From 1b740d97b93b5cdac54c9e7e908397adfa0ce44c Mon Sep 17 00:00:00 2001
From: thomas <kreitler@molgen.mpg.de>
Date: Fri, 20 Sep 2024 15:12:27 +0200
Subject: [PATCH] openssl: install version 3.3.2 and 1-1.1.1za

Meanwhile openssl ver-3 should be considered as mature, also
more and more binary packages use libssl.so.3 and libcrypto.so.3
what causes trouble when we use foreign packages for package/pkg
and the like.

The package is called openssl, not openssl3 - in the hope that
future builds are more standards aware, and avoid the chaos that
openssl v1 has produced. (BTW, there is also a libssl3.so in the
system, it is from the nss package, so don't get confused)

Since there still might be packages around that need openssl-1.1,
a pure compat-package might not be sufficient here. Therefore a
recent openssl-1.1 package is build aside of openssl3. If the
software in question uses pkg-config, setting

  PKG_CONFIG_PATH=/usr/lib/openssl-1.1/pkgconfig

should do the job, otherwise CFLAGS, LDFLAGS, etc. need
adjustments (-I/usr/include/openssl-1.1, -L/usr/lib/openssl-1.1).
The old openssl command line program is called openssl-1.1
---
 openssl.be0  | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 openssl1.be0 | 41 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100755 openssl.be0

diff --git a/openssl.be0 b/openssl.be0
new file mode 100755
index 000000000..123359544
--- /dev/null
+++ b/openssl.be0
@@ -0,0 +1,54 @@
+#!/usr/bin/env beesh
+
+# BEE_VERSION openssl-3.3.2-0
+
+#SRCURL[0]="https://github.com/openssl/openssl/releases/download/openssl-${PKGVERSION}/openssl-${PKGVERSION}.tar.gz"
+SRCURL[0]="https://beehive.molgen.mpg.de/015fca2692596560b6fe8a2d8fecd84b/openssl-3.3.2.tar.gz"
+
+# PATCHURL+=()
+
+# build_in_sourcedir
+
+# sourcesubdir_append src
+
+#mee_extract() {
+#    bee_extract "${@}"
+#}
+
+#mee_patch() {
+#    bee_patch "${@}"
+#}
+
+mee_configure_pre() {
+  # html, and man(3) is unwanted, prevent clutter from the beginning
+  sed \
+    -e '/^build_docs:/ s/build_html_docs//' \
+    -e '/^build_man_docs:/ s/$(MANDOCS3)\s//' \
+    -e '/^install_docs:/ s/install_html_docs//' \
+    -e '/for x in dummy/ s/$(MANDOCS3)//' \
+    -i ${S}/Configurations/unix-Makefile.tmpl
+}
+
+mee_configure() {
+  ${S}/config \
+    --prefix=${PREFIX} \
+    --openssldir=${SYSCONFDIR}/ssl \
+    --libdir=lib \
+    shared \
+    zlib-dynamic
+}
+
+mee_build() {
+  make depend
+  make ${BEE_MAKEFLAGS}
+  make -j1 test || true # one failure '04-test_bio_dgram.t' -> Testing with AF_INET6, local=0, mariux issue ...
+}
+
+mee_install() {
+  make DESTDIR=${D} MANDIR=${MANDIR} MANSUFFIX=ssl install
+}
+
+mee_install_post() {
+  rm -vf ${D}/usr/lib/*.a # hmmm, see 'shared' above ...
+  rmdir ${D}/usr/share/man/man3
+}
diff --git a/openssl1.be0 b/openssl1.be0
index b0fcff5a1..86baa8afd 100755
--- a/openssl1.be0
+++ b/openssl1.be0
@@ -1,11 +1,22 @@
 #!/usr/bin/env beesh
 
-# BEE_VERSION openssl1-1.1.1t-0
+# BEE_VERSION openssl1-1.1.1za-0
 
-#SRCURL[0]="https://www.openssl.org/source/openssl-${PKGVERSION}.tar.gz"
-SRCURL[0]="https://beehive.molgen.mpg.de/1cfee919e0eac6be62c88c5ae8bcd91e/openssl-1.1.1t.tar.gz"
+#SRCURL[0]="https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz"
+SRCURL[0]="https://beehive.molgen.mpg.de/3f76825f195e52d4b10c70040681a275/openssl-1.1.1w.tar.gz"
 
-# PATCHURL+=()
+# The patches and the message below are from Slackware
+# Patches themselves are under the Apache License v2.0. After patching the package
+# identifies itself as version 'za'
+#
+# Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
+# were only available to subscribers to OpenSSL's premium extended support.
+# These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
+# Thanks to Ken Zalewski!
+
+PATCHURL+=("https://beehive.molgen.mpg.de/61daee1e6724b5b2d9dcd8e7a0c45553/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch")
+PATCHURL+=("https://beehive.molgen.mpg.de/23347a1a7cc77d1b5e8b3832d36bbf71/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch")
+PATCHURL+=("https://beehive.molgen.mpg.de/ee9011230a6b4317644b04b9e9a7ff57/0003-openssl-1.1.1za_CVE-2024-5535.patch")
 
 # build_in_sourcedir
 
@@ -27,7 +38,7 @@ mee_configure() {
     start_cmd ${S}/config \
         --prefix=${PREFIX} \
         --openssldir=${SYSCONFDIR}/ssl \
-        --libdir=lib \
+        --libdir=lib/openssl-1.1 \
         shared \
         zlib-dynamic
 }
@@ -41,3 +52,23 @@ mee_build() {
 mee_install() {
     start_cmd make DESTDIR=${D} MANDIR=${MANDIR} MANSUFFIX=ssl install
 }
+
+mee_install_post() {
+    rm -f ${D}/usr/lib/openssl-1.1/*.a # hmmm, see 'shared' above ...
+
+    # now provide the libraries as 'compat-package', and rearrange
+    # everything in a way, that
+    #      PKG_CONFIG_PATH=/usr/lib/openssl-1.1/pkgconfig
+    # allows to build 'legacy' packages.
+    ( cd ${D}/usr/lib/openssl-1.1
+        for file in lib*.so.?.* ; do
+            mv $file ../../lib
+            ln -sf ../../lib/$file .
+        done
+    )
+    mkdir -p ${D}/usr/include/openssl-1.1
+    mv ${D}/usr/include/openssl ${D}/usr/include/openssl-1.1/openssl
+    sed -e "s|/include$|/include/openssl-1.1|" -i ${D}/usr/lib/openssl-1.1/pkgconfig/*.pc
+    mv ${D}/usr/bin/openssl ${D}/usr/bin/openssl-1.1
+    rm -rf ${D}/etc ${D}/usr/bin/c_rehash ${D}/usr/share
+}