From 4dd0250d445e40f88d28b416bab085f7e0438cdb Mon Sep 17 00:00:00 2001 From: Flatcar Buildbot Date: Mon, 10 Feb 2025 07:06:20 +0000 Subject: [PATCH] dev-libs/openssl: Sync with Gentoo It's from Gentoo commit 3106fbdebf1b487267a86cc6e8660b8c7c5b98ec. --- .../portage-stable/dev-libs/openssl/Manifest | 4 - .../files/openssl-3.0.13-CVE-2024-2511.patch | 141 --------- .../files/openssl-3.0.13-p11-segfault.patch | 79 ----- .../files/openssl-3.3.2-arm64-clobber.patch | 55 ++++ .../dev-libs/openssl/openssl-3.0.13-r2.ebuild | 283 ------------------ .../dev-libs/openssl/openssl-3.0.14.ebuild | 278 ----------------- .../dev-libs/openssl/openssl-3.0.15-r1.ebuild | 4 +- .../dev-libs/openssl/openssl-3.0.15.ebuild | 283 ------------------ .../dev-libs/openssl/openssl-3.1.7-r1.ebuild | 5 +- .../dev-libs/openssl/openssl-3.2.3-r1.ebuild | 4 +- .../dev-libs/openssl/openssl-3.3.2-r1.ebuild | 4 +- .../dev-libs/openssl/openssl-3.3.2-r2.ebuild | 4 +- ...l-3.3.2.ebuild => openssl-3.3.2-r3.ebuild} | 10 +- 13 files changed, 74 insertions(+), 1080 deletions(-) delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch create mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.13-r2.ebuild delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.14.ebuild delete mode 100644 sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15.ebuild rename sdk_container/src/third_party/portage-stable/dev-libs/openssl/{openssl-3.3.2.ebuild => openssl-3.3.2-r3.ebuild} (96%) diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest index 37d84c0403..78fce2b320 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest @@ -3,10 +3,6 @@ DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 DIST openssl-1.1.1w.tar.gz 9893384 BLAKE2B 2fdba6ca0188928ab2f74e606136afca66cfa0467170fa6298ef160b64ac6fdcad1e81e5dd14013ce0e9921d0f7417edec531cd0beaf1196fec704c2c6d48395 SHA512 b4c625fe56a4e690b57b6a011a225ad0cb3af54bd8fb67af77b5eceac55cc7191291d96a660c5b568a08a2fbf62b4612818e7cca1bb95b2b6b4fc649b0552b6d DIST openssl-1.1.1w.tar.gz.asc 833 BLAKE2B d990be69ed913509d52b78e7473668429d4485adb29ef03e4612dd0cadbac4f04c7289d8e5baf6f397bcedeaac9f802f18fc719964d882ae0514ed1ca16ae277 SHA512 0f3d7aa48b1cabf8dd43e8108aeed10a4dffb4f5a244d4da9c86ea358b0c8b90c46da561d21e01c567c2f5035d824ed82ec104aad1776b7f33a1be85990e98ef -DIST openssl-3.0.13.tar.gz 15294843 BLAKE2B 869aa5f70a8c1d0cac6027e9261530df70ab5a8b448c785f5f8ff3f206e742c5364424132d0e109a6449af9b4082c4c179c7103dccb16a4539f776ca834c8ccc SHA512 22f4096781f0b075f5bf81bd39a0f97e111760dfa73b6f858f6bb54968a7847944d74969ae10f9a51cc21a2f4af20d9a4c463649dc824f5e439e196d6764c4f9 -DIST openssl-3.0.13.tar.gz.asc 833 BLAKE2B 519515b6faa505d68ff9acc30db9515fac494145086fa5ad9561c39385a6fabb39ad9de10fedd49c8fc716ec59ea1b13ec5e6b466e549ea9f29b8d0bb74ba7b3 SHA512 c52d97c93d16f3ca2a7026fb25890482b6d86c37b5ab686c56b0e08522743ec4ea3f84afa4deb64b0df0d9a16b557430c4d4139ab42ffcf97d769b61d1e6197c -DIST openssl-3.0.14.tar.gz 15305497 BLAKE2B 7426aea63d5495775c4a0440658cc9c46c4aa31c31473cd5519c2b1ca158e122634e0bbc275237d3eb124fc8bed3d58808d8ac1d228f24f7281d2630ff7813e0 SHA512 1c59c01e60da902a20780d71f1fa5055d4037f38c4bc3fb27ed5b91f211b36a6018055409441ad4df58b5e9232b2528240d02067272c3c9ccb8c221449ca9ac0 -DIST openssl-3.0.14.tar.gz.asc 833 BLAKE2B 8a700452f6f698fbfa206469888fd72706f1798be212e712fd8a4c1ae87f0d98d54820974c64a3db3b5ac69d7beda665f462e83182337391212c0e72e1feb72e SHA512 003d17a2b71176517f5bfba6699c18b271111e5fec3effc275b965286140d1281fa6f5f5e6bcf63feca89dfa035ab776bda8d2af4b71ae921ca9e7a936581fb4 DIST openssl-3.0.15.tar.gz 15318633 BLAKE2B f2900d0894b97e86c709079ca4336d5dc508d69e91d3a4de4420c8d9344cb54dada6ea2cdd408166e53db0c652b06654e670701166b67a0a40578676e1cea535 SHA512 acd80f2f7924d90c1416946a5c61eff461926ad60f4821bb6b08845ea18f8452fd5e88a2c2c5bd0d7590a792cb8341a3f3be042fd0a5b6c9c1b84a497c347bbf DIST openssl-3.0.15.tar.gz.asc 833 BLAKE2B 43088d6ae9e95aec8cfa08c0d338d76c2299ee89a1719a39c497b25c83a4c0c2d155fa00a62b47e15a7f2889680197741390c850d62a84ec5ce27ed1bbddcd28 SHA512 8b9471074130fd26b511820a1c2586792fd0105421515734c213ae18de27b5b026261e64d4cb8f5e7b568d1f4193484ebe0e99eda9d99df72474310a568ca3bf DIST openssl-3.1.7.tar.gz 15684836 BLAKE2B 1332f4b2454b6c9bf3ff2099aa343d6202bec98c6e44fba6377d5bb8efd9bf337df3a95549d874a2908f376056f6f333e6f65cbec7e27377d1ab8cbefddaa241 SHA512 bb4743c1a95148901d2d2bc51460c14cea3387c7dda9323524adbdb11334562f72aa3a873913c51ea1ffce606e675e22a74f78b3119b6a956da3f75c942cd0e2 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch deleted file mode 100644 index fff4fb7283..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-CVE-2024-2511.patch +++ /dev/null @@ -1,141 +0,0 @@ -https://www.openssl.org/news/secadv/20240408.txt -https://bugs.gentoo.org/930047 -https://github.com/openssl/openssl/commit/b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d -https://github.com/openssl/openssl/commit/cc9ece9118eeacccc3571c2ee852f8ba067d0607 - -From b52867a9f618bb955bed2a3ce3db4d4f97ed8e5d Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 5 Mar 2024 15:43:53 +0000 -Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 - -In TLSv1.3 we create a new session object for each ticket that we send. -We do this by duplicating the original session. If SSL_OP_NO_TICKET is in -use then the new session will be added to the session cache. However, if -early data is not in use (and therefore anti-replay protection is being -used), then multiple threads could be resuming from the same session -simultaneously. If this happens and a problem occurs on one of the threads, -then the original session object could be marked as not_resumable. When we -duplicate the session object this not_resumable status gets copied into the -new session object. The new session object is then added to the session -cache even though it is not_resumable. - -Subsequently, another bug means that the session_id_length is set to 0 for -sessions that are marked as not_resumable - even though that session is -still in the cache. Once this happens the session can never be removed from -the cache. When that object gets to be the session cache tail object the -cache never shrinks again and grows indefinitely. - -CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce) ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -3736,9 +3736,10 @@ void ssl_update_cache(SSL *s, int mode) - - /* - * If the session_id_length is 0, we are not supposed to cache it, and it -- * would be rather hard to do anyway :-) -+ * would be rather hard to do anyway :-). Also if the session has already -+ * been marked as not_resumable we should not cache it for later reuse. - */ -- if (s->session->session_id_length == 0) -+ if (s->session->session_id_length == 0 || s->session->not_resumable) - return; - - /* ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -152,16 +152,11 @@ SSL_SESSION *SSL_SESSION_new(void) - return ss; - } - --SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) --{ -- return ssl_session_dup(src, 1); --} -- - /* - * Create a new SSL_SESSION and duplicate the contents of |src| into it. If - * ticket == 0 then no ticket information is duplicated, otherwise it is. - */ --SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) - { - SSL_SESSION *dest; - -@@ -285,6 +280,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) - return NULL; - } - -+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) -+{ -+ return ssl_session_dup_intern(src, 1); -+} -+ -+/* -+ * Used internally when duplicating a session which might be already shared. -+ * We will have resumed the original session. Subsequently we might have marked -+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to -+ * resume from. -+ */ -+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) -+{ -+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); -+ -+ if (sess != NULL) -+ sess->not_resumable = 0; -+ -+ return sess; -+} -+ - const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) - { - if (len) ---- a/ssl/statem/statem_srvr.c -+++ b/ssl/statem/statem_srvr.c -@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) - * so the following won't overwrite an ID that we're supposed - * to send back. - */ -- if (s->session->not_resumable || -- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -- && !s->hit)) -+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) -+ && !s->hit) - s->session->session_id_length = 0; - - if (usetls13) { - -From cc9ece9118eeacccc3571c2ee852f8ba067d0607 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 15 Mar 2024 17:58:42 +0000 -Subject: [PATCH] Hardening around not_resumable sessions - -Make sure we can't inadvertently use a not_resumable session - -Related to CVE-2024-2511 - -Reviewed-by: Neil Horman -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/24044) - -(cherry picked from commit c342f4b8bd2d0b375b0e22337057c2eab47d9b96) ---- a/ssl/ssl_sess.c -+++ b/ssl/ssl_sess.c -@@ -531,6 +531,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id, - ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©); - - if (ret != NULL) { -+ if (ret->not_resumable) { -+ /* If its not resumable then ignore this session */ -+ if (!copy) -+ SSL_SESSION_free(ret); -+ return NULL; -+ } - ssl_tsan_counter(s->session_ctx, - &s->session_ctx->stats.sess_cb_hit); - diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch deleted file mode 100644 index 73b131ab79..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.0.13-p11-segfault.patch +++ /dev/null @@ -1,79 +0,0 @@ -https://bugs.gentoo.org/916328 -https://github.com/opendnssec/SoftHSMv2/issues/729 -https://github.com/openssl/openssl/issues/22508 -https://github.com/openssl/openssl/commit/ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 - -From ad6cbe4b7f57a783a66a7ae883ea0d35ef5f82b6 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 15 Dec 2023 13:45:50 +0100 -Subject: [PATCH] Revert "Improved detection of engine-provided private - "classic" keys" - -This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5. - -The commit was wrong. With 3.x versions the engines must be themselves -responsible for creating their EVP_PKEYs in a way that they are treated -as legacy - either by using the respective set1 calls or by setting -non-default EVP_PKEY_METHOD. - -The workaround has caused more problems than it solved. - -Fixes #22945 - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Neil Horman -(Merged from https://github.com/openssl/openssl/pull/23063) - -(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380) ---- a/crypto/engine/eng_pkey.c -+++ b/crypto/engine/eng_pkey.c -@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, - ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); - return NULL; - } -- /* We enforce check for legacy key */ -- switch (EVP_PKEY_get_id(pkey)) { -- case EVP_PKEY_RSA: -- { -- RSA *rsa = EVP_PKEY_get1_RSA(pkey); -- EVP_PKEY_set1_RSA(pkey, rsa); -- RSA_free(rsa); -- } -- break; --# ifndef OPENSSL_NO_EC -- case EVP_PKEY_SM2: -- case EVP_PKEY_EC: -- { -- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); -- EVP_PKEY_set1_EC_KEY(pkey, ec); -- EC_KEY_free(ec); -- } -- break; --# endif --# ifndef OPENSSL_NO_DSA -- case EVP_PKEY_DSA: -- { -- DSA *dsa = EVP_PKEY_get1_DSA(pkey); -- EVP_PKEY_set1_DSA(pkey, dsa); -- DSA_free(dsa); -- } -- break; --#endif --# ifndef OPENSSL_NO_DH -- case EVP_PKEY_DH: -- { -- DH *dh = EVP_PKEY_get1_DH(pkey); -- EVP_PKEY_set1_DH(pkey, dh); -- DH_free(dh); -- } -- break; --#endif -- default: -- /*Do nothing */ -- break; -- } -- - return pkey; - } - - diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch new file mode 100644 index 0000000000..d83c5b4fb8 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch @@ -0,0 +1,55 @@ +https://gcc.gnu.org/PR118537 +https://www.postgresql.org/message-id/6fxlmnyagkycru3bewa4ympknywnsswlqzvwfft3ifqqiioxlv%40ax53pv7xdrc2 +https://github.com/openssl/openssl/pull/26469 +https://github.com/openssl/openssl/commit/4f7d8b2724ea7f42cff1e8a0e736ad448def60f5 + +From 4f7d8b2724ea7f42cff1e8a0e736ad448def60f5 Mon Sep 17 00:00:00 2001 +From: Julian Andres Klode +Date: Sat, 18 Jan 2025 21:12:45 +0100 +Subject: [PATCH] Restore correct registers in aarch64 AES-CTR code + +Commit 1d1ca79fe35dbe5c05faed5a2ef8c4de9c5adc49 introduced +save and restore for the registers, saving them as + + stp d8,d9,[sp, #16] + stp d10,d11,[sp, #32] + stp d12,d13,[sp, #48] + stp d14,d15,[sp, #64] + +But the restore code was inadvertently typoed: + + ldp d8,d9,[sp, #16] + ldp d10,d11,[sp, #32] + ldp d12,d13,[sp, #48] + ldp d15,d16,[sp, #64] + +Restoring [sp, #64] into d15,d16 instead of d14,d15. + +Fixes: #26466 + +CLA: trivial + +Reviewed-by: Kurt Roeckx +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/26469) + +(cherry picked from commit 5261f3ca41cda7ad5767e399e9a2dc008bbad5d6) +--- + crypto/aes/asm/aesv8-armx.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl +index 33a2dd53dae19..dc019b04ccd25 100755 +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -2493,7 +2493,7 @@ () + ldp d8,d9,[sp, #16] + ldp d10,d11,[sp, #32] + ldp d12,d13,[sp, #48] +- ldp d15,d16,[sp, #64] ++ ldp d14,d15,[sp, #64] + ldr x29,[sp],#80 + ret + .size ${prefix}_ctr32_encrypt_blocks_unroll12_eor3,.-${prefix}_ctr32_encrypt_blocks_unroll12_eor3 + diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.13-r2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.13-r2.ebuild deleted file mode 100644 index a7de730758..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.13-r2.ebuild +++ /dev/null @@ -1,283 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI="mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" - KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/3" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? ( =4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile || die - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 - append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! - # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.14.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.14.ebuild deleted file mode 100644 index 24e53cd2ac..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.14.ebuild +++ /dev/null @@ -1,278 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI="mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/3" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? ( =4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile || die - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 - append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! - # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15-r1.ebuild index 210e8a87c0..2d404c45bc 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -23,7 +23,7 @@ else https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc ) " - KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15.ebuild deleted file mode 100644 index cc6072743d..0000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.15.ebuild +++ /dev/null @@ -1,283 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI=" - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz - verify-sig? ( - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc - ) - " - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/3" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 ) -" - -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile || die - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 - append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! - # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.7-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.7-r1.ebuild index 5ca73111c8..aeaa611d6f 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.7-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.1.7-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -23,7 +23,8 @@ else https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc ) " - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + + KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.3-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.3-r1.ebuild index 9e0ddd9740..15ae0fec71 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.3-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.2.3-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -25,7 +25,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi fi diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r1.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r1.ebuild index f33725cf31..7ea54de6cf 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r1.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -25,7 +25,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi fi diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r2.ebuild index 0299c1afea..cdfcb02124 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r2.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r2.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -25,7 +25,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi fi diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r3.ebuild similarity index 96% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r3.ebuild index 7165d21845..74109bfb1f 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.2-r3.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2024 Gentoo Authors +# Copyright 1999-2025 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -25,7 +25,7 @@ else " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi fi @@ -58,6 +58,12 @@ MULTILIB_WRAPPED_HEADERS=( /usr/include/openssl/configuration.h ) +PATCHES=( + "${FILESDIR}"/${P}-CVE-2024-9143.patch + "${FILESDIR}"/${PN}-3.3.2-silence-warning.patch + "${FILESDIR}"/${P}-arm64-clobber.patch +) + pkg_setup() { if use ktls ; then if kernel_is -lt 4 18 ; then