diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-11-03-openssl-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-11-03-openssl-update.md new file mode 100644 index 0000000000..d327cb8095 --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-11-03-openssl-update.md @@ -0,0 +1 @@ +- OpenSSL ([3.0.7](https://www.openssl.org/news/openssl-3.0-notes.html)) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest index 0f681d0af1..6c2b9eb6c9 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/Manifest @@ -1,2 +1,2 @@ -DIST openssl-3.0.3.tar.gz 15058905 BLAKE2B 8141d13dbea2f1febdd4e46aa404e9f3bac51e1fdc0c9b0df8bf3bf6852e18b09201a2a8cbee99f72e8d6de660834093449b7a14a3fbdda8511286ca3b6743e7 SHA512 949472025211fabdaf2564122f0a9a3baef0facb6373e90cf6c4485164a50898050b179722d0b358c4d8cf1787384ea30d5fd03b98757634631d3e8978509b1a -DIST openssl-3.0.3.tar.gz.asc 488 BLAKE2B 3f31e3a73706b69683220e05b1b4ddc75dc3e7e12652dca711e4aa0eb3c023ef736aee9ade15172d7f28e1e1af03e86d4854ec6c3d167cad42882f483c5e56d4 SHA512 04afe65c6af1ae43a9967462383a6a4f567f5acff19ec1952cd6fce2dc3c3d4dfb3cb54126562724c148f40dcb66668abf727282d35730bbf36f82b5c6bacace +DIST openssl-3.0.7.tar.gz 15107575 BLAKE2B 141881071fa62f056c514e7c653a61c59cc45fe951ec094041e23fb5e619133b7ebbfe31cd8203969c9d8842b8cbc10ec58da67cc181761a11c1cfdd0869df9a SHA512 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424 +DIST openssl-3.0.7.tar.gz.asc 858 BLAKE2B bd07a6f656cce817038743caf1131ef8d7a21bf587e706e32771ad9e09cb4821d21b71171a7fe7bb6bece95e9b06cea6d723aae9de8b62049b5a8316578500be SHA512 9093a8a5a990f5f37bd95e7ca55f2371e59242be408ea7d9403bcfc9c8873c022237e13c0ec81881a20607ea46927887a895a82b6f50c6f423b4c54f9ef0cde1 diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/0001-openssl.patch b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/0001-openssl.patch deleted file mode 100644 index f0712d8120..0000000000 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/0001-openssl.patch +++ /dev/null @@ -1,457 +0,0 @@ -From e0b7eaf5dfa95bb3b76bd227bee1e8778eebddce Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Wed, 19 Oct 2022 10:46:50 +1100 -Subject: [PATCH 1/2] Fix CVE in punycode decoder. - -An off by one error in the punycode decoder allowed for a single unsigned int -overwrite of a buffer which could cause a crash and possible code execution. - -Also fixed the ossl_a2ulabel() function which was broken and also contained -a potential buffer overflow, albeit one byte without control of the contents. - -Added a test case that errors without the CVE fix and passes with it. - -Fixes CVE-2022-3602. - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz ---- - crypto/punycode.c | 65 +++++----- - test/build.info | 6 +- - test/punycode_test.c | 219 ++++++++++++++++++++++++++++++++ - test/recipes/04-test_punycode.t | 11 ++ - 4 files changed, 265 insertions(+), 36 deletions(-) - create mode 100644 test/punycode_test.c - create mode 100644 test/recipes/04-test_punycode.t - -diff --git a/crypto/punycode.c b/crypto/punycode.c -index 385b4b1df4..8cba508382 100644 ---- a/crypto/punycode.c -+++ b/crypto/punycode.c -@@ -123,7 +123,6 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, - unsigned int bias = initial_bias; - size_t processed_in = 0, written_out = 0; - unsigned int max_out = *pout_length; -- - unsigned int basic_count = 0; - unsigned int loop; - -@@ -181,11 +180,11 @@ int ossl_punycode_decode(const char *pEncoded, const size_t enc_len, - n = n + i / (written_out + 1); - i %= (written_out + 1); - -- if (written_out > max_out) -+ if (written_out >= max_out) - return 0; - - memmove(pDecoded + i + 1, pDecoded + i, -- (written_out - i) * sizeof *pDecoded); -+ (written_out - i) * sizeof(*pDecoded)); - pDecoded[i] = n; - i++; - written_out++; -@@ -255,30 +254,35 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - */ - char *outptr = out; - const char *inptr = in; -- size_t size = 0; -+ size_t size = 0, maxsize; - int result = 1; -- -+ unsigned int i, j; - unsigned int buf[LABEL_BUF_SIZE]; /* It's a hostname */ -- if (out == NULL) -+ -+ if (out == NULL) { - result = 0; -+ maxsize = 0; -+ } else { -+ maxsize = *outlen; -+ } -+ -+#define PUSHC(c) \ -+ do \ -+ if (size++ < maxsize) \ -+ *outptr++ = c; \ -+ else \ -+ result = 0; \ -+ while (0) - - while (1) { - char *tmpptr = strchr(inptr, '.'); -- size_t delta = (tmpptr) ? (size_t)(tmpptr - inptr) : strlen(inptr); -+ size_t delta = tmpptr != NULL ? (size_t)(tmpptr - inptr) : strlen(inptr); - - if (strncmp(inptr, "xn--", 4) != 0) { -- size += delta + 1; -- -- if (size >= *outlen - 1) -- result = 0; -- -- if (result > 0) { -- memcpy(outptr, inptr, delta + 1); -- outptr += delta + 1; -- } -+ for (i = 0; i < delta + 1; i++) -+ PUSHC(inptr[i]); - } else { - unsigned int bufsize = LABEL_BUF_SIZE; -- unsigned int i; - - if (ossl_punycode_decode(inptr + 4, delta - 4, buf, &bufsize) <= 0) - return -1; -@@ -286,26 +290,16 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - for (i = 0; i < bufsize; i++) { - unsigned char seed[6]; - size_t utfsize = codepoint2utf8(seed, buf[i]); -+ - if (utfsize == 0) - return -1; - -- size += utfsize; -- if (size >= *outlen - 1) -- result = 0; -- -- if (result > 0) { -- memcpy(outptr, seed, utfsize); -- outptr += utfsize; -- } -+ for (j = 0; j < utfsize; j++) -+ PUSHC(seed[j]); - } - -- if (tmpptr != NULL) { -- *outptr = '.'; -- outptr++; -- size++; -- if (size >= *outlen - 1) -- result = 0; -- } -+ if (tmpptr != NULL) -+ PUSHC('.'); - } - - if (tmpptr == NULL) -@@ -313,7 +307,9 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - - inptr = tmpptr + 1; - } -+#undef PUSHC - -+ *outlen = size; - return result; - } - -@@ -330,9 +326,8 @@ int ossl_a2ucompare(const char *a, const char *u) - char a_ulabel[LABEL_BUF_SIZE]; - size_t a_size = sizeof(a_ulabel); - -- if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) { -+ if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) - return -1; -- } - -- return (strcmp(a_ulabel, u) == 0) ? 0 : 1; -+ return strcmp(a_ulabel, u) != 0; - } -diff --git a/test/build.info b/test/build.info -index 9d2d41e417..638f215da6 100644 ---- a/test/build.info -+++ b/test/build.info -@@ -40,7 +40,7 @@ IF[{- !$disabled{tests} -}] - exptest pbetest localetest evp_pkey_ctx_new_from_name\ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test evp_libctx_test ossl_store_test \ -- v3nametest v3ext \ -+ v3nametest v3ext punycode_test \ - evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \ - evp_fetch_prov_test v3nametest v3ext \ - crltest danetest bad_dtls_test lhash_test sparse_array_test \ -@@ -290,6 +290,10 @@ IF[{- !$disabled{tests} -}] - INCLUDE[pkcs7_test]=../include ../apps/include - DEPEND[pkcs7_test]=../libcrypto libtestutil.a - -+ SOURCE[punycode_test]=punycode_test.c -+ INCLUDE[punycode_test]=../include ../apps/include -+ DEPEND[punycode_test]=../libcrypto.a libtestutil.a -+ - SOURCE[stack_test]=stack_test.c - INCLUDE[stack_test]=../include ../apps/include - DEPEND[stack_test]=../libcrypto libtestutil.a -diff --git a/test/punycode_test.c b/test/punycode_test.c -new file mode 100644 -index 0000000000..285ead6966 ---- /dev/null -+++ b/test/punycode_test.c -@@ -0,0 +1,219 @@ -+/* -+ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+ -+#include "crypto/punycode.h" -+#include "internal/nelem.h" -+#include "testutil.h" -+ -+ -+static const struct puny_test { -+ unsigned int raw[50]; -+ const char *encoded; -+} puny_cases[] = { -+ /* Test cases from RFC 3492 */ -+ { /* Arabic (Egyptian) */ -+ { 0x0644, 0x064A, 0x0647, 0x0645, 0x0627, 0x0628, 0x062A, 0x0643, 0x0644, -+ 0x0645, 0x0648, 0x0634, 0x0639, 0x0631, 0x0628, 0x064A, 0x061F -+ }, -+ "egbpdaj6bu4bxfgehfvwxn" -+ }, -+ { /* Chinese (simplified) */ -+ { 0x4ED6, 0x4EEC, 0x4E3A, 0x4EC0, 0x4E48, 0x4E0D, 0x8BF4, 0x4E2D, 0x6587 -+ }, -+ "ihqwcrb4cv8a8dqg056pqjye" -+ }, -+ { /* Chinese (traditional) */ -+ { 0x4ED6, 0x5011, 0x7232, 0x4EC0, 0x9EBD, 0x4E0D, 0x8AAA, 0x4E2D, 0x6587 -+ }, -+ "ihqwctvzc91f659drss3x8bo0yb" -+ }, -+ { /* Czech: Proprostnemluvesky */ -+ { 0x0050, 0x0072, 0x006F, 0x010D, 0x0070, 0x0072, 0x006F, 0x0073, 0x0074, -+ 0x011B, 0x006E, 0x0065, 0x006D, 0x006C, 0x0075, 0x0076, 0x00ED, 0x010D, -+ 0x0065, 0x0073, 0x006B, 0x0079 -+ }, -+ "Proprostnemluvesky-uyb24dma41a" -+ }, -+ { /* Hebrew */ -+ { 0x05DC, 0x05DE, 0x05D4, 0x05D4, 0x05DD, 0x05E4, 0x05E9, 0x05D5, 0x05D8, -+ 0x05DC, 0x05D0, 0x05DE, 0x05D3, 0x05D1, 0x05E8, 0x05D9, 0x05DD, 0x05E2, -+ 0x05D1, 0x05E8, 0x05D9, 0x05EA -+ }, -+ "4dbcagdahymbxekheh6e0a7fei0b" -+ }, -+ { /* Hindi (Devanagari) */ -+ { 0x092F, 0x0939, 0x0932, 0x094B, 0x0917, 0x0939, 0x093F, 0x0928, 0x094D, -+ 0x0926, 0x0940, 0x0915, 0x094D, 0x092F, 0x094B, 0x0902, 0x0928, 0x0939, -+ 0x0940, 0x0902, 0x092C, 0x094B, 0x0932, 0x0938, 0x0915, 0x0924, 0x0947, -+ 0x0939, 0x0948, 0x0902 -+ }, -+ "i1baa7eci9glrd9b2ae1bj0hfcgg6iyaf8o0a1dig0cd" -+ }, -+ { /* Japanese (kanji and hiragana) */ -+ { 0x306A, 0x305C, 0x307F, 0x3093, 0x306A, 0x65E5, 0x672C, 0x8A9E, 0x3092, -+ 0x8A71, 0x3057, 0x3066, 0x304F, 0x308C, 0x306A, 0x3044, 0x306E, 0x304B -+ }, -+ "n8jok5ay5dzabd5bym9f0cm5685rrjetr6pdxa" -+ }, -+ { /* Korean (Hangul syllables) */ -+ { 0xC138, 0xACC4, 0xC758, 0xBAA8, 0xB4E0, 0xC0AC, 0xB78C, 0xB4E4, 0xC774, -+ 0xD55C, 0xAD6D, 0xC5B4, 0xB97C, 0xC774, 0xD574, 0xD55C, 0xB2E4, 0xBA74, -+ 0xC5BC, 0xB9C8, 0xB098, 0xC88B, 0xC744, 0xAE4C -+ }, -+ "989aomsvi5e83db1d2a355cv1e0vak1dwrv93d5xbh15a0dt30a5jpsd879ccm6fea98c" -+ }, -+ { /* Russian (Cyrillic) */ -+ { 0x043F, 0x043E, 0x0447, 0x0435, 0x043C, 0x0443, 0x0436, 0x0435, 0x043E, -+ 0x043D, 0x0438, 0x043D, 0x0435, 0x0433, 0x043E, 0x0432, 0x043E, 0x0440, -+ 0x044F, 0x0442, 0x043F, 0x043E, 0x0440, 0x0443, 0x0441, 0x0441, 0x043A, -+ 0x0438 -+ }, -+ "b1abfaaepdrnnbgefbaDotcwatmq2g4l" -+ }, -+ { /* Spanish */ -+ { 0x0050, 0x006F, 0x0072, 0x0071, 0x0075, 0x00E9, 0x006E, 0x006F, 0x0070, -+ 0x0075, 0x0065, 0x0064, 0x0065, 0x006E, 0x0073, 0x0069, 0x006D, 0x0070, -+ 0x006C, 0x0065, 0x006D, 0x0065, 0x006E, 0x0074, 0x0065, 0x0068, 0x0061, -+ 0x0062, 0x006C, 0x0061, 0x0072, 0x0065, 0x006E, 0x0045, 0x0073, 0x0070, -+ 0x0061, 0x00F1, 0x006F, 0x006C -+ }, -+ "PorqunopuedensimplementehablarenEspaol-fmd56a" -+ }, -+ { /* Vietnamese */ -+ { 0x0054, 0x1EA1, 0x0069, 0x0073, 0x0061, 0x006F, 0x0068, 0x1ECD, 0x006B, -+ 0x0068, 0x00F4, 0x006E, 0x0067, 0x0074, 0x0068, 0x1EC3, 0x0063, 0x0068, -+ 0x1EC9, 0x006E, 0x00F3, 0x0069, 0x0074, 0x0069, 0x1EBF, 0x006E, 0x0067, -+ 0x0056, 0x0069, 0x1EC7, 0x0074 -+ }, -+ "TisaohkhngthchnitingVit-kjcr8268qyxafd2f1b9g" -+ }, -+ { /* Japanese: 3B */ -+ { 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F -+ }, -+ "3B-ww4c5e180e575a65lsy2b" -+ }, -+ { /* Japanese: -with-SUPER-MONKEYS */ -+ { 0x5B89, 0x5BA4, 0x5948, 0x7F8E, 0x6075, 0x002D, 0x0077, 0x0069, 0x0074, -+ 0x0068, 0x002D, 0x0053, 0x0055, 0x0050, 0x0045, 0x0052, 0x002D, 0x004D, -+ 0x004F, 0x004E, 0x004B, 0x0045, 0x0059, 0x0053 -+ }, -+ "-with-SUPER-MONKEYS-pc58ag80a8qai00g7n9n" -+ }, -+ { /* Japanese: Hello-Another-Way- */ -+ { 0x0048, 0x0065, 0x006C, 0x006C, 0x006F, 0x002D, 0x0041, 0x006E, 0x006F, -+ 0x0074, 0x0068, 0x0065, 0x0072, 0x002D, 0x0057, 0x0061, 0x0079, 0x002D, -+ 0x305D, 0x308C, 0x305E, 0x308C, 0x306E, 0x5834, 0x6240 -+ }, -+ "Hello-Another-Way--fc4qua05auwb3674vfr0b" -+ }, -+ { /* Japanese: 2 */ -+ { 0x3072, 0x3068, 0x3064, 0x5C4B, 0x6839, 0x306E, 0x4E0B, 0x0032 -+ }, -+ "2-u9tlzr9756bt3uc0v" -+ }, -+ { /* Japanese: MajiKoi5 */ -+ { 0x004D, 0x0061, 0x006A, 0x0069, 0x3067, 0x004B, 0x006F, 0x0069, 0x3059, -+ 0x308B, 0x0035, 0x79D2, 0x524D -+ }, -+ "MajiKoi5-783gue6qz075azm5e" -+ }, -+ { /* Japanese: de */ -+ { 0x30D1, 0x30D5, 0x30A3, 0x30FC, 0x0064, 0x0065, 0x30EB, 0x30F3, 0x30D0 -+ }, -+ "de-jg4avhby1noc0d" -+ }, -+ { /* Japanese: */ -+ { 0x305D, 0x306E, 0x30B9, 0x30D4, 0x30FC, 0x30C9, 0x3067 -+ }, -+ "d9juau41awczczp" -+ }, -+ { /* -> $1.00 <- */ -+ { 0x002D, 0x003E, 0x0020, 0x0024, 0x0031, 0x002E, 0x0030, 0x0030, 0x0020, -+ 0x003C, 0x002D -+ }, -+ "-> $1.00 <--" -+ } -+}; -+ -+static int test_punycode(int n) -+{ -+ const struct puny_test *tc = puny_cases + n; -+ unsigned int buffer[50]; -+ unsigned int bsize = OSSL_NELEM(buffer); -+ size_t i; -+ -+ if (!TEST_true(ossl_punycode_decode(tc->encoded, strlen(tc->encoded), -+ buffer, &bsize))) -+ return 0; -+ for (i = 0; i < sizeof(tc->raw); i++) -+ if (tc->raw[i] == 0) -+ break; -+ if (!TEST_mem_eq(buffer, bsize * sizeof(*buffer), -+ tc->raw, i * sizeof(*tc->raw))) -+ return 0; -+ return 1; -+} -+ -+static int test_a2ulabel(void) -+{ -+ char out[50]; -+ size_t outlen; -+ -+ /* -+ * Test that no buffer correctly returns the true length. -+ * The punycode being passed in and parsed is malformed but we're not -+ * verifying that behaviour here. -+ */ -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", NULL, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1)) -+ return 0; -+ /* Test that a short input length returns the true length */ -+ outlen = 1; -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) -+ || !TEST_str_eq(out,"\xc2\x80.b.c")) -+ return 0; -+ /* Test for an off by one on the buffer size works */ -+ outlen = 6; -+ if (!TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 0) -+ || !TEST_size_t_eq(outlen, 7) -+ || !TEST_int_eq(ossl_a2ulabel("xn--a.b.c", out, &outlen), 1) -+ || !TEST_str_eq(out,"\xc2\x80.b.c")) -+ return 0; -+ return 1; -+} -+ -+static int test_puny_overrun(void) -+{ -+ static const unsigned int out[] = { -+ 0x0033, 0x5E74, 0x0042, 0x7D44, 0x91D1, 0x516B, 0x5148, 0x751F -+ }; -+ static const char *in = "3B-ww4c5e180e575a65lsy2b"; -+ unsigned int buf[OSSL_NELEM(out)]; -+ unsigned int bsize = OSSL_NELEM(buf) - 1; -+ -+ if (!TEST_false(ossl_punycode_decode(in, strlen(in), buf, &bsize))) { -+ if (TEST_mem_eq(buf, bsize * sizeof(*buf), out, sizeof(out))) -+ TEST_error("CRITICAL: buffer overrun detected!"); -+ return 0; -+ } -+ return 1; -+} -+ -+int setup_tests(void) -+{ -+ ADD_ALL_TESTS(test_punycode, OSSL_NELEM(puny_cases)); -+ ADD_TEST(test_a2ulabel); -+ ADD_TEST(test_puny_overrun); -+ return 1; -+} -diff --git a/test/recipes/04-test_punycode.t b/test/recipes/04-test_punycode.t -new file mode 100644 -index 0000000000..de213c7e15 ---- /dev/null -+++ b/test/recipes/04-test_punycode.t -@@ -0,0 +1,11 @@ -+#! /usr/bin/env perl -+# Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use OpenSSL::Test::Simple; -+ -+simple_test("test_punycode", "punycode_test"); - -From 3f361dc3c465c31607833d840b68fa6a51064622 Mon Sep 17 00:00:00 2001 -From: Pauli -Date: Mon, 24 Oct 2022 19:06:13 +1100 -Subject: [PATCH 2/2] punycode: ensure the result is zero terminated - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz ---- - crypto/punycode.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/crypto/punycode.c b/crypto/punycode.c -index 8cba508382..b9b4e3d785 100644 ---- a/crypto/punycode.c -+++ b/crypto/punycode.c -@@ -298,8 +298,7 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - PUSHC(seed[j]); - } - -- if (tmpptr != NULL) -- PUSHC('.'); -+ PUSHC(tmpptr != NULL ? '.' : '\0'); - } - - if (tmpptr == NULL) -@@ -323,7 +322,7 @@ int ossl_a2ulabel(const char *in, char *out, size_t *outlen) - - int ossl_a2ucompare(const char *a, const char *u) - { -- char a_ulabel[LABEL_BUF_SIZE]; -+ char a_ulabel[LABEL_BUF_SIZE + 1]; - size_t a_size = sizeof(a_ulabel); - - if (ossl_a2ulabel(a, a_ulabel, &a_size) <= 0) diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml index 7aeb3cfc9e..bb40ddbf82 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/metadata.xml @@ -1,30 +1,31 @@ - - base-system@gentoo.org - Gentoo Base System - - - Support assembly hand optimized crypto functions (i.e. faster run time) - Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI - Enable FIPS provider - Enable support for Kernel implementation of TLS (kTLS) - Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers) - Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https - Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https - Enable support for discouraged TLS compression - Enable the Heartbeat Extension in TLS and DTLS - Build support for SSL/TLS ciphers that are considered "weak" - - - cpe:/a:openssl:openssl - - - For building against. This is the only slot - that provides headers and command line tools. - For binary compatibility, provides libcrypto.so.0.9.8 - and libssl.so.0.9.8 only. - Reflect ABI of libcrypto.so and libssl.so. - + + base-system@gentoo.org + Gentoo Base System + + + Support assembly hand optimized crypto functions (i.e. faster run time) + Disable/Restrict EC algorithms (as they seem to be patented) -- note: changes the ABI + Enable FIPS provider + Enable support for Kernel implementation of TLS (kTLS) + Enable support for RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers) + Support for the old/insecure SSLv2 protocol -- note: not required for TLS/https + Support for the old/insecure SSLv3 protocol -- note: not required for TLS/https + Enable support for discouraged TLS compression + Enable the Heartbeat Extension in TLS and DTLS + Build support for SSL/TLS ciphers that are considered "weak" + + + cpe:/a:openssl:openssl + openssl/openssl + + + For building against. This is the only slot + that provides headers and command line tools. + For binary compatibility, provides libcrypto.so.0.9.8 + and libssl.so.0.9.8 only. + Reflect ABI of libcrypto.so and libssl.so. + diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.3-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild similarity index 85% rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.3-r1.ebuild rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild index 37689ca4ae..f65e2d52f4 100644 --- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.3-r1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-3.0.7.ebuild @@ -1,8 +1,9 @@ # Copyright 1999-2022 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI="7" +EAPI=7 +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc TMPFILES_OPTIONAL=1 inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig systemd tmpfiles @@ -18,7 +19,6 @@ if [[ ${PV} == 9999 ]] ; then else SRC_URI="mirror://openssl/source/${MY_P}.tar.gz verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" - VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc KEYWORDS="~alpha amd64 ~arm arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" fi @@ -41,7 +41,7 @@ BDEPEND=" sys-devel/bc sys-process/procps ) - verify-sig? ( sec-keys/openpgp-keys-openssl )" + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )" DEPEND="${COMMON_DEPEND}" RDEPEND="${COMMON_DEPEND}" @@ -52,9 +52,6 @@ MULTILIB_WRAPPED_HEADERS=( ) PATCHES=( - "${FILESDIR}"/0001-openssl.patch - # General patches which are suitable to always apply - # If they're Gentoo specific, add to USE=-vanilla logic in src_prepare! ) pkg_setup() { @@ -83,6 +80,16 @@ pkg_setup() { fi } +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc} + fi + + default +} + src_prepare() { # Allow openssl to be cross-compiled cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die @@ -126,12 +133,22 @@ src_prepare() { # and 'make depend' uses -Werror for added fun (bug #417795 again) tc-is-clang && append-flags -Qunused-arguments + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing append-flags -fno-strict-aliasing + append-flags $(test-flags-CC -Wa,--noexecstack) # Prefixify Configure shebang (bug #141906) sed \ - -e "1s,/usr/bin/env,${EPREFIX}&," \ + -e "1s,/usr/bin/env,${BROOT}&," \ -i Configure || die # Remove test target when FEATURES=test isn't set @@ -162,6 +179,18 @@ multilib_src_configure() { local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! + # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + local sslout=$(./gentoo.config) einfo "Using configuration: ${sslout:-(openssl knows best)}" local config="Configure" @@ -198,9 +227,7 @@ multilib_src_configure() { threads ) - CFLAGS= LDFLAGS= edo \ - ./${config} \ - "${myeconfargs[@]}" + CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}" # Clean out hardcoded flags that openssl uses local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ @@ -265,7 +292,9 @@ multilib_src_install_all() { cd "${ED}"/usr/share/man || die local m d s for m in $(find . -type f | xargs grep -L '#include') ; do - d=${m%/*} ; d=${d#./} ; m=${m##*/} + d=${m%/*} + d=${d#./} + m=${m##*/} [[ ${m} == openssl.1* ]] && continue @@ -281,6 +310,7 @@ multilib_src_install_all() { # We assume that any broken links are due to the above renaming for s in $(find -L ${d} -type l) ; do s=${s##*/} + rm -f ${d}/${s} # We don't want to "|| die" here