From dab0c53b3336818bc933dbace50d90fe425f43d7 Mon Sep 17 00:00:00 2001 From: Zach van Rijn Date: Mon, 21 Aug 2023 23:06:27 +0000 Subject: system/openssl: bump { 1.1.1t --> 1.1.1v }. fixes #1041. --- system/openssl/APKBUILD | 8 +++--- system/openssl/CVE-2023-0465.patch | 51 -------------------------------------- 2 files changed, 3 insertions(+), 56 deletions(-) delete mode 100644 system/openssl/CVE-2023-0465.patch diff --git a/system/openssl/APKBUILD b/system/openssl/APKBUILD index 851c4f7ae..9e178ca77 100644 --- a/system/openssl/APKBUILD +++ b/system/openssl/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: A. Wilcox pkgname=openssl -pkgver=1.1.1t -pkgrel=1 +pkgver=1.1.1v +pkgrel=0 pkgdesc="Toolkit for SSL and TLS" url="https://www.openssl.org/" arch="all" @@ -12,7 +12,6 @@ makedepends_build="perl" subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto1.1:libcrypto libssl1.1:libssl" source="https://www.openssl.org/source/${pkgname}-${pkgver}.tar.gz - CVE-2023-0465.patch ppc-auxv.patch ppc64.patch " @@ -132,7 +131,6 @@ libssl() { done } -sha512sums="628676c9c3bc1cf46083d64f61943079f97f0eefd0264042e40a85dbbd988f271bfe01cd1135d22cc3f67a298f1d078041f8f2e97b0da0d93fe172da573da18c openssl-1.1.1t.tar.gz -c86d1a74387f3e0ff085e2785bd834b529fdc6b397fa8f559d413b9fa4e35848523c58ce94e00e75b17f55af28f58f0c347973a739a5d15465e205391fc59b26 CVE-2023-0465.patch +sha512sums="1a67340d99026aa62bf50ff89165d9f77fe4a6690fe30d1751b5021dd3f238391afd581b41724687c322c4e3af1770c44a63766a06e9b8cab6425101153e0c7e openssl-1.1.1v.tar.gz 7fd3158c6eb3451f10e4bfd78f85c3e7aef84716eb38e00503d5cfc8e414b7bdf02e0671d0299a96a453dd2e38249dcf1281136b27b6df372f3ea08fbf78329b ppc-auxv.patch e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509 ppc64.patch" diff --git a/system/openssl/CVE-2023-0465.patch b/system/openssl/CVE-2023-0465.patch deleted file mode 100644 index a270624d3..000000000 
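Review bot: The second APKBUILD hunk removes `CVE-2023-0465.patch` from `source=` (and the third drops its checksum), but nothing in the visible hunks or the commit message records that the 1.1.1v tarball already carries that fix. The removal is only safe if the upstream release includes the leaf-certificate `EXFLAG_INVALID_POLICY` check that the deleted patch added to `check_policy()`; please confirm this against the upstream changelog and state it in the commit message. If this APKBUILD keeps a `# secfixes:` comment block (not visible in these hunks), the CVE entry should remain there under the package version that first shipped the fix, so that the fix history stays traceable after the patch file is gone.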
--- a/system/openssl/CVE-2023-0465.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-From b013765abfa80036dc779dd0e50602c57bb3bf95 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Tue, 7 Mar 2023 16:52:55 +0000
-Subject: [PATCH] Ensure that EXFLAG_INVALID_POLICY is checked even in leaf
- certs
-
-Even though we check the leaf cert to confirm it is valid, we
-later ignored the invalid flag and did not notice that the leaf
-cert was bad.
-
-Fixes: CVE-2023-0465
-
-Reviewed-by: Hugo Landau
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/20588)
----
- crypto/x509/x509_vfy.c | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
-index 925fbb54125..1dfe4f9f31a 100644
---- a/crypto/x509/x509_vfy.c
-+++ b/crypto/x509/x509_vfy.c
-@@ -1649,18 +1649,25 @@ static int check_policy(X509_STORE_CTX *ctx)
- }
- /* Invalid or inconsistent extensions */
- if (ret == X509_PCY_TREE_INVALID) {
-- int i;
-+ int i, cbcalled = 0;
-
- /* Locate certificates with bad extensions and notify callback. */
-- for (i = 1; i < sk_X509_num(ctx->chain); i++) {
-+ for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- X509 *x = sk_X509_value(ctx->chain, i);
-
- if (!(x->ex_flags & EXFLAG_INVALID_POLICY))
- continue;
-+ cbcalled = 1;
- if (!verify_cb_cert(ctx, x, i,
- X509_V_ERR_INVALID_POLICY_EXTENSION))
- return 0;
- }
-+ if (!cbcalled) {
-+ /* Should not be able to get here */
-+ X509err(X509_F_CHECK_POLICY, ERR_R_INTERNAL_ERROR);
-+ return 0;
-+ }
-+ /* The callback ignored the error so we return success */
- return 1;
- }
- if (ret == X509_PCY_TREE_FAILURE) {
-- cgit v1.2.3-70-g09d2