30 +0100
-Subject: [PATCH] Fix SSL_accept()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If you have a QUIC server SSL connection object, you should be able to
-call SSL_accept() on it.
-
-Fixes #27282
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Saša Nedvědický <sashan@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/27283)
----
- ssl/quic/quic_method.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ssl/quic/quic_method.c b/ssl/quic/quic_method.c
-index 0de2bca47e6bb..8092855efc61a 100644
---- a/ssl/quic/quic_method.c
-+++ b/ssl/quic/quic_method.c
-@@ -23,5 +23,5 @@ IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,
- 
- IMPLEMENT_quic_meth_func(OSSL_QUIC_ANY_VERSION,
-                          OSSL_QUIC_server_method,
--                         ssl_undefined_function,
--                         ossl_quic_connect, ssl3_undef_enc_method)
-+                         ossl_quic_accept,
-+                         ssl_undefined_function, ssl3_undef_enc_method)

pkgs/development/libraries/openssl/default.nix

@@ -388,8 +388,8 @@ in
   };
 
   openssl_3_5 = common {
-    version = "3.5.0";
-    hash = "sha256-NE0KefGpsIApsHROLMQBpD+ckKzRBE0JpTC0iFqOn8A=";
+    version = "3.5.1";
+    hash = "sha256-UpBDsVz/pfNgd6TQr4Pz3jmYBxgdYHRB1zQZbYibZB8=";
 
     patches = [
       ./3.0/nix-ssl-cert-file.patch
@@ -404,12 +404,6 @@ in
         else
           ./3.5/use-etc-ssl-certs.patch
       )
-
-      # can be dropped again with 3.5.1, see: https://github.com/openssl/openssl/issues/27282
-      ./3.5/quic_accept.patch
-
-      # can be dropped again with 3.5.1
-      ./3.5/CVE-2025-4575.patch
     ];
 
     withDocs = true;