authorZach van Rijn <me@zv.io>2023-05-12 11:42:43 -0500
committerZach van Rijn <me@zv.io>2023-05-12 11:42:43 -0500
commit4c28fb172415d3448a447e3e17b6f22cb17ce8a5 (patch)
treef66fae8c59fd5c7c9d81bb3ce1635a43e39ad723
parent55f95de5e74e22cfab0d73726fd323859924f6d7 (diff)
system/openssl: bump { 1.1.1t --> 3.0.8 }.openssl-3.0
-rw-r--r--system/openssl/APKBUILD14
-rw-r--r--system/openssl/CVE-2023-0465.patch51
-rw-r--r--system/openssl/ppc-auxv.patch2
-rw-r--r--system/openssl/ppc64.patch96
4 files changed, 6 insertions, 157 deletions
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index 851c4f7ae..aba5d100f 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openssl
-pkgver=1.1.1t
-pkgrel=1
+pkgver=3.0.8
+pkgrel=0
pkgdesc="Toolkit for SSL and TLS"
url="https://www.openssl.org/"
arch="all"
@@ -12,9 +12,7 @@ makedepends_build="perl"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto
libssl1.1:libssl"
source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
- CVE-2023-0465.patch
ppc-auxv.patch
- ppc64.patch
"
# secfixes:
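Review bot: Dropping `CVE-2023-0465.patch` from `source=` is only safe if the 3.0.8 tarball already contains the leaf-certificate `EXFLAG_INVALID_POLICY` check, and nothing on this page shows that it does. The removed patch is dated March 2023 and is written against the 1.1.1 tree, so please confirm against the upstream advisory and, if 3.0.8 is affected, carry the 3.0-branch equivalent rather than removing the fix outright; the `# secfixes:` list that follows this hunk should then be updated to match. Separately, the context line still declares `libcrypto1.1:libcrypto` and `libssl1.1:libssl`, which would presumably ship 3.x libraries under 1.1 subpackage names. Renaming them (for example `libcrypto3:libcrypto libssl3:libssl`) would keep dependents from silently picking up an ABI-incompatible library.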
@@ -119,7 +117,7 @@ libcrypto() {
mv $i "$subpkgdir"/lib/
ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
done
- mv "$pkgdir"/usr/lib/engines-1.1 "$subpkgdir"/usr/lib/
+ mv "$pkgdir"/usr/lib/engines-3 "$subpkgdir"/usr/lib/
}
libssl() {
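Review bot: Only `engines-3` is moved into the libcrypto subpackage here, but OpenSSL 3.x also installs loadable providers (such as the legacy provider) in a separate modules directory, typically `usr/lib/ossl-modules`. If that directory stays in the main package, systems that install only libcrypto would be unable to load those providers. Consider adding `mv "$pkgdir"/usr/lib/ossl-modules "$subpkgdir"/usr/lib/` next to the engines line, after checking the actual install tree. The start of `libcrypto()` lies outside the hunk, so this may already be handled earlier in the function.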
@@ -132,7 +130,5 @@ libssl() {
done
}
-sha512sums="628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c openssl-1.1.1t.tar.gz
-c86d1a74387f3e0ff085e2785bd834b529fdc6b397fa8f559d413b9fa4e35848523c58ce94e00e75b17f55af28f58f0c347973a739a5d15465e205391fc59b26 CVE-2023-0465.patch
-7fd3158c6eb3451f10e4bfd78f85c3e7aef84716eb38e00503d5cfc8e414b7bdf02e0671d0299a96a453dd2e38249dcf1281136b27b6df372f3ea08fbf78329b ppc-auxv.patch
-e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch"
+sha512sums="8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d openssl-3.0.8.tar.gz
+5aaba32060c2a5b85941933050168bb757f9263fedb3edfbc8699d9d5bf0c874a9935f53e559a06afe9cbdae737041fb10cdc7713d02ee626cb74789054e5837 ppc-auxv.patch"
diff --git a/system/openssl/CVE-2023-0465.patch b/system/openssl/CVE-2023-0465.patch
deleted file mode 100644
index a270624d3..000000000
--- a/system/openssl/CVE-2023-0465.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Mar 2023 16:52:55 +0000
-Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
-
-Even though we check the leaf cert to confirm it is valid, we
-later ignored the invalid flag and did not notice that the leaf
-cert was bad.
-
-Fixes: CVE-2023-0465
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20588)
----
- crypto/x509/x509_vfy.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 925fbb54125..1dfe4f9f31a 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
- }
- /* Invalid or inconsistent extensions */
- if (ret == X509_PCY_TREE_INVALID) {
-- int i;
-+ int i, cbcalled = 0;
-
- /* Locate certificates with bad extensions and notify callback. */
-- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- X509 *x = sk_X509_value(ctx->chain, i);
-
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
-+ cbcalled = 1;
- if (!verify_cb_cert(ctx, x, i,
- X509_V_ERR_INVALID_POLICY_EXTENSION))
- return 0;
- }
-+ if (!cbcalled) {
-+ /* Should not be able to get here */
-+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ /* The callback ignored the error so we return success */
- return 1;
- }
- if (ret == X509_PCY_TREE_FAILURE) {
diff --git a/system/openssl/ppc-auxv.patch b/system/openssl/ppc-auxv.patch
index a22ef83c2..92861feaf 100644
--- a/system/openssl/ppc-auxv.patch
+++ b/system/openssl/ppc-auxv.patch
@@ -1,6 +1,6 @@
--- a/crypto/ppccap.c
+++ b/crypto/ppccap.c
-@@ -207,17 +207,9 @@
+@@ -85,17 +85,9 @@
return 0;
}
diff --git a/system/openssl/ppc64.patch b/system/openssl/ppc64.patch
deleted file mode 100644
index c75ceedba..000000000
--- a/system/openssl/ppc64.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Sun, 5 May 2019 18:25:50 +0200
-Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a big endian ELFv2 configuration. ELFv2 was already being
-used for little endian, and big endian was traditionally ELFv1
-but there are practical configurations that use ELFv2 with big
-endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/8883)
----
- crypto/perlasm/ppc-xlate.pl | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
-index e52f2f6ea62..5fcd0526dff 100755
---- a/crypto/perlasm/ppc-xlate.pl
-+++ b/crypto/perlasm/ppc-xlate.pl
-@@ -49,7 +49,7 @@
- /osx/ && do { $name = "_$name";
- last;
- };
-- /linux.*(32|64le)/
-+ /linux.*(32|64(le|v2))/
- && do { $ret .= ".globl $name";
- if (!$$type) {
- $ret .= "\n.type $name,\@function";
-@@ -80,7 +80,7 @@
- };
- my $text = sub {
- my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
-- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
-+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/);
- $ret;
- };
- my $machine = sub {
-@@ -186,7 +186,7 @@
-
- # Some ABIs specify vrsave, special-purpose register #256, as reserved
- # for system use.
--my $no_vrsave = ($flavour =~ /aix|linux64le/);
-+my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/);
- my $mtspr = sub {
- my ($f,$idx,$ra) = @_;
- if ($idx == 256 && $no_vrsave) {
-@@ -318,7 +318,7 @@ sub vfour {
- if ($label) {
- my $xlated = ($GLOBALS{$label} or $label);
- print "$xlated:";
-- if ($flavour =~ /linux.*64le/) {
-+ if ($flavour =~ /linux.*64(le|v2)/) {
- if ($TYPES{$label} =~ /function/) {
- printf "\n.localentry %s,0\n",$xlated;
- }
-
-From 098404128383ded87ba390dd74ecd9e2ffa6f530 Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Sun, 5 May 2019 18:30:55 +0200
-Subject: [PATCH] Configure: use ELFv2 ABI on some ppc64 big endian systems
-
-If _CALL_ELF is defined to be 2, it's an ELFv2 system.
-Conditionally switch to the v2 perlasm scheme.
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/8883)
----
- Configure | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/Configure b/Configure
-index 22082deb4c7..e303d98deb3 100755
---- a/Configure
-+++ b/Configure
-@@ -1402,8 +1402,15 @@
- my %predefined_C = compiler_predefined($config{CROSS_COMPILE}.$config{CC});
- my %predefined_CXX = $config{CXX}
- ? compiler_predefined($config{CROSS_COMPILE}.$config{CXX})
- : ();
-
-+unless ($disabled{asm}) {
-+ # big endian systems can use ELFv2 ABI
-+ if ($target eq "linux-ppc64") {
-+ $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2);
-+ }
-+}
-+
- # Check for makedepend capabilities.
- if (!$disabled{makedepend}) {
- if ($config{target} =~ /^(VC|vms)-/) {