From b8c7370a682e4e29cda623222d17a790c01c3642 Mon Sep 17 00:00:00 2001 
From: V3n3RiX
Date: Wed, 7 Aug 2024 12:37:21 +0100
Subject: gentoo auto-resync : 07:08:2024 - 12:37:20
---
dev-libs/openssl/Manifest | 33 +--
.../files/openssl-3.1.5-CVE-2024-2511.patch | 137 ---------
.../openssl/files/openssl-3.1.5-p11-segfault.patch | 78 ------
.../files/openssl-3.2.1-CVE-2024-2511.patch | 137 ---------
.../openssl/files/openssl-3.2.1-p11-segfault.patch | 79 ------
dev-libs/openssl/files/openssl-3.2.1-riscv.patch | 70 -----
dev-libs/openssl/files/openssl-3.2.1-s390x.patch | 31 --
.../files/openssl-3.3.1-cmake-generator.patch | 55 ++++
.../files/openssl-3.3.1-pkg-config-deux.patch | 303 ++++++++++++++++++++
.../openssl/files/openssl-3.3.1-pkg-config.patch | 31 ++
dev-libs/openssl/openssl-1.0.2u-r1.ebuild | 2 +-
dev-libs/openssl/openssl-1.1.1w.ebuild | 2 +-
dev-libs/openssl/openssl-3.0.13-r2.ebuild | 2 +-
dev-libs/openssl/openssl-3.0.14.ebuild | 2 +-
dev-libs/openssl/openssl-3.1.5-r2.ebuild | 286 -------------------
dev-libs/openssl/openssl-3.1.6.ebuild | 8 +-
dev-libs/openssl/openssl-3.2.1-r2.ebuild | 308 --------------------
dev-libs/openssl/openssl-3.2.2.ebuild | 10 +-
dev-libs/openssl/openssl-3.3.0.ebuild | 301 --------------------
dev-libs/openssl/openssl-3.3.1-r1.ebuild | 307 ++++++++++++++++++++
dev-libs/openssl/openssl-3.3.1-r3.ebuild | 311 +++++++++++++++++++++
dev-libs/openssl/openssl-3.3.1.ebuild | 303 --------------------
22 files changed, 1033 insertions(+), 1763 deletions(-)
delete mode 100644 dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch
delete mode 100644 dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
delete mode 100644 dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
delete mode 100644 dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
delete mode 100644 dev-libs/openssl/files/openssl-3.2.1-riscv.patch
delete mode 100644 dev-libs/openssl/files/openssl-3.2.1-s390x.patch
create mode 100644 dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
create mode 100644 dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch
create mode 100644 dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch
delete mode 100644 dev-libs/openssl/openssl-3.1.5-r2.ebuild
delete mode 100644 dev-libs/openssl/openssl-3.2.1-r2.ebuild
delete mode 100644 dev-libs/openssl/openssl-3.3.0.ebuild
create mode 100644 dev-libs/openssl/openssl-3.3.1-r1.ebuild
create mode 100644 dev-libs/openssl/openssl-3.3.1-r3.ebuild
delete mode 100644 dev-libs/openssl/openssl-3.3.1.ebuild
(limited to 'dev-libs/openssl')
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index f776346fe402..d5dc57286d2f 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -4,12 +4,9 @@ AUX openssl-1.1.0j-parallel_install_fix.patch 515 BLAKE2B a1bcffce4dc9e0566e21e7 AUX openssl-1.1.1i-riscv32.patch 2557 BLAKE2B 97e51303706ee96d3fae46959b91d1021dcbb3efa421866f6e09bbee6287aae95c6f5d9498bd9d8974b0de747ef696242691cfebec90b31dc9e2cc31b41b81ec SHA512 f75ae1034bb9dda7f4959e8a5d6d0dae21200723d82aebfbea58bd1d7775ef4042e49fdf49d5738771d79d764e44a1b6e0da341d210ea51d21516bb3874b626a AUX openssl-3.0.13-CVE-2024-2511.patch 5256 BLAKE2B 6e07983af20fe00c448deb45777e67d18ff844309edb2a2130f9e916c0c7167c7f64c64abc3c8082121a96e7a13e6b1b3bfb4de25674ab9db71a8dbb3ce61d2a SHA512 9c762f2c5916b2e2c49bee56cf92d695b106eb535badb5818b77cd72f3ad6554ef24d58c0a161843821984c1d5d697757f72919f2d7903f8e15d8a541534b32f AUX openssl-3.0.13-p11-segfault.patch 2275 BLAKE2B 842cc10d6a81b2859729b0024dd82e538782defb2e3fa341986df6ed65c9e5b3be39647a7d95670356cd0f7bc2a5e0b27eb48d00078308922a32d2053a6c1756 SHA512 4575da2d5acfef90c7d28e096d541a812f74b4ff77887a7a251554d35ca5b9de1ac4117b9f8228ab240e8f64770d648dfadc7003a496d2b051728afab1ec779e -AUX openssl-3.1.5-CVE-2024-2511.patch 5116 BLAKE2B f0c19c5d75636ae757c4fd8ef603817ea3c6d5e9f0df0a494b3f679999fcc9e3382959477ddd9945ee3fd795ba8d4e5b5f8b0c68416d96673cb49c2154c3fb53 SHA512 bf7825185b054f3d2fcd90573687cdce395e2f840a82daf0ce1c9d2e11b991582ff5478dc9aed3152dd6892a7e401274c7fc38d6e53e81e42cb7c471737078e3 -AUX openssl-3.1.5-p11-segfault.patch 2274 BLAKE2B 6a283f0ab89386435272b096893ec1835557c15a699d7579f12d33b95c692abb50bd03289d01ccd85dd56058931f5b0d55320d36cfe0a824521fde2218bba734 SHA512 9d9810f0d8b9163fa8fa58c6e47db47dbe392236ed6990e246185e10bc9e7af44007cc8cb7973706480b41a84e3479aefdcaf9b95f0ac041aaf88eb8c078a725 -AUX openssl-3.2.1-CVE-2024-2511.patch 5166 BLAKE2B 22ebed2ada20ee5c65d489677d270c079940b401582e3ff2dc06222b7a95084e81730dc78a154d98c72c64db237e4c63d5dee653aaf2821779c2729d0fe29833 SHA512 7ec3f0a127ea8f507a6292ac3f56d413e0df552d11795e4421db023516aaa1b1bb6e419b2b85c6940eb26b7ca93ad36a7e87cf2ef2e577e6ea094e2d191fd597 -AUX 
openssl-3.2.1-p11-segfault.patch 2275 BLAKE2B d47816615ece0d015be0a307db950cee1217a522570040a48b9a9a7f7a23927f73ba5633718937c07c90c9a49564e9acc00de239d156cf8632b473afcdba8705 SHA512 9ab62a72036f8fbae34e844e6b17ab3482259de24918279230c2e5daa373de8ee59bd17942c2f4b2dcf06b1bf31796dc539324055e1cded099f6d8630bc13fff -AUX openssl-3.2.1-riscv.patch 3713 BLAKE2B 427a35e30768116b7d65f442c4b2b5ddf6cc7387dc69ec7311345336a59bb86984b45e5572bab67fecf159580b2321aec35db9c6306b74c2d76db51479d910b8 SHA512 e80a244e9674cbd250244aab16501ea5ab6a03efb44ea744ac109063dda003cc638d0eb6da4630f1c1d7eeabbbc14530b21e3c74608ac961141133b09f4795af -AUX openssl-3.2.1-s390x.patch 1169 BLAKE2B ae115074de657f450813b329f3f52d19993734b753411be72b2793df8163402c54bb690d7e41ee7598ae500176eb4f57e108021dcfcbcfef81d9135f5ce41e3e SHA512 6c66c9387a13f772e24dbd794b79dc8fdd8fd81186e3d33c917bd45a6c4841a29e5e28643597e1e105b154c30d7b5814fe154895312241b7f793dc352913095c +AUX openssl-3.3.1-cmake-generator.patch 3263 BLAKE2B 1e6d31175e3ed8abd2b03c94255dbf58d5168038369fd68a98fdf03e3c6d8f74124dd6a7ffa894e492f74ff9440572ae4c04c144967436266033f725c5f7140f SHA512 3c3ae928a2d59489f1fb1d5a57977dbe650530d4715c0a116a2c59dc78385608e50814749d021b1fee51c9b2c0c5ec48631174946c6ca927e0fb5a8ac10514b6 +AUX openssl-3.3.1-pkg-config-deux.patch 12498 BLAKE2B f924e837317bd4a7b4af6e0e8b397915200fb69a7bc09ffd09ab4a860b43ec06b99635fa6ad4783de7d9fa12f9ef48f639e493646e9e7e1e1947c0c729846f81 SHA512 c9f4e93f96db28b7b586ea4d5007e71a13e1464e4c1d033bf1939c8030843727c0e73626affa94d3692a7d285a788ebfd1ce863fe5fd7027a560906a1b6e8b94 +AUX openssl-3.3.1-pkg-config.patch 982 BLAKE2B 77ec5ac862d5b47666e3234f5ef60323d02cbed4a0575e91a45f6f1727f1f0692fc470071622bf982f2875e91c50d9742eb423838702a0019b8c6f7fc2b80149 SHA512 0198461b726a7783d46c0c02cba747affd39245e2ce2577ea802376e1d2dd279eebe9446f30bc2db638d06db1dfacc9b297aa75bbe64ff6f8e22bde3c1063b36 AUX openssl-3.3.1-riscv.patch 4413 BLAKE2B 
bf58837c05023bb34edaf6387a5d1f32b6216791643958e972d634d387031461780c34b9209b399f479d908a40ca3b593ea18b1fa80414802bfcdb80db21e1e7 SHA512 b46f2576be603007f767cb7350e3ec74e0ef0832bcc18e50f7b67010e673a6cdcd7099e99d85d53c6693af6b64260e5a92a9aa3f02be1d626421ab7ff73c6f6b DIST openssl-1.0.2-patches-1.5.tar.xz 12404 BLAKE2B 6c1b8c28f339f539b2ab8643379502a24cf62bffde00041dce54d5dd9e8d2620b181362ee5464b0ab32ba4948e209697bfabadbea2944a409a1009100d298f24 SHA512 5725e2d9d1ee8cc074bcef3bed61c71bdab2ff1c114362110c3fb8da11ad5bc8f2ff28e90a293f5f3a5cf96ecda54dffdb7ab3fb3f8b23ef6472250dc3037659 DIST openssl-1.0.2t-bindist-1.0.tar.xz 13872 BLAKE2B b2aade96a6e0ca6209a39e205b1c838de945903fcf959c62cc29ddcd1a0cb360fc5db234df86860a6a4c096f5ecc237611e4c2946b986a5500c24ba93c208ef4 SHA512 a48a7efb9b973b865bcc5009d450b428ed6b4b95e4cefe70c51056e47392c8a7bec58215168d8b07712419dc74646c2bd2fd23bcfbba2031376e292249a6b1b6 
@@ -20,26 +17,18 @@ DIST openssl-3.0.13.tar.gz 15294843 BLAKE2B 869aa5f70a8c1d0cac6027e9261530df70ab DIST openssl-3.0.13.tar.gz.asc 833 BLAKE2B 519515b6faa505d68ff9acc30db9515fac494145086fa5ad9561c39385a6fabb39ad9de10fedd49c8fc716ec59ea1b13ec5e6b466e549ea9f29b8d0bb74ba7b3 SHA512 c52d97c93d16f3ca2a7026fb25890482b6d86c37b5ab686c56b0e08522743ec4ea3f84afa4deb64b0df0d9a16b557430c4d4139ab42ffcf97d769b61d1e6197c DIST openssl-3.0.14.tar.gz 15305497 BLAKE2B 7426aea63d5495775c4a0440658cc9c46c4aa31c31473cd5519c2b1ca158e122634e0bbc275237d3eb124fc8bed3d58808d8ac1d228f24f7281d2630ff7813e0 SHA512 1c59c01e60da902a20780d71f1fa5055d4037f38c4bc3fb27ed5b91f211b36a6018055409441ad4df58b5e9232b2528240d02067272c3c9ccb8c221449ca9ac0 DIST openssl-3.0.14.tar.gz.asc 833 BLAKE2B 8a700452f6f698fbfa206469888fd72706f1798be212e712fd8a4c1ae87f0d98d54820974c64a3db3b5ac69d7beda665f462e83182337391212c0e72e1feb72e SHA512 003d17a2b71176517f5bfba6699c18b271111e5fec3effc275b965286140d1281fa6f5f5e6bcf63feca89dfa035ab776bda8d2af4b71ae921ca9e7a936581fb4 -DIST openssl-3.1.5.tar.gz 15663524 BLAKE2B a12eb88b0a4f2d927123e0d3ca7d2f80f2bdc867c710d24700fe39b631b93d90c73c3deceff151a9fa818ac88026eb798f3253f22d03c839ab9574086fa61eee SHA512 82e2ac6b3d9b03f8fc66d2ec421246e989eb702eb94586515abfb5afb5300391a0beedf6a2602f61ac10896b41e5608feeeeb4d37714fa17ac0f2ce465249fa9 -DIST openssl-3.1.5.tar.gz.asc 833 BLAKE2B 633502ec0a87074136d7ea42d9ac5f3df53523560d2a97410b5b57d28d916336da95ab5521c10f94202e3a0995331f0e17bdcf8843135634a5d5a95cfafc7b21 SHA512 48187bb8a7bdbd8b76fdcca736d2b03e2a89330b304eefb4e9620f570c741c60f2023307d8619ba1fa101a99223f94895e7be57ced6547a4fb06bd4c3677533a DIST openssl-3.1.6.tar.gz 15672690 BLAKE2B 70112a7ece66bb6faf1a262c503c1df08924b8c1b9b08a1395856f903b1d1b4a38956b485e83415c29fafbf990ae8aced9b2fb0a2af84863b5c0a2a6581282cf SHA512 18ca07ee6a98d5fe46accfa0156e0354ad770d78bbbbe8e4bb92b316a0e4404f17a34eb700f17ed355d826a4b2166894aa46d8dd81fedbcb16aa1aad0926a390 DIST openssl-3.1.6.tar.gz.asc 833 BLAKE2B 
24fbb26ccf60ede99b9ea6ef6a2a8f1ae89c7881c21eafafeae7a498332dbaf7e52c94b2c52247e34511cc4bd204e71a68aa1a6dab133376e1f15bf676ef58be SHA512 ef3ca59527ca7b00430c251df399ea2cbe47ef0deebf4158250baac8e575ea26582756228f12dd0f7009b55199b0134e77ec47ade9835f1785c74703aa84987e -DIST openssl-3.2.1.tar.gz 17733249 BLAKE2B 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 SHA512 bab2b2419319f1feffaba4692f03edbf13b44d1090c6e075a2d69dad67a2d51e64e6edbf83456a26c83900a726d20d2c4ee4ead9c94b322fd0b536f3b5a863c4 -DIST openssl-3.2.1.tar.gz.asc 833 BLAKE2B a1d25fe30bf1804d13a8b6b98edf56be5bf744d9e2706f4169455c24efe2e3a361487d00d0d4bac240c3f0170693d77a39dd0d4ee5c792d2247aa00c47e74ebf SHA512 de39516c7b77612f33cdc830a8d13ef6bcd91c03d24a6ed105480f140f9e1ad7049844e234c96a516d62e0e33ce90442ffd0f309ea674884c735f04d8562f372 DIST openssl-3.2.2.tar.gz 17744472 BLAKE2B f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9 SHA512 ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d DIST openssl-3.2.2.tar.gz.asc 833 BLAKE2B 09ef1766e771e1d7aac675a09bd9588ee9d76a1fe39794826fd5d9057ae41366a7e92fe81a40bc2fe19a309be612687d8ff760da3f3c44115e3b21b0342b5f46 SHA512 7a798e9c02d25510f4ec49b8956ebf4288760e1272bf327f36b253045ab2f50ac8042071f78984d1b463f07aa2b027f26ad2fbc31deacaac5658fc35437ddc66 -DIST openssl-3.3.0.tar.gz 18038030 BLAKE2B c68efaf8aca87961f396e305acc767b56d651b9adf4fd2c9d9b5a3266e35da4b856c6ed34be47d656c782aade975f20317a6759913b33d29d7eb088e638fa501 SHA512 1f9daeee6542e1b831c65f1f87befaef98ccedc3abc958c9d17f064ef771924c30849e3ff880f94eed4aaa9d81ea105e3bc8815e6d2e4d6b60b5e890f14fc5da -DIST openssl-3.3.0.tar.gz.asc 833 BLAKE2B 207b9fd53de6f57fe24d6a6e5e9f735b7649258bb2873b6c1e29b7d2689c9a75774dbf09392be40f8a8ab240e4e6c745e2864155e8b0f2f3f5ca3b45051e869a SHA512 
8750daa607e6bfd2326a4d4f04c9c04608d9fa852fc1515acf1fcf3d1ad33b8ba8435d9ef1ac3a032fecd09aa90446c53996045506bcfbddb7544bb61b26af24 DIST openssl-3.3.1.tar.gz 18055752 BLAKE2B b09bbe94f49c33015fbcee5f578a20c0da33c289791bf33292170d5d3de44ea2e22144ee11067947aef2733e979c0fded875a4ec92d81468285837053447e68e SHA512 d3682a5ae0721748c6b9ec2f1b74d2b1ba61ee6e4c0d42387b5037a56ef34312833b6abb522d19400b45d807dd65cc834156f5e891cb07fbaf69fcf67e1c595d DIST openssl-3.3.1.tar.gz.asc 833 BLAKE2B e22c068dfcd0205f1cd27f965b76dcaf59bed61181523f198e40d61a4867b20a7636c853c427497559362a92766f430807f02b693821ac38daaa898946f2dba2 SHA512 ae2db74829b71a68e1fc86229396d76f60a9a98e6bba9adc62bdcf2581b60fb0e29ecde2b53a5686c452e754801568e05d3c4f47e8faf02219ac1aae78283338 -EBUILD openssl-1.0.2u-r1.ebuild 9899 BLAKE2B 49b2304764c6b0f3e2f2aa06deb9f918739c427dfaccf4ade8ae3d0bd6278d0dc0b8a97edee1cba528968d1cbd96ca0cfb3147c15bfc04322552017bee65b1ec SHA512 a3c6fd9a3fd6eeebc617a5cc05f8662e9dfc87d165d520bbaf873d788f164e54a719169c81fed140ccda076dffa4ac680c0e2fbea93e258957eafe31b2de244c -EBUILD openssl-1.1.1w.ebuild 8233 BLAKE2B 4657e3e413f25f4503dbc5484e3d06e63c25c64f9132e3ce64629601f729380b6e1918d34f19e9269ac8ed066b2014d2163d54808e67476d033b2af1603cf609 SHA512 122f5d3e3577d9da17d0a49b38925d3fbbaab4117c116f37d0430463d5dcaa3803089cacbc5fddbc5466506eb6a59f1b5fef130dec200c5951f67d9d6c5b160b -EBUILD openssl-3.0.13-r2.ebuild 8579 BLAKE2B 98d8a2d6365a80150fb3f4a061162f8c18d6195a8585a27ee6f1d71ee217f159d8699f485d1191305409f3dc44344758228d9f751c7f12aaa5efd9484fbf48e3 SHA512 94a298c01fcd5e48ea00079b2a039efb2165ff71153a6d1cf810555ab977e820754fd504a4d7dfe32f2e8764c0ac05696b57155531ec8dcdb158612efd7f2a8f -EBUILD openssl-3.0.14.ebuild 8495 BLAKE2B 622335e6f8a5186131dc7f0b037127785bef026e843b376b03b37b53c5e8a3cdf52682627b18407329e0ac519eaa3533a394bdfdfcc6fba38ab7eee406316fa2 SHA512 1718ff8b1afddd18604863f0a3cce9675bf77d0e49d45c87405aaf5e4b40f5e7c00f78904ce9b67c92b941627e2addcb4c887b90701ffa406b87b350c5570548 -EBUILD 
openssl-3.1.5-r2.ebuild 8626 BLAKE2B ae09c41b277f416c8ad0180384fc3fbe7cee002e180ebb4817b6b4b2562a3b4782fe2e9240a275aff8c1a34d22160485dc1e6bac4a03546a3859d454a20b7cae SHA512 d7d687dd36f5839ac75c616f454fb8192d9826057638db17b6ea63dee11da6b5449d89d1a0cf47e0e67a98f51a5a46ca368770e0f03e3d77ce0642b1627d8d5b -EBUILD openssl-3.1.6.ebuild 8534 BLAKE2B b0d0b4c64ad7b025272ac54150ef9ea18e6ab974d558c002098a058600d8aff9253fe9a5d9eb78866f7734e6b2c0cc3222141a7738c5b21311d8d64f0867e2b9 SHA512 6b2c1cb64541d043048864110d4eb35df6c9b45228a4224a9788ac392f59358e1fb62a6c821bc5c05af4cf7ba29b7a0bfbb7f8ef3fbeb619b5b97444b1daff39 -EBUILD openssl-3.2.1-r2.ebuild 9377 BLAKE2B d8a1bd16284002ec39c926bbe9da25c371e2b54f668146d68f72e8f210e1e0073c1bbeb243f9e24ae970023c207906141e7232e925be718ca244e71dc2f604e9 SHA512 9c6f800d565a7c615ce77e04501b0d9f78c4047465242b9bd6f2c64dc0e0b68a6ff0f3effbf70aba0fe0339455d40095609b4a0df33b07e5afbc7543fe9aef58 -EBUILD openssl-3.2.2.ebuild 9179 BLAKE2B c58b822d2c7a0c0f9b2eb985171472818d6719f2f4f7a87ce33f3cbc5d10decd98588357f7dfe64ec49f1b5e220cb26d334a6cd9e88bc35b3f9584f53c961974 SHA512 8dc73f143cad88806c3a3ae23e20ce88f45e24f8a862aabbb28f38f2be9342df188575ea6cf3530f854c7fdf39bc336a3da3c7983166e6825d838abb58c8e2c2 -EBUILD openssl-3.3.0.ebuild 9232 BLAKE2B 26a1b881b02d355802ff020f2d8797b74d7db61426f0254a30937112ba52988317cf9b58155c1d8fb7a662679d78cca80f484ce72fd66684590f85b2da07af67 SHA512 ecb11de2fa82c33911ab3c9500f942524b4831e7318d7cebacc14218f3b08cc379808ec64086475d2151fe7d5981fc775cd47a71ca0aba8a09c03df52e413413 -EBUILD openssl-3.3.1.ebuild 9185 BLAKE2B 7fb4e9e92c8cee1ffb972340511f91dd0d59e9bd08e30b4e467cad81e28998618d7b0c1970e510f2b9c56a5d36cef0f6513137033c128909bc01d595b3e53523 SHA512 7d3820c8a7d1b041edd9e913a7741d2664cddb475b7c87b5789532c060cdaac276ca35ed2523808d600c127c4553a134abf8e09acc7c6c82695e1260872baead +EBUILD openssl-1.0.2u-r1.ebuild 9903 BLAKE2B 
12f7aacfd006be85c50f523a7f1b8a1f9b4f4e2e9fc440f95cc68e615432f47fe8cd61705a518622bbbc075c51b4ee9040f1b6159e254aa23c325f6b41e02dac SHA512 71b6b5dec0ca3966622a2810d1cb98a0fd0e8c06966bf2d3b206b0a804c06a745aeb951a06e3ee1f9627fd39d8a87156ed96c059182c63a7f6bc78074f9f689b +EBUILD openssl-1.1.1w.ebuild 8237 BLAKE2B 6c4bbae0266031cbc7018391e1c4a3172500d5e36d3769f5e4d016665614ee25946fdf94d0bac5b96588f3716970cb7e3748db4300c8b4889a9c1e2577e4b7ad SHA512 d1e41783bd1a95d0188559eb9214c5e6d681d3dd050e9c02b66b8972e482209a3c7cca7dd1e914e49a9f5a4140c4b3fa2576d7452fe5bf1888eaa47c0e51a1eb +EBUILD openssl-3.0.13-r2.ebuild 8583 BLAKE2B 1650cdb16342b99131bc20f49df377cc8c5530980107de5386ba402e779837f16c968bc781f6247152f9d3d2bb73d4d0efd9c791bdec2064205b7e91770c1582 SHA512 6d91e8fd28a5ea5e79b2fa7670ddaceb64a2a7ebbd873f66b1317f6b1c90b44f9b1754ec4edd5185cc105fcd4b1846dfb40559595738e87bc4cd935deb0efef0 +EBUILD openssl-3.0.14.ebuild 8499 BLAKE2B 6498c24cdd33ead5aeb767f59902554fd3972d3bab8fcd3a87379a75807a669e917d9cdcf3897a8b29b60ce7f0bafd5c22a89184e3845755c900ed22456a8057 SHA512 1c4bfaa650a661a0018fa4fce3b7acdac7c0e912fea4a09036b1dc6a7434b9e03d2c456e6b643402c53b7971b11ddc9bab44141a9a3894d0a1235aa3b4750b45 +EBUILD openssl-3.1.6.ebuild 8605 BLAKE2B 841c614b3bcf87dc1129c15e5c413b77c137585fce4c314c47807af5ce6a79ce8296543abbb03857b4a1ef91fe1ee0d98f51bdeb697f04e5d6459c98d65f9dc2 SHA512 dd3061d7be29b22b14c3479541bf5d70ee1a0d5e5257e750dc967fcf693ea7543448ced2cc082281f7d8b5850d2c1ac5977a363b529e94e25f50f624e0bc1171 +EBUILD openssl-3.2.2.ebuild 9250 BLAKE2B 577dd9959d17f63e816f22d06d12379fd68d33f3eb66e4925f2a41dc2821e95aca9ef59558875410e0ad5558bc909e271ea6d7816d98045dd4fd0aabdb7a65ab SHA512 47d2e80fc4aa7fa16388e76ec07d026d2be79eafa2d2e7a52b6208b4ea11d14998d859ee8ecaedad81a528fa5127253b41a3ec23c2e0867c9c639b2947248cfb +EBUILD openssl-3.3.1-r1.ebuild 9402 BLAKE2B 4e1431847648660915b24399ce6d865b13a9b48e35634092d0275563914136c2a636e622d10c210e5799d87c1566ca10deb5bc15ee1c076f42aef432e95b53b3 SHA512 
e37404196b744d220dc791202c6c811147fea691135c9510162b7fc5f720259f6114c0ff91c060f810cdc29051382244db61fc703ca3db2c4bf41d239b3e34bb +EBUILD openssl-3.3.1-r3.ebuild 9572 BLAKE2B eb123ad754eb0834bed0c58ee995da4a78945890555f547f24210c438e0e8fcb22cd83f8b3ffffbf6da14404e7f26091416648a881379c69624e5529db32ae2d SHA512 678c98c1b06f6f753181484d3a366cfbb09b9769033b3a5093f0c4468723f87df9363ce01ae9eaa7ac1ee7469c3eb922337a05cc385584dd5d30d64268cd0862 MISC metadata.xml 1674 BLAKE2B 2195a6538e1b4ec953c707460988f153e40abe7495fd761403c9a54b44ecb7cb5c69ac37ac7d4d18bc0086cf9b4accaaac19926fe5b2ac4b2c547ce1c9e08a6d SHA512 d4eda999c1027f9d8102c59275665f5b01d234c4a7636755a6d3c64b9aad2a657d14256b1527d9b7067cb653458b058db7f5bb20873e48927291092d9ccdd1c6 diff --git a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch deleted file mode 100644 index c5b7dfe449f7..000000000000 --- a/dev-libs/openssl/files/openssl-3.1.5-CVE-2024-2511.patch +++ /dev/null 
@@ -1,137 +0,0 @@
-https://www.openssl.org/news/secadv/20240408.txt
-https://bugs.gentoo.org/930047
-https://github.com/openssl/openssl/commit/7e4d731b1c07201ad9374c1cd9ac5263bdf35bce
-https://github.com/openssl/openssl/commit/c342f4b8bd2d0b375b0e22337057c2eab47d9b96
-
-From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24044)
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode)
-
- /*
- * If the session_id_length is 0, we are not supposed to cache it, and it
-- * would be rather hard to do anyway :-)
-+ * would be rather hard to do anyway :-). Also if the session has already
-+ * been marked as not_resumable we should not cache it for later reuse.
- */
-- if (s->session->session_id_length == 0)
-+ if (s->session->session_id_length == 0 || s->session->not_resumable)
- return;
-
- /*
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void)
- return ss;
- }
-
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
-- return ssl_session_dup(src, 1);
--}
--
- /*
- * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
- * ticket == 0 then no ticket information is duplicated, otherwise it is.
- */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
- SSL_SESSION *dest;
-
-@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
- return NULL;
- }
-
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+ return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+ if (sess != NULL)
-+ sess->not_resumable = 0;
-+
-+ return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if (len)
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt)
- * so the following won't overwrite an ID that we're supposed
- * to send back.
- */
-- if (s->session->not_resumable ||
-- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-- && !s->hit))
-+ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+ && !s->hit)
- s->session->session_id_length = 0;
-
- if (usetls13) {
-
-From c342f4b8bd2d0b375b0e22337057c2eab47d9b96 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24044)
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -533,6 +533,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL *s, const unsigned char *sess_id,
- ret = s->session_ctx->get_session_cb(s, sess_id, sess_id_len, ©);
-
- if (ret != NULL) {
-+ if (ret->not_resumable) {
-+ /* If its not resumable then ignore this session */
-+ if (!copy)
-+ SSL_SESSION_free(ret);
-+ return NULL;
-+ }
- ssl_tsan_counter(s->session_ctx,
- &s->session_ctx->stats.sess_cb_hit);
-
diff --git a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
deleted file mode 100644
index 50bc63ef2d14..000000000000
--- a/dev-libs/openssl/files/openssl-3.1.5-p11-segfault.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/0058a55407d824d5b55ecc0a1cbf8931803dc238
-
-From 0058a55407d824d5b55ecc0a1cbf8931803dc238 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Neil Horman
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
- ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
- return NULL;
- }
-- /* We enforce check for legacy key */
-- switch (EVP_PKEY_get_id(pkey)) {
-- case EVP_PKEY_RSA:
-- {
-- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
-- EVP_PKEY_set1_RSA(pkey, rsa);
-- RSA_free(rsa);
-- }
-- break;
--# ifndef OPENSSL_NO_EC
-- case EVP_PKEY_SM2:
-- case EVP_PKEY_EC:
-- {
-- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
-- EVP_PKEY_set1_EC_KEY(pkey, ec);
-- EC_KEY_free(ec);
-- }
-- break;
--# endif
--# ifndef OPENSSL_NO_DSA
-- case EVP_PKEY_DSA:
-- {
-- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
-- EVP_PKEY_set1_DSA(pkey, dsa);
-- DSA_free(dsa);
-- }
-- break;
--#endif
--# ifndef OPENSSL_NO_DH
-- case EVP_PKEY_DH:
-- {
-- DH *dh = EVP_PKEY_get1_DH(pkey);
-- EVP_PKEY_set1_DH(pkey, dh);
-- DH_free(dh);
-- }
-- break;
--#endif
-- default:
-- /*Do nothing */
-- break;
-- }
--
- return pkey;
- }
-
diff --git a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch b/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
deleted file mode 100644
index d5b40447d745..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-CVE-2024-2511.patch
+++ /dev/null
@@ -1,137 +0,0 @@
-https://www.openssl.org/news/secadv/20240408.txt
-https://bugs.gentoo.org/930047
-https://github.com/openssl/openssl/commit/e9d7083e241670332e0443da0f0d4ffb52829f08
-https://github.com/openssl/openssl/commit/4d67109432646c113887b0aa8091fb0d1b3057e6
-
-From e9d7083e241670332e0443da0f0d4ffb52829f08 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Tue, 5 Mar 2024 15:43:53 +0000
-Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3
-
-In TLSv1.3 we create a new session object for each ticket that we send.
-We do this by duplicating the original session. If SSL_OP_NO_TICKET is in
-use then the new session will be added to the session cache. However, if
-early data is not in use (and therefore anti-replay protection is being
-used), then multiple threads could be resuming from the same session
-simultaneously. If this happens and a problem occurs on one of the threads,
-then the original session object could be marked as not_resumable. When we
-duplicate the session object this not_resumable status gets copied into the
-new session object. The new session object is then added to the session
-cache even though it is not_resumable.
-
-Subsequently, another bug means that the session_id_length is set to 0 for
-sessions that are marked as not_resumable - even though that session is
-still in the cache. Once this happens the session can never be removed from
-the cache. When that object gets to be the session cache tail object the
-cache never shrinks again and grows indefinitely.
-
-CVE-2024-2511
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24043)
---- a/ssl/ssl_lib.c
-+++ b/ssl/ssl_lib.c
-@@ -4457,9 +4457,10 @@ void ssl_update_cache(SSL_CONNECTION *s, int mode)
-
- /*
- * If the session_id_length is 0, we are not supposed to cache it, and it
-- * would be rather hard to do anyway :-)
-+ * would be rather hard to do anyway :-). Also if the session has already
-+ * been marked as not_resumable we should not cache it for later reuse.
- */
-- if (s->session->session_id_length == 0)
-+ if (s->session->session_id_length == 0 || s->session->not_resumable)
- return;
-
- /*
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -127,16 +127,11 @@ SSL_SESSION *SSL_SESSION_new(void)
- return ss;
- }
-
--SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
--{
-- return ssl_session_dup(src, 1);
--}
--
- /*
- * Create a new SSL_SESSION and duplicate the contents of |src| into it. If
- * ticket == 0 then no ticket information is duplicated, otherwise it is.
- */
--SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket)
- {
- SSL_SESSION *dest;
-
-@@ -265,6 +260,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
- return NULL;
- }
-
-+SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src)
-+{
-+ return ssl_session_dup_intern(src, 1);
-+}
-+
-+/*
-+ * Used internally when duplicating a session which might be already shared.
-+ * We will have resumed the original session. Subsequently we might have marked
-+ * it as non-resumable (e.g. in another thread) - but this copy should be ok to
-+ * resume from.
-+ */
-+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket)
-+{
-+ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket);
-+
-+ if (sess != NULL)
-+ sess->not_resumable = 0;
-+
-+ return sess;
-+}
-+
- const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
- {
- if (len)
---- a/ssl/statem/statem_srvr.c
-+++ b/ssl/statem/statem_srvr.c
-@@ -2445,9 +2445,8 @@ CON_FUNC_RETURN tls_construct_server_hello(SSL_CONNECTION *s, WPACKET *pkt)
- * so the following won't overwrite an ID that we're supposed
- * to send back.
- */
-- if (s->session->not_resumable ||
-- (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
-- && !s->hit))
-+ if (!(SSL_CONNECTION_GET_CTX(s)->session_cache_mode & SSL_SESS_CACHE_SERVER)
-+ && !s->hit)
- s->session->session_id_length = 0;
-
- if (usetls13) {
-
-From 4d67109432646c113887b0aa8091fb0d1b3057e6 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Fri, 15 Mar 2024 17:58:42 +0000
-Subject: [PATCH] Hardening around not_resumable sessions
-
-Make sure we can't inadvertently use a not_resumable session
-
-Related to CVE-2024-2511
-
-Reviewed-by: Neil Horman
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/24043)
---- a/ssl/ssl_sess.c
-+++ b/ssl/ssl_sess.c
-@@ -519,6 +519,12 @@ SSL_SESSION *lookup_sess_in_cache(SSL_CONNECTION *s,
- sess_id, sess_id_len, ©);
-
- if (ret != NULL) {
-+ if (ret->not_resumable) {
-+ /* If its not resumable then ignore this session */
-+ if (!copy)
-+ SSL_SESSION_free(ret);
-+ return NULL;
-+ }
- ssl_tsan_counter(s->session_ctx,
- &s->session_ctx->stats.sess_cb_hit);
-
diff --git a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
deleted file mode 100644
index 59e785caac7c..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-https://bugs.gentoo.org/916328
-https://github.com/opendnssec/SoftHSMv2/issues/729
-https://github.com/openssl/openssl/issues/22508
-https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
-
-From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 15 Dec 2023 13:45:50 +0100
-Subject: [PATCH] Revert "Improved detection of engine-provided private
- "classic" keys"
-
-This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
-
-The commit was wrong. With 3.x versions the engines must be themselves
-responsible for creating their EVP_PKEYs in a way that they are treated
-as legacy - either by using the respective set1 calls or by setting
-non-default EVP_PKEY_METHOD.
-
-The workaround has caused more problems than it solved.
-
-Fixes #22945
-
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Neil Horman
-(Merged from https://github.com/openssl/openssl/pull/23063)
-
-(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
---- a/crypto/engine/eng_pkey.c
-+++ b/crypto/engine/eng_pkey.c
-@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
- ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
- return NULL;
- }
-- /* We enforce check for legacy key */
-- switch (EVP_PKEY_get_id(pkey)) {
-- case EVP_PKEY_RSA:
-- {
-- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
-- EVP_PKEY_set1_RSA(pkey, rsa);
-- RSA_free(rsa);
-- }
-- break;
--# ifndef OPENSSL_NO_EC
-- case EVP_PKEY_SM2:
-- case EVP_PKEY_EC:
-- {
-- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
-- EVP_PKEY_set1_EC_KEY(pkey, ec);
-- EC_KEY_free(ec);
-- }
-- break;
--# endif
--# ifndef OPENSSL_NO_DSA
-- case EVP_PKEY_DSA:
-- {
-- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
-- EVP_PKEY_set1_DSA(pkey, dsa);
-- DSA_free(dsa);
-- }
-- break;
--#endif
--# ifndef OPENSSL_NO_DH
-- case EVP_PKEY_DH:
-- {
-- DH *dh = EVP_PKEY_get1_DH(pkey);
-- EVP_PKEY_set1_DH(pkey, dh);
-- DH_free(dh);
-- }
-- break;
--#endif
-- default:
-- /*Do nothing */
-- break;
-- }
--
- return pkey;
- }
-
-
diff --git a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch b/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
deleted file mode 100644
index 51256cf434e2..000000000000
--- a/dev-libs/openssl/files/openssl-3.2.1-riscv.patch
+++ /dev/null
@@ -1,70 +0,0 @@ -# Bug: https://bugs.gentoo.org/923956 -# Upstream PR: https://github.com/openssl/openssl/pull/23752 ---- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c -+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c -@@ -142,9 +142,9 @@ static const PROV_GCM_HW aes_gcm = { - # include "cipher_aes_gcm_hw_armv8.inc" - #elif defined(PPC_AES_GCM_CAPABLE) && defined(_ARCH_PPC64) - # include "cipher_aes_gcm_hw_ppc.inc" --#elif defined(__riscv) && __riscv_xlen == 64 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 - # include "cipher_aes_gcm_hw_rv64i.inc" --#elif defined(__riscv) && __riscv_xlen == 32 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 - # include "cipher_aes_gcm_hw_rv32i.inc" - #else - const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) ---- a/providers/implementations/ciphers/cipher_aes_hw.c -+++ b/providers/implementations/ciphers/cipher_aes_hw.c -@@ -142,9 +142,9 @@ const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_##mode(size_t keybits) \ - # include "cipher_aes_hw_t4.inc" - #elif defined(S390X_aes_128_CAPABLE) - # include "cipher_aes_hw_s390x.inc" --#elif defined(__riscv) && __riscv_xlen == 64 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 - # include "cipher_aes_hw_rv64i.inc" --#elif defined(__riscv) && __riscv_xlen == 32 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 - # include "cipher_aes_hw_rv32i.inc" - #else - /* The generic case */ ---- a/providers/implementations/ciphers/cipher_aes_ocb_hw.c -+++ b/providers/implementations/ciphers/cipher_aes_ocb_hw.c -@@ -104,7 +104,7 @@ static const PROV_CIPHER_HW aes_t4_ocb = { \ - if (SPARC_AES_CAPABLE) \ - return &aes_t4_ocb; - --#elif defined(__riscv) && __riscv_xlen == 64 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 - - static int cipher_hw_aes_ocb_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx, - const unsigned char *key, -@@ -126,7 
+126,7 @@ static const PROV_CIPHER_HW aes_rv64i_zknd_zkne_ocb = { \ - if (RISCV_HAS_ZKND_AND_ZKNE()) \ - return &aes_rv64i_zknd_zkne_ocb; - --#elif defined(__riscv) && __riscv_xlen == 32 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 - - static int cipher_hw_aes_ocb_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *vctx, - const unsigned char *key, ---- a/providers/implementations/ciphers/cipher_aes_xts_hw.c -+++ b/providers/implementations/ciphers/cipher_aes_xts_hw.c -@@ -159,7 +159,7 @@ static const PROV_CIPHER_HW aes_xts_t4 = { \ - if (SPARC_AES_CAPABLE) \ - return &aes_xts_t4; - --#elif defined(__riscv) && __riscv_xlen == 64 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 64 - - static int cipher_hw_aes_xts_rv64i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx, - const unsigned char *key, -@@ -185,7 +185,7 @@ static const PROV_CIPHER_HW aes_xts_rv64i_zknd_zkne = { \ - if (RISCV_HAS_ZKND_AND_ZKNE()) \ - return &aes_xts_rv64i_zknd_zkne; - --#elif defined(__riscv) && __riscv_xlen == 32 -+#elif defined(OPENSSL_CPUID_OBJ) && defined(__riscv) && __riscv_xlen == 32 - - static int cipher_hw_aes_xts_rv32i_zknd_zkne_initkey(PROV_CIPHER_CTX *ctx, - const unsigned char *key, diff --git a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch b/dev-libs/openssl/files/openssl-3.2.1-s390x.patch deleted file mode 100644 index 3cbf4854e12e..000000000000 --- a/dev-libs/openssl/files/openssl-3.2.1-s390x.patch +++ /dev/null 
@@ -1,31 +0,0 @@
-https://bugs.gentoo.org/923957
-https://github.com/openssl/openssl/pull/23458
-https://github.com/openssl/openssl/commit/5fa5d59750db9df00f4871949a66020ac44f4f9c
-
-From 5fa5d59750db9df00f4871949a66020ac44f4f9c Mon Sep 17 00:00:00 2001
-From: Ingo Franzki
-Date: Fri, 2 Feb 2024 10:20:55 +0100
-Subject: [PATCH] s390x: Fix build on s390x with 'disable-asm'
-
-Do not define S390X_MOD_EXP for a NO_ASM build, this would result in
-unresolved externals for s390x_mod_exp and s390x_crt.
-
-Signed-off-by: Ingo Franzki
-
-Reviewed-by: Hugo Landau
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/23458)
-
-(cherry picked from commit a5b0c568dbefddd154f99011d7ce76cfbfadb67a)
---- a/include/crypto/bn.h
-+++ b/include/crypto/bn.h
-@@ -116,7 +116,8 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx);
-
- extern const BIGNUM ossl_bn_inv_sqrt_2;
-
--#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__)
-+#if defined(OPENSSL_SYS_LINUX) && !defined(FIPS_MODULE) && defined (__s390x__) \
-+ && !defined (OPENSSL_NO_ASM)
- # define S390X_MOD_EXP
- #endif
-
diff --git a/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch b/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
new file mode 100644
index 000000000000..bb8fdbe3f241
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.3.1-cmake-generator.patch
@@ -0,0 +1,55 @@ +https://bugs.gentoo.org/937457 +https://github.com/openssl/openssl/commit/419fb4ea4be4c0b28c63b494ff30fa3510aba06e + +From 419fb4ea4be4c0b28c63b494ff30fa3510aba06e Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Sun, 14 Jul 2024 08:57:25 -0400 +Subject: [PATCH] Fix cmake generator + +PR #24678 modified some environment variables and locations that the +cmake exporter depended on, resulting in empty directory resolution. +Adjust build build.info and input variable names to match up again + +Fixes #24874 + +Reviewed-by: Richard Levitte +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24877) + +(cherry picked from commit c1a27bdeb9a4f915aa92ed0e74ed48a1f9b94176) +--- a/build.info ++++ b/build.info +@@ -102,6 +102,11 @@ IF[{- $config{target} =~ /^(?:Cygwin|mingw|VC-|BC-)/ -}] + ENDIF + + # This file sets the build directory up for CMake inclusion ++# Note: This generation of OpenSSLConfig[Version].cmake is used ++# for building openssl locally, and so the build variables are ++# taken from builddata.pm rather than installdata.pm. 
For exportable ++# versions of these generated files, you'll find them in the exporters ++# directory + GENERATE[OpenSSLConfig.cmake]=exporters/cmake/OpenSSLConfig.cmake.in + DEPEND[OpenSSLConfig.cmake]=builddata.pm + GENERATE[OpenSSLConfigVersion.cmake]=exporters/cmake/OpenSSLConfigVersion.cmake.in +--- a/exporters/cmake/OpenSSLConfig.cmake.in ++++ b/exporters/cmake/OpenSSLConfig.cmake.in +@@ -127,13 +127,13 @@ set(OPENSSL_VERSION_FIX "${OpenSSL_VERSION_PATCH}") + set(OPENSSL_FOUND YES) + + # Directories and names +-set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL, 1); -}") +-set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL, 1); -}") +-set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL, 1); -}") +-set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL, 1); -}") +-set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL, 1); -}") ++set(OPENSSL_LIBRARY_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}") ++set(OPENSSL_INCLUDE_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX, 1); -}") ++set(OPENSSL_ENGINES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR, 1); -}") ++set(OPENSSL_MODULES_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX, 1); -}/{- unixify($OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR, 1); -}") ++set(OPENSSL_RUNTIME_DIR "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::BINDIR_REL_PREFIX, 1); -}") + {- output_off() if $disabled{uplink}; "" -} +-set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- unixify($OpenSSL::safe::installdata::APPLINKDIR_REL, 1); -}/applink.c") ++set(OPENSSL_APPLINK_SOURCE "${_ossl_prefix}/{- 
unixify($OpenSSL::safe::installdata::APPLINKDIR_REL_PREFIX, 1); -}/applink.c") + {- output_on() if $disabled{uplink}; "" -} + set(OPENSSL_PROGRAM "${OPENSSL_RUNTIME_DIR}/{- platform->bin('openssl') -}") + diff --git a/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch b/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch new file mode 100644 index 000000000000..a5ad9987eb57 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.3.1-pkg-config-deux.patch 
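Review bot: The new `set(OPENSSL_*_DIR ...)` lines in this patch read `LIBDIR_REL_PREFIX`, `INCLUDEDIR_REL_PREFIX`, `ENGINESDIR_REL_LIBDIR` and similar variables, which on this page are only generated by the util/mkinstallvars.pl change in openssl-3.3.1-pkg-config-deux.patch, and both patches edit exporters/cmake/OpenSSLConfig.cmake.in. Nothing in the patch header records that ordering requirement, and the ebuild's PATCHES array is not visible here. I would add a header line after the bug links such as `Needs openssl-3.3.1-pkg-config-deux.patch applied first (introduces the *_REL_PREFIX / *_REL_LIBDIR variables)`, so a later bump that drops or reorders one of the two does not silently produce empty directory values again.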
@@ -0,0 +1,303 @@ +https://github.com/openssl/openssl/pull/24687 +https://bugs.gentoo.org/936576 + +https://github.com/openssl/openssl/commit/aa099dba7c80c723cf4babf5adc0c801f1c28363 +https://github.com/openssl/openssl/commit/1c437b5704c9ee5f667bc2b11e5fdf176dfb714f + +From aa099dba7c80c723cf4babf5adc0c801f1c28363 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 20 Jun 2024 14:30:16 +0200 +Subject: [PATCH] Give util/mkinstallvars.pl more fine grained control over var + dependencies + +Essentially, we try to do what GNU does. 'prefix' is used to define the +defaults for 'exec_prefix' and 'libdir', and these are then used to define +further directory values. util/mkinstallvars.pl is changed to reflect that +to the best of our ability. + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24687) + +(cherry picked from commit 6e0fd246e7a6e51f92b2ef3520bfc4414b7773c0) +--- + exporters/build.info | 2 +- + util/mkinstallvars.pl | 133 ++++++++++++++++++++++++++---------------- + 2 files changed, 85 insertions(+), 50 deletions(-) + +diff --git a/exporters/build.info b/exporters/build.info +index 86acf2df9467c..9241dc9b0a658 100644 +--- a/exporters/build.info ++++ b/exporters/build.info +@@ -19,7 +19,7 @@ DEPEND[openssl.pc]=libcrypto.pc libssl.pc + DEPEND[""]=openssl.pc + + GENERATE[../installdata.pm]=../util/mkinstallvars.pl \ +- "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" \ ++ "PREFIX=$(INSTALLTOP)" BINDIR=bin "LIBDIR=$(LIBDIR)" "libdir=$(libdir)" \ + INCLUDEDIR=include APPLINKDIR=include/openssl \ + "ENGINESDIR=$(ENGINESDIR)" "MODULESDIR=$(MODULESDIR)" \ + "PKGCONFIGDIR=$(PKGCONFIGDIR)" "CMAKECONFIGDIR=$(CMAKECONFIGDIR)" \ +diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl +index 59a432d28c601..5fadb708e1b77 100644 +--- a/util/mkinstallvars.pl ++++ b/util/mkinstallvars.pl +@@ -11,13 +11,25 @@ + # The result is a Perl module creating the package OpenSSL::safe::installdata. 
+ + use File::Spec; ++use List::Util qw(pairs); + + # These are expected to be set up as absolute directories +-my @absolutes = qw(PREFIX); ++my @absolutes = qw(PREFIX libdir); + # These may be absolute directories, and if not, they are expected to be set up +-# as subdirectories to PREFIX +-my @subdirs = qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR ENGINESDIR MODULESDIR +- PKGCONFIGDIR CMAKECONFIGDIR); ++# as subdirectories to PREFIX or LIBDIR. The order of the pairs is important, ++# since the LIBDIR subdirectories depend on the calculation of LIBDIR from ++# PREFIX. ++my @subdirs = pairs (PREFIX => [ qw(BINDIR LIBDIR INCLUDEDIR APPLINKDIR) ], ++ LIBDIR => [ qw(ENGINESDIR MODULESDIR PKGCONFIGDIR ++ CMAKECONFIGDIR) ]); ++# For completeness, other expected variables ++my @others = qw(VERSION LDLIBS); ++ ++my %all = ( ); ++foreach (@absolutes) { $all{$_} = 1 } ++foreach (@subdirs) { foreach (@{$_->[1]}) { $all{$_} = 1 } } ++foreach (@others) { $all{$_} = 1 } ++print STDERR "DEBUG: all keys: ", join(", ", sort keys %all), "\n"; + + my %keys = (); + foreach (@ARGV) { +@@ -26,29 +38,47 @@ + $ENV{$k} = $v; + } + +-foreach my $k (sort keys %keys) { +- my $v = $ENV{$k}; +- $v = File::Spec->rel2abs($v) if $v && grep { $k eq $_ } @absolutes; +- $ENV{$k} = $v; ++# warn if there are missing values, and also if there are unexpected values ++foreach my $k (sort keys %all) { ++ warn "No value given for $k\n" unless $keys{$k}; + } + foreach my $k (sort keys %keys) { ++ warn "Unknown variable $k\n" unless $all{$k}; ++} ++ ++# This shouldn't be needed, but just in case we get relative paths that ++# should be absolute, make sure they actually are. ++foreach my $k (@absolutes) { + my $v = $ENV{$k} || '.'; ++ print STDERR "DEBUG: $k = $v => "; ++ $v = File::Spec->rel2abs($v) if $v; ++ $ENV{$k} = $v; ++ print STDERR "$k = $ENV{$k}\n"; ++} + +- # Absolute paths for the subdir variables are computed. 
This provides +- # the usual form of values for names that have become norm, known as GNU +- # installation paths. +- # For the benefit of those that need it, the subdirectories are preserved +- # as they are, using the same variable names, suffixed with '_REL', if they +- # are indeed subdirectories. +- if (grep { $k eq $_ } @subdirs) { ++# Absolute paths for the subdir variables are computed. This provides ++# the usual form of values for names that have become norm, known as GNU ++# installation paths. ++# For the benefit of those that need it, the subdirectories are preserved ++# as they are, using the same variable names, suffixed with '_REL_{var}', ++# if they are indeed subdirectories. The '{var}' part of the name tells ++# which other variable value they are relative to. ++foreach my $pair (@subdirs) { ++ my ($var, $subdir_vars) = @$pair; ++ foreach my $k (@$subdir_vars) { ++ my $v = $ENV{$k} || '.'; ++ print STDERR "DEBUG: $k = $v => "; + if (File::Spec->file_name_is_absolute($v)) { +- $ENV{"${k}_REL"} = File::Spec->abs2rel($v, $ENV{PREFIX}); ++ my $kr = "${k}_REL_${var}"; ++ $ENV{$kr} = File::Spec->abs2rel($v, $ENV{$var}); ++ print STDERR "$kr = $ENV{$kr}\n"; + } else { +- $ENV{"${k}_REL"} = $v; +- $v = File::Spec->rel2abs($v, $ENV{PREFIX}); ++ my $kr = "${k}_REL_${var}"; ++ $ENV{$kr} = $v; ++ $ENV{$k} = File::Spec->rel2abs($v, $ENV{$var}); ++ print STDERR "$k = $ENV{$k} , $kr = $v\n"; + } + } +- $ENV{$k} = $v; + } + + print <<_____; +@@ -58,36 +88,41 @@ package OpenSSL::safe::installdata; + use warnings; + use Exporter; + our \@ISA = qw(Exporter); +-our \@EXPORT = qw(\$PREFIX +- \$BINDIR \$BINDIR_REL +- \$LIBDIR \$LIBDIR_REL +- \$INCLUDEDIR \$INCLUDEDIR_REL +- \$APPLINKDIR \$APPLINKDIR_REL +- \$ENGINESDIR \$ENGINESDIR_REL +- \$MODULESDIR \$MODULESDIR_REL +- \$PKGCONFIGDIR \$PKGCONFIGDIR_REL +- \$CMAKECONFIGDIR \$CMAKECONFIGDIR_REL +- \$VERSION \@LDLIBS); +- +-our \$PREFIX = '$ENV{PREFIX}'; +-our \$BINDIR = '$ENV{BINDIR}'; +-our \$BINDIR_REL = 
'$ENV{BINDIR_REL}'; +-our \$LIBDIR = '$ENV{LIBDIR}'; +-our \$LIBDIR_REL = '$ENV{LIBDIR_REL}'; +-our \$INCLUDEDIR = '$ENV{INCLUDEDIR}'; +-our \$INCLUDEDIR_REL = '$ENV{INCLUDEDIR_REL}'; +-our \$APPLINKDIR = '$ENV{APPLINKDIR}'; +-our \$APPLINKDIR_REL = '$ENV{APPLINKDIR_REL}'; +-our \$ENGINESDIR = '$ENV{ENGINESDIR}'; +-our \$ENGINESDIR_REL = '$ENV{ENGINESDIR_REL}'; +-our \$MODULESDIR = '$ENV{MODULESDIR}'; +-our \$MODULESDIR_REL = '$ENV{MODULESDIR_REL}'; +-our \$PKGCONFIGDIR = '$ENV{PKGCONFIGDIR}'; +-our \$PKGCONFIGDIR_REL = '$ENV{PKGCONFIGDIR_REL}'; +-our \$CMAKECONFIGDIR = '$ENV{CMAKECONFIGDIR}'; +-our \$CMAKECONFIGDIR_REL = '$ENV{CMAKECONFIGDIR_REL}'; +-our \$VERSION = '$ENV{VERSION}'; +-our \@LDLIBS = ++our \@EXPORT = qw( ++_____ ++ ++foreach my $k (@absolutes) { ++ print " \$$k\n"; ++} ++foreach my $pair (@subdirs) { ++ my ($var, $subdir_vars) = @$pair; ++ foreach my $k (@$subdir_vars) { ++ my $k2 = "${k}_REL_${var}"; ++ print " \$$k \$$k2\n"; ++ } ++} ++ ++print <<_____; ++ \$VERSION \@LDLIBS ++); ++ ++_____ ++ ++foreach my $k (@absolutes) { ++ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n"; ++} ++foreach my $pair (@subdirs) { ++ my ($var, $subdir_vars) = @$pair; ++ foreach my $k (@$subdir_vars) { ++ my $k2 = "${k}_REL_${var}"; ++ print "our \$$k" . ' ' x (27 - length($k)) . "= '$ENV{$k}';\n"; ++ print "our \$$k2" . ' ' x (27 - length($k2)) . "= '$ENV{$k2}';\n"; ++ } ++} ++ ++print <<_____; ++our \$VERSION = '$ENV{VERSION}'; ++our \@LDLIBS = + # Unix and Windows use space separation, VMS uses comma separation + split(/ +| *, */, '$ENV{LDLIBS}'); + + +From 1c437b5704c9ee5f667bc2b11e5fdf176dfb714f Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Thu, 20 Jun 2024 14:33:15 +0200 +Subject: [PATCH] Adapt all the exporter files to the new vars from + util/mkinstallvars.pl + +With this, the pkg-config files take better advantage of relative directory +values. 
+ +Fixes #24298 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24687) + +(cherry picked from commit 30dc37d798a0428fd477d3763086e7e97b3d596f) +--- + exporters/cmake/OpenSSLConfig.cmake.in | 7 ++++--- + exporters/pkg-config/libcrypto.pc.in | 12 ++++++++---- + exporters/pkg-config/libssl.pc.in | 8 ++++++-- + exporters/pkg-config/openssl.pc.in | 8 ++++++-- + 4 files changed, 24 insertions(+), 11 deletions(-) + +diff --git a/exporters/cmake/OpenSSLConfig.cmake.in b/exporters/cmake/OpenSSLConfig.cmake.in +index 2d2321931de1d..06f796158b2fa 100644 +--- a/exporters/cmake/OpenSSLConfig.cmake.in ++++ b/exporters/cmake/OpenSSLConfig.cmake.in +@@ -89,9 +89,10 @@ unset(_ossl_undefined_targets) + # Set up the import path, so all other import paths are made relative this file + get_filename_component(_ossl_prefix "${CMAKE_CURRENT_LIST_FILE}" PATH) + {- +- # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR_REL, have CMake +- # out the parent directory. +- my $d = unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL); ++ # For each component in $OpenSSL::safe::installdata::CMAKECONFIGDIR relative to ++ # $OpenSSL::safe::installdata::PREFIX, have CMake figure out the parent directory. ++ my $d = join('/', unixify($OpenSSL::safe::installdata::LIBDIR_REL_PREFIX), ++ unixify($OpenSSL::safe::installdata::CMAKECONFIGDIR_REL_LIBDIR)); + $OUT = ''; + $OUT .= 'get_filename_component(_ossl_prefix "${_ossl_prefix}" PATH)' . 
"\n" + foreach (split '/', $d); +diff --git a/exporters/pkg-config/libcrypto.pc.in b/exporters/pkg-config/libcrypto.pc.in +index 14ed339f3c3a0..fbc8ea4c79b06 100644 +--- a/exporters/pkg-config/libcrypto.pc.in ++++ b/exporters/pkg-config/libcrypto.pc.in +@@ -1,7 +1,11 @@ +-libdir={- $OpenSSL::safe::installdata::LIBDIR -} +-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -} +-enginesdir={- $OpenSSL::safe::installdata::ENGINESDIR -} +-modulesdir={- $OpenSSL::safe::installdata::MODULESDIR -} ++prefix={- $OpenSSL::safe::installdata::PREFIX -} ++exec_prefix=${prefix} ++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX ++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX ++ : $OpenSSL::safe::installdata::libdir -} ++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -} ++enginesdir=${libdir}/{- $OpenSSL::safe::installdata::ENGINESDIR_REL_LIBDIR -} ++modulesdir=${libdir}/{- $OpenSSL::safe::installdata::MODULESDIR_REL_LIBDIR -} + + Name: OpenSSL-libcrypto + Description: OpenSSL cryptography library +diff --git a/exporters/pkg-config/libssl.pc.in b/exporters/pkg-config/libssl.pc.in +index a7828b3cc6a49..963538807bb2b 100644 +--- a/exporters/pkg-config/libssl.pc.in ++++ b/exporters/pkg-config/libssl.pc.in +@@ -1,5 +1,9 @@ +-libdir={- $OpenSSL::safe::installdata::LIBDIR -} +-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -} ++prefix={- $OpenSSL::safe::installdata::PREFIX -} ++exec_prefix=${prefix} ++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX ++ ? '${exec_prefix}/' . 
$OpenSSL::safe::installdata::LIBDIR_REL_PREFIX ++ : $OpenSSL::safe::installdata::libdir -} ++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -} + + Name: OpenSSL-libssl + Description: Secure Sockets Layer and cryptography libraries +diff --git a/exporters/pkg-config/openssl.pc.in b/exporters/pkg-config/openssl.pc.in +index dbb77aa39add2..225bef9e2384d 100644 +--- a/exporters/pkg-config/openssl.pc.in ++++ b/exporters/pkg-config/openssl.pc.in +@@ -1,5 +1,9 @@ +-libdir={- $OpenSSL::safe::installdata::LIBDIR -} +-includedir={- $OpenSSL::safe::installdata::INCLUDEDIR -} ++prefix={- $OpenSSL::safe::installdata::PREFIX -} ++exec_prefix=${prefix} ++libdir={- $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX ++ ? '${exec_prefix}/' . $OpenSSL::safe::installdata::LIBDIR_REL_PREFIX ++ : $OpenSSL::safe::installdata::libdir -} ++includedir=${prefix}/{- $OpenSSL::safe::installdata::INCLUDEDIR_REL_PREFIX -} + + Name: OpenSSL + Description: Secure Sockets Layer and cryptography libraries and tools diff --git a/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch b/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch new file mode 100644 index 000000000000..b915b963509a --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.3.1-pkg-config.patch 
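Review bot: The generator loops added to util/mkinstallvars.pl emit each value as `"= '$ENV{$k}';\n"`, so a directory value containing a single quote or a backslash lands unescaped inside a single-quoted Perl literal in the generated installdata.pm. The values come from the build configuration, so this is a robustness point rather than an exposure, but escaping first (`(my $q = $ENV{$k}) =~ s/([\\'])/\\$1/g;` and printing `$q`) would keep the generated module well-formed for any path. The unconditional `print STDERR "DEBUG: ..."` lines will also show up in every build log. As this file is a verbatim upstream backport, both points are better raised upstream than edited into the patch.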
@@ -0,0 +1,31 @@ +https://github.com/openssl/openssl/pull/25018 +https://bugs.gentoo.org/936793 + +From b7bd618fb12728b4a85b9159af95ca40a817674d Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Sun, 28 Jul 2024 10:47:08 +0200 +Subject: [PATCH] fix: util/mkinstallvars.pl mistreated LDLIBS on Unix (and + Windows) + +Don't do comma separation on those platforms. + +Fixes #24986 +--- + util/mkinstallvars.pl | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/util/mkinstallvars.pl b/util/mkinstallvars.pl +index 5fadb708e1b77..e2b7d9d08321f 100644 +--- a/util/mkinstallvars.pl ++++ b/util/mkinstallvars.pl +@@ -124,7 +124,9 @@ package OpenSSL::safe::installdata; + our \$VERSION = '$ENV{VERSION}'; + our \@LDLIBS = + # Unix and Windows use space separation, VMS uses comma separation +- split(/ +| *, */, '$ENV{LDLIBS}'); ++ \$^O eq 'VMS' ++ ? split(/ *, */, '$ENV{LDLIBS}') ++ : split(/ +/, '$ENV{LDLIBS}'); + + 1; + _____ diff --git a/dev-libs/openssl/openssl-1.0.2u-r1.ebuild b/dev-libs/openssl/openssl-1.0.2u-r1.ebuild index c2abe15ce890..eface797e109 100644 --- a/dev-libs/openssl/openssl-1.0.2u-r1.ebuild +++ b/dev-libs/openssl/openssl-1.0.2u-r1.ebuild @@ -22,7 +22,7 @@ MY_P=${P/_/-} BINDIST_PATCH_SET="openssl-1.0.2t-bindist-1.0.tar.xz" DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" SRC_URI="mirror://openssl/source/${MY_P}.tar.gz bindist? ( mirror://gentoo/bb/${BINDIST_PATCH_SET} diff --git a/dev-libs/openssl/openssl-1.1.1w.ebuild b/dev-libs/openssl/openssl-1.1.1w.ebuild index d8ec15eef987..356594f41c67 100644 --- a/dev-libs/openssl/openssl-1.1.1w.ebuild +++ b/dev-libs/openssl/openssl-1.1.1w.ebuild 
@@ -8,7 +8,7 @@ inherit edo flag-o-matic toolchain-funcs multilib-minimal verify-sig MY_P=${P/_/-} DESCRIPTION="Full-strength general purpose cryptography library (including SSL and TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" SRC_URI="mirror://openssl/source/${MY_P}.tar.gz verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" S="${WORKDIR}/${MY_P}" diff --git a/dev-libs/openssl/openssl-3.0.13-r2.ebuild b/dev-libs/openssl/openssl-3.0.13-r2.ebuild index 7419ab042851..c134dc8f5faf 100644 --- a/dev-libs/openssl/openssl-3.0.13-r2.ebuild +++ b/dev-libs/openssl/openssl-3.0.13-r2.ebuild @@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" MY_P=${P/_/-} diff --git a/dev-libs/openssl/openssl-3.0.14.ebuild b/dev-libs/openssl/openssl-3.0.14.ebuild index 647c4ee7dbf9..2a3a9723b5e3 100644 --- a/dev-libs/openssl/openssl-3.0.14.ebuild +++ b/dev-libs/openssl/openssl-3.0.14.ebuild @@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" MY_P=${P/_/-} diff --git a/dev-libs/openssl/openssl-3.1.5-r2.ebuild b/dev-libs/openssl/openssl-3.1.5-r2.ebuild deleted file mode 100644 index 1c3b048b75a0..000000000000 --- a/dev-libs/openssl/openssl-3.1.5-r2.ebuild +++ /dev/null 
@@ -1,286 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI=" - mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) - " - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )" - -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -PATCHES=( - "${FILESDIR}"/${P}-p11-segfault.patch - "${FILESDIR}"/${P}-CVE-2024-2511.patch -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" 
- ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. 
This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 - append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! 
- # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" -Onone VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. 
But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/dev-libs/openssl/openssl-3.1.6.ebuild b/dev-libs/openssl/openssl-3.1.6.ebuild index a95bf0b407ff..96fc87688904 100644 --- a/dev-libs/openssl/openssl-3.1.6.ebuild +++ b/dev-libs/openssl/openssl-3.1.6.ebuild 
@@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" MY_P=${P/_/-} @@ -18,8 +18,10 @@ if [[ ${PV} == 9999 ]] ; then inherit git-r3 else SRC_URI=" - mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) " KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" fi diff --git a/dev-libs/openssl/openssl-3.2.1-r2.ebuild b/dev-libs/openssl/openssl-3.2.1-r2.ebuild deleted file mode 100644 index fb480821f325..000000000000 --- a/dev-libs/openssl/openssl-3.2.1-r2.ebuild +++ /dev/null 
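Review bot: The new SRC_URI in the `@@ -18,8 +18,10 @@` hunk builds both the release tag and the file name from `${P}`, while `MY_P=${P/_/-}` remains defined in the preceding hunk's context and the sibling ebuilds in this commit still use `${MY_P}` for `S` and for `verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}` (this file's own `src_unpack` is outside the hunk, so that part is inferred here). For a plain release the two names are equal, but for any version containing `_` the fetched tarball and the tarball whose signature is checked would have different names, so the ebuild would stop at fetch or at verification. Keeping one spelling avoids that, e.g. `https://github.com/openssl/openssl/releases/download/${MY_P}/${MY_P}.tar.gz` plus the matching `.asc` line, assuming upstream tags pre-releases with a dash. The same applies to the SRC_URI hunk of openssl-3.2.2.ebuild and to the SRC_URI blocks of the new openssl-3.3.1-r1 and openssl-3.3.1-r3 ebuilds.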
@@ -1,308 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI=" - mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) - " - - if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" - fi -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? 
( >=sec-keys/openpgp-keys-openssl-20230801 )" - -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -PATCHES=( - "${FILESDIR}"/${P}-p11-segfault.patch - # bug 923956 (drop on next version bump) - "${FILESDIR}"/${P}-riscv.patch - "${FILESDIR}"/${P}-CVE-2024-2511.patch - "${FILESDIR}"/${P}-s390x.patch -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_unpack() { - # Can delete this once test fix patch is dropped - if use verify-sig ; then - # Needed for downloaded patch (which is unsigned, which is fine) - verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} - fi - - default -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile - - if ! 
use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. 
- filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 -- check inserts GNU ld-compatible arguments - [[ ${CHOST} == *-darwin* ]] || append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! - # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() 
{ - # See https://github.com/openssl/openssl/blob/master/test/README.md for options. - # - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - # - # -j1 here for https://github.com/openssl/openssl/issues/21999, but it - # shouldn't matter as tests were already built earlier, and HARNESS_JOBS - # controls running the tests. - emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! 
use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/dev-libs/openssl/openssl-3.2.2.ebuild b/dev-libs/openssl/openssl-3.2.2.ebuild index e00a57886dc5..a1d16e48ec38 100644 --- a/dev-libs/openssl/openssl-3.2.2.ebuild +++ b/dev-libs/openssl/openssl-3.2.2.ebuild @@ -8,7 +8,7 @@ inherit edo flag-o-matic linux-info toolchain-funcs inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" +HOMEPAGE="https://openssl-library.org/" MY_P=${P/_/-} 
@@ -18,8 +18,10 @@ if [[ ${PV} == 9999 ]] ; then inherit git-r3 else SRC_URI=" - mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then @@ -46,7 +48,7 @@ BDEPEND=" app-alternatives/bc sys-process/procps ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230801 )" + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240424 )" DEPEND="${COMMON_DEPEND}" RDEPEND="${COMMON_DEPEND}" diff --git a/dev-libs/openssl/openssl-3.3.0.ebuild b/dev-libs/openssl/openssl-3.3.0.ebuild deleted file mode 100644 index 3c59077a40e6..000000000000 --- a/dev-libs/openssl/openssl-3.3.0.ebuild +++ /dev/null 
@@ -1,301 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI=" - mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) - " - - #if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - # KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" - #fi -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240424 ) -" -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -PATCHES=( -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" 
- ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_unpack() { - # Can delete this once test fix patch is dropped - if use verify-sig ; then - # Needed for downloaded patch (which is unsigned, which is fine) - verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} - fi - - default -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile || die - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. 
- # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 -- check inserts GNU ld-compatible arguments - [[ ${CHOST} == *-darwin* ]] || append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! 
- # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(multilib_is_native_abi || echo "no-docs") - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use quic && echo "enable-quic") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw -} - -multilib_src_test() { - # See https://github.com/openssl/openssl/blob/master/test/README.md for options. - # - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - # - # -j1 here for https://github.com/openssl/openssl/issues/21999, but it - # shouldn't matter as tests were already built earlier, and HARNESS_JOBS - # controls running the tests. 
- emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? 
- fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/dev-libs/openssl/openssl-3.3.1-r1.ebuild b/dev-libs/openssl/openssl-3.3.1-r1.ebuild new file mode 100644 index 000000000000..c01b8662e767 --- /dev/null +++ b/dev-libs/openssl/openssl-3.3.1-r1.ebuild 
@@ -0,0 +1,307 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~amd64 ~arm ~m68k ~mips ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) + verify-sig? 
( >=sec-keys/openpgp-keys-openssl-20240424 ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + # bug 936311, drop on next version bump + "${FILESDIR}"/${P}-riscv.patch + # https://bugs.gentoo.org/936793 + "${FILESDIR}"/openssl-3.3.1-pkg-config.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} + fi + + default +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! 
use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. 
+ filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! + # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw +} 
+ +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. + emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! 
use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + ebegin "Running openssl fipsinstall" + "${ED}/usr/bin/openssl" fipsinstall -quiet \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" + eend $? + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} diff --git a/dev-libs/openssl/openssl-3.3.1-r3.ebuild b/dev-libs/openssl/openssl-3.3.1-r3.ebuild new file mode 100644 index 000000000000..ede3297ccbdf --- /dev/null +++ b/dev-libs/openssl/openssl-3.3.1-r3.ebuild 
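Review bot: In `pkg_preinst`, a failing `openssl fipsinstall` is only reported through `eend $?`, so with USE=fips the merge appears to continue without `fipsmodule.cnf`, which `multilib_src_install` has already removed from the image. A FIPS-enabled install with no module configuration is better stopped at merge time than found later at run time, so I would make the step fatal: `eend $? || die "openssl fipsinstall failed"`. If best-effort is intended, for example because the freshly built binary may not be runnable on the build host, a comment next to `eend` saying so would make that explicit.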
@@ -0,0 +1,311 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs +inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://openssl-library.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + SRC_URI=" + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + verify-sig? ( + https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + ) + " + + if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then + KEYWORDS="~amd64 ~arm ~m68k ~mips ~s390 ~sparc ~x86 ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris" + fi +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + app-alternatives/bc + sys-process/procps + ) + verify-sig? 
( >=sec-keys/openpgp-keys-openssl-20240424 ) +" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + # bug 936311, drop on next version bump + "${FILESDIR}"/${P}-riscv.patch + # https://bugs.gentoo.org/936793 + "${FILESDIR}"/openssl-3.3.1-pkg-config.patch + # https://bugs.gentoo.org/936576 + "${FILESDIR}"/openssl-3.3.1-pkg-config-deux.patch + # https://bugs.gentoo.org/937457 + "${FILESDIR}"/openssl-3.3.1-cmake-generator.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} + fi + + default +} + +src_prepare() { + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile || die + + if ! 
use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # Test fails depending on kernel configuration, bug #699134 + rm test/recipes/30-test_afalg.t || die +} + +src_configure() { + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/12247 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + # The OpenSSL developers don't test with LTO right now, it leads to various + # warnings/errors (which may or may not be false positives), it's considered + # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. 
+ filter-lto + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # bug #895308 -- check inserts GNU ld-compatible arguments + [[ ${CHOST} == *-darwin* ]] || append-atomic-flags + # Configure doesn't respect LIBS + export LDLIBS="${LIBS}" + + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + multilib-minimal_src_configure +} + +multilib_src_configure() { + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + # See if our toolchain supports __uint128_t. If so, it's 64bit + # friendly and can use the nicely optimized code paths, bug #460790. + #local ec_nistp_64_gcc_128 + # + # Disable it for now though (bug #469976) + # Do NOT re-enable without substantial discussion first! + # + #echo "__uint128_t i;" > "${T}"/128.c + #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then + # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" + #fi + + local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(multilib_is_native_abi || echo "no-docs") + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + enable-idea + enable-mdc2 + enable-rc5 + $(use fips && echo "enable-fips") + $(use quic && echo "enable-quic") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + edo perl "${S}/Configure" "${myeconfargs[@]}" +} + +multilib_src_compile() { + emake build_sw +} 
+ +multilib_src_test() { + # See https://github.com/openssl/openssl/blob/master/test/README.md for options. + # + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + # + # -j1 here for https://github.com/openssl/openssl/issues/21999, but it + # shouldn't matter as tests were already built earlier, and HARNESS_JOBS + # controls running the tests. + emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # Only -j1 is supported for the install targets: + # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 + emake DESTDIR="${D}" -j1 install_sw + if use fips; then + emake DESTDIR="${D}" -j1 install_fips + # Regen this in pkg_preinst, bug 900625 + rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die + fi + + if multilib_is_native_abi; then + emake DESTDIR="${D}" -j1 install_ssldirs + emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs + fi + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! 
use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_preinst() { + if use fips; then + # Regen fipsmodule.cnf, bug 900625 + ebegin "Running openssl fipsinstall" + "${ED}/usr/bin/openssl" fipsinstall -quiet \ + -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" + eend $? + fi + + preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} + +pkg_postinst() { + ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" + openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" + eend $? + + preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ + /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) +} diff --git a/dev-libs/openssl/openssl-3.3.1.ebuild b/dev-libs/openssl/openssl-3.3.1.ebuild deleted file mode 100644 index d348842d29b0..000000000000 --- a/dev-libs/openssl/openssl-3.3.1.ebuild +++ /dev/null 
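Review bot: In `pkg_preinst`, a failing `openssl fipsinstall` is only reported through `eend $?` and the merge carries on, even though `multilib_src_install` has already removed the `fipsmodule.cnf` that `install_fips` wrote; with USE=fips that would leave the installed image without a FIPS module configuration. Making the step fatal, `eend $? || die "openssl fipsinstall failed"`, would stop the merge instead of installing a provider whose configuration was never regenerated. The same `pkg_preinst` lines appear in the openssl-3.3.1-r1.ebuild hunk that ends just above this file. Separately, `src_unpack` verifies `"${DISTDIR}"/${MY_P}.tar.gz{,.asc}` while `SRC_URI` now fetches `${P}.tar.gz`, so for any version where the two differ (`MY_P=${P/_/-}`) the signature check would look for a distfile that was not downloaded; using one name in both places, and dropping the stale "downloaded patch" comment there, would keep the check tied to the tarball that is actually unpacked.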
@@ -1,303 +0,0 @@ -# Copyright 1999-2024 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI=" - mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc ) - " - - if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~amd64 ~mips ~sparc ~x86" - fi -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240424 ) -" -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -PATCHES=( - # bug 936311, drop on next version bump - "${FILESDIR}"/${P}-riscv.patch -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" 
- ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_unpack() { - # Can delete this once test fix patch is dropped - if use verify-sig ; then - # Needed for downloaded patch (which is unsigned, which is fine) - verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc} - fi - - default -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile || die - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. 
- # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 -- check inserts GNU ld-compatible arguments - [[ ${CHOST} == *-darwin* ]] || append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! 
- # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(multilib_is_native_abi || echo "no-docs") - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use quic && echo "enable-quic") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw -} - -multilib_src_test() { - # See https://github.com/openssl/openssl/blob/master/test/README.md for options. - # - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - # - # -j1 here for https://github.com/openssl/openssl/issues/21999, but it - # shouldn't matter as tests were already built earlier, and HARNESS_JOBS - # controls running the tests. 
- emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? 
- fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} -- cgit v1.2.3