dev-libs/openssl: Sync with Gentoo

It's from Gentoo commit 83e2ccb40aa0c93f0e4c2eac36a5f6557e22e6cd.
Krzesimir Nowak 2024-02-20 12:03:39 +01:00
parent 53f08d4be4
commit c554db081b
4 changed files with 119 additions and 29 deletions


@ -1,2 +1,2 @@
DIST openssl-3.0.12.tar.gz 15204575 BLAKE2B 1f00e33a5ed64a51cf28f0dbe7d53a9197c1edae7538dea9573394ee4dc03a885483d74b0b47a78b9067e87b4f420b9d7103f351bfec91710c168051cb7148df SHA512 63e003653dd1126c66e278969a626cdf0801b97da8b7076824d661e4a77e1572c3171cf7f006c972b95bcfa284889ee0362d8a46a851f7d8e743e2a1fe593b24 DIST openssl-3.2.1.tar.gz 17733249 BLAKE2B 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 SHA512 bab2b2419319f1feffaba4692f03edbf13b44d1090c6e075a2d69dad67a2d51e64e6edbf83456a26c83900a726d20d2c4ee4ead9c94b322fd0b536f3b5a863c4
DIST openssl-3.0.12.tar.gz.asc 833 BLAKE2B 5c7914e0449a1f2fad433544fa637263b237c2637b86960f904a7840ef6bd627728dfa45373e03a6ce7a0a4570d03e1dcd0188059bd5dbcc83d49d10be64dd39 SHA512 072d1572e6cc5240fed69c01b1f7f74958ceba33cec3b0a7f0db5929dc884381320fb737ec6b38f95ef81c855e2d382d7ecd19431a328b08efad70288ec4a964 DIST openssl-3.2.1.tar.gz.asc 833 BLAKE2B a1d25fe30bf1804d13a8b6b98edf56be5bf744d9e2706f4169455c24efe2e3a361487d00d0d4bac240c3f0170693d77a39dd0d4ee5c792d2247aa00c47e74ebf SHA512 de39516c7b77612f33cdc830a8d13ef6bcd91c03d24a6ed105480f140f9e1ad7049844e234c96a516d62e0e33ce90442ffd0f309ea674884c735f04d8562f372


@ -0,0 +1,79 @@
https://bugs.gentoo.org/916328
https://github.com/opendnssec/SoftHSMv2/issues/729
https://github.com/openssl/openssl/issues/22508
https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Fri, 15 Dec 2023 13:45:50 +0100
Subject: [PATCH] Revert "Improved detection of engine-provided private
"classic" keys"
This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
The commit was wrong. With 3.x versions the engines must be themselves
responsible for creating their EVP_PKEYs in a way that they are treated
as legacy - either by using the respective set1 calls or by setting
non-default EVP_PKEY_METHOD.
The workaround has caused more problems than it solved.
Fixes #22945
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23063)
(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
--- a/crypto/engine/eng_pkey.c
+++ b/crypto/engine/eng_pkey.c
@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
return NULL;
}
- /* We enforce check for legacy key */
- switch (EVP_PKEY_get_id(pkey)) {
- case EVP_PKEY_RSA:
- {
- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
- EVP_PKEY_set1_RSA(pkey, rsa);
- RSA_free(rsa);
- }
- break;
-# ifndef OPENSSL_NO_EC
- case EVP_PKEY_SM2:
- case EVP_PKEY_EC:
- {
- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
- EVP_PKEY_set1_EC_KEY(pkey, ec);
- EC_KEY_free(ec);
- }
- break;
-# endif
-# ifndef OPENSSL_NO_DSA
- case EVP_PKEY_DSA:
- {
- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
- EVP_PKEY_set1_DSA(pkey, dsa);
- DSA_free(dsa);
- }
- break;
-#endif
-# ifndef OPENSSL_NO_DH
- case EVP_PKEY_DH:
- {
- DH *dh = EVP_PKEY_get1_DH(pkey);
- EVP_PKEY_set1_DH(pkey, dh);
- DH_free(dh);
- }
- break;
-#endif
- default:
- /*Do nothing */
- break;
- }
-
return pkey;
}


@ -1,3 +0,0 @@
d /etc/ssl - - - - -
d /etc/ssl/private 0700 - - - -
L /etc/ssl/openssl.cnf - - - - ../../usr/share/ssl/openssl.cnf


@ -1,12 +1,11 @@
# Copyright 1999-2023 Gentoo Authors # Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2 # Distributed under the terms of the GNU General Public License v2
EAPI=8 EAPI=8
VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
TMPFILES_OPTIONAL=1
inherit edo flag-o-matic linux-info toolchain-funcs inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig tmpfiles inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
HOMEPAGE="https://www.openssl.org/" HOMEPAGE="https://www.openssl.org/"
@ -18,23 +17,25 @@ if [[ ${PV} == 9999 ]] ; then
inherit git-r3 inherit git-r3
else else
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz SRC_URI="
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" mirror://openssl/source/${MY_P}.tar.gz
KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
fi fi
S="${WORKDIR}"/${MY_P} S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0" LICENSE="Apache-2.0"
SLOT="0/3" # .so version of libssl/libcrypto SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )" RESTRICT="!test? ( test )"
# Flatcar: Gentoo dropped dependency on c_rehash, a required tool for
# generating certs, and does not provide a built-in tool either.
# Continue shipping it.
COMMON_DEPEND=" COMMON_DEPEND="
>=app-misc/c_rehash-1.7-r1 !<net-misc/openssh-9.2_p1-r3
tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
" "
BDEPEND=" BDEPEND="
@ -42,7 +43,7 @@ BDEPEND="
sctp? ( >=net-misc/lksctp-tools-1.0.12 ) sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? ( test? (
sys-apps/diffutils sys-apps/diffutils
sys-devel/bc app-alternatives/bc
sys-process/procps sys-process/procps
) )
verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )" verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
@ -55,6 +56,10 @@ MULTILIB_WRAPPED_HEADERS=(
/usr/include/openssl/configuration.h /usr/include/openssl/configuration.h
) )
PATCHES=(
"${FILESDIR}"/${P}-p11-segfault.patch
)
pkg_setup() { pkg_setup() {
if use ktls ; then if use ktls ; then
if kernel_is -lt 4 18 ; then if kernel_is -lt 4 18 ; then
@ -221,9 +226,15 @@ multilib_src_compile() {
} }
multilib_src_test() { multilib_src_test() {
# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
#
# VFP = show subtests verbosely and show failed tests verbosely # VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down. # Normal V=1 would show everything verbosely but this slows things down.
emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test #
# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
# controls running the tests.
emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
} }
multilib_src_install() { multilib_src_install() {
@ -258,21 +269,15 @@ multilib_src_install_all() {
dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
# Create the certs directory
keepdir ${SSL_CNF_DIR}/certs
# bug #254521 # bug #254521
dodir /etc/sandbox.d dodir /etc/sandbox.d
echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
# flatcar changes: do not keep the sample CA files in `/etc` diropts -m0700
rm -rf "${ED}"${SSL_CNF_DIR} keepdir ${SSL_CNF_DIR}/private
# flatcar changes: save the default `openssl.cnf` in `/usr`
dodir /usr/share/ssl
insinto /usr/share/ssl
doins "${S}"/apps/openssl.cnf
dotmpfiles "${FILESDIR}"/openssl.conf
# flatcar changes: package `tmpfiles.d` setup for SDK bootstrapping.
systemd-tmpfiles --create --root="${ED}" "${FILESDIR}"/openssl.conf
} }
pkg_preinst() { pkg_preinst() {
@ -288,3 +293,12 @@ pkg_preinst() {
preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
} }
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
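Review bot: In the multilib_src_install_all hunk, replacing the tmpfiles-driven setup with `diropts -m0700` + `keepdir ${SSL_CNF_DIR}/private` means the 0700 private-key directory is now created only at package install time rather than (re)created by systemd-tmpfiles, and the `/etc/ssl/openssl.cnf` -> `../../usr/share/ssl/openssl.cnf` symlink from the deleted tmpfiles file is no longer created at all (the upstream install presumably drops openssl.cnf into ${SSL_CNF_DIR} directly — confirm, and confirm no Flatcar image step still expects those entries in a freshly generated `/etc`). `diropts -m0700` also stays in effect for the remainder of the function, which is harmless here only because `keepdir` is the last call; a trailing `diropts -m0755` or a comment such as `# diropts is left at 0700: nothing else is created after this point` would make that intent explicit. In the new pkg_postinst, a failing `openssl rehash` is surfaced only through `eend $?`, so a missing or partial certificate hash index leaves the package installed without an error; that matches Gentoo's ebuild, but a comment stating the step is deliberately non-fatal would help readers. multilib_src_install_all begins outside the hunk.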