gentoo auto-resync : 30:10:2024 - 03:04:35

16 files changed, 2031 insertions, 4 deletions

diff --git a/dev-libs/Manifest.gz b/dev-libs/Manifest.gz
index f1942c4b6d91..a6ed1b3ecbb3 100644
--- a/dev-libs/Manifest.gz
+++ b/dev-libs/Manifest.gz
diff --git a/dev-libs/libclc/Manifest b/dev-libs/libclc/Manifest
index 01a8459d7d8d..0279ef384bc9 100644
--- a/dev-libs/libclc/Manifest
+++ b/dev-libs/libclc/Manifest
@@ -9,6 +9,7 @@ DIST llvm-project-18.1.8.src.tar.xz 132067260 BLAKE2B a950492f1dbfb874dff63b1ffe
 DIST llvm-project-18.1.8.src.tar.xz.sig 566 BLAKE2B 6ab0efc5b38d4483f4e32e8b85774b2edd5d88fdf29f23b88eb0b5130a7a7f0e80549612b025f927e92de4a08ff7c292cff224dbda91a5d598244e98f7ad0fbd SHA512 ddfd1e8a06756759af6cbe488c82a6d6a62ba91f3e8a0eb4cece561321824f5d165b08ed91010588790b76e19790931d2651b24dba8567e3b151d3cb43bec25b
 DIST llvm-project-19.1.2.src.tar.xz 141241032 BLAKE2B 38a3f528ddae7cd738236a317551fdb94acd8fb736a57def15b75e1ed2f6572e1370fb3f1e4ff261d3cfb87df7d50d4db8fa9e70dc5e3dde617af09eb059fdd3 SHA512 e98ee405f5c30004b39f0de0470400dd2965adf4cda4b47a1d3792ae362ed43eb45e96a9b1689f31e1064e0b39252379270bd95bf8081cf9b92ecb9b371bf43b
 DIST llvm-project-19.1.2.src.tar.xz.sig 438 BLAKE2B f5bc0cc43bc10ee2438289d62aa8169cbb9e0ea598381b4c744e6a09daf710650fbec0656a9ac7c0e6f84a0ff3541fe223fa9efc61fb3d4c496cad9df7b9edd4 SHA512 307cd88116e68f901229fc2f6db72bad5f964bacee178e2efad3419cec277b5a7e23fb347386fb4e83e1886551bbc78d187259518193cac7654573ee17e3cb63
+DIST llvm-project-3f4468faaa9525ad615118675c3c68938f4a8d5f.tar.gz 221860252 BLAKE2B 6c531df34163dc0879c79b029a13215d1bef2cd95bbaf4a6d5e10b81a8352236283d40f14b62e23a57cc1cf8edce138fb6e2720ced2397d6469c5863564c626d SHA512 4aa485f4547e210cf8f6f8147c4adab3e75afe77f1e4e1bc4718fe681b64bdcf8937f843964542f8ead90ceef52cc0fd4bd8275824d1a4c6961eddafc7d35115
 DIST llvm-project-9aef0fd52a0b2bf31cf3bae8a0693d6df8db6e04.tar.gz 219987707 BLAKE2B a3f0acd0fd3b66c3a826ac6760653fa6ea893ffba7587cf4a14f472026a9d9d8bf6b63c26d8bc39e83936afe6b735496bd88ce6c00d16abe1d0ccd1f9a644302 SHA512 5104669d78930363afeba045dc27a4c36ca8bb7537d432c765e023cbd91155b248c3a60d4768e1f8690c88e82d4ff95a44fb73f26d25d6646dddc857992485ba
 EBUILD libclc-15.0.7.ebuild 1668 BLAKE2B ac2bd589fb3c29662799f97b1f649fd22b1b7ce5701879815bc01a05ae88421a830a6a3507b4dead181f24eb4e45c451e8ea1ebbdac2a2de51ddbc3cd9f53c66 SHA512 a3e39fbaddb322360f6362ef21713f375d04e02b2b9a3d43a3d47b26d5d43643a8c654181aef9518aee5f9805d09c446bbbf13342b74f09622e5e1b0c59470b1
 EBUILD libclc-16.0.6.ebuild 1665 BLAKE2B 27ffe7083936c466a749550797d109c7a48fc6aaf110977c53ae2d4c5edd558c958a4981020b2c74c6b0c47aeee184edc6e1f192da93f57972fe9cc9abfaa762 SHA512 5007264c688588ec9fd7e74e88a1c1810be2602b744a64d8927275bc8ceaf278d9598222c5d2e3d3fa64504364625b03951752ef7221fd1bf16cc26fbd54ad80
@@ -18,4 +19,5 @@ EBUILD libclc-19.1.2.ebuild 1305 BLAKE2B 1fbb9db126a81d0cea598e600f7d29fd6a717fe
 EBUILD libclc-20.0.0.9999.ebuild 1268 BLAKE2B bcf40564f542b2f2c4eaf493e74226472d1a3d151293a1c09ab4940aa7296018eb237e6254d545a850b2e3ad2f1b0a838dc3f04114c13bb947a8d33cdcba8ee3 SHA512 5bcb5ca819b48dc4b24d5ff0689a19c1d897a560fa89fd761d19cca65e46d185d51ec2745f5091fa9383974e0506fe303d6bdc95327a3be154192d580f92c431
 EBUILD libclc-20.0.0_pre20241015.ebuild 1268 BLAKE2B bcf40564f542b2f2c4eaf493e74226472d1a3d151293a1c09ab4940aa7296018eb237e6254d545a850b2e3ad2f1b0a838dc3f04114c13bb947a8d33cdcba8ee3 SHA512 5bcb5ca819b48dc4b24d5ff0689a19c1d897a560fa89fd761d19cca65e46d185d51ec2745f5091fa9383974e0506fe303d6bdc95327a3be154192d580f92c431
 EBUILD libclc-20.0.0_pre20241023.ebuild 1268 BLAKE2B bcf40564f542b2f2c4eaf493e74226472d1a3d151293a1c09ab4940aa7296018eb237e6254d545a850b2e3ad2f1b0a838dc3f04114c13bb947a8d33cdcba8ee3 SHA512 5bcb5ca819b48dc4b24d5ff0689a19c1d897a560fa89fd761d19cca65e46d185d51ec2745f5091fa9383974e0506fe303d6bdc95327a3be154192d580f92c431
+EBUILD libclc-20.0.0_pre20241029.ebuild 1268 BLAKE2B bcf40564f542b2f2c4eaf493e74226472d1a3d151293a1c09ab4940aa7296018eb237e6254d545a850b2e3ad2f1b0a838dc3f04114c13bb947a8d33cdcba8ee3 SHA512 5bcb5ca819b48dc4b24d5ff0689a19c1d897a560fa89fd761d19cca65e46d185d51ec2745f5091fa9383974e0506fe303d6bdc95327a3be154192d580f92c431
 MISC metadata.xml 362 BLAKE2B 768f93d0058e4da4b420569f3f1771dfa7385ad89540bbc18cf53b5a71e3f060a8afa1112ff37570d7fc9dc3e71619fa3fd8d0cf7b5d3954f5110b19e146df30 SHA512 e6335424da09f668953acd39dcd9b03a30e3b509b34b1de5c72644a3740a5b6b287f10e08405b79bafc8104cc4dc1324b7b9d7990c3b560b0235ae82da8c68a5
diff --git a/dev-libs/libclc/libclc-20.0.0_pre20241029.ebuild b/dev-libs/libclc/libclc-20.0.0_pre20241029.ebuild
new file mode 100644
index 000000000000..2b8c5e63c257
--- /dev/null
+++ b/dev-libs/libclc/libclc-20.0.0_pre20241029.ebuild
@@ -0,0 +1,61 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+LLVM_COMPAT=( {17..18} )
+PYTHON_COMPAT=( python3_{10..13} )
+inherit cmake llvm.org llvm-r1 python-any-r1
+
+DESCRIPTION="OpenCL C library"
+HOMEPAGE="https://libclc.llvm.org/"
+
+LICENSE="Apache-2.0-with-LLVM-exceptions || ( MIT BSD )"
+SLOT="0"
+IUSE="+spirv video_cards_nvidia video_cards_r600 video_cards_radeonsi"
+
+BDEPEND="
+	${PYTHON_DEPS}
+	$(llvm_gen_dep '
+		sys-devel/clang:${LLVM_SLOT}
+		spirv? ( dev-util/spirv-llvm-translator:${LLVM_SLOT} )
+	')
+"
+
+LLVM_COMPONENTS=( libclc )
+llvm.org_set_globals
+
+pkg_setup() {
+	llvm-r1_pkg_setup
+	python-any-r1_pkg_setup
+}
+
+src_configure() {
+	local libclc_targets=()
+
+	use spirv && libclc_targets+=(
+		"spirv-mesa3d-"
+		"spirv64-mesa3d-"
+	)
+	use video_cards_nvidia && libclc_targets+=(
+		"nvptx--"
+		"nvptx64--"
+		"nvptx--nvidiacl"
+		"nvptx64--nvidiacl"
+	)
+	use video_cards_r600 && libclc_targets+=(
+		"r600--"
+	)
+	use video_cards_radeonsi && libclc_targets+=(
+		"amdgcn--"
+		"amdgcn-mesa-mesa3d"
+		"amdgcn--amdhsa"
+	)
+	[[ ${#libclc_targets[@]} ]] || die "libclc target missing!"
+
+	libclc_targets=${libclc_targets[*]}
+	local mycmakeargs=(
+		-DLIBCLC_TARGETS_TO_BUILD="${libclc_targets// /;}"
+	)
+	cmake_src_configure
+}
diff --git a/dev-libs/libezV24/Manifest b/dev-libs/libezV24/Manifest
index 64d97212c968..c9665c4fa0b6 100644
--- a/dev-libs/libezV24/Manifest
+++ b/dev-libs/libezV24/Manifest
@@ -3,5 +3,5 @@ AUX libezV24-0.1.1-clang16-build-fix.patch 398 BLAKE2B c2dca10de1eb12cab625a235d
 AUX libezV24-0.1.1-test.patch 472 BLAKE2B 9e7b928e271fc7b963e3f8f82c818de06fc0a0477c972a143a48669c67dbcec9c83e70da6cd38ef37968d91d438439090fbdf7ff521e69291a555ced5cf7aa1f SHA512 f2bc15b6c99ad760215406f2a4fc2d230671d0bac9a8249b6ac25aaec4fba16c435ce0871f42ff41cd54d9d0d9e4a72fdc19dc84426ae594bf9293b1b6efe906
 DIST libezV24-0.1.1.tar.gz 50515 BLAKE2B 5a4dfdb4e4875203cfc2c06a1d5966d79c84407539ad3b3419aea04e7fcfc5ba05e6e69d1a09d999a1c8820f35bd5adc7fe3d833ceb739e52f1246491d339034 SHA512 99b277a04354e2587567ae5f1ebc99e41d127ec94bf5de53021b94df8d731ce2f2ceacedd8b7fa29902cf98f5c4243bddaa96636e1f900f1434a3da857b0e6c5
 EBUILD libezV24-0.1.1-r2.ebuild 781 BLAKE2B 9b932e17c6474361d65aacda25b6d2951e3d2775880b0fed5ffd8b01b91cfe5e6ee1728ed73c8270e3a94d26d8a15d7a705479244f6be86981f87ca963f8f0aa SHA512 dc5755a891caf969c2d36c055b6d9d81bddf5b50925cc6ae70871500a932ce998c8d3ec80054b206d518a484b8979b85b1b3c7d1488f1a65c495e898ad08eb6b
-EBUILD libezV24-0.1.1-r3.ebuild 830 BLAKE2B 26cc7364785ae76930aa2421e950624f2b9911252e361ec36d7673279f17063464cc4c7d7323da27df6b58224778cc5c130db374b675a98a6bec28fd11ffb6a8 SHA512 56f81e6796d85c04c22874540e201545b1a8237b957fa7bf843a367576c29014d09032abd4465d1475381e9a9fe514777d17262cf110e85a9aed28de7497c291
+EBUILD libezV24-0.1.1-r3.ebuild 827 BLAKE2B 9a0c322ed7deba2605c67c3bd72f20eb73c9800ed041f0f0560632cd53a9925723ff02b49b5d896c9f7e793b0e419acf7cc47a384f234b6d6761622a1799a235 SHA512 b7a51edbcc6048d2457c9eaeb5827c6f9353ebd766a075871f22e9dcd242b7a5fc2dada39d57ea338a430c0dab09fd3c8a696dea80728a2e50008b5dacc642c1
 MISC metadata.xml 642 BLAKE2B 04978c981fef1717c72251342c16b4dc72968cc4f3d799e465c8206ed7578b025b938ab6ae0f62ddb63055e7af101008f883b8722d24c95ce18fa63e78c42dff SHA512 fb11d8c2945b522ef3edaa6b7a5733f5cb3a4212986738006abffda5451026e39c6f478c2fa49a9667f0c6921b97e6ebf9b8f923dae76631ec4a973a11a63f16
diff --git a/dev-libs/libezV24/libezV24-0.1.1-r3.ebuild b/dev-libs/libezV24/libezV24-0.1.1-r3.ebuild
index 155857191831..a87bbb6163d3 100644
--- a/dev-libs/libezV24/libezV24-0.1.1-r3.ebuild
+++ b/dev-libs/libezV24/libezV24-0.1.1-r3.ebuild
@@ -11,7 +11,7 @@ SRC_URI="https://downloads.sourceforge.net/ezv24/${P}.tar.gz"
 
 LICENSE="GPL-2+"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~ppc ~sparc ~x86"
+KEYWORDS="~alpha amd64 ppc sparc ~x86"
 
 HTML_DOCS=( api-html/. )
 
diff --git a/dev-libs/libxml2/Manifest b/dev-libs/libxml2/Manifest
index 487ec9543abf..12c88c04bb47 100644
--- a/dev-libs/libxml2/Manifest
+++ b/dev-libs/libxml2/Manifest
@@ -8,7 +8,7 @@ DIST xsts-2002-01-16.tar.gz 6894439 BLAKE2B 1e9ec63d2c104655e64249e07440a04d862f
 DIST xsts-2004-01-14.tar.gz 2761085 BLAKE2B 41545995fb3a65d053257c376c07d45ffd1041a433bfbdb46d4dd87a5afb60c18c8629a3d988323f9e7a1d709775b5a7e5930276a7121c0725a22705c0976e36 SHA512 32854388d7e720ad67156baf50bf2bae7bd878ca3e35fd7e44e57cad3f434f69d56bbbedd61509f8a1faf01c9eae74a078df8fe130780b182c05c05cb1c39ebe
 EBUILD libxml2-2.11.8.ebuild 5304 BLAKE2B 44f59056495a1966c03fd4eb82680df47960c76e3a924beac84bf4d3dfe1d50434acd50f340f4d62ecae90e3efcc1f230004fd169b2d145ac6a7f3d72ccaf50f SHA512 c703801b7954c6d8ff13cf7dd0fe90547f01eaad15ba3383c1b281a1ec13570408ebfb247a9a4571c2f3af59a6c556d5c4c6adab2503150684eb0d9e4c0b0b2f
 EBUILD libxml2-2.12.7.ebuild 5242 BLAKE2B 066d0fd7da19ba07befec679c048461a9284a7b5b02995c60eeda98a51a753ba6b6c7f9296d277c400f5dab3a04f5eaf94434af30f495e9193714cfe2e32ba56 SHA512 594aaa591bef6312ef7f6207ca5e4b7bf4906b20b4775702039ac633c9df531a7ff3c7a9a7974195c589a584132bc038c7b77cae361c714f3df7432522703978
-EBUILD libxml2-2.12.8.ebuild 5247 BLAKE2B d7f94bf779edde5f648bdb11e16666b62212262720c4f03de7869c35cbf3c14bc4b5b4f0c6bf24541c068588ae79d27e2d022e8be69244a1bfcb37262da4d751 SHA512 2ef508dada46e7686b521b368e97d07fbdf7ba8522aa1590c45bd9a92add4d83a037ca7fdbe58d23fb32d82cf7c86790573acad2bff10477682c114db030d359
+EBUILD libxml2-2.12.8.ebuild 5245 BLAKE2B 498c7a159c21d2b30bce8ff66d5d12ac3a084a38b474c7c2c3c1dcc71750772f379d44373aa6d989b38095a805de5561643e97783096cbee99ce48dfd0c10190 SHA512 95615d7355be4c4e0e98ab0e183bcc15236ce3382c1a64cedfe21f8439bf6b20d0f814f77108313d663ea3540f8473e344d7d7392522b872d806354078c5d2ed
 EBUILD libxml2-2.13.1.ebuild 4900 BLAKE2B 32890de288b57921b2966cd23846a048b6d6e62a488f1ec497f4545f0821080d12f1638326bc9ce62e49d3c322a393fd06b9312204b2294477dc1a74207c13fd SHA512 55f42a4127318739bc9c35d6f09dbec8e29fe80b5fd27cc3db873c042748f1a5da8356a2e8e7bf7b49f86de24a57d8795ae465d65c5d2cb85835ff314b8ea5a7
 EBUILD libxml2-9999.ebuild 4900 BLAKE2B 32890de288b57921b2966cd23846a048b6d6e62a488f1ec497f4545f0821080d12f1638326bc9ce62e49d3c322a393fd06b9312204b2294477dc1a74207c13fd SHA512 55f42a4127318739bc9c35d6f09dbec8e29fe80b5fd27cc3db873c042748f1a5da8356a2e8e7bf7b49f86de24a57d8795ae465d65c5d2cb85835ff314b8ea5a7
 MISC metadata.xml 519 BLAKE2B 528be4ec79b54eaed229c84c96656266acffaa2ab68c7b1e6daecdee77bb1109ea56babceff0459125e04326425be28f436a78f697c363920102b94aca25179d SHA512 85804c662dd019e6c4cad05bb691b2058c9b93c190c57a7b4cc2674bee71a805da41159184c1bae9954700e52b41bb104a2d1e66ea4d1799463626befb691d11
diff --git a/dev-libs/libxml2/libxml2-2.12.8.ebuild b/dev-libs/libxml2/libxml2-2.12.8.ebuild
index 0ebbfcffb86b..1bcd043546e0 100644
--- a/dev-libs/libxml2/libxml2-2.12.8.ebuild
+++ b/dev-libs/libxml2/libxml2-2.12.8.ebuild
@@ -23,7 +23,7 @@ if [[ ${PV} == 9999 ]] ; then
 	inherit autotools git-r3
 else
 	inherit gnome.org libtool
-	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
 fi
 
 SRC_URI+="
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index 86c0306483a9..2ae9645b37e8 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -4,10 +4,14 @@ AUX openssl-1.1.0j-parallel_install_fix.patch 515 BLAKE2B a1bcffce4dc9e0566e21e7
 AUX openssl-1.1.1i-riscv32.patch 2557 BLAKE2B 97e51303706ee96d3fae46959b91d1021dcbb3efa421866f6e09bbee6287aae95c6f5d9498bd9d8974b0de747ef696242691cfebec90b31dc9e2cc31b41b81ec SHA512 f75ae1034bb9dda7f4959e8a5d6d0dae21200723d82aebfbea58bd1d7775ef4042e49fdf49d5738771d79d764e44a1b6e0da341d210ea51d21516bb3874b626a
 AUX openssl-3.0.13-CVE-2024-2511.patch 5256 BLAKE2B 6e07983af20fe00c448deb45777e67d18ff844309edb2a2130f9e916c0c7167c7f64c64abc3c8082121a96e7a13e6b1b3bfb4de25674ab9db71a8dbb3ce61d2a SHA512 9c762f2c5916b2e2c49bee56cf92d695b106eb535badb5818b77cd72f3ad6554ef24d58c0a161843821984c1d5d697757f72919f2d7903f8e15d8a541534b32f
 AUX openssl-3.0.13-p11-segfault.patch 2275 BLAKE2B 842cc10d6a81b2859729b0024dd82e538782defb2e3fa341986df6ed65c9e5b3be39647a7d95670356cd0f7bc2a5e0b27eb48d00078308922a32d2053a6c1756 SHA512 4575da2d5acfef90c7d28e096d541a812f74b4ff77887a7a251554d35ca5b9de1ac4117b9f8228ab240e8f64770d648dfadc7003a496d2b051728afab1ec779e
+AUX openssl-3.0.15-CVE-2024-9143.patch 7034 BLAKE2B 79963b250e9faa0a9764945d05f0598c0eda64ac87b12e545698d86c299c769b1ff8300f3289e620fe58183db0d1767834d6d146ce6cdacdeb58c137e88d79fa SHA512 6196f8c963c776ae3412ca76da51060d95e4f50cf1a1e4edb89edf9d32a7dd032a7f650445872a68a6f03dab4b75b601cae4c89e2fda9cf414c7ff26961433c2
+AUX openssl-3.1.7-CVE-2024-9143.patch 7033 BLAKE2B 1e2d8ea24fd68e2781808477d60773a3cca5bf122ba3c2a0efba12470126a5768a2f2fa0239a73965bf046644e93d6deecda17e4282243206095c42f3149fb5e SHA512 44185ace09adb75f8124f8a564d1f806fb6fd29e232a6c1f40b1508f510c8b481f86f06d03e169ed6dd2df1e535b723a2f9978199b20225a1e27f499054b7bc7
+AUX openssl-3.2.3-CVE-2024-9143.patch 7034 BLAKE2B 7f438bb531b09154368072f66e03fa4fa1c0f1d461ce8e89e942567e9cf60ce0d1986334cbd9c4d8e9b5ea5dc7c2ca0fa5dc111c965d99ebf6800afdd56820ab SHA512 7699ea05a139a7ddcbf68538cfb4329026d99ffa8eb3622b3f0faca92b287f571c6b76c24acd537a3406f209bf90a48704d11ed70d0e49c118d1591b9bae39d2
 AUX openssl-3.3.1-cmake-generator.patch 3263 BLAKE2B 1e6d31175e3ed8abd2b03c94255dbf58d5168038369fd68a98fdf03e3c6d8f74124dd6a7ffa894e492f74ff9440572ae4c04c144967436266033f725c5f7140f SHA512 3c3ae928a2d59489f1fb1d5a57977dbe650530d4715c0a116a2c59dc78385608e50814749d021b1fee51c9b2c0c5ec48631174946c6ca927e0fb5a8ac10514b6
 AUX openssl-3.3.1-pkg-config-deux.patch 12498 BLAKE2B f924e837317bd4a7b4af6e0e8b397915200fb69a7bc09ffd09ab4a860b43ec06b99635fa6ad4783de7d9fa12f9ef48f639e493646e9e7e1e1947c0c729846f81 SHA512 c9f4e93f96db28b7b586ea4d5007e71a13e1464e4c1d033bf1939c8030843727c0e73626affa94d3692a7d285a788ebfd1ce863fe5fd7027a560906a1b6e8b94
 AUX openssl-3.3.1-pkg-config.patch 982 BLAKE2B 77ec5ac862d5b47666e3234f5ef60323d02cbed4a0575e91a45f6f1727f1f0692fc470071622bf982f2875e91c50d9742eb423838702a0019b8c6f7fc2b80149 SHA512 0198461b726a7783d46c0c02cba747affd39245e2ce2577ea802376e1d2dd279eebe9446f30bc2db638d06db1dfacc9b297aa75bbe64ff6f8e22bde3c1063b36
 AUX openssl-3.3.1-riscv.patch 4413 BLAKE2B bf58837c05023bb34edaf6387a5d1f32b6216791643958e972d634d387031461780c34b9209b399f479d908a40ca3b593ea18b1fa80414802bfcdb80db21e1e7 SHA512 b46f2576be603007f767cb7350e3ec74e0ef0832bcc18e50f7b67010e673a6cdcd7099e99d85d53c6693af6b64260e5a92a9aa3f02be1d626421ab7ff73c6f6b
+AUX openssl-3.3.2-CVE-2024-9143.patch 7034 BLAKE2B 3800addbe31b551224032736f44b9cce721ad6897edfddc6a1db3599e7c7b94e1e4074db8da5883a4439944eb96511fdecae7634bac8ad9a5c2dd11dc2bdf895 SHA512 55449d68c57abc83295de5c869f5b65472c929a29befec7bf74797a3b902febc001535b3c06fe9792d09bd431e72f4d9a2079879c5766acc6adf1359b7d954aa
 DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
 DIST openssl-1.0.2u.tar.gz 5355412 BLAKE2B b2ff2a10e5851af5aca4093422a9a072c794e87b997263826c1c35910c040f695fac63decac5856cb49399ed03d410f97701d9fd4e1ebfbcacd8f3a74ce8bf57 SHA512 c455bb309e20e2c2d47fdc5619c734d107d5c8c38c1409903ce979acc120b0d5fa0312917c0aa0d630e402d092a703d4249643f36078e8528a3cafc9dac6ab32
@@ -35,11 +39,15 @@ EBUILD openssl-1.0.2u-r1.ebuild 9768 BLAKE2B 46d26e3dd92c898c6fe715e5d07b4e2e9c3
 EBUILD openssl-1.1.1w.ebuild 8230 BLAKE2B 6f6b6e79512141bac0507e76e61d341ccc4088c6f86a7979c48401d78dec8d6e90b54a73af63a956d1704fdda8ffc9c83f4a06254f6be51b8569f2856dfae2b3 SHA512 81087aa984e4b385da11d8c533a31ddb39c49c96b1e9e281ae57c6901c148cc8e226475b650ea58db8cb629f344c2449cd581aae548f7c30829ceb8b55897fa4
 EBUILD openssl-3.0.13-r2.ebuild 8576 BLAKE2B 088d34e456b6b5f9eb4238a1bb9f2b16b3feb42799fbc11436cd91bacc72f84c4ad49e25fcb1a12a8fda83abb071f7f1705eb90f5df6519e24b47ea966c03ca8 SHA512 f3a46b8ac9e9cf9f20466f2544a93eb7c9950eb128b524e78a42305b7b70663dfc7f7384553ae66a832f17643da35b6a4ec7d35c5ae86437c6bcd87cd7673088
 EBUILD openssl-3.0.14.ebuild 8486 BLAKE2B 27b4cae37a13133a70b9cc4c724d93ab7ac03f14e4fe200c7739fac82d37ae55f860aa9a90576a6fac8683e0dbcb7308ea4e1a36b9006506dffeb0240fead10f SHA512 6d9ed1a0dc7d7f9b18000958fef23e22dd9774d5f3275e107693a399bc491d7ce5f0389a9bc375a3c1b52399e3ef982758d414d306fbd123f57034b2aaff853d
+EBUILD openssl-3.0.15-r1.ebuild 8619 BLAKE2B ce93ad735b31627ca5306a69cf184bfed669b54cb027ae48a9bf30f34fec13538d2309f852d9a22d9ecbb3069b308150d7b15085d8253e35ee30444121c8a134 SHA512 ad80e3d4d6402c1c23bcd605dc1fa6e057ad0e86f3b28965349d6466e575456fad7b8fef0959542ca18ac0ddbf30b013063d6e0d3ad8a3d79ae918200356f02d
 EBUILD openssl-3.0.15.ebuild 8560 BLAKE2B 037351a0c38c0f9718d7d14504b30dfffb7b9c4c68247700bc76016518f038a90cb42ed42dcdcc7158610b1a763409e10ae9eb5d78384561f5a54831873357bf SHA512 ca5140f12ed72840385febe08735079b4100728d7007e38c9bedb8c94bfca21e4a786de1c0db8df4d6204b9227f6ccb7346167b42055583fe0c89c82be7fefcb
 EBUILD openssl-3.1.6.ebuild 8598 BLAKE2B d352f91f702031010fdd2e61eaa978e7225a6107495500176bfe2f144012734114de5f56ac7371c77d79f967e82433613117b640b1910351d5a63f84642105fe SHA512 06817408d50fb5323539bd7fb1a20add62f51221f77ab2ef6e2a1635daecb5bbfd4c9bbe220cb83779cc1b0d8007037be1e10069e48423fa0945b9e1751c188e
+EBUILD openssl-3.1.7-r1.ebuild 8653 BLAKE2B 8e5bd338024de4eb8f21ebf954855acea0f4bb35295d636ca0609dd42d21083553cee4a9db4201b6c498addb010191cc769feb618114289c64964d1eaff9e80d SHA512 5a3390c3bdf197f5a6d910d10dbedb1ccca0e03b6783a84bc108c6523744e2d0c989a83fffe7f0d4e3f2b611d480bdd4df12b51cde35aaea286da1aa363bb2ad
 EBUILD openssl-3.1.7.ebuild 8600 BLAKE2B e529f65f0160aad596a7e66eb65b6b420a691492f09b1fcbf1742199094f41961191a0660ddf7323e346d2ea86228d31f0a8a0805f90926a4f59892e5145b4c9 SHA512 7ce1f229410baeddb0a32e919e655283c474af04d963d72c6218c907dbada5aa73c87deec04ddee0253030a89211367bd5e968c68810d07c6b46138d37317ecf
 EBUILD openssl-3.2.2.ebuild 9243 BLAKE2B c496fe0830007cb6783f007942f482598d7679a1e2833204fbce25e4531200942196769e11c5857e8268c4fe9906d881d15751da9aecd273b260557d4a6d3e4f SHA512 609a7320b6c00e83e13b5c9563abd7cbc50d6c00bd7ff5d6588ccde4a016a72f73c911df7f75a9042f7ee52a0458bc494727dd30728ebe2954d1a7fd6cf0c726
+EBUILD openssl-3.2.3-r1.ebuild 9297 BLAKE2B 615433d9a0b42433b821768e3227928e4d6bbdd2f96b73189b01df41d4968c989f0f96105fca850ed528e47c9e8ba95559d26d0148109414d109dc2c26081830 SHA512 e49fdce217dd78e3a024ffdbed753b349717ce31c2d21dc006d8d88e6b8600260fd81be3cb5d37a87016925717242aa2391316ab18a685cc2a32ccd2436ee4c4
 EBUILD openssl-3.2.3.ebuild 9244 BLAKE2B ea5d608dc392835f979919ac1835e74520dc57e50f83981eb23877fd8d920583aa9bace217e8b74e33ca7be155ba00af48e5f584944d32d28caf1eb8efde7ef7 SHA512 2cc9092d801aabba5617fb9007e73e094bb31f7c4f18245a44ecc7113020595cbee702e58eb400ddc424ebc6e98f0ebef2e2a68e659463d0be6bf06350fad3d7
 EBUILD openssl-3.3.1-r3.ebuild 9612 BLAKE2B e2bf254aa80ec4140eb2d6f5b93d5bef4f29c9912449fb54da3eef9d10e3f9c786b39c312590890f927f95b17873ad28ae24e519be7810d9fd794122057ec0b7 SHA512 2a6b545fb6e5656c6c8002781d7ab33ae9e57855aaa16b916e3e4c47cf13f334ead4c4ad01caa154fa7ee7241158b4635c5361668944fc3be5fdee4b82c88c2c
+EBUILD openssl-3.3.2-r1.ebuild 9335 BLAKE2B ee18b06cf6fd1acb256d095cef2bb6b3195f3007662790a15474ad048d2adf151d35de306c4bd27511fd4e77920e330a7f4ea494a9b6a6983dfde28bf1d0130a SHA512 e550c59af18703b2dd905c066e61cd14f37b4b32acb87b4f04ec4588cb475290832a947f81902c42ef0c905a4cb7fbf0ca7fb58a428403c85ca082bc86901032
 EBUILD openssl-3.3.2.ebuild 9275 BLAKE2B fddbd7ff0e4ee9f77e24ccf879119e5cd19724d2378e82491c7d3373197e508e18f2aa3d262c140f0d1737ab81914ca1ca36ac7cbe74ce505b2a03c74a324adb SHA512 6140c91974bc1a26235fdb193cac17f42de9b2816516253ebddc186db81395ba682c7ac3e784475d4ab89959bcf3f9169580affbb12abe927266425edc076aa4
 MISC metadata.xml 1674 BLAKE2B 2195a6538e1b4ec953c707460988f153e40abe7495fd761403c9a54b44ecb7cb5c69ac37ac7d4d18bc0086cf9b4accaaac19926fe5b2ac4b2c547ce1c9e08a6d SHA512 d4eda999c1027f9d8102c59275665f5b01d234c4a7636755a6d3c64b9aad2a657d14256b1527d9b7067cb653458b058db7f5bb20873e48927291092d9ccdd1c6
diff --git a/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch
new file mode 100644
index 000000000000..252a24776ae8
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.0.15-CVE-2024-9143.patch
@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712
+
+From 72ae83ad214d2eef262461365a1975707f862712 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+
diff --git a/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch
new file mode 100644
index 000000000000..4f33ef000dca
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.1.7-CVE-2024-9143.patch
@@ -0,0 +1,192 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154
+
+From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
diff --git a/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch
new file mode 100644
index 000000000000..e84b0f6c353e
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.3-CVE-2024-9143.patch
@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700
+
+From bc7e04d7c8d509fb78fc0e285aa948fb0da04700 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+
diff --git a/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch b/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch
new file mode 100644
index 000000000000..5776c78bfbbf
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.2-CVE-2024-9143.patch
@@ -0,0 +1,193 @@
+https://bugs.gentoo.org/941643
+https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4
+
+From c0d3e4d32d2805f49bec30547f225bc4d092e1f4 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@openssl.org>
+Date: Thu, 19 Sep 2024 01:02:40 +1000
+Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse.
+
+The BN_GF2m_poly2arr() function converts characteristic-2 field
+(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask,
+to a compact array with just the exponents of the non-zero terms.
+
+These polynomials are then used in BN_GF2m_mod_arr() to perform modular
+reduction.  A precondition of calling BN_GF2m_mod_arr() is that the
+polynomial must have a non-zero constant term (i.e. the array has `0` as
+its final element).
+
+Internally, callers of BN_GF2m_poly2arr() did not verify that
+precondition, and binary EC curve parameters with an invalid polynomial
+could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr().
+
+The precondition is always true for polynomials that arise from the
+standard form of EC parameters for characteristic-two fields (X9.62).
+See the "Finite Field Identification" section of:
+
+    https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html
+
+The OpenSSL GF(2^m) code supports only the trinomial and pentanomial
+basis X9.62 forms.
+
+This commit updates BN_GF2m_poly2arr() to return `0` (failure) when
+the constant term is zero (i.e. the input bitmask BIGNUM is not odd).
+
+Additionally, the return value is made unambiguous when there is not
+enough space to also pad the array with a final `-1` sentinel value.
+The return value is now always the number of elements (including the
+final `-1`) that would be filled when the output array is sufficiently
+large.  Previously the same count was returned both when the array has
+just enough room for the final `-1` and when it had only enough space
+for non-sentinel values.
+
+Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose
+degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against
+CPU exhausition attacks via excessively large inputs.
+
+The above issues do not arise in processing X.509 certificates.  These
+generally have EC keys from "named curves", and RFC5840 (Section 2.1.1)
+disallows explicit EC parameters.  The TLS code in OpenSSL enforces this
+constraint only after the certificate is decoded, but, even if explicit
+parameters are specified, they are in X9.62 form, which cannot represent
+problem values as noted above.
+
+Initially reported as oss-fuzz issue 71623.
+
+A closely related issue was earlier reported in
+<https://github.com/openssl/openssl/issues/19826>.
+
+Severity: Low, CVE-2024-9143
+
+Reviewed-by: Matt Caswell <matt@openssl.org>
+Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
+Reviewed-by: Paul Dale <ppzgs1@gmail.com>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/25639)
+
+(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2)
+--- a/crypto/bn/bn_gf2m.c
++++ b/crypto/bn/bn_gf2m.c
+@@ -15,6 +15,7 @@
+ #include "bn_local.h"
+ 
+ #ifndef OPENSSL_NO_EC2M
++# include <openssl/ec.h>
+ 
+ /*
+  * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should
+@@ -1130,16 +1131,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ /*
+  * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i *
+  * x^i) into an array of integers corresponding to the bits with non-zero
+- * coefficient.  Array is terminated with -1. Up to max elements of the array
+- * will be filled.  Return value is total number of array elements that would
+- * be filled if array was large enough.
++ * coefficient.  The array is intended to be suitable for use with
++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be
++ * zero.  This translates to a requirement that the input BIGNUM `a` is odd.
++ *
++ * Given sufficient room, the array is terminated with -1.  Up to max elements
++ * of the array will be filled.
++ *
++ * The return value is total number of array elements that would be filled if
++ * array was large enough, including the terminating `-1`.  It is `0` when `a`
++ * is not odd or the constant term is zero contrary to requirement.
++ *
++ * The return value is also `0` when the leading exponent exceeds
++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks,
+  */
+ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+ {
+     int i, j, k = 0;
+     BN_ULONG mask;
+ 
+-    if (BN_is_zero(a))
++    if (!BN_is_odd(a))
+         return 0;
+ 
+     for (i = a->top - 1; i >= 0; i--) {
+@@ -1157,12 +1168,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max)
+         }
+     }
+ 
+-    if (k < max) {
++    if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS)
++        return 0;
++
++    if (k < max)
+         p[k] = -1;
+-        k++;
+-    }
+ 
+-    return k;
++    return k + 1;
+ }
+ 
+ /*
+--- a/test/ec_internal_test.c
++++ b/test/ec_internal_test.c
+@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void)
+ }
+ 
+ #ifndef OPENSSL_NO_EC2M
++/* Test that decoding of invalid GF2m field parameters fails. */
++static int ec2m_field_sanity(void)
++{
++    int ret = 0;
++    BN_CTX *ctx = BN_CTX_new();
++    BIGNUM *p, *a, *b;
++    EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL;
++
++    TEST_info("Testing GF2m hardening\n");
++
++    BN_CTX_start(ctx);
++    p = BN_CTX_get(ctx);
++    a = BN_CTX_get(ctx);
++    if (!TEST_ptr(b = BN_CTX_get(ctx))
++        || !TEST_true(BN_one(a))
++        || !TEST_true(BN_one(b)))
++        goto out;
++
++    /* Even pentanomial value should be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf2)))
++        goto out;
++    if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Zero constant term accepted in GF2m polynomial");
++
++    /* Odd hexanomial should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0xf3)))
++        goto out;
++    if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("Hexanomial accepted as GF2m polynomial");
++
++    /* Excessive polynomial degree should also be rejected */
++    if (!TEST_true(BN_set_word(p, 0x71))
++        || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1)))
++        goto out;
++    if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx)))
++        TEST_error("GF2m polynomial degree > %d accepted",
++                   OPENSSL_ECC_MAX_FIELD_BITS);
++
++    ret = group1 == NULL && group2 == NULL && group3 == NULL;
++
++ out:
++    EC_GROUP_free(group1);
++    EC_GROUP_free(group2);
++    EC_GROUP_free(group3);
++    BN_CTX_end(ctx);
++    BN_CTX_free(ctx);
++
++    return ret;
++}
++
+ /* test EC_GF2m_simple_method directly */
+ static int field_tests_ec2_simple(void)
+ {
+@@ -443,6 +493,7 @@ int setup_tests(void)
+     ADD_TEST(field_tests_ecp_simple);
+     ADD_TEST(field_tests_ecp_mont);
+ #ifndef OPENSSL_NO_EC2M
++    ADD_TEST(ec2m_field_sanity);
+     ADD_TEST(field_tests_ec2_simple);
+ #endif
+     ADD_ALL_TESTS(field_tests_default, crv_len);
+
diff --git a/dev-libs/openssl/openssl-3.0.15-r1.ebuild b/dev-libs/openssl/openssl-3.0.15-r1.ebuild
new file mode 100644
index 000000000000..98d175f95d2e
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.0.15-r1.ebuild
@@ -0,0 +1,287 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
+	"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/3" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile || die
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308
+	append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
diff --git a/dev-libs/openssl/openssl-3.1.7-r1.ebuild b/dev-libs/openssl/openssl-3.1.7-r1.ebuild
new file mode 100644
index 000000000000..5ca73111c8f3
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.1.7-r1.ebuild
@@ -0,0 +1,288 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
+	"
+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308
+	append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
diff --git a/dev-libs/openssl/openssl-3.2.3-r1.ebuild b/dev-libs/openssl/openssl-3.2.3-r1.ebuild
new file mode 100644
index 000000000000..9e0ddd974047
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.2.3-r1.ebuild
@@ -0,0 +1,306 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
+	"
+
+	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308 -- check inserts GNU ld-compatible arguments
+	[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+
+	if multilib_is_native_abi; then
+		emake build_docs
+	fi
+}
+
+multilib_src_test() {
+	# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+	#
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	#
+	# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+	# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+	# controls running the tests.
+	emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
diff --git a/dev-libs/openssl/openssl-3.3.2-r1.ebuild b/dev-libs/openssl/openssl-3.3.2-r1.ebuild
new file mode 100644
index 000000000000..8014cc0dea66
--- /dev/null
+++ b/dev-libs/openssl/openssl-3.3.2-r1.ebuild
@@ -0,0 +1,304 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
+
+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
+HOMEPAGE="https://openssl-library.org/"
+
+MY_P=${P/_/-}
+
+if [[ ${PV} == 9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"
+
+	inherit git-r3
+else
+	SRC_URI="
+		https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+		verify-sig? (
+			https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+		)
+	"
+
+	if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+	fi
+fi
+
+S="${WORKDIR}"/${MY_P}
+
+LICENSE="Apache-2.0"
+SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
+IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+RESTRICT="!test? ( test )"
+
+COMMON_DEPEND="
+	!<net-misc/openssh-9.2_p1-r3
+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
+"
+BDEPEND="
+	>=dev-lang/perl-5
+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )
+	test? (
+		sys-apps/diffutils
+		app-alternatives/bc
+		sys-process/procps
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
+DEPEND="${COMMON_DEPEND}"
+RDEPEND="${COMMON_DEPEND}"
+PDEPEND="app-misc/ca-certificates"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/openssl/configuration.h
+)
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2024-9143.patch
+)
+
+pkg_setup() {
+	if use ktls ; then
+		if kernel_is -lt 4 18 ; then
+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
+		else
+			CONFIG_CHECK="~TLS ~TLS_DEVICE"
+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
+			use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
+
+			linux-info_pkg_setup
+		fi
+	fi
+
+	[[ ${MERGE_TYPE} == binary ]] && return
+
+	# must check in pkg_setup; sysctl doesn't work with userpriv!
+	if use test && use sctp ; then
+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
+		# if sctp.auth_enable is not enabled.
+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
+		fi
+	fi
+}
+
+src_unpack() {
+	# Can delete this once test fix patch is dropped
+	if use verify-sig ; then
+		# Needed for downloaded patch (which is unsigned, which is fine)
+		verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
+	fi
+
+	default
+}
+
+src_prepare() {
+	# Make sure we only ever touch Makefile.org and avoid patching a file
+	# that gets blown away anyways by the Configure script in src_configure
+	rm -f Makefile || die
+
+	if ! use vanilla ; then
+		PATCHES+=(
+			# Add patches which are Gentoo-specific customisations here
+		)
+	fi
+
+	default
+
+	if use test && use sctp && has network-sandbox ${FEATURES} ; then
+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
+		rm test/recipes/80-test_ssl_new.t || die
+	fi
+
+	# Test fails depending on kernel configuration, bug #699134
+	rm test/recipes/30-test_afalg.t || die
+}
+
+src_configure() {
+	# Keep this in sync with app-misc/c_rehash
+	SSL_CNF_DIR="/etc/ssl"
+
+	# Quiet out unknown driver argument warnings since openssl
+	# doesn't have well-split CFLAGS and we're making it even worse
+	# and 'make depend' uses -Werror for added fun (bug #417795 again)
+	tc-is-clang && append-flags -Qunused-arguments
+
+	# We really, really need to build OpenSSL w/ strict aliasing disabled.
+	# It's filled with violations and it *will* result in miscompiled
+	# code. This has been in the ebuild for > 10 years but even in 2022,
+	# it's still relevant:
+	# - https://github.com/llvm/llvm-project/issues/55255
+	# - https://github.com/openssl/openssl/issues/12247
+	# - https://github.com/openssl/openssl/issues/18225
+	# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
+	# Don't remove the no strict aliasing bits below!
+	filter-flags -fstrict-aliasing
+	append-flags -fno-strict-aliasing
+	# The OpenSSL developers don't test with LTO right now, it leads to various
+	# warnings/errors (which may or may not be false positives), it's considered
+	# unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
+	filter-lto
+
+	append-flags $(test-flags-CC -Wa,--noexecstack)
+
+	# bug #895308 -- check inserts GNU ld-compatible arguments
+	[[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+	# Configure doesn't respect LIBS
+	export LDLIBS="${LIBS}"
+
+	# bug #197996
+	unset APPS
+	# bug #312551
+	unset SCRIPTS
+	# bug #311473
+	unset CROSS_COMPILE
+
+	tc-export AR CC CXX RANLIB RC
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
+
+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
+
+	# See if our toolchain supports __uint128_t.  If so, it's 64bit
+	# friendly and can use the nicely optimized code paths, bug #460790.
+	#local ec_nistp_64_gcc_128
+	#
+	# Disable it for now though (bug #469976)
+	# Do NOT re-enable without substantial discussion first!
+	#
+	#echo "__uint128_t i;" > "${T}"/128.c
+	#if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
+	#       ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
+	#fi
+
+	local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
+	einfo "Using configuration: ${sslout:-(openssl knows best)}"
+
+	# https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
+	local myeconfargs=(
+		${sslout}
+
+		$(multilib_is_native_abi || echo "no-docs")
+		$(use cpu_flags_x86_sse2 || echo "no-sse2")
+		enable-camellia
+		enable-ec
+		enable-ec2m
+		enable-sm2
+		enable-srp
+		$(use elibc_musl && echo "no-async")
+		enable-idea
+		enable-mdc2
+		enable-rc5
+		$(use fips && echo "enable-fips")
+		$(use quic && echo "enable-quic")
+		$(use_ssl asm)
+		$(use_ssl ktls)
+		$(use_ssl rfc3779)
+		$(use_ssl sctp)
+		$(use test || echo "no-tests")
+		$(use_ssl tls-compression zlib)
+		$(use_ssl weak-ssl-ciphers)
+
+		--prefix="${EPREFIX}"/usr
+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}
+		--libdir=$(get_libdir)
+
+		shared
+		threads
+	)
+
+	edo perl "${S}/Configure" "${myeconfargs[@]}"
+}
+
+multilib_src_compile() {
+	emake build_sw
+}
+
+multilib_src_test() {
+	# See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+	#
+	# VFP = show subtests verbosely and show failed tests verbosely
+	# Normal V=1 would show everything verbosely but this slows things down.
+	#
+	# -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+	# shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+	# controls running the tests.
+	emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+}
+
+multilib_src_install() {
+	# Only -j1 is supported for the install targets:
+	# https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+	emake DESTDIR="${D}" -j1 install_sw
+	if use fips; then
+		emake DESTDIR="${D}" -j1 install_fips
+		# Regen this in pkg_preinst, bug 900625
+		rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
+	fi
+
+	if multilib_is_native_abi; then
+		emake DESTDIR="${D}" -j1 install_ssldirs
+		emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
+	fi
+
+	# This is crappy in that the static archives are still built even
+	# when USE=static-libs. But this is due to a failing in the openssl
+	# build system: the static archives are built as PIC all the time.
+	# Only way around this would be to manually configure+compile openssl
+	# twice; once with shared lib support enabled and once without.
+	if ! use static-libs ; then
+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
+	fi
+}
+
+multilib_src_install_all() {
+	# openssl installs perl version of c_rehash by default, but
+	# we provide a shell version via app-misc/c_rehash
+	rm "${ED}"/usr/bin/c_rehash || die
+
+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
+
+	# Create the certs directory
+	keepdir ${SSL_CNF_DIR}/certs
+
+	# bug #254521
+	dodir /etc/sandbox.d
+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
+
+	diropts -m0700
+	keepdir ${SSL_CNF_DIR}/private
+}
+
+pkg_preinst() {
+	if use fips; then
+		# Regen fipsmodule.cnf, bug 900625
+		ebegin "Running openssl fipsinstall"
+		"${ED}/usr/bin/openssl" fipsinstall -quiet \
+			-out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
+			-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
+		eend $?
+	fi
+
+	preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}
+
+pkg_postinst() {
+	ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
+	openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
+	eend $?
+
+	preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+		/usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
+}