1 files changed, 137 insertions, 23 deletions
diff --git a/main/openssl/APKBUILD b/main/openssl/APKBUILD
index d59cf58b2ba..ce0902cd985 100644
--- a/main/openssl/APKBUILD
+++ b/main/openssl/APKBUILD
@@ -1,25 +1,90 @@
-# Maintainer: Timo Teras <timo.teras@iki.fi>
+# Contributor: Ariadne Conill <ariadne@dereferenced.org>
+# Contributor: Timo Teras <timo.teras@iki.fi>
+# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=openssl
-pkgver=1.1.1h
-_abiver=${pkgver%.*}
-pkgrel=0
+pkgver=3.3.0
+_abiver=${pkgver%.*.*}
+pkgrel=1
 pkgdesc="Toolkit for Transport Layer Security (TLS)"
 url="https://www.openssl.org/"
 arch="all"
-license="OpenSSL"
-replaces="libressl"
+license="Apache-2.0"
+replaces="openssl"
 makedepends_build="perl"
 makedepends_host="linux-headers"
 makedepends="$makedepends_host $makedepends_build"
 subpackages="$pkgname-dbg $pkgname-libs-static $pkgname-dev $pkgname-doc
-	libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
+	$pkgname-misc::noarch libcrypto$_abiver:_libcrypto libssl$_abiver:_libssl"
 source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
 	man-section.patch
-	ppc64.patch
 	"
-
+builddir="$srcdir/openssl-$pkgver"
 
 # secfixes:
+#   3.2.1-r2:
+#     - CVE-2024-2511
+#   3.1.4-r5:
+#     - CVE-2024-0727
+#   3.1.4-r4:
+#     - CVE-2023-6237
+#   3.1.4-r3:
+#     - CVE-2023-6129
+#   3.1.4-r1:
+#     - CVE-2023-5678
+#   3.1.4-r0:
+#     - CVE-2023-5363
+#   3.1.2-r0:
+#     - CVE-2023-3817
+#   3.1.1-r3:
+#     - CVE-2023-3446
+#   3.1.1-r2:
+#     - CVE-2023-2975
+#   3.1.1-r0:
+#     - CVE-2023-2650
+#   3.1.0-r4:
+#     - CVE-2023-1255
+#   3.1.0-r2:
+#     - CVE-2023-0465
+#   3.1.0-r1:
+#     - CVE-2023-0464
+#   3.0.8-r0:
+#     - CVE-2022-4203
+#     - CVE-2022-4304
+#     - CVE-2022-4450
+#     - CVE-2023-0215
+#     - CVE-2023-0216
+#     - CVE-2023-0217
+#     - CVE-2023-0286
+#     - CVE-2023-0401
+#   3.0.7-r2:
+#     - CVE-2022-3996
+#   3.0.7-r0:
+#     - CVE-2022-3786
+#     - CVE-2022-3602
+#   3.0.6-r0:
+#     - CVE-2022-3358
+#   3.0.5-r0:
+#     - CVE-2022-2097
+#   3.0.3-r0:
+#     - CVE-2022-1343
+#     - CVE-2022-1434
+#     - CVE-2022-1473
+#   3.0.2-r0:
+#     - CVE-2022-0778
+#   3.0.1-r0:
+#     - CVE-2021-4044
+#   1.1.1l-r0:
+#     - CVE-2021-3711
+#     - CVE-2021-3712
+#   1.1.1k-r0:
+#     - CVE-2021-3449
+#     - CVE-2021-3450
+#   1.1.1j-r0:
+#     - CVE-2021-23841
+#     - CVE-2021-23840
+#     - CVE-2021-23839
+#   1.1.1i-r0:
+#     - CVE-2020-1971
 #   1.1.1g-r0:
 #     - CVE-2020-1967
 #   1.1.1d-r3:
@@ -33,14 +98,20 @@ source="https://www.openssl.org/source/openssl-$pkgver.tar.gz
 #   1.1.1a-r0:
 #     - CVE-2018-0734
 #     - CVE-2018-0735
+#   0:
+#     - CVE-2022-1292
+#     - CVE-2022-2068
+#     - CVE-2022-2274
+#     - CVE-2023-0466
+#     - CVE-2023-4807
 
 build() {
 	local _target _optflags
 
 	# openssl will prepend crosscompile always core CC et al
-	CC=${CC#${CROSS_COMPILE}}
-	CXX=${CXX#${CROSS_COMPILE}}
-	CPP=${CPP#${CROSS_COMPILE}}
+	CC=${CC#"$CROSS_COMPILE"}
+	CXX=${CXX#"$CROSS_COMPILE"}
+	CPP=${CPP#"$CROSS_COMPILE"}
 
 	# determine target OS for openssl
 	case "$CARCH" in
@@ -49,11 +120,14 @@ build() {
 		mips64*)	_target="linux64-mips64" ;;
 		# explicit _optflags is needed to prevent automatic -mips3 addition
 		mips*)		_target="linux-mips32"; _optflags="-mips32" ;;
+		ppc)		_target="linux-ppc" ;;
 		ppc64)		_target="linux-ppc64" ;;
 		ppc64le)	_target="linux-ppc64le" ;;
 		x86)		_target="linux-elf" ;;
 		x86_64)		_target="linux-x86_64"; _optflags="enable-ec_nistp_64_gcc_128" ;;
-		s390x) 		_target="linux64-s390x";;
+		s390x)		_target="linux64-s390x";;
+		riscv64)	_target="linux64-riscv64";;
+		loongarch64)	_target="linux64-loongarch64";;
 		*)		msg "Unable to determine architecture from (CARCH=$CARCH)" ; return 1 ;;
 	esac
 
@@ -61,14 +135,38 @@ build() {
 	# gcc's --sysroot fake this by overriding CC
 	[ -n "$CBUILDROOT" ] && CC="$CC --sysroot=$CBUILDROOT"
 
-	perl ./Configure $_target --prefix=/usr \
+	# when cross building do not enable threads as libatomic is not avaiable
+	if [ "$CBUILD" != "$CHOST" ]; then
+		case $CARCH in
+			riscv64) _optflags="$_optflags no-threads";;
+		esac
+	fi
+
+	perl ./Configure \
+		$_target \
+		--prefix=/usr \
 		--libdir=lib \
 		--openssldir=/etc/ssl \
-		shared no-zlib $_optflags \
-		no-async no-comp no-idea no-mdc2 no-rc5 no-ec2m \
-		no-sm2 no-sm4 no-ssl2 no-ssl3 no-seed \
+		enable-ktls \
+		shared \
+		no-zlib \
+		no-async \
+		no-comp \
+		no-idea \
+		no-mdc2 \
+		no-rc5 \
+		no-ec2m \
+		no-ssl3 \
+		no-seed \
 		no-weak-ssl-ciphers \
-		$CPPFLAGS $CFLAGS $LDFLAGS -Wa,--noexecstack
+		$_optflags \
+		$CPPFLAGS \
+		$CFLAGS \
+		$LDFLAGS -Wa,--noexecstack
+
+	# dump configuration into logs
+	perl configdata.pm --dump
+
 	make
 }
 
@@ -81,19 +179,32 @@ check() {
 }
 
 package() {
+	depends="libssl$_abiver=$pkgver-r$pkgrel libcrypto$_abiver=$pkgver-r$pkgrel"
+	provides="openssl3=$pkgver-r$pkgrel"
+	replaces="openssl3"
+
 	make DESTDIR="$pkgdir" install
 	# remove the script c_rehash
 	rm "$pkgdir"/usr/bin/c_rehash
 }
 
 dev() {
+	provides="openssl3-dev=$pkgver-r$pkgrel"
+	replaces="openssl3-dev"
+
 	default_dev
-	replaces="libressl-dev"
+}
+
+misc() {
+	depends="$pkgname=$pkgver-r$pkgrel perl"
+	pkgdesc="Various perl scripts from $pkgname"
+
+	amove etc/ssl/misc
 }
 
 _libcrypto() {
 	pkgdesc="Crypto library from openssl"
-	replaces="libressl2.7-libcrypto"
+	replaces="libcrypto1.1"
 	mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
 	mv "$pkgdir"/etc "$subpkgdir"/
 	for i in "$pkgdir"/usr/lib/libcrypto*; do
@@ -101,10 +212,12 @@ _libcrypto() {
 		ln -s ../../lib/${i##*/} "$subpkgdir"/usr/lib/${i##*/}
 	done
 	mv "$pkgdir"/usr/lib/engines-$_abiver "$subpkgdir"/usr/lib/
+	mv "$pkgdir"/usr/lib/ossl-modules "$subpkgdir"/usr/lib/
 }
 
 _libssl() {
 	pkgdesc="SSL shared libraries"
+	depends="libcrypto$_abiver=$pkgver-r$pkgrel"
 
 	mkdir -p "$subpkgdir"/lib "$subpkgdir"/usr/lib
 	for i in "$pkgdir"/usr/lib/libssl*; do
@@ -113,6 +226,7 @@ _libssl() {
 	done
 }
 
-sha512sums="da50fd99325841ed7a4367d9251c771ce505a443a73b327d8a46b2c6a7d2ea99e43551a164efc86f8743b22c2bdb0020bf24a9cbd445e9d68868b2dc1d34033a  openssl-1.1.1h.tar.gz
-43c3255118db6f5f340dc865c0f25ccbcafe5bf7507585244ca59b4d27daf533d6c3171aa32a8685cbb6200104bec535894b633de13feaadff87ab86739a445a  man-section.patch
-e040f23770d52b988578f7ff84d77563340f37c026db7643db8e4ef18e795e27d10cb42cb8656da4d9c57a28283a2828729d70f940edc950c3422a54fea55509  ppc64.patch"
+sha512sums="
+1f9daeee6542e1b831c65f1f87befaef98ccedc3abc958c9d17f064ef771924c30849e3ff880f94eed4aaa9d81ea105e3bc8815e6d2e4d6b60b5e890f14fc5da  openssl-3.3.0.tar.gz
+8c44e990fe8a820f649631b9f81cf28225b7516065169a7f68e2dd7c067b30df9b2c6cb88fa826afbc9fcdaf156360aabf7c498d2d9ed452968815b12b004809  man-section.patch
+"