openssl: upgrade package to upstream version 1.1.1i
Fixes potential DoS due to a NULL pointer dereference.
BUG=b/181310918,181310977
TEST=presubmit
RELEASE_NOTE=None
cos-patch: lts-refresh
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/2588844
Tested-by: Aashay Shringarpure <aashay@google.com>
Reviewed-by: Allen Webb <allenwebb@google.com>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
Commit-Queue: Aashay Shringarpure <aashay@google.com>
Change-Id: I88387903cd5454a016d220261858d575202fb109
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/chromiumos-overlay/+/13435
Main-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Anil Altinay <aaltinay@google.com>
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index ccedf80..1c0025b 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,6 +1,2 @@
-DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
-DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
-DIST openssl-1.0.2u_ec_curve.c 34808 BLAKE2B 033d99aba6b0dde09b2df5ce089436847d9326522192aa9182e710a709f8eff49f8d0fbe350a17b47a63c1fbbc7bf9b82ba7af50c7fe0532a9eb59d264530ab1 SHA512 159a540bb967f0b2b453b60e06b9a7449179266d09f3b760f9b3fe0406d68f4463ca05e8047371f7bb20cf591ca75ee34d688d112ed4566397d339bb58d25290
-DIST openssl-1.0.2u_ectest.c 49329 BLAKE2B 3b53b7ad0d85211fe4012dd4c37500ebfd96c737e629371cfe6eb2a516c4e244e1395fa13d8fe3837c66eb88cbb9c64e138f923ed9f0507b2da1c09260558a7a SHA512 071839c1e119ff802ba587f12aeacc04f287ec4ff41ed7dfe663608fd1e84d0389c3d3c5d43d8060a390e4fcb11e75b6ed55a1e91947b001f439221a9073c1e2
-DIST openssl-1.0.2u_hobble-openssl 18689 BLAKE2B bdf6cb6bdcde235694fb5ba40cdf56eaaec60db01fa7c0b45b69eac383176c39f6bcd7ebc20dac1e38b317b1d99a36621966be9bb36c985ea7598ad92a100076 SHA512 10f64c9cbf9c31e3153b009ff9348f8f371289b47d294bf9f9cac8fe8a49c8639c2b1aab86c4796a89bf14c26bf1b7d998e3fc857511416868df8d064cb8ced7
-DIST openssl-1.1.1g.tar.gz 9801502 BLAKE2B 5e3dd4725ff89b959a5436d64b521317c6ffeb377418cc24c6d1927fab923423cb5f5fce2f9c2cdee597041c7be156d09668a5fd13dc6ff06d235a83db94cf19 SHA512 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab
+DIST openssl-1.1.1i-bindist-1.0.tar.xz 18124 BLAKE2B bcbce700676d1d61498ac98281b7ad06f9970d91afa6bfb2c259ab7462b2554be79a1c06759bc7aaeca9948c2f5276bac2c4f42dbc6822669f863444b9913ccd SHA512 1dbb81bcb4cf7e634bb363c7e2bb2590a1fe3fcb6c3b5e377cac3c5241abd116c2a89c516be8e5fd1799ab64375a58052a4df944eeadc87b0b7785da710906d8
+DIST openssl-1.1.1i.tar.gz 9808346 BLAKE2B ca98bab08e1874134da113dd0bda0583c133c7dce5b739f9601641ed2cf97894e5e13d901f0db9367aa5d7b78c552ac598aa0a3c2a3f0a438daae044e29f58d6 SHA512 fe12e0ab9e1688f24dd862ac633d0ab703b499c0f34b53c3560aa0d3879d81d647aa0678ed517dda5efb2711f669fcb1a1e0e24f6eac2efc2cf4eae6b62014d8
diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2
index d16175e..4e88dba 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.2
@@ -104,6 +104,7 @@
powerpc64*) machine=ppc64;;
powerpc*le*) machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
+ riscv64*) machine="generic64 -DL_ENDIAN";;
# sh64*) machine=elf;;
sh*b*) machine="generic32 -DB_ENDIAN";;
sh*) machine="generic32 -DL_ENDIAN";;
diff --git a/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch b/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
deleted file mode 100644
index 1f195d0..0000000
--- a/dev-libs/openssl/files/openssl-1.1.1d-fix-potential-memleaks-w-BN_to_ASN1_INTEGER.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 515c728dbaa92211d2eafb0041ab9fcd258fdc41 Mon Sep 17 00:00:00 2001
-From: Bernd Edlinger <bernd.edlinger@hotmail.de>
-Date: Mon, 9 Sep 2019 19:12:25 +0200
-Subject: [PATCH] Fix potential memory leaks with BN_to_ASN1_INTEGER
-
-Reviewed-by: Paul Dale <paul.dale@oracle.com>
-Reviewed-by: Matt Caswell <matt@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/9833)
-
-(cherry picked from commit f28bc7d386b25fb75625d0c62c6b2e6d21de0d09)
----
- crypto/ec/ec_asn1.c | 7 +++++--
- crypto/x509v3/v3_asid.c | 26 ++++++++++++++++++++------
- 2 files changed, 25 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
-index 1ce1181fc10..7cbf8de9813 100644
---- a/crypto/ec/ec_asn1.c
-+++ b/crypto/ec/ec_asn1.c
-@@ -446,6 +446,7 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
- unsigned char *buffer = NULL;
- const EC_POINT *point = NULL;
- point_conversion_form_t form;
-+ ASN1_INTEGER *orig;
-
- if (params == NULL) {
- if ((ret = ECPARAMETERS_new()) == NULL) {
-@@ -496,8 +497,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
- ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_EC_LIB);
- goto err;
- }
-- ret->order = BN_to_ASN1_INTEGER(tmp, ret->order);
-+ ret->order = BN_to_ASN1_INTEGER(tmp, orig = ret->order);
- if (ret->order == NULL) {
-+ ret->order = orig;
- ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
- goto err;
- }
-@@ -505,8 +507,9 @@ ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
- /* set the cofactor (optional) */
- tmp = EC_GROUP_get0_cofactor(group);
- if (tmp != NULL) {
-- ret->cofactor = BN_to_ASN1_INTEGER(tmp, ret->cofactor);
-+ ret->cofactor = BN_to_ASN1_INTEGER(tmp, orig = ret->cofactor);
- if (ret->cofactor == NULL) {
-+ ret->cofactor = orig;
- ECerr(EC_F_EC_GROUP_GET_ECPARAMETERS, ERR_R_ASN1_LIB);
- goto err;
- }
-diff --git a/crypto/x509v3/v3_asid.c b/crypto/x509v3/v3_asid.c
-index 089f2ae29f0..ef2d64826fb 100644
---- a/crypto/x509v3/v3_asid.c
-+++ b/crypto/x509v3/v3_asid.c
-@@ -256,6 +256,7 @@ static int extract_min_max(ASIdOrRange *aor,
- static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
- {
- ASN1_INTEGER *a_max_plus_one = NULL;
-+ ASN1_INTEGER *orig;
- BIGNUM *bn = NULL;
- int i, ret = 0;
-
-@@ -298,9 +299,15 @@ static int ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice)
- */
- if ((bn == NULL && (bn = BN_new()) == NULL) ||
- ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
-- !BN_add_word(bn, 1) ||
-- (a_max_plus_one =
-- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
-+ !BN_add_word(bn, 1)) {
-+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
-+ ERR_R_MALLOC_FAILURE);
-+ goto done;
-+ }
-+
-+ if ((a_max_plus_one =
-+ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
-+ a_max_plus_one = orig;
- X509V3err(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL,
- ERR_R_MALLOC_FAILURE);
- goto done;
-@@ -351,6 +358,7 @@ int X509v3_asid_is_canonical(ASIdentifiers *asid)
- static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
- {
- ASN1_INTEGER *a_max_plus_one = NULL;
-+ ASN1_INTEGER *orig;
- BIGNUM *bn = NULL;
- int i, ret = 0;
-
-@@ -416,9 +424,15 @@ static int ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
- */
- if ((bn == NULL && (bn = BN_new()) == NULL) ||
- ASN1_INTEGER_to_BN(a_max, bn) == NULL ||
-- !BN_add_word(bn, 1) ||
-- (a_max_plus_one =
-- BN_to_ASN1_INTEGER(bn, a_max_plus_one)) == NULL) {
-+ !BN_add_word(bn, 1)) {
-+ X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
-+ ERR_R_MALLOC_FAILURE);
-+ goto done;
-+ }
-+
-+ if ((a_max_plus_one =
-+ BN_to_ASN1_INTEGER(bn, orig = a_max_plus_one)) == NULL) {
-+ a_max_plus_one = orig;
- X509V3err(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE,
- ERR_R_MALLOC_FAILURE);
- goto done;
diff --git a/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch b/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch
deleted file mode 100644
index 5d2f923..0000000
--- a/dev-libs/openssl/files/openssl-1.1.1d-fix-zlib.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 86ed78676c660b553696cc10c682962522dfeb6c Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tmraz@fedoraproject.org>
-Date: Thu, 12 Sep 2019 12:27:36 +0200
-Subject: [PATCH] BIO_f_zlib: Properly handle BIO_CTRL_PENDING and
- BIO_CTRL_WPENDING calls.
-
-There can be data to write in output buffer and data to read that were
-not yet read in the input stream.
-
-Fixes #9866
-
-Reviewed-by: Richard Levitte <levitte@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/9877)
-
-(cherry picked from commit 6beb8b39ba8e4cb005c1fcd2586ba19e17f04b95)
----
- crypto/comp/c_zlib.c | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c
-index d688deee5f2..7c1be358fd7 100644
---- a/crypto/comp/c_zlib.c
-+++ b/crypto/comp/c_zlib.c
-@@ -598,6 +598,28 @@ static long bio_zlib_ctrl(BIO *b, int cmd, long num, void *ptr)
- BIO_copy_next_retry(b);
- break;
-
-+ case BIO_CTRL_WPENDING:
-+ if (ctx->obuf == NULL)
-+ return 0;
-+
-+ if (ctx->odone) {
-+ ret = ctx->ocount;
-+ } else {
-+ ret = ctx->ocount;
-+ if (ret == 0)
-+ /* Unknown amount pending but we are not finished */
-+ ret = 1;
-+ }
-+ if (ret == 0)
-+ ret = BIO_ctrl(next, cmd, num, ptr);
-+ break;
-+
-+ case BIO_CTRL_PENDING:
-+ ret = ctx->zin.avail_in;
-+ if (ret == 0)
-+ ret = BIO_ctrl(next, cmd, num, ptr);
-+ break;
-+
- default:
- ret = BIO_ctrl(next, cmd, num, ptr);
- break;
diff --git a/dev-libs/openssl/files/openssl-1.1.1g-ARM-assembly-pack.patch b/dev-libs/openssl/files/openssl-1.1.1i-ARM-assembly-pack.patch
similarity index 100%
rename from dev-libs/openssl/files/openssl-1.1.1g-ARM-assembly-pack.patch
rename to dev-libs/openssl/files/openssl-1.1.1i-ARM-assembly-pack.patch
diff --git a/dev-libs/openssl/files/openssl-1.1.1g-blocklist.patch b/dev-libs/openssl/files/openssl-1.1.1i-blocklist.patch
similarity index 100%
rename from dev-libs/openssl/files/openssl-1.1.1g-blocklist.patch
rename to dev-libs/openssl/files/openssl-1.1.1i-blocklist.patch
diff --git a/dev-libs/openssl/files/openssl-1.1.1g-chromium-compatibility.patch b/dev-libs/openssl/files/openssl-1.1.1i-chromium-compatibility.patch
similarity index 100%
rename from dev-libs/openssl/files/openssl-1.1.1g-chromium-compatibility.patch
rename to dev-libs/openssl/files/openssl-1.1.1i-chromium-compatibility.patch
diff --git a/dev-libs/openssl/openssl-1.1.1g-r8.ebuild b/dev-libs/openssl/openssl-1.1.1g-r8.ebuild
deleted file mode 120000
index 01bef85..0000000
--- a/dev-libs/openssl/openssl-1.1.1g-r8.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-openssl-1.1.1g.ebuild
\ No newline at end of file
diff --git a/dev-libs/openssl/openssl-1.1.1i-r1.ebuild b/dev-libs/openssl/openssl-1.1.1i-r1.ebuild
new file mode 120000
index 0000000..66c2daa
--- /dev/null
+++ b/dev-libs/openssl/openssl-1.1.1i-r1.ebuild
@@ -0,0 +1 @@
+openssl-1.1.1i.ebuild
\ No newline at end of file
diff --git a/dev-libs/openssl/openssl-1.1.1g.ebuild b/dev-libs/openssl/openssl-1.1.1i.ebuild
similarity index 98%
rename from dev-libs/openssl/openssl-1.1.1g.ebuild
rename to dev-libs/openssl/openssl-1.1.1i.ebuild
index 3acba98..9e7b70b 100644
--- a/dev-libs/openssl/openssl-1.1.1g.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1i.ebuild
@@ -14,7 +14,7 @@
# - ec_curve.c (SOURCE12) -- MODIFIED
# - ectest.c (SOURCE13)
# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
-BINDIST_PATCH_SET="openssl-1.1.1e-bindist-1.0.tar.xz"
+BINDIST_PATCH_SET="openssl-1.1.1i-bindist-1.0.tar.xz"
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
HOMEPAGE="https://www.openssl.org/"
@@ -217,6 +217,7 @@
enable-camellia \
enable-ec \
$(use_ssl !bindist ec2m) \
+ $(use_ssl !bindist sm2) \
enable-srp \
$(use elibc_musl && echo "no-async") \
${ec_nistp_64_gcc_128} \
