diff --git a/changelog/security/2024-12-02-openssl.md b/changelog/security/2024-12-02-openssl.md new file mode 100644 index 0000000000..18a619330b --- /dev/null +++ b/changelog/security/2024-12-02-openssl.md @@ -0,0 +1 @@ +- OpenSSL ([CVE-2024-2511](https://nvd.nist.gov/vuln/detail/CVE-2024-2511), [CVE-2024-4603](https://nvd.nist.gov/vuln/detail/CVE-2024-4603), [CVE-2024-4741](https://nvd.nist.gov/vuln/detail/CVE-2024-4741), [CVE-2024-5535](https://nvd.nist.gov/vuln/detail/CVE-2024-5535), [CVE-2024-6119](https://nvd.nist.gov/vuln/detail/CVE-2024-6119), [CVE-2024-9143](https://nvd.nist.gov/vuln/detail/CVE-2024-9143)) diff --git a/changelog/updates/2024-12-02-openssl.md b/changelog/updates/2024-12-02-openssl.md new file mode 100644 index 0000000000..8cc97ef403 --- /dev/null +++ b/changelog/updates/2024-12-02-openssl.md @@ -0,0 +1 @@ +- OpenSSL ([3.0.15](https://github.com/openssl/openssl/blob/openssl-3.0/CHANGES.md#openssl-30)) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest index 6c2b9eb6c9..564a77ea51 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest @@ -1,2 +1,2 @@ -DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424 -DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1 +DIST openssl-3.0.15.tar.gz 15318633 BLAKE2B f2900d0894b97e86c709079ca4336d5dc508d69e91d3a4de4420c8d9344cb54dada6ea2cdd408166e53db0c652b06654e670701166b67a0a40578676e1cea535 SHA512 acd80f2f7924d90c1416946a5c61eff461926ad60f4821bb6b08845ea18f8452fd5e88a2c2c5bd0d7590a792cb8341a3f3be042fd0a5b6c9c1b84a497c347bbf +DIST openssl-3.0.15.tar.gz.asc 833 BLAKE2B 43088d6ae9e95aec8cfa08c0d338d76c2299ee89a1719a39c497b25c83a4c0c2d155fa00a62b47e15a7f2889680197741390c850d62a84ec5ce27ed1bbddcd28 SHA512 8b9471074130fd26b511820a1c2586792fd0105421515734c213ae18de27b5b026261e64d4cb8f5e7b568d1f4193484ebe0e99eda9d99df72474310a568ca3bf diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4 similarity index 82% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4 index caa569588f..d32ce877a3 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.2 +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4 @@ -1,5 +1,5 @@ #!/usr/bin/env bash -# Copyright 1999-2020 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 # # Openssl doesn't play along nicely with cross-compiling @@ -32,6 +32,7 @@ if [[ $1 == "test" ]] ; then "i686-apple-darwinX |darwin-i386-cc" \ "i386-apple-darwinX |darwin-i386-cc" \ "powerpc-apple-darwinX |darwin-ppc-cc" \ + "arm64-apple-darwinX |darwin-arm64-cc" \ "i586-pc-winnt |winnt-parity" \ "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ "s390x-linux-gnu |linux64-s390x" \ @@ -77,7 +78,9 @@ fi # Detect target arch machine="" +submachine="" chost_machine=${CHOST%%-*} +[[ ${CC} == *clang* ]] && submachine="-clang" case ${system} in linux) case ${chost_machine}:${ABI} in @@ -86,6 +89,10 @@ linux) alphaev56*|\ alphaev[678]*)machine=alpha+bwx-${compiler};; alpha*) machine=alpha-${compiler};; + arc64*b*) machine="generic64 -DB_ENDIAN";; + arc64*) machine="generic64 -DL_ENDIAN";; + arc*b*) machine="generic32 -DB_ENDIAN";; + arc*) machine="generic32 -DL_ENDIAN";; armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; armv[4-9]*) machine="armv4 -DL_ENDIAN";; arm*b*) machine="generic32 -DB_ENDIAN";; @@ -95,18 +102,24 @@ linux) # hppa64*) machine=parisc64;; hppa*) machine="generic32 -DB_ENDIAN";; i[0-9]86*|\ - x86_64*:x86) machine=elf;; + x86_64*:x86) machine=x86${submachine};; ia64*) machine=ia64;; - loongarch64*) machine="generic64 -DL_ENDIAN";; - m68*) machine="generic32 -DB_ENDIAN";; - mips*el*) machine="generic32 -DL_ENDIAN";; - mips*) machine="generic32 -DB_ENDIAN";; + loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;; + m68*) machine="latomic -DB_ENDIAN";; + mips*el*:o32) machine="mips32 -DL_ENDIAN";; + mips*:o32) machine="mips32 -DB_ENDIAN";; + mips*el*:n32) machine="mips64 -DL_ENDIAN";; + mips*:n32) machine="mips64 -DB_ENDIAN";; + mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;; + mips*:n64) machine="mips64 -DB_ENDIAN" system=linux64;; powerpc64*le*)machine=ppc64le;; powerpc64*) machine=ppc64;; powerpc*le*) machine="generic32 -DL_ENDIAN";; powerpc*) machine=ppc;; + riscv32be*) machine="generic32 -DB_ENDIAN";; riscv32*) machine="generic32 -DL_ENDIAN";; - riscv64*) machine="generic64 -DL_ENDIAN";; + riscv64be*) machine="riscv64 -DB_ENDIAN" system=linux64;; + riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;; # sh64*) machine=elf;; sh*b*) machine="generic32 -DB_ENDIAN";; sh*) machine="generic32 -DL_ENDIAN";; @@ -121,7 +134,7 @@ linux) s390x*) machine=s390x system=linux64;; s390*) machine="generic32 -DB_ENDIAN";; x86_64*:x32) machine=x32;; - x86_64*) machine=x86_64;; + x86_64*) machine=x86_64${submachine};; esac ;; BSD) @@ -143,6 +156,7 @@ darwin) powerpc) machine=ppc-cc;; i?86*) machine=i386-cc;; x86_64) machine=x86_64-cc; system=${system}64;; + arm64) machine=arm64-cc; system=${system}64;; esac ;; hpux) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch new file mode 100644 index 0000000000..252a24776a --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch @@ -0,0 +1,193 @@ +https://bugs.gentoo.org/941643 +https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712 + +From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 19 Sep 2024 01:02:40 +1000 +Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse. + +The BN_GF2m_poly2arr() function converts characteristic-2 field +(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask, +to a compact array with just the exponents of the non-zero terms. + +These polynomials are then used in BN_GF2m_mod_arr() to perform modular +reduction. A precondition of calling BN_GF2m_mod_arr() is that the +polynomial must have a non-zero constant term (i.e. the array has `0` as +its final element). + +Internally, callers of BN_GF2m_poly2arr() did not verify that +precondition, and binary EC curve parameters with an invalid polynomial +could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr(). + +The precondition is always true for polynomials that arise from the +standard form of EC parameters for characteristic-two fields (X9.62). +See the "Finite Field Identification" section of: + + https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html + +The OpenSSL GF(2^m) code supports only the trinomial and pentanomial +basis X9.62 forms. + +This commit updates BN_GF2m_poly2arr() to return `0` (failure) when +the constant term is zero (i.e. the input bitmask BIGNUM is not odd). + +Additionally, the return value is made unambiguous when there is not +enough space to also pad the array with a final `-1` sentinel value. +The return value is now always the number of elements (including the +final `-1`) that would be filled when the output array is sufficiently +large. Previously the same count was returned both when the array has +just enough room for the final `-1` and when it had only enough space +for non-sentinel values. + +Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose +degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against +CPU exhausition attacks via excessively large inputs. + +The above issues do not arise in processing X.509 certificates. These +generally have EC keys from "named curves", and RFC5840 (Section 2.1.1) +disallows explicit EC parameters. The TLS code in OpenSSL enforces this +constraint only after the certificate is decoded, but, even if explicit +parameters are specified, they are in X9.62 form, which cannot represent +problem values as noted above. + +Initially reported as oss-fuzz issue 71623. + +A closely related issue was earlier reported in +. + +Severity: Low, CVE-2024-9143 + +Reviewed-by: Matt Caswell +Reviewed-by: Bernd Edlinger +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25639) + +(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2) +--- a/crypto/bn/bn_gf2m.c ++++ b/crypto/bn/bn_gf2m.c +@@ -15,6 +15,7 @@ + #include "bn_local.h" + + #ifndef OPENSSL_NO_EC2M ++# include + + /* + * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should +@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + /* + * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * + * x^i) into an array of integers corresponding to the bits with non-zero +- * coefficient. Array is terminated with -1. Up to max elements of the array +- * will be filled. Return value is total number of array elements that would +- * be filled if array was large enough. ++ * coefficient. The array is intended to be suitable for use with ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be ++ * zero. This translates to a requirement that the input BIGNUM `a` is odd. ++ * ++ * Given sufficient room, the array is terminated with -1. Up to max elements ++ * of the array will be filled. ++ * ++ * The return value is total number of array elements that would be filled if ++ * array was large enough, including the terminating `-1`. It is `0` when `a` ++ * is not odd or the constant term is zero contrary to requirement. ++ * ++ * The return value is also `0` when the leading exponent exceeds ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, + */ + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + { + int i, j, k = 0; + BN_ULONG mask; + +- if (BN_is_zero(a)) ++ if (!BN_is_odd(a)) + return 0; + + for (i = a->top - 1; i >= 0; i--) { +@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + } + } + +- if (k < max) { ++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) ++ return 0; ++ ++ if (k < max) + p[k] = -1; +- k++; +- } + +- return k; ++ return k + 1; + } + + /* +--- a/test/ec_internal_test.c ++++ b/test/ec_internal_test.c +@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void) + } + + #ifndef OPENSSL_NO_EC2M ++/* Test that decoding of invalid GF2m field parameters fails. */ ++static int ec2m_field_sanity(void) ++{ ++ int ret = 0; ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *p, *a, *b; ++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; ++ ++ TEST_info("Testing GF2m hardening\n"); ++ ++ BN_CTX_start(ctx); ++ p = BN_CTX_get(ctx); ++ a = BN_CTX_get(ctx); ++ if (!TEST_ptr(b = BN_CTX_get(ctx)) ++ || !TEST_true(BN_one(a)) ++ || !TEST_true(BN_one(b))) ++ goto out; ++ ++ /* Even pentanomial value should be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf2))) ++ goto out; ++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Zero constant term accepted in GF2m polynomial"); ++ ++ /* Odd hexanomial should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf3))) ++ goto out; ++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Hexanomial accepted as GF2m polynomial"); ++ ++ /* Excessive polynomial degree should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0x71)) ++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) ++ goto out; ++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("GF2m polynomial degree > %d accepted", ++ OPENSSL_ECC_MAX_FIELD_BITS); ++ ++ ret = group1 == NULL && group2 == NULL && group3 == NULL; ++ ++ out: ++ EC_GROUP_free(group1); ++ EC_GROUP_free(group2); ++ EC_GROUP_free(group3); ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ ++ return ret; ++} ++ + /* test EC_GF2m_simple_method directly */ + static int field_tests_ec2_simple(void) + { +@@ -443,6 +493,7 @@ int setup_tests(void) + ADD_TEST(field_tests_ecp_simple); + ADD_TEST(field_tests_ecp_mont); + #ifndef OPENSSL_NO_EC2M ++ ADD_TEST(ec2m_field_sanity); + ADD_TEST(field_tests_ec2_simple); + #endif + ADD_ALL_TESTS(field_tests_default, crv_len); + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml index bb40ddbf82..a00bd02d7b 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml @@ -6,10 +6,10 @@ Gentoo Base System - Support assembly hand optimized crypto functions (i.e. faster run time) Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI Enable FIPS provider Enable support for Kernel implementation of TLS (kTLS) + Enable support for QUIC (RFC 9000); a UDP-based protocol intended to replace TCP Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers) Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.15-r1.ebuild similarity index 62% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.15-r1.ebuild index f65e2d52f4..4d944bdd35 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.15-r1.ebuild @@ -1,14 +1,15 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=7 -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc TMPFILES_OPTIONAL=1 -inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig systemd tmpfiles +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" MY_P=${P/_/-} @@ -17,9 +18,13 @@ if [[ ${PV} == 9999 ]] ; then inherit git-r3 else - SRC_URI="mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" - KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi S="${WORKDIR}"/${MY_P} @@ -38,10 +43,11 @@ BDEPEND=" sctp? ( >=net-misc/lksctp-tools-1.0.12 ) test? ( sys-apps/diffutils - sys-devel/bc + app-alternatives/bc sys-process/procps ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )" + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 ) +" DEPEND="${COMMON_DEPEND}" RDEPEND="${COMMON_DEPEND}" @@ -52,6 +58,7 @@ MULTILIB_WRAPPED_HEADERS=( ) PATCHES=( + "${FILESDIR}"/${P}-CVE-2024-9143.patch ) pkg_setup() { @@ -62,6 +69,7 @@ pkg_setup() { CONFIG_CHECK="~TLS ~TLS_DEVICE" ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" linux-info_pkg_setup fi @@ -80,27 +88,10 @@ pkg_setup() { fi } -src_unpack() { - # Can delete this once test fix patch is dropped - if use verify-sig ; then - # Needed for downloaded patch (which is unsigned, which is fine) - verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc} - fi - - default -} - src_prepare() { - # Allow openssl to be cross-compiled - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die - chmod a+rx gentoo.config || die - - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - # Make sure we only ever touch Makefile.org and avoid patching a file # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile + rm -f Makefile || die if ! use vanilla ; then PATCHES+=( @@ -115,18 +106,13 @@ src_prepare() { rm test/recipes/80-test_ssl_new.t || die fi - # - Make sure the man pages are suffixed (bug #302165) - # - Don't bother building man pages if they're disabled - # - Make DOCDIR Gentoo compliant - sed -i \ - -e '/^MANSUFFIX/s:=.*:=ssl:' \ - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ - -e $(has noman FEATURES \ - && echo '/^install:/s:install_docs::' \ - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \ - Configurations/unix-Makefile.tmpl \ - || die + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" # Quiet out unknown driver argument warnings since openssl # doesn't have well-split CFLAGS and we're making it even worse @@ -138,34 +124,24 @@ src_prepare() { # code. This has been in the ebuild for > 10 years but even in 2022, # it's still relevant: # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 # - https://github.com/openssl/openssl/issues/18225 # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 # Don't remove the no strict aliasing bits below! filter-flags -fstrict-aliasing append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto append-flags $(test-flags-CC -Wa,--noexecstack) - # Prefixify Configure shebang (bug #141906) - sed \ - -e "1s,/usr/bin/env,${BROOT}&," \ - -i Configure || die + # bug #895308 + append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" - # Remove test target when FEATURES=test isn't set - if ! use test ; then - sed \ - -e '/^$config{dirs}/s@ "test",@@' \ - -i Configure || die - fi - - # The config script does stupid stuff to prompt the user. Kill it. - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die - ./config --test-sanity || die "I AM NOT SANE" - - multilib_copy_sources -} - -multilib_src_configure() { # bug #197996 unset APPS # bug #312551 @@ -175,6 +151,10 @@ multilib_src_configure() { tc-export AR CC CXX RANLIB RC + multilib-minimal_src_configure +} + +multilib_src_configure() { use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") @@ -191,10 +171,8 @@ multilib_src_configure() { # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" #fi - local sslout=$(./gentoo.config) + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") einfo "Using configuration: ${sslout:-(openssl knows best)}" - local config="Configure" - [[ -z ${sslout} ]] && config="config" # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features local myeconfargs=( @@ -227,49 +205,37 @@ multilib_src_configure() { threads ) - CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}" - - # Clean out hardcoded flags that openssl uses - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ - -e 's:^CFLAGS=::' \ - -e 's:\(^\| \)-fomit-frame-pointer::g' \ - -e 's:\(^\| \)-O[^ ]*::g' \ - -e 's:\(^\| \)-march=[^ ]*::g' \ - -e 's:\(^\| \)-mcpu=[^ ]*::g' \ - -e 's:\(^\| \)-m[^ ]*::g' \ - -e 's:^ *::' \ - -e 's: *$::' \ - -e 's: \+: :g' \ - -e 's:\\:\\\\:g' - ) - - # Now insert clean default flags with user flags - sed -i \ - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ - Makefile \ - || die + edo perl "${S}/Configure" "${myeconfargs[@]}" } multilib_src_compile() { - # depend is needed to use $confopts; it also doesn't matter - # that it's -j1 as the code itself serializes subdirs - emake -j1 depend + emake build_sw - emake all + if multilib_is_native_abi; then + emake build_docs + fi } multilib_src_test() { # VFP = show subtests verbosely and show failed tests verbosely # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test + emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test } multilib_src_install() { - # We need to create ${ED}/usr on our own to avoid a race condition (bug #665130) - dodir /usr + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi - emake DESTDIR="${D}" install + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi # This is crappy in that the static archives are still built even # when USE=static-libs. But this is due to a failing in the openssl @@ -288,38 +254,6 @@ multilib_src_install_all() { dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - # Namespace openssl programs to prevent conflicts with other man pages - cd "${ED}"/usr/share/man || die - local m d s - for m in $(find . -type f | xargs grep -L '#include') ; do - d=${m%/*} - d=${d#./} - m=${m##*/} - - [[ ${m} == openssl.1* ]] && continue - - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" - - mv ${d}/{,ssl-}${m} || die - - # Fix up references to renamed man pages - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die - ln -s ssl-${m} ${d}/openssl-${m} || die - - # Locate any symlinks that point to this man page - # We assume that any broken links are due to the above renaming - for s in $(find -L ${d} -type l) ; do - s=${s##*/} - - rm -f ${d}/${s} - - # We don't want to "|| die" here - ln -s ssl-${m} ${d}/ssl-${s} - ln -s ssl-${s} ${d}/openssl-${s} - done - done - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" - # bug #254521 dodir /etc/sandbox.d echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl @@ -336,3 +270,17 @@ multilib_src_install_all() { # flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping. systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf } + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + ebegin "Running openssl fipsinstall" + "${ED}/usr/bin/openssl" fipsinstall -quiet \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" + eend $? + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +}