2 files changed, 9 insertions, 267 deletions

diff --git a/main/openssl/0001-Use-secure_getenv-3-when-available.patch b/main/openssl/0001-Use-secure_getenv-3-when-available.patch
deleted file mode 100644
index 778a09278f..0000000000
--- a/main/openssl/0001-Use-secure_getenv-3-when-available.patch
+++ /dev/null
@@ -1,260 +0,0 @@
-From 79c2c741303ed188214b9299a51c837635f7e9a8 Mon Sep 17 00:00:00 2001
-From: Pauli <paul.dale@oracle.com>
-Date: Mon, 24 Sep 2018 11:21:18 +1000
-Subject: [PATCH] Use secure_getenv(3) when available.
-
-Change all calls to getenv() inside libcrypto to use a new wrapper function
-that use secure_getenv() if available and an issetugid then getenv if not.
-
-CPU processor override flags are unchanged.
-
-Extra checks for OPENSSL_issetugid() have been removed in favour of the
-safe getenv.
-
-Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
-(Merged from https://github.com/openssl/openssl/pull/7047)
-
-(cherry picked from commit 5c39a55d04ea6e6f734b627a050b9e702788d50d)
----
- crypto/build.info           |  2 +-
- crypto/conf/conf_api.c      |  5 +++--
- crypto/conf/conf_mod.c      |  7 ++-----
- crypto/ct/ct_log.c          |  2 +-
- crypto/engine/eng_list.c    |  3 +--
- crypto/getenv.c             | 31 +++++++++++++++++++++++++++++++
- crypto/pkcs12/p12_mutl.c    | 18 +++++++++---------
- crypto/rand/randfile.c      |  6 ++----
- crypto/x509/by_dir.c        |  2 +-
- crypto/x509/by_file.c       |  2 +-
- include/internal/cryptlib.h |  2 ++
- 11 files changed, 54 insertions(+), 26 deletions(-)
- create mode 100644 crypto/getenv.c
-
-diff --git a/crypto/build.info b/crypto/build.info
-index b515b7318e..2c619c62e8 100644
---- a/crypto/build.info
-+++ b/crypto/build.info
-@@ -2,7 +2,7 @@ LIBS=../libcrypto
- SOURCE[../libcrypto]=\
-         cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c cpt_err.c \
-         ebcdic.c uid.c o_time.c o_str.c o_dir.c o_fopen.c ctype.c \
--        threads_pthread.c threads_win.c threads_none.c \
-+        threads_pthread.c threads_win.c threads_none.c getenv.c \
-         o_init.c o_fips.c mem_sec.c init.c {- $target{cpuid_asm_src} -} \
-         {- $target{uplink_aux_src} -}
- EXTRA=  ../ms/uplink-x86.pl ../ms/uplink.c ../ms/applink.c \
-diff --git a/crypto/conf/conf_api.c b/crypto/conf/conf_api.c
-index 72fe2da1ad..5e57d749ce 100644
---- a/crypto/conf/conf_api.c
-+++ b/crypto/conf/conf_api.c
-@@ -10,6 +10,7 @@
- /* Part of the code in here was originally in conf.c, which is now removed */
- 
- #include "e_os.h"
-+#include "internal/cryptlib.h"
- #include <stdlib.h>
- #include <string.h>
- #include <openssl/conf.h>
-@@ -82,7 +83,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
-             if (v != NULL)
-                 return v->value;
-             if (strcmp(section, "ENV") == 0) {
--                p = getenv(name);
-+                p = ossl_safe_getenv(name);
-                 if (p != NULL)
-                     return p;
-             }
-@@ -95,7 +96,7 @@ char *_CONF_get_string(const CONF *conf, const char *section,
-         else
-             return NULL;
-     } else
--        return getenv(name);
-+        return ossl_safe_getenv(name);
- }
- 
- static unsigned long conf_value_hash(const CONF_VALUE *v)
-diff --git a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
-index df53609cc4..51f262e774 100644
---- a/crypto/conf/conf_mod.c
-+++ b/crypto/conf/conf_mod.c
-@@ -480,11 +480,8 @@ char *CONF_get1_default_config_file(void)
-     char *file, *sep = "";
-     int len;
- 
--    if (!OPENSSL_issetugid()) {
--        file = getenv("OPENSSL_CONF");
--        if (file)
--            return OPENSSL_strdup(file);
--    }
-+    if ((file = ossl_safe_getenv("OPENSSL_CONF")) != NULL)
-+        return OPENSSL_strdup(file);
- 
-     len = strlen(X509_get_default_cert_area());
- #ifndef OPENSSL_SYS_VMS
-diff --git a/crypto/ct/ct_log.c b/crypto/ct/ct_log.c
-index be6681dca7..c1bca3e141 100644
---- a/crypto/ct/ct_log.c
-+++ b/crypto/ct/ct_log.c
-@@ -137,7 +137,7 @@ static int ctlog_new_from_conf(CTLOG **ct_log, const CONF *conf, const char *sec
- 
- int CTLOG_STORE_load_default_file(CTLOG_STORE *store)
- {
--    const char *fpath = getenv(CTLOG_FILE_EVP);
-+    const char *fpath = ossl_safe_getenv(CTLOG_FILE_EVP);
- 
-     if (fpath == NULL)
-       fpath = CTLOG_FILE;
-diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
-index 4bc7ea173c..45c339c541 100644
---- a/crypto/engine/eng_list.c
-+++ b/crypto/engine/eng_list.c
-@@ -317,8 +317,7 @@ ENGINE *ENGINE_by_id(const char *id)
-      * Prevent infinite recursion if we're looking for the dynamic engine.
-      */
-     if (strcmp(id, "dynamic")) {
--        if (OPENSSL_issetugid()
--                || (load_dir = getenv("OPENSSL_ENGINES")) == NULL)
-+        if ((load_dir = ossl_safe_getenv("OPENSSL_ENGINES")) == NULL)
-             load_dir = ENGINESDIR;
-         iterator = ENGINE_by_id("dynamic");
-         if (!iterator || !ENGINE_ctrl_cmd_string(iterator, "ID", id, 0) ||
-diff --git a/crypto/getenv.c b/crypto/getenv.c
-new file mode 100644
-index 0000000000..7e98b645b0
---- /dev/null
-+++ b/crypto/getenv.c
-@@ -0,0 +1,31 @@
-+/*
-+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the OpenSSL license (the "License").  You may not use
-+ * this file except in compliance with the License.  You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+#ifndef _GNU_SOURCE
-+# define _GNU_SOURCE
-+#endif
-+
-+#include <stdlib.h>
-+#include "internal/cryptlib.h"
-+
-+char *ossl_safe_getenv(const char *name)
-+{
-+#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
-+# if __GLIBC_PREREQ(2, 17)
-+#  define SECURE_GETENV
-+    return secure_getenv(name);
-+# endif
-+#endif
-+
-+#ifndef SECURE_GETENV
-+    if (OPENSSL_issetugid())
-+        return NULL;
-+    return getenv(name);
-+#endif
-+}
-diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c
-index 88d1d66324..0cbbed364a 100644
---- a/crypto/pkcs12/p12_mutl.c
-+++ b/crypto/pkcs12/p12_mutl.c
-@@ -7,13 +7,13 @@
-  * https://www.openssl.org/source/license.html
-  */
- 
--# include <stdio.h>
--# include "internal/cryptlib.h"
--# include <openssl/crypto.h>
--# include <openssl/hmac.h>
--# include <openssl/rand.h>
--# include <openssl/pkcs12.h>
--# include "p12_lcl.h"
-+#include <stdio.h>
-+#include "internal/cryptlib.h"
-+#include <openssl/crypto.h>
-+#include <openssl/hmac.h>
-+#include <openssl/rand.h>
-+#include <openssl/pkcs12.h>
-+#include "p12_lcl.h"
- 
- int PKCS12_mac_present(const PKCS12 *p12)
- {
-@@ -44,7 +44,7 @@ void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
-     }
- }
- 
--# define TK26_MAC_KEY_LEN 32
-+#define TK26_MAC_KEY_LEN 32
- 
- static int pkcs12_gen_gost_mac_key(const char *pass, int passlen,
-                                    const unsigned char *salt, int saltlen,
-@@ -112,7 +112,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen,
-     if ((md_type_nid == NID_id_GostR3411_94
-          || md_type_nid == NID_id_GostR3411_2012_256
-          || md_type_nid == NID_id_GostR3411_2012_512)
--        && !getenv("LEGACY_GOST_PKCS12")) {
-+        && ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) {
-         md_size = TK26_MAC_KEY_LEN;
-         if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter,
-                                      md_size, key, md_type)) {
-diff --git a/crypto/rand/randfile.c b/crypto/rand/randfile.c
-index c652ddcf1e..89720eb5cf 100644
---- a/crypto/rand/randfile.c
-+++ b/crypto/rand/randfile.c
-@@ -262,11 +262,9 @@ const char *RAND_file_name(char *buf, size_t size)
-         }
-     }
- #else
--    if (OPENSSL_issetugid() != 0) {
-+    if ((s = ossl_safe_getenv("RANDFILE")) == NULL || *s == '\0') {
-         use_randfile = 0;
--    } else if ((s = getenv("RANDFILE")) == NULL || *s == '\0') {
--        use_randfile = 0;
--        s = getenv("HOME");
-+        s = ossl_safe_getenv("HOME");
-     }
- #endif
- 
-diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
-index 11ac52ce3c..b3760dbadf 100644
---- a/crypto/x509/by_dir.c
-+++ b/crypto/x509/by_dir.c
-@@ -73,7 +73,7 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
-     switch (cmd) {
-     case X509_L_ADD_DIR:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            const char *dir = getenv(X509_get_default_cert_dir_env());
-+            const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
- 
-             if (dir)
-                 ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
-index 78d7fbdf44..244512c935 100644
---- a/crypto/x509/by_file.c
-+++ b/crypto/x509/by_file.c
-@@ -46,7 +46,7 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
-     switch (cmd) {
-     case X509_L_FILE_LOAD:
-         if (argl == X509_FILETYPE_DEFAULT) {
--            file = getenv(X509_get_default_cert_file_env());
-+            file = ossl_safe_getenv(X509_get_default_cert_file_env());
-             if (file)
-                 ok = (X509_load_cert_crl_file(ctx, file,
-                                               X509_FILETYPE_PEM) != 0);
-diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
-index a608735187..329ef62014 100644
---- a/include/internal/cryptlib.h
-+++ b/include/internal/cryptlib.h
-@@ -81,6 +81,8 @@ void OPENSSL_showfatal(const char *fmta, ...);
- void crypto_cleanup_all_ex_data_int(void);
- int openssl_init_fork_handlers(void);
- 
-+char *ossl_safe_getenv(const char *name);
-+
- extern CRYPTO_RWLOCK *memdbg_lock;
- int openssl_strerror_r(int errnum, char *buf, size_t buflen);
- # if !defined(OPENSSL_NO_STDIO)
--- 
-2.19.1
-
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index ec18c5b806..57af4f3c88 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,8 +1,8 @@
 # Maintainer: Timo Teras <timo.teras@iki.fi>
 pkgname=openssl
-pkgver=1.1.1
+pkgver=1.1.1a
 _abiver=${pkgver%.*}
-pkgrel=5
+pkgrel=0
 pkgdesc="Toolkit for Transport Layer Security (TLS)"
 url="https://www.openssl.org"
 arch="all"
@@ -12,15 +12,18 @@ makedepends_build="perl"
 makedepends_host="linux-headers"
 makedepends="$makedepends_host $makedepends_build"
 subpackages="$pkgname-dbg $pkgname-dev $pkgname-doc libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
-source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
-	0001-Use-secure_getenv-3-when-available.patch
-	"
+source="https://www.openssl.org/source/openssl-$pkgver.tar.gz"
 case "$CARCH" in
 s390x) options="$options !check";; # FIXME: test hangs
 esac
 
 builddir="$srcdir/openssl-$pkgver"
 
+# secfixes:
+#   1.1.a-r0:
+#     - CVE-2018-0734
+#     - CVE-2018-0735
+
 build() {
 	local _target _optflags
 	cd "$builddir"
@@ -95,5 +98,4 @@ _libssl() {
 	done
 }
 
-sha512sums="c0284a4fe84bdf765ca5bc5148da4441ffc36392cfecaf9d372af00cf93b6de5681cab1248b6f8246474532155dc205da5ad49549ad7c61c07c917145e7c9c71  openssl-1.1.1.tar.gz
-a4c809c23322fd1f8c40da9ce0c0ed6e1c58e47284087b6994322a7db70bbb2dc1ebed738b69dbebeed1eb6d0afccee12c48df78d0b7aa3f527b0007b624663d  0001-Use-secure_getenv-3-when-available.patch"
+sha512sums="1523985ba90f38aa91aa6c2d57652f4e243cb2a095ce6336bf34b39b5a9b5b876804299a6825c758b65990e57948da532cca761aa12b10958c97478d04dd6d34  openssl-1.1.1a.tar.gz"