Diffstat (limited to 'dev-libs')
-rw-r--r-- | dev-libs/Manifest.gz | bin | 99982 -> 99982 bytes | |||
-rw-r--r-- | dev-libs/openssl/Manifest | 2 | ||||
-rw-r--r-- | dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch | 55 | ||||
-rw-r--r-- | dev-libs/openssl/openssl-3.3.2-r3.ebuild | 306 |
4 files changed, 363 insertions, 0 deletions
diff --git a/dev-libs/Manifest.gz b/dev-libs/Manifest.gz Binary files differindex 3ade3b23d2d6..00f032f4eefc 100644 --- a/dev-libs/Manifest.gz +++ b/dev-libs/Manifest.gz diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest index d17c7d00229f..16daf6b37b9f 100644 --- a/dev-libs/openssl/Manifest +++ b/dev-libs/openssl/Manifest 
@@ -6,6 +6,7 @@ AUX openssl-3.0.15-CVE-2024-9143.patch 7034 BLAKE2B 79963b250e9faa0a9764945d05f0 AUX openssl-3.1.7-CVE-2024-9143.patch 7033 BLAKE2B 1e2d8ea24fd68e2781808477d60773a3cca5bf122ba3c2a0efba12470126a5768a2f2fa0239a73965bf046644e93d6deecda17e4282243206095c42f3149fb5e SHA512 44185ace09adb75f8124f8a564d1f806fb6fd29e232a6c1f40b1508f510c8b481f86f06d03e169ed6dd2df1e535b723a2f9978199b20225a1e27f499054b7bc7 AUX openssl-3.2.3-CVE-2024-9143.patch 7034 BLAKE2B 7f438bb531b09154368072f66e03fa4fa1c0f1d461ce8e89e942567e9cf60ce0d1986334cbd9c4d8e9b5ea5dc7c2ca0fa5dc111c965d99ebf6800afdd56820ab SHA512 7699ea05a139a7ddcbf68538cfb4329026d99ffa8eb3622b3f0faca92b287f571c6b76c24acd537a3406f209bf90a48704d11ed70d0e49c118d1591b9bae39d2 AUX openssl-3.3.2-CVE-2024-9143.patch 7034 BLAKE2B 3800addbe31b551224032736f44b9cce721ad6897edfddc6a1db3599e7c7b94e1e4074db8da5883a4439944eb96511fdecae7634bac8ad9a5c2dd11dc2bdf895 SHA512 55449d68c57abc83295de5c869f5b65472c929a29befec7bf74797a3b902febc001535b3c06fe9792d09bd431e72f4d9a2079879c5766acc6adf1359b7d954aa +AUX openssl-3.3.2-arm64-clobber.patch 1733 BLAKE2B f0fe162cff941bc9051dea3c0d913fd1ccc8c4587d5c75aea57430f2ad363ac3262d2ef725c80aa2414942d5a10cc19b635c9b931a5299448c8408495e37704a SHA512 9833aecaf084e39208865ddca006cd5e0bb191d05ccf2accffbc158f05aa3d7787b22bca21d1523122ebe69c80d5015915c89840e508749d073d38c519ce4d19 AUX openssl-3.3.2-silence-warning.patch 1078 BLAKE2B 6f7852229a7ac21f217d32efa8075a8612e412444998671c05814c9e581359aa32fd8555abd6d507cd55f4af9aeebb99055c3a376f7f63dc9255090a1fb8d4f5 SHA512 2c91da767be085479e78ee5b20f0c29124da68761157964db67e45e5a3398b3a402837ab611d6e27e4a261912ed08d08387d3b6cdd1168b0da24b808e80fbe52 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 
DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6 
@@ -30,6 +31,7 @@ EBUILD openssl-3.2.3-r1.ebuild 9289 BLAKE2B 3bb6d1e09f10633340acc1c8eb75b9669f6e EBUILD openssl-3.2.9999.ebuild 9079 BLAKE2B 711a1c456e161580e5ceaabb68585ba2f7c6ef7b1d6afb2435647bbbe25d0905019981f0d9517a7078284141f6c15e93d8f2a6077816da9bba57f02e52d8f3e5 SHA512 a444ed5d89f926fc1930621817bfc8c7b445b272dd65551a51b62c46ebd9b374cc686330b87002279f53cd3ffe03e127a2c1833f338ed82334217ca294c4d3d7 EBUILD openssl-3.3.2-r1.ebuild 9327 BLAKE2B 7fc2ce5c4ecf37f2d0de5e41bae4ad021c1c0f9f8b24fcab20457ee69505b6946e38bd5359414fff38cb9331897e4325923747bc052e38fb5e2423ea2e1554a6 SHA512 1bd1876eadca7aaa521b70cd6b2323dc2114c1de9d1edd86f9434b80d2e36b45ce8aabcdbab00aa610e2116aecc72f142b36fc6e883e4ee2612efa5e848dd186 EBUILD openssl-3.3.2-r2.ebuild 9379 BLAKE2B c0d2710024882dbfe0e0edf95ec6bf04f5abd6fbb3ab00916d78c6c8a415dc6094e9427f6b760c243dc328b692aa7b9da0c941c3f9b66b29e6da7cd28fbb5442 SHA512 689171d4723a854830a322aa0a0889fe3e16d41348278f375eba738cda597c2029abcd0942ec2f20f772837d7664bb496145dfe4c34bf4ed945da5e724b5a4f7 +EBUILD openssl-3.3.2-r3.ebuild 9424 BLAKE2B a2a82568781852798c688006c4b13571730e4537eb8f020af42e1c5318475575fc1894013b2696b610667f6018ad8692b169bece838917b853e41400095bc126 SHA512 18586f65286613b3e4d6da331eeaae45e872f4e249344d8c8e5bbdd02d5b093edf12a33d038ec8fdfc70306eb028fc1c0c3f84ed89a9589bdcb5192c723b4c64 EBUILD openssl-3.3.9999.ebuild 9117 BLAKE2B 0ea48090d34a85fd8002dd3a36c533199c3f145ef0d7784468d8ca1aa81b531ac55a63cf9e55a035f2cb15f03baeccfcf96c7de94e45f0d2e35567a35c00e50e SHA512 f09b49a4615f615d0ed4c93b4f84e37ad543764dab9ef9ff20f4561507a3da3b90a0aeb1511fc6773e42b3ff574d1da276b5776bbc924453562e6ce5fa1b6822 EBUILD openssl-3.4.9999.ebuild 9117 BLAKE2B 0ea48090d34a85fd8002dd3a36c533199c3f145ef0d7784468d8ca1aa81b531ac55a63cf9e55a035f2cb15f03baeccfcf96c7de94e45f0d2e35567a35c00e50e SHA512 f09b49a4615f615d0ed4c93b4f84e37ad543764dab9ef9ff20f4561507a3da3b90a0aeb1511fc6773e42b3ff574d1da276b5776bbc924453562e6ce5fa1b6822 MISC metadata.xml 1674 BLAKE2B 
2195a6538e1b4ec953c707460988f153e40abe7495fd761403c9a54b44ecb7cb5c69ac37ac7d4d18bc0086cf9b4accaaac19926fe5b2ac4b2c547ce1c9e08a6d SHA512 d4eda999c1027f9d8102c59275665f5b01d234c4a7636755a6d3c64b9aad2a657d14256b1527d9b7067cb653458b058db7f5bb20873e48927291092d9ccdd1c6 diff --git a/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch b/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch new file mode 100644 index 000000000000..d83c5b4fb87f --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.3.2-arm64-clobber.patch 
@@ -0,0 +1,55 @@
+https://gcc.gnu.org/PR118537
+https://www.postgresql.org/message-id/6fxlmnyagkycru3bewa4ympknywnsswlqzvwfft3ifqqiioxlv%40ax53pv7xdrc2
+https://github.com/openssl/openssl/pull/26469
+https://github.com/openssl/openssl/commit/4f7d8b2724ea7f42cff1e8a0e736ad448def60f5
+
+From 4f7d8b2724ea7f42cff1e8a0e736ad448def60f5 Mon Sep 17 00:00:00 2001
+From: Julian Andres Klode <julian.klode@canonical.com>
+Date: Sat, 18 Jan 2025 21:12:45 +0100
+Subject: [PATCH] Restore correct registers in aarch64 AES-CTR code
+
+Commit 1d1ca79fe35dbe5c05faed5a2ef8c4de9c5adc49 introduced
+save and restore for the registers, saving them as
+
+ stp d8,d9,[sp, #16]
+ stp d10,d11,[sp, #32]
+ stp d12,d13,[sp, #48]
+ stp d14,d15,[sp, #64]
+
+But the restore code was inadvertently typoed:
+
+ ldp d8,d9,[sp, #16]
+ ldp d10,d11,[sp, #32]
+ ldp d12,d13,[sp, #48]
+ ldp d15,d16,[sp, #64]
+
+Restoring [sp, #64] into d15,d16 instead of d14,d15.
+
+Fixes: #26466
+
+CLA: trivial
+
+Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/26469)
+
+(cherry picked from commit 5261f3ca41cda7ad5767e399e9a2dc008bbad5d6)
+---
+ crypto/aes/asm/aesv8-armx.pl | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/crypto/aes/asm/aesv8-armx.pl b/crypto/aes/asm/aesv8-armx.pl
+index 33a2dd53dae19..dc019b04ccd25 100755
+--- a/crypto/aes/asm/aesv8-armx.pl
++++ b/crypto/aes/asm/aesv8-armx.pl
+@@ -2493,7 +2493,7 @@ ()
+ ldp d8,d9,[sp, #16]
+ ldp d10,d11,[sp, #32]
+ ldp d12,d13,[sp, #48]
+- ldp d15,d16,[sp, #64]
++ ldp d14,d15,[sp, #64]
+ ldr x29,[sp],#80
+ ret
+ .size ${prefix}_ctr32_encrypt_blocks_unroll12_eor3,.-${prefix}_ctr32_encrypt_blocks_unroll12_eor3
+
diff --git a/dev-libs/openssl/openssl-3.3.2-r3.ebuild b/dev-libs/openssl/openssl-3.3.2-r3.ebuild
new file mode 100644
index 000000000000..74109bfb1ff7
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.3.2-r3.ebuild
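Review bot: The header of this backport says where the fix came from but not what it means for someone running the unfixed -r2 build, and a line on impact belongs above the `From` line. The old epilogue of `${prefix}_ctr32_encrypt_blocks_unroll12_eor3` reloaded `[sp, #64]` into d15,d16, so the routine returned with d14 not restored and d15 holding the value saved from d14; both are among the registers the prologue quoted in the commit message saves, so the damage surfaces in the caller's floating-point state rather than inside OpenSSL. Something like `Impact: arm64 callers get d14/d15 back corrupted after AES-CTR; symptoms appear in the calling program.` would do. Only this one epilogue is visible in the hunk, so whether the file's other save/restore pairs were compared the same way cannot be told from here.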
@@ -0,0 +1,306 @@ +# Copyright 1999-2025 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !<net-misc/openssh-9.2_p1-r3 + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) + verify-sig? 
( >=sec-keys/openpgp-keys-openssl-20240920 ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + "${FILESDIR}"/${P}-CVE-2024-9143.patch + "${FILESDIR}"/${PN}-3.3.2-silence-warning.patch + "${FILESDIR}"/${P}-arm64-clobber.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} + fi + + default +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! 
use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. 
+ filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! + # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw +} 
+ +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. + emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! 
use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + ebegin "Running openssl fipsinstall" + "${ED}/usr/bin/openssl" fipsinstall -quiet \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" + eend $? + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} |
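Review bot: In `pkg_preinst` a failed `openssl fipsinstall` is only reported through `eend $?` and the merge carries on, although `multilib_src_install` has already deleted the `fipsmodule.cnf` that `install_fips` produced. With USE=fips that leaves a system where the FIPS provider is installed but its module configuration is missing, and the only trace is an error marker in the merge log. I would make the failure fatal, e.g. `eend $? || die "openssl fipsinstall failed; fipsmodule.cnf was not regenerated"`. Separately, the two comments in `src_unpack` still refer to a downloaded test-fix patch that this ebuild's SRC_URI does not list; `# Verify the release tarball against its detached signature` describes what the call actually does.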