From 50640194fe0aaaffde3984f936bf0ffea6ec1776 Mon Sep 17 00:00:00 2001 From: "Alex Xu (Hello71)" Date: Mon, 2 Jan 2023 16:43:12 -0500 Subject: dev-libs/openssl: sync --- dev-libs/openssl/files/gentoo.config-1.0.2 | 171 ----------- dev-libs/openssl/files/gentoo.config-1.0.4 | 176 +++++++++++ .../openssl/files/openssl-3.0.5-test-memcmp.patch | 22 -- .../files/openssl-3.0.7-x509-CVE-2022-3996.patch | 35 +++ dev-libs/openssl/openssl-3.0.7-r1.ebuild | 325 -------------------- dev-libs/openssl/openssl-3.0.7-r3.ebuild | 331 +++++++++++++++++++++ 6 files changed, 542 insertions(+), 518 deletions(-) delete mode 100644 dev-libs/openssl/files/gentoo.config-1.0.2 create mode 100644 dev-libs/openssl/files/gentoo.config-1.0.4 delete mode 100644 dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch create mode 100644 dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch delete mode 100644 dev-libs/openssl/openssl-3.0.7-r1.ebuild create mode 100644 dev-libs/openssl/openssl-3.0.7-r3.ebuild (limited to 'dev-libs') diff --git a/dev-libs/openssl/files/gentoo.config-1.0.2 b/dev-libs/openssl/files/gentoo.config-1.0.2 deleted file mode 100644 index 68d7d0a..0000000 --- a/dev-libs/openssl/files/gentoo.config-1.0.2 +++ /dev/null @@ -1,171 +0,0 @@ -#!/usr/bin/env bash -# Copyright 1999-2020 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 -# -# Openssl doesn't play along nicely with cross-compiling -# like autotools based projects, so let's teach it new tricks. -# -# Review the bundled 'config' script to see why kind of targets -# we can pass to the 'Configure' script. - - -# Testing routines -if [[ $1 == "test" ]] ; then - for c in \ - "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ - "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ - "x86_64-pc-linux-gnu |linux-x86_64" \ - "alpha-linux-gnu |linux-alpha-gcc" \ - "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ - "i686-pc-linux-gnu |linux-elf" \ - "whatever-gentoo-freebsdX.Y |BSD-generic32" \ - "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ - "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ - "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ - "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ - "hppa64-aldsF-linux-gnu5.3 |linux-generic32 -DB_ENDIAN" \ - "powerpc-gentOO-linux-uclibc |linux-ppc" \ - "powerpc64-unk-linux-gnu |linux-ppc64" \ - "powerpc64le-linux-gnu |linux-ppc64le" \ - "x86_64-apple-darwinX |darwin64-x86_64-cc" \ - "powerpc64-apple-darwinX |darwin64-ppc-cc" \ - "i686-apple-darwinX |darwin-i386-cc" \ - "i386-apple-darwinX |darwin-i386-cc" \ - "powerpc-apple-darwinX |darwin-ppc-cc" \ - "i586-pc-winnt |winnt-parity" \ - "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ - "s390x-linux-gnu |linux64-s390x" \ - ;do - CHOST=${c/|*} - ret_want=${c/*|} - ret_got=$(CHOST=${CHOST} "$0") - - if [[ ${ret_want} == "${ret_got}" ]] ; then - echo "PASS: ${CHOST}" - else - echo "FAIL: ${CHOST}" - echo -e "\twanted: ${ret_want}" - echo -e "\twe got: ${ret_got}" - fi - done - exit 0 -fi -[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 - - -# Detect the operating system -case ${CHOST} in - *-aix*) system="aix";; - *-darwin*) system="darwin";; - *-freebsd*) system="BSD";; - *-hpux*) system="hpux";; - *-linux*) system="linux";; - *-solaris*) system="solaris";; - *-winnt*) system="winnt";; - x86_64-*-mingw*) system="mingw64";; - *mingw*) system="mingw";; - *) exit 0;; -esac - - -# Compiler munging -compiler="gcc" -if [[ ${CC} == "ccc" ]] ; then - compiler=${CC} -fi - - -# Detect target arch -machine="" -chost_machine=${CHOST%%-*} -case ${system} in -linux) - case ${chost_machine}:${ABI} in - aarch64*be*) machine="aarch64 -DB_ENDIAN";; - aarch64*) machine="aarch64 -DL_ENDIAN";; - alphaev56*|\ - alphaev[678]*)machine=alpha+bwx-${compiler};; - alpha*) machine=alpha-${compiler};; - armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; - armv[4-9]*) machine="armv4 -DL_ENDIAN";; - arm*b*) machine="generic32 -DB_ENDIAN";; - arm*) machine="generic32 -DL_ENDIAN";; - avr*) machine="generic32 -DL_ENDIAN";; - bfin*) machine="generic32 -DL_ENDIAN";; - # hppa64*) machine=parisc64;; - hppa*) machine="generic32 -DB_ENDIAN";; - i[0-9]86*|\ - x86_64*:x86) machine=elf;; - ia64*) machine=ia64;; - m68*) machine="generic32 -DB_ENDIAN";; - mips*el*) machine="generic32 -DL_ENDIAN";; - mips*) machine="generic32 -DB_ENDIAN";; - powerpc64*le*)machine=ppc64le;; - powerpc64*) machine=ppc64;; - powerpc*le*) machine="generic32 -DL_ENDIAN";; - powerpc*) machine=ppc;; - riscv32*) machine="generic32 -DL_ENDIAN";; - riscv64*) machine="generic64 -DL_ENDIAN";; - # sh64*) machine=elf;; - sh*b*) machine="generic32 -DB_ENDIAN";; - sh*) machine="generic32 -DL_ENDIAN";; - # TODO: Might want to do -mcpu probing like glibc to determine a - # better default for sparc-linux-gnu targets. This logic will - # break v7 and older systems when they use it. - sparc*v7*) machine="generic32 -DB_ENDIAN";; - sparc64*) machine=sparcv9 system=linux64;; - sparc*v9*) machine=sparcv9;; - sparc*v8*) machine=sparcv8;; - sparc*) machine=sparcv8;; - s390x*) machine=s390x system=linux64;; - s390*) machine="generic32 -DB_ENDIAN";; - x86_64*:x32) machine=x32;; - x86_64*) machine=x86_64;; - esac - ;; -BSD) - case ${chost_machine} in - alpha*) machine=generic64;; - i[6-9]86*) machine=x86-elf;; - ia64*) machine=ia64;; - sparc64*) machine=sparc64;; - x86_64*) machine=x86_64;; - *) machine=generic32;; - esac - ;; -aix) - machine=${compiler} - ;; -darwin) - case ${chost_machine} in - powerpc64) machine=ppc-cc; system=${system}64;; - powerpc) machine=ppc-cc;; - i?86*) machine=i386-cc;; - x86_64) machine=x86_64-cc; system=${system}64;; - esac - ;; -hpux) - case ${chost_machine} in - ia64) machine=ia64-${compiler} ;; - esac - ;; -solaris) - case ${chost_machine} in - i386) machine=x86-${compiler} ;; - x86_64*) machine=x86_64-${compiler}; system=${system}64;; - sparcv9*) machine=sparcv9-${compiler}; system=${system}64;; - sparc*) machine=sparcv8-${compiler};; - esac - ;; -winnt) - machine=parity - ;; -mingw*) - # special case ... no xxx-yyy style name - echo ${system} - ;; -esac - - -# If we have something, show it -[[ -n ${machine} ]] && echo ${system}-${machine} diff --git a/dev-libs/openssl/files/gentoo.config-1.0.4 b/dev-libs/openssl/files/gentoo.config-1.0.4 new file mode 100644 index 0000000..573a97d --- /dev/null +++ b/dev-libs/openssl/files/gentoo.config-1.0.4 @@ -0,0 +1,176 @@ +#!/usr/bin/env bash +# Copyright 1999-2020 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 +# +# Openssl doesn't play along nicely with cross-compiling +# like autotools based projects, so let's teach it new tricks. +# +# Review the bundled 'config' script to see why kind of targets +# we can pass to the 'Configure' script. + + +# Testing routines +if [[ $1 == "test" ]] ; then + for c in \ + "arm-gentoo-linux-uclibc |linux-generic32 -DL_ENDIAN" \ + "armv5b-linux-gnu |linux-armv4 -DB_ENDIAN" \ + "x86_64-pc-linux-gnu |linux-x86_64" \ + "alpha-linux-gnu |linux-alpha-gcc" \ + "alphaev56-unknown-linux-gnu |linux-alpha+bwx-gcc" \ + "i686-pc-linux-gnu |linux-elf" \ + "whatever-gentoo-freebsdX.Y |BSD-generic32" \ + "i686-gentoo-freebsdX.Y |BSD-x86-elf" \ + "sparc64-alpha-freebsdX.Y |BSD-sparc64" \ + "ia64-gentoo-freebsd5.99234 |BSD-ia64" \ + "x86_64-gentoo-freebsdX.Y |BSD-x86_64" \ + "hppa64-aldsF-linux-gnu5.3 |linux-generic32 -DB_ENDIAN" \ + "powerpc-gentOO-linux-uclibc |linux-ppc" \ + "powerpc64-unk-linux-gnu |linux-ppc64" \ + "powerpc64le-linux-gnu |linux-ppc64le" \ + "x86_64-apple-darwinX |darwin64-x86_64-cc" \ + "powerpc64-apple-darwinX |darwin64-ppc-cc" \ + "i686-apple-darwinX |darwin-i386-cc" \ + "i386-apple-darwinX |darwin-i386-cc" \ + "powerpc-apple-darwinX |darwin-ppc-cc" \ + "i586-pc-winnt |winnt-parity" \ + "s390-ibm-linux-gnu |linux-generic32 -DB_ENDIAN" \ + "s390x-linux-gnu |linux64-s390x" \ + ;do + CHOST=${c/|*} + ret_want=${c/*|} + ret_got=$(CHOST=${CHOST} "$0") + + if [[ ${ret_want} == "${ret_got}" ]] ; then + echo "PASS: ${CHOST}" + else + echo "FAIL: ${CHOST}" + echo -e "\twanted: ${ret_want}" + echo -e "\twe got: ${ret_got}" + fi + done + exit 0 +fi +[[ -z ${CHOST} && -n $1 ]] && CHOST=$1 + + +# Detect the operating system +case ${CHOST} in + *-aix*) system="aix";; + *-darwin*) system="darwin";; + *-freebsd*) system="BSD";; + *-hpux*) system="hpux";; + *-linux*) system="linux";; + *-solaris*) system="solaris";; + *-winnt*) system="winnt";; + x86_64-*-mingw*) system="mingw64";; + *mingw*) system="mingw";; + *) exit 0;; +esac + + +# Compiler munging +compiler="gcc" +if [[ ${CC} == "ccc" ]] ; then + compiler=${CC} +fi + + +# Detect target arch +machine="" +chost_machine=${CHOST%%-*} +case ${system} in +linux) + case ${chost_machine}:${ABI} in + aarch64*be*) machine="aarch64 -DB_ENDIAN";; + aarch64*) machine="aarch64 -DL_ENDIAN";; + alphaev56*|\ + alphaev[678]*)machine=alpha+bwx-${compiler};; + alpha*) machine=alpha-${compiler};; + armv[4-9]*b*) machine="armv4 -DB_ENDIAN";; + armv[4-9]*) machine="armv4 -DL_ENDIAN";; + arm*b*) machine="generic32 -DB_ENDIAN";; + arm*) machine="generic32 -DL_ENDIAN";; + avr*) machine="generic32 -DL_ENDIAN";; + bfin*) machine="generic32 -DL_ENDIAN";; + # hppa64*) machine=parisc64;; + hppa*) machine="generic32 -DB_ENDIAN";; + i[0-9]86*|\ + x86_64*:x86) machine=x86;; + ia64*) machine=ia64;; + loongarch64*) machine="loongarch64 -DL_ENDIAN" system=linux64;; + m68*) machine="latomic -DB_ENDIAN";; + mips*el*:o32) machine="mips32 -DL_ENDIAN";; + mips*:o32) machine="mips32 -DB_ENDIAN";; + mips*el*:n32) machine="mips64 -DL_ENDIAN";; + mips*:n32) machine="mips64 -DB_ENDIAN";; + mips*el*:n64) machine="mips64 -DL_ENDIAN" system=linux64;; + mips*:n64) machine="mips64 -DB_ENDIAN" system=linux64;; + powerpc64*le*)machine=ppc64le;; + powerpc64*) machine=ppc64;; + powerpc*le*) machine="generic32 -DL_ENDIAN";; + powerpc*) machine=ppc;; + riscv32*) machine="generic32 -DL_ENDIAN";; + riscv64*) machine="riscv64 -DL_ENDIAN" system=linux64;; + # sh64*) machine=elf;; + sh*b*) machine="generic32 -DB_ENDIAN";; + sh*) machine="generic32 -DL_ENDIAN";; + # TODO: Might want to do -mcpu probing like glibc to determine a + # better default for sparc-linux-gnu targets. This logic will + # break v7 and older systems when they use it. + sparc*v7*) machine="generic32 -DB_ENDIAN";; + sparc64*) machine=sparcv9 system=linux64;; + sparc*v9*) machine=sparcv9;; + sparc*v8*) machine=sparcv8;; + sparc*) machine=sparcv8;; + s390x*) machine=s390x system=linux64;; + s390*) machine="generic32 -DB_ENDIAN";; + x86_64*:x32) machine=x32;; + x86_64*) machine=x86_64;; + esac + ;; +BSD) + case ${chost_machine} in + alpha*) machine=generic64;; + i[6-9]86*) machine=x86-elf;; + ia64*) machine=ia64;; + sparc64*) machine=sparc64;; + x86_64*) machine=x86_64;; + *) machine=generic32;; + esac + ;; +aix) + machine=${compiler} + ;; +darwin) + case ${chost_machine} in + powerpc64) machine=ppc-cc; system=${system}64;; + powerpc) machine=ppc-cc;; + i?86*) machine=i386-cc;; + x86_64) machine=x86_64-cc; system=${system}64;; + esac + ;; +hpux) + case ${chost_machine} in + ia64) machine=ia64-${compiler} ;; + esac + ;; +solaris) + case ${chost_machine} in + i386) machine=x86-${compiler} ;; + x86_64*) machine=x86_64-${compiler}; system=${system}64;; + sparcv9*) machine=sparcv9-${compiler}; system=${system}64;; + sparc*) machine=sparcv8-${compiler};; + esac + ;; +winnt) + machine=parity + ;; +mingw*) + # special case ... no xxx-yyy style name + echo ${system} + ;; +esac + + +# If we have something, show it +[[ -n ${machine} ]] && echo ${system}-${machine} diff --git a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch b/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch deleted file mode 100644 index 8fa0387..0000000 --- a/dev-libs/openssl/files/openssl-3.0.5-test-memcmp.patch +++ /dev/null @@ -1,22 +0,0 @@ -From 7f58de577c05ae0bbd20eee9b2971cfa1cd062c8 Mon Sep 17 00:00:00 2001 -From: Gregor Jasny -Date: Tue, 5 Jul 2022 12:57:06 +0200 -Subject: [PATCH] Add missing header for memcmp - -CLA: trivial ---- - test/v3ext.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/test/v3ext.c b/test/v3ext.c -index 926f3884b138..a8ab64b2714b 100644 ---- a/test/v3ext.c -+++ b/test/v3ext.c -@@ -8,6 +8,7 @@ - */ - - #include -+#include - #include - #include - #include diff --git a/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch new file mode 100644 index 0000000..079a4f5 --- /dev/null +++ b/dev-libs/openssl/files/openssl-3.0.7-x509-CVE-2022-3996.patch @@ -0,0 +1,35 @@ +https://bugs.gentoo.org/885797 + +https://github.com/openssl/openssl/commit/7725e7bfe6f2ce8146b6552b44e0d226be7638e7 +https://github.com/openssl/openssl/issues/19643 + +From 7725e7bfe6f2ce8146b6552b44e0d226be7638e7 Mon Sep 17 00:00:00 2001 +From: Pauli +Date: Fri, 11 Nov 2022 09:40:19 +1100 +Subject: [PATCH] x509: fix double locking problem + +This reverts commit 9aa4be691f5c73eb3c68606d824c104550c053f7 and removed the +redundant flag setting. + +Fixes #19643 + +Fixes LOW CVE-2022-3996 + +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/19652) + +(cherry picked from commit 4d0340a6d2f327700a059f0b8f954d6160f8eef5) +--- a/crypto/x509/pcy_map.c ++++ b/crypto/x509/pcy_map.c +@@ -73,10 +73,6 @@ int ossl_policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) + + ret = 1; + bad_mapping: +- if (ret == -1 && CRYPTO_THREAD_write_lock(x->lock)) { +- x->ex_flags |= EXFLAG_INVALID_POLICY; +- CRYPTO_THREAD_unlock(x->lock); +- } + sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); + return ret; + diff --git a/dev-libs/openssl/openssl-3.0.7-r1.ebuild b/dev-libs/openssl/openssl-3.0.7-r1.ebuild deleted file mode 100644 index c388456..0000000 --- a/dev-libs/openssl/openssl-3.0.7-r1.ebuild +++ /dev/null @@ -1,325 +0,0 @@ -# Copyright 1999-2022 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=7 - -VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://www.openssl.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == 9999 ]] ; then - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - SRC_URI="mirror://openssl/source/${MY_P}.tar.gz - verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" - KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/3" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - >=app-misc/c_rehash-1.7-r1 - tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - sys-devel/bc - sys-process/procps - ) - verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )" - -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -PATCHES=( -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_unpack() { - # Can delete this once test fix patch is dropped - if use verify-sig ; then - # Needed for downloaded patch (which is unsigned, which is fine) - verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc} - fi - - default -} - -src_prepare() { - # Allow openssl to be cross-compiled - cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die - chmod a+rx gentoo.config || die - - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # - Make sure the man pages are suffixed (bug #302165) - # - Don't bother building man pages if they're disabled - # - Make DOCDIR Gentoo compliant - sed -i \ - -e '/^MANSUFFIX/s:=.*:=ssl:' \ - -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ - -e $(has noman FEATURES \ - && echo '/^install:/s:install_docs::' \ - || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ - -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \ - Configurations/unix-Makefile.tmpl \ - || die - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # Prefixify Configure shebang (bug #141906) - sed \ - -e "1s,/usr/bin/env,${BROOT}&," \ - -i Configure || die - - # Remove test target when FEATURES=test isn't set - if ! use test ; then - sed \ - -e '/^$config{dirs}/s@ "test",@@' \ - -i Configure || die - fi - - # The config script does stupid stuff to prompt the user. Kill it. - sed -i '/stty -icanon min 0 time 50; read waste/d' config || die - ./config --test-sanity || die "I AM NOT SANE" - - multilib_copy_sources -} - -multilib_src_configure() { - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - local sslout=$(./gentoo.config) - einfo "Using configuration: ${sslout:-(openssl knows best)}" - local config="Configure" - [[ -z ${sslout} ]] && config="config" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - $(use amd64 && echo "enable-ec_nistp_64_gcc_128") - enable-idea - enable-mdc2 - $(use fips && echo "enable-fips") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}" - - # Clean out hardcoded flags that openssl uses - local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ - -e 's:^CFLAGS=::' \ - -e 's:\(^\| \)-fomit-frame-pointer::g' \ - -e 's:\(^\| \)-O[^ ]*::g' \ - -e 's:\(^\| \)-march=[^ ]*::g' \ - -e 's:\(^\| \)-mcpu=[^ ]*::g' \ - -e 's:\(^\| \)-m[^ ]*::g' \ - -e 's:^ *::' \ - -e 's: *$::' \ - -e 's: \+: :g' \ - -e 's:\\:\\\\:g' - ) - - # Now insert clean default flags with user flags - sed -i \ - -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ - -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ - Makefile \ - || die -} - -multilib_src_compile() { - # depend is needed to use $confopts; it also doesn't matter - # that it's -j1 as the code itself serializes subdirs - emake -j1 depend - - emake all -} - -multilib_src_test() { - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test -} - -multilib_src_install() { - # We need to create ${ED}/usr on our own to avoid a race condition (bug #665130) - dodir /usr - - emake DESTDIR="${D}" install - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # Namespace openssl programs to prevent conflicts with other man pages - cd "${ED}"/usr/share/man || die - local m d s - for m in $(find . -type f | xargs grep -L '#include') ; do - d=${m%/*} - d=${d#./} - m=${m##*/} - - [[ ${m} == openssl.1* ]] && continue - - [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" - - mv ${d}/{,ssl-}${m} || die - - # Fix up references to renamed man pages - sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die - ln -s ssl-${m} ${d}/openssl-${m} || die - - # Locate any symlinks that point to this man page - # We assume that any broken links are due to the above renaming - for s in $(find -L ${d} -type l) ; do - s=${s##*/} - - rm -f ${d}/${s} - - # We don't want to "|| die" here - ln -s ssl-${m} ${d}/ssl-${s} - ln -s ssl-${s} ${d}/openssl-${s} - done - done - [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_postinst() { - ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)" - c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null - eend $? -} diff --git a/dev-libs/openssl/openssl-3.0.7-r3.ebuild b/dev-libs/openssl/openssl-3.0.7-r3.ebuild new file mode 100644 index 0000000..fd6e3fc --- /dev/null +++ b/dev-libs/openssl/openssl-3.0.7-r3.ebuild @@ -0,0 +1,331 @@ +# Copyright 1999-2022 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=7 + +VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/openssl.org.asc +inherit edo flag-o-matic linux-info toolchain-funcs multilib-minimal multiprocessing verify-sig + +DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" +HOMEPAGE="https://www.openssl.org/" + +MY_P=${P/_/-} + +if [[ ${PV} == 9999 ]] ; then + EGIT_REPO_URI="https://github.com/openssl/openssl.git" + + inherit git-r3 +else + SRC_URI="mirror://openssl/source/${MY_P}.tar.gz + verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )" + #KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux" + KEYWORDS="~alpha ~amd64 ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~riscv ~s390 ~sparc ~x86" +fi + +S="${WORKDIR}"/${MY_P} + +LICENSE="Apache-2.0" +SLOT="0/3" # .so version of libssl/libcrypto +IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers" +RESTRICT="!test? ( test )" + +COMMON_DEPEND=" + >=app-misc/c_rehash-1.7-r1 + tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] ) +" +BDEPEND=" + >=dev-lang/perl-5 + sctp? ( >=net-misc/lksctp-tools-1.0.12 ) + test? ( + sys-apps/diffutils + sys-devel/bc + sys-process/procps + ) + verify-sig? ( >=sec-keys/openpgp-keys-openssl-20221101 )" + +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND}" +PDEPEND="app-misc/ca-certificates" + +MULTILIB_WRAPPED_HEADERS=( + /usr/include/openssl/configuration.h +) + +PATCHES=( + "${FILESDIR}"/${P}-x509-CVE-2022-3996.patch +) + +pkg_setup() { + if use ktls ; then + if kernel_is -lt 4 18 ; then + ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" + else + CONFIG_CHECK="~TLS ~TLS_DEVICE" + ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" + ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" + use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" + + linux-info_pkg_setup + fi + fi + + [[ ${MERGE_TYPE} == binary ]] && return + + # must check in pkg_setup; sysctl doesn't work with userpriv! + if use test && use sctp ; then + # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" + # if sctp.auth_enable is not enabled. + local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) + if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then + die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" + fi + fi +} + +src_unpack() { + # Can delete this once test fix patch is dropped + if use verify-sig ; then + # Needed for downloaded patch (which is unsigned, which is fine) + verify-sig_verify_detached "${DISTDIR}"/${P}.tar.gz{,.asc} + fi + + default +} + +src_prepare() { + # Allow openssl to be cross-compiled + cp "${FILESDIR}"/gentoo.config-1.0.4 gentoo.config || die + chmod a+rx gentoo.config || die + + # Keep this in sync with app-misc/c_rehash + SSL_CNF_DIR="/etc/ssl" + + # Make sure we only ever touch Makefile.org and avoid patching a file + # that gets blown away anyways by the Configure script in src_configure + rm -f Makefile + + if ! use vanilla ; then + PATCHES+=( + # Add patches which are Gentoo-specific customisations here + ) + fi + + default + + if use test && use sctp && has network-sandbox ${FEATURES} ; then + einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." + rm test/recipes/80-test_ssl_new.t || die + fi + + # - Make sure the man pages are suffixed (bug #302165) + # - Don't bother building man pages if they're disabled + # - Make DOCDIR Gentoo compliant + sed -i \ + -e '/^MANSUFFIX/s:=.*:=ssl:' \ + -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \ + -e $(has noman FEATURES \ + && echo '/^install:/s:install_docs::' \ + || echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \ + -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \ + Configurations/unix-Makefile.tmpl \ + || die + + # Quiet out unknown driver argument warnings since openssl + # doesn't have well-split CFLAGS and we're making it even worse + # and 'make depend' uses -Werror for added fun (bug #417795 again) + tc-is-clang && append-flags -Qunused-arguments + + # We really, really need to build OpenSSL w/ strict aliasing disabled. + # It's filled with violations and it *will* result in miscompiled + # code. This has been in the ebuild for > 10 years but even in 2022, + # it's still relevant: + # - https://github.com/llvm/llvm-project/issues/55255 + # - https://github.com/openssl/openssl/issues/18225 + # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 + # Don't remove the no strict aliasing bits below! + filter-flags -fstrict-aliasing + append-flags -fno-strict-aliasing + + append-flags $(test-flags-CC -Wa,--noexecstack) + + # Prefixify Configure shebang (bug #141906) + sed \ + -e "1s,/usr/bin/env,${BROOT}&," \ + -i Configure || die + + # Remove test target when FEATURES=test isn't set + if ! use test ; then + sed \ + -e '/^$config{dirs}/s@ "test",@@' \ + -i Configure || die + fi + + local sslout=$(./gentoo.config) + einfo "Using configuration: ${sslout:-(openssl knows best)}" + + # The config script does stupid stuff to prompt the user. Kill it. + sed -i '/stty -icanon min 0 time 50; read waste/d' config || die + ./config ${sslout} --test-sanity || die "I AM NOT SANE" + + multilib_copy_sources +} + +multilib_src_configure() { + # bug #197996 + unset APPS + # bug #312551 + unset SCRIPTS + # bug #311473 + unset CROSS_COMPILE + + tc-export AR CC CXX RANLIB RC + + use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } + + local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") + + local sslout=$(./gentoo.config) + einfo "Using configuration: ${sslout:-(openssl knows best)}" + local config="Configure" + [[ -z ${sslout} ]] && config="config" + + # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features + local myeconfargs=( + ${sslout} + + $(use cpu_flags_x86_sse2 || echo "no-sse2") + enable-camellia + enable-ec + enable-ec2m + enable-sm2 + enable-srp + $(use elibc_musl && echo "no-async") + $(use amd64 && echo "enable-ec_nistp_64_gcc_128") + enable-idea + enable-mdc2 + $(use fips && echo "enable-fips") + $(use_ssl asm) + $(use_ssl ktls) + $(use_ssl rfc3779) + $(use_ssl sctp) + $(use test || echo "no-tests") + $(use_ssl tls-compression zlib) + $(use_ssl weak-ssl-ciphers) + + --prefix="${EPREFIX}"/usr + --openssldir="${EPREFIX}"${SSL_CNF_DIR} + --libdir=$(get_libdir) + + shared + threads + ) + + CFLAGS= LDFLAGS= edo ./${config} "${myeconfargs[@]}" + + # Clean out hardcoded flags that openssl uses + local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \ + -e 's:^CFLAGS=::' \ + -e 's:\(^\| \)-fomit-frame-pointer::g' \ + -e 's:\(^\| \)-O[^ ]*::g' \ + -e 's:\(^\| \)-march=[^ ]*::g' \ + -e 's:\(^\| \)-mcpu=[^ ]*::g' \ + -e 's:\(^\| \)-m[^ ]*::g' \ + -e 's:^ *::' \ + -e 's: *$::' \ + -e 's: \+: :g' \ + -e 's:\\:\\\\:g' + ) + + # Now insert clean default flags with user flags + sed -i \ + -e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \ + -e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \ + Makefile \ + || die +} + +multilib_src_compile() { + # depend is needed to use $confopts; it also doesn't matter + # that it's -j1 as the code itself serializes subdirs + emake -j1 depend + + emake all +} + +multilib_src_test() { + # VFP = show subtests verbosely and show failed tests verbosely + # Normal V=1 would show everything verbosely but this slows things down. + emake HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test +} + +multilib_src_install() { + # We need to create ${ED}/usr on our own to avoid a race condition (bug #665130) + dodir /usr + + emake DESTDIR="${D}" install + + # This is crappy in that the static archives are still built even + # when USE=static-libs. But this is due to a failing in the openssl + # build system: the static archives are built as PIC all the time. + # Only way around this would be to manually configure+compile openssl + # twice; once with shared lib support enabled and once without. + if ! use static-libs ; then + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + fi +} + +multilib_src_install_all() { + # openssl installs perl version of c_rehash by default, but + # we provide a shell version via app-misc/c_rehash + rm "${ED}"/usr/bin/c_rehash || die + + dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el + + # Create the certs directory + keepdir ${SSL_CNF_DIR}/certs + + # Namespace openssl programs to prevent conflicts with other man pages + cd "${ED}"/usr/share/man || die + local m d s + for m in $(find . -type f | xargs grep -L '#include') ; do + d=${m%/*} + d=${d#./} + m=${m##*/} + + [[ ${m} == openssl.1* ]] && continue + + [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!" + + mv ${d}/{,ssl-}${m} || die + + # Fix up references to renamed man pages + sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die + ln -s ssl-${m} ${d}/openssl-${m} || die + + # Locate any symlinks that point to this man page + # We assume that any broken links are due to the above renaming + for s in $(find -L ${d} -type l) ; do + s=${s##*/} + + rm -f ${d}/${s} + + # We don't want to "|| die" here + ln -s ssl-${m} ${d}/ssl-${s} + ln -s ssl-${s} ${d}/openssl-${s} + done + done + [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :(" + + # bug #254521 + dodir /etc/sandbox.d + echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl + + diropts -m0700 + keepdir ${SSL_CNF_DIR}/private +} + +pkg_postinst() { + ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes (bug #333069)" + c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null + eend $? +} -- cgit v1.2.3-70-g09d2