dev-libs/openssl: sync

4 files changed, 54 insertions, 30 deletions

diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.4
index 68d7d0a..573a97d 100644
--- a/dev-libs/openssl/files/gentoo.config-1.0.2
+++ b/dev-libs/openssl/files/gentoo.config-1.0.4
@@ -95,17 +95,22 @@ linux)
 	#	hppa64*)      machine=parisc64;;
 		hppa*)        machine="generic32 -DB_ENDIAN";;
 		i[0-9]86*|\
-		x86_64*:x86)  machine=elf;;
+		x86_64*:x86)  machine=x86;;
 		ia64*)        machine=ia64;;
-		m68*)         machine="generic32 -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
+		loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
+		m68*)         machine="latomic -DB_ENDIAN";;
+		mips*el*:o32) machine="mips32 -DL_ENDIAN";;
+		mips*:o32)    machine="mips32 -DB_ENDIAN";;
+		mips*el*:n32) machine="mips64 -DL_ENDIAN";;
+		mips*:n32)    machine="mips64 -DB_ENDIAN";;
+		mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;;
+		mips*:n64)    machine="mips64 -DB_ENDIAN" system=linux64;;
 		powerpc64*le*)machine=ppc64le;;
 		powerpc64*)   machine=ppc64;;
 		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
 		powerpc*)     machine=ppc;;
 		riscv32*)     machine="generic32 -DL_ENDIAN";;
-		riscv64*)     machine="generic64 -DL_ENDIAN";;
+		riscv64*)     machine="riscv64 -DL_ENDIAN" system=linux64;;
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
 		sh*)          machine="generic32 -DL_ENDIAN";;
diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
deleted file mode 100644
index 8fa0387..0000000
--- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001
-From: Gregor Jasny <gjasny@googlemail.com>
-Date: Tue, 5 Jul 2022 12:57:06 +0200
-Subject: [PATCH] Add missing header for memcmp
-
-CLA: trivial
----
- test/v3ext.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/test/v3ext.c b/test/v3ext.c
-index 926f3884b138..a8ab64b2714b 100644
---- a/test/v3ext.c
-+++ b/test/v3ext.c
-@@ -8,6 +8,7 @@
-  */
- 
- #include <stdio.h>
-+#include <string.h>
- #include <openssl/x509.h>
- #include <openssl/x509v3.h>
- #include <openssl/pem.h>
diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
new file mode 100644
index 0000000..079a4f5
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch
@@ -0,0 +1,35 @@
+https://bugs.gentoo.org/885797
+
+https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7
+https://github.com/openssl/openssl/issues/19643
+
+From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001
+From: Pauli <pauli@openssl.org>
+Date: Fri, 11 Nov 2022 09:40:19 +1100
+Subject: [PATCH] x509: fix double locking problem
+
+This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the
+redundant flag setting.
+
+Fixes #19643
+
+Fixes LOW CVE-2022-3996
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/19652)
+
+(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5)
+--- a/crypto/x509/pcy_map.c
++++ b/crypto/x509/pcy_map.c
+@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps)
+ 
+     ret = 1;
+  bad_mapping:
+-    if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) {
+-        x->ex_flags |= EXFLAG_INVALID_POLICY;
+-        CRYPTO_THREAD_unlock(x->lock);
+-    }
+     sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free);
+     return ret;
+ 
diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r3.ebuild
index c388456..fd6e3fc 100644
--- a/dev-libs/openssl/openssl-3.0.7-r1.ebuild
+++ b/dev-libs/openssl/openssl-3.0.7-r3.ebuild
@@ -18,7 +18,8 @@ if [[ ${PV} == 9999 ]] ; then
 else
 	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
 		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+	KEYWORDS="~alpha ~amd64 ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~riscv ~s390 ~sparc ~x86"
 fi
 
 S="${WORKDIR}"/${MY_P}
@@ -51,6 +52,7 @@ MULTILIB_WRAPPED_HEADERS=(
 )
 
 PATCHES=(
+	"${FILESDIR}"/${P}-x509-CVE-2022-3996.patch
 )
 
 pkg_setup() {
@@ -61,6 +63,7 @@ pkg_setup() {
 			CONFIG_CHECK="~TLS ~TLS_DEVICE"
 			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
 			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
 
 			linux-info_pkg_setup
 		fi
@@ -91,7 +94,7 @@ src_unpack() {
 
 src_prepare() {
 	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	cp "${FILESDIR}"/gentoo.config-1.0.4 gentoo.config || die
 	chmod a+rx gentoo.config || die
 
 	# Keep this in sync with app-misc/c_rehash
@@ -157,9 +160,12 @@ src_prepare() {
 			-i Configure || die
 	fi
 
+	local sslout=$(./gentoo.config)
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
 	# The config script does stupid stuff to prompt the user. Kill it.
 	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
+	./config ${sslout} --test-sanity || die "I AM NOT SANE"
 
 	multilib_copy_sources
 }