Pullup ticket #6384 - requested by wiz

security/openssl: security fix

Revisions pulled up:
- security/openssl/Makefile                                     1.264-1.266
- security/openssl/PLIST                                        1.7
- security/openssl/distinfo                                     1.146-1.147
- security/openssl/patches/patch-Configurations_10-main.conf    deleted
- security/openssl/patches/patch-crypto_rand_rand__unix.c       deleted

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Wed Sep 30 09:25:31 UTC 2020

   Modified Files:
   	pkgsrc/security/openssl: Makefile PLIST distinfo
   Removed Files:
   	pkgsrc/security/openssl/patches: patch-crypto_rand_rand__unix.c

   Log Message:
   openssl: update to 1.1.1h.

     Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]

         o Disallow explicit curve parameters in verifications chains when
           X509_V_FLAG_X509_STRICT is used
         o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
           contexts
         o Oracle Developer Studio will start reporting deprecation warnings

---
   Module Name:	pkgsrc
   Committed By:	maya
   Date:		Tue Oct 13 07:37:29 UTC 2020

   Modified Files:
   	pkgsrc/security/openssl: Makefile

   Log Message:
   openssl: add -lrt for the benefit of Solaris 10.

   PR pkg/55688
   PR pkg/54958

---
   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Tue Dec  8 18:54:17 UTC 2020

   Modified Files:
   	pkgsrc/security/openssl: Makefile distinfo
   Removed Files:
   	pkgsrc/security/openssl/patches: patch-Configurations_10-main.conf

   Log Message:
   openssl: update to 1.1.1i.

     Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]

         o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)

5 files changed, 14 insertions, 80 deletions

diff --git a/security/openssl/Makefile b/security/openssl/Makefile
index 9a409672421..7808c4b6caf 100644
--- a/security/openssl/Makefile
+++ b/security/openssl/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.263 2020/08/31 18:11:09 wiz Exp $
+# $NetBSD: Makefile,v 1.263.2.1 2020/12/11 08:50:56 bsiegert Exp $
 
-DISTNAME=	openssl-1.1.1g
-PKGREVISION=	3
+DISTNAME=	openssl-1.1.1i
 CATEGORIES=	security
 MASTER_SITES=	https://www.openssl.org/source/
 
@@ -41,6 +40,8 @@ OPENSSL_HOST.SunOS-i386=	solaris-x86-gcc
 OPENSSL_HOST.SunOS-x86_64=	solaris64-x86_64-gcc
 OPENSSL_HOST.Darwin-aarch64=	darwin64-arm64-cc
 
+LDFLAGS.SunOS+=	-lrt
+
 .if defined(OPENSSL_HOST.${OPSYS}-${MACHINE_ARCH})
 CONFIG_SHELL=		${PERL5}
 CONFIGURE_SCRIPT=	./Configure
diff --git a/security/openssl/PLIST b/security/openssl/PLIST
index 9351ebf6957..d47b43ebad9 100644
--- a/security/openssl/PLIST
+++ b/security/openssl/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.6 2020/07/13 11:35:54 jperkin Exp $
+@comment $NetBSD: PLIST,v 1.6.2.1 2020/12/11 08:50:56 bsiegert Exp $
 bin/c_rehash
 bin/openssl
 include/openssl/aes.h
@@ -1028,6 +1028,7 @@ man/man3/EC_GROUP_set_seed.3
 man/man3/EC_KEY_check_key.3
 man/man3/EC_KEY_clear_flags.3
 man/man3/EC_KEY_copy.3
+man/man3/EC_KEY_decoded_from_explicit_params.3
 man/man3/EC_KEY_dup.3
 man/man3/EC_KEY_free.3
 man/man3/EC_KEY_generate_key.3
@@ -3183,6 +3184,7 @@ man/man3/X509V3_EXT_i2d.3
 man/man3/X509V3_add1_i2d.3
 man/man3/X509V3_get_d2i.3
 man/man3/X509_ALGOR_cmp.3
+man/man3/X509_ALGOR_copy.3
 man/man3/X509_ALGOR_dup.3
 man/man3/X509_ALGOR_free.3
 man/man3/X509_ALGOR_get0.3
@@ -3341,6 +3343,8 @@ man/man3/X509_REQ_get_signature_nid.3
 man/man3/X509_REQ_get_subject_name.3
 man/man3/X509_REQ_get_version.3
 man/man3/X509_REQ_new.3
+man/man3/X509_REQ_set0_signature.3
+man/man3/X509_REQ_set1_signature_algo.3
 man/man3/X509_REQ_set_pubkey.3
 man/man3/X509_REQ_set_subject_name.3
 man/man3/X509_REQ_set_version.3
diff --git a/security/openssl/distinfo b/security/openssl/distinfo
index c23136dda2a..e2e751d4e91 100644
--- a/security/openssl/distinfo
+++ b/security/openssl/distinfo
@@ -1,11 +1,9 @@
-$NetBSD: distinfo,v 1.144.2.1 2020/10/03 19:28:58 bsiegert Exp $
+$NetBSD: distinfo,v 1.144.2.2 2020/12/11 08:50:56 bsiegert Exp $
 
-SHA1 (openssl-1.1.1g.tar.gz) = b213a293f2127ec3e323fb3cfc0c9807664fd997
-RMD160 (openssl-1.1.1g.tar.gz) = 427b7b12c06715ad1c95d3ff5e38055c6bb66c1d
-SHA512 (openssl-1.1.1g.tar.gz) = 01e3d0b1bceeed8fb066f542ef5480862001556e0f612e017442330bbd7e5faee228b2de3513d7fc347446b7f217e27de1003dc9d7214d5833b97593f3ec25ab
-Size (openssl-1.1.1g.tar.gz) = 9801502 bytes
-SHA1 (patch-Configurations_10-main.conf) = d27643187e0b71041f47a9a7c7eec811f7539085
+SHA1 (openssl-1.1.1i.tar.gz) = eb684ba4ed31fe2c48062aead75233ecd36882a6
+RMD160 (openssl-1.1.1i.tar.gz) = 95a45fa7c2240dde179e8f8028f998bfa5177cc3
+SHA512 (openssl-1.1.1i.tar.gz) = fe12e0ab9e1688f24dd862ac633d0ab703b499c0f34b53c3560aa0d3879d81d647aa0678ed517dda5efb2711f669fcb1a1e0e24f6eac2efc2cf4eae6b62014d8
+Size (openssl-1.1.1i.tar.gz) = 9808346 bytes
 SHA1 (patch-Configurations_shared-info.pl) = 0e835f6e343b5d05ef9a0e6ef2a195201262d15c
 SHA1 (patch-Configurations_unix-Makefile.tmpl) = cf6b46c6e10e84100beb468bbe6f85c5e62cbe7a
 SHA1 (patch-Configure) = 479f1bc826f7721f6b44d6b5a6cf460432924bf2
-SHA1 (patch-crypto_rand_rand__unix.c) = 9aa1ff0b0ff1db3fcadacf8707596a7db852f956
diff --git a/security/openssl/patches/patch-Configurations_10-main.conf b/security/openssl/patches/patch-Configurations_10-main.conf
deleted file mode 100644
index 053f59b8f1a..00000000000
--- a/security/openssl/patches/patch-Configurations_10-main.conf
+++ /dev/null
@@ -1,22 +0,0 @@
-$NetBSD: patch-Configurations_10-main.conf,v 1.1 2020/07/22 20:41:30 sjmulder Exp $
-
-Add support for Apple Silicon. Imported from open pull request:
-https://github.com/openssl/openssl/pull/12369
-
---- Configurations/10-main.conf.orig	2020-04-21 12:22:39.000000000 +0000
-+++ Configurations/10-main.conf
-@@ -1557,6 +1557,14 @@ my %targets = (
-         bn_ops           => "SIXTY_FOUR_BIT_LONG",
-         perlasm_scheme   => "macosx",
-     },
-+    "darwin64-arm64-cc" => {
-+        inherit_from     => [ "darwin-common", asm("aarch64_asm") ],
-+        CFLAGS           => add("-Wall"),
-+        cflags           => add("-arch arm64"),
-+        lib_cppflags     => add("-DL_ENDIAN"),
-+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
-+        perlasm_scheme   => "ios64",
-+    },
- 
- ##### GNU Hurd
-     "hurd-x86" => {
diff --git a/security/openssl/patches/patch-crypto_rand_rand__unix.c b/security/openssl/patches/patch-crypto_rand_rand__unix.c
deleted file mode 100644
index 5f084c8b396..00000000000
--- a/security/openssl/patches/patch-crypto_rand_rand__unix.c
+++ /dev/null
@@ -1,47 +0,0 @@
-$NetBSD: patch-crypto_rand_rand__unix.c,v 1.1 2020/04/30 11:21:57 nia Exp $
-
-Fix usage of KERN_ARND on NetBSD.
-
-First, actually include the correct headers.
-Second, disable a hack for old FreeBSD versions (just in case it gets used).
-Third, ensure that we don't ever request more than 256 bytes (just in case).
-
---- crypto/rand/rand_unix.c.orig	2020-04-21 12:22:39.000000000 +0000
-+++ crypto/rand/rand_unix.c
-@@ -26,12 +26,12 @@
- #  include <sys/utsname.h>
- # endif
- #endif
--#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
-+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(OPENSSL_SYS_UEFI)
- # include <sys/types.h>
- # include <sys/sysctl.h>
- # include <sys/param.h>
- #endif
--#if defined(__OpenBSD__) || defined(__NetBSD__)
-+#if defined(__OpenBSD__)
- # include <sys/param.h>
- #endif
- 
-@@ -247,10 +247,12 @@ static ssize_t sysctl_random(char *buf, 
-      * when the sysctl returns long and we want to request something not a
-      * multiple of longs, which should never be the case.
-      */
-+#if   defined(__FreeBSD__)
-     if (!ossl_assert(buflen % sizeof(long) == 0)) {
-         errno = EINVAL;
-         return -1;
-     }
-+#endif
- 
-     /*
-      * On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only
-@@ -268,7 +270,7 @@ static ssize_t sysctl_random(char *buf, 
-     mib[1] = KERN_ARND;
- 
-     do {
--        len = buflen;
-+        len = buflen > 256 ? 256 : buflen;
-         if (sysctl(mib, 2, buf, &len, NULL, 0) == -1)
-             return done > 0 ? done : -1;
-         done += len;