Diffstat (limited to 'dev-libs/openssl')
-rw-r--r--dev-libs/openssl/Manifest33
-rw-r--r--dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch137
-rw-r--r--dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch78
-rw-r--r--dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch137
-rw-r--r--dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch79
-rw-r--r--dev-libs/openssl/files/openssl-3.2.1-riscv.patch70
-rw-r--r--dev-libs/openssl/files/openssl-3.2.1-s390x.patch31
-rw-r--r--dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch55
-rw-r--r--dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch303
-rw-r--r--dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch31
-rw-r--r--dev-libs/openssl/openssl-1.0.2u-r1.ebuild2
-rw-r--r--dev-libs/openssl/openssl-1.1.1w.ebuild2
-rw-r--r--dev-libs/openssl/openssl-3.0.13-r2.ebuild2
-rw-r--r--dev-libs/openssl/openssl-3.0.14.ebuild2
-rw-r--r--dev-libs/openssl/openssl-3.1.5-r2.ebuild286
-rw-r--r--dev-libs/openssl/openssl-3.1.6.ebuild8
-rw-r--r--dev-libs/openssl/openssl-3.2.1-r2.ebuild308
-rw-r--r--dev-libs/openssl/openssl-3.2.2.ebuild10
-rw-r--r--dev-libs/openssl/openssl-3.3.1-r1.ebuild (renamed from dev-libs/openssl/openssl-3.3.1.ebuild)14
-rw-r--r--dev-libs/openssl/openssl-3.3.1-r3.ebuild (renamed from dev-libs/openssl/openssl-3.3.0.ebuild)24
20 files changed, 441 insertions, 1171 deletions
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index f776346fe402..d5dc57286d2f 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -4,12 +4,9 @@ AUX openssl-1.1.0j-parallel_install_fix.patch 515 BLAKE2B a1bcffce4dc9e0566e21e7
AUX openssl-1.1.1i-riscv32.patch 2557 BLAKE2B 97e51303706ee96d3fae46959b91d1021dcbb3efa421866f6e09bbee6287aae95c6f5d9498bd9d8974b0de747ef696242691cfebec90b31dc9e2cc31b41b81ec SHA512 f75ae1034bb9dda7f4959e8a5d6d0dae21200723d82aebfbea58bd1d7775ef4042e49fdf49d5738771d79d764e44a1b6e0da341d210ea51d21516bb3874b626a
AUX openssl-3.0.13-CVE-2024-2511.patch 5256 BLAKE2B 6e07983af20fe00c448deb45777e67d18ff844309edb2a2130f9e916c0c7167c7f64c64abc3c8082121a96e7a13e6b1b3bfb4de25674ab9db71a8dbb3ce61d2a SHA512 9c762f2c5916b2e2c49bee56cf92d695b106eb535badb5818b77cd72f3ad6554ef24d58c0a161843821984c1d5d697757f72919f2d7903f8e15d8a541534b32f
AUX openssl-3.0.13-p11-segfault.patch 2275 BLAKE2B 842cc10d6a81b2859729b0024dd82e538782defb2e3fa341986df6ed65c9e5b3be39647a7d95670356cd0f7bc2a5e0b27eb48d00078308922a32d2053a6c1756 SHA512 4575da2d5acfef90c7d28e096d541a812f74b4ff77887a7a251554d35ca5b9de1ac4117b9f8228ab240e8f64770d648dfadc7003a496d2b051728afab1ec779e
-AUX openssl-3.1.5-CVE-2024-2511.patch 5116 BLAKE2B f0c19c5d75636ae757c4fd8ef603817ea3c6d5e9f0df0a494b3f679999fcc9e3382959477ddd9945ee3fd795ba8d4e5b5f8b0c68416d96673cb49c2154c3fb53 SHA512 bf7825185b054f3d2fcd90573687cdce395e2f840a82daf0ce1c9d2e11b991582ff5478dc9aed3152dd6892a7e401274c7fc38d6e53e81e42cb7c471737078e3
-AUX openssl-3.1.5-p11-segfault.patch 2274 BLAKE2B 6a283f0ab89386435272b096893ec1835557c15a699d7579f12d33b95c692abb50bd03289d01ccd85dd56058931f5b0d55320d36cfe0a824521fde2218bba734 SHA512 9d9810f0d8b9163fa8fa58c6e47db47dbe392236ed6990e246185e10bc9e7af44007cc8cb7973706480b41a84e3479aefdcaf9b95f0ac041aaf88eb8c078a725
-AUX openssl-3.2.1-CVE-2024-2511.patch 5166 BLAKE2B 22ebed2ada20ee5c65d489677d270c079940b401582e3ff2dc06222b7a95084e81730dc78a154d98c72c64db237e4c63d5dee653aaf2821779c2729d0fe29833 SHA512 7ec3f0a127ea8f507a6292ac3f56d413e0df552d11795e4421db023516aaa1b1bb6e419b2b85c6940eb26b7ca93ad36a7e87cf2ef2e577e6ea094e2d191fd597
-AUX openssl-3.2.1-p11-segfault.patch 2275 BLAKE2B d47816615ece0d015be0a307db950cee1217a522570040a48b9a9a7f7a23927f73ba5633718937c07c90c9a49564e9acc00de239d156cf8632b473afcdba8705 SHA512 9ab62a72036f8fbae34e844e6b17ab3482259de24918279230c2e5daa373de8ee59bd17942c2f4b2dcf06b1bf31796dc539324055e1cded099f6d8630bc13fff
-AUX openssl-3.2.1-riscv.patch 3713 BLAKE2B 427a35e30768116b7d65f442c4b2b5ddf6cc7387dc69ec7311345336a59bb86984b45e5572bab67fecf159580b2321aec35db9c6306b74c2d76db51479d910b8 SHA512 e80a244e9674cbd250244aab16501ea5ab6a03efb44ea744ac109063dda003cc638d0eb6da4630f1c1d7eeabbbc14530b21e3c74608ac961141133b09f4795af
-AUX openssl-3.2.1-s390x.patch 1169 BLAKE2B ae115074de657f450813b329f3f52d19993734b753411be72b2793df8163402c54bb690d7e41ee7598ae500176eb4f57e108021dcfcbcfef81d9135f5ce41e3e SHA512 6c66c9387a13f772e24dbd794b79dc8fdd8fd81186e3d33c917bd45a6c4841a29e5e28643597e1e105b154c30d7b5814fe154895312241b7f793dc352913095c
+AUX openssl-3.3.1-cmake-generator.patch 3263 BLAKE2B 1e6d31175e3ed8abd2b03c94255dbf58d5168038369fd68a98fdf03e3c6d8f74124dd6a7ffa894e492f74ff9440572ae4c04c144967436266033f725c5f7140f SHA512 3c3ae928a2d59489f1fb1d5a57977dbe650530d4715c0a116a2c59dc78385608e50814749d021b1fee51c9b2c0c5ec48631174946c6ca927e0fb5a8ac10514b6
+AUX openssl-3.3.1-pkg-config-deux.patch 12498 BLAKE2B f924e837317bd4a7b4af6e0e8b397915200fb69a7bc09ffd09ab4a860b43ec06b99635fa6ad4783de7d9fa12f9ef48f639e493646e9e7e1e1947c0c729846f81 SHA512 c9f4e93f96db28b7b586ea4d5007e71a13e1464e4c1d033bf1939c8030843727c0e73626affa94d3692a7d285a788ebfd1ce863fe5fd7027a560906a1b6e8b94
+AUX openssl-3.3.1-pkg-config.patch 982 BLAKE2B 77ec5ac862d5b47666e3234f5ef60323d02cbed4a0575e91a45f6f1727f1f0692fc470071622bf982f2875e91c50d9742eb423838702a0019b8c6f7fc2b80149 SHA512 0198461b726a7783d46c0c02cba747affd39245e2ce2577ea802376e1d2dd279eebe9446f30bc2db638d06db1dfacc9b297aa75bbe64ff6f8e22bde3c1063b36
AUX openssl-3.3.1-riscv.patch 4413 BLAKE2B bf58837c05023bb34edaf6387a5d1f32b6216791643958e972d634d387031461780c34b9209b399f479d908a40ca3b593ea18b1fa80414802bfcdb80db21e1e7 SHA512 b46f2576be603007f767cb7350e3ec74e0ef0832bcc18e50f7b67010e673a6cdcd7099e99d85d53c6693af6b64260e5a92a9aa3f02be1d626421ab7ff73c6f6b
DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659
DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6
@@ -20,26 +17,18 @@ DIST openssl-3.0.13.tar.gz 15294843 BLAKE2B 869aa5f70a8c1d0cac6027e9261530df70ab
DIST openssl-3.0.13.tar.gz.asc 833 BLAKE2B 519515b6faa505d68ff9acc30db9515fac494145086fa5ad9561c39385a6fabb39ad9de10fedd49c8fc716ec59ea1b13ec5e6b466e549ea9f29b8d0bb74ba7b3 SHA512 c52d97c93d16f3ca2a7026fb25890482b6d86c37b5ab686c56b0e08522743ec4ea3f84afa4deb64b0df0d9a16b557430c4d4139ab42ffcf97d769b61d1e6197c
DIST openssl-3.0.14.tar.gz 15305497 BLAKE2B 7426aea63d5495775c4a0440658cc9c46c4aa31c31473cd5519c2b1ca158e122634e0bbc275237d3eb124fc8bed3d58808d8ac1d228f24f7281d2630ff7813e0 SHA512 1c59c01e60da902a20780d71f1fa5055d4037f38c4bc3fb27ed5b91f211b36a6018055409441ad4df58b5e9232b2528240d02067272c3c9ccb8c221449ca9ac0
DIST openssl-3.0.14.tar.gz.asc 833 BLAKE2B 8a700452f6f698fbfa206469888fd72706f1798be212e712fd8a4c1ae87f0d98d54820974c64a3db3b5ac69d7beda665f462e83182337391212c0e72e1feb72e SHA512 003d17a2b71176517f5bfba6699c18b271111e5fec3effc275b965286140d1281fa6f5f5e6bcf63feca89dfa035ab776bda8d2af4b71ae921ca9e7a936581fb4
-DIST openssl-3.1.5.tar.gz 15663524 BLAKE2B a12eb88b0a4f2d927123e0d3ca7d2f80f2bdc867c710d24700fe39b631b93d90c73c3deceff151a9fa818ac88026eb798f3253f22d03c839ab9574086fa61eee SHA512 82e2ac6b3d9b03f8fc66d2ec421246e989eb702eb94586515abfb5afb5300391a0beedf6a2602f61ac10896b41e5608feeeeb4d37714fa17ac0f2ce465249fa9
-DIST openssl-3.1.5.tar.gz.asc 833 BLAKE2B 633502ec0a87074136d7ea42d9ac5f3df53523560d2a97410b5b57d28d916336da95ab5521c10f94202e3a0995331f0e17bdcf8843135634a5d5a95cfafc7b21 SHA512 48187bb8a7bdbd8b76fdcca736d2b03e2a89330b304eefb4e9620f570c741c60f2023307d8619ba1fa101a99223f94895e7be57ced6547a4fb06bd4c3677533a
DIST openssl-3.1.6.tar.gz 15672690 BLAKE2B 70112a7ece66bb6faf1a262c503c1df08924b8c1b9b08a1395856f903b1d1b4a38956b485e83415c29fafbf990ae8aced9b2fb0a2af84863b5c0a2a6581282cf SHA512 18ca07ee6a98d5fe46accfa0156e0354ad770d78bbbbe8e4bb92b316a0e4404f17a34eb700f17ed355d826a4b2166894aa46d8dd81fedbcb16aa1aad0926a390
DIST openssl-3.1.6.tar.gz.asc 833 BLAKE2B 24fbb26ccf60ede99b9ea6ef6a2a8f1ae89c7881c21eafafeae7a498332dbaf7e52c94b2c52247e34511cc4bd204e71a68aa1a6dab133376e1f15bf676ef58be SHA512 ef3ca59527ca7b00430c251df399ea2cbe47ef0deebf4158250baac8e575ea26582756228f12dd0f7009b55199b0134e77ec47ade9835f1785c74703aa84987e
-DIST openssl-3.2.1.tar.gz 17733249 BLAKE2B 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 SHA512 bab2b2419319f1feffaba4692f03edbf13b44d1090c6e075a2d69dad67a2d51e64e6edbf83456a26c83900a726d20d2c4ee4ead9c94b322fd0b536f3b5a863c4
-DIST openssl-3.2.1.tar.gz.asc 833 BLAKE2B a1d25fe30bf1804d13a8b6b98edf56be5bf744d9e2706f4169455c24efe2e3a361487d00d0d4bac240c3f0170693d77a39dd0d4ee5c792d2247aa00c47e74ebf SHA512 de39516c7b77612f33cdc830a8d13ef6bcd91c03d24a6ed105480f140f9e1ad7049844e234c96a516d62e0e33ce90442ffd0f309ea674884c735f04d8562f372
DIST openssl-3.2.2.tar.gz 17744472 BLAKE2B f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9 SHA512 ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d
DIST openssl-3.2.2.tar.gz.asc 833 BLAKE2B 09ef1766e771e1d7aac675a09bd9588ee9d76a1fe39794826fd5d9057ae41366a7e92fe81a40bc2fe19a309be612687d8ff760da3f3c44115e3b21b0342b5f46 SHA512 7a798e9c02d25510f4ec49b8956ebf4288760e1272bf327f36b253045ab2f50ac8042071f78984d1b463f07aa2b027f26ad2fbc31deacaac5658fc35437ddc66
-DIST openssl-3.3.0.tar.gz 18038030 BLAKE2B c68efaf8aca87961f396e305acc767b56d651b9adf4fd2c9d9b5a3266e35da4b856c6ed34be47d656c782aade975f20317a6759913b33d29d7eb088e638fa501 SHA512 1f9daeee6542e1b831c65f1f87befaef98ccedc3abc958c9d17f064ef771924c30849e3ff880f94eed4aaa9d81ea105e3bc8815e6d2e4d6b60b5e890f14fc5da
-DIST openssl-3.3.0.tar.gz.asc 833 BLAKE2B 207b9fd53de6f57fe24d6a6e5e9f735b7649258bb2873b6c1e29b7d2689c9a75774dbf09392be40f8a8ab240e4e6c745e2864155e8b0f2f3f5ca3b45051e869a SHA512 8750daa607e6bfd2326a4d4f04c9c04608d9fa852fc1515acf1fcf3d1ad33b8ba8435d9ef1ac3a032fecd09aa90446c53996045506bcfbddb7544bb61b26af24
DIST openssl-3.3.1.tar.gz 18055752 BLAKE2B b09bbe94f49c33015fbcee5f578a20c0da33c289791bf33292170d5d3de44ea2e22144ee11067947aef2733e979c0fded875a4ec92d81468285837053447e68e SHA512 d3682a5ae0721748c6b9ec2f1b74d2b1ba61ee6e4c0d42387b5037a56ef34312833b6abb522d19400b45d807dd65cc834156f5e891cb07fbaf69fcf67e1c595d
DIST openssl-3.3.1.tar.gz.asc 833 BLAKE2B e22c068dfcd0205f1cd27f965b76dcaf59bed61181523f198e40d61a4867b20a7636c853c427497559362a92766f430807f02b693821ac38daaa898946f2dba2 SHA512 ae2db74829b71a68e1fc86229396d76f60a9a98e6bba9adc62bdcf2581b60fb0e29ecde2b53a5686c452e754801568e05d3c4f47e8faf02219ac1aae78283338
-EBUILD openssl-1.0.2u-r1.ebuild 9899 BLAKE2B 49b2304764c6b0f3e2f2aa06deb9f918739c427dfaccf4ade8ae3d0bd6278d0dc0b8a97edee1cba528968d1cbd96ca0cfb3147c15bfc04322552017bee65b1ec SHA512 a3c6fd9a3fd6eeebc617a5cc05f8662e9dfc87d165d520bbaf873d788f164e54a719169c81fed140ccda076dffa4ac680c0e2fbea93e258957eafe31b2de244c
-EBUILD openssl-1.1.1w.ebuild 8233 BLAKE2B 4657e3e413f25f4503dbc5484e3d06e63c25c64f9132e3ce64629601f729380b6e1918d34f19e9269ac8ed066b2014d2163d54808e67476d033b2af1603cf609 SHA512 122f5d3e3577d9da17d0a49b38925d3fbbaab4117c116f37d0430463d5dcaa3803089cacbc5fddbc5466506eb6a59f1b5fef130dec200c5951f67d9d6c5b160b
-EBUILD openssl-3.0.13-r2.ebuild 8579 BLAKE2B 98d8a2d6365a80150fb3f4a061162f8c18d6195a8585a27ee6f1d71ee217f159d8699f485d1191305409f3dc44344758228d9f751c7f12aaa5efd9484fbf48e3 SHA512 94a298c01fcd5e48ea00079b2a039efb2165ff71153a6d1cf810555ab977e820754fd504a4d7dfe32f2e8764c0ac05696b57155531ec8dcdb158612efd7f2a8f
-EBUILD openssl-3.0.14.ebuild 8495 BLAKE2B 622335e6f8a5186131dc7f0b037127785bef026e843b376b03b37b53c5e8a3cdf52682627b18407329e0ac519eaa3533a394bdfdfcc6fba38ab7eee406316fa2 SHA512 1718ff8b1afddd18604863f0a3cce9675bf77d0e49d45c87405aaf5e4b40f5e7c00f78904ce9b67c92b941627e2addcb4c887b90701ffa406b87b350c5570548
-EBUILD openssl-3.1.5-r2.ebuild 8626 BLAKE2B ae09c41b277f416c8ad0180384fc3fbe7cee002e180ebb4817b6b4b2562a3b4782fe2e9240a275aff8c1a34d22160485dc1e6bac4a03546a3859d454a20b7cae SHA512 d7d687dd36f5839ac75c616f454fb8192d9826057638db17b6ea63dee11da6b5449d89d1a0cf47e0e67a98f51a5a46ca368770e0f03e3d77ce0642b1627d8d5b
-EBUILD openssl-3.1.6.ebuild 8534 BLAKE2B b0d0b4c64ad7b025272ac54150ef9ea18e6ab974d558c002098a058600d8aff9253fe9a5d9eb78866f7734e6b2c0cc3222141a7738c5b21311d8d64f0867e2b9 SHA512 6b2c1cb64541d043048864110d4eb35df6c9b45228a4224a9788ac392f59358e1fb62a6c821bc5c05af4cf7ba29b7a0bfbb7f8ef3fbeb619b5b97444b1daff39
-EBUILD openssl-3.2.1-r2.ebuild 9377 BLAKE2B d8a1bd16284002ec39c926bbe9da25c371e2b54f668146d68f72e8f210e1e0073c1bbeb243f9e24ae970023c207906141e7232e925be718ca244e71dc2f604e9 SHA512 9c6f800d565a7c615ce77e04501b0d9f78c4047465242b9bd6f2c64dc0e0b68a6ff0f3effbf70aba0fe0339455d40095609b4a0df33b07e5afbc7543fe9aef58
-EBUILD openssl-3.2.2.ebuild 9179 BLAKE2B c58b822d2c7a0c0f9b2eb985171472818d6719f2f4f7a87ce33f3cbc5d10decd98588357f7dfe64ec49f1b5e220cb26d334a6cd9e88bc35b3f9584f53c961974 SHA512 8dc73f143cad88806c3a3ae23e20ce88f45e24f8a862aabbb28f38f2be9342df188575ea6cf3530f854c7fdf39bc336a3da3c7983166e6825d838abb58c8e2c2
-EBUILD openssl-3.3.0.ebuild 9232 BLAKE2B 26a1b881b02d355802ff020f2d8797b74d7db61426f0254a30937112ba52988317cf9b58155c1d8fb7a662679d78cca80f484ce72fd66684590f85b2da07af67 SHA512 ecb11de2fa82c33911ab3c9500f942524b4831e7318d7cebacc14218f3b08cc379808ec64086475d2151fe7d5981fc775cd47a71ca0aba8a09c03df52e413413
-EBUILD openssl-3.3.1.ebuild 9185 BLAKE2B 7fb4e9e92c8cee1ffb972340511f91dd0d59e9bd08e30b4e467cad81e28998618d7b0c1970e510f2b9c56a5d36cef0f6513137033c128909bc01d595b3e53523 SHA512 7d3820c8a7d1b041edd9e913a7741d2664cddb475b7c87b5789532c060cdaac276ca35ed2523808d600c127c4553a134abf8e09acc7c6c82695e1260872baead
+EBUILD openssl-1.0.2u-r1.ebuild 9903 BLAKE2B 12f7aacfd006be85c50f523a7f1b8a1f9b4f4e2e9fc440f95cc68e615432f47fe8cd61705a518622bbbc075c51b4ee9040f1b6159e254aa23c325f6b41e02dac SHA512 71b6b5dec0ca3966622a2810d1cb98a0fd0e8c06966bf2d3b206b0a804c06a745aeb951a06e3ee1f9627fd39d8a87156ed96c059182c63a7f6bc78074f9f689b
+EBUILD openssl-1.1.1w.ebuild 8237 BLAKE2B 6c4bbae0266031cbc7018391e1c4a3172500d5e36d3769f5e4d016665614ee25946fdf94d0bac5b96588f3716970cb7e3748db4300c8b4889a9c1e2577e4b7ad SHA512 d1e41783bd1a95d0188559eb9214c5e6d681d3dd050e9c02b66b8972e482209a3c7cca7dd1e914e49a9f5a4140c4b3fa2576d7452fe5bf1888eaa47c0e51a1eb
+EBUILD openssl-3.0.13-r2.ebuild 8583 BLAKE2B 1650cdb16342b99131bc20f49df377cc8c5530980107de5386ba402e779837f16c968bc781f6247152f9d3d2bb73d4d0efd9c791bdec2064205b7e91770c1582 SHA512 6d91e8fd28a5ea5e79b2fa7670ddaceb64a2a7ebbd873f66b1317f6b1c90b44f9b1754ec4edd5185cc105fcd4b1846dfb40559595738e87bc4cd935deb0efef0
+EBUILD openssl-3.0.14.ebuild 8499 BLAKE2B 6498c24cdd33ead5aeb767f59902554fd3972d3bab8fcd3a87379a75807a669e917d9cdcf3897a8b29b60ce7f0bafd5c22a89184e3845755c900ed22456a8057 SHA512 1c4bfaa650a661a0018fa4fce3b7acdac7c0e912fea4a09036b1dc6a7434b9e03d2c456e6b643402c53b7971b11ddc9bab44141a9a3894d0a1235aa3b4750b45
+EBUILD openssl-3.1.6.ebuild 8605 BLAKE2B 841c614b3bcf87dc1129c15e5c413b77c137585fce4c314c47807af5ce6a79ce8296543abbb03857b4a1ef91fe1ee0d98f51bdeb697f04e5d6459c98d65f9dc2 SHA512 dd3061d7be29b22b14c3479541bf5d70ee1a0d5e5257e750dc967fcf693ea7543448ced2cc082281f7d8b5850d2c1ac5977a363b529e94e25f50f624e0bc1171
+EBUILD openssl-3.2.2.ebuild 9250 BLAKE2B 577dd9959d17f63e816f22d06d12379fd68d33f3eb66e4925f2a41dc2821e95aca9ef59558875410e0ad5558bc909e271ea6d7816d98045dd4fd0aabdb7a65ab SHA512 47d2e80fc4aa7fa16388e76ec07d026d2be79eafa2d2e7a52b6208b4ea11d14998d859ee8ecaedad81a528fa5127253b41a3ec23c2e0867c9c639b2947248cfb
+EBUILD openssl-3.3.1-r1.ebuild 9402 BLAKE2B 4e1431847648660915b24399ce6d865b13a9b48e35634092d0275563914136c2a636e622d10c210e5799d87c1566ca10deb5bc15ee1c076f42aef432e95b53b3 SHA512 e37404196b744d220dc791202c6c811147fea691135c9510162b7fc5f720259f6114c0ff91c060f810cdc29051382244db61fc703ca3db2c4bf41d239b3e34bb
+EBUILD openssl-3.3.1-r3.ebuild 9572 BLAKE2B eb123ad754eb0834bed0c58ee995da4a78945890555f547f24210c438e0e8fcb22cd83f8b3ffffbf6da14404e7f26091416648a881379c69624e5529db32ae2d SHA512 678c98c1b06f6f753181484d3a366cfbb09b9769033b3a5093f0c4468723f87df9363ce01ae9eaa7ac1ee7469c3eb922337a05cc385584dd5d30d64268cd0862
MISC metadata.xml 1674 BLAKE2B 2195a6538e1b4ec953c707460988f153e40abe7495fd761403c9a54b44ecb7cb5c69ac37ac7d4d18bc0086cf9b4accaaac19926fe5b2ac4b2c547ce1c9e08a6d SHA512 d4eda999c1027f9d8102c59275665f5b01d234c4a7636755a6d3c64b9aad2a657d14256b1527d9b7067cb653458b058db7f5bb20873e48927291092d9ccdd1c6
diff --git a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
deleted file mode 100644
index c5b7dfe449f7..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://www.openssl.org/news/secadv/20240408.txt
-https://bugs.gentoo.org/930047
-https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
-https://github.com/openssl/openssl/commit/c342f4b8bd2d0b375b0e22337057c2eab47d9b96
-
-From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24044)
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
-
- /*
- * If the session_id_length is 0, we are not supposed to cache it, and it
-- * would be rather hard to do anyway :-)
-+ * would be rather hard to do anyway :-). Also if the session has already
-+ * been marked as not_resumable we should not cache it for later reuse.
- */
-- if (s->session->session_id_length == 0)
-+ if (s->session->session_id_length == 0 || s->session->not_resumable)
- return;
-
- /*
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
- return ss;
- }
-
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
-- return ssl_session_dup(src, 1);
--}
--
- /*
- * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
- * ticket == 0 then no ticket information is duplicated, otherwise it is.
- */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
- SSL_SESSION *dest;
-
-@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
- return NULL;
- }
-
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+ return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+ if (sess != NULL)
-+ sess->not_resumable = 0;
-+
-+ return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if (len)
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
- * so the following won't overwrite an ID that we're supposed
- * to send back.
- */
-- if (s->session->not_resumable ||
-- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-- && !s->hit))
-+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+ && !s->hit)
- s->session->session_id_length = 0;
-
- if (usetls13) {
-
-From c342f4b8bd2d0b375b0e22337057c2eab47d9b96 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24044)
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -533,6 +533,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
- ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, &copy);
-
- if (ret != NULL) {
-+ if (ret->not_resumable) {
-+ /* If its not resumable then ignore this session */
-+ if (!copy)
-+ SSL_SESSION_free(ret);
-+ return NULL;
-+ }
- ssl_tsan_counter(s->session_ctx,
- &s->session_ctx->stats.sess_cb_hit);
-
diff --git a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
deleted file mode 100644
index 50bc63ef2d14..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/0058a55407d824d5b55ecc0a1cbf8931803dc238
-
-From 0058a55407d824d5b55ecc0a1cbf8931803dc238 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
- ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
- return NULL;
- }
-- /* We enforce check for legacy key */
-- switch (EVP_PKEY_get_id(pkey)) {
-- case EVP_PKEY_RSA:
-- {
-- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
-- EVP_PKEY_set1_RSA(pkey, rsa);
-- RSA_free(rsa);
-- }
-- break;
--# ifndef OPENSSL_NO_EC
-- case EVP_PKEY_SM2:
-- case EVP_PKEY_EC:
-- {
-- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
-- EVP_PKEY_set1_EC_KEY(pkey, ec);
-- EC_KEY_free(ec);
-- }
-- break;
--# endif
--# ifndef OPENSSL_NO_DSA
-- case EVP_PKEY_DSA:
-- {
-- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
-- EVP_PKEY_set1_DSA(pkey, dsa);
-- DSA_free(dsa);
-- }
-- break;
--#endif
--# ifndef OPENSSL_NO_DH
-- case EVP_PKEY_DH:
-- {
-- DH *dh = EVP_PKEY_get1_DH(pkey);
-- EVP_PKEY_set1_DH(pkey, dh);
-- DH_free(dh);
-- }
-- break;
--#endif
-- default:
-- /*Do nothing */
-- break;
-- }
--
- return pkey;
- }
-
diff --git a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
deleted file mode 100644
index d5b40447d745..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://www.openssl.org/news/secadv/20240408.txt
-https://bugs.gentoo.org/930047
-https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
-https://github.com/openssl/openssl/commit/4d67109432646c113887b0aa8091fb0d1b3057e6
-
-From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24043)
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
-
- /*
- * If the session_id_length is 0, we are not supposed to cache it, and it
-- * would be rather hard to do anyway :-)
-+ * would be rather hard to do anyway :-). Also if the session has already
-+ * been marked as not_resumable we should not cache it for later reuse.
- */
-- if (s->session->session_id_length == 0)
-+ if (s->session->session_id_length == 0 || s->session->not_resumable)
- return;
-
- /*
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
- return ss;
- }
-
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
-- return ssl_session_dup(src, 1);
--}
--
- /*
- * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
- * ticket == 0 then no ticket information is duplicated, otherwise it is.
- */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
- SSL_SESSION *dest;
-
-@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
- return NULL;
- }
-
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+ return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+ if (sess != NULL)
-+ sess->not_resumable = 0;
-+
-+ return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if (len)
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
- * so the following won't overwrite an ID that we're supposed
- * to send back.
- */
-- if (s->session->not_resumable ||
-- (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
-- && !s->hit))
-+ if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+ && !s->hit)
- s->session->session_id_length = 0;
-
- if (usetls13) {
-
-From 4d67109432646c113887b0aa8091fb0d1b3057e6 Mon Sep 17 00:00:00 2001
-From: Matt Caswell <matt@openssl.org>
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/24043)
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
- sess_id, sess_id_len, &copy);
-
- if (ret != NULL) {
-+ if (ret->not_resumable) {
-+ /* If its not resumable then ignore this session */
-+ if (!copy)
-+ SSL_SESSION_free(ret);
-+ return NULL;
-+ }
- ssl_tsan_counter(s->session_ctx,
- &s->session_ctx->stats.sess_cb_hit);
-
diff --git a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
deleted file mode 100644
index 59e785caac7c..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
-
-From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz <tomas@openssl.org>
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
-Reviewed-by: Neil Horman <nhorman@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
- ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
- return NULL;
- }
-- /* We enforce check for legacy key */
-- switch (EVP_PKEY_get_id(pkey)) {
-- case EVP_PKEY_RSA:
-- {
-- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
-- EVP_PKEY_set1_RSA(pkey, rsa);
-- RSA_free(rsa);
-- }
-- break;
--# ifndef OPENSSL_NO_EC
-- case EVP_PKEY_SM2:
-- case EVP_PKEY_EC:
-- {
-- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
-- EVP_PKEY_set1_EC_KEY(pkey, ec);
-- EC_KEY_free(ec);
-- }
-- break;
--# endif
--# ifndef OPENSSL_NO_DSA
-- case EVP_PKEY_DSA:
-- {
-- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
-- EVP_PKEY_set1_DSA(pkey, dsa);
-- DSA_free(dsa);
-- }
-- break;
--#endif
--# ifndef OPENSSL_NO_DH
-- case EVP_PKEY_DH:
-- {
-- DH *dh = EVP_PKEY_get1_DH(pkey);
-- EVP_PKEY_set1_DH(pkey, dh);
-- DH_free(dh);
-- }
-- break;
--#endif
-- default:
-- /*Do nothing */
-- break;
-- }
--
- return pkey;
- }
-
-
diff --git a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
deleted file mode 100644
index 51256cf434e2..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-# Bug: https://bugs.gentoo.org/923956
-# Upstream PR: https://github.com/openssl/openssl/pull/23752
---- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-@@ -142,9 +142,9 @@ static const PROV_GCM_HW aes_gcm = {
- # include "cipher_aes_gcm_hw_armv8.inc"
- #elif defined(PPC_AES_GCM_CAPABLE) && defined(_ARCH_PPC64)
- # include "cipher_aes_gcm_hw_ppc.inc"
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
- # include "cipher_aes_gcm_hw_rv64i.inc"
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
- # include "cipher_aes_gcm_hw_rv32i.inc"
- #else
- const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
---- a/providers/implementations/ciphers/cipher_aes_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_hw.c
-@@ -142,9 +142,9 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_##mode(size_t keybits) \
- # include "cipher_aes_hw_t4.inc"
- #elif defined(S390X_aes_128_CAPABLE)
- # include "cipher_aes_hw_s390x.inc"
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
- # include "cipher_aes_hw_rv64i.inc"
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
- # include "cipher_aes_hw_rv32i.inc"
- #else
- /* The generic case */
---- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_ocb_hw.c
-@@ -104,7 +104,7 @@ static const PROV_CIPHER_HW aes_t4_ocb = { \
- if (SPARC_AES_CAPABLE) \
- return &aes_t4_ocb;
-
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
-
- static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
- const unsigned char *key,
-@@ -126,7 +126,7 @@ static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = { \
- if (RISCV_HAS_ZKND_AND_ZKNE()) \
- return &aes_rv64i_zknd_zkne_ocb;
-
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
-
- static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx,
- const unsigned char *key,
---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c
-@@ -159,7 +159,7 @@ static const PROV_CIPHER_HW aes_xts_t4 = { \
- if (SPARC_AES_CAPABLE) \
- return &aes_xts_t4;
-
--#elif defined(__riscv) && __riscv_xlen == 64
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64
-
- static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
- const unsigned char *key,
-@@ -185,7 +185,7 @@ static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = { \
- if (RISCV_HAS_ZKND_AND_ZKNE()) \
- return &aes_xts_rv64i_zknd_zkne;
-
--#elif defined(__riscv) && __riscv_xlen == 32
-+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32
-
- static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx,
- const unsigned char *key,
diff --git a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch b/dev-libs/openssl/files/openssl-3.2.1-s390x.patch
deleted file mode 100644
index 3cbf4854e12e..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-https://bugs.gentoo.org/923957
-https://github.com/openssl/openssl/pull/23458
-https://github.com/openssl/openssl/commit/5fa5d59750db9df00f4871949a66020ac44f4f9c
-
-From 5fa5d59750db9df00f4871949a66020ac44f4f9c Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Fri, 2 Feb 2024 10:20:55 +0100
-Subject: [PATCH] s390x: Fix build on s390x with 'disable-asm'
-
-Do not define S390X_MOD_EXP for a NO_ASM build, this would result in
-unresolved externals for s390x_mod_exp and s390x_crt.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
-
-Reviewed-by: Hugo Landau <hlandau@openssl.org>
-Reviewed-by: Tomas Mraz <tomas@openssl.org>
-(Merged from https://github.com/openssl/openssl/pull/23458)
-
-(cherry picked from commit a5b0c568dbefddd154f99011d7ce76cfbfadb67a)
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -116,7 +116,8 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
-
- extern const BIGNUM ossl_bn_inv_sqrt_2;
-
--#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__)
-+#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__) \
-+ && !defined (OPENSSL_NO_ASM)
- # define S390X_MOD_EXP
- #endif
-
diff --git a/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch b/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
new file mode 100644
index 000000000000..bb8fdbe3f241
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
@@ -0,0 +1,55 @@
+https://bugs.gentoo.org/937457
+https://github.com/openssl/openssl/commit/419fb4ea4be4c0b28c63b494ff30fa3510aba06e
+
+From 419fb4ea4be4c0b28c63b494ff30fa3510aba06e Mon Sep 17 00:00:00 2001
+From: Neil Horman <nhorman@openssl.org>
+Date: Sun, 14 Jul 2024 08:57:25 -0400
+Subject: [PATCH] Fix cmake generator
+
+PR #24678 modified some environment variables and locations that the
+cmake exporter depended on, resulting in empty directory resolution.
+Adjust build build.info and input variable names to match up again
+
+Fixes #24874
+
+Reviewed-by: Richard Levitte <levitte@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24877)
+
+(cherry picked from commit c1a27bdeb9a4f915aa92ed0e74ed48a1f9b94176)
+--- a/build.info
++++ b/build.info
+@@ -102,6 +102,11 @@ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}]
+ ENDIF
+
+ # This file sets the build directory up for CMake inclusion
++# Note: This generation of OpenSSLConfig[Version].cmake is used
++# for building openssl locally, and so the build variables are
++# taken from builddata.pm rather than installdata.pm. For exportable
++# versions of these generated files, you'll find them in the exporters
++# directory
+ GENERATE[OpenSSLConfig.cmake]=exporters/cmake/OpenSSLConfig.cmake.in
+ DEPEND[OpenSSLConfig.cmake]=builddata.pm
+ GENERATE[OpenSSLConfigVersion.cmake]=exporters/cmake/OpenSSLConfigVersion.cmake.in
+--- a/exporters/cmake/OpenSSLConfig.cmake.in
++++ b/exporters/cmake/OpenSSLConfig.cmake.in
+@@ -127,13 +127,13 @@ set(OPENSSL_VERSION_FIX "${OpenSSL_VERSION_PATCH}")
+ set(OPENSSL_FOUND YES)
+
+ # Directories and names
+-set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL, 1); -}")
+-set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL, 1); -}")
+-set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL, 1); -}")
+-set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL, 1); -}")
+-set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL, 1); -}")
++set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}")
++set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX, 1); -}")
++set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR, 1); -}")
++set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR, 1); -}")
++set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL_PREFIX, 1); -}")
+ {- output_off() if $disabled{uplink}; "" -}
+-set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL, 1); -}/applink.c")
++set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL_PREFIX, 1); -}/applink.c")
+ {- output_on() if $disabled{uplink}; "" -}
+ set(OPENSSL_PROGRAM "${OPENSSL_RUNTIME_DIR}/{- platform->bin('openssl') -}")
+
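Review bot: The header of this patch does not say that it only makes sense on top of openssl-3.3.1-pkg-config-deux.patch. The new `set(OPENSSL_*_DIR ...)` lines read `LIBDIR_REL_PREFIX`, `ENGINESDIR_REL_LIBDIR` and similar names, which are the `${k}_REL_${var}` variables emitted by the util/mkinstallvars.pl change in that other patch. Without it these names would presumably expand to empty strings, and the exported directories would collapse to the bare prefix without any build error. I would add a line under the bug link such as `Depends on openssl-3.3.1-pkg-config-deux.patch (introduces the *_REL_PREFIX / *_REL_LIBDIR variables)` so the two patches are kept or dropped together.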
diff --git a/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch b/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch
new file mode 100644
index 000000000000..a5ad9987eb57
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch
@@ -0,0 +1,303 @@
+https://github.com/openssl/openssl/pull/24687
+https://bugs.gentoo.org/936576
+
+https://github.com/openssl/openssl/commit/aa099dba7c80c723cf4babf5adc0c801f1c28363
+https://github.com/openssl/openssl/commit/1c437b5704c9ee5f667bc2b11e5fdf176dfb714f
+
+From aa099dba7c80c723cf4babf5adc0c801f1c28363 Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 20 Jun 2024 14:30:16 +0200
+Subject: [PATCH] Give util/mkinstallvars.pl more fine grained control over var
+ dependencies
+
+Essentially, we try to do what GNU does. 'prefix' is used to define the
+defaults for 'exec_prefix' and 'libdir', and these are then used to define
+further directory values. util/mkinstallvars.pl is changed to reflect that
+to the best of our ability.
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24687)
+
+(cherry picked from commit 6e0fd246e7a6e51f92b2ef3520bfc4414b7773c0)
+---
+ exporters/build.info | 2 +-
+ util/mkinstallvars.pl | 133 ++++++++++++++++++++++++++----------------
+ 2 files changed, 85 insertions(+), 50 deletions(-)
+
+diff --git a/exporters/build.info b/exporters/build.info
+index 86acf2df9467c..9241dc9b0a658 100644
+--- a/exporters/build.info
++++ b/exporters/build.info
+@@ -19,7 +19,7 @@ DEPEND[openssl.pc]=libcrypto.pc libssl.pc
+ DEPEND[""]=openssl.pc
+
+ GENERATE[../installdata.pm]=../util/mkinstallvars.pl \
+- "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" \
++ "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" "libdir=$(libdir)" \
+ INCLUDEDIR=include APPLINKDIR=include/openssl \
+ "ENGINESDIR=$(ENGINESDIR)" "MODULESDIR=$(MODULESDIR)" \
+ "PKGCONFIGDIR=$(PKGCONFIGDIR)" "CMAKECONFIGDIR=$(CMAKECONFIGDIR)" \
+diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
+index 59a432d28c601..5fadb708e1b77 100644
+--- a/util/mkinstallvars.pl
++++ b/util/mkinstallvars.pl
+@@ -11,13 +11,25 @@
+ # The result is a Perl module creating the package OpenSSL::safe::installdata.
+
+ use File::Spec;
++use List::Util qw(pairs);
+
+ # These are expected to be set up as absolute directories
+-my @absolutes = qw(PREFIX);
++my @absolutes = qw(PREFIX libdir);
+ # These may be absolute directories, and if not, they are expected to be set up
+-# as subdirectories to PREFIX
+-my @subdirs = qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR ENGINESDIR MODULESDIR
+- PKGCONFIGDIR CMAKECONFIGDIR);
++# as subdirectories to PREFIX or LIBDIR. The order of the pairs is important,
++# since the LIBDIR subdirectories depend on the calculation of LIBDIR from
++# PREFIX.
++my @subdirs = pairs (PREFIX => [ qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR) ],
++ LIBDIR => [ qw(ENGINESDIR MODULESDIR PKGCONFIGDIR
++ CMAKECONFIGDIR) ]);
++# For completeness, other expected variables
++my @others = qw(VERSION LDLIBS);
++
++my %all = ( );
++foreach (@absolutes) { $all{$_} = 1 }
++foreach (@subdirs) { foreach (@{$_->[1]}) { $all{$_} = 1 } }
++foreach (@others) { $all{$_} = 1 }
++print STDERR "DEBUG: all keys: ", join(", ", sort keys %all), "\n";
+
+ my %keys = ();
+ foreach (@ARGV) {
+@@ -26,29 +38,47 @@
+ $ENV{$k} = $v;
+ }
+
+-foreach my $k (sort keys %keys) {
+- my $v = $ENV{$k};
+- $v = File::Spec->rel2abs($v) if $v && grep { $k eq $_ } @absolutes;
+- $ENV{$k} = $v;
++# warn if there are missing values, and also if there are unexpected values
++foreach my $k (sort keys %all) {
++ warn "No value given for $k\n" unless $keys{$k};
+ }
+ foreach my $k (sort keys %keys) {
++ warn "Unknown variable $k\n" unless $all{$k};
++}
++
++# This shouldn't be needed, but just in case we get relative paths that
++# should be absolute, make sure they actually are.
++foreach my $k (@absolutes) {
+ my $v = $ENV{$k} || '.';
++ print STDERR "DEBUG: $k = $v => ";
++ $v = File::Spec->rel2abs($v) if $v;
++ $ENV{$k} = $v;
++ print STDERR "$k = $ENV{$k}\n";
++}
+
+- # Absolute paths for the subdir variables are computed. This provides
+- # the usual form of values for names that have become norm, known as GNU
+- # installation paths.
+- # For the benefit of those that need it, the subdirectories are preserved
+- # as they are, using the same variable names, suffixed with '_REL', if they
+- # are indeed subdirectories.
+- if (grep { $k eq $_ } @subdirs) {
++# Absolute paths for the subdir variables are computed. This provides
++# the usual form of values for names that have become norm, known as GNU
++# installation paths.
++# For the benefit of those that need it, the subdirectories are preserved
++# as they are, using the same variable names, suffixed with '_REL_{var}',
++# if they are indeed subdirectories. The '{var}' part of the name tells
++# which other variable value they are relative to.
++foreach my $pair (@subdirs) {
++ my ($var, $subdir_vars) = @$pair;
++ foreach my $k (@$subdir_vars) {
++ my $v = $ENV{$k} || '.';
++ print STDERR "DEBUG: $k = $v => ";
+ if (File::Spec->file_name_is_absolute($v)) {
+- $ENV{"${k}_REL"} = File::Spec->abs2rel($v, $ENV{PREFIX});
++ my $kr = "${k}_REL_${var}";
++ $ENV{$kr} = File::Spec->abs2rel($v, $ENV{$var});
++ print STDERR "$kr = $ENV{$kr}\n";
+ } else {
+- $ENV{"${k}_REL"} = $v;
+- $v = File::Spec->rel2abs($v, $ENV{PREFIX});
++ my $kr = "${k}_REL_${var}";
++ $ENV{$kr} = $v;
++ $ENV{$k} = File::Spec->rel2abs($v, $ENV{$var});
++ print STDERR "$k = $ENV{$k} , $kr = $v\n";
+ }
+ }
+- $ENV{$k} = $v;
+ }
+
+ print <<_____;
+@@ -58,36 +88,41 @@ package OpenSSL::safe::installdata;
+ use warnings;
+ use Exporter;
+ our \@ISA = qw(Exporter);
+-our \@EXPORT = qw(\$PREFIX
+- \$BINDIR \$BINDIR_REL
+- \$LIBDIR \$LIBDIR_REL
+- \$INCLUDEDIR \$INCLUDEDIR_REL
+- \$APPLINKDIR \$APPLINKDIR_REL
+- \$ENGINESDIR \$ENGINESDIR_REL
+- \$MODULESDIR \$MODULESDIR_REL
+- \$PKGCONFIGDIR \$PKGCONFIGDIR_REL
+- \$CMAKECONFIGDIR \$CMAKECONFIGDIR_REL
+- \$VERSION \@LDLIBS);
+-
+-our \$PREFIX = '$ENV{PREFIX}';
+-our \$BINDIR = '$ENV{BINDIR}';
+-our \$BINDIR_REL = '$ENV{BINDIR_REL}';
+-our \$LIBDIR = '$ENV{LIBDIR}';
+-our \$LIBDIR_REL = '$ENV{LIBDIR_REL}';
+-our \$INCLUDEDIR = '$ENV{INCLUDEDIR}';
+-our \$INCLUDEDIR_REL = '$ENV{INCLUDEDIR_REL}';
+-our \$APPLINKDIR = '$ENV{APPLINKDIR}';
+-our \$APPLINKDIR_REL = '$ENV{APPLINKDIR_REL}';
+-our \$ENGINESDIR = '$ENV{ENGINESDIR}';
+-our \$ENGINESDIR_REL = '$ENV{ENGINESDIR_REL}';
+-our \$MODULESDIR = '$ENV{MODULESDIR}';
+-our \$MODULESDIR_REL = '$ENV{MODULESDIR_REL}';
+-our \$PKGCONFIGDIR = '$ENV{PKGCONFIGDIR}';
+-our \$PKGCONFIGDIR_REL = '$ENV{PKGCONFIGDIR_REL}';
+-our \$CMAKECONFIGDIR = '$ENV{CMAKECONFIGDIR}';
+-our \$CMAKECONFIGDIR_REL = '$ENV{CMAKECONFIGDIR_REL}';
+-our \$VERSION = '$ENV{VERSION}';
+-our \@LDLIBS =
++our \@EXPORT = qw(
++_____
++
++foreach my $k (@absolutes) {
++ print " \$$k\n";
++}
++foreach my $pair (@subdirs) {
++ my ($var, $subdir_vars) = @$pair;
++ foreach my $k (@$subdir_vars) {
++ my $k2 = "${k}_REL_${var}";
++ print " \$$k \$$k2\n";
++ }
++}
++
++print <<_____;
++ \$VERSION \@LDLIBS
++);
++
++_____
++
++foreach my $k (@absolutes) {
++ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";
++}
++foreach my $pair (@subdirs) {
++ my ($var, $subdir_vars) = @$pair;
++ foreach my $k (@$subdir_vars) {
++ my $k2 = "${k}_REL_${var}";
++ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";
++ print "our \$$k2" . ' ' x (27 - length($k2)) . "= '$ENV{$k2}';\n";
++ }
++}
++
++print <<_____;
++our \$VERSION = '$ENV{VERSION}';
++our \@LDLIBS =
+ # Unix and Windows use space separation, VMS uses comma separation
+ split(/ +| *, */, '$ENV{LDLIBS}');
+
+
+From 1c437b5704c9ee5f667bc2b11e5fdf176dfb714f Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Thu, 20 Jun 2024 14:33:15 +0200
+Subject: [PATCH] Adapt all the exporter files to the new vars from
+ util/mkinstallvars.pl
+
+With this, the pkg-config files take better advantage of relative directory
+values.
+
+Fixes #24298
+
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+Reviewed-by: Tomas Mraz <tomas@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/24687)
+
+(cherry picked from commit 30dc37d798a0428fd477d3763086e7e97b3d596f)
+---
+ exporters/cmake/OpenSSLConfig.cmake.in | 7 ++++---
+ exporters/pkg-config/libcrypto.pc.in | 12 ++++++++----
+ exporters/pkg-config/libssl.pc.in | 8 ++++++--
+ exporters/pkg-config/openssl.pc.in | 8 ++++++--
+ 4 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/exporters/cmake/OpenSSLConfig.cmake.in b/exporters/cmake/OpenSSLConfig.cmake.in
+index 2d2321931de1d..06f796158b2fa 100644
+--- a/exporters/cmake/OpenSSLConfig.cmake.in
++++ b/exporters/cmake/OpenSSLConfig.cmake.in
+@@ -89,9 +89,10 @@ unset(_ossl_undefined_targets)
+ # Set up the import path, so all other import paths are made relative this file
+ get_filename_component(_ossl_prefix "${CMAKE_CURRENT_LIST_FILE}" PATH)
+ {-
+- # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR_REL, have CMake
+- # out the parent directory.
+- my $d = unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL);
++ # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR relative to
++ # $OpenSSL::safe::installdata::PREFIX, have CMake figure out the parent directory.
++ my $d = join('/', unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX),
++ unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL_LIBDIR));
+ $OUT = '';
+ $OUT .= 'get_filename_component(_ossl_prefix "${_ossl_prefix}" PATH)' . "\n"
+ foreach (split '/', $d);
+diff --git a/exporters/pkg-config/libcrypto.pc.in b/exporters/pkg-config/libcrypto.pc.in
+index 14ed339f3c3a0..fbc8ea4c79b06 100644
+--- a/exporters/pkg-config/libcrypto.pc.in
++++ b/exporters/pkg-config/libcrypto.pc.in
+@@ -1,7 +1,11 @@
+-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
+-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
+-enginesdir={- $OpenSSL::safe::installdata::ENGINESDIR -}
+-modulesdir={- $OpenSSL::safe::installdata::MODULESDIR -}
++prefix={- $OpenSSL::safe::installdata::PREFIX -}
++exec_prefix=${prefix}
++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ : $OpenSSL::safe::installdata::libdir -}
++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
++enginesdir=${libdir}/{- $OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR -}
++modulesdir=${libdir}/{- $OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR -}
+
+ Name: OpenSSL-libcrypto
+ Description: OpenSSL cryptography library
+diff --git a/exporters/pkg-config/libssl.pc.in b/exporters/pkg-config/libssl.pc.in
+index a7828b3cc6a49..963538807bb2b 100644
+--- a/exporters/pkg-config/libssl.pc.in
++++ b/exporters/pkg-config/libssl.pc.in
+@@ -1,5 +1,9 @@
+-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
+-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
++prefix={- $OpenSSL::safe::installdata::PREFIX -}
++exec_prefix=${prefix}
++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ : $OpenSSL::safe::installdata::libdir -}
++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
+
+ Name: OpenSSL-libssl
+ Description: Secure Sockets Layer and cryptography libraries
+diff --git a/exporters/pkg-config/openssl.pc.in b/exporters/pkg-config/openssl.pc.in
+index dbb77aa39add2..225bef9e2384d 100644
+--- a/exporters/pkg-config/openssl.pc.in
++++ b/exporters/pkg-config/openssl.pc.in
+@@ -1,5 +1,9 @@
+-libdir={- $OpenSSL::safe::installdata::LIBDIR -}
+-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -}
++prefix={- $OpenSSL::safe::installdata::PREFIX -}
++exec_prefix=${prefix}
++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX
++ : $OpenSSL::safe::installdata::libdir -}
++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -}
+
+ Name: OpenSSL
+ Description: Secure Sockets Layer and cryptography libraries and tools
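Review bot: The generated `installdata.pm` is built by pasting environment values straight into single-quoted Perl literals, in the new `print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n";` line and its `$k2` twin, so a prefix or libdir containing `'` or ending in a backslash yields a module that fails to parse or parses as something other than the intended string. The removed heredoc did the same, so this is inherited rather than introduced, and the values come from the Configure arguments; it matters mainly where those are derived from a CI parameter or an unusual `EPREFIX`. Escaping before emitting, e.g. `(my $q = $ENV{$k}) =~ s/([\\'])/\\$1/g;` and printing `$q`, would close it, ideally upstream rather than only in this backport. Separately, the unconditional `print STDERR "DEBUG: ..."` lines run on every build and could be dropped or gated. Only the patched regions of util/mkinstallvars.pl are visible here.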
diff --git a/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch b/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch
new file mode 100644
index 000000000000..b915b963509a
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch
@@ -0,0 +1,31 @@
+https://github.com/openssl/openssl/pull/25018
+https://bugs.gentoo.org/936793
+
+From b7bd618fb12728b4a85b9159af95ca40a817674d Mon Sep 17 00:00:00 2001
+From: Richard Levitte <levitte@openssl.org>
+Date: Sun, 28 Jul 2024 10:47:08 +0200
+Subject: [PATCH] fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and
+ Windows)
+
+Don't do comma separation on those platforms.
+
+Fixes #24986
+---
+ util/mkinstallvars.pl | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl
+index 5fadb708e1b77..e2b7d9d08321f 100644
+--- a/util/mkinstallvars.pl
++++ b/util/mkinstallvars.pl
+@@ -124,7 +124,9 @@ package OpenSSL::safe::installdata;
+ our \$VERSION = '$ENV{VERSION}';
+ our \@LDLIBS =
+ # Unix and Windows use space separation, VMS uses comma separation
+- split(/ +| *, */, '$ENV{LDLIBS}');
++ \$^O eq 'VMS'
++ ? split(/ *, */, '$ENV{LDLIBS}')
++ : split(/ +/, '$ENV{LDLIBS}');
+
+ 1;
+ _____
diff --git a/dev-libs/openssl/openssl-1.0.2u-r1.ebuild b/dev-libs/openssl/openssl-1.0.2u-r1.ebuild
index c2abe15ce890..eface797e109 100644
--- a/dev-libs/openssl/openssl-1.0.2u-r1.ebuild
+++ b/dev-libs/openssl/openssl-1.0.2u-r1.ebuild
@@ -22,7 +22,7 @@ MY_P=${P/_/-}
BINDIST_PATCH_SET="openssl-1.0.2t-bindist-1.0.tar.xz"
DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
bindist? (
mirror://gentoo/bb/${BINDIST_PATCH_SET}
diff --git a/dev-libs/openssl/openssl-1.1.1w.ebuild b/dev-libs/openssl/openssl-1.1.1w.ebuild
index d8ec15eef987..356594f41c67 100644
--- a/dev-libs/openssl/openssl-1.1.1w.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1w.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig
MY_P=${P/_/-}
DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
S="${WORKDIR}/${MY_P}"
diff --git a/dev-libs/openssl/openssl-3.0.13-r2.ebuild b/dev-libs/openssl/openssl-3.0.13-r2.ebuild
index 7419ab042851..c134dc8f5faf 100644
--- a/dev-libs/openssl/openssl-3.0.13-r2.ebuild
+++ b/dev-libs/openssl/openssl-3.0.13-r2.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
diff --git a/dev-libs/openssl/openssl-3.0.14.ebuild b/dev-libs/openssl/openssl-3.0.14.ebuild
index 647c4ee7dbf9..2a3a9723b5e3 100644
--- a/dev-libs/openssl/openssl-3.0.14.ebuild
+++ b/dev-libs/openssl/openssl-3.0.14.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
diff --git a/dev-libs/openssl/openssl-3.1.5-r2.ebuild b/dev-libs/openssl/openssl-3.1.5-r2.ebuild
deleted file mode 100644
index 1c3b048b75a0..000000000000
--- a/dev-libs/openssl/openssl-3.1.5-r2.ebuild
+++ /dev/null
@@ -1,286 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs
-inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
-
-DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
-
-MY_P=${P/_/-}
-
-if [[ ${PV} == 9999 ]] ; then
- EGIT_REPO_URI="https://github.com/openssl/openssl.git"
-
- inherit git-r3
-else
- SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
- "
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
-fi
-
-S="${WORKDIR}"/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-COMMON_DEPEND="
- !<net-misc/openssh-9.2_p1-r3
- tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-"
-BDEPEND="
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- app-alternatives/bc
- sys-process/procps
- )
- verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
-
-DEPEND="${COMMON_DEPEND}"
-RDEPEND="${COMMON_DEPEND}"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
- /usr/include/openssl/configuration.h
-)
-
-PATCHES=(
- "${FILESDIR}"/${P}-p11-segfault.patch
- "${FILESDIR}"/${P}-CVE-2024-2511.patch
-)
-
-pkg_setup() {
- if use ktls ; then
- if kernel_is -lt 4 18 ; then
- ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
- else
- CONFIG_CHECK="~TLS ~TLS_DEVICE"
- ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
- ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
- use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
-
- linux-info_pkg_setup
- fi
- fi
-
- [[ ${MERGE_TYPE} == binary ]] && return
-
- # must check in pkg_setup; sysctl doesn't work with userpriv!
- if use test && use sctp ; then
- # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
- # if sctp.auth_enable is not enabled.
- local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
- if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
- die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
- fi
- fi
-}
-
-src_prepare() {
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- PATCHES+=(
- # Add patches which are Gentoo-specific customisations here
- )
- fi
-
- default
-
- if use test && use sctp && has network-sandbox ${FEATURES} ; then
- einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
- rm test/recipes/80-test_ssl_new.t || die
- fi
-
- # Test fails depending on kernel configuration, bug #699134
- rm test/recipes/30-test_afalg.t || die
-}
-
-src_configure() {
- # Keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (bug #417795 again)
- tc-is-clang && append-flags -Qunused-arguments
-
- # We really, really need to build OpenSSL w/ strict aliasing disabled.
- # It's filled with violations and it *will* result in miscompiled
- # code. This has been in the ebuild for > 10 years but even in 2022,
- # it's still relevant:
- # - https://github.com/llvm/llvm-project/issues/55255
- # - https://github.com/openssl/openssl/issues/12247
- # - https://github.com/openssl/openssl/issues/18225
- # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
- # Don't remove the no strict aliasing bits below!
- filter-flags -fstrict-aliasing
- append-flags -fno-strict-aliasing
- # The OpenSSL developers don't test with LTO right now, it leads to various
- # warnings/errors (which may or may not be false positives), it's considered
- # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
- filter-lto
-
- append-flags $(test-flags-CC -Wa,--noexecstack)
-
- # bug #895308
- append-atomic-flags
- # Configure doesn't respect LIBS
- export LDLIBS="${LIBS}"
-
- # bug #197996
- unset APPS
- # bug #312551
- unset SCRIPTS
- # bug #311473
- unset CROSS_COMPILE
-
- tc-export AR CC CXX RANLIB RC
-
- multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths, bug #460790.
- #local ec_nistp_64_gcc_128
- #
- # Disable it for now though (bug #469976)
- # Do NOT re-enable without substantial discussion first!
- #
- #echo "__uint128_t i;" > "${T}"/128.c
- #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- #fi
-
- local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
- einfo "Using configuration: ${sslout:-(openssl knows best)}"
-
- # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
- local myeconfargs=(
- ${sslout}
-
- $(use cpu_flags_x86_sse2 || echo "no-sse2")
- enable-camellia
- enable-ec
- enable-ec2m
- enable-sm2
- enable-srp
- $(use elibc_musl && echo "no-async")
- enable-idea
- enable-mdc2
- enable-rc5
- $(use fips && echo "enable-fips")
- $(use_ssl asm)
- $(use_ssl ktls)
- $(use_ssl rfc3779)
- $(use_ssl sctp)
- $(use test || echo "no-tests")
- $(use_ssl tls-compression zlib)
- $(use_ssl weak-ssl-ciphers)
-
- --prefix="${EPREFIX}"/usr
- --openssldir="${EPREFIX}"${SSL_CNF_DIR}
- --libdir=$(get_libdir)
-
- shared
- threads
- )
-
- edo perl "${S}/Configure" "${myeconfargs[@]}"
-}
-
-multilib_src_compile() {
- emake build_sw
-
- if multilib_is_native_abi; then
- emake build_docs
- fi
-}
-
-multilib_src_test() {
- # VFP = show subtests verbosely and show failed tests verbosely
- # Normal V=1 would show everything verbosely but this slows things down.
- emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test
-}
-
-multilib_src_install() {
- # Only -j1 is supported for the install targets:
- # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
- emake DESTDIR="${D}" -j1 install_sw
- if use fips; then
- emake DESTDIR="${D}" -j1 install_fips
- # Regen this in pkg_preinst, bug 900625
- rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
- fi
-
- if multilib_is_native_abi; then
- emake DESTDIR="${D}" -j1 install_ssldirs
- emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
- fi
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- if ! use static-libs ; then
- rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
- fi
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
-
- # Create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # bug #254521
- dodir /etc/sandbox.d
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
- if use fips; then
- # Regen fipsmodule.cnf, bug 900625
- ebegin "Running openssl fipsinstall"
- "${ED}/usr/bin/openssl" fipsinstall -quiet \
- -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
- -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
- eend $?
- fi
-
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
- /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
-}
-
-pkg_postinst() {
- ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
- openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
- eend $?
-
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
- /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
-}
diff --git a/dev-libs/openssl/openssl-3.1.6.ebuild b/dev-libs/openssl/openssl-3.1.6.ebuild
index a95bf0b407ff..96fc87688904 100644
--- a/dev-libs/openssl/openssl-3.1.6.ebuild
+++ b/dev-libs/openssl/openssl-3.1.6.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
@@ -18,8 +18,10 @@ if [[ ${PV} == 9999 ]] ; then
inherit git-r3
else
SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
"
KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
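Review bot: The new SRC_URI lines build both the release tag and the tarball name from `${P}`, although `MY_P=${P/_/-}` (context line above, inside an `if` block that starts outside the hunk) exists to turn a Gentoo `_alpha`/`_beta` suffix into the hyphenated upstream name. For the release versions touched here the two expand identically, but on a pre-release bump the URL and the saved distfile name would carry the underscore. The removed 3.2.1-r2 ebuild on this page passes `${MY_P}.tar.gz{,.asc}` to `verify-sig_verify_detached`; if src_unpack in this file (not in the hunk) does the same, the signature check would look for a file that was never fetched. I would use `https://github.com/openssl/openssl/releases/download/${MY_P}/${MY_P}.tar.gz` and the matching `.asc` line. The SRC_URI hunks of openssl-3.2.2, openssl-3.3.1-r1 and openssl-3.3.1-r3 have the same issue.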
diff --git a/dev-libs/openssl/openssl-3.2.1-r2.ebuild b/dev-libs/openssl/openssl-3.2.1-r2.ebuild
deleted file mode 100644
index fb480821f325..000000000000
--- a/dev-libs/openssl/openssl-3.2.1-r2.ebuild
+++ /dev/null
@@ -1,308 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs
-inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
-
-DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
-
-MY_P=${P/_/-}
-
-if [[ ${PV} == 9999 ]] ; then
- EGIT_REPO_URI="https://github.com/openssl/openssl.git"
-
- inherit git-r3
-else
- SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
- "
-
- if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
- fi
-fi
-
-S="${WORKDIR}"/${MY_P}
-
-LICENSE="Apache-2.0"
-SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
-RESTRICT="!test? ( test )"
-
-COMMON_DEPEND="
- !<net-misc/openssh-9.2_p1-r3
- tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
-"
-BDEPEND="
- >=dev-lang/perl-5
- sctp? ( >=net-misc/lksctp-tools-1.0.12 )
- test? (
- sys-apps/diffutils
- app-alternatives/bc
- sys-process/procps
- )
- verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
-
-DEPEND="${COMMON_DEPEND}"
-RDEPEND="${COMMON_DEPEND}"
-PDEPEND="app-misc/ca-certificates"
-
-MULTILIB_WRAPPED_HEADERS=(
- /usr/include/openssl/configuration.h
-)
-
-PATCHES=(
- "${FILESDIR}"/${P}-p11-segfault.patch
- # bug 923956 (drop on next version bump)
- "${FILESDIR}"/${P}-riscv.patch
- "${FILESDIR}"/${P}-CVE-2024-2511.patch
- "${FILESDIR}"/${P}-s390x.patch
-)
-
-pkg_setup() {
- if use ktls ; then
- if kernel_is -lt 4 18 ; then
- ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
- else
- CONFIG_CHECK="~TLS ~TLS_DEVICE"
- ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
- ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
- use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER"
-
- linux-info_pkg_setup
- fi
- fi
-
- [[ ${MERGE_TYPE} == binary ]] && return
-
- # must check in pkg_setup; sysctl doesn't work with userpriv!
- if use test && use sctp ; then
- # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
- # if sctp.auth_enable is not enabled.
- local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
- if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then
- die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
- fi
- fi
-}
-
-src_unpack() {
- # Can delete this once test fix patch is dropped
- if use verify-sig ; then
- # Needed for downloaded patch (which is unsigned, which is fine)
- verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
- fi
-
- default
-}
-
-src_prepare() {
- # Make sure we only ever touch Makefile.org and avoid patching a file
- # that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
-
- if ! use vanilla ; then
- PATCHES+=(
- # Add patches which are Gentoo-specific customisations here
- )
- fi
-
- default
-
- if use test && use sctp && has network-sandbox ${FEATURES} ; then
- einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
- rm test/recipes/80-test_ssl_new.t || die
- fi
-
- # Test fails depending on kernel configuration, bug #699134
- rm test/recipes/30-test_afalg.t || die
-}
-
-src_configure() {
- # Keep this in sync with app-misc/c_rehash
- SSL_CNF_DIR="/etc/ssl"
-
- # Quiet out unknown driver argument warnings since openssl
- # doesn't have well-split CFLAGS and we're making it even worse
- # and 'make depend' uses -Werror for added fun (bug #417795 again)
- tc-is-clang && append-flags -Qunused-arguments
-
- # We really, really need to build OpenSSL w/ strict aliasing disabled.
- # It's filled with violations and it *will* result in miscompiled
- # code. This has been in the ebuild for > 10 years but even in 2022,
- # it's still relevant:
- # - https://github.com/llvm/llvm-project/issues/55255
- # - https://github.com/openssl/openssl/issues/12247
- # - https://github.com/openssl/openssl/issues/18225
- # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
- # Don't remove the no strict aliasing bits below!
- filter-flags -fstrict-aliasing
- append-flags -fno-strict-aliasing
- # The OpenSSL developers don't test with LTO right now, it leads to various
- # warnings/errors (which may or may not be false positives), it's considered
- # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663.
- filter-lto
-
- append-flags $(test-flags-CC -Wa,--noexecstack)
-
- # bug #895308 -- check inserts GNU ld-compatible arguments
- [[ ${CHOST} == *-darwin* ]] || append-atomic-flags
- # Configure doesn't respect LIBS
- export LDLIBS="${LIBS}"
-
- # bug #197996
- unset APPS
- # bug #312551
- unset SCRIPTS
- # bug #311473
- unset CROSS_COMPILE
-
- tc-export AR CC CXX RANLIB RC
-
- multilib-minimal_src_configure
-}
-
-multilib_src_configure() {
- use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
-
- local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")
-
- # See if our toolchain supports __uint128_t. If so, it's 64bit
- # friendly and can use the nicely optimized code paths, bug #460790.
- #local ec_nistp_64_gcc_128
- #
- # Disable it for now though (bug #469976)
- # Do NOT re-enable without substantial discussion first!
- #
- #echo "__uint128_t i;" > "${T}"/128.c
- #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
- # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
- #fi
-
- local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4")
- einfo "Using configuration: ${sslout:-(openssl knows best)}"
-
- # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features
- local myeconfargs=(
- ${sslout}
-
- $(use cpu_flags_x86_sse2 || echo "no-sse2")
- enable-camellia
- enable-ec
- enable-ec2m
- enable-sm2
- enable-srp
- $(use elibc_musl && echo "no-async")
- enable-idea
- enable-mdc2
- enable-rc5
- $(use fips && echo "enable-fips")
- $(use_ssl asm)
- $(use_ssl ktls)
- $(use_ssl rfc3779)
- $(use_ssl sctp)
- $(use test || echo "no-tests")
- $(use_ssl tls-compression zlib)
- $(use_ssl weak-ssl-ciphers)
-
- --prefix="${EPREFIX}"/usr
- --openssldir="${EPREFIX}"${SSL_CNF_DIR}
- --libdir=$(get_libdir)
-
- shared
- threads
- )
-
- edo perl "${S}/Configure" "${myeconfargs[@]}"
-}
-
-multilib_src_compile() {
- emake build_sw
-
- if multilib_is_native_abi; then
- emake build_docs
- fi
-}
-
-multilib_src_test() {
- # See https://github.com/openssl/openssl/blob/master/test/README.md for options.
- #
- # VFP = show subtests verbosely and show failed tests verbosely
- # Normal V=1 would show everything verbosely but this slows things down.
- #
- # -j1 here for https://github.com/openssl/openssl/issues/21999, but it
- # shouldn't matter as tests were already built earlier, and HARNESS_JOBS
- # controls running the tests.
- emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
-}
-
-multilib_src_install() {
- # Only -j1 is supported for the install targets:
- # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
- emake DESTDIR="${D}" -j1 install_sw
- if use fips; then
- emake DESTDIR="${D}" -j1 install_fips
- # Regen this in pkg_preinst, bug 900625
- rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
- fi
-
- if multilib_is_native_abi; then
- emake DESTDIR="${D}" -j1 install_ssldirs
- emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
- fi
-
- # This is crappy in that the static archives are still built even
- # when USE=static-libs. But this is due to a failing in the openssl
- # build system: the static archives are built as PIC all the time.
- # Only way around this would be to manually configure+compile openssl
- # twice; once with shared lib support enabled and once without.
- if ! use static-libs ; then
- rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die
- fi
-}
-
-multilib_src_install_all() {
- # openssl installs perl version of c_rehash by default, but
- # we provide a shell version via app-misc/c_rehash
- rm "${ED}"/usr/bin/c_rehash || die
-
- dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
-
- # Create the certs directory
- keepdir ${SSL_CNF_DIR}/certs
-
- # bug #254521
- dodir /etc/sandbox.d
- echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
-
- diropts -m0700
- keepdir ${SSL_CNF_DIR}/private
-}
-
-pkg_preinst() {
- if use fips; then
- # Regen fipsmodule.cnf, bug 900625
- ebegin "Running openssl fipsinstall"
- "${ED}/usr/bin/openssl" fipsinstall -quiet \
- -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \
- -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
- eend $?
- fi
-
- preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
- /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
-}
-
-pkg_postinst() {
- ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
- openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
- eend $?
-
- preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
- /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
-}
diff --git a/dev-libs/openssl/openssl-3.2.2.ebuild b/dev-libs/openssl/openssl-3.2.2.ebuild
index e00a57886dc5..a1d16e48ec38 100644
--- a/dev-libs/openssl/openssl-3.2.2.ebuild
+++ b/dev-libs/openssl/openssl-3.2.2.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
@@ -18,8 +18,10 @@ if [[ ${PV} == 9999 ]] ; then
inherit git-r3
else
SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
@@ -46,7 +48,7 @@ BDEPEND="
app-alternatives/bc
sys-process/procps
)
- verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )"
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240424 )"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
diff --git a/dev-libs/openssl/openssl-3.3.1.ebuild b/dev-libs/openssl/openssl-3.3.1-r1.ebuild
index d348842d29b0..c01b8662e767 100644
--- a/dev-libs/openssl/openssl-3.3.1.ebuild
+++ b/dev-libs/openssl/openssl-3.3.1-r1.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
@@ -18,12 +18,14 @@ if [[ ${PV} == 9999 ]] ; then
inherit git-r3
else
SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
"
if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
- KEYWORDS="~amd64 ~mips ~sparc ~x86"
+ KEYWORDS="~amd64 ~arm ~m68k ~mips ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
fi
fi
@@ -31,7 +33,7 @@ S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
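Review bot: The IUSE line flips `quic` to `+quic` with no comment or bug reference saying why the default changed. A default-on flag changes which protocol code is built into libssl for every user who has not set it explicitly, so the reason belongs next to the line, for example `# quic is on by default: <reason / bug reference>` (placeholder, to be filled in by the author). How the flag reaches Configure is outside this hunk, so the exact build effect is inferred. The IUSE change in the openssl-3.3.1-r3 section is the same.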
@@ -59,6 +61,8 @@ MULTILIB_WRAPPED_HEADERS=(
PATCHES=(
# bug 936311, drop on next version bump
"${FILESDIR}"/${P}-riscv.patch
+ # https://bugs.gentoo.org/936793
+ "${FILESDIR}"/openssl-3.3.1-pkg-config.patch
)
pkg_setup() {
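Review bot: The added PATCHES entry hard-codes `openssl-3.3.1-pkg-config.patch`, while the riscv entry beside it uses `${P}` and is marked "drop on next version bump". A `${P}`-based name stops resolving when the ebuild is copied to a new version, which forces a decision about the patch. The literal name keeps resolving, and the patch would still be handed to the new sources. I would either write `"${FILESDIR}"/${P}-pkg-config.patch` or extend the comment to `# https://bugs.gentoo.org/936793, drop on next version bump` if that is the intent. The three literal entries added in the openssl-3.3.1-r3 PATCHES hunk follow the same pattern.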
diff --git a/dev-libs/openssl/openssl-3.3.0.ebuild b/dev-libs/openssl/openssl-3.3.1-r3.ebuild
index 3c59077a40e6..ede3297ccbdf 100644
--- a/dev-libs/openssl/openssl-3.3.0.ebuild
+++ b/dev-libs/openssl/openssl-3.3.1-r3.ebuild
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs
inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
@@ -18,20 +18,22 @@ if [[ ${PV} == 9999 ]] ; then
inherit git-r3
else
SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
"
- #if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
- # KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
- #fi
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ KEYWORDS="~amd64 ~arm ~m68k ~mips ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+ fi
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
@@ -57,6 +59,14 @@ MULTILIB_WRAPPED_HEADERS=(
)
PATCHES=(
+ # bug 936311, drop on next version bump
+ "${FILESDIR}"/${P}-riscv.patch
+ # https://bugs.gentoo.org/936793
+ "${FILESDIR}"/openssl-3.3.1-pkg-config.patch
+ # https://bugs.gentoo.org/936576
+ "${FILESDIR}"/openssl-3.3.1-pkg-config-deux.patch
+ # https://bugs.gentoo.org/937457
+ "${FILESDIR}"/openssl-3.3.1-cmake-generator.patch
)
pkg_setup() {