commit: ba26a8dafe2ab11ca59c6cacbaf545b687e62f5c
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Thu May 19 05:12:25 2022 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Thu May 19 05:17:46 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba26a8da
dev-libs/openssl: explain why -fno-strict-aliasing
OpenSSL has a scary number of strict aliasing violations
within its codebase and it is *extremely* unsafe to build
OpenSSL without this option.
Hence we continue to build with -fno-strict-aliasing,
like we have done for the last 10 years, but explain
why in the ebuild.
Signed-off-by: Sam James <sam <AT> gentoo.org>
dev-libs/openssl/openssl-1.1.1o.ebuild | 12 +++++++++++-
dev-libs/openssl/openssl-3.0.3.ebuild | 9 +++++++++
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/dev-libs/openssl/openssl-1.1.1o.ebuild
b/dev-libs/openssl/openssl-1.1.1o.ebuild
index ff2f6ac9a728..48e5e8265b39 100644
--- a/dev-libs/openssl/openssl-1.1.1o.ebuild
+++ b/dev-libs/openssl/openssl-1.1.1o.ebuild
@@ -106,10 +106,20 @@ src_prepare() {
# and 'make depend' uses -Werror for added fun (#417795 again)
[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/18225
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
- append-flags $(test-flags-CC -Wa,--noexecstack)
+
append-cppflags -DOPENSSL_NO_BUF_FREELISTS
+ append-flags $(test-flags-CC -Wa,--noexecstack)
+
# Prefixify Configure shebang (#141906)
sed \
-e "1s,/usr/bin/env,${EPREFIX}&," \
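Review bot: The comment added above `filter-flags -fstrict-aliasing` gives its evidence only as two issue URLs, so a reader cannot tell what was miscompiled without following them, and the rationale is lost if the links move. For a crypto library that is worth one more line, e.g. `# Symptom upstream: <one-line summary taken from the linked issues>`. The relocated `append-flags $(test-flags-CC -Wa,--noexecstack)` line is still unexplained, and a short comment such as `# Mark assembler output as not needing an executable stack` would fit the purpose of this commit. The identical comment block in the openssl-3.0.3.ebuild hunk has the same gap, and src_prepare starts and ends outside both hunks.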
diff --git a/dev-libs/openssl/openssl-3.0.3.ebuild
b/dev-libs/openssl/openssl-3.0.3.ebuild
index 514ea991ddcc..2af0d8bf7020 100644
--- a/dev-libs/openssl/openssl-3.0.3.ebuild
+++ b/dev-libs/openssl/openssl-3.0.3.ebuild
@@ -124,7 +124,16 @@ src_prepare() {
# and 'make depend' uses -Werror for added fun (bug #417795 again)
tc-is-clang && append-flags -Qunused-arguments
+ # We really, really need to build OpenSSL w/ strict aliasing disabled.
+ # It's filled with violations and it *will* result in miscompiled
+ # code. This has been in the ebuild for > 10 years but even in 2022,
+ # it's still relevant:
+ # - https://github.com/llvm/llvm-project/issues/55255
+ # - https://github.com/openssl/openssl/issues/18225
+ # Don't remove the no strict aliasing bits below!
+ filter-flags -fstrict-aliasing
append-flags -fno-strict-aliasing
+
append-flags $(test-flags-CC -Wa,--noexecstack)
# Prefixify Configure shebang (bug #141906)