summaryrefslogtreecommitdiff
path: root/system/openssl
diff options
context:
space:
mode:
Diffstat (limited to 'system/openssl')
-rw-r--r--system/openssl/APKBUILD14
-rw-r--r--system/openssl/CVE-2023-0465.patch51
-rw-r--r--system/openssl/ppc-auxv.patch2
-rw-r--r--system/openssl/ppc64.patch96
4 files changed, 6 insertions, 157 deletions
diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD
index 851c4f7ae..aba5d100f 100644
--- a/system/openssl/APKBUILD
+++ b/system/openssl/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=openssl
-pkgver=1.1.1t
-pkgrel=1
+pkgver=3.0.8
+pkgrel=0
pkgdesc="Toolkit for SSL and TLS"
url="https://www.openssl.org/"
arch="all"
@@ -12,9 +12,7 @@ makedepends_build="perl"
subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto
libssl1.1:libssl"
source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz
- CVE-2023-0465.patch
ppc-auxv.patch
- ppc64.patch
"
# secfixes:
@@ -119,7 +117,7 @@ libcrypto() {
mv $i "$subpkgdir"/lib/
ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
done
- mv "$pkgdir"/usr/lib/engines-1.1 "$subpkgdir"/usr/lib/
+ mv "$pkgdir"/usr/lib/engines-3 "$subpkgdir"/usr/lib/
}
libssl() {
@@ -132,7 +130,5 @@ libssl() {
done
}
-sha512sums="628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c openssl-1.1.1t.tar.gz
-c86d1a74387f3e0ff085e2785bd834b529fdc6b397fa8f559d413b9fa4e35848523c58ce94e00e75b17f55af28f58f0c347973a739a5d15465e205391fc59b26 CVE-2023-0465.patch
-7fd3158c6eb3451f10e4bfd78f85c3e7aef84716eb38e00503d5cfc8e414b7bdf02e0671d0299a96a453dd2e38249dcf1281136b27b6df372f3ea08fbf78329b ppc-auxv.patch
-e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch"
+sha512sums="8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d openssl-3.0.8.tar.gz
+5aaba32060c2a5b85941933050168bb757f9263fedb3edfbc8699d9d5bf0c874a9935f53e559a06afe9cbdae737041fb10cdc7713d02ee626cb74789054e5837 ppc-auxv.patch"
diff --git a/system/openssl/CVE-2023-0465.patch b/system/openssl/CVE-2023-0465.patch
deleted file mode 100644
index a270624d3..000000000
--- a/system/openssl/CVE-2023-0465.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 7 Mar 2023 16:52:55 +0000
-Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
-
-Even though we check the leaf cert to confirm it is valid, we
-later ignored the invalid flag and did not notice that the leaf
-cert was bad.
-
-Fixes: CVE-2023-0465
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/20588)
----
- crypto/x509/x509_vfy.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 925fbb54125..1dfe4f9f31a 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
- }
- /* Invalid or inconsistent extensions */
- if (ret == X509_PCY_TREE_INVALID) {
-- int i;
-+ int i, cbcalled = 0;
-
- /* Locate certificates with bad extensions and notify callback. */
-- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- X509 *x = sk_X509_value(ctx->chain, i);
-
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
-+ cbcalled = 1;
- if (!verify_cb_cert(ctx, x, i,
- X509_V_ERR_INVALID_POLICY_EXTENSION))
- return 0;
- }
-+ if (!cbcalled) {
-+ /* Should not be able to get here */
-+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ /* The callback ignored the error so we return success */
- return 1;
- }
- if (ret == X509_PCY_TREE_FAILURE) {
diff --git a/system/openssl/ppc-auxv.patch b/system/openssl/ppc-auxv.patch
index a22ef83c2..92861feaf 100644
--- a/system/openssl/ppc-auxv.patch
+++ b/system/openssl/ppc-auxv.patch
@@ -1,6 +1,6 @@
--- a/crypto/ppccap.c
+++ b/crypto/ppccap.c
-@@ -207,17 +207,9 @@
+@@ -85,17 +85,9 @@
return 0;
}
diff --git a/system/openssl/ppc64.patch b/system/openssl/ppc64.patch
deleted file mode 100644
index c75ceedba..000000000
--- a/system/openssl/ppc64.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From 34ab13b7d8e3e723adb60be8142e38b7c9cd382a Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Sun, 5 May 2019 18:25:50 +0200
-Subject: [PATCH] crypto/perlasm/ppc-xlate.pl: add linux64v2 flavour
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is a big endian ELFv2 configuration. ELFv2 was already being
-used for little endian, and big endian was traditionally ELFv1
-but there are practical configurations that use ELFv2 with big
-endian nowadays (Adélie Linux, Void Linux, possibly Gentoo, etc.)
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/8883)
----
- crypto/perlasm/ppc-xlate.pl | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl
-index e52f2f6ea62..5fcd0526dff 100755
---- a/crypto/perlasm/ppc-xlate.pl
-+++ b/crypto/perlasm/ppc-xlate.pl
-@@ -49,7 +49,7 @@
- /osx/ && do { $name = "_$name";
- last;
- };
-- /linux.*(32|64le)/
-+ /linux.*(32|64(le|v2))/
- && do { $ret .= ".globl $name";
- if (!$$type) {
- $ret .= "\n.type $name,\@function";
-@@ -80,7 +80,7 @@
- };
- my $text = sub {
- my $ret = ($flavour =~ /aix/) ? ".csect\t.text[PR],7" : ".text";
-- $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64le/);
-+ $ret = ".abiversion 2\n".$ret if ($flavour =~ /linux.*64(le|v2)/);
- $ret;
- };
- my $machine = sub {
-@@ -186,7 +186,7 @@
-
- # Some ABIs specify vrsave, special-purpose register #256, as reserved
- # for system use.
--my $no_vrsave = ($flavour =~ /aix|linux64le/);
-+my $no_vrsave = ($flavour =~ /aix|linux64(le|v2)/);
- my $mtspr = sub {
- my ($f,$idx,$ra) = @_;
- if ($idx == 256 && $no_vrsave) {
-@@ -318,7 +318,7 @@ sub vfour {
- if ($label) {
- my $xlated = ($GLOBALS{$label} or $label);
- print "$xlated:";
-- if ($flavour =~ /linux.*64le/) {
-+ if ($flavour =~ /linux.*64(le|v2)/) {
- if ($TYPES{$label} =~ /function/) {
- printf "\n.localentry %s,0\n",$xlated;
- }
-
-From 098404128383ded87ba390dd74ecd9e2ffa6f530 Mon Sep 17 00:00:00 2001
-From: Andy Polyakov <appro@openssl.org>
-Date: Sun, 5 May 2019 18:30:55 +0200
-Subject: [PATCH] Configure: use ELFv2 ABI on some ppc64 big endian systems
-
-If _CALL_ELF is defined to be 2, it's an ELFv2 system.
-Conditionally switch to the v2 perlasm scheme.
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/8883)
----
- Configure | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/Configure b/Configure
-index 22082deb4c7..e303d98deb3 100755
---- a/Configure
-+++ b/Configure
-@@ -1402,8 +1402,15 @@
- my %predefined_C = compiler_predefined($config{CROSS_COMPILE}.$config{CC});
- my %predefined_CXX = $config{CXX}
- ? compiler_predefined($config{CROSS_COMPILE}.$config{CXX})
- : ();
-
-+unless ($disabled{asm}) {
-+ # big endian systems can use ELFv2 ABI
-+ if ($target eq "linux-ppc64") {
-+ $target{perlasm_scheme} = "linux64v2" if ($predefined_C{_CALL_ELF} == 2);
-+ }
-+}
-+
- # Check for makedepend capabilities.
- if (!$disabled{makedepend}) {
- if ($config{target} =~ /^(VC|vms)-/) {