diff --git a/changelog/security/2026-07-06-weekly-updates-security.md b/changelog/security/2026-07-06-weekly-updates-security.md new file mode 100644 index 00000000000..f209a455c9c --- /dev/null +++ b/changelog/security/2026-07-06-weekly-updates-security.md @@ -0,0 +1,3 @@ +- openssl ([CVE-2026-34180](https://www.cve.org/CVERecord?id=CVE-2026-34180), [CVE-2026-34181](https://www.cve.org/CVERecord?id=CVE-2026-34181), [CVE-2026-34182](https://www.cve.org/CVERecord?id=CVE-2026-34182), [CVE-2026-34183](https://www.cve.org/CVERecord?id=CVE-2026-34183), [CVE-2026-35188](https://www.cve.org/CVERecord?id=CVE-2026-35188), [CVE-2026-42764](https://www.cve.org/CVERecord?id=CVE-2026-42764), [CVE-2026-42765](https://www.cve.org/CVERecord?id=CVE-2026-42765), [CVE-2026-42766](https://www.cve.org/CVERecord?id=CVE-2026-42766), [CVE-2026-42767](https://www.cve.org/CVERecord?id=CVE-2026-42767), [CVE-2026-42768](https://www.cve.org/CVERecord?id=CVE-2026-42768), [CVE-2026-42769](https://www.cve.org/CVERecord?id=CVE-2026-42769), [CVE-2026-42770](https://www.cve.org/CVERecord?id=CVE-2026-42770), [CVE-2026-42771](https://www.cve.org/CVERecord?id=CVE-2026-42771), [CVE-2026-45445](https://www.cve.org/CVERecord?id=CVE-2026-45445), [CVE-2026-45446](https://www.cve.org/CVERecord?id=CVE-2026-45446), [CVE-2026-45447](https://www.cve.org/CVERecord?id=CVE-2026-45447), [CVE-2026-7383](https://www.cve.org/CVERecord?id=CVE-2026-7383), [CVE-2026-9076](https://www.cve.org/CVERecord?id=CVE-2026-9076)) +- containerd ([CVE-2026-47262](https://www.cve.org/CVERecord?id=CVE-2026-47262), [CVE-2026-50195](https://www.cve.org/CVERecord?id=CVE-2026-50195), [CVE-2026-53488](https://www.cve.org/CVERecord?id=CVE-2026-53488), [CVE-2026-53489](https://www.cve.org/CVERecord?id=CVE-2026-53489), [CVE-2026-53492](https://www.cve.org/CVERecord?id=CVE-2026-53492)) +- runc ([CVE-2026-41579](https://www.cve.org/CVERecord?id=CVE-2026-41579)) diff --git a/changelog/updates/2026-07-06-weekly-updates-security.md b/changelog/updates/2026-07-06-weekly-updates-security.md new file mode 100644 index 00000000000..0c24b66dae7 --- /dev/null +++ b/changelog/updates/2026-07-06-weekly-updates-security.md @@ -0,0 +1,3 @@ +- base, dev: openssl ([3.5.7](https://openssl-library.org/news/openssl-3.5-notes/)) +- sysext-containerd: containerd ([2.2.5](https://github.com/containerd/containerd/releases/tag/v2.2.5) (includes [2.2.4](https://github.com/containerd/containerd/releases/tag/v2.2.4), [2.2.3](https://github.com/containerd/containerd/releases/tag/v2.2.3))) +- sysext-containerd: runc ([1.4.3](https://github.com/opencontainers/runc/releases/tag/v1.4.3) (includes [1.4.2](https://github.com/opencontainers/runc/releases/tag/v1.4.2), [1.4.1](https://github.com/opencontainers/runc/releases/tag/v1.4.1))) diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest index 256ddb7b885..fd0574ac3b5 100644 --- a/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/Manifest @@ -10,3 +10,4 @@ DIST containerd-2.1.5.tar.gz 10622156 BLAKE2B b612e9606554d492f59d4665dcbd85b0fd DIST containerd-2.2.0.tar.gz 11475770 BLAKE2B 154d7d547d52925ff46431cea20db38dc72ec87ef90fd112472cb3ec7f2ebd8cfb121f98a3bc3870f8452473b35c3e1c84671b9fc31347f98259b34a70e740f9 SHA512 3121a1e0401e0283ff9d8454e945b427bcb0214e7e67271815117cb82dee1488c4d963c2193eb9c0ab5d395dd2e2705975ac31ce3e400264933d05d62fd0faac DIST containerd-2.2.1.tar.gz 11492859 BLAKE2B 5ee7a5388ec5a247a530be505068162318505741e77ab2a103ba8a33c3e76fbac55a64504429f9c636e41cb4826e1acc6b7f817398928a0d6b8ebd94797b8b7b SHA512 6bbfe356bdb0fd70c5b3ca0d932b790bb34b40832392e6a309a907351dc344e3b6059e2cd583145200aab218b4e8f5160d698f2b3a84d05bbf834d023eea4bd3 DIST containerd-2.2.2.tar.gz 11531809 BLAKE2B 6605d5d2de275c9485dd92d4e56fc87853a4fe45cdc78e0a5f7d5178525f6e6925ea765e29bf3a4891dc318062a7577c7628fd63df451a2ba404852e0b5f0224 SHA512 4471047360cd1430a189829a74d605dbe89abe092f0e0ba53ad5954269f253c7c277b8097c5d12acb9e0592a39e50e1808c92e73596e3d2d97cf945f15063ca0 +DIST containerd-2.2.5.tar.gz 10922595 BLAKE2B 2f6a4653d3b5dcb7a82e9255e7557d5e92c1c65f344abce4fe44bebde2727cc6a414be235e9cdcebaca1660326dfa249cf3f559505e3c7529bf463199a0e3f4c SHA512 5d658c8daa48e3b5369995847d15e3dae4367e7221a5a34115bb74723707053378a2d489b29e6f2742e04bdfc2362c02df34fcb403fc0adb144e19bd352d7741 diff --git a/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.2.5.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.2.5.ebuild new file mode 100644 index 00000000000..030d1231a94 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/containerd/containerd-2.2.5.ebuild @@ -0,0 +1,82 @@ +# Copyright 2022-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-env go-module systemd toolchain-funcs + +GIT_REVISION=e53c7c1516c3b2bff98eb76f1f4117477e6f4e66 + +DESCRIPTION="A daemon to control runC" +HOMEPAGE="https://containerd.io/" +SRC_URI="https://github.com/containerd/containerd/archive/v${PV}.tar.gz -> ${P}.tar.gz" + +LICENSE="Apache-2.0" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +IUSE="apparmor btrfs device-mapper +cri +seccomp selinux test" +# tests require root or docker +RESTRICT="test" + +DEPEND=" + btrfs? ( sys-fs/btrfs-progs ) + seccomp? ( sys-libs/libseccomp ) +" +# recommended minimum version of runc is found in script/setup/runc-version +RDEPEND="${DEPEND} + >=app-containers/runc-1.3.6[apparmor?,seccomp?] +" +BDEPEND=" + selinux? ( sec-policy/selinux-docker ) + dev-go/go-md2man + virtual/pkgconfig +" + +src_prepare() { + default + sed -i \ + -e "s/-s -w//" \ + Makefile || die + sed -i \ + -e "s:/usr/local:/usr:" \ + containerd.service || die +} + +src_compile() { + local options=( + $(usev apparmor) + $(usex btrfs "" "no_btrfs") + $(usex cri "" "no_cri") + $(usex device-mapper "" "no_devmapper") + $(usev seccomp) + $(usev selinux) + ) + + local myemakeargs=( + BUILDTAGS="${options[*]}" + REVISION="${GIT_REVISION}" + VERSION=v${PV} + ) + + emake "${myemakeargs[@]}" all + + # race condition in man target https://bugs.gentoo.org/765100 + tc-env_build go-env_run emake "${myemakeargs[@]}" man -j1 #nowarn +} + +src_install() { + rm bin/gen-manpages || die + dobin bin/* + doman man/* + newconfd "${FILESDIR}"/${PN}.confd "${PN}" + newinitd "${FILESDIR}"/${PN}.initd "${PN}" + systemd_dounit containerd.service + keepdir /var/lib/containerd + + # we already installed manpages, remove markdown source + # before installing docs directory + rm -r docs/man || die + + local DOCS=( ADOPTERS.md README.md RELEASES.md ROADMAP.md SCOPE.md docs/. ) + einstalldocs +} diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest index 1ad0600db8b..99087754647 100644 --- a/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/Manifest @@ -1,3 +1,5 @@ DIST runc-1.2.8.tar.gz 2834651 BLAKE2B 5f76e40ee8bda4668758dce318625af1dbb13c0d33a17c9c872bc68aefd6311cac570ed934a69b92b4a327c6084ff6d6d55f8914b105513f9484bbc903107a4d SHA512 8d29a2ca179320f9a01c37383506f10aea1764e18b3321c507787556e3a531e23221f8369696d8caaf30124a523a68d0ad3609bae5ab06aa6c519e644d54d4ef DIST runc-1.3.3.tar.gz 2929410 BLAKE2B 1feddc154836eff606a685a0c0d606c1bbcd5a1a1ec8a288233581a88e0b3b6a95f446125688a8dca5efd5a275bf22931553cb9ab894f6aa0826d5a1274b6f91 SHA512 9ce0af1b79163c44913979c0483322247b154109871a113726163f64c6354141e7cefb5fb6e1225eaa4bb48a1e33ba9a6049cb45cb2af8793134647dad18c8dc DIST runc-1.4.0.tar.gz 2958986 BLAKE2B 9a363986a05c2c19646373373b94944642bf9f74a2a9f10d201baff7d76d54e39e273d6ceb9f94449926246ec22c2b863812ca1e4e8910cb166294b7ea7c4068 SHA512 a5b52d8494a4210d9ff4caefd0513b94b80ef9dd16c6eb369761cde2fce30214f765eee01c3cbb2e0cfd933371362fd89b08656b434d76038ffe1f8a59dea215 +DIST runc-1.4.2.tar.gz 2961237 BLAKE2B 440771f2cf21ba47c3a6c368179bb28bb50b794913e9ad1a6f8ffc3f06bcdf2d99a000ce261b0ea70bf3a2f998acd2f6ff7770ebc17915501f63b46f08c1f77c SHA512 93bd1d6641b55afa7fa415d26fd898371c63f3caae353c6bea7318eeac49835a29df0331f62d54bf2ab1a640105c541c7eb04c32bc3d1006df53d857d113775e +DIST runc-1.4.3.tar.gz 2962885 BLAKE2B d5e9ac412e94cf5465de59375d5c582b9d6e19366af641d1ea3e1aa2c962f7fbd93a6910ea44d148fde5378061b64797449661def2be101cc0509441428a0692 SHA512 a4c5310f0b44603af330a75b254f13df59d5319e570aa51eedbcab24854f229e65fe3be291e93e87286e646e360b15fa46db9fe6394b6c879cbd7c5984b5c424 diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.2.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.2.ebuild new file mode 100644 index 00000000000..91247b87fcd --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.2.ebuild @@ -0,0 +1,154 @@ +# Copyright 1999-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-module linux-info + +# update on bump, look for commit ID on release tag. +# https://github.com/opencontainers/runc +RUNC_COMMIT=c241c0bb5e60a8e8c1b2e53d4eca8d0068d8d57e + +CONFIG_CHECK="~USER_NS" + +DESCRIPTION="runc container cli tools" +HOMEPAGE="https://github.com/opencontainers/runc/" +MY_PV="${PV/_/-}" +SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/${PN}-${MY_PV}" + +LICENSE="Apache-2.0 BSD-2 BSD MIT" +SLOT="0" +KEYWORDS="amd64 ~arm arm64 ppc64 ~riscv ~x86" +IUSE="apparmor +kmem +seccomp selinux test" + +COMMON_DEPEND=" + apparmor? ( sys-libs/libapparmor ) + seccomp? ( sys-libs/libseccomp )" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND} + !app-emulation/docker-runc + selinux? ( sec-policy/selinux-container )" +BDEPEND=" + dev-go/go-md2man + test? ( "${RDEPEND}" )" + +# tests need busybox binary, and portage namespace +# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox +# majority of tests pass +RESTRICT+=" test" + +# Please refer: +# https://github.com/opencontainers/runc/blob/main/script/check-config.sh +pkg_setup() { + CONFIG_CHECK=" + ~NAMESPACES + ~NET_NS + ~PID_NS + ~IPC_NS + ~UTS_NS + ~CGROUPS + ~CGROUP_CPUACCT + ~CGROUP_DEVICE + ~CGROUP_FREEZER + ~CGROUP_SCHED + ~CPUSETS + ~MEMCG + ~KEYS + ~VETH + ~BRIDGE + ~BRIDGE_NETFILTER + ~IP_NF_FILTER + ~IP_NF_TARGET_MASQUERADE + ~NETFILTER_XT_MATCH_ADDRTYPE + ~NETFILTER_XT_MATCH_COMMENT + ~NETFILTER_XT_MATCH_CONNTRACK + ~NETFILTER_XT_MATCH_IPVS + ~IP_NF_NAT + ~NF_NAT + ~POSIX_MQUEUE + ~OVERLAY_FS + " + + CONFIG_CHECK+=" + ~USER_NS + " + + use seccomp && CONFIG_CHECK+=" + ~SECCOMP + ~SECCOMP_FILTER + " + WARNING_SECCOMP="CONFIG_SECCOMP is required as optional feature" + + CONFIG_CHECK+=" + ~CGROUP_PIDS + " + WARNING_CGROUP_PIDS="CONFIG_CGROUP_PIDS is required as optional feature" + + if kernel_is lt 6 1; then + CONFIG_CHECK+=" + ~MEMCG_SWAP + " + fi + + CONFIG_CHECK+=" + ~BLK_CGROUP + ~BLK_DEV_THROTTLING + ~CGROUP_PERF + ~CGROUP_HUGETLB + ~NET_CLS_CGROUP + ~CFS_BANDWIDTH + ~FAIR_GROUP_SCHED + ~RT_GROUP_SCHED + ~IP_NF_TARGET_REDIRECT + ~IP_VS + ~IP_VS_NFCT + ~IP_VS_PROTO_TCP + ~IP_VS_PROTO_UDP + ~IP_VS_RR + ~CHECKPOINT_RESTORE + ~CGROUP_NET_PRIO + " + + use selinux && CONFIG_CHECK+=" + ~SECURITY_SELINUX" + + use apparmor && CONFIG_CHECK+=" + ~SECURITY_APPARMOR" + + if [[ -n ${CONFIG_CHECK} ]]; then + linux-info_pkg_setup + fi +} + +src_compile() { + # build up optional flags + local options=( + $(usev apparmor) + $(usev seccomp) + $(usex kmem '' 'nokmem') + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + COMMIT="${RUNC_COMMIT}" + ) + + emake "${myemakeargs[@]}" runc man +} + +src_install() { + myemakeargs+=( + PREFIX="${ED}/usr" + BINDIR="${ED}/usr/bin" + MANDIR="${ED}/usr/share/man" + ) + emake "${myemakeargs[@]}" install install-man install-bash + + local DOCS=( README.md PRINCIPLES.md docs/. ) + einstalldocs +} + +src_test() { + emake "${myemakeargs[@]}" localunittest +} diff --git a/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.3.ebuild b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.3.ebuild new file mode 100644 index 00000000000..5d640bb0897 --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/app-containers/runc/runc-1.4.3.ebuild @@ -0,0 +1,152 @@ +# Copyright 1999-2026 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +inherit go-module linux-info + +# update on bump, look for commit ID on release tag. +# https://github.com/opencontainers/runc +RUNC_COMMIT=bb14dabeb7185bb72c8c86735d090dcb20f36587 + +DESCRIPTION="CLI tool for spawning and running containers" +HOMEPAGE="https://github.com/opencontainers/runc/" +MY_PV="${PV/_/-}" +SRC_URI="https://github.com/opencontainers/${PN}/archive/v${MY_PV}.tar.gz -> ${P}.tar.gz" +S="${WORKDIR}/${PN}-${MY_PV}" + +LICENSE="Apache-2.0 BSD-2 BSD MIT" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86" +IUSE="apparmor +seccomp selinux test" + +COMMON_DEPEND=" + seccomp? ( sys-libs/libseccomp )" +DEPEND="${COMMON_DEPEND}" +RDEPEND="${COMMON_DEPEND} + !app-emulation/docker-runc + apparmor? ( sys-libs/libapparmor ) + selinux? ( sec-policy/selinux-container )" +BDEPEND=" + dev-go/go-md2man + test? ( ${RDEPEND} )" + +# tests need busybox binary, and portage namespace +# sandboxing disabled: mount-sandbox pid-sandbox ipc-sandbox +# majority of tests pass +RESTRICT="test" + +# Please refer: +# https://github.com/opencontainers/runc/blob/main/script/check-config.sh +pkg_setup() { + CONFIG_CHECK=" + ~NAMESPACES + ~NET_NS + ~PID_NS + ~IPC_NS + ~UTS_NS + ~CGROUPS + ~CGROUP_CPUACCT + ~CGROUP_DEVICE + ~CGROUP_FREEZER + ~CGROUP_SCHED + ~CPUSETS + ~MEMCG + ~KEYS + ~VETH + ~BRIDGE + ~BRIDGE_NETFILTER + ~IP_NF_FILTER + ~IP_NF_TARGET_MASQUERADE + ~NETFILTER_XT_MATCH_ADDRTYPE + ~NETFILTER_XT_MATCH_COMMENT + ~NETFILTER_XT_MATCH_CONNTRACK + ~NETFILTER_XT_MATCH_IPVS + ~IP_NF_NAT + ~NF_NAT + ~POSIX_MQUEUE + ~OVERLAY_FS + ~CGROUP_BPF + " + + CONFIG_CHECK+=" + ~USER_NS + " + + use seccomp && CONFIG_CHECK+=" + ~SECCOMP + ~SECCOMP_FILTER + " + WARNING_SECCOMP="CONFIG_SECCOMP is required as optional feature" + + CONFIG_CHECK+=" + ~CGROUP_PIDS + " + WARNING_CGROUP_PIDS="CONFIG_CGROUP_PIDS is required as optional feature" + + if kernel_is lt 6 1; then + CONFIG_CHECK+=" + ~MEMCG_SWAP + " + fi + + CONFIG_CHECK+=" + ~BLK_CGROUP_IOCOST + ~BLK_CGROUP + ~BLK_DEV_THROTTLING + ~CGROUP_PERF + ~CGROUP_HUGETLB + ~NET_CLS_CGROUP + ~CGROUP_NET_PRIO + ~CFS_BANDWIDTH + ~FAIR_GROUP_SCHED + ~RT_GROUP_SCHED + ~IP_NF_TARGET_REDIRECT + ~IP_VS + ~IP_VS_NFCT + ~IP_VS_PROTO_TCP + ~IP_VS_PROTO_UDP + ~IP_VS_RR + ~CHECKPOINT_RESTORE + " + + use selinux && CONFIG_CHECK+=" + ~SECURITY_SELINUX" + + use apparmor && CONFIG_CHECK+=" + ~SECURITY_APPARMOR" + + if [[ -n ${CONFIG_CHECK} ]]; then + linux-info_pkg_setup + fi +} + +src_compile() { + # build up optional flags + local options=( + $(usev seccomp) + ) + + myemakeargs=( + BUILDTAGS="${options[*]}" + COMMIT="${RUNC_COMMIT}" + ) + + emake "${myemakeargs[@]}" runc man +} + +src_install() { + myemakeargs+=( + PREFIX="${ED}/usr" + BINDIR="${ED}/usr/bin" + MANDIR="${ED}/usr/share/man" + ) + emake "${myemakeargs[@]}" install install-man install-bash + + local DOCS=( README.md PRINCIPLES.md docs/. ) + einstalldocs +} + +src_test() { + emake "${myemakeargs[@]}" localunittest +} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest index deee34b7350..6425babbb5e 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/Manifest @@ -1,20 +1,20 @@ -DIST openssl-3.0.19.tar.gz 15280904 BLAKE2B 0d21fd9037b87c5d22c75e2201208394fa7d6a37ed7a44cc6ae760ab95ff6743a00d26b90141871ba5bd76a56500142df33d04219379e51b6f74e411e9d2b3af SHA512 6e602ac7217e1b4423793ee5c4c10745f70fcde3f9820d6c894ebeedb4f29566e2d0c3c590ae210484dcea4eb53db5bb8dbbfee14bbaca3e147406b1343c3cd7 -DIST openssl-3.0.19.tar.gz.asc 833 BLAKE2B f5ed372d80afc3fde1c4298166fabb512bb0f350725497d98a83575b98b049dd8ec3dc169043b11f9135702d37d762bb24afd98eab75d5a42b6554bec2064c8f SHA512 3ae5adb82d071658c3a839d7713c7d4fd09b13dc36860327d0347ca94cb0c712081f03d3e8251af2297b7d1792345a078e18ffa8b92e5f90fe6d5370152813e8 DIST openssl-3.0.20.tar.gz 15292815 BLAKE2B 10681682203f0d734e624c93c67c5d399941385d2874bb980012d79b63d9b165b0f5405f27cc99be3571584c4957ef3d108bfe4187ddd9bc3b794179a5c6be76 SHA512 3583a44bf9dec4deeade371d6861ce799821a85b32a4d9a8fcae253d78df8f93025ed73fb8efcaf23cc305b11d5aec439852444b3207d211f55660d1f89f5c9c DIST openssl-3.0.20.tar.gz.asc 833 BLAKE2B 6efee85870e0d8d1d9b36ef90975d0ee9810a26abc881b0a881274952931685f4edc37d61e454fe4d7e4ec5202df0aa23e31644620d2ae5f57d894d71b66c53e SHA512 e132722e7ec7f96f1ca8f21e05e48cce07cd4d801746d5ad21d8f6be9df4c49aa6c8183b87bd1fc1cbb83a481c57c8425eeb19b2bc9c2e28983c57bac181d89e -DIST openssl-3.3.6.tar.gz 18035615 BLAKE2B 3cc0b33885449192863edc4600d144a98903d2c323f4a6f11e2aba8e6dfa5fa45a9d025d5de60c0511972cb42de9ef7fc81073d8abc5d1d2886b660089b9aaf5 SHA512 3c0840420f30f74404446a9d9fe9ee48222e867190ddc9e51e1c0f1f45c3c0caad6cb41068f65adc2be2aa5e0b8447c42ee821dd28e2ec60140cf004dc3493c1 -DIST openssl-3.3.6.tar.gz.asc 833 BLAKE2B 93ea9f040912defd9a228309ce110b1dc535e219223afb0299eacbabb17c333bc282a7656bd870f3d01aa69856c409908d3d0610e541a56d919b1f204bd0b571 SHA512 90f7a392b1348f74e3617212fbad8974d92b8d48832a8d5c338ad792ae25a067ae102475ba935cd41d1a5d89e80458a5f05ef921e942279149d8534bf9ac01e6 -DIST openssl-3.3.7.tar.gz 18047292 BLAKE2B ef0b772e34265bb11617d0b2ccf4e67e5795fc5b663d321fcb015fac619fbcedbc4bd139f6ae588782831f37653bfa3e1cf2f15c4f98b6bdd57fdb24a077ec63 SHA512 ff7976bfc5549f7f0d80cc55b4e1e9abaeb0f931028e47660e9738168b399d838354b2ca67338e2fd5443f3eb06912ea64cb1de0ab98bd04cfe3cc252d7b7f8d -DIST openssl-3.3.7.tar.gz.asc 833 BLAKE2B 8b38cc04eac3dad814ca5b8bb5e775a5285c44a9c46cc3e5f0b97fb684390a3c717b8964e28bd4fce69e73af48732860d9b6cb94f676168875fc01a9965dcda3 SHA512 9e5830b8d5c9341c88631dbeb549e30d11abaf99a5045830c5a4fc6c87c16f5931983db105e67cb5a4654f9e9e62c80031d7715e7da688c3686141ac73aa6f1f -DIST openssl-3.4.4.tar.gz 18278255 BLAKE2B 022d97f839120bdb21a8fa011b42cd1e0f732253f4b7e02172a8cfb5f6a60c855500ce542d49e256ff3cb6428a929487e921ee4834f74dd57d10165ec44924ab SHA512 2f75b045f0dddd2421ecd7b1817a4e5a7608293e797135eb945573d1115b2d89f0fd3706ee5e02c7de2e50b3bfc59ac73014e2cb6270ff6b9e1515691347dbb2 -DIST openssl-3.4.4.tar.gz.asc 833 BLAKE2B c8c4e9338e5e6f4630701e894e551bd0606401462762755832e607d3145688624b61beba0c6128f6fbc632d50b8eac13da7c4530300e5579527ad4523251f521 SHA512 a599e8d77426de126a6358d159b46ab9d301962016fa85219f0294e6eb667733436ceeccb0de6017adb71c1b9cd52a496882919e9edd65e749a8ae95d5143cb4 +DIST openssl-3.0.21.tar.gz 15309723 BLAKE2B 170cff38638c51c6f6d3fff517a49286796639197cc6b57952d19f2149385b5f71e6a6f30dae7e6a0e3c138e9a5b2d2c0cdfa2be2e5f7a402eac8f93674e83b0 SHA512 9be1c8c11a2d55417bb177804d1b5369aa54a9dcd2e136929509457d549697407ae9611079e94c61b58a95be598ce35b94edb336e050d1019e7269f4d2f52cda +DIST openssl-3.0.21.tar.gz.asc 833 BLAKE2B d300bfdb02fb72aefa909bdc5c79dfaa51d775bf322e4711e18f8cbdb3e8e8d4efca6ae923c94e10fad4c575451168137dc29990003535092ddc58732e3edfcb SHA512 58a051099f4660cb244715c0b09cdf283247b13f03be6eb67993678db7e50169348e6d2d11e70f999e36dbb72f9432c6e10d4fdaba360e5f05a708e6c81acf30 DIST openssl-3.4.5.tar.gz 18295030 BLAKE2B 8447ea0b861e068463ef5127e158dceab1dfd6516861211e2b4e636f8114887034f2d86c55b41a6aa221ba5d377e0ffdbf9e533e2d8efc7101a5e6cc8c96ab70 SHA512 dd6006d5733f8d28b8bed2027e9ebd4afb071ed50d6fffea12127873ba26a3b1550f8225b5b8d59896db975985586c96d3425ef651d8382798981d07fd873532 DIST openssl-3.4.5.tar.gz.asc 833 BLAKE2B 463903df98db3deda9d1da0f02375ac9492f39a9e5bd50fbdd95837022d5cbf874aaa8f39f01449e059e6668a79c1c92e0020af3b88c9a70cb2b4fc5695d82cc SHA512 0eaa5bc2aa068fdaa591c4495ed55237c71c4b8d4b079820e1c3377b09d19955917fcdd9f4e9994ccdae9905158381c4869a396f3729ad54d5ac64a4b87980ab -DIST openssl-3.5.5.tar.gz 53104821 BLAKE2B 5fe5f7e768ade2dcffdd90841875de3e3a463aac979d57462fa5c69ec5e7288063dfc35cd6b049db007cff9135089fa05956f715476e12efc58a7d6969f6d29a SHA512 7cf0eb91bac175f7fe0adcafef457790d43fe7f98e2d4bef681c2fd5ca365e1fa5b562c645a60ab602365adedf9d91c074624eea66d3d7e155639fc50d5861ec -DIST openssl-3.5.5.tar.gz.asc 833 BLAKE2B 122e9abcadb8559ef42dda7cc985c1457852243f8e8fb12e9a1d3b824853a56f311726252c6b1cfde47c3d5500bf36c18d8f7f19c42582c8f40d974dac22011f SHA512 82645f4fb427467b1e52f096ef6c6ccbdaa5aefcd28c8d3149a92f7c7711d0936e1e097f4168db6196809c19f83c1b85068d327cc1f0c5ad9f33d9d3686003d7 +DIST openssl-3.4.6.tar.gz 18319647 BLAKE2B dd688583a38191097f1b8f4d5de25d271eac424aafcb4a417c3bdd826a83b4028540d0d9764b3861782d728bc07c07668b4365e15a37a367ce99abb43fb6ea96 SHA512 f119e8e06a4bdcb577db6b21fa9e1a4fbbb29177585331e754b8cee6c003e7c64e0e41b988597fceae70604bcfe2ce2eaf921af914188d57ded808c72f8274b2 +DIST openssl-3.4.6.tar.gz.asc 833 BLAKE2B e32d5164014835c6316028104298fd5e1c078a8aa62418974954bfbd5401a617a4f8d4c20893496f2e4db61d75e1ef6e451e0f199f18e019b8f7f53f271cc08b SHA512 4a4e97e68f9bbb50ee330d9ba24da8af4b840694352dc9e292d828f454f40555cb5e497f132add0d074d0f4397142519f687324f57e038e70d27c8e3590320d8 DIST openssl-3.5.6.tar.gz 53121812 BLAKE2B 07b86010043aeb09c796162ff85e602e53f3e9b03277d269c534716d7e645de1bda336c07282dcf1286f3cce9dfc54a17b48b68c3e388f27ad709177b5d5d225 SHA512 7e48989c01751104e1c94fde05726c0d6d7cb0dd4f3d045e0e8f36b1d330a2557665970c44ec9aae86f5f7420315326022249247cd6845e6d598134aa74ac33c DIST openssl-3.5.6.tar.gz.asc 833 BLAKE2B fa7ea81667830959a5221fb683ba131bc7d3e3e24af1a9ca78cd5cbf1e66cb40754980c2fb47f45852cdff4fe317b0273af866a311d5150457824c73052407b2 SHA512 426c9d855fe735b39a7cfb7508ae5676869a79f02de306b349199ef9d437b7316c40beb090f45258d6e1517b8689a3977611704ffd26f853f22cae70ed832b7a +DIST openssl-3.5.7.tar.gz 53153930 BLAKE2B e19d7e40e9aaed0e4b4a405866ac56f37a03dc5c57cf1a2452ca547a5a9cab7771254d6ab8ce7df36b20d8145ba435aa5158c80be97d3887b3ef51db3cdd7428 SHA512 de5351d2d532e1a3908a738f7d8aae448d32bc60bdb24808c556a24bc37a3f53daedf12b5d432eeb8c235e16939d842f908332ede8a447ca103ad1c493c820d7 +DIST openssl-3.5.7.tar.gz.asc 833 BLAKE2B 3e6926602fbb473f3bbe64a33c721510bd2a48905efb273f79b6770eecf0d30d43888716c6fa582459df2aae8c57f8528fe5df6bd713381eda56982666d7c8d3 SHA512 294e29a2c3a54e5882b0bedb25fd6692f5fcf85a07da818ccebbf3e3704d596193591215df3bb8506d2d434a56b9f01cbc3c71152ae32c5e1a11a545bd239a0b DIST openssl-3.6.2.tar.gz 54913556 BLAKE2B 21a23c53d16e9fbfb4c6d606d6056e7bb72e15c964c43a7f02837d805584bc34917fb2527cbc7fa75de63f3b5f840c693e7b43ac95e4bf9c10dce27f130bf69f SHA512 46549ed4d6b0160adfa3e1406bc16f3083a7f3c85bdda289c1dbebd0db91433c39855dae765787ec68157faffba4cdb05a0600af4652e3e35da939e0bad8ef1e DIST openssl-3.6.2.tar.gz.asc 833 BLAKE2B 089164a42cdbb22d688ab314fae83d3fa16fb8d0c206ce8d0fe82a670b6e5fb0859e8842d0c0f75184d8e7022086aa05feeb5193e720ef58c18c7d303a6ec157 SHA512 bc1710380b80e0b9d35fe706604357c1f801d0b6ab1481b53061e21d6f55904fe8961ec10ead5c454dc637c88586f3093df71d2210b960d65c112466422d51ff +DIST openssl-3.6.3.tar.gz 54953005 BLAKE2B 12dcbd977c3ccbeefd0310c23a8398d91395896b0d23e3e630d1318e96d650ee7dadd91c8ea1876458076b2d19d1fa72c70ae76669ce97d315aa813a0b826745 SHA512 4179ad56f285fd27a1c7b294472afdca588e915d4f8a9610e461f34f0678004aebe32e88434ae536a63a7c9aff6607702a3b341e2faacb7899c27d6def4cc92d +DIST openssl-3.6.3.tar.gz.asc 833 BLAKE2B c7f00b3fcfe52b29a0a734179b1440b91ebabe1a293494b377399c5681ee95f11fcc9beb43615b98995cec7459def88a51a62f7aa782e1fe69fa972f30a1d88d SHA512 a7ad2a5da941b8a5ab0bb6d22848aa0573604f115510c758b7dd127decf3c2473974e12bda1887a70fbff478a43375d567252492452eb57adea5e659d730bded DIST openssl-4.0.0.tar.gz 55046677 BLAKE2B bea6e52456df3d6881dd9e800113886af64168eaa92a69cec95fb6e1cebfb675581fc75f0918aa6aa6654a36043444326da080db58781fe073ea0d0911e81982 SHA512 46d456fae5358c566f860ab873533e84edb3f0757cb0697ee8768fdb2fca2cb4770849014444c56d0c8690730d2fc9476127240eb6a53fd17c58b3be6433dc10 DIST openssl-4.0.0.tar.gz.asc 833 BLAKE2B c128958a9b47e9c061cc34ca6cca4d48def528005d796336e01f89e4344bff21ee772f332ed2a65697b0344fed7e1d1309069f4c186bb7cdac9cd7e09446cd6f SHA512 8609e8a9def07853d3054a4730ffee088512dd7aaf994d9df674818ec7cd519b20eecce6cfcb613d5da9d3d35e27839fbcec9772f7e734217f1463a42e5c95a1 +DIST openssl-4.0.1.tar.gz 55079428 BLAKE2B 8c5e1d97165d8e74f6ab41adf75c8f1a60a38b511163d0cdd054b27280538681d308385ce9a6fe2230aed7e412436419f864876e57538738e13eed77d520d5cd SHA512 84104cbd928a3fbcb9a90c567fa37f927b974d4744b8cd774641e0d07db065d1564fa4c3df4c26818f3c6e726ca71b3aae72109d10482bba3396949886fc8892 +DIST openssl-4.0.1.tar.gz.asc 833 BLAKE2B 8d4d3bc5ccd92c6374daf6a52b9b2c70414785c627c9853f8282e44800fcf2e955166e825843ab16a511f6606b57aea4caef8b88767c0e1cf0f76282af4a6529 SHA512 1f6f35c4c9219cf11f81f0eb7bf1558778cd38ef5eb0121e6806ca069efe0b21824e85cbc630331e1979ddde18af5630a05e8bc0340e87100f0062650cebbc59 diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch deleted file mode 100644 index d6ccff0e437..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.3.2-silence-warning.patch +++ /dev/null @@ -1,34 +0,0 @@ -https://bugs.gentoo.org/946621 - -commit 1d2cbd9b5a126189d5e9bc78a3bdb9709427d02b -Author: Bhaskar Metiya -Date: Wed Aug 14 12:57:14 2024 +0530 - - apps/req.c: No warning reading from stdin if redirected - - CLA: trivial - - Reviewed-by: Matt Caswell - Reviewed-by: Tomas Mraz - Reviewed-by: Richard Levitte - (Merged from https://github.com/openssl/openssl/pull/25179) - ---- a/apps/req.c -+++ b/apps/req.c -@@ -30,6 +30,7 @@ - #ifndef OPENSSL_NO_DSA - # include - #endif -+#include "internal/e_os.h" /* For isatty() */ - - #define BITS "default_bits" - #define KEYFILE "default_keyfile" -@@ -516,7 +517,7 @@ int req_main(int argc, char **argv) - if (infile == NULL) { - if (gen_x509) - newreq = 1; -- else if (!newreq) -+ else if (!newreq && isatty(fileno_stdin())) - BIO_printf(bio_err, - "Warning: Will read cert request from stdin since no -in option is given\n"); - } diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64-be.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64-be.patch deleted file mode 100644 index fa28166a460..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64-be.patch +++ /dev/null @@ -1,45 +0,0 @@ -https://github.com/openssl/openssl/issues/29845 -https://github.com/openssl/openssl/commit/b02b04fbad809c82efbf1e3274e6a22caf997b8d - -From b02b04fbad809c82efbf1e3274e6a22caf997b8d Mon Sep 17 00:00:00 2001 -From: Neil Horman -Date: Mon, 9 Feb 2026 12:55:50 -0500 -Subject: [PATCH] don't use asm accelerated path on big endian power9 - -https://github.com/openssl/openssl/issues/29845 - -Found that our hardware accelerated path doesn't work on big endian -systems, so make sure that we only use it when little endian is defined - -We also noted that PPC_AES_GCM_CAPABLE gets defined to zero when the -capabilities register notes that the hardware isn't capable of the -needed instructions, but that still includes the asm path as -PPC_AES_GCM_CAPABLE is still defined. - -Fix both issues - -Fixes #29845 - -Reviewed-by: Tomas Mraz -Reviewed-by: Tom Cosgrove -MergeDate: Tue Feb 17 14:11:46 2026 -(Merged from https://github.com/openssl/openssl/pull/29968) ---- - include/crypto/aes_platform.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h -index 496b08f46d5ce..95d13d22e191b 100644 ---- a/include/crypto/aes_platform.h -+++ b/include/crypto/aes_platform.h -@@ -77,7 +77,9 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len, - #define HWAES_xts_decrypt aes_p8_xts_decrypt - #endif /* OPENSSL_SYS_MACOSX */ - #if !defined(OPENSSL_SYS_AIX) && !defined(OPENSSL_SYS_MACOSX) -+#if defined(__BYTE_ORDER__) && __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ - #define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300) -+#endif - #define AES_GCM_ENC_BYTES 128 - #define AES_GCM_DEC_BYTES 128 - size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, - diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64.patch deleted file mode 100644 index 2d4e7a13341..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-3.5.5-ppc64.patch +++ /dev/null @@ -1,45 +0,0 @@ -https://bugs.gentoo.org/969389 -https://github.com/openssl/openssl/issues/29815 ---- a/crypto/modes/asm/aes-gcm-ppc.pl -+++ b/crypto/modes/asm/aes-gcm-ppc.pl -@@ -409,7 +409,6 @@ - ################################################################################ - .align 4 - aes_gcm_crypt_1x: --.localentry aes_gcm_crypt_1x,0 - - cmpdi 5, 16 - bge __More_1x -@@ -492,7 +491,6 @@ - ################################################################################ - .align 4 - __Process_partial: --.localentry __Process_partial,0 - - # create partial mask - vspltisb 16, -1 -@@ -564,7 +562,6 @@ - .global ppc_aes_gcm_encrypt - .align 5 - ppc_aes_gcm_encrypt: --.localentry ppc_aes_gcm_encrypt,0 - - SAVE_REGS - LOAD_HASH_TABLE -@@ -752,7 +749,6 @@ - .global ppc_aes_gcm_decrypt - .align 5 - ppc_aes_gcm_decrypt: --.localentry ppc_aes_gcm_decrypt, 0 - - SAVE_REGS - LOAD_HASH_TABLE -@@ -1032,7 +1028,6 @@ - .size ppc_aes_gcm_decrypt,.-ppc_aes_gcm_decrypt - - aes_gcm_out: --.localentry aes_gcm_out,0 - - mr 3, 11 # return count - - diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-4.0.1-x86-avx2.patch b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-4.0.1-x86-avx2.patch new file mode 100644 index 00000000000..51b65e42e8d --- /dev/null +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/files/openssl-4.0.1-x86-avx2.patch @@ -0,0 +1,22 @@ +https://bugs.gentoo.org/972756 +https://github.com/openssl/openssl/issues/31199 +--- a/crypto/evp/encode.c ++++ b/crypto/evp/encode.c +@@ -175,7 +175,7 @@ int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, + j = evp_encodeblock_int(ctx, out, in, inl - (inl % EVP_ENCODE_B64_LENGTH), + &wrap_cnt); + } else { +-#if defined(__AVX2__) && defined(HAVE_AVX2_INTRINSICS) ++#if defined(__AVX2__) && defined(HAVE_AVX2_INTRINSICS) && (defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)) + const int newlines = !(ctx->flags & EVP_ENCODE_CTX_NO_NEWLINES) ? EVP_ENCODE_B64_LENGTH : 0; + + j = encode_base64_avx2(ctx, +@@ -243,7 +243,7 @@ int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen) + { + int wrap_cnt = 0; + +-#if defined(__AVX2__) && defined(HAVE_AVX2_INTRINSICS) ++#if defined(__AVX2__) && defined(HAVE_AVX2_INTRINSICS) && (defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64)) + return (int)encode_base64_avx2(NULL, t, f, dlen, 0, &wrap_cnt); + #elif defined(HAS_IA32CAP_IS_64) && defined(HAVE_AVX2_INTRINSICS) + if ((OPENSSL_ia32cap_P[2] & (1u << 5)) != 0) diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.19.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.21.ebuild similarity index 99% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.19.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.21.ebuild index 5a790b1794a..1a60dd8607f 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.19.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.21.ebuild @@ -30,7 +30,7 @@ else KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild index 65cd17e6318..0366220a612 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.0.9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -30,7 +30,7 @@ else KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.7.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.7.ebuild deleted file mode 100644 index 37c84927c78..00000000000 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.7.ebuild +++ /dev/null @@ -1,301 +0,0 @@ -# Copyright 1999-2026 Gentoo Authors -# Distributed under the terms of the GNU General Public License v2 - -EAPI=8 - -VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs - -DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" -HOMEPAGE="https://openssl-library.org/" - -MY_P=${P/_/-} - -if [[ ${PV} == *9999 ]] ; then - [[ ${PV} == *.*.9999 ]] && EGIT_BRANCH="openssl-${PV%%.9999}" - EGIT_REPO_URI="https://github.com/openssl/openssl.git" - - inherit git-r3 -else - inherit verify-sig - SRC_URI=" - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz - verify-sig? ( - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc - ) - " - - if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" - fi - - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" -fi - -S="${WORKDIR}"/${MY_P} - -LICENSE="Apache-2.0" -SLOT="0/$(ver_cut 1)" # .so version of libssl/libcrypto -IUSE="+asm cpu_flags_x86_sse2 fips ktls +quic rfc3779 sctp static-libs test tls-compression vanilla weak-ssl-ciphers" -RESTRICT="!test? ( test )" - -COMMON_DEPEND=" - !=virtual/zlib-1.2.8-r1:=[static-libs(+)?,${MULTILIB_USEDEP}] ) -" -BDEPEND+=" - >=dev-lang/perl-5 - sctp? ( >=net-misc/lksctp-tools-1.0.12 ) - test? ( - sys-apps/diffutils - app-alternatives/bc - sys-process/procps - ) -" -DEPEND="${COMMON_DEPEND}" -RDEPEND="${COMMON_DEPEND}" -PDEPEND="app-misc/ca-certificates" - -MULTILIB_WRAPPED_HEADERS=( - /usr/include/openssl/configuration.h -) - -PATCHES=( - "${FILESDIR}"/${PN}-3.3.2-silence-warning.patch -) - -pkg_setup() { - if use ktls ; then - if kernel_is -lt 4 18 ; then - ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!" - else - CONFIG_CHECK="~TLS ~TLS_DEVICE" - ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!" - ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!" - use test && CONFIG_CHECK+=" ~CRYPTO_USER_API_SKCIPHER" - - linux-info_pkg_setup - fi - fi - - [[ ${MERGE_TYPE} == binary ]] && return - - # must check in pkg_setup; sysctl doesn't work with userpriv! - if use test && use sctp ; then - # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel" - # if sctp.auth_enable is not enabled. - local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null) - if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then - die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!" - fi - fi -} - -src_prepare() { - # Make sure we only ever touch Makefile.org and avoid patching a file - # that gets blown away anyways by the Configure script in src_configure - rm -f Makefile || die - - if ! use vanilla ; then - PATCHES+=( - # Add patches which are Gentoo-specific customisations here - ) - fi - - default - - if use test && use sctp && has network-sandbox ${FEATURES} ; then - einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." - rm test/recipes/80-test_ssl_new.t || die - fi - - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die -} - -src_configure() { - # Keep this in sync with app-misc/c_rehash - SSL_CNF_DIR="/etc/ssl" - - # Quiet out unknown driver argument warnings since openssl - # doesn't have well-split CFLAGS and we're making it even worse - # and 'make depend' uses -Werror for added fun (bug #417795 again) - tc-is-clang && append-flags -Qunused-arguments - - # We really, really need to build OpenSSL w/ strict aliasing disabled. - # It's filled with violations and it *will* result in miscompiled - # code. This has been in the ebuild for > 10 years but even in 2022, - # it's still relevant: - # - https://github.com/llvm/llvm-project/issues/55255 - # - https://github.com/openssl/openssl/issues/12247 - # - https://github.com/openssl/openssl/issues/18225 - # - https://github.com/openssl/openssl/issues/18663#issuecomment-1181478057 - # Don't remove the no strict aliasing bits below! - filter-flags -fstrict-aliasing - append-flags -fno-strict-aliasing - # The OpenSSL developers don't test with LTO right now, it leads to various - # warnings/errors (which may or may not be false positives), it's considered - # unsupported, and it's not tested in CI: https://github.com/openssl/openssl/issues/18663. - filter-lto - - append-flags $(test-flags-CC -Wa,--noexecstack) - - # bug #895308 -- check inserts GNU ld-compatible arguments - [[ ${CHOST} == *-darwin* ]] || append-atomic-flags - # Configure doesn't respect LIBS - export LDLIBS="${LIBS}" - - # bug #197996 - unset APPS - # bug #312551 - unset SCRIPTS - # bug #311473 - unset CROSS_COMPILE - - tc-export AR CC CXX RANLIB RC - - multilib-minimal_src_configure -} - -multilib_src_configure() { - use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } - - local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") - - # See if our toolchain supports __uint128_t. If so, it's 64bit - # friendly and can use the nicely optimized code paths, bug #460790. - #local ec_nistp_64_gcc_128 - # - # Disable it for now though (bug #469976) - # Do NOT re-enable without substantial discussion first! - # - #echo "__uint128_t i;" > "${T}"/128.c - #if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then - # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128" - #fi - - local sslout=$(bash "${FILESDIR}/gentoo.config-1.0.4") - einfo "Using configuration: ${sslout:-(openssl knows best)}" - - # https://github.com/openssl/openssl/blob/master/INSTALL.md#enable-and-disable-features - local myeconfargs=( - ${sslout} - - $(multilib_is_native_abi || echo "no-docs") - $(use cpu_flags_x86_sse2 || echo "no-sse2") - enable-camellia - enable-ec - enable-ec2m - enable-sm2 - enable-srp - $(use elibc_musl && echo "no-async") - enable-idea - enable-mdc2 - enable-rc5 - $(use fips && echo "enable-fips") - $(use quic && echo "enable-quic") - $(use_ssl asm) - $(use_ssl ktls) - $(use_ssl rfc3779) - $(use_ssl sctp) - $(use test || echo "no-tests") - $(use_ssl tls-compression zlib) - $(use_ssl weak-ssl-ciphers) - - --prefix="${EPREFIX}"/usr - --openssldir="${EPREFIX}"${SSL_CNF_DIR} - --libdir=$(get_libdir) - - shared - threads - ) - - edo perl "${S}/Configure" "${myeconfargs[@]}" -} - -multilib_src_compile() { - emake build_sw - if multilib_is_native_abi; then - emake build_docs - fi -} - -multilib_src_test() { - # See https://github.com/openssl/openssl/blob/master/test/README.md for options. - # - # VFP = show subtests verbosely and show failed tests verbosely - # Normal V=1 would show everything verbosely but this slows things down. - # - # -j1 here for https://github.com/openssl/openssl/issues/21999, but it - # shouldn't matter as tests were already built earlier, and HARNESS_JOBS - # controls running the tests. - emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test -} - -multilib_src_install() { - # Only -j1 is supported for the install targets: - # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 - emake DESTDIR="${D}" -j1 install_sw - if use fips; then - emake DESTDIR="${D}" -j1 install_fips - # Regen this in pkg_preinst, bug 900625 - rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die - fi - - if multilib_is_native_abi; then - emake DESTDIR="${D}" -j1 install_ssldirs - emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs - fi - - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi -} - -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die - - dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el - - # Create the certs directory - keepdir ${SSL_CNF_DIR}/certs - - # bug #254521 - dodir /etc/sandbox.d - echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl - - diropts -m0700 - keepdir ${SSL_CNF_DIR}/private -} - -pkg_preinst() { - if use fips; then - # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" - LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ - "${ED}/usr/bin/openssl" fipsinstall -quiet \ - -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? - fi - - preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} - -pkg_postinst() { - ebegin "Running 'openssl rehash ${EROOT}${SSL_CNF_DIR}/certs' to rebuild hashes (bug #333069)" - openssl rehash "${EROOT}${SSL_CNF_DIR}/certs" - eend $? - - preserve_old_lib_notify /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ - /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1.1) -} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.4.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.6.ebuild similarity index 99% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.4.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.6.ebuild index aee6f99cf00..dd507fe96b8 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.4.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.6.ebuild @@ -30,7 +30,7 @@ else KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild index 3acab3cf171..a3e03ca5b66 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.4.9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -30,7 +30,7 @@ else KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5-r2.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.7.ebuild similarity index 98% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5-r2.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.7.ebuild index 34b6b0795f9..3c1125020df 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.5-r2.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.7.ebuild @@ -30,7 +30,7 @@ else KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} @@ -61,11 +61,6 @@ MULTILIB_WRAPPED_HEADERS=( /usr/include/openssl/configuration.h ) -PATCHES=( - "${FILESDIR}"/${PN}-3.5.5-ppc64.patch - "${FILESDIR}"/${PN}-3.5.5-ppc64-be.patch -) - pkg_setup() { if use ktls ; then if kernel_is -lt 4 18 ; then diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild index 63e02f74931..d88181b93e9 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.5.9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -30,7 +30,7 @@ else KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.3.ebuild similarity index 82% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.3.ebuild index 3acab3cf171..d88181b93e9 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.3.ebuild @@ -1,11 +1,11 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs +inherit edo flag-o-matic linux-info sysroot toolchain-funcs +inherit multibuild multilib multilib-build multiprocessing preserve-libs DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" HOMEPAGE="https://openssl-library.org/" @@ -30,7 +30,7 @@ else KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} @@ -110,6 +110,27 @@ src_prepare() { rm test/recipes/30-test_afalg.t || die } +_openssl_variant() { + local OPENSSL_VARIANT=${MULTIBUILD_VARIANT} + mkdir -p "${BUILD_DIR}" || die + pushd "${BUILD_DIR}" >/dev/null || die + "$@" + popd >/dev/null || die +} + +openssl_foreach_variant() { + local MULTIBUILD_VARIANTS=( "${OPENSSL_VARIANTS[@]}" ) + multibuild_foreach_variant _openssl_variant "$@" +} + +openssl_run_phase() { + multilib_foreach_abi openssl_foreach_variant "$@" +} + +openssl_is_default_variant() { + [[ ${OPENSSL_VARIANT} == shared ]] && multilib_is_native_abi +} + src_configure() { # Keep this in sync with app-misc/c_rehash SSL_CNF_DIR="/etc/ssl" @@ -151,10 +172,13 @@ src_configure() { tc-export AR CC CXX RANLIB RC - multilib-minimal_src_configure + OPENSSL_VARIANTS=( shared ) + use static-libs && OPENSSL_VARIANTS+=( static ) + + openssl_run_phase openssl_src_configure } -multilib_src_configure() { +openssl_src_configure() { use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") @@ -178,7 +202,7 @@ multilib_src_configure() { local myeconfargs=( ${sslout} - $(multilib_is_native_abi || echo "no-docs") + $(openssl_is_default_variant || echo "no-docs") $(use cpu_flags_x86_sse2 || echo "no-sse2") enable-camellia enable-ec @@ -203,21 +227,32 @@ multilib_src_configure() { --openssldir="${EPREFIX}"${SSL_CNF_DIR} --libdir=$(get_libdir) - shared threads ) + if [[ ${OPENSSL_VARIANT} == static ]]; then + myeconfargs+=( no-module no-shared ) + fi + edo perl "${S}/Configure" "${myeconfargs[@]}" } -multilib_src_compile() { +src_compile() { + openssl_run_phase openssl_src_compile +} + +openssl_src_compile() { emake build_sw - if multilib_is_native_abi; then + if openssl_is_default_variant; then emake build_docs fi } -multilib_src_test() { +src_test() { + openssl_run_phase openssl_src_test +} + +openssl_src_test() { # See https://github.com/openssl/openssl/blob/master/test/README.md for options. # # VFP = show subtests verbosely and show failed tests verbosely @@ -229,32 +264,36 @@ multilib_src_test() { emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test } -multilib_src_install() { +openssl_src_install() { + if [[ ${OPENSSL_VARIANT} == static ]]; then + dolib.a libcrypto.a libssl.a + return + fi + # Only -j1 is supported for the install targets: # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 emake DESTDIR="${D}" -j1 install_sw + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + if use fips; then emake DESTDIR="${D}" -j1 install_fips # Regen this in pkg_preinst, bug 900625 rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die fi - if multilib_is_native_abi; then + if openssl_is_default_variant; then emake DESTDIR="${D}" -j1 install_ssldirs emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs fi - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi + multilib_prepare_wrappers + multilib_check_headers } -multilib_src_install_all() { +src_install() { + openssl_run_phase openssl_src_install + multilib_install_wrappers + # openssl installs perl version of c_rehash by default, but # we provide a shell version via app-misc/c_rehash rm "${ED}"/usr/bin/c_rehash || die @@ -275,12 +314,12 @@ multilib_src_install_all() { pkg_preinst() { if use fips; then # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" + einfo "Running openssl fipsinstall" LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ - "${ED}/usr/bin/openssl" fipsinstall -quiet \ + sysroot_run_prefixed "${ED}/usr/bin/openssl" fipsinstall \ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" \ + || die "fipsinstall failed" fi preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild index 63e02f74931..d88181b93e9 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.6.9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2025 Gentoo Authors +# Copyright 1999-2026 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -30,7 +30,7 @@ else KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.6.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.1.ebuild similarity index 79% rename from sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.6.ebuild rename to sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.1.ebuild index 37c84927c78..7d8e06730ef 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-3.3.6.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.1.ebuild @@ -4,8 +4,8 @@ EAPI=8 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/openssl.org.asc -inherit edo flag-o-matic linux-info toolchain-funcs -inherit multilib multilib-minimal multiprocessing preserve-libs +inherit edo flag-o-matic linux-info sysroot toolchain-funcs +inherit multibuild multilib multilib-build multiprocessing preserve-libs DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)" HOMEPAGE="https://openssl-library.org/" @@ -20,17 +20,17 @@ if [[ ${PV} == *9999 ]] ; then else inherit verify-sig SRC_URI=" - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz + https://github.com/openssl/openssl/releases/download/${MY_P}/${MY_P}.tar.gz verify-sig? ( - https://github.com/openssl/openssl/releases/download/${P}/${P}.tar.gz.asc + https://github.com/openssl/openssl/releases/download/${MY_P}/${MY_P}.tar.gz.asc ) " if [[ ${PV} != *_alpha* && ${PV} != *_beta* ]] ; then - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris" + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P} @@ -62,7 +62,7 @@ MULTILIB_WRAPPED_HEADERS=( ) PATCHES=( - "${FILESDIR}"/${PN}-3.3.2-silence-warning.patch + "${FILESDIR}"/${PN}-4.0.1-x86-avx2.patch ) pkg_setup() { @@ -109,9 +109,27 @@ src_prepare() { einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..." rm test/recipes/80-test_ssl_new.t || die fi +} + +_openssl_variant() { + local OPENSSL_VARIANT=${MULTIBUILD_VARIANT} + mkdir -p "${BUILD_DIR}" || die + pushd "${BUILD_DIR}" >/dev/null || die + "$@" + popd >/dev/null || die +} + +openssl_foreach_variant() { + local MULTIBUILD_VARIANTS=( "${OPENSSL_VARIANTS[@]}" ) + multibuild_foreach_variant _openssl_variant "$@" +} - # Test fails depending on kernel configuration, bug #699134 - rm test/recipes/30-test_afalg.t || die +openssl_run_phase() { + multilib_foreach_abi openssl_foreach_variant "$@" +} + +openssl_is_default_variant() { + [[ ${OPENSSL_VARIANT} == shared ]] && multilib_is_native_abi } src_configure() { @@ -155,10 +173,13 @@ src_configure() { tc-export AR CC CXX RANLIB RC - multilib-minimal_src_configure + OPENSSL_VARIANTS=( shared ) + use static-libs && OPENSSL_VARIANTS+=( static ) + + openssl_run_phase openssl_src_configure } -multilib_src_configure() { +openssl_src_configure() { use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; } local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal") @@ -182,7 +203,7 @@ multilib_src_configure() { local myeconfargs=( ${sslout} - $(multilib_is_native_abi || echo "no-docs") + $(openssl_is_default_variant || echo "no-docs") $(use cpu_flags_x86_sse2 || echo "no-sse2") enable-camellia enable-ec @@ -207,21 +228,32 @@ multilib_src_configure() { --openssldir="${EPREFIX}"${SSL_CNF_DIR} --libdir=$(get_libdir) - shared threads ) + if [[ ${OPENSSL_VARIANT} == static ]]; then + myeconfargs+=( no-module no-shared ) + fi + edo perl "${S}/Configure" "${myeconfargs[@]}" } -multilib_src_compile() { +src_compile() { + openssl_run_phase openssl_src_compile +} + +openssl_src_compile() { emake build_sw - if multilib_is_native_abi; then + if openssl_is_default_variant; then emake build_docs fi } -multilib_src_test() { +src_test() { + openssl_run_phase openssl_src_test +} + +openssl_src_test() { # See https://github.com/openssl/openssl/blob/master/test/README.md for options. # # VFP = show subtests verbosely and show failed tests verbosely @@ -233,35 +265,35 @@ multilib_src_test() { emake -Onone -j1 HARNESS_JOBS="$(makeopts_jobs)" VFP=1 test } -multilib_src_install() { +openssl_src_install() { + if [[ ${OPENSSL_VARIANT} == static ]]; then + dolib.a libcrypto.a libssl.a + return + fi + # Only -j1 is supported for the install targets: # https://github.com/openssl/openssl/issues/21999#issuecomment-1771150305 emake DESTDIR="${D}" -j1 install_sw + rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die + if use fips; then emake DESTDIR="${D}" -j1 install_fips # Regen this in pkg_preinst, bug 900625 rm "${ED}${SSL_CNF_DIR}"/fipsmodule.cnf || die fi - if multilib_is_native_abi; then + if openssl_is_default_variant; then emake DESTDIR="${D}" -j1 install_ssldirs emake DESTDIR="${D}" DOCDIR='$(INSTALLTOP)'/share/doc/${PF} -j1 install_docs fi - # This is crappy in that the static archives are still built even - # when USE=static-libs. But this is due to a failing in the openssl - # build system: the static archives are built as PIC all the time. - # Only way around this would be to manually configure+compile openssl - # twice; once with shared lib support enabled and once without. - if ! use static-libs ; then - rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die - fi + multilib_prepare_wrappers + multilib_check_headers } -multilib_src_install_all() { - # openssl installs perl version of c_rehash by default, but - # we provide a shell version via app-misc/c_rehash - rm "${ED}"/usr/bin/c_rehash || die +src_install() { + openssl_run_phase openssl_src_install + multilib_install_wrappers dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el @@ -279,12 +311,12 @@ multilib_src_install_all() { pkg_preinst() { if use fips; then # Regen fipsmodule.cnf, bug 900625 - ebegin "Running openssl fipsinstall" + einfo "Running openssl fipsinstall" LD_LIBRARY_PATH="${ED}/usr/$(get_libdir)" \ - "${ED}/usr/bin/openssl" fipsinstall -quiet \ + sysroot_run_prefixed "${ED}/usr/bin/openssl" fipsinstall \ -out "${ED}${SSL_CNF_DIR}/fipsmodule.cnf" \ - -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" - eend $? + -module "${ED}/usr/$(get_libdir)/ossl-modules/fips.so" \ + || die "fipsinstall failed" fi preserve_old_lib /usr/$(get_libdir)/lib{crypto,ssl}$(get_libname 1) \ diff --git a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.9999.ebuild b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.9999.ebuild index 5c8a482db6c..b71950f71e1 100644 --- a/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.9999.ebuild +++ b/sdk_container/src/third_party/portage-stable/dev-libs/openssl/openssl-4.0.9999.ebuild @@ -30,7 +30,7 @@ else KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris" fi - BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20240920 )" + BDEPEND="verify-sig? ( >=sec-keys/openpgp-keys-openssl-20260415 )" fi S="${WORKDIR}"/${MY_P}