mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-28 17:11:34 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2435 from flatcar/dongsu/openssl-3.0.8

Browse Source 
dev-libs/openssl: update to 3.0.8
This commit is contained in:
Dongsu Park 2023-02-13 14:30:08 +01:00 committed by GitHub
commit 00f252c52b
5 changed files with 40 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
sdk_container/src/third_party/coreos-overlay/changelog/security/2023-02-08-openssl-3.0.8.md vendored Normal file
View File

@ -0,0 +1 @@
- OpenSSL ([CVE-2022-4203](https://nvd.nist.gov/vuln/detail/CVE-2022-4203), [CVE-2022-4304](https://nvd.nist.gov/vuln/detail/CVE-2022-4304), [CVE-2022-4450](https://nvd.nist.gov/vuln/detail/CVE-2022-4450), [CVE-2023-0215](https://nvd.nist.gov/vuln/detail/CVE-2023-0215), [CVE-2023-0216](https://nvd.nist.gov/vuln/detail/CVE-2023-0216), [CVE-2023-0217](https://nvd.nist.gov/vuln/detail/CVE-2023-0217), [CVE-2023-0286](https://nvd.nist.gov/vuln/detail/CVE-2023-0286), [CVE-2023-0401](https://nvd.nist.gov/vuln/detail/CVE-2023-0401))

1
sdk_container/src/third_party/coreos-overlay/changelog/updates/2023-02-08-openssl-3.0.8.md vendored Normal file
View File

@ -0,0 +1 @@
- OpenSSL ([3.0.8](https://github.com/openssl/openssl/blob/openssl-3.0.8/NEWS.md#major-changes-between-openssl-307-and-openssl-308-7-feb-2023))

4
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest vendored
View File

@ -1,2 +1,2 @@
DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424 DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1 DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6

16
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 → sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4 vendored
View File

@ -95,18 +95,22 @@ linux)
# hppa64*) machine=parisc64;; # hppa64*) machine=parisc64;;
hppa*) machine="generic32 -DB_ENDIAN";; hppa*) machine="generic32 -DB_ENDIAN";;
i[0-9]86*|\ i[0-9]86*|\
x86_64*:x86) machine=elf;; x86_64*:x86) machine=x86;;
ia64*) machine=ia64;; ia64*) machine=ia64;;
loongarch64*) machine="generic64 -DL_ENDIAN";; loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
m68*) machine="generic32 -DB_ENDIAN";; m68*) machine="latomic -DB_ENDIAN";;
mips*el*) machine="generic32 -DL_ENDIAN";; mips*el*:o32) machine="mips32 -DL_ENDIAN";;
mips*) machine="generic32 -DB_ENDIAN";; mips*:o32) machine="mips32 -DB_ENDIAN";;
mips*el*:n32) machine="mips64 -DL_ENDIAN";;
mips*:n32) machine="mips64 -DB_ENDIAN";;
mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;;
mips*:n64) machine="mips64 -DB_ENDIAN" system=linux64;;
powerpc64*le*)machine=ppc64le;; powerpc64*le*)machine=ppc64le;;
powerpc64*) machine=ppc64;; powerpc64*) machine=ppc64;;
powerpc*le*) machine="generic32 -DL_ENDIAN";; powerpc*le*) machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;; powerpc*) machine=ppc;;
riscv32*) machine="generic32 -DL_ENDIAN";; riscv32*) machine="generic32 -DL_ENDIAN";;
riscv64*) machine="generic64 -DL_ENDIAN";; riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;;
# sh64*) machine=elf;; # sh64*) machine=elf;;
sh*b*) machine="generic32 -DB_ENDIAN";; sh*b*) machine="generic32 -DB_ENDIAN";;
sh*) machine="generic32 -DL_ENDIAN";; sh*) machine="generic32 -DL_ENDIAN";;

125
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild → sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.8.ebuild vendored
View File

@ -1,7 +1,7 @@
# Copyright 1999-2022 Gentoo Authors # Copyright 1999-2023 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI=7 EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
TMPFILES_OPTIONAL=1 TMPFILES_OPTIONAL=1
@ -19,7 +19,8 @@ if [[ ${PV} == 9999 ]] ; then
else else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi fi
S="${WORKDIR}"/${MY_P} S="${WORKDIR}"/${MY_P}
@ -29,6 +30,9 @@ SLOT="0/3" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )" RESTRICT="!test? ( test )"
# Flatcar: Gentoo dropped dependency on c_rehash, a required tool for
# generating certs, and does not provide a built-in tool either.
# Continue shipping it.
COMMON_DEPEND=" COMMON_DEPEND="
>=app-misc/c_rehash-1.7-r1 >=app-misc/c_rehash-1.7-r1
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
@ -41,7 +45,7 @@ BDEPEND="
sys-devel/bc sys-devel/bc
sys-process/procps sys-process/procps
) )
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )" verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
DEPEND="${COMMON_DEPEND}" DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}" RDEPEND="${COMMON_DEPEND}"
@ -51,9 +55,6 @@ MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h /usr/include/openssl/configuration.h
) )
PATCHES=(
)
pkg_setup() { pkg_setup() {
if use ktls ; then if use ktls ; then
if kernel_is -lt 4 18 ; then if kernel_is -lt 4 18 ; then
@ -62,6 +63,7 @@ pkg_setup() {
CONFIG_CHECK="~TLS ~TLS_DEVICE" CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup linux-info_pkg_setup
fi fi
@ -92,7 +94,7 @@ src_unpack() {
src_prepare() { src_prepare() {
# Allow openssl to be cross-compiled # Allow openssl to be cross-compiled
cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die cp "${FILESDIR}"/gentoo.config-1.0.4 gentoo.config || die
chmod a+rx gentoo.config || die chmod a+rx gentoo.config || die
# Keep this in sync with app-misc/c_rehash # Keep this in sync with app-misc/c_rehash
@ -115,19 +117,6 @@ src_prepare() {
rm test/recipes/80-test_ssl_new.t || die rm test/recipes/80-test_ssl_new.t || die
fi fi
# - Make sure the man pages are suffixed (bug #302165)
# - Don't bother building man pages if they're disabled
# - Make DOCDIR Gentoo compliant
sed -i \
-e '/^MANSUFFIX/s:=.*:=ssl:' \
-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-e $(has noman FEATURES \
&& echo '/^install:/s:install_docs::' \
|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
Configurations/unix-Makefile.tmpl \
|| die
# Quiet out unknown driver argument warnings since openssl # Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse # doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again) # and 'make depend' uses -Werror for added fun (bug #417795 again)
@ -146,21 +135,9 @@ src_prepare() {
append-flags $(test-flags-CC -Wa,--noexecstack) append-flags $(test-flags-CC -Wa,--noexecstack)
# Prefixify Configure shebang (bug #141906) local sslout=$(./gentoo.config)
sed \ einfo "Using configuration: ${sslout:-(openssl knows best)}"
-e "1s,/usr/bin/env,${BROOT}&," \ edo perl Configure ${sslout} --test-sanity
-i Configure || die
# Remove test target when FEATURES=test isn't set
if ! use test ; then
sed \
-e '/^$config{dirs}/s@ "test",@@' \
-i Configure || die
fi
# The config script does stupid stuff to prompt the user. Kill it.
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
./config --test-sanity || die "I AM NOT SANE"
multilib_copy_sources multilib_copy_sources
} }
@ -193,8 +170,6 @@ multilib_src_configure() {
local sslout=$(./gentoo.config) local sslout=$(./gentoo.config)
einfo "Using configuration: ${sslout:-(openssl knows best)}" einfo "Using configuration: ${sslout:-(openssl knows best)}"
local config="Configure"
[[ -z ${sslout} ]] && config="config"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=( local myeconfargs=(
@ -227,36 +202,15 @@ multilib_src_configure() {
threads threads
) )
CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}" edo perl Configure "${myeconfargs[@]}"
# Clean out hardcoded flags that openssl uses
local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-e 's:^CFLAGS=::' \
-e 's:\(^\| \)-fomit-frame-pointer::g' \
-e 's:\(^\| \)-O[^ ]*::g' \
-e 's:\(^\| \)-march=[^ ]*::g' \
-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-e 's:\(^\| \)-m[^ ]*::g' \
-e 's:^ *::' \
-e 's: *$::' \
-e 's: \+: :g' \
-e 's:\\:\\\\:g'
)
# Now insert clean default flags with user flags
sed -i \
-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
Makefile \
|| die
} }
multilib_src_compile() { multilib_src_compile() {
# depend is needed to use $confopts; it also doesn't matter emake build_sw
# that it's -j1 as the code itself serializes subdirs
emake -j1 depend
emake all if multilib_is_native_abi; then
emake build_docs
fi
} }
multilib_src_test() { multilib_src_test() {
@ -266,10 +220,15 @@ multilib_src_test() {
} }
multilib_src_install() { multilib_src_install() {
# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130) emake DESTDIR="${D}" install_sw
dodir /usr if use fips; then
emake DESTDIR="${D}" install_fips
fi
emake DESTDIR="${D}" install if multilib_is_native_abi; then
emake DESTDIR="${D}" install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
fi
# This is crappy in that the static archives are still built even # This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl # when USE=static-libs. But this is due to a failing in the openssl
@ -288,38 +247,6 @@ multilib_src_install_all() {
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Namespace openssl programs to prevent conflicts with other man pages
cd "${ED}"/usr/share/man || die
local m d s
for m in $(find . -type f | xargs grep -L '#include') ; do
d=${m%/*}
d=${d#./}
m=${m##*/}
[[ ${m} == openssl.1* ]] && continue
[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
mv ${d}/{,ssl-}${m} || die
# Fix up references to renamed man pages
sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
ln -s ssl-${m} ${d}/openssl-${m} || die
# Locate any symlinks that point to this man page
# We assume that any broken links are due to the above renaming
for s in $(find -L ${d} -type l) ; do
s=${s##*/}
rm -f ${d}/${s}
# We don't want to "|| die" here
ln -s ssl-${m} ${d}/ssl-${s}
ln -s ssl-${s} ${d}/openssl-${s}
done
done
[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
# bug #254521 # bug #254521
dodir /etc/sandbox.d dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl