summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Xu (Hello71) <alex_y_xu@yahoo.ca>2024-10-01 15:14:23 -0400
committerAlex Xu (Hello71) <alex_y_xu@yahoo.ca>2024-10-01 15:14:23 -0400
commit2e67dbd06b2e700f6fc76b70ae7414d5defb2248 (patch)
tree36f561adfa7b459a8e623b761a8d054b48f7b249
parent6cdf3f05bf00d4c61757eca004ac24ea9767ff88 (diff)
downloadgentoo-overlay-2e67dbd06b2e700f6fc76b70ae7414d5defb2248.tar.xz
gentoo-overlay-2e67dbd06b2e700f6fc76b70ae7414d5defb2248.zip
dev-libs/openssl: upgrade to 3.3.2
-rw-r--r--dev-libs/openssl/Manifest8
-rw-r--r--dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch79
-rw-r--r--dev-libs/openssl/openssl-3.3.2.ebuild (renamed from dev-libs/openssl/openssl-3.1.1.ebuild)68
3 files changed, 131 insertions, 24 deletions
diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
index a86d270..b29dd7a 100644
--- a/dev-libs/openssl/Manifest
+++ b/dev-libs/openssl/Manifest
@@ -1,2 +1,6 @@
-DIST openssl-3.1.1.tar.gz 15544757 BLAKE2B 094f7e28f16de6528016fcd21df1d7382b0dbdcd80ec469d37add9c37f638c059dda3ffb4415eba890a33d146ddc9016bcc7192df101c73be5e70faf6e3b1097 SHA512 8ba9dd6ab87451e126c19cc106ccd1643ca48667d6c37504d0ab98205fbccf855fd0db54474b4113c4c3a15215a4ef77a039fb897a69f71bcab2054b2effd1d9
-DIST openssl-3.1.1.tar.gz.asc 833 BLAKE2B 5a2a9aeb475b843862e133d53bc5bb3c8e12e8e03b1e2da41d0eaa0eade1ae03c4318ad1f5c490c5e1ed7e6ac6275a6d7c881d99993911722b043b15d1622b25 SHA512 83349020c67e5b956f3ef37604a03a1970ea393f862691f5fd5d85930c01e559e25db17d397d8fd230c3862a8b2fba2d5c7df883d56d7472f4c01dab3a661cb2
+DIST openssl-3.1.4.tar.gz 15569450 BLAKE2B bd6a3ef458f86dd5173e87b10432bd81c1570e1848da3c4d7a06eb021d2f67e4075421885c402f6ea792e383e756d78757c17ef060094e840ed5df6faf3d7f9e SHA512 a69df4a018f57dee7d8a57c8003a6869eba11f1eaa394518976642a993780d0de3326019e92dea4c679c6c581fef568ea616ec541afc0792800359c606dffcd2
+DIST openssl-3.1.4.tar.gz.asc 833 BLAKE2B 9f4c2365617b3ea21c8d4f4281befe584e8d39d5f0546fb17d151b21b20615e5d20ed9105881ee981948e866a7629930a7544263c124dce66a9df4f19e16708e SHA512 fc5fa55a54e3da5d48229f25073186613ddf6bb3907999b53ed61832cce9acef00c79d45357bc8590eeeeffb04a829d45921d982924300da16d84eb5333c1512
+DIST openssl-3.2.1.tar.gz 17733249 BLAKE2B 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347 SHA512 bab2b2419319f1feffaba4692f03edbf13b44d1090c6e075a2d69dad67a2d51e64e6edbf83456a26c83900a726d20d2c4ee4ead9c94b322fd0b536f3b5a863c4
+DIST openssl-3.2.1.tar.gz.asc 833 BLAKE2B a1d25fe30bf1804d13a8b6b98edf56be5bf744d9e2706f4169455c24efe2e3a361487d00d0d4bac240c3f0170693d77a39dd0d4ee5c792d2247aa00c47e74ebf SHA512 de39516c7b77612f33cdc830a8d13ef6bcd91c03d24a6ed105480f140f9e1ad7049844e234c96a516d62e0e33ce90442ffd0f309ea674884c735f04d8562f372
+DIST openssl-3.3.1.tar.gz 18055752 BLAKE2B b09bbe94f49c33015fbcee5f578a20c0da33c289791bf33292170d5d3de44ea2e22144ee11067947aef2733e979c0fded875a4ec92d81468285837053447e68e SHA512 d3682a5ae0721748c6b9ec2f1b74d2b1ba61ee6e4c0d42387b5037a56ef34312833b6abb522d19400b45d807dd65cc834156f5e891cb07fbaf69fcf67e1c595d
+DIST openssl-3.3.1.tar.gz.asc 833 BLAKE2B e22c068dfcd0205f1cd27f965b76dcaf59bed61181523f198e40d61a4867b20a7636c853c427497559362a92766f430807f02b693821ac38daaa898946f2dba2 SHA512 ae2db74829b71a68e1fc86229396d76f60a9a98e6bba9adc62bdcf2581b60fb0e29ecde2b53a5686c452e754801568e05d3c4f47e8faf02219ac1aae78283338
diff --git a/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
new file mode 100644
index 0000000..59e785c
--- /dev/null
+++ b/dev-libs/openssl/files/openssl-3.2.1-p11-segfault.patch
@@ -0,0 +1,79 @@
+https://bugs.gentoo.org/916328
+https://github.com/opendnssec/SoftHSMv2/issues/729
+https://github.com/openssl/openssl/issues/22508
+https://github.com/openssl/openssl/commit/934943281267259fa928f4a5814b176525461a65
+
+From 934943281267259fa928f4a5814b176525461a65 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tomas@openssl.org>
+Date: Fri, 15 Dec 2023 13:45:50 +0100
+Subject: [PATCH] Revert "Improved detection of engine-provided private
+ "classic" keys"
+
+This reverts commit 2b74e75331a27fc89cad9c8ea6a26c70019300b5.
+
+The commit was wrong. With 3.x versions the engines must be themselves
+responsible for creating their EVP_PKEYs in a way that they are treated
+as legacy - either by using the respective set1 calls or by setting
+non-default EVP_PKEY_METHOD.
+
+The workaround has caused more problems than it solved.
+
+Fixes #22945
+
+Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
+Reviewed-by: Neil Horman <nhorman@openssl.org>
+(Merged from https://github.com/openssl/openssl/pull/23063)
+
+(cherry picked from commit 39ea78379826fa98e8dc8c0d2b07e2c17cd68380)
+--- a/crypto/engine/eng_pkey.c
++++ b/crypto/engine/eng_pkey.c
+@@ -79,48 +79,6 @@ EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
+ ERR_raise(ERR_LIB_ENGINE, ENGINE_R_FAILED_LOADING_PRIVATE_KEY);
+ return NULL;
+ }
+- /* We enforce check for legacy key */
+- switch (EVP_PKEY_get_id(pkey)) {
+- case EVP_PKEY_RSA:
+- {
+- RSA *rsa = EVP_PKEY_get1_RSA(pkey);
+- EVP_PKEY_set1_RSA(pkey, rsa);
+- RSA_free(rsa);
+- }
+- break;
+-# ifndef OPENSSL_NO_EC
+- case EVP_PKEY_SM2:
+- case EVP_PKEY_EC:
+- {
+- EC_KEY *ec = EVP_PKEY_get1_EC_KEY(pkey);
+- EVP_PKEY_set1_EC_KEY(pkey, ec);
+- EC_KEY_free(ec);
+- }
+- break;
+-# endif
+-# ifndef OPENSSL_NO_DSA
+- case EVP_PKEY_DSA:
+- {
+- DSA *dsa = EVP_PKEY_get1_DSA(pkey);
+- EVP_PKEY_set1_DSA(pkey, dsa);
+- DSA_free(dsa);
+- }
+- break;
+-#endif
+-# ifndef OPENSSL_NO_DH
+- case EVP_PKEY_DH:
+- {
+- DH *dh = EVP_PKEY_get1_DH(pkey);
+- EVP_PKEY_set1_DH(pkey, dh);
+- DH_free(dh);
+- }
+- break;
+-#endif
+- default:
+- /*Do nothing */
+- break;
+- }
+-
+ return pkey;
+ }
+
+
diff --git a/dev-libs/openssl/openssl-3.1.1.ebuild b/dev-libs/openssl/openssl-3.3.2.ebuild
index d391173..7ebdad7 100644
--- a/dev-libs/openssl/openssl-3.1.1.ebuild
+++ b/dev-libs/openssl/openssl-3.3.2.ebuild
@@ -1,13 +1,14 @@
-# Copyright 1999-2023 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
EAPI=8
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc
-inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc
+inherit edo flag-o-matic linux-info toolchain-funcs
+inherit multilib multilib-minimal multiprocessing preserve-libs verify-sig
DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
-HOMEPAGE="https://www.openssl.org/"
+HOMEPAGE="https://openssl-library.org/"
MY_P=${P/_/-}
@@ -17,17 +18,22 @@ if [[ ${PV} == 9999 ]] ; then
inherit git-r3
else
SRC_URI="
- mirror://openssl/source/${MY_P}.tar.gz
- verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz
+ verify-sig? (
+ https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc
+ )
"
- #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+
+ if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then
+ KEYWORDS="~amd64 ~x86"
+ fi
fi
S="${WORKDIR}"/${MY_P}
LICENSE="Apache-2.0"
SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto
-IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
+IUSE="+asm cpu_flags_x86_sse2 fips ktls quic rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
RESTRICT="!test? ( test )"
COMMON_DEPEND="
@@ -39,11 +45,11 @@ BDEPEND="
sctp? ( >=net-misc/lksctp-tools-1.0.12 )
test? (
sys-apps/diffutils
- sys-devel/bc
+ app-alternatives/bc
sys-process/procps
)
- verify-sig? ( >=sec-keys/openpgp-keys-openssl-20230207 )"
-
+ verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )
+"
DEPEND="${COMMON_DEPEND}"
RDEPEND="${COMMON_DEPEND}"
PDEPEND="app-misc/ca-certificates"
@@ -83,7 +89,7 @@ src_unpack() {
# Can delete this once test fix patch is dropped
if use verify-sig ; then
# Needed for downloaded patch (which is unsigned, which is fine)
- verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc}
+ verify-sig_verify_detached "${DISTDIR}"/${MY_P}.tar.gz{,.asc}
fi
default
@@ -92,7 +98,7 @@ src_unpack() {
src_prepare() {
# Make sure we only ever touch Makefile.org and avoid patching a file
# that gets blown away anyways by the Configure script in src_configure
- rm -f Makefile
+ rm -f Makefile || die
if ! use vanilla ; then
PATCHES+=(
@@ -125,6 +131,7 @@ src_configure() {
# code. This has been in the ebuild for > 10 years but even in 2022,
# it's still relevant:
# - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/12247
# - https://github.com/openssl/openssl/issues/18225
# - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057
# Don't remove the no strict aliasing bits below!
@@ -137,6 +144,11 @@ src_configure() {
append-flags $(test-flags-CC -Wa,--noexecstack)
+ # bug #895308 -- check inserts GNU ld-compatible arguments
+ [[ ${CHOST} == *-darwin* ]] || append-atomic-flags
+ # Configure doesn't respect LIBS
+ export LDLIBS="${LIBS}"
+
# bug #197996
unset APPS
# bug #312551
@@ -161,6 +173,7 @@ multilib_src_configure() {
local myeconfargs=(
${sslout}
+ $(multilib_is_native_abi || echo "no-docs")
$(use cpu_flags_x86_sse2 || echo "no-sse2")
enable-camellia
enable-ec
@@ -172,6 +185,7 @@ multilib_src_configure() {
enable-idea
enable-mdc2
$(use fips && echo "enable-fips")
+ $(use quic && echo "enable-quic")
$(use_ssl asm)
$(use_ssl ktls)
$(use_ssl rfc3779)
@@ -193,29 +207,33 @@ multilib_src_configure() {
multilib_src_compile() {
emake build_sw
-
- if multilib_is_native_abi; then
- emake build_docs
- fi
}
multilib_src_test() {
+ # See https://github.com/openssl/openssl/blob/master/test/README.md for options.
+ #
# VFP = show subtests verbosely and show failed tests verbosely
# Normal V=1 would show everything verbosely but this slows things down.
- emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
+ #
+ # -j1 here for https://github.com/openssl/openssl/issues/21999, but it
+ # shouldn't matter as tests were already built earlier, and HARNESS_JOBS
+ # controls running the tests.
+ emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test
}
multilib_src_install() {
- emake DESTDIR="${D}" install_sw
+ # Only -j1 is supported for the install targets:
+ # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305
+ emake DESTDIR="${D}" -j1 install_sw
if use fips; then
- emake DESTDIR="${D}" install_fips
+ emake DESTDIR="${D}" -j1 install_fips
# Regen this in pkg_preinst, bug 900625
rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die
fi
if multilib_is_native_abi; then
- emake DESTDIR="${D}" install_ssldirs
- emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} install_docs
+ emake DESTDIR="${D}" -j1 install_ssldirs
+ emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs
fi
# This is crappy in that the static archives are still built even
@@ -255,10 +273,16 @@ pkg_preinst() {
-module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so"
eend $?
fi
+
+ preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}
pkg_postinst() {
ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)"
openssl rehash "${EROOT}${SSL_CNF_DIR}/certs"
eend $?
+
+ preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \
+ /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1)
}