dev-libs/openssl: update to 3.0.8

Sync with Gentoo, update dev-libs/openssl to 3.0.8, mainly to address
CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215,
CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401.

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest

@@ -1,2 +1,2 @@
-DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424
-DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1
+DIST openssl-3.0.8.tar.gz 15151328 BLAKE2B e163cc9b8b458f72405a2f1bde3811c8d0eb22e8b08ff5608ec64799975f1546dcdce31466b8a1d5ed29bc90d19aa6017d711987c81b71f4b20e279828cf753a SHA512 8ce10be000d7d4092c8efc5b96b1d2f7da04c1c3a624d3a7923899c6b1de06f369016be957e36e8ab6d4c9102eaeec5d1973295d547f7893a7f11f132ae42b0d
+DIST openssl-3.0.8.tar.gz.asc 833 BLAKE2B 1949801150e254e9be648f33014a4a16f803b42ca5a302c3942d377013e983e0ea0cca8aed594e3f9ecde26c6e31d222581e991af5fae6cd451d7ee83541f4bb SHA512 e1c04f1179aded228b39005fd9e9f6f75aedafb938b77ac58c97a00973eb412d93b92ad1c447332a5d96850b62b01093502928e6c190bdd0234a94c4e815d2a6

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/gentoo.config-1.0.4

@@ -95,18 +95,22 @@ linux)
 	#	hppa64*)      machine=parisc64;;
 		hppa*)        machine="generic32 -DB_ENDIAN";;
 		i[0-9]86*|\
-		x86_64*:x86)  machine=elf;;
+		x86_64*:x86)  machine=x86;;
 		ia64*)        machine=ia64;;
-		loongarch64*) machine="generic64 -DL_ENDIAN";;
-		m68*)         machine="generic32 -DB_ENDIAN";;
-		mips*el*)     machine="generic32 -DL_ENDIAN";;
-		mips*)        machine="generic32 -DB_ENDIAN";;
+		loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;;
+		m68*)         machine="latomic -DB_ENDIAN";;
+		mips*el*:o32) machine="mips32 -DL_ENDIAN";;
+		mips*:o32)    machine="mips32 -DB_ENDIAN";;
+		mips*el*:n32) machine="mips64 -DL_ENDIAN";;
+		mips*:n32)    machine="mips64 -DB_ENDIAN";;
+		mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;;
+		mips*:n64)    machine="mips64 -DB_ENDIAN" system=linux64;;
 		powerpc64*le*)machine=ppc64le;;
 		powerpc64*)   machine=ppc64;;
 		powerpc*le*)  machine="generic32 -DL_ENDIAN";;
 		powerpc*)     machine=ppc;;
 		riscv32*)     machine="generic32 -DL_ENDIAN";;
-		riscv64*)     machine="generic64 -DL_ENDIAN";;
+		riscv64*)     machine="riscv64 -DL_ENDIAN" system=linux64;;
 	#	sh64*)        machine=elf;;
 		sh*b*)        machine="generic32 -DB_ENDIAN";;
 		sh*)          machine="generic32 -DL_ENDIAN";;

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf

@@ -1,3 +0,0 @@
-d      /etc/ssl                -       -       -       -       -
-d      /etc/ssl/private        0700    -       -       -       -
-L      /etc/ssl/openssl.cnf    -       -       -       -       ../../usr/share/ssl/openssl.cnf

sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.8.ebuild

@@ -1,11 +1,10 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
-EAPI=7
+EAPI=8
 
 VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-TMPFILES_OPTIONAL=1
-inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig systemd tmpfiles
+inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
 
 DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
 HOMEPAGE="https://www.openssl.org/"
@@ -19,7 +18,8 @@ if [[ ${PV} == 9999 ]] ; then
 else
 	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
 		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
-	KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+	#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 fi
 
 S="${WORKDIR}"/${MY_P}
@@ -30,7 +30,6 @@ IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compre
 RESTRICT="!test? ( test )"
 
 COMMON_DEPEND="
-	>=app-misc/c_rehash-1.7-r1
 	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
 "
 BDEPEND="
@@ -41,7 +40,7 @@ BDEPEND="
 		sys-devel/bc
 		sys-process/procps
 	)
-	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )"
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
 
 DEPEND="${COMMON_DEPEND}"
 RDEPEND="${COMMON_DEPEND}"
@@ -51,9 +50,6 @@ MULTILIB_WRAPPED_HEADERS=(
 	/usr/include/openssl/configuration.h
 )
 
-PATCHES=(
-)
-
 pkg_setup() {
 	if use ktls ; then
 		if kernel_is -lt 4 18 ; then
@@ -62,6 +58,7 @@ pkg_setup() {
 			CONFIG_CHECK="~TLS ~TLS_DEVICE"
 			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
 			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
 
 			linux-info_pkg_setup
 		fi
@@ -92,7 +89,7 @@ src_unpack() {
 
 src_prepare() {
 	# Allow openssl to be cross-compiled
-	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die
+	cp "${FILESDIR}"/gentoo.config-1.0.4 gentoo.config || die
 	chmod a+rx gentoo.config || die
 
 	# Keep this in sync with app-misc/c_rehash
@@ -115,19 +112,6 @@ src_prepare() {
 		rm test/recipes/80-test_ssl_new.t || die
 	fi
 
-	# - Make sure the man pages are suffixed (bug #302165)
-	# - Don't bother building man pages if they're disabled
-	# - Make DOCDIR Gentoo compliant
-	sed -i \
-		-e '/^MANSUFFIX/s:=.*:=ssl:' \
-		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
-		-e $(has noman FEATURES \
-			&& echo '/^install:/s:install_docs::' \
-			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
-		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
-		Configurations/unix-Makefile.tmpl \
-		|| die
-
 	# Quiet out unknown driver argument warnings since openssl
 	# doesn't have well-split CFLAGS and we're making it even worse
 	# and 'make depend' uses -Werror for added fun (bug #417795 again)
@@ -146,21 +130,9 @@ src_prepare() {
 
 	append-flags $(test-flags-CC -Wa,--noexecstack)
 
-	# Prefixify Configure shebang (bug #141906)
-	sed \
-		-e "1s,/usr/bin/env,${BROOT}&," \
-		-i Configure || die
-
-	# Remove test target when FEATURES=test isn't set
-	if ! use test ; then
-		sed \
-			-e '/^$config{dirs}/s@ "test",@@' \
-			-i Configure || die
-	fi
-
-	# The config script does stupid stuff to prompt the user. Kill it.
-	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die
-	./config --test-sanity || die "I AM NOT SANE"
+	local sslout=$(./gentoo.config)
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+	edo perl Configure ${sslout} --test-sanity
 
 	multilib_copy_sources
 }
@@ -193,8 +165,6 @@ multilib_src_configure() {
 
 	local sslout=$(./gentoo.config)
 	einfo "Using configuration: ${sslout:-(openssl knows best)}"
-	local config="Configure"
-	[[ -z ${sslout} ]] && config="config"
 
 	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
 	local myeconfargs=(
@@ -227,36 +197,15 @@ multilib_src_configure() {
 		threads
 	)
 
-	CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}"
-
-	# Clean out hardcoded flags that openssl uses
-	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \
-		-e 's:^CFLAGS=::' \
-		-e 's:\(^\| \)-fomit-frame-pointer::g' \
-		-e 's:\(^\| \)-O[^ ]*::g' \
-		-e 's:\(^\| \)-march=[^ ]*::g' \
-		-e 's:\(^\| \)-mcpu=[^ ]*::g' \
-		-e 's:\(^\| \)-m[^ ]*::g' \
-		-e 's:^ *::' \
-		-e 's: *$::' \
-		-e 's: \+: :g' \
-		-e 's:\\:\\\\:g'
-	)
-
-	# Now insert clean default flags with user flags
-	sed -i \
-		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \
-		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \
-		Makefile \
-		|| die
+	edo perl Configure "${myeconfargs[@]}"
 }
 
 multilib_src_compile() {
-	# depend is needed to use $confopts; it also doesn't matter
-	# that it's -j1 as the code itself serializes subdirs
-	emake -j1 depend
+	emake build_sw
 
-	emake all
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
 }
 
 multilib_src_test() {
@@ -266,10 +215,15 @@ multilib_src_test() {
 }
 
 multilib_src_install() {
-	# We need to create ${ED}/usr on our own to avoid a race condition (bug #665130)
-	dodir /usr
+	emake DESTDIR="${D}" install_sw
+	if use fips; then
+		emake DESTDIR="${D}" install_fips
+	fi
 
-	emake DESTDIR="${D}" install
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+	fi
 
 	# This is crappy in that the static archives are still built even
 	# when USE=static-libs. But this is due to a failing in the openssl
@@ -288,51 +242,19 @@ multilib_src_install_all() {
 
 	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
 
-	# Namespace openssl programs to prevent conflicts with other man pages
-	cd "${ED}"/usr/share/man || die
-	local m d s
-	for m in $(find . -type f | xargs grep -L '#include') ; do
-		d=${m%/*}
-		d=${d#./}
-		m=${m##*/}
-
-		[[ ${m} == openssl.1* ]] && continue
-
-		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
-
-		mv ${d}/{,ssl-}${m} || die
-
-		# Fix up references to renamed man pages
-		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die
-		ln -s ssl-${m} ${d}/openssl-${m} || die
-
-		# Locate any symlinks that point to this man page
-		# We assume that any broken links are due to the above renaming
-		for s in $(find -L ${d} -type l) ; do
-			s=${s##*/}
-
-			rm -f ${d}/${s}
-
-			# We don't want to "|| die" here
-			ln -s ssl-${m} ${d}/ssl-${s}
-			ln -s ssl-${s} ${d}/openssl-${s}
-		done
-	done
-	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
 
 	# bug #254521
 	dodir /etc/sandbox.d
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	# flatcar changes: do not keep the sample CA files in `/etc`
-	rm -rf "${ED}"${SSL_CNF_DIR}
-
-	# flatcar changes: save the default `openssl.cnf` in `/usr`
-	dodir /usr/share/ssl
-	insinto /usr/share/ssl
-	doins "${S}"/apps/openssl.cnf
-	dotmpfiles "${FILESDIR}"/openssl.conf
-
-	# flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping.
-	systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
 }