mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-09-28 09:01:55 +02:00
Code Issues Packages Projects Releases Wiki Activity

dev-libs/openssl: Apply Flatcar modifications

Browse Source 
- drop `pkg_postint`
- create `/etc/ssl` with tmpfiles
- continue shipping app-misc/c_rehash
- mark as stable
- drop non-used files

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
This commit is contained in:
Mathieu Tortuyaux 2024-12-02 15:15:36 +01:00
parent 19323ecffa
commit 4bb0257db6
No known key found for this signature in database
GPG Key ID: AC5CCFB52545D9B8
24 changed files with 21 additions and 4162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest vendored
View File

@ -1,17 +1,2 @@
DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
DIST openssl-1.1.1w.tar.gz 9893384 BLAKE2B 2fdba6ca0188928ab2f74e606136afca66cfa0467170fa6298ef160b64ac6fdcad1e81e5dd14013ce0e9921d0f7417edec531cd0beaf1196fec704c2c6d48395 SHA512 b4c625fe56a4e690b57b6a011a225ad0cb3af54bd8fb67af77b5eceac55cc7191291d96a660c5b568a08a2fbf62b4612818e7cca1bb95b2b6b4fc649b0552b6d
DIST openssl-1.1.1w.tar.gz.asc 833 BLAKE2B d990be69ed913509d52b78e7473668429d4485adb29ef03e4612dd0cadbac4f04c7289d8e5baf6f397bcedeaac9f802f18fc719964d882ae0514ed1ca16ae277 SHA512 0f3d7aa48b1cabf8dd43e8108aeed10a4dffb4f5a244d4da9c86ea358b0c8b90c46da561d21e01c567c2f5035d824ed82ec104aad1776b7f33a1be85990e98ef
DIST openssl-3.0.13.tar.gz 15294843 BLAKE2B 869aa5f70a8c1d0cac6027e9261530df70ab5a8b448c785f5f8ff3f206e742c5364424132d0e109a6449af9b4082c4c179c7103dccb16a4539f776ca834c8ccc SHA512 22f4096781f0b075f5bf81bd39a0f97e111760dfa73b6f858f6bb54968a7847944d74969ae10f9a51cc21a2f4af20d9a4c463649dc824f5e439e196d6764c4f9
DIST openssl-3.0.13.tar.gz.asc 833 BLAKE2B 519515b6faa505d68ff9acc30db9515fac494145086fa5ad9561c39385a6fabb39ad9de10fedd49c8fc716ec59ea1b13ec5e6b466e549ea9f29b8d0bb74ba7b3 SHA512 c52d97c93d16f3ca2a7026fb25890482b6d86c37b5ab686c56b0e08522743ec4ea3f84afa4deb64b0df0d9a16b557430c4d4139ab42ffcf97d769b61d1e6197c
DIST openssl-3.0.14.tar.gz 15305497 BLAKE2B 7426aea63d5495775c4a0440658cc9c46c4aa31c31473cd5519c2b1ca158e122634e0bbc275237d3eb124fc8bed3d58808d8ac1d228f24f7281d2630ff7813e0 SHA512 1c59c01e60da902a20780d71f1fa5055d4037f38c4bc3fb27ed5b91f211b36a6018055409441ad4df58b5e9232b2528240d02067272c3c9ccb8c221449ca9ac0
DIST openssl-3.0.14.tar.gz.asc 833 BLAKE2B 8a700452f6f698fbfa206469888fd72706f1798be212e712fd8a4c1ae87f0d98d54820974c64a3db3b5ac69d7beda665f462e83182337391212c0e72e1feb72e SHA512 003d17a2b71176517f5bfba6699c18b271111e5fec3effc275b965286140d1281fa6f5f5e6bcf63feca89dfa035ab776bda8d2af4b71ae921ca9e7a936581fb4
DIST openssl-3.0.15.tar.gz 15318633 BLAKE2B f2900d0894b97e86c709079ca4336d5dc508d69e91d3a4de4420c8d9344cb54dada6ea2cdd408166e53db0c652b06654e670701166b67a0a40578676e1cea535 SHA512 acd80f2f7924d90c1416946a5c61eff461926ad60f4821bb6b08845ea18f8452fd5e88a2c2c5bd0d7590a792cb8341a3f3be042fd0a5b6c9c1b84a497c347bbf
DIST openssl-3.0.15.tar.gz.asc 833 BLAKE2B 43088d6ae9e95aec8cfa08c0d338d76c2299ee89a1719a39c497b25c83a4c0c2d155fa00a62b47e15a7f2889680197741390c850d62a84ec5ce27ed1bbddcd28 SHA512 8b9471074130fd26b511820a1c2586792fd0105421515734c213ae18de27b5b026261e64d4cb8f5e7b568d1f4193484ebe0e99eda9d99df72474310a568ca3bf
DIST openssl-3.1.7.tar.gz 15684836 BLAKE2B 1332f4b2454b6c9bf3ff2099aa343d6202bec98c6e44fba6377d5bb8efd9bf337df3a95549d874a2908f376056f6f333e6f65cbec7e27377d1ab8cbefddaa241 SHA512 bb4743c1a95148901d2d2bc51460c14cea3387c7dda9323524adbdb11334562f72aa3a873913c51ea1ffce606e675e22a74f78b3119b6a956da3f75c942cd0e2
DIST openssl-3.1.7.tar.gz.asc 833 BLAKE2B 17220aa3274a5eda3df8c04f60f87a48fcf5c773167e746bf3f9feb6cc3c03b024a2e83b1c93122b6baa073b12417e2910230f270287be7b7f2c5300814b7fda SHA512 89b6f4b913aac8b2519aac586ba0c70a3df331eb70ea79c2aa45355bfd9430ba1af3c8ea0d31b171f55036a8cc332207787cabf58da871f400d666a5ae09ce2a
DIST openssl-3.2.3.tar.gz 17762604 BLAKE2B 1445336aa92d0fd9df266ad570fe2bf5701279e462dd3fccd4cf662f328bfee923dc6c72c42c1921fd38bce43e1c60cacdec3f1c2963fe0ffda6a0e8e34ac6e4 SHA512 9e9f06ab630914e32e64bfb945dfa375ea3595b3db4eb8ef68288a58909baf753b34998439907c22ff2b8561cfd3f3f6b7fbf22981479e66a98c2e92fda172a2
DIST openssl-3.2.3.tar.gz.asc 833 BLAKE2B 5a7289ed40534a058b9eb7686ce444b9d453a2973ab7ebda01c99f7245f6ba19197123f8bb3b16940d4bfbc5e313babc0249f280e55911190b47da3a47ed1e6a SHA512 e727adb88f84c48082ef0cae963bf999cce11619f7322014cc7f36c16e8375a60542f518c1b86319208cf8da33044e942b3d65208bc59fd4a5f522ab78ff1c23
DIST openssl-3.3.2.tar.gz 18076531 BLAKE2B cc53d45418673bc2a406d6697b8bd17ff6c726463c4ccc87bb2fa5a6592d0d178dc8cfeb2fbb980ea354a5dc2c86f31c48453427c6937896c7221273e623c9b5 SHA512 5ae47bf1aed2740a33ba5df7dc7345a6738aa6bfa3c9c4de5e51742485e24b25192988d7a2c1b8201ef70056ad8abd0ca78b3d55abe24c0b0373d83b47ed9b74
DIST openssl-3.3.2.tar.gz.asc 833 BLAKE2B c318e2dcef085b83ced77048dc136d9bc8438d49a7985f3c6ebd4ffd0e5e290ece47e8fd1074c6cc056e87b2bae2101dd58b8d70dbc0eb99aa134d776125439c SHA512 981f8438bbd541b97e745aca1bb77cde68900ce4b5ffefc9eccc2f18c675292203f6b4c7bffefde2256a442b7310d8438279b52fb21aac65921e9a529bc00067

172
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 vendored
View File

@ -1,172 +0,0 @@
#!/usr/bin/env bash
# Copyright 1999-2020 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
#
# Openssl doesn't play along nicely with cross-compiling
# like autotools based projects, so let's teach it new tricks.
#
# Review the bundled 'config' script to see why kind of targets
# we can pass to the 'Configure' script.
# Testing routines
if [[ $1 == "test" ]] ; then
for c in \
"arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \
"armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \
"x86_64-pc-linux-gnu |linux-x86_64" \
"alpha-linux-gnu |linux-alpha-gcc" \
"alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \
"i686-pc-linux-gnu |linux-elf" \
"whatever-gentoo-freebsdX.Y |BSD-generic32" \
"i686-gentoo-freebsdX.Y |BSD-x86-elf" \
"sparc64-alpha-freebsdX.Y |BSD-sparc64" \
"ia64-gentoo-freebsd5.99234 |BSD-ia64" \
"x86_64-gentoo-freebsdX.Y |BSD-x86_64" \
"hppa64-aldsF-linux-gnu5.3 |linux-generic32 -DB_ENDIAN" \
"powerpc-gentOO-linux-uclibc |linux-ppc" \
"powerpc64-unk-linux-gnu |linux-ppc64" \
"powerpc64le-linux-gnu |linux-ppc64le" \
"x86_64-apple-darwinX |darwin64-x86_64-cc" \
"powerpc64-apple-darwinX |darwin64-ppc-cc" \
"i686-apple-darwinX |darwin-i386-cc" \
"i386-apple-darwinX |darwin-i386-cc" \
"powerpc-apple-darwinX |darwin-ppc-cc" \
"i586-pc-winnt |winnt-parity" \
"s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \
"s390x-linux-gnu |linux64-s390x" \
;do
CHOST=${c/|*}
ret_want=${c/*|}
ret_got=$(CHOST=${CHOST} "$0")
if [[ ${ret_want} == "${ret_got}" ]] ; then
echo "PASS: ${CHOST}"
else
echo "FAIL: ${CHOST}"
echo -e "\twanted: ${ret_want}"
echo -e "\twe got: ${ret_got}"
fi
done
exit 0
fi
[[ -z ${CHOST} && -n $1 ]] && CHOST=$1
# Detect the operating system
case ${CHOST} in
*-aix*) system="aix";;
*-darwin*) system="darwin";;
*-freebsd*) system="BSD";;
*-hpux*) system="hpux";;
*-linux*) system="linux";;
*-solaris*) system="solaris";;
*-winnt*) system="winnt";;
x86_64-*-mingw*) system="mingw64";;
*mingw*) system="mingw";;
*) exit 0;;
esac
# Compiler munging
compiler="gcc"
if [[ ${CC} == "ccc" ]] ; then
compiler=${CC}
fi
# Detect target arch
machine=""
chost_machine=${CHOST%%-*}
case ${system} in
linux)
case ${chost_machine}:${ABI} in
aarch64*be*) machine="aarch64 -DB_ENDIAN";;
aarch64*) machine="aarch64 -DL_ENDIAN";;
alphaev56*|\
alphaev[678]*)machine=alpha+bwx-${compiler};;
alpha*) machine=alpha-${compiler};;
armv[4-9]*b*) machine="armv4 -DB_ENDIAN";;
armv[4-9]*) machine="armv4 -DL_ENDIAN";;
arm*b*) machine="generic32 -DB_ENDIAN";;
arm*) machine="generic32 -DL_ENDIAN";;
avr*) machine="generic32 -DL_ENDIAN";;
bfin*) machine="generic32 -DL_ENDIAN";;
# hppa64*) machine=parisc64;;
hppa*) machine="generic32 -DB_ENDIAN";;
i[0-9]86*|\
x86_64*:x86) machine=elf;;
ia64*) machine=ia64;;
loongarch64*) machine="generic64 -DL_ENDIAN";;
m68*) machine="generic32 -DB_ENDIAN";;
mips*el*) machine="generic32 -DL_ENDIAN";;
mips*) machine="generic32 -DB_ENDIAN";;
powerpc64*le*)machine=ppc64le;;
powerpc64*) machine=ppc64;;
powerpc*le*) machine="generic32 -DL_ENDIAN";;
powerpc*) machine=ppc;;
riscv32*) machine="generic32 -DL_ENDIAN";;
riscv64*) machine="generic64 -DL_ENDIAN";;
# sh64*) machine=elf;;
sh*b*) machine="generic32 -DB_ENDIAN";;
sh*) machine="generic32 -DL_ENDIAN";;
# TODO: Might want to do -mcpu probing like glibc to determine a
# better default for sparc-linux-gnu targets. This logic will
# break v7 and older systems when they use it.
sparc*v7*) machine="generic32 -DB_ENDIAN";;
sparc64*) machine=sparcv9 system=linux64;;
sparc*v9*) machine=sparcv9;;
sparc*v8*) machine=sparcv8;;
sparc*) machine=sparcv8;;
s390x*) machine=s390x system=linux64;;
s390*) machine="generic32 -DB_ENDIAN";;
x86_64*:x32) machine=x32;;
x86_64*) machine=x86_64;;
esac
;;
BSD)
case ${chost_machine} in
alpha*) machine=generic64;;
i[6-9]86*) machine=x86-elf;;
ia64*) machine=ia64;;
sparc64*) machine=sparc64;;
x86_64*) machine=x86_64;;
*) machine=generic32;;
esac
;;
aix)
machine=${compiler}
;;
darwin)
case ${chost_machine} in
powerpc64) machine=ppc-cc; system=${system}64;;
powerpc) machine=ppc-cc;;
i?86*) machine=i386-cc;;
x86_64) machine=x86_64-cc; system=${system}64;;
esac
;;
hpux)
case ${chost_machine} in
ia64) machine=ia64-${compiler} ;;
esac
;;
solaris)
case ${chost_machine} in
i386) machine=x86-${compiler} ;;
x86_64*) machine=x86_64-${compiler}; system=${system}64;;
sparcv9*) machine=sparcv9-${compiler}; system=${system}64;;
sparc*) machine=sparcv8-${compiler};;
esac
;;
winnt)
machine=parity
;;
mingw*)
# special case ... no xxx-yyy style name
echo ${system}
;;
esac
# If we have something, show it
[[ -n ${machine} ]] && echo ${system}-${machine}

21
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.0j-parallel_install_fix.patch vendored
View File

@ -1,21 +0,0 @@
https://github.com/openssl/openssl/issues/7679
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -77,8 +77,14 @@
# to. You're welcome.
sub dependmagic {
my $target = shift;
-
- return "$target: build_generated\n\t\$(MAKE) depend && \$(MAKE) _$target\n_$target";
+ my $magic = <<"_____";
+$target: build_generated depend
+ \$(MAKE) _$target
+_$target
+_____
+ # Remove line ending
+ $magic =~ s|\R$||;
+ return $magic;
}
'';
-}

61
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-1.1.1i-riscv32.patch vendored
View File

@ -1,61 +0,0 @@
From 5b5e2985f355c8e99c196d9ce5d02c15bebadfbc Mon Sep 17 00:00:00 2001
From: Alistair Francis <alistair.francis@wdc.com>
Date: Thu, 29 Aug 2019 13:56:21 -0700
Subject: [PATCH] Add support for io_pgetevents_time64 syscall
32-bit architectures that are y2038 safe don't include syscalls that use
32-bit time_t. Instead these architectures have suffixed syscalls that
always use a 64-bit time_t. In the case of the io_getevents syscall the
syscall has been replaced with the io_pgetevents_time64 syscall instead.
This patch changes the io_getevents() function to use the correct
syscall based on the avaliable syscalls and the time_t size. We will
only use the new 64-bit time_t syscall if the architecture is using a
64-bit time_t. This is to avoid having to deal with 32/64-bit
conversions and relying on a 64-bit timespec struct on 32-bit time_t
platforms. As of Linux 5.3 there are no 32-bit time_t architectures
without __NR_io_getevents. In the future if a 32-bit time_t architecture
wants to use the 64-bit syscalls we can handle the conversion.
This fixes build failures on 32-bit RISC-V.
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/9819)
---
engines/e_afalg.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/engines/e_afalg.c b/engines/e_afalg.c
index dacbe358cb..99516cb1bb 100644
--- a/engines/e_afalg.c
+++ b/engines/e_afalg.c
@@ -125,7 +125,23 @@ static ossl_inline int io_getevents(aio_context_t ctx, long min, long max,
struct io_event *events,
struct timespec *timeout)
{
+#if defined(__NR_io_getevents)
return syscall(__NR_io_getevents, ctx, min, max, events, timeout);
+#elif defined(__NR_io_pgetevents_time64)
+ /* Let's only support the 64 suffix syscalls for 64-bit time_t.
+ * This simplifies the code for us as we don't need to use a 64-bit
+ * version of timespec with a 32-bit time_t and handle converting
+ * between 64-bit and 32-bit times and check for overflows.
+ */
+ if (sizeof(timeout->tv_sec) == 8)
+ return syscall(__NR_io_pgetevents_time64, ctx, min, max, events, timeout, NULL);
+ else {
+ errno = ENOSYS;
+ return -1;
+ }
+#else
+# error "We require either the io_getevents syscall or __NR_io_pgetevents_time64."
+#endif
}
static void afalg_waitfd_cleanup(ASYNC_WAIT_CTX *ctx, const void *key,
--
2.26.2

141
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch vendored
View File

@ -1,141 +0,0 @@
https://www.openssl.org/news/secadv/20240408.txt
https://bugs.gentoo.org/930047
https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d
https://github.com/openssl/openssl/commit/cc9ece9118eeacccc3571c2ee852f8ba067d0607
From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Tue, 5 Mar 2024 15:43:53 +0000
Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
In TLSv1.3 we create a new session object for each ticket that we send.
We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
use then the new session will be added to the session cache. However, if
early data is not in use (and therefore anti-replay protection is being
used), then multiple threads could be resuming from the same session
simultaneously. If this happens and a problem occurs on one of the threads,
then the original session object could be marked as not_resumable. When we
duplicate the session object this not_resumable status gets copied into the
new session object. The new session object is then added to the session
cache even though it is not_resumable.
Subsequently, another bug means that the session_id_length is set to 0 for
sessions that are marked as not_resumable - even though that session is
still in the cache. Once this happens the session can never be removed from
the cache. When that object gets to be the session cache tail object the
cache never shrinks again and grows indefinitely.
CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce)
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode)
/*
* If the session_id_length is 0, we are not supposed to cache it, and it
- * would be rather hard to do anyway :-)
+ * would be rather hard to do anyway :-). Also if the session has already
+ * been marked as not_resumable we should not cache it for later reuse.
*/
- if (s->session->session_id_length == 0)
+ if (s->session->session_id_length == 0 || s->session->not_resumable)
return;
/*
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void)
return ss;
}
-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-{
- return ssl_session_dup(src, 1);
-}
-
/*
* Create a new SSL_SESSION and duplicate the contents of |src| into it. If
* ticket == 0 then no ticket information is duplicated, otherwise it is.
*/
-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
{
SSL_SESSION *dest;
@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
return NULL;
}
+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
+{
+ return ssl_session_dup_intern(src, 1);
+}
+
+/*
+ * Used internally when duplicating a session which might be already shared.
+ * We will have resumed the original session. Subsequently we might have marked
+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
+ * resume from.
+ */
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
+{
+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
+
+ if (sess != NULL)
+ sess->not_resumable = 0;
+
+ return sess;
+}
+
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
{
if (len)
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
* so the following won't overwrite an ID that we're supposed
* to send back.
*/
- if (s->session->not_resumable ||
- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
- && !s->hit))
+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
+ && !s->hit)
s->session->session_id_length = 0;
if (usetls13) {
From cc9ece9118eeacccc3571c2ee852f8ba067d0607 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 15 Mar 2024 17:58:42 +0000
Subject: [PATCH] Hardening around not_resumable sessions
Make sure we can't inadvertently use a not_resumable session
Related to CVE-2024-2511
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24044)
(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96)
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
if (ret != NULL) {
+ if (ret->not_resumable) {
+ /* If its not resumable then ignore this session */
+ if (!copy)
+ SSL_SESSION_free(ret);
+ return NULL;
+ }
ssl_tsan_counter(s->session_ctx,
&s->session_ctx->stats.sess_cb_hit);

79
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch vendored
View File

@ -1,79 +0,0 @@
https://bugs.gentoo.org/916328
https://github.com/opendnssec/SoftHSMv2/issues/729
https://github.com/openssl/openssl/issues/22508
https://github.com/openssl/openssl/commit/ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6
From ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 15 Dec 2023 13:45:50 +0100
Subject: [PATCH] Revert "Improved detection of engine-provided private
"classic" keys"
This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
The commit was wrong. With 3.x versions the engines must be themselves
responsible for creating their EVP_PKEYs in a way that they are treated
as legacy - either by using the respective set1 calls or by setting
non-default EVP_PKEY_METHOD.
The workaround has caused more problems than it solved.
Fixes #22945
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23063)
(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
--- a/crypto/engine/eng_pkey.c
+++ b/crypto/engine/eng_pkey.c
@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
return NULL;
}
- /* We enforce check for legacy key */
- switch (EVP_PKEY_get_id(pkey)) {
- case EVP_PKEY_RSA:
- {
- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- }
- break;
-# ifndef OPENSSL_NO_EC
- case EVP_PKEY_SM2:
- case EVP_PKEY_EC:
- {
- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
- EVP_PKEY_set1_EC_KEY(pkey, ec);
- EC_KEY_free(ec);
- }
- break;
-# endif
-# ifndef OPENSSL_NO_DSA
- case EVP_PKEY_DSA:
- {
- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
- EVP_PKEY_set1_DSA(pkey, dsa);
- DSA_free(dsa);
- }
- break;
-#endif
-# ifndef OPENSSL_NO_DH
- case EVP_PKEY_DH:
- {
- DH *dh = EVP_PKEY_get1_DH(pkey);
- EVP_PKEY_set1_DH(pkey, dh);
- DH_free(dh);
- }
- break;
-#endif
- default:
- /*Do nothing */
- break;
- }
-
return pkey;
}

193
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch vendored
View File

@ -1,193 +0,0 @@
https://bugs.gentoo.org/941643
https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <viktor@openssl.org>
Date: Thu, 19 Sep 2024 01:02:40 +1000
Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
The BN_GF2m_poly2arr() function converts characteristic-2 field
(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
to a compact array with just the exponents of the non-zero terms.
These polynomials are then used in BN_GF2m_mod_arr() to perform modular
reduction. A precondition of calling BN_GF2m_mod_arr() is that the
polynomial must have a non-zero constant term (i.e. the array has `0` as
its final element).
Internally, callers of BN_GF2m_poly2arr() did not verify that
precondition, and binary EC curve parameters with an invalid polynomial
could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
The precondition is always true for polynomials that arise from the
standard form of EC parameters for characteristic-two fields (X9.62).
See the "Finite Field Identification" section of:
https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
basis X9.62 forms.
This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
Additionally, the return value is made unambiguous when there is not
enough space to also pad the array with a final `-1` sentinel value.
The return value is now always the number of elements (including the
final `-1`) that would be filled when the output array is sufficiently
large. Previously the same count was returned both when the array has
just enough room for the final `-1` and when it had only enough space
for non-sentinel values.
Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
CPU exhausition attacks via excessively large inputs.
The above issues do not arise in processing X.509 certificates. These
generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
disallows explicit EC parameters. The TLS code in OpenSSL enforces this
constraint only after the certificate is decoded, but, even if explicit
parameters are specified, they are in X9.62 form, which cannot represent
problem values as noted above.
Initially reported as oss-fuzz issue 71623.
A closely related issue was earlier reported in
<https://github.com/openssl/openssl/issues/19826>.
Severity: Low, CVE-2024-9143
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25639)
(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -15,6 +15,7 @@
#include "bn_local.h"
#ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
/*
* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/*
* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
* x^i) into an array of integers corresponding to the bits with non-zero
- * coefficient. Array is terminated with -1. Up to max elements of the array
- * will be filled. Return value is total number of array elements that would
- * be filled if array was large enough.
+ * coefficient. The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1. Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`. It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
*/
int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
{
int i, j, k = 0;
BN_ULONG mask;
- if (BN_is_zero(a))
+ if (!BN_is_odd(a))
return 0;
for (i = a->top - 1; i >= 0; i--) {
@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
}
}
- if (k < max) {
+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+ return 0;
+
+ if (k < max)
p[k] = -1;
- k++;
- }
- return k;
+ return k + 1;
}
/*
--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
}
#ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+ int ret = 0;
+ BN_CTX *ctx = BN_CTX_new();
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+ TEST_info("Testing GF2m hardening\n");
+
+ BN_CTX_start(ctx);
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ if (!TEST_ptr(b = BN_CTX_get(ctx))
+ || !TEST_true(BN_one(a))
+ || !TEST_true(BN_one(b)))
+ goto out;
+
+ /* Even pentanomial value should be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf2)))
+ goto out;
+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Zero constant term accepted in GF2m polynomial");
+
+ /* Odd hexanomial should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf3)))
+ goto out;
+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Hexanomial accepted as GF2m polynomial");
+
+ /* Excessive polynomial degree should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0x71))
+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+ goto out;
+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("GF2m polynomial degree > %d accepted",
+ OPENSSL_ECC_MAX_FIELD_BITS);
+
+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+ EC_GROUP_free(group1);
+ EC_GROUP_free(group2);
+ EC_GROUP_free(group3);
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+
+ return ret;
+}
+
/* test EC_GF2m_simple_method directly */
static int field_tests_ec2_simple(void)
{
@@ -443,6 +493,7 @@ int setup_tests(void)
ADD_TEST(field_tests_ecp_simple);
ADD_TEST(field_tests_ecp_mont);
#ifndef OPENSSL_NO_EC2M
+ ADD_TEST(ec2m_field_sanity);
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);

192
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch vendored
View File

@ -1,192 +0,0 @@
https://bugs.gentoo.org/941643
https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154
From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <viktor@openssl.org>
Date: Thu, 19 Sep 2024 01:02:40 +1000
Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
The BN_GF2m_poly2arr() function converts characteristic-2 field
(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
to a compact array with just the exponents of the non-zero terms.
These polynomials are then used in BN_GF2m_mod_arr() to perform modular
reduction. A precondition of calling BN_GF2m_mod_arr() is that the
polynomial must have a non-zero constant term (i.e. the array has `0` as
its final element).
Internally, callers of BN_GF2m_poly2arr() did not verify that
precondition, and binary EC curve parameters with an invalid polynomial
could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
The precondition is always true for polynomials that arise from the
standard form of EC parameters for characteristic-two fields (X9.62).
See the "Finite Field Identification" section of:
https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
basis X9.62 forms.
This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
Additionally, the return value is made unambiguous when there is not
enough space to also pad the array with a final `-1` sentinel value.
The return value is now always the number of elements (including the
final `-1`) that would be filled when the output array is sufficiently
large. Previously the same count was returned both when the array has
just enough room for the final `-1` and when it had only enough space
for non-sentinel values.
Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
CPU exhausition attacks via excessively large inputs.
The above issues do not arise in processing X.509 certificates. These
generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
disallows explicit EC parameters. The TLS code in OpenSSL enforces this
constraint only after the certificate is decoded, but, even if explicit
parameters are specified, they are in X9.62 form, which cannot represent
problem values as noted above.
Initially reported as oss-fuzz issue 71623.
A closely related issue was earlier reported in
<https://github.com/openssl/openssl/issues/19826>.
Severity: Low, CVE-2024-9143
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25639)
(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -15,6 +15,7 @@
#include "bn_local.h"
#ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
/*
* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/*
* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
* x^i) into an array of integers corresponding to the bits with non-zero
- * coefficient. Array is terminated with -1. Up to max elements of the array
- * will be filled. Return value is total number of array elements that would
- * be filled if array was large enough.
+ * coefficient. The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1. Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`. It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
*/
int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
{
int i, j, k = 0;
BN_ULONG mask;
- if (BN_is_zero(a))
+ if (!BN_is_odd(a))
return 0;
for (i = a->top - 1; i >= 0; i--) {
@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
}
}
- if (k < max) {
+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+ return 0;
+
+ if (k < max)
p[k] = -1;
- k++;
- }
- return k;
+ return k + 1;
}
/*
--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
}
#ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+ int ret = 0;
+ BN_CTX *ctx = BN_CTX_new();
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+ TEST_info("Testing GF2m hardening\n");
+
+ BN_CTX_start(ctx);
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ if (!TEST_ptr(b = BN_CTX_get(ctx))
+ || !TEST_true(BN_one(a))
+ || !TEST_true(BN_one(b)))
+ goto out;
+
+ /* Even pentanomial value should be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf2)))
+ goto out;
+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Zero constant term accepted in GF2m polynomial");
+
+ /* Odd hexanomial should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf3)))
+ goto out;
+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Hexanomial accepted as GF2m polynomial");
+
+ /* Excessive polynomial degree should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0x71))
+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+ goto out;
+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("GF2m polynomial degree > %d accepted",
+ OPENSSL_ECC_MAX_FIELD_BITS);
+
+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+ EC_GROUP_free(group1);
+ EC_GROUP_free(group2);
+ EC_GROUP_free(group3);
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+
+ return ret;
+}
+
/* test EC_GF2m_simple_method directly */
static int field_tests_ec2_simple(void)
{
@@ -443,6 +493,7 @@ int setup_tests(void)
ADD_TEST(field_tests_ecp_simple);
ADD_TEST(field_tests_ecp_mont);
#ifndef OPENSSL_NO_EC2M
+ ADD_TEST(ec2m_field_sanity);
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);

55
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch vendored
View File

@ -1,55 +0,0 @@
https://bugs.gentoo.org/937457
https://github.com/openssl/openssl/commit/419fb4ea4be4c0b28c63b494ff30fa3510aba06e
From 419fb4ea4be4c0b28c63b494ff30fa3510aba06e Mon Sep 17 00:00:00 2001
From: Neil Horman <nhorman@openssl.org>
Date: Sun, 14 Jul 2024 08:57:25 -0400
Subject: [PATCH] Fix cmake generator
PR #24678 modified some environment variables and locations that the
cmake exporter depended on, resulting in empty directory resolution.
Adjust build build.info and input variable names to match up again
Fixes #24874
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24877)
(cherry picked from commit c1a27bdeb9a4f915aa92ed0e74ed48a1f9b94176)
--- a/build.info
+++ b/build.info
@@ -102,6 +102,11 @@ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
ENDIF
# This file sets the build directory up for CMake inclusion
+# Note: This generation of OpenSSLConfig[Version].cmake is used
+# for building openssl locally, and so the build variables are
+# taken from builddata.pm rather than installdata.pm. For exportable
+# versions of these generated files, you'll find them in the exporters
+# directory
GENERATE[OpenSSLConfig.cmake]=exporters/cmake/OpenSSLConfig.cmake.in
DEPEND[OpenSSLConfig.cmake]=builddata.pm
GENERATE[OpenSSLConfigVersion.cmake]=exporters/cmake/OpenSSLConfigVersion.cmake.in
--- a/exporters/cmake/OpenSSLConfig.cmake.in
+++ b/exporters/cmake/OpenSSLConfig.cmake.in
@@ -127,13 +127,13 @@ set(OPENSSL_VERSION_FIX "${OpenSSL_VERSION_PATCH}")
set(OPENSSL_FOUND YES)
# Directories and names
-set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL, 1); -}")
-set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL, 1); -}")
-set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL, 1); -}")
-set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL, 1); -}")
-set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL, 1); -}")
+set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}")
+set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX, 1); -}")
+set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR, 1); -}")
+set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR, 1); -}")
+set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL_PREFIX, 1); -}")
{- output_off() if $disabled{uplink}; "" -}
-set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL, 1); -}/applink.c")
+set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL_PREFIX, 1); -}/applink.c")
{- output_on() if $disabled{uplink}; "" -}
set(OPENSSL_PROGRAM "${OPENSSL_RUNTIME_DIR}/{- platform->bin('openssl') -}")

303
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch vendored
View File

@ -1,303 +0,0 @@
https://github.com/openssl/openssl/pull/24687
https://bugs.gentoo.org/936576
https://github.com/openssl/openssl/commit/aa099dba7c80c723cf4babf5adc0c801f1c28363
https://github.com/openssl/openssl/commit/1c437b5704c9ee5f667bc2b11e5fdf176dfb714f
From aa099dba7c80c723cf4babf5adc0c801f1c28363 Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Thu, 20 Jun 2024 14:30:16 +0200
Subject: [PATCH] Give util/mkinstallvars.pl more fine grained control over var
dependencies
Essentially, we try to do what GNU does. 'prefix' is used to define the
defaults for 'exec_prefix' and 'libdir', and these are then used to define
further directory values. util/mkinstallvars.pl is changed to reflect that
to the best of our ability.
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24687)
(cherry picked from commit 6e0fd246e7a6e51f92b2ef3520bfc4414b7773c0)
---
exporters/build.info | 2 +-
util/mkinstallvars.pl | 133 ++++++++++++++++++++++++++----------------
2 files changed, 85 insertions(+), 50 deletions(-)
diff --git a/exporters/build.info b/exporters/build.info
index 86acf2df9467c..9241dc9b0a658 100644
--- a/exporters/build.info
+++ b/exporters/build.info
@@ -19,7 +19,7 @@ DEPEND[openssl.pc]=libcrypto.pc libssl.pc
DEPEND[""]=openssl.pc
GENERATE[../installdata.pm]=../util/mkinstallvars.pl \
- "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" \
+ "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" "libdir=$(libdir)" \
INCLUDEDIR=include APPLINKDIR=include/openssl \
"ENGINESDIR=$(ENGINESDIR)" "MODULESDIR=$(MODULESDIR)" \
"PKGCONFIGDIR=$(PKGCONFIGDIR)" "CMAKECONFIGDIR=$(CMAKECONFIGDIR)" \
diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
index 59a432d28c601..5fadb708e1b77 100644
--- a/util/mkinstallvars.pl
+++ b/util/mkinstallvars.pl
@@ -11,13 +11,25 @@
# The result is a Perl module creating the package OpenSSL::safe::installdata.
use File::Spec;
+use List::Util qw(pairs);
# These are expected to be set up as absolute directories
-my @absolutes = qw(PREFIX);
+my @absolutes = qw(PREFIX libdir);
# These may be absolute directories, and if not, they are expected to be set up
-# as subdirectories to PREFIX
-my @subdirs = qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR ENGINESDIR MODULESDIR
- PKGCONFIGDIR CMAKECONFIGDIR);
+# as subdirectories to PREFIX or LIBDIR. The order of the pairs is important,
+# since the LIBDIR subdirectories depend on the calculation of LIBDIR from
+# PREFIX.
+my @subdirs = pairs (PREFIX => [ qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR) ],
+ LIBDIR => [ qw(ENGINESDIR MODULESDIR PKGCONFIGDIR
+ CMAKECONFIGDIR) ]);
+# For completeness, other expected variables
+my @others = qw(VERSION LDLIBS);
+
+my %all = ( );
+foreach (@absolutes) { $all{$_} = 1 }
+foreach (@subdirs) { foreach (@{$_->[1]}) { $all{$_} = 1 } }
+foreach (@others) { $all{$_} = 1 }
+print STDERR "DEBUG: all keys: ", join(", ", sort keys %all), "\n";
my %keys = ();
foreach (@ARGV) {
@@ -26,29 +38,47 @@
$ENV{$k} = $v;
}
-foreach my $k (sort keys %keys) {
- my $v = $ENV{$k};
- $v = File::Spec->rel2abs($v) if $v && grep { $k eq $_ } @absolutes;
- $ENV{$k} = $v;
+# warn if there are missing values, and also if there are unexpected values
+foreach my $k (sort keys %all) {
+ warn "No value given for $k\n" unless $keys{$k};
}
foreach my $k (sort keys %keys) {
+ warn "Unknown variable $k\n" unless $all{$k};
+}
+
+# This shouldn't be needed, but just in case we get relative paths that
+# should be absolute, make sure they actually are.
+foreach my $k (@absolutes) {
my $v = $ENV{$k} || '.';
+ print STDERR "DEBUG: $k = $v => ";
+ $v = File::Spec->rel2abs($v) if $v;
+ $ENV{$k} = $v;
+ print STDERR "$k = $ENV{$k}\n";
+}
- # Absolute paths for the subdir variables are computed. This provides
- # the usual form of values for names that have become norm, known as GNU
- # installation paths.
- # For the benefit of those that need it, the subdirectories are preserved
- # as they are, using the same variable names, suffixed with '_REL', if they
- # are indeed subdirectories.
- if (grep { $k eq $_ } @subdirs) {
+# Absolute paths for the subdir variables are computed. This provides
+# the usual form of values for names that have become norm, known as GNU
+# installation paths.
+# For the benefit of those that need it, the subdirectories are preserved
+# as they are, using the same variable names, suffixed with '_REL_{var}',
+# if they are indeed subdirectories. The '{var}' part of the name tells
+# which other variable value they are relative to.
+foreach my $pair (@subdirs) {
+ my ($var, $subdir_vars) = @$pair;
+ foreach my $k (@$subdir_vars) {
+ my $v = $ENV{$k} || '.';
+ print STDERR "DEBUG: $k = $v => ";
if (File::Spec->file_name_is_absolute($v)) {
- $ENV{"${k}_REL"} = File::Spec->abs2rel($v, $ENV{PREFIX});
+ my $kr = "${k}_REL_${var}";
+ $ENV{$kr} = File::Spec->abs2rel($v, $ENV{$var});
+ print STDERR "$kr = $ENV{$kr}\n";
} else {
- $ENV{"${k}_REL"} = $v;
- $v = File::Spec->rel2abs($v, $ENV{PREFIX});
+ my $kr = "${k}_REL_${var}";
+ $ENV{$kr} = $v;
+ $ENV{$k} = File::Spec->rel2abs($v, $ENV{$var});
+ print STDERR "$k = $ENV{$k} , $kr = $v\n";
}
}
- $ENV{$k} = $v;
}
print <<_____;
@@ -58,36 +88,41 @@ package OpenSSL::safe::installdata;
use warnings;
use Exporter;
our \@ISA = qw(Exporter);
-our \@EXPORT = qw(\$PREFIX
- \$BINDIR \$BINDIR_REL
- \$LIBDIR \$LIBDIR_REL
- \$INCLUDEDIR \$INCLUDEDIR_REL
- \$APPLINKDIR \$APPLINKDIR_REL
- \$ENGINESDIR \$ENGINESDIR_REL
- \$MODULESDIR \$MODULESDIR_REL
- \$PKGCONFIGDIR \$PKGCONFIGDIR_REL
- \$CMAKECONFIGDIR \$CMAKECONFIGDIR_REL
- \$VERSION \@LDLIBS);
-
-our \$PREFIX = '$ENV{PREFIX}';
-our \$BINDIR = '$ENV{BINDIR}';
-our \$BINDIR_REL = '$ENV{BINDIR_REL}';
-our \$LIBDIR = '$ENV{LIBDIR}';
-our \$LIBDIR_REL = '$ENV{LIBDIR_REL}';
-our \$INCLUDEDIR = '$ENV{INCLUDEDIR}';
-our \$INCLUDEDIR_REL = '$ENV{INCLUDEDIR_REL}';
-our \$APPLINKDIR = '$ENV{APPLINKDIR}';
-our \$APPLINKDIR_REL = '$ENV{APPLINKDIR_REL}';
-our \$ENGINESDIR = '$ENV{ENGINESDIR}';
-our \$ENGINESDIR_REL = '$ENV{ENGINESDIR_REL}';
-our \$MODULESDIR = '$ENV{MODULESDIR}';
-our \$MODULESDIR_REL = '$ENV{MODULESDIR_REL}';
-our \$PKGCONFIGDIR = '$ENV{PKGCONFIGDIR}';
-our \$PKGCONFIGDIR_REL = '$ENV{PKGCONFIGDIR_REL}';
-our \$CMAKECONFIGDIR = '$ENV{CMAKECONFIGDIR}';
-our \$CMAKECONFIGDIR_REL = '$ENV{CMAKECONFIGDIR_REL}';
-our \$VERSION = '$ENV{VERSION}';
-our \@LDLIBS =
+our \@EXPORT = qw(
+_____
+
+foreach my $k (@absolutes) {
+ print " \$$k\n";
+}
+foreach my $pair (@subdirs) {
+ my ($var, $subdir_vars) = @$pair;
+ foreach my $k (@$subdir_vars) {
+ my $k2 = "${k}_REL_${var}";
+ print " \$$k \$$k2\n";
+ }
+}
+
+print <<_____;
+ \$VERSION \@LDLIBS
+);
+
+_____
+
+foreach my $k (@absolutes) {
+ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";
+}
+foreach my $pair (@subdirs) {
+ my ($var, $subdir_vars) = @$pair;
+ foreach my $k (@$subdir_vars) {
+ my $k2 = "${k}_REL_${var}";
+ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";
+ print "our \$$k2" . ' ' x (27 - length($k2)) . "= '$ENV{$k2}';\n";
+ }
+}
+
+print <<_____;
+our \$VERSION = '$ENV{VERSION}';
+our \@LDLIBS =
# Unix and Windows use space separation, VMS uses comma separation
split(/ +| *, */, '$ENV{LDLIBS}');
From 1c437b5704c9ee5f667bc2b11e5fdf176dfb714f Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Thu, 20 Jun 2024 14:33:15 +0200
Subject: [PATCH] Adapt all the exporter files to the new vars from
util/mkinstallvars.pl
With this, the pkg-config files take better advantage of relative directory
values.
Fixes #24298
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24687)
(cherry picked from commit 30dc37d798a0428fd477d3763086e7e97b3d596f)
---
exporters/cmake/OpenSSLConfig.cmake.in | 7 ++++---
exporters/pkg-config/libcrypto.pc.in | 12 ++++++++----
exporters/pkg-config/libssl.pc.in | 8 ++++++--
exporters/pkg-config/openssl.pc.in | 8 ++++++--
4 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/exporters/cmake/OpenSSLConfig.cmake.in b/exporters/cmake/OpenSSLConfig.cmake.in
index 2d2321931de1d..06f796158b2fa 100644
--- a/exporters/cmake/OpenSSLConfig.cmake.in
+++ b/exporters/cmake/OpenSSLConfig.cmake.in
@@ -89,9 +89,10 @@ unset(_ossl_undefined_targets)
# Set up the import path, so all other import paths are made relative this file
get_filename_component(_ossl_prefix "${CMAKE_CURRENT_LIST_FILE}" PATH)
{-
- # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR_REL, have CMake
- # out the parent directory.
- my $d = unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL);
+ # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR relative to
+ # $OpenSSL::safe::installdata::PREFIX, have CMake figure out the parent directory.
+ my $d = join('/', unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX),
+ unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL_LIBDIR));
$OUT = '';
$OUT .= 'get_filename_component(_ossl_prefix "${_ossl_prefix}" PATH)' . "\n"
foreach (split '/', $d);
diff --git a/exporters/pkg-config/libcrypto.pc.in b/exporters/pkg-config/libcrypto.pc.in
index 14ed339f3c3a0..fbc8ea4c79b06 100644
--- a/exporters/pkg-config/libcrypto.pc.in
+++ b/exporters/pkg-config/libcrypto.pc.in
@@ -1,7 +1,11 @@
-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
-enginesdir={- $OpenSSL::safe::installdata::ENGINESDIR -}
-modulesdir={- $OpenSSL::safe::installdata::MODULESDIR -}
+prefix={- $OpenSSL::safe::installdata::PREFIX -}
+exec_prefix=${prefix}
+libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
+ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
+ : $OpenSSL::safe::installdata::libdir -}
+includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
+enginesdir=${libdir}/{- $OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR -}
+modulesdir=${libdir}/{- $OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR -}
Name: OpenSSL-libcrypto
Description: OpenSSL cryptography library
diff --git a/exporters/pkg-config/libssl.pc.in b/exporters/pkg-config/libssl.pc.in
index a7828b3cc6a49..963538807bb2b 100644
--- a/exporters/pkg-config/libssl.pc.in
+++ b/exporters/pkg-config/libssl.pc.in
@@ -1,5 +1,9 @@
-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
+prefix={- $OpenSSL::safe::installdata::PREFIX -}
+exec_prefix=${prefix}
+libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
+ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
+ : $OpenSSL::safe::installdata::libdir -}
+includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
Name: OpenSSL-libssl
Description: Secure Sockets Layer and cryptography libraries
diff --git a/exporters/pkg-config/openssl.pc.in b/exporters/pkg-config/openssl.pc.in
index dbb77aa39add2..225bef9e2384d 100644
--- a/exporters/pkg-config/openssl.pc.in
+++ b/exporters/pkg-config/openssl.pc.in
@@ -1,5 +1,9 @@
-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
+prefix={- $OpenSSL::safe::installdata::PREFIX -}
+exec_prefix=${prefix}
+libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
+ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
+ : $OpenSSL::safe::installdata::libdir -}
+includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
Name: OpenSSL
Description: Secure Sockets Layer and cryptography libraries and tools

31
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch vendored
View File

@ -1,31 +0,0 @@
https://github.com/openssl/openssl/pull/25018
https://bugs.gentoo.org/936793
From b7bd618fb12728b4a85b9159af95ca40a817674d Mon Sep 17 00:00:00 2001
From: Richard Levitte <levitte@openssl.org>
Date: Sun, 28 Jul 2024 10:47:08 +0200
Subject: [PATCH] fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and
Windows)
Don't do comma separation on those platforms.
Fixes #24986
---
util/mkinstallvars.pl | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
index 5fadb708e1b77..e2b7d9d08321f 100644
--- a/util/mkinstallvars.pl
+++ b/util/mkinstallvars.pl
@@ -124,7 +124,9 @@ package OpenSSL::safe::installdata;
our \$VERSION = '$ENV{VERSION}';
our \@LDLIBS =
# Unix and Windows use space separation, VMS uses comma separation
- split(/ +| *, */, '$ENV{LDLIBS}');
+ \$^O eq 'VMS'
+ ? split(/ *, */, '$ENV{LDLIBS}')
+ : split(/ +/, '$ENV{LDLIBS}');
1;
_____

96
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.3.1-riscv.patch vendored
View File

@ -1,96 +0,0 @@
# https://bugs.gentoo.org/936311
# Taken from https://github.com/openssl/openssl/pull/24486
From b1dd4a8005cf172053d986c0dd85fd104f005307 Mon Sep 17 00:00:00 2001
From: Hongren Zheng <i@zenithal.me>
Date: Fri, 24 May 2024 14:12:47 +0800
Subject: [PATCH] riscv: Fix cpuid_obj asm checks for sm4/sm3
Similar to #22881 / #23752
---
crypto/sm3/sm3_local.h | 2 +-
include/crypto/sm4_platform.h | 2 +-
providers/implementations/ciphers/cipher_sm4_ccm_hw.c | 2 +-
providers/implementations/ciphers/cipher_sm4_gcm_hw.c | 2 +-
providers/implementations/ciphers/cipher_sm4_hw.c | 2 +-
providers/implementations/ciphers/cipher_sm4_xts_hw.c | 2 +-
6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/crypto/sm3/sm3_local.h b/crypto/sm3/sm3_local.h
index d2845f9678967..a467cc98eb13e 100644
--- a/crypto/sm3/sm3_local.h
+++ b/crypto/sm3/sm3_local.h
@@ -39,7 +39,7 @@
# define HWSM3_CAPABLE (OPENSSL_armcap_P & ARMV8_SM3)
void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
# endif
-# if defined(__riscv) && __riscv_xlen == 64
+# if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
# include "crypto/riscv_arch.h"
# define HWSM3_CAPABLE 1
void ossl_hwsm3_block_data_order(SM3_CTX *c, const void *p, size_t num);
diff --git a/include/crypto/sm4_platform.h b/include/crypto/sm4_platform.h
index 928dc17ff0838..4d70d291450a1 100644
--- a/include/crypto/sm4_platform.h
+++ b/include/crypto/sm4_platform.h
@@ -38,7 +38,7 @@ static inline int vpsm4_ex_capable(void)
# define HWSM4_cbc_encrypt sm4_v8_cbc_encrypt
# define HWSM4_ecb_encrypt sm4_v8_ecb_encrypt
# define HWSM4_ctr32_encrypt_blocks sm4_v8_ctr32_encrypt_blocks
-# elif defined(__riscv) && __riscv_xlen == 64
+# elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
/* RV64 support */
# include "riscv_arch.h"
/* Zvksed extension (vector crypto SM4). */
diff --git a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
index 34f0e751e007d..293bb69d64272 100644
--- a/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_ccm_hw.c
@@ -59,7 +59,7 @@ static const PROV_CCM_HW ccm_sm4 = {
ossl_ccm_generic_gettag
};
-#if defined(__riscv) && __riscv_xlen == 64
+#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
# include "cipher_sm4_ccm_hw_rv64i.inc"
#else
const PROV_CCM_HW *ossl_prov_sm4_hw_ccm(size_t keybits)
diff --git a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
index 06ca450782ff2..e3b4e9f588807 100644
--- a/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_gcm_hw.c
@@ -89,7 +89,7 @@ static const PROV_GCM_HW sm4_gcm = {
ossl_gcm_one_shot
};
-#if defined(__riscv) && __riscv_xlen == 64
+#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
# include "cipher_sm4_gcm_hw_rv64i.inc"
#else
const PROV_GCM_HW *ossl_prov_sm4_hw_gcm(size_t keybits)
diff --git a/providers/implementations/ciphers/cipher_sm4_hw.c b/providers/implementations/ciphers/cipher_sm4_hw.c
index c4f2f97cccd8d..70dc66ffae233 100644
--- a/providers/implementations/ciphers/cipher_sm4_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_hw.c
@@ -134,7 +134,7 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_##mode(size_t keybits) \
return &sm4_##mode; \
}
-#if defined(__riscv) && __riscv_xlen == 64
+#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
# include "cipher_sm4_hw_rv64i.inc"
#else
/* The generic case */
diff --git a/providers/implementations/ciphers/cipher_sm4_xts_hw.c b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
index 6cf58e851f5d4..423598317d217 100644
--- a/providers/implementations/ciphers/cipher_sm4_xts_hw.c
+++ b/providers/implementations/ciphers/cipher_sm4_xts_hw.c
@@ -89,7 +89,7 @@ static const PROV_CIPHER_HW sm4_generic_xts = {
cipher_hw_sm4_xts_copyctx
};
-#if defined(__riscv) && __riscv_xlen == 64
+#if defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
# include "cipher_sm4_xts_hw_rv64i.inc"
#else
const PROV_CIPHER_HW *ossl_prov_cipher_hw_sm4_xts(size_t keybits)

193
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch vendored
View File

@ -1,193 +0,0 @@
https://bugs.gentoo.org/941643
https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4
From c0d3e4d32d2805f49bec30547f225bc4d092e1f4 Mon Sep 17 00:00:00 2001
From: Viktor Dukhovni <viktor@openssl.org>
Date: Thu, 19 Sep 2024 01:02:40 +1000
Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
The BN_GF2m_poly2arr() function converts characteristic-2 field
(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
to a compact array with just the exponents of the non-zero terms.
These polynomials are then used in BN_GF2m_mod_arr() to perform modular
reduction. A precondition of calling BN_GF2m_mod_arr() is that the
polynomial must have a non-zero constant term (i.e. the array has `0` as
its final element).
Internally, callers of BN_GF2m_poly2arr() did not verify that
precondition, and binary EC curve parameters with an invalid polynomial
could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
The precondition is always true for polynomials that arise from the
standard form of EC parameters for characteristic-two fields (X9.62).
See the "Finite Field Identification" section of:
https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
basis X9.62 forms.
This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
Additionally, the return value is made unambiguous when there is not
enough space to also pad the array with a final `-1` sentinel value.
The return value is now always the number of elements (including the
final `-1`) that would be filled when the output array is sufficiently
large. Previously the same count was returned both when the array has
just enough room for the final `-1` and when it had only enough space
for non-sentinel values.
Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
CPU exhausition attacks via excessively large inputs.
The above issues do not arise in processing X.509 certificates. These
generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
disallows explicit EC parameters. The TLS code in OpenSSL enforces this
constraint only after the certificate is decoded, but, even if explicit
parameters are specified, they are in X9.62 form, which cannot represent
problem values as noted above.
Initially reported as oss-fuzz issue 71623.
A closely related issue was earlier reported in
<https://github.com/openssl/openssl/issues/19826>.
Severity: Low, CVE-2024-9143
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25639)
(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
--- a/crypto/bn/bn_gf2m.c
+++ b/crypto/bn/bn_gf2m.c
@@ -15,6 +15,7 @@
#include "bn_local.h"
#ifndef OPENSSL_NO_EC2M
+# include <openssl/ec.h>
/*
* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
/*
* Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
* x^i) into an array of integers corresponding to the bits with non-zero
- * coefficient. Array is terminated with -1. Up to max elements of the array
- * will be filled. Return value is total number of array elements that would
- * be filled if array was large enough.
+ * coefficient. The array is intended to be suitable for use with
+ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
+ * zero. This translates to a requirement that the input BIGNUM `a` is odd.
+ *
+ * Given sufficient room, the array is terminated with -1. Up to max elements
+ * of the array will be filled.
+ *
+ * The return value is total number of array elements that would be filled if
+ * array was large enough, including the terminating `-1`. It is `0` when `a`
+ * is not odd or the constant term is zero contrary to requirement.
+ *
+ * The return value is also `0` when the leading exponent exceeds
+ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
*/
int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
{
int i, j, k = 0;
BN_ULONG mask;
- if (BN_is_zero(a))
+ if (!BN_is_odd(a))
return 0;
for (i = a->top - 1; i >= 0; i--) {
@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
}
}
- if (k < max) {
+ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
+ return 0;
+
+ if (k < max)
p[k] = -1;
- k++;
- }
- return k;
+ return k + 1;
}
/*
--- a/test/ec_internal_test.c
+++ b/test/ec_internal_test.c
@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
}
#ifndef OPENSSL_NO_EC2M
+/* Test that decoding of invalid GF2m field parameters fails. */
+static int ec2m_field_sanity(void)
+{
+ int ret = 0;
+ BN_CTX *ctx = BN_CTX_new();
+ BIGNUM *p, *a, *b;
+ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
+
+ TEST_info("Testing GF2m hardening\n");
+
+ BN_CTX_start(ctx);
+ p = BN_CTX_get(ctx);
+ a = BN_CTX_get(ctx);
+ if (!TEST_ptr(b = BN_CTX_get(ctx))
+ || !TEST_true(BN_one(a))
+ || !TEST_true(BN_one(b)))
+ goto out;
+
+ /* Even pentanomial value should be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf2)))
+ goto out;
+ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Zero constant term accepted in GF2m polynomial");
+
+ /* Odd hexanomial should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0xf3)))
+ goto out;
+ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("Hexanomial accepted as GF2m polynomial");
+
+ /* Excessive polynomial degree should also be rejected */
+ if (!TEST_true(BN_set_word(p, 0x71))
+ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
+ goto out;
+ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
+ TEST_error("GF2m polynomial degree > %d accepted",
+ OPENSSL_ECC_MAX_FIELD_BITS);
+
+ ret = group1 == NULL && group2 == NULL && group3 == NULL;
+
+ out:
+ EC_GROUP_free(group1);
+ EC_GROUP_free(group2);
+ EC_GROUP_free(group3);
+ BN_CTX_end(ctx);
+ BN_CTX_free(ctx);
+
+ return ret;
+}
+
/* test EC_GF2m_simple_method directly */
static int field_tests_ec2_simple(void)
{
@@ -443,6 +493,7 @@ int setup_tests(void)
ADD_TEST(field_tests_ecp_simple);
ADD_TEST(field_tests_ecp_mont);
#ifndef OPENSSL_NO_EC2M
+ ADD_TEST(ec2m_field_sanity);
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);

3
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf vendored Normal file
View File

@ -0,0 +1,3 @@
d /etc/ssl - - - - -
d /etc/ssl/private 0700 - - - -
L /etc/ssl/openssl.cnf - - - - ../../usr/share/ssl/openssl.cnf

303
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2u-r1.ebuild vendored
View File

@ -1,303 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI="7"
inherit flag-o-matic toolchain-funcs multilib-minimal
# openssl-1.0.2-patches-1.6 contain additional CVE patches
# which got fixed with this release.
# Please use 1.7 version number when rolling a new tarball!
PATCH_SET="openssl-1.0.2-patches-1.5"
MY_P=${P/_/-}
# This patch set is based on the following files from Fedora 25,
# see https://src.fedoraproject.org/rpms/openssl/blob/25/f/openssl.spec
# for more details:
# - hobble-openssl (SOURCE1)
# - ec_curve.c (SOURCE12) -- MODIFIED
# - ectest.c (SOURCE13)
# - openssl-1.1.1-ec-curves.patch (PATCH37) -- MODIFIED
BINDIST_PATCH_SET="openssl-1.0.2t-bindist-1.0.tar.xz"
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
HOMEPAGE="https://openssl-library.org/"
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
bindist? (
mirror://gentoo/bb/${BINDIST_PATCH_SET}
)
!vanilla? (
https://dev.gentoo.org/~chutzpah/dist/${PN}/${PATCH_SET}.tar.xz
)"
LICENSE="openssl"
SLOT="0"
KEYWORDS="~alpha amd64 arm arm64 hppa ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x86-linux ~arm64-macos"
IUSE="+asm bindist gmp kerberos rfc3779 sctp cpu_flags_x86_sse2 sslv2 +sslv3 static-libs test tls-compression +tls-heartbeat vanilla"
RESTRICT="!bindist? ( bindist )
!test? ( test )"
RDEPEND=">=app-misc/c_rehash-1.7-r1
gmp? ( >=dev-libs/gmp-5.1.3-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
kerberos? ( >=app-crypt/mit-krb5-1.11.4[${MULTILIB_USEDEP}] )
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
DEPEND="${RDEPEND}"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
)"
PDEPEND="app-misc/ca-certificates"
S="${WORKDIR}/${MY_P}"
MULTILIB_WRAPPED_HEADERS=(
usr/include/openssl/opensslconf.h
)
src_prepare() {
if use bindist; then
mv "${WORKDIR}"/bindist-patches/hobble-openssl "${WORKDIR}" || die
bash "${WORKDIR}"/hobble-openssl || die
cp -f "${WORKDIR}"/bindist-patches/ec_curve.c "${S}"/crypto/ec/ || die
cp -f "${WORKDIR}"/bindist-patches/ectest.c "${S}"/crypto/ec/ || die
eapply "${WORKDIR}"/bindist-patches/ec-curves.patch
# Also see the configure parts below:
# enable-ec \
# $(use_ssl !bindist ec2m) \
# $(use_ssl !bindist srp) \
fi
# keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile
if ! use vanilla ; then
eapply "${WORKDIR}"/patch/*.patch
fi
eapply_user
# disable fips in the build
# make sure the man pages are suffixed #302165
# don't bother building man pages if they're disabled
sed -i \
-e '/DIRS/s: fips : :g' \
-e '/^MANSUFFIX/s:=.*:=ssl:' \
-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-e $(has noman FEATURES \
&& echo '/^install:/s:install_docs::' \
|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
Makefile.org \
|| die
# show the actual commands in the log
sed -i '/^SET_X/s:=.*:=set -x:' Makefile.shared
# since we're forcing $(CC) as makedep anyway, just fix
# the conditional as always-on
# helps clang (#417795), and versioned gcc (#499818)
# this breaks build with 1.0.2p, not sure if it is needed anymore
#sed -i 's/expr.*MAKEDEPEND.*;/true;/' util/domd || die
# quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (#417795 again)
[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
# allow openssl to be cross-compiled
cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
chmod a+rx gentoo.config || die
append-flags -fno-strict-aliasing
append-flags $(test-flags-CC -Wa,--noexecstack)
append-cppflags -DOPENSSL_NO_BUF_FREELISTS
sed -i '1s,^:$,#!'${EPREFIX}'/usr/bin/perl,' Configure #141906
# The config script does stupid stuff to prompt the user. Kill it.
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
./config --test-sanity || die "I AM NOT SANE"
multilib_copy_sources
}
multilib_src_configure() {
unset APPS #197996
unset SCRIPTS #312551
unset CROSS_COMPILE #311473
tc-export CC AR RANLIB RC
# Clean out patent-or-otherwise-encumbered code
# Camellia: Royalty Free https://en.wikipedia.org/wiki/Camellia_(cipher)
# IDEA: Expired https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
# EC: ????????? ??/??/2015 https://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
# MDC2: Expired https://en.wikipedia.org/wiki/MDC-2
# RC5: Expired https://en.wikipedia.org/wiki/RC5
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
echoit() { echo "$@" ; "$@" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(./gentoo.config)
einfo "Use configuration ${sslout:-(openssl knows best)}"
local config="Configure"
[[ -z ${sslout} ]] && config="config"
# Fedora hobbled-EC needs 'no-ec2m', 'no-srp'
# Make sure user flags don't get added *yet* to avoid duplicated
# flags.
CFLAGS= LDFLAGS= echoit \
./${config} \
${sslout} \
$(use cpu_flags_x86_sse2 || echo "no-sse2") \
enable-camellia \
enable-ec \
$(use_ssl !bindist ec2m) \
$(use_ssl !bindist srp) \
${ec_nistp_64_gcc_128} \
enable-idea \
enable-mdc2 \
enable-rc5 \
enable-tlsext \
$(use_ssl asm) \
$(use_ssl gmp gmp -lgmp) \
$(use_ssl kerberos krb5 --with-krb5-flavor=${krb5}) \
$(use_ssl rfc3779) \
$(use_ssl sctp) \
$(use_ssl sslv2 ssl2) \
$(use_ssl sslv3 ssl3) \
$(use_ssl tls-compression zlib) \
$(use_ssl tls-heartbeat heartbeats) \
--prefix="${EPREFIX}"/usr \
--openssldir="${EPREFIX}"${SSL_CNF_DIR} \
--libdir=$(get_libdir) \
shared threads \
|| die
# Clean out hardcoded flags that openssl uses
local DEFAULT_CFLAGS=$(grep ^CFLAG= Makefile | LC_ALL=C sed \
-e 's:^CFLAG=::' \
-e 's:\(^\| \)-fomit-frame-pointer::g' \
-e 's:\(^\| \)-O[^ ]*::g' \
-e 's:\(^\| \)-march=[^ ]*::g' \
-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-e 's:\(^\| \)-m[^ ]*::g' \
-e 's:^ *::' \
-e 's: *$::' \
-e 's: \+: :g' \
-e 's:\\:\\\\:g'
)
# Now insert clean default flags with user flags
sed -i \
-e "/^CFLAG/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
Makefile || die
}
multilib_src_compile() {
# depend is needed to use $confopts; it also doesn't matter
# that it's -j1 as the code itself serializes subdirs
emake -j1 V=1 depend
emake all
# rehash is needed to prep the certs/ dir; do this
# separately to avoid parallel build issues.
emake rehash
}
multilib_src_test() {
emake -j1 test
}
multilib_src_install() {
# We need to create $ED/usr on our own to avoid a race condition #665130
if [[ ! -d "${ED}/usr" ]]; then
# We can only create this directory once
mkdir "${ED}"/usr || die
fi
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake INSTALL_PREFIX="${D}" -j1 install
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
local -a DOCS=( CHANGES* FAQ NEWS README doc/*.txt doc/c-indentation.el )
einstalldocs
use rfc3779 && dodoc engines/ccgost/README.gost
# create the certs directory
dodir ${SSL_CNF_DIR}/certs
cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
# Namespace openssl programs to prevent conflicts with other man pages
cd "${ED}"/usr/share/man
local m d s
for m in $(find . -type f | xargs grep -L '#include') ; do
d=${m%/*} ; d=${d#./} ; m=${m##*/}
[[ ${m} == openssl.1* ]] && continue
[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
mv ${d}/{,ssl-}${m}
# fix up references to renamed man pages
sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
ln -s ssl-${m} ${d}/openssl-${m}
# locate any symlinks that point to this man page ... we assume
# that any broken links are due to the above renaming
for s in $(find -L ${d} -type l) ; do
s=${s##*/}
rm -f ${d}/${s}
ln -s ssl-${m} ${d}/ssl-${s}
ln -s ssl-${s} ${d}/openssl-${s}
done
done
[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
dodir /etc/sandbox.d #254521
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_postinst() {
ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
eend $?
}

268
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.1.1w.ebuild vendored
View File

@ -1,268 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
MY_P=${P/_/-}
DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
HOMEPAGE="https://openssl-library.org/"
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
S="${WORKDIR}/${MY_P}"
LICENSE="openssl"
SLOT="0/1.1" # .so version of libssl/libcrypto
if [[ ${PV} != *_pre* ]] ; then
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
IUSE="+asm rfc3779 sctp cpu_flags_x86_sse2 sslv3 static-libs test tls-compression tls-heartbeat vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
RDEPEND="
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
DEPEND="${RDEPEND}"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
kernel_linux? ( sys-process/procps )
)
verify-sig? ( <sec-keys/openpgp-keys-openssl-20240920 )"
PDEPEND="app-misc/ca-certificates"
# force upgrade to prevent broken login, bug #696950
RDEPEND+=" !<net-misc/openssh-8.0_p1-r3"
MULTILIB_WRAPPED_HEADERS=(
usr/include/openssl/opensslconf.h
)
PATCHES=(
# General patches which are suitable to always apply
# If they're Gentoo specific, add to USE=-vanilla logic in src_prepare!
"${FILESDIR}"/${PN}-1.1.0j-parallel_install_fix.patch # bug #671602
"${FILESDIR}"/${PN}-1.1.1i-riscv32.patch
)
pkg_setup() {
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]]; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_unpack() {
# Can delete this once test fix patch is dropped
if use verify-sig ; then
# Needed for downloaded patch (which is unsigned, which is fine)
verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
fi
default
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES}; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
# Remove test target when FEATURES=test isn't set
if ! use test ; then
sed \
-e '/^$config{dirs}/s@ "test",@@' \
-i Configure || die
fi
if use prefix && [[ ${CHOST} == *-solaris* ]] ; then
# use GNU ld full option, not to confuse it on Solaris
sed -i \
-e 's/-Wl,-M,/-Wl,--version-script=/' \
-e 's/-Wl,-h,/-Wl,--soname=/' \
Configurations/10-main.conf || die
fi
# The config script does stupid stuff to prompt the user. Kill it.
sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-cppflags -DOPENSSL_NO_BUF_FREELISTS
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Use configuration ${sslout:-(openssl knows best)}"
local config=( perl "${S}/Configure" )
[[ -z ${sslout} ]] && config=( sh "${S}/config" -v )
# "disable-deprecated" option breaks too many consumers.
# Don't set it without thorough revdeps testing.
# Make sure user flags don't get added *yet* to avoid duplicated
# flags.
local myeconfargs=(
${sslout}
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
${ec_nistp_64_gcc_128}
enable-idea
enable-mdc2
enable-rc5
$(use_ssl sslv3 ssl3)
$(use_ssl sslv3 ssl3-method)
$(use_ssl asm)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl tls-heartbeat heartbeats)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo "${config[@]}" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake all
}
multilib_src_test() {
emake -j1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} MANSUFFIX=ssl -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
}

283
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.13-r2.ebuild vendored
View File

@ -1,283 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/3" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( <sec-keys/openpgp-keys-openssl-20240920 )"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
PATCHES=(
"${FILESDIR}"/${P}-CVE-2024-2511.patch
"${FILESDIR}"/${P}-p11-segfault.patch
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308
append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
if multilib_is_native_abi; then
emake build_docs
fi
}
multilib_src_test() {
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

278
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.14.ebuild vendored
View File

@ -1,278 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/3" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( <sec-keys/openpgp-keys-openssl-20240920 )"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308
append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
if multilib_is_native_abi; then
emake build_docs
fi
}
multilib_src_test() {
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

287
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.15-r1.ebuild vendored
View File

@ -1,287 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
verify-sig? (
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
)
"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/3" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
PATCHES=(
"${FILESDIR}"/${P}-CVE-2024-9143.patch
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308
append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
if multilib_is_native_abi; then
emake build_docs
fi
}
multilib_src_test() {
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

283
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.15.ebuild vendored
View File

@ -1,283 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
verify-sig? (
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
)
"
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/3" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308
append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
if multilib_is_native_abi; then
emake build_docs
fi
}
multilib_src_test() {
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

288
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.1.7-r1.ebuild vendored
View File

@ -1,288 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
verify-sig? (
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
)
"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
!<net-misc/openssh-9.2_p1-r3
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
PATCHES=(
"${FILESDIR}"/${P}-CVE-2024-9143.patch
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308
append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
if multilib_is_native_abi; then
emake build_docs
fi
}
multilib_src_test() {
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

34
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.3-r1.ebuild vendored
View File

@ -4,8 +4,9 @@
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
TMPFILES_OPTIONAL=1
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
@ -25,7 +26,7 @@ else
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
fi
@ -36,8 +37,12 @@ SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
# Flatcar: Gentoo dropped dependency on c_rehash, a required tool for
# generating certs, and does not provide a built-in tool either.
# Continue shipping it.
COMMON_DEPEND="
!<net-misc/openssh-9.2_p1-r3
>=app-misc/c_rehash-1.7-r1
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
@ -271,15 +276,21 @@ multilib_src_install_all() {
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
# flatcar changes: do not keep the sample CA files in `/etc`
rm -rf "${ED}"${SSL_CNF_DIR}
# flatcar changes: save the default `openssl.cnf` in `/usr`
dodir /usr/share/ssl
insinto /usr/share/ssl
doins "${S}"/apps/openssl.cnf
dotmpfiles "${FILESDIR}"/openssl.conf
# flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping.
systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
}
pkg_preinst() {
@ -295,12 +306,3 @@ pkg_preinst() {
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

304
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.3.2-r1.ebuild vendored
View File

@ -1,304 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
verify-sig? (
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
)
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
!<net-misc/openssh-9.2_p1-r3
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
PATCHES=(
"${FILESDIR}"/${P}-CVE-2024-9143.patch
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_unpack() {
# Can delete this once test fix patch is dropped
if use verify-sig ; then
# Needed for downloaded patch (which is unsigned, which is fine)
verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
fi
default
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308 -- check inserts GNU ld-compatible arguments
[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(multilib_is_native_abi || echo "no-docs")
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use quic && echo "enable-quic")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
}
multilib_src_test() {
# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
#
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
#
# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
# controls running the tests.
emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}

300
sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.3.2.ebuild vendored
View File

@ -1,300 +0,0 @@
# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
if [[ ${PV} == 9999 ]] ; then
EGIT_REPO_URI="https://github.com/openssl/openssl.git"
inherit git-r3
else
SRC_URI="
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
verify-sig? (
https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
)
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
!<net-misc/openssh-9.2_p1-r3
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
"
BDEPEND="
>=dev-lang/perl-5
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
app-alternatives/bc
sys-process/procps
)
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h
)
pkg_setup() {
if use ktls ; then
if kernel_is -lt 4 18 ; then
ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
else
CONFIG_CHECK="~TLS ~TLS_DEVICE"
ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
linux-info_pkg_setup
fi
fi
[[ ${MERGE_TYPE} == binary ]] && return
# must check in pkg_setup; sysctl doesn't work with userpriv!
if use test && use sctp ; then
# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
# if sctp.auth_enable is not enabled.
local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
fi
fi
}
src_unpack() {
# Can delete this once test fix patch is dropped
if use verify-sig ; then
# Needed for downloaded patch (which is unsigned, which is fine)
verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
fi
default
}
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
# Add patches which are Gentoo-specific customisations here
)
fi
default
if use test && use sctp && has network-sandbox ${FEATURES} ; then
einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
rm test/recipes/80-test_ssl_new.t || die
fi
# Test fails depending on kernel configuration, bug #699134
rm test/recipes/30-test_afalg.t || die
}
src_configure() {
# Keep this in sync with app-misc/c_rehash
SSL_CNF_DIR="/etc/ssl"
# Quiet out unknown driver argument warnings since openssl
# doesn't have well-split CFLAGS and we're making it even worse
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
# We really, really need to build OpenSSL w/ strict aliasing disabled.
# It's filled with violations and it *will* result in miscompiled
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
# - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
# The OpenSSL developers don't test with LTO right now, it leads to various
# warnings/errors (which may or may not be false positives), it's considered
# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
filter-lto
append-flags $(test-flags-CC -Wa,--noexecstack)
# bug #895308 -- check inserts GNU ld-compatible arguments
[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
# Configure doesn't respect LIBS
export LDLIBS="${LIBS}"
# bug #197996
unset APPS
# bug #312551
unset SCRIPTS
# bug #311473
unset CROSS_COMPILE
tc-export AR CC CXX RANLIB RC
multilib-minimal_src_configure
}
multilib_src_configure() {
use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
# See if our toolchain supports __uint128_t. If so, it's 64bit
# friendly and can use the nicely optimized code paths, bug #460790.
#local ec_nistp_64_gcc_128
#
# Disable it for now though (bug #469976)
# Do NOT re-enable without substantial discussion first!
#
#echo "__uint128_t i;" > "${T}"/128.c
#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
# ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
#fi
local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
einfo "Using configuration: ${sslout:-(openssl knows best)}"
# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
local myeconfargs=(
${sslout}
$(multilib_is_native_abi || echo "no-docs")
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
enable-ec2m
enable-sm2
enable-srp
$(use elibc_musl && echo "no-async")
enable-idea
enable-mdc2
enable-rc5
$(use fips && echo "enable-fips")
$(use quic && echo "enable-quic")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
$(use_ssl sctp)
$(use test || echo "no-tests")
$(use_ssl tls-compression zlib)
$(use_ssl weak-ssl-ciphers)
--prefix="${EPREFIX}"/usr
--openssldir="${EPREFIX}"${SSL_CNF_DIR}
--libdir=$(get_libdir)
shared
threads
)
edo perl "${S}/Configure" "${myeconfargs[@]}"
}
multilib_src_compile() {
emake build_sw
}
multilib_src_test() {
# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
#
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
#
# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
# controls running the tests.
emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
}
multilib_src_install() {
# Only -j1 is supported for the install targets:
# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
emake DESTDIR="${D}" -j1 install_sw
if use fips; then
emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
emake DESTDIR="${D}" -j1 install_ssldirs
emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
# when USE=static-libs. But this is due to a failing in the openssl
# build system: the static archives are built as PIC all the time.
# Only way around this would be to manually configure+compile openssl
# twice; once with shared lib support enabled and once without.
if ! use static-libs ; then
rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
fi
}
multilib_src_install_all() {
# openssl installs perl version of c_rehash by default, but
# we provide a shell version via app-misc/c_rehash
rm "${ED}"/usr/bin/c_rehash || die
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521
dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
diropts -m0700
keepdir ${SSL_CNF_DIR}/private
}
pkg_preinst() {
if use fips; then
# Regen fipsmodule.cnf, bug 900625
ebegin "Running openssl fipsinstall"
"${ED}/usr/bin/openssl" fipsinstall -quiet \
-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}