From c554db081b66843f1b38d454782b90f35e9bc5b1 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Tue, 20 Feb 2024 12:03:39 +0100 Subject: [PATCH] dev-libs/openssl: Sync with Gentoo It's from Gentoo commit 83e2ccb40aa0c93f0e4c2eac36a5f6557e22e6cd. --- .../coreos-overlay/dev-libs/openssl/Manifest | 4 +- .../files/openssl-3.2.1-p11-segfault.patch | 79 +++++++++++++++++++ .../dev-libs/openssl/files/openssl.conf | 3 - ...-3.0.12.ebuild => openssl-3.2.1-r1.ebuild} | 62 +++++++++------ 4 files changed, 119 insertions(+), 29 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch delete mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf rename sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/{openssl-3.0.12.ebuild => openssl-3.2.1-r1.ebuild} (86%) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest index 4a6cd81d53..b7c83e61fc 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest @@ -1,2 +1,2 @@ -DIST openssl-3.0.12.tar.gz 15204575 BLAKE2B 1f00e33a5ed64a51cf28f0dbe7d53a9197c1edae7538dea9573394ee4dc03a885483d74b0b47a78b9067e87b4f420b9d7103f351bfec91710c168051cb7148df SHA512 63e003653dd1126c66e278969a626cdf0801b97da8b7076824d661e4a77e1572c3171cf7f006c972b95bcfa284889ee0362d8a46a851f7d8e743e2a1fe593b24 -DIST openssl-3.0.12.tar.gz.asc 833 BLAKE2B 5c7914e0449a1f2fad433544fa637263b237c2637b86960f904a7840ef6bd627728dfa45373e03a6ce7a0a4570d03e1dcd0188059bd5dbcc83d49d10be64dd39 SHA512 072d1572e6cc5240fed69c01b1f7f74958ceba33cec3b0a7f0db5929dc884381320fb737ec6b38f95ef81c855e2d382d7ecd19431a328b08efad70288ec4a964 +DIST openssl-3.2.1.tar.gz 17733249 BLAKE2B 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 SHA512 bab2b2419319f1feffaba4692f03edbf13b44d1090c6e075a2d69dad67a2d51e64e6edbf83456a26c83900a726d20d2c4ee4ead9c94b322fd0b536f3b5a863c4 +DIST openssl-3.2.1.tar.gz.asc 833 BLAKE2B a1d25fe30bf1804d13a8b6b98edf56be5bf744d9e2706f4169455c24efe2e3a361487d00d0d4bac240c3f0170693d77a39dd0d4ee5c792d2247aa00c47e74ebf SHA512 de39516c7b77612f33cdc830a8d13ef6bcd91c03d24a6ed105480f140f9e1ad7049844e234c96a516d62e0e33ce90442ffd0f309ea674884c735f04d8562f372 diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch new file mode 100644 index 0000000000..59e785caac --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch @@ -0,0 +1,79 @@ +https://bugs.gentoo.org/916328 +https://github.com/opendnssec/SoftHSMv2/issues/729 +https://github.com/openssl/openssl/issues/22508 +https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65 + +From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 15 Dec 2023 13:45:50 +0100 +Subject: [PATCH] Revert "Improved detection of engine-provided private + "classic" keys" + +This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5. + +The commit was wrong. With 3.x versions the engines must be themselves +responsible for creating their EVP_PKEYs in a way that they are treated +as legacy - either by using the respective set1 calls or by setting +non-default EVP_PKEY_METHOD. + +The workaround has caused more problems than it solved. + +Fixes #22945 + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/23063) + +(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380) +--- a/crypto/engine/eng_pkey.c ++++ b/crypto/engine/eng_pkey.c +@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, + ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY); + return NULL; + } +- /* We enforce check for legacy key */ +- switch (EVP_PKEY_get_id(pkey)) { +- case EVP_PKEY_RSA: +- { +- RSA *rsa = EVP_PKEY_get1_RSA(pkey); +- EVP_PKEY_set1_RSA(pkey, rsa); +- RSA_free(rsa); +- } +- break; +-# ifndef OPENSSL_NO_EC +- case EVP_PKEY_SM2: +- case EVP_PKEY_EC: +- { +- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey); +- EVP_PKEY_set1_EC_KEY(pkey, ec); +- EC_KEY_free(ec); +- } +- break; +-# endif +-# ifndef OPENSSL_NO_DSA +- case EVP_PKEY_DSA: +- { +- DSA *dsa = EVP_PKEY_get1_DSA(pkey); +- EVP_PKEY_set1_DSA(pkey, dsa); +- DSA_free(dsa); +- } +- break; +-#endif +-# ifndef OPENSSL_NO_DH +- case EVP_PKEY_DH: +- { +- DH *dh = EVP_PKEY_get1_DH(pkey); +- EVP_PKEY_set1_DH(pkey, dh); +- DH_free(dh); +- } +- break; +-#endif +- default: +- /*Do nothing */ +- break; +- } +- + return pkey; + } + + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf deleted file mode 100644 index d8788d2929..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf +++ /dev/null @@ -1,3 +0,0 @@ -d /etc/ssl - - - - - -d /etc/ssl/private 0700 - - - - -L /etc/ssl/openssl.cnf - - - - ../../usr/share/ssl/openssl.cnf diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.12.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.1-r1.ebuild similarity index 86% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.12.ebuild rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.1-r1.ebuild index 40be37766e..24ae65f332 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.12.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.2.1-r1.ebuild @@ -1,12 +1,11 @@ -# Copyright 1999-2023 Gentoo Authors +# Copyright 1999-2024 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -TMPFILES_OPTIONAL=1 inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" HOMEPAGE="https://www.openssl.org/" @@ -18,23 +17,25 @@ if [[ ${PV} == 9999 ]] ; then inherit git-r3 else - SRC_URI="mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + SRC_URI=" + mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi fi S="${WORKDIR}"/${MY_P} LICENSE="Apache-2.0" -SLOT="0/3" # .so version of libssl/libcrypto +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" RESTRICT="!test? ( test )" -# Flatcar: Gentoo dropped dependency on c_rehash, a required tool for -# generating certs, and does not provide a built-in tool either. -# Continue shipping it. COMMON_DEPEND=" - >=app-misc/c_rehash-1.7-r1 + !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) " BDEPEND=" @@ -42,7 +43,7 @@ BDEPEND=" sctp? ( >=net-misc/lksctp-tools-1.0.12 ) test? ( sys-apps/diffutils - sys-devel/bc + app-alternatives/bc sys-process/procps ) verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )" @@ -55,6 +56,10 @@ MULTILIB_WRAPPED_HEADERS=( /usr/include/openssl/configuration.h ) +PATCHES=( + "${FILESDIR}"/${P}-p11-segfault.patch +) + pkg_setup() { if use ktls ; then if kernel_is -lt 4 18 ; then @@ -221,9 +226,15 @@ multilib_src_compile() { } multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # # VFP = show subtests verbosely and show failed tests verbosely # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. + emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test } multilib_src_install() { @@ -258,21 +269,15 @@ multilib_src_install_all() { dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + # bug #254521 dodir /etc/sandbox.d echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - # flatcar changes: do not keep the sample CA files in `/etc` - rm -rf "${ED}"${SSL_CNF_DIR} - - # flatcar changes: save the default `openssl.cnf` in `/usr` - dodir /usr/share/ssl - insinto /usr/share/ssl - doins "${S}"/apps/openssl.cnf - dotmpfiles "${FILESDIR}"/openssl.conf - - # flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping. - systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private } pkg_preinst() { @@ -288,3 +293,12 @@ pkg_preinst() { preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) } + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +}