diff options
Diffstat (limited to 'dev-libs/openssl')
| -rw-r--r-- | dev-libs/openssl/Manifest | 2 | ||||
| -rw-r--r-- | dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch | 34 | ||||
| -rw-r--r-- | dev-libs/openssl/openssl-3.3.2-r2.ebuild | 305 |
3 files changed, 341 insertions, 0 deletions
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index f208ee9d95ee..4423b28bee25 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest @@ -12,6 +12,7 @@ AUX openssl-3.3.1-pkg-config-deux.patch 12498 BLAKE2B f924e837317bd4a7b4af6e0e8b AUX openssl-3.3.1-pkg-config.patch 982 BLAKE2B 77ec5ac862d5b47666e3234f5ef60323d02cbed4a0575e91a45f6f1727f1f0692fc470071622bf982f2875e91c50d9742eb423838702a0019b8c6f7fc2b80149 SHA512 0198461b726a7783d46c0c02cba747affd39245e2ce2577ea802376e1d2dd279eebe9446f30bc2db638d06db1dfacc9b297aa75bbe64ff6f8e22bde3c1063b36 AUX openssl-3.3.1-riscv.patch 4413 BLAKE2B bf58837c05023bb34edaf6387a5d1f32b6216791643958e972d634d387031461780c34b9209b399f479d908a40ca3b593ea18b1fa80414802bfcdb80db21e1e7 SHA512 b46f2576be603007f767cb7350e3ec74e0ef0832bcc18e50f7b67010e673a6cdcd7099e99d85d53c6693af6b64260e5a92a9aa3f02be1d626421ab7ff73c6f6b AUX openssl-3.3.2-CVE-2024-9143.patch 7034 BLAKE2B 3800addbe31b551224032736f44b9cce721ad6897edfddc6a1db3599e7c7b94e1e4074db8da5883a4439944eb96511fdecae7634bac8ad9a5c2dd11dc2bdf895 SHA512 55449d68c57abc83295de5c869f5b65472c929a29befec7bf74797a3b902febc001535b3c06fe9792d09bd431e72f4d9a2079879c5766acc6adf1359b7d954aa +AUX openssl-3.3.2-silence-warning.patch 1078 BLAKE2B 6f7852229a7ac21f217d32efa8075a8612e412444998671c05814c9e581359aa32fd8555abd6d507cd55f4af9aeebb99055c3a376f7f63dc9255090a1fb8d4f5 SHA512 2c91da767be085479e78ee5b20f0c29124da68761157964db67e45e5a3398b3a402837ab611d6e27e4a261912ed08d08387d3b6cdd1168b0da24b808e80fbe52 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32 @@ -38,5 +39,6 @@ EBUILD openssl-3.0.15.ebuild 8560 BLAKE2B 037351a0c38c0f9718d7d14504b30dfffb7b9c EBUILD openssl-3.1.7-r1.ebuild 8653 BLAKE2B 8e5bd338024de4eb8f21ebf954855acea0f4bb35295d636ca0609dd42d21083553cee4a9db4201b6c498addb010191cc769feb618114289c64964d1eaff9e80d SHA512 5a3390c3bdf197f5a6d910d10dbedb1ccca0e03b6783a84bc108c6523744e2d0c989a83fffe7f0d4e3f2b611d480bdd4df12b51cde35aaea286da1aa363bb2ad EBUILD openssl-3.2.3-r1.ebuild 9297 BLAKE2B 615433d9a0b42433b821768e3227928e4d6bbdd2f96b73189b01df41d4968c989f0f96105fca850ed528e47c9e8ba95559d26d0148109414d109dc2c26081830 SHA512 e49fdce217dd78e3a024ffdbed753b349717ce31c2d21dc006d8d88e6b8600260fd81be3cb5d37a87016925717242aa2391316ab18a685cc2a32ccd2436ee4c4 EBUILD openssl-3.3.2-r1.ebuild 9329 BLAKE2B 75e907c49f10d237e00d65cdb21e9151875f43c32b2657363ce68b5359868d72178685edfd19c3ad2f1cb17d6679562f872d6f49bde12fc96b2be3c0cb1407e0 SHA512 91cc0c0ed68c0c0d448ef70c0f601c8001f5bf143641e0dd71babe8fecb33f280d9bd838f5aaade2fb91eb069ac75fd33962c77d78cfd03c1d1dfb572aa38a47 +EBUILD openssl-3.3.2-r2.ebuild 9384 BLAKE2B a976a5f3a48475dd1ad3d0ab8a0ee3eb409678bc5045684683072ab100a45df04d47735484b13b21aa6462347f64e02a70f23089c448f9dda27965f9aaa11615 SHA512 a196b31f46dca8699aca35d9866779eb55072624634975fa66c11b92668523ab0ffcad71706b023604e1ee8c01184cd1c2b9627cb7acdbbe317412fc5c9dac75 EBUILD openssl-3.3.2.ebuild 9274 BLAKE2B 510de2a09c086e94813d5f623dbb59a6df2fc0e7f11c4c691b5198606b934f59e7ac2ddf6a0171a06435fee820a2d4d4795996a2fec2cad15fc378557f947223 SHA512 be42e686822beab6937cd6350925c4071c85f26682feb55fc88435479fd1706f1d01cbda3618b41c1a7822ea4a83c1593e9ff7ad7db9e2fb52da84058ff355b0 MISC metadata.xml 1674 BLAKE2B 2195a6538e1b4ec953c707460988f153e40abe7495fd761403c9a54b44ecb7cb5c69ac37ac7d4d18bc0086cf9b4accaaac19926fe5b2ac4b2c547ce1c9e08a6d SHA512 d4eda999c1027f9d8102c59275665f5b01d234c4a7636755a6d3c64b9aad2a657d14256b1527d9b7067cb653458b058db7f5bb20873e48927291092d9ccdd1c6 diff --git a/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch b/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch new file mode 100644 index 000000000000..d6ccff0e4372 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch @@ -0,0 +1,34 @@ +https://bugs.gentoo.org/946621 + +commit 1d2cbd9b5a126189d5e9bc78a3bdb9709427d02b +Author: Bhaskar Metiya <bhaskarmetiya@gmail.com> +Date: Wed Aug 14 12:57:14 2024 +0530 + + apps/req.c: No warning reading from stdin if redirected + + CLA: trivial + + Reviewed-by: Matt Caswell <matt@openssl.org> + Reviewed-by: Tomas Mraz <tomas@openssl.org> + Reviewed-by: Richard Levitte <levitte@openssl.org> + (Merged from https://github.com/openssl/openssl/pull/25179) + +--- a/apps/req.c ++++ b/apps/req.c +@@ -30,6 +30,7 @@ + #ifndef OPENSSL_NO_DSA + # include <openssl/dsa.h> + #endif ++#include "internal/e_os.h" /* For isatty() */ + + #define BITS "default_bits" + #define KEYFILE "default_keyfile" +@@ -516,7 +517,7 @@ int req_main(int argc, char **argv) + if (infile == NULL) { + if (gen_x509) + newreq = 1; +- else if (!newreq) ++ else if (!newreq && isatty(fileno_stdin())) + BIO_printf(bio_err, + "Warning: Will read cert request from stdin since no -in option is given\n"); + } diff --git a/dev-libs/openssl/openssl-3.3.2-r2.ebuild b/dev-libs/openssl/openssl-3.3.2-r2.ebuild new file mode 100644 index 000000000000..0299c1afeafd --- /dev/null +++ b/dev-libs/openssl/openssl-3.3.2-r2.ebuild @@ -0,0 +1,305 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !<net-misc/openssh-9.2_p1-r3 + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2024-9143.patch + "${FILESDIR}"/${PN}-3.3.2-silence-warning.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} + fi + + default +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. + filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! + # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw +} + +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. + emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + ebegin "Running openssl fipsinstall" + "${ED}/usr/bin/openssl" fipsinstall -quiet \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" + eend $? + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} |