From 1b740d97b93b5cdac54c9e7e908397adfa0ce44c Mon Sep 17 00:00:00 2001
From: thomas
Date: Fri, 20 Sep 2024 15:12:27 +0200
Subject: [PATCH] openssl: install version 3.3.2 and 1-1.1.1za Meanwhile openssl ver-3 should be considered as mature, also more and more binary packages use libssl.so.3 and libcrypto.so.3 what causes trouble when we use foreign packages for package/pkg and the like. The package is called openssl, not openssl3 - in the hope that future builds are more standards aware, and avoid the chaos that openssl v1 has produced. (BTW, there is also a libssl3.so in the system, it is from the nss package, so don't get confused) Since there still might be packages around that need openssl-1.1, a pure compat-package might not be sufficient here. Therefore a recent openssl-1.1 package is build aside of openssl3. If the software in question uses pkg-config, setting PKG_CONFIG_PATH=/usr/lib/openssl-1.1/pkgconfig should do the job, otherwise CFLAGS, LDFLAGS, etc. need adjustments (-I/usr/include/openssl-1.1, -L/usr/lib/openssl-1.1). The old openssl command line program is called openssl-1.1
---
 openssl.be0 | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 openssl1.be0 | 41 ++++++++++++++++++++++++++++++++++-----
 2 files changed, 90 insertions(+), 5 deletions(-)
 create mode 100755 openssl.be0
diff --git a/openssl.be0 b/openssl.be0
new file mode 100755
index 000000000..123359544
--- /dev/null
+++ b/openssl.be0
@@ -0,0 +1,54 @@
+#!/usr/bin/env beesh
+
+# BEE_VERSION openssl-3.3.2-0
+
+#SRCURL[0]="https://github.com/openssl/openssl/releases/download/openssl-${PKGVERSION}/openssl-${PKGVERSION}.tar.gz"
+SRCURL[0]="https://beehive.molgen.mpg.de/015fca2692596560b6fe8a2d8fecd84b/openssl-3.3.2.tar.gz"
+
+# PATCHURL+=()
+
+# build_in_sourcedir
+
+# sourcesubdir_append src
+
+#mee_extract() {
+# bee_extract "${@}"
+#}
+
+#mee_patch() {
+# bee_patch "${@}"
+#}
+
+mee_configure_pre() {
+ # html, and man(3) is unwanted, prevent clutter from the beginning
+ sed \
+ -e '/^build_docs:/ s/build_html_docs//' \
+ -e '/^build_man_docs:/ s/$(MANDOCS3)\s//' \
+ -e '/^install_docs:/ s/install_html_docs//' \
+ -e '/for x in dummy/ s/$(MANDOCS3)//' \
+ -i ${S}/Configurations/unix-Makefile.tmpl
+}
+
+mee_configure() {
+ ${S}/config \
+ --prefix=${PREFIX} \
+ --openssldir=${SYSCONFDIR}/ssl \
+ --libdir=lib \
+ shared \
+ zlib-dynamic
+}
+
+mee_build() {
+ make depend
+ make ${BEE_MAKEFLAGS}
+ make -j1 test || true # one failure '04-test_bio_dgram.t' -> Testing with AF_INET6, local=0, mariux issue ...
+}
+
+mee_install() {
+ make DESTDIR=${D} MANDIR=${MANDIR} MANSUFFIX=ssl install
+}
+
+mee_install_post() {
+ rm -vf ${D}/usr/lib/*.a # hmmm, see 'shared' above ...
+ rmdir ${D}/usr/share/man/man3
+}
diff --git a/openssl1.be0 b/openssl1.be0
index b0fcff5a1..86baa8afd 100755
--- a/openssl1.be0
+++ b/openssl1.be0
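Review bot: In mee_build of openssl.be0, `make -j1 test || true` discards the result of the whole OpenSSL test suite, so a real regression in this build of a crypto library would pass as silently as the one known `04-test_bio_dgram.t` failure. OpenSSL's test target accepts an exclusion list, so the known failure can be skipped while every other test stays fatal: `make -j1 test TESTS='-test_bio_dgram'`. Separately, the tarball is now fetched only from the mirror URL; whether beesh checks the 32-hex path component as a digest is not visible here, so it is worth confirming that, or recording a SHA-256 of the upstream release in a comment next to SRCURL.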
@@ -1,11 +1,22 @@
 #!/usr/bin/env beesh
 
-# BEE_VERSION openssl1-1.1.1t-0
+# BEE_VERSION openssl1-1.1.1za-0
 
-#SRCURL[0]="https://www.openssl.org/source/openssl-${PKGVERSION}.tar.gz"
-SRCURL[0]="https://beehive.molgen.mpg.de/1cfee919e0eac6be62c88c5ae8bcd91e/openssl-1.1.1t.tar.gz"
+#SRCURL[0]="https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz"
+SRCURL[0]="https://beehive.molgen.mpg.de/3f76825f195e52d4b10c70040681a275/openssl-1.1.1w.tar.gz"
 
-# PATCHURL+=()
+# The patches and the message below are from Slackware
+# Patches themselves are under the Apache License v2.0. After patching the package
+# identifies itself as version 'za'
+#
+# Apply patches to fix CVEs that were fixed by the 1.1.1{x,y,za} releases that
+# were only available to subscribers to OpenSSL's premium extended support.
+# These patches were prepared by backporting commits from the OpenSSL-3.0 repo.
+# Thanks to Ken Zalewski!
+
+PATCHURL+=("https://beehive.molgen.mpg.de/61daee1e6724b5b2d9dcd8e7a0c45553/0001-openssl-1.1.1x_CVE-2023-5678_CVE-2024-0727.patch")
+PATCHURL+=("https://beehive.molgen.mpg.de/23347a1a7cc77d1b5e8b3832d36bbf71/0002-openssl-1.1.1y_CVE-2024-2511_CVE-2024-4741.patch")
+PATCHURL+=("https://beehive.molgen.mpg.de/ee9011230a6b4317644b04b9e9a7ff57/0003-openssl-1.1.1za_CVE-2024-5535.patch")
 
 # build_in_sourcedir
 
@@ -27,7 +38,7 @@ mee_configure() {
 start_cmd ${S}/config \
 --prefix=${PREFIX} \
 --openssldir=${SYSCONFDIR}/ssl \
- --libdir=lib \
+ --libdir=lib/openssl-1.1 \
 shared \
 zlib-dynamic
 }
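Review bot: In the first hunk of openssl1.be0, the three PATCHURL entries fetch security backports from the internal mirror, and the comment names Slackware but records neither the exact source location nor a strong digest for each file. Because the package afterwards identifies itself as 'za', anyone checking CVE coverage will trust that these are exactly the Slackware patches; the 32-hex path component looks like an MD5, and whether beesh verifies it is not visible here. I would add a line above each entry such as `# origin: <slackware-source-url>  sha256: <digest>` (placeholders to fill in). The comment should also state that BEE_VERSION 1.1.1za means the 1.1.1w tarball plus these three backport sets, so nobody assumes later upstream fixes are included.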
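Review bot: In the second hunk of openssl1.be0 (mee_configure, which starts above the hunk), only `--libdir` moves to `lib/openssl-1.1` while `--openssldir=${SYSCONFDIR}/ssl` stays identical to the value openssl.be0 uses, so the 1.1.1 libraries are built to read the same `openssl.cnf` and certificate directory as the 3.x package. Together with the `rm -rf ${D}/etc` in the new mee_install_post this looks intentional, but it makes the 1.1.1 runtime depend on a configuration file written for OpenSSL 3. It is worth confirming that 1.1.1 loads that file cleanly, and documenting the dependency with a comment such as `# shares ${SYSCONFDIR}/ssl with the openssl (3.x) package, which owns openssl.cnf and the certs`.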
@@ -41,3 +52,23 @@ mee_build() {
 mee_install() {
 start_cmd make DESTDIR=${D} MANDIR=${MANDIR} MANSUFFIX=ssl install
 }
+
+mee_install_post() {
+ rm -f ${D}/usr/lib/openssl-1.1/*.a # hmmm, see 'shared' above ...
+
+ # now provide the libraries as 'compat-package', and rearrange
+ # everything in a way, that
+ # PKG_CONFIG_PATH=/usr/lib/openssl-1.1/pkgconfig
+ # allows to build 'legacy' packages.
+ ( cd ${D}/usr/lib/openssl-1.1
+ for file in lib*.so.?.* ; do
+ mv $file ../../lib
+ ln -sf ../../lib/$file .
+ done
+ )
+ mkdir -p ${D}/usr/include/openssl-1.1
+ mv ${D}/usr/include/openssl ${D}/usr/include/openssl-1.1/openssl
+ sed -e "s|/include$|/include/openssl-1.1|" -i ${D}/usr/lib/openssl-1.1/pkgconfig/*.pc
+ mv ${D}/usr/bin/openssl ${D}/usr/bin/openssl-1.1
+ rm -rf ${D}/etc ${D}/usr/bin/c_rehash ${D}/usr/share
+}
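Review bot: The new mee_install_post ends with `rm -rf ${D}/etc ${D}/usr/bin/c_rehash ${D}/usr/share`, where `${D}` is unquoted and unchecked, so an empty or unset `D` would turn it into a recursive delete of `/etc` and `/usr/share` on the build host; `rm -rf "${D:?}/etc" "${D:?}/usr/bin/c_rehash" "${D:?}/usr/share"` aborts instead. The subshell has the same weakness: if `cd ${D}/usr/lib/openssl-1.1` fails, the `mv`/`ln` loop runs in whatever directory the build happens to be in, so it should read `cd "${D}/usr/lib/openssl-1.1" || exit 1`, with `"$file"` quoted inside the loop. beesh presumably always sets `D`, but that is not visible in this hunk and the guard costs nothing.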