Date: Tue, 7 Feb 2023 20:20:58 GMT Message-Id: <202302072020.317KKwkw046197@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Bernard Spil Subject: git: 0d5f060a4c42 - 2023Q1 - security/openssl: Security update to 1.1.1t List-Id: Commit messages for all branches of the ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-all@freebsd.org X-BeenThere: dev-commits-ports-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: brnrd X-Git-Repository: ports X-Git-Refname: refs/heads/2023Q1 X-Git-Reftype: branch X-Git-Commit: 0d5f060a4c429c5f4747daee08377b452aa5d933 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch 2023Q1 has been updated by brnrd: URL: https://cgit.FreeBSD.org/ports/commit/?id=0d5f060a4c429c5f4747daee08377b452aa5d933 commit 0d5f060a4c429c5f4747daee08377b452aa5d933 Author: Bernard Spil AuthorDate: 2023-02-07 19:54:35 +0000 Commit: Bernard Spil CommitDate: 2023-02-07 20:19:36 +0000 security/openssl: Security update to 1.1.1t Security: 648a432c-a71f-11ed-86e9-d4c9ef517024 MFH: 2023Q1 (cherry picked from commit bf0a2e5fb12f267f3a43c72762dde9417889099f) --- security/openssl/Makefile | 2 +- security/openssl/distinfo | 6 ++-- security/openssl/files/extra-patch-ktls | 62 ++++++++++++++++++--------------- 3 files changed, 37 insertions(+), 33 deletions(-) diff --git a/security/openssl/Makefile b/security/openssl/Makefile index 51e83c8b3d32..3c48f10211bb 100644 --- a/security/openssl/Makefile +++ b/security/openssl/Makefile @@ -1,5 +1,5 @@ PORTNAME= openssl -PORTVERSION= 1.1.1s +PORTVERSION= 1.1.1t PORTEPOCH= 1 CATEGORIES= security devel MASTER_SITES= https://www.openssl.org/source/ \ diff --git a/security/openssl/distinfo b/security/openssl/distinfo index e8a5cc6a5c33..16117272b3a7 100644 --- a/security/openssl/distinfo +++ b/security/openssl/distinfo 
@@ -1,3 +1,3 @@ -TIMESTAMP = 1667320367 -SHA256 (openssl-1.1.1s.tar.gz) = c5ac01e760ee6ff0dab61d6b2bbd30146724d063eb322180c6f18a6f74e4b6aa -SIZE (openssl-1.1.1s.tar.gz) = 9868981 +TIMESTAMP = 1675796483 +SHA256 (openssl-1.1.1t.tar.gz) = 8dee9b24bdb1dcbf0c3d1e9b02fb8f6bf22165e807f45adeb7c9677536859d3b +SIZE (openssl-1.1.1t.tar.gz) = 9881866 diff --git a/security/openssl/files/extra-patch-ktls b/security/openssl/files/extra-patch-ktls index bdbfc2b5b17f..d38a70e779e3 100644 --- a/security/openssl/files/extra-patch-ktls +++ b/security/openssl/files/extra-patch-ktls @@ -1569,7 +1569,7 @@ diff --git ssl/record/rec_layer_s3.c ssl/record/rec_layer_s3.c index 8249b4ace9..1356bd7b7b 100644 --- ssl/record/rec_layer_s3.c +++ ssl/record/rec_layer_s3.c -@@ -268,11 +268,15 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold, +@@ -281,11 +281,15 @@ return -1; } @@ -1588,7 +1588,7 @@ index 8249b4ace9..1356bd7b7b 100644 if (max < n) max = n; if (max > rb->len - rb->offset) -@@ -422,6 +426,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, size_t len, +@@ -435,6 +439,7 @@ len >= 4 * (max_send_fragment = ssl_get_max_send_fragment(s)) && s->compress == NULL && s->msg_callback == NULL && !SSL_WRITE_ETM(s) && SSL_USE_EXPLICIT_IV(s) && @@ -1596,7 +1596,7 @@ index 8249b4ace9..1356bd7b7b 100644 EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(s->enc_write_ctx)) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) { unsigned char aad[13]; -@@ -751,6 +756,19 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -764,6 +769,19 @@ s->s3->empty_fragment_done = 1; } @@ -1616,7 +1616,7 @@ index 8249b4ace9..1356bd7b7b 100644 if (create_empty_fragment) { wb = &s->rlayer.wbuf[0]; #if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0 -@@ -820,6 +838,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -833,6 +851,8 @@ } } 
@@ -1625,7 +1625,7 @@ index 8249b4ace9..1356bd7b7b 100644 totlen = 0; /* Clear our SSL3_RECORD structures */ memset(wr, 0, sizeof(wr)); -@@ -861,15 +881,19 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -874,15 +894,19 @@ if (s->compress != NULL) maxcomplen += SSL3_RT_MAX_COMPRESSED_OVERHEAD; @@ -1648,7 +1648,7 @@ index 8249b4ace9..1356bd7b7b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; -@@ -895,15 +919,20 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -908,15 +932,20 @@ goto err; } } else { @@ -1674,7 +1674,7 @@ index 8249b4ace9..1356bd7b7b 100644 && s->enc_write_ctx != NULL && (s->statem.enc_write_state != ENC_WRITE_STATE_WRITE_PLAIN_ALERTS || type != SSL3_RT_ALERT)) { -@@ -959,7 +988,7 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -972,7 +1001,7 @@ * in the wb->buf */ @@ -1683,11 +1683,13 @@ index 8249b4ace9..1356bd7b7b 100644 unsigned char *mac; if (!WPACKET_allocate_bytes(thispkt, mac_size, &mac) -@@ -975,24 +1004,26 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, - * This will be at most one cipher block or the tag length if using - * AEAD. SSL_RT_MAX_CIPHER_BLOCK_SIZE covers either case. - */ -- if (!WPACKET_reserve_bytes(thispkt, SSL_RT_MAX_CIPHER_BLOCK_SIZE, +@@ -989,26 +1018,27 @@ + * max encrypted overhead does not need to include an allocation for that + * MAC + */ +- if (!WPACKET_reserve_bytes(thispkt, +- SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD +- - mac_size, - NULL) - /* - * We also need next the amount of bytes written to this @@ -1695,7 +1697,8 @@ index 8249b4ace9..1356bd7b7b 100644 - */ + if (!BIO_get_ktls_send(s->wbio)) { + if (!WPACKET_reserve_bytes(thispkt, -+ SSL_RT_MAX_CIPHER_BLOCK_SIZE, ++ SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD ++ - mac_size, + NULL) + /* + * We also need next the amount of bytes written to this 
@@ -1705,25 +1708,25 @@ index 8249b4ace9..1356bd7b7b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; +- } + } -+ -+ /* Get a pointer to the start of this record excluding header */ -+ recordstart = WPACKET_get_curr(thispkt) - len; -+ SSL3_RECORD_set_data(thiswr, recordstart); -+ SSL3_RECORD_reset_input(thiswr); -+ SSL3_RECORD_set_length(thiswr, len); - } -- + - /* Get a pointer to the start of this record excluding header */ - recordstart = WPACKET_get_curr(thispkt) - len; - - SSL3_RECORD_set_data(thiswr, recordstart); - SSL3_RECORD_reset_input(thiswr); - SSL3_RECORD_set_length(thiswr, len); ++ /* Get a pointer to the start of this record excluding header */ ++ recordstart = WPACKET_get_curr(thispkt) - len; ++ SSL3_RECORD_set_data(thiswr, recordstart); ++ SSL3_RECORD_reset_input(thiswr); ++ SSL3_RECORD_set_length(thiswr, len); ++ } } if (s->statem.enc_write_state == ENC_WRITE_STATE_WRITE_PLAIN_ALERTS) { -@@ -1008,12 +1039,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1024,12 +1054,14 @@ goto err; } } else { @@ -1743,16 +1746,17 @@ index 8249b4ace9..1356bd7b7b 100644 } } -@@ -1023,13 +1056,17 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1039,6 +1071,9 @@ thispkt = &pkt[j]; thiswr = &wr[j]; -+ if (BIO_get_ktls_send(s->wbio)) ++ if (BIO_get_ktls_send(s->wbio)) + goto mac_done; + /* Allocate bytes for the encryption overhead */ if (!WPACKET_get_length(thispkt, &origlen) - /* Encryption should never shrink the data! */ + /* Check we allowed enough room for the encryption growth */ +@@ -1048,7 +1083,8 @@ || origlen > thiswr->length || (thiswr->length > origlen && !WPACKET_allocate_bytes(thispkt, @@ -1762,7 +1766,7 @@ index 8249b4ace9..1356bd7b7b 100644 SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_SSL3_WRITE, ERR_R_INTERNAL_ERROR); goto err; -@@ -1074,13 +1111,8 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1093,13 +1129,8 @@ goto err; } 
@@ -1778,7 +1782,7 @@ index 8249b4ace9..1356bd7b7b 100644 if (create_empty_fragment) { /* -@@ -1097,6 +1129,14 @@ int do_ssl3_write(SSL *s, int type, const unsigned char *buf, +@@ -1116,6 +1147,14 @@ return 1; } @@ -1793,7 +1797,7 @@ index 8249b4ace9..1356bd7b7b 100644 /* now let's set up wb */ SSL3_BUFFER_set_left(&s->rlayer.wbuf[j], prefix_len + SSL3_RECORD_get_length(thiswr)); -@@ -1150,6 +1190,17 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, +@@ -1169,6 +1208,17 @@ clear_sys_error(); if (s->wbio != NULL) { s->rwstate = SSL_WRITING; @@ -1811,7 +1815,7 @@ index 8249b4ace9..1356bd7b7b 100644 /* TODO(size_t): Convert this call */ i = BIO_write(s->wbio, (char *) &(SSL3_BUFFER_get_buf(&wb[currbuf]) -@@ -1162,7 +1213,15 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, size_t len, +@@ -1181,7 +1231,15 @@ SSL_R_BIO_NOT_SET); i = -1; }
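Review bot: In security/openssl/distinfo the new `SHA256 (openssl-1.1.1t.tar.gz)` and `SIZE` values are the only integrity pin for the tarball fetched from MASTER_SITES, and nothing in the commit says how they were obtained. Please confirm the digest against the checksum or signature that upstream publishes for the release, not only against a locally fetched copy (a `make makesum` run records whatever was downloaded), and note that in the commit message.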
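Review bot: The refreshed hunk headers in security/openssl/files/extra-patch-ktls lose their function context, starting with the first one for ssl/record/rec_layer_s3.c, where `@@ -268,11 +268,15 @@ int ssl3_read_n(SSL *s, size_t n, size_t max, int extend, int clearold,` becomes a bare `@@ -281,11 +281,15 @@`. For a locally carried patch to the record layer that has to be re-reviewed at every security update, please regenerate it with function context (`diff -p`) so each hunk still shows whether it lands in ssl3_read_n, ssl3_write_bytes, do_ssl3_write or ssl3_write_pending.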
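Review bot: The commit does not say that the port was built and exercised with extra-patch-ktls applied, and the `@@ -989,26 +1018,27 @@` hunk changes more than offsets: inside `if (!BIO_get_ktls_send(s->wbio))` the size passed to WPACKET_reserve_bytes is now `SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD - mac_size` where the previous patch had `SSL_RT_MAX_CIPHER_BLOCK_SIZE`. Since this is the do_ssl3_write path (per the old hunk header), please state in the commit message that a build with the patch applied was done and that both the KTLS and non-KTLS send paths were tested against 1.1.1t.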