[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/ - gentoo-commits

From:	Thomas Deutschmann <whissi@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/, dev-libs/openssl/files/
Date:	Thu, 07 Dec 2017 18:53:17
Message-Id:	`1512672782.f4afdc625b0b3aa1bc6e0df39903f133ba0caa04.whissi@gentoo`

1

commit:     f4afdc625b0b3aa1bc6e0df39903f133ba0caa04

2

Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

3

AuthorDate: Thu Dec  7 18:50:17 2017 +0000

4

Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>

5

CommitDate: Thu Dec  7 18:53:02 2017 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4afdc62

7

8

dev-libs/openssl: Rev bump to add patch for CVE-2017-3738

9

10

Bug: https://bugs.gentoo.org/640212

11

Package-Manager: Portage-2.3.16, Repoman-2.3.6

12

13

 dev-libs/openssl/Manifest                          |   2 +-

14

 .../files/openssl-1.1.0g-CVE-2017-3738.patch       |  77 ++++++

15

 dev-libs/openssl/openssl-1.1.0g-r2.ebuild          | 284 +++++++++++++++++++++

16

 3 files changed, 362 insertions(+), 1 deletion(-)

17

18

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest

19

index e9a8efaa979..d18c7e53b34 100644

20

--- a/dev-libs/openssl/Manifest

21

+++ b/dev-libs/openssl/Manifest

22

@@ -13,7 +13,7 @@ DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9e

23

 DIST openssl-1.1.0f_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55

24

 DIST openssl-1.1.0f_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7

25

 DIST openssl-1.1.0f_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a

26

-DIST openssl-1.1.0g.tar.gz 5404748 SHA256 de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a WHIRLPOOL 86363a038df1621b9fbf634efec6648e0c35b882f7b582e6522a3869f8f5c67e32ed1a4637cb0009bf6fab4528072964cba5878540407306ea2e4210026c7a78

27

+DIST openssl-1.1.0g.tar.gz 5404748 BLAKE2B 23daf80e4143aad4654ae86f8e96042dd7328a9d1186b4922e284fcfe0f68259ea12d21c4472d92d65a7fcef21e049cf9371cc9bdad11b66a3df11286418ed42 SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a

28

 DIST openssl-1.1.0g_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55

29

 DIST openssl-1.1.0g_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7

30

 DIST openssl-1.1.0g_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a

31

32

diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch

33

new file mode 100644

34

index 00000000000..4b01feb8e87

35

--- /dev/null

36

+++ b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch

37

@@ -0,0 +1,77 @@

38

+From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001

39

+From: Andy Polyakov <appro@×××××××.org>

40

+Date: Fri, 24 Nov 2017 11:35:50 +0100

41

+Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in

42

+ rsaz_1024_mul_avx2.

43

+

44

+Credit to OSS-Fuzz for finding this.

45

+

46

+CVE-2017-3738

47

+

48

+Reviewed-by: Rich Salz <rsalz@×××××××.org>

49

+---

50

+ crypto/bn/asm/rsaz-avx2.pl | 15 +++++++--------

51

+ 1 file changed, 7 insertions(+), 8 deletions(-)

52

+

53

+diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl

54

+index 0c1b236ef98..46d746b7d0e 100755

55

+--- a/crypto/bn/asm/rsaz-avx2.pl

56

++++ b/crypto/bn/asm/rsaz-avx2.pl

57

+@@ -246,7 +246,7 @@

58

+ 	vmovdqu		32*8-128($ap), $ACC8

59

+

60

+ 	lea	192(%rsp), $tp0			# 64+128=192

61

+-	vpbroadcastq	.Land_mask(%rip), $AND_MASK

62

++	vmovdqu	.Land_mask(%rip), $AND_MASK

63

+ 	jmp	.LOOP_GRANDE_SQR_1024

64

+

65

+ .align	32

66

+@@ -1077,10 +1077,10 @@

67

+ 	vpmuludq	32*6-128($np),$Yi,$TEMP1

68

+ 	vpaddq		$TEMP1,$ACC6,$ACC6

69

+ 	vpmuludq	32*7-128($np),$Yi,$TEMP2

70

+-	 vpblendd	\$3, $ZERO, $ACC9, $ACC9	# correct $ACC3

71

++	 vpblendd	\$3, $ZERO, $ACC9, $TEMP1	# correct $ACC3

72

+ 	vpaddq		$TEMP2,$ACC7,$ACC7

73

+ 	vpmuludq	32*8-128($np),$Yi,$TEMP0

74

+-	 vpaddq		$ACC9, $ACC3, $ACC3		# correct $ACC3

75

++	 vpaddq		$TEMP1, $ACC3, $ACC3		# correct $ACC3

76

+ 	vpaddq		$TEMP0,$ACC8,$ACC8

77

+

78

+ 	mov	%rbx, %rax

79

+@@ -1093,7 +1093,9 @@

80

+ 	 vmovdqu	-8+32*2-128($ap),$TEMP2

81

+

82

+ 	mov	$r1, %rax

83

++	 vpblendd	\$0xfc, $ZERO, $ACC9, $ACC9	# correct $ACC3

84

+ 	imull	$n0, %eax

85

++	 vpaddq		$ACC9,$ACC4,$ACC4		# correct $ACC3

86

+ 	and	\$0x1fffffff, %eax

87

+

88

+ 	 imulq	16-128($ap),%rbx

89

+@@ -1329,15 +1331,12 @@

90

+ #	But as we underutilize resources, it's possible to correct in

91

+ #	each iteration with marginal performance loss. But then, as

92

+ #	we do it in each iteration, we can correct less digits, and

93

+-#	avoid performance penalties completely. Also note that we

94

+-#	correct only three digits out of four. This works because

95

+-#	most significant digit is subjected to less additions.

96

++#	avoid performance penalties completely.

97

+

98

+ $TEMP0 = $ACC9;

99

+ $TEMP3 = $Bi;

100

+ $TEMP4 = $Yi;

101

+ $code.=<<___;

102

+-	vpermq		\$0, $AND_MASK, $AND_MASK

103

+ 	vpaddq		(%rsp), $TEMP1, $ACC0

104

+

105

+ 	vpsrlq		\$29, $ACC0, $TEMP1

106

+@@ -1770,7 +1769,7 @@

107

+

108

+ .align	64

109

+ .Land_mask:

110

+-	.quad	0x1fffffff,0x1fffffff,0x1fffffff,-1

111

++	.quad	0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff

112

+ .Lscatter_permd:

113

+ 	.long	0,2,4,6,7,7,7,7

114

+ .Lgather_permd:

115

116

diff --git a/dev-libs/openssl/openssl-1.1.0g-r2.ebuild b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild

117

new file mode 100644

118

index 00000000000..0c7e76558f8

119

--- /dev/null

120

+++ b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild

121

@@ -0,0 +1,284 @@

122

+# Copyright 1999-2017 Gentoo Foundation

123

+# Distributed under the terms of the GNU General Public License v2

124

+

125

+EAPI="6"

126

+

127

+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal

128

+

129

+MY_P=${P/_/-}

130

+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"

131

+HOMEPAGE="http://www.openssl.org/"

132

+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"

133

+

134

+LICENSE="openssl"

135

+SLOT="0/1.1" # .so version of libssl/libcrypto

136

+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"

137

+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"

138

+RESTRICT="!bindist? ( bindist )"

139

+

140

+RDEPEND=">=app-misc/c_rehash-1.7-r1

141

+	zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"

142

+DEPEND="${RDEPEND}

143

+	>=dev-lang/perl-5

144

+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )

145

+	test? (

146

+		sys-apps/diffutils

147

+		sys-devel/bc

148

+	)"

149

+PDEPEND="app-misc/ca-certificates"

150

+

151

+# This does not copy the entire Fedora patchset, but JUST the parts that

152

+# are needed to make it safe to use EC with RESTRICT=bindist.

153

+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN

154

+SOURCE1=hobble-openssl

155

+SOURCE12=ec_curve.c

156

+SOURCE13=ectest.c

157

+PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC

158

+PATCH37=openssl-1.1.0-ec-curves.patch

159

+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'

160

+FEDORA_GIT_BRANCH='f27'

161

+FEDORA_SRC_URI=()

162

+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )

163

+FEDORA_PATCH=( $PATCH1 $PATCH37 )

164

+for i in "${FEDORA_SOURCE[@]}" ; do

165

+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )

166

+done

167

+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix

168

+	FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )

169

+done

170

+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"

171

+

172

+S="${WORKDIR}/${MY_P}"

173

+

174

+MULTILIB_WRAPPED_HEADERS=(

175

+	usr/include/openssl/opensslconf.h

176

+)

177

+

178

+PATCHES=(

179

+	"${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618

180

+	"${FILESDIR}"/${PN}-1.1.0g-CVE-2017-3738.patch

181

+)

182

+

183

+src_prepare() {

184

+	if use bindist; then

185

+		# This just removes the prefix, and puts it into WORKDIR like the RPM.

186

+		for i in "${FEDORA_SOURCE[@]}" ; do

187

+			cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" || die

188

+		done

189

+		# .spec %prep

190

+		bash "${WORKDIR}"/"${SOURCE1}" || die

191

+		cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ || die

192

+		cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ || die

193

+		for i in "${FEDORA_PATCH[@]}" ; do

194

+			epatch "${DISTDIR}"/"${i}"

195

+		done

196

+		# Also see the configure parts below:

197

+		# enable-ec \

198

+		# $(use_ssl !bindist ec2m) \

199

+

200

+	fi

201

+	# keep this in sync with app-misc/c_rehash

202

+	SSL_CNF_DIR="/etc/ssl"

203

+

204

+	# Make sure we only ever touch Makefile.org and avoid patching a file

205

+	# that gets blown away anyways by the Configure script in src_configure

206

+	rm -f Makefile

207

+

208

+	if ! use vanilla ; then

209

+		epatch "${PATCHES[@]}"

210

+	fi

211

+

212

+	eapply_user #332661

213

+

214

+	# make sure the man pages are suffixed #302165

215

+	# don't bother building man pages if they're disabled

216

+	# Make DOCDIR Gentoo compliant

217

+	sed -i \

218

+		-e '/^MANSUFFIX/s:=.*:=ssl:' \

219

+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \

220

+		-e $(has noman FEATURES \

221

+			&& echo '/^install:/s:install_docs::' \

222

+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \

223

+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \

224

+		Configurations/unix-Makefile.tmpl \

225

+		|| die

226

+

227

+	# show the actual commands in the log

228

+	sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared

229

+

230

+	# quiet out unknown driver argument warnings since openssl

231

+	# doesn't have well-split CFLAGS and we're making it even worse

232

+	# and 'make depend' uses -Werror for added fun (#417795 again)

233

+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments

234

+

235

+	# allow openssl to be cross-compiled

236

+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die

237

+	chmod a+rx gentoo.config

238

+

239

+	append-flags -fno-strict-aliasing

240

+	append-flags $(test-flags-CC -Wa,--noexecstack)

241

+	append-cppflags -DOPENSSL_NO_BUF_FREELISTS

242

+

243

+	# Prefixify Configure shebang (#141906)

244

+	sed \

245

+		-e "1s,/usr/bin/env,${EPREFIX}&," \

246

+		-i Configure || die

247

+	# Remove test target when FEATURES=test isn't set

248

+	if ! use test ; then

249

+		sed \

250

+			-e '/^$config{dirs}/s@ "test",@@' \

251

+			-i Configure || die

252

+	fi

253

+	# The config script does stupid stuff to prompt the user.  Kill it.

254

+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die

255

+	./config --test-sanity || die "I AM NOT SANE"

256

+

257

+	multilib_copy_sources

258

+}

259

+

260

+multilib_src_configure() {

261

+	unset APPS #197996

262

+	unset SCRIPTS #312551

263

+	unset CROSS_COMPILE #311473

264

+

265

+	tc-export CC AR RANLIB RC

266

+

267

+	# Clean out patent-or-otherwise-encumbered code

268

+	# Camellia: Royalty Free            http://en.wikipedia.org/wiki/Camellia_(cipher)

269

+	# IDEA:     Expired                 http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm

270

+	# EC:       ????????? ??/??/2015    http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography

271

+	# MDC2:     Expired                 http://en.wikipedia.org/wiki/MDC-2

272

+	# RC5:      Expired                 http://en.wikipedia.org/wiki/RC5

273

+

274

+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }

275

+	echoit() { echo "$@" ; "$@" ; }

276

+

277

+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

278

+

279

+	# See if our toolchain supports __uint128_t.  If so, it's 64bit

280

+	# friendly and can use the nicely optimized code paths. #460790

281

+	local ec_nistp_64_gcc_128

282

+	# Disable it for now though #469976

283

+	#if ! use bindist ; then

284

+	#	echo "__uint128_t i;" > "${T}"/128.c

285

+	#	if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then

286

+	#		ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"

287

+	#	fi

288

+	#fi

289

+

290

+	local sslout=$(./gentoo.config)

291

+	einfo "Use configuration ${sslout:-(openssl knows best)}"

292

+	local config="Configure"

293

+	[[ -z ${sslout} ]] && config="config"

294

+

295

+	# Fedora hobbled-EC needs 'no-ec2m'

296

+	# 'srp' was restricted until early 2017 as well.

297

+	echoit \

298

+	./${config} \

299

+		${sslout} \

300

+		--api=1.0.0 \

301

+		$(use cpu_flags_x86_sse2 || echo "no-sse2") \

302

+		enable-camellia \

303

+		disable-deprecated \

304

+		enable-ec \

305

+		$(use_ssl !bindist ec2m) \

306

+		enable-srp \

307

+		$(use elibc_musl && echo "no-async") \

308

+		${ec_nistp_64_gcc_128} \

309

+		enable-idea \

310

+		enable-mdc2 \

311

+		enable-rc5 \

312

+		$(use_ssl asm) \

313

+		$(use_ssl rfc3779) \

314

+		$(use_ssl sctp) \

315

+		$(use_ssl tls-heartbeat heartbeats) \

316

+		$(use_ssl zlib) \

317

+		--prefix="${EPREFIX}"/usr \

318

+		--openssldir="${EPREFIX}"${SSL_CNF_DIR} \

319

+		--libdir=$(get_libdir) \

320

+		shared threads \

321

+		|| die

322

+

323

+	# Clean out hardcoded flags that openssl uses

324

+	# Fix quoting for sed

325

+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \

326

+		-e 's:^CFLAGS=::' \

327

+		-e 's:-fomit-frame-pointer ::g' \

328

+		-e 's:-O[0-9] ::g' \

329

+		-e 's:-march=[-a-z0-9]* ::g' \

330

+		-e 's:-mcpu=[-a-z0-9]* ::g' \

331

+		-e 's:-m[a-z0-9]* ::g' \

332

+		-e 's:\\:\\\\:g' \

333

+	)

334

+	sed -i \

335

+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \

336

+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \

337

+		Makefile || die

338

+}

339

+

340

+multilib_src_compile() {

341

+	# depend is needed to use $confopts; it also doesn't matter

342

+	# that it's -j1 as the code itself serializes subdirs

343

+	emake -j1 depend

344

+	emake all

345

+}

346

+

347

+multilib_src_test() {

348

+	emake -j1 test

349

+}

350

+

351

+multilib_src_install() {

352

+	emake DESTDIR="${D}" install

353

+}

354

+

355

+multilib_src_install_all() {

356

+	# openssl installs perl version of c_rehash by default, but

357

+	# we provide a shell version via app-misc/c_rehash

358

+	rm "${ED}"/usr/bin/c_rehash || die

359

+

360

+	dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el

361

+

362

+	# This is crappy in that the static archives are still built even

363

+	# when USE=static-libs.  But this is due to a failing in the openssl

364

+	# build system: the static archives are built as PIC all the time.

365

+	# Only way around this would be to manually configure+compile openssl

366

+	# twice; once with shared lib support enabled and once without.

367

+	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a

368

+

369

+	# create the certs directory

370

+	keepdir ${SSL_CNF_DIR}/certs

371

+

372

+	# Namespace openssl programs to prevent conflicts with other man pages

373

+	cd "${ED}"/usr/share/man

374

+	local m d s

375

+	for m in $(find . -type f | xargs grep -L '#include') ; do

376

+		d=${m%/*} ; d=${d#./} ; m=${m##*/}

377

+		[[ ${m} == openssl.1* ]] && continue

378

+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"

379

+		mv ${d}/{,ssl-}${m}

380

+		# fix up references to renamed man pages

381

+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}

382

+		ln -s ssl-${m} ${d}/openssl-${m}

383

+		# locate any symlinks that point to this man page ... we assume

384

+		# that any broken links are due to the above renaming

385

+		for s in $(find -L ${d} -type l) ; do

386

+			s=${s##*/}

387

+			rm -f ${d}/${s}

388

+			ln -s ssl-${m} ${d}/ssl-${s}

389

+			ln -s ssl-${s} ${d}/openssl-${s}

390

+		done

391

+	done

392

+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

393

+

394

+	dodir /etc/sandbox.d #254521

395

+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

396

+

397

+	diropts -m0700

398

+	keepdir ${SSL_CNF_DIR}/private

399

+}

400

+

401

+pkg_postinst() {

402

+	ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"

403

+	c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null

404

+	eend $?

405

+}

1	commit: f4afdc625b0b3aa1bc6e0df39903f133ba0caa04
2	Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
3	AuthorDate: Thu Dec 7 18:50:17 2017 +0000
4	Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
5	CommitDate: Thu Dec 7 18:53:02 2017 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4afdc62
7
8	dev-libs/openssl: Rev bump to add patch for CVE-2017-3738
9
10	Bug: https://bugs.gentoo.org/640212
11	Package-Manager: Portage-2.3.16, Repoman-2.3.6
12
13	dev-libs/openssl/Manifest \| 2 +-
14	.../files/openssl-1.1.0g-CVE-2017-3738.patch \| 77 ++++++
15	dev-libs/openssl/openssl-1.1.0g-r2.ebuild \| 284 +++++++++++++++++++++
16	3 files changed, 362 insertions(+), 1 deletion(-)
17
18	diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
19	index e9a8efaa979..d18c7e53b34 100644
20	--- a/dev-libs/openssl/Manifest
21	+++ b/dev-libs/openssl/Manifest
22	@@ -13,7 +13,7 @@ DIST openssl-1.1.0f.tar.gz 5278176 SHA256 12f746f3f2493b2f39da7ecf63d7ee19c6ac9e
23	DIST openssl-1.1.0f_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55
24	DIST openssl-1.1.0f_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7
25	DIST openssl-1.1.0f_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a
26	-DIST openssl-1.1.0g.tar.gz 5404748 SHA256 de4d501267da39310905cb6dc8c6121f7a2cad45a7707f76df828fe1b85073af SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a WHIRLPOOL 86363a038df1621b9fbf634efec6648e0c35b882f7b582e6522a3869f8f5c67e32ed1a4637cb0009bf6fab4528072964cba5878540407306ea2e4210026c7a78
27	+DIST openssl-1.1.0g.tar.gz 5404748 BLAKE2B 23daf80e4143aad4654ae86f8e96042dd7328a9d1186b4922e284fcfe0f68259ea12d21c4472d92d65a7fcef21e049cf9371cc9bdad11b66a3df11286418ed42 SHA512 6c76f698fc2a4540f3977d97c889e139acf7d3f9eb85f349974175e8a7707b19743ef91c5ce32839310b6ea06ca88a03d9709ee011687b4634c5c50b5814f42a
28	DIST openssl-1.1.0g_ec_curve.c 18393 SHA256 9dd0e1f422116da45eb16936fbbbe4e4e05e7a8fc0f359594af76e935c37716e SHA512 ee3e576825bccdf02cede4205ab92c42ae9dd3a8e75ce58617a3a5980a61d144eb3c5197d9dcd378a5d49bf34c4b2f591aa6a619fee92b7a22825d72681ab879 WHIRLPOOL 6f43f3b8037f5edf323ea865d1150eaa63ee60f60b512b52e37b752b328855e57eae70c812071caba0f91eeeb379c4dd9574806ba50d5bee38ad3b0e3fe03f55
29	DIST openssl-1.1.0g_ectest.c 29907 SHA256 37682adb07ba260339fad3fead87b186fc8c26321a0aad45deefed4c25ad87cb SHA512 90cec9d46326cb7216236811c8e963032b6fa7500117cea36f28534eb50a5ab1260c7f9a5c8c490d845236b0769576a8d97bc7471f970e9c5e70cb3408c20dae WHIRLPOOL f39da1830f5a6492add40f460af9d85b2fbfac0d5d8ff4eb4ba3cb16e6ff50a030aee38c518d7a06d1167f59030ded5496000793ad4cf2de7ff36f22eeefe7c7
30	DIST openssl-1.1.0g_hobble-openssl 1117 SHA256 ab168bd8bf578f7361524f9a12eecbbaf41fd7e2c852a0158aafd3bce9cac569 SHA512 fa9cc70afa11a7a292548b4bddbba8159824a364ce5c279b483768e6ae2aa4b5491d9bf2cc734819f30a11c8ee0d91bcb991c4a7ab357296aeb4c04feac74826 WHIRLPOOL 94537166ad8f5cacba2d30d0b6e4676d896cab157be5891fbeecdb2efa10a322d77e2b35a44ff1d474e860dcece63a8688f9df5edf8fe859bf67b410148ea64a
31
32	diff --git a/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
33	new file mode 100644
34	index 00000000000..4b01feb8e87
35	--- /dev/null
36	+++ b/dev-libs/openssl/files/openssl-1.1.0g-CVE-2017-3738.patch
37	@@ -0,0 +1,77 @@
38	+From e502cc86df9dafded1694fceb3228ee34d11c11a Mon Sep 17 00:00:00 2001
39	+From: Andy Polyakov <appro@×××××××.org>
40	+Date: Fri, 24 Nov 2017 11:35:50 +0100
41	+Subject: [PATCH] bn/asm/rsaz-avx2.pl: fix digit correction bug in
42	+ rsaz_1024_mul_avx2.
43	+
44	+Credit to OSS-Fuzz for finding this.
45	+
46	+CVE-2017-3738
47	+
48	+Reviewed-by: Rich Salz <rsalz@×××××××.org>
49	+---
50	+ crypto/bn/asm/rsaz-avx2.pl \| 15 +++++++--------
51	+ 1 file changed, 7 insertions(+), 8 deletions(-)
52	+
53	+diff --git a/crypto/bn/asm/rsaz-avx2.pl b/crypto/bn/asm/rsaz-avx2.pl
54	+index 0c1b236ef98..46d746b7d0e 100755
55	+--- a/crypto/bn/asm/rsaz-avx2.pl
56	++++ b/crypto/bn/asm/rsaz-avx2.pl
57	+@@ -246,7 +246,7 @@
58	+ vmovdqu 32*8-128($ap), $ACC8
59	+
60	+ lea 192(%rsp), $tp0 # 64+128=192
61	+- vpbroadcastq .Land_mask(%rip), $AND_MASK
62	++ vmovdqu .Land_mask(%rip), $AND_MASK
63	+ jmp .LOOP_GRANDE_SQR_1024
64	+
65	+ .align 32
66	+@@ -1077,10 +1077,10 @@
67	+ vpmuludq 32*6-128($np),$Yi,$TEMP1
68	+ vpaddq $TEMP1,$ACC6,$ACC6
69	+ vpmuludq 32*7-128($np),$Yi,$TEMP2
70	+- vpblendd \$3, $ZERO, $ACC9, $ACC9 # correct $ACC3
71	++ vpblendd \$3, $ZERO, $ACC9, $TEMP1 # correct $ACC3
72	+ vpaddq $TEMP2,$ACC7,$ACC7
73	+ vpmuludq 32*8-128($np),$Yi,$TEMP0
74	+- vpaddq $ACC9, $ACC3, $ACC3 # correct $ACC3
75	++ vpaddq $TEMP1, $ACC3, $ACC3 # correct $ACC3
76	+ vpaddq $TEMP0,$ACC8,$ACC8
77	+
78	+ mov %rbx, %rax
79	+@@ -1093,7 +1093,9 @@
80	+ vmovdqu -8+32*2-128($ap),$TEMP2
81	+
82	+ mov $r1, %rax
83	++ vpblendd \$0xfc, $ZERO, $ACC9, $ACC9 # correct $ACC3
84	+ imull $n0, %eax
85	++ vpaddq $ACC9,$ACC4,$ACC4 # correct $ACC3
86	+ and \$0x1fffffff, %eax
87	+
88	+ imulq 16-128($ap),%rbx
89	+@@ -1329,15 +1331,12 @@
90	+ # But as we underutilize resources, it's possible to correct in
91	+ # each iteration with marginal performance loss. But then, as
92	+ # we do it in each iteration, we can correct less digits, and
93	+-# avoid performance penalties completely. Also note that we
94	+-# correct only three digits out of four. This works because
95	+-# most significant digit is subjected to less additions.
96	++# avoid performance penalties completely.
97	+
98	+ $TEMP0 = $ACC9;
99	+ $TEMP3 = $Bi;
100	+ $TEMP4 = $Yi;
101	+ $code.=<<___;
102	+- vpermq \$0, $AND_MASK, $AND_MASK
103	+ vpaddq (%rsp), $TEMP1, $ACC0
104	+
105	+ vpsrlq \$29, $ACC0, $TEMP1
106	+@@ -1770,7 +1769,7 @@
107	+
108	+ .align 64
109	+ .Land_mask:
110	+- .quad 0x1fffffff,0x1fffffff,0x1fffffff,-1
111	++ .quad 0x1fffffff,0x1fffffff,0x1fffffff,0x1fffffff
112	+ .Lscatter_permd:
113	+ .long 0,2,4,6,7,7,7,7
114	+ .Lgather_permd:
115
116	diff --git a/dev-libs/openssl/openssl-1.1.0g-r2.ebuild b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild
117	new file mode 100644
118	index 00000000000..0c7e76558f8
119	--- /dev/null
120	+++ b/dev-libs/openssl/openssl-1.1.0g-r2.ebuild
121	@@ -0,0 +1,284 @@
122	+# Copyright 1999-2017 Gentoo Foundation
123	+# Distributed under the terms of the GNU General Public License v2
124	+
125	+EAPI="6"
126	+
127	+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
128	+
129	+MY_P=${P/_/-}
130	+DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
131	+HOMEPAGE="http://www.openssl.org/"
132	+SRC_URI="mirror://openssl/source/${MY_P}.tar.gz"
133	+
134	+LICENSE="openssl"
135	+SLOT="0/1.1" # .so version of libssl/libcrypto
136	+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~arm-linux ~x86-linux"
137	+IUSE="+asm bindist elibc_musl rfc3779 sctp cpu_flags_x86_sse2 static-libs test tls-heartbeat vanilla zlib"
138	+RESTRICT="!bindist? ( bindist )"
139	+
140	+RDEPEND=">=app-misc/c_rehash-1.7-r1
141	+ zlib? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )"
142	+DEPEND="${RDEPEND}
143	+ >=dev-lang/perl-5
144	+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
145	+ test? (
146	+ sys-apps/diffutils
147	+ sys-devel/bc
148	+ )"
149	+PDEPEND="app-misc/ca-certificates"
150	+
151	+# This does not copy the entire Fedora patchset, but JUST the parts that
152	+# are needed to make it safe to use EC with RESTRICT=bindist.
153	+# See openssl.spec for the matching numbering of SourceNNN, PatchNNN
154	+SOURCE1=hobble-openssl
155	+SOURCE12=ec_curve.c
156	+SOURCE13=ectest.c
157	+PATCH1=openssl-1.1.0-build.patch # Fixes EVP testcase for EC
158	+PATCH37=openssl-1.1.0-ec-curves.patch
159	+FEDORA_GIT_BASE='https://src.fedoraproject.org/cgit/rpms/openssl.git/plain/'
160	+FEDORA_GIT_BRANCH='f27'
161	+FEDORA_SRC_URI=()
162	+FEDORA_SOURCE=( $SOURCE1 $SOURCE12 $SOURCE13 )
163	+FEDORA_PATCH=( $PATCH1 $PATCH37 )
164	+for i in "${FEDORA_SOURCE[@]}" ; do
165	+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${P}_${i}" )
166	+done
167	+for i in "${FEDORA_PATCH[@]}" ; do # Already have a version prefix
168	+ FEDORA_SRC_URI+=( "${FEDORA_GIT_BASE}/${i}?h=${FEDORA_GIT_BRANCH} -> ${i}" )
169	+done
170	+SRC_URI+=" bindist? ( ${FEDORA_SRC_URI[@]} )"
171	+
172	+S="${WORKDIR}/${MY_P}"
173	+
174	+MULTILIB_WRAPPED_HEADERS=(
175	+ usr/include/openssl/opensslconf.h
176	+)
177	+
178	+PATCHES=(
179	+ "${FILESDIR}"/${PN}-1.0.2a-x32-asm.patch #542618
180	+ "${FILESDIR}"/${PN}-1.1.0g-CVE-2017-3738.patch
181	+)
182	+
183	+src_prepare() {
184	+ if use bindist; then
185	+ # This just removes the prefix, and puts it into WORKDIR like the RPM.
186	+ for i in "${FEDORA_SOURCE[@]}" ; do
187	+ cp -f "${DISTDIR}"/"${P}_${i}" "${WORKDIR}"/"${i}" \|\| die
188	+ done
189	+ # .spec %prep
190	+ bash "${WORKDIR}"/"${SOURCE1}" \|\| die
191	+ cp -f "${WORKDIR}"/"${SOURCE12}" "${S}"/crypto/ec/ \|\| die
192	+ cp -f "${WORKDIR}"/"${SOURCE13}" "${S}"/test/ \|\| die
193	+ for i in "${FEDORA_PATCH[@]}" ; do
194	+ epatch "${DISTDIR}"/"${i}"
195	+ done
196	+ # Also see the configure parts below:
197	+ # enable-ec \
198	+ # $(use_ssl !bindist ec2m) \
199	+
200	+ fi
201	+ # keep this in sync with app-misc/c_rehash
202	+ SSL_CNF_DIR="/etc/ssl"
203	+
204	+ # Make sure we only ever touch Makefile.org and avoid patching a file
205	+ # that gets blown away anyways by the Configure script in src_configure
206	+ rm -f Makefile
207	+
208	+ if ! use vanilla ; then
209	+ epatch "${PATCHES[@]}"
210	+ fi
211	+
212	+ eapply_user #332661
213	+
214	+ # make sure the man pages are suffixed #302165
215	+ # don't bother building man pages if they're disabled
216	+ # Make DOCDIR Gentoo compliant
217	+ sed -i \
218	+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
219	+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
220	+ -e $(has noman FEATURES \
221	+ && echo '/^install:/s:install_docs::' \
222	+ \|\| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
223	+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PF}@" \
224	+ Configurations/unix-Makefile.tmpl \
225	+ \|\| die
226	+
227	+ # show the actual commands in the log
228	+ sed -i '/^SET_X/s@=.*@=set -x@' Makefile.shared
229	+
230	+ # quiet out unknown driver argument warnings since openssl
231	+ # doesn't have well-split CFLAGS and we're making it even worse
232	+ # and 'make depend' uses -Werror for added fun (#417795 again)
233	+ [[ ${CC} == clang ]] && append-flags -Qunused-arguments
234	+
235	+ # allow openssl to be cross-compiled
236	+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config \|\| die
237	+ chmod a+rx gentoo.config
238	+
239	+ append-flags -fno-strict-aliasing
240	+ append-flags $(test-flags-CC -Wa,--noexecstack)
241	+ append-cppflags -DOPENSSL_NO_BUF_FREELISTS
242	+
243	+ # Prefixify Configure shebang (#141906)
244	+ sed \
245	+ -e "1s,/usr/bin/env,${EPREFIX}&," \
246	+ -i Configure \|\| die
247	+ # Remove test target when FEATURES=test isn't set
248	+ if ! use test ; then
249	+ sed \
250	+ -e '/^$config{dirs}/s@ "test",@@' \
251	+ -i Configure \|\| die
252	+ fi
253	+ # The config script does stupid stuff to prompt the user. Kill it.
254	+ sed -i '/stty -icanon min 0 time 50; read waste/d' config \|\| die
255	+ ./config --test-sanity \|\| die "I AM NOT SANE"
256	+
257	+ multilib_copy_sources
258	+}
259	+
260	+multilib_src_configure() {
261	+ unset APPS #197996
262	+ unset SCRIPTS #312551
263	+ unset CROSS_COMPILE #311473
264	+
265	+ tc-export CC AR RANLIB RC
266	+
267	+ # Clean out patent-or-otherwise-encumbered code
268	+ # Camellia: Royalty Free http://en.wikipedia.org/wiki/Camellia_(cipher)
269	+ # IDEA: Expired http://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
270	+ # EC: ????????? ??/??/2015 http://en.wikipedia.org/wiki/Elliptic_Curve_Cryptography
271	+ # MDC2: Expired http://en.wikipedia.org/wiki/MDC-2
272	+ # RC5: Expired http://en.wikipedia.org/wiki/RC5
273	+
274	+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
275	+ echoit() { echo "$@" ; "$@" ; }
276	+
277	+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")
278	+
279	+ # See if our toolchain supports __uint128_t. If so, it's 64bit
280	+ # friendly and can use the nicely optimized code paths. #460790
281	+ local ec_nistp_64_gcc_128
282	+ # Disable it for now though #469976
283	+ #if ! use bindist ; then
284	+ # echo "__uint128_t i;" > "${T}"/128.c
285	+ # if ${CC} ${CFLAGS} -c "${T}"/128.c -o /dev/null >&/dev/null ; then
286	+ # ec_nistp_64_gcc_128="enable-ec_nistp_64_gcc_128"
287	+ # fi
288	+ #fi
289	+
290	+ local sslout=$(./gentoo.config)
291	+ einfo "Use configuration ${sslout:-(openssl knows best)}"
292	+ local config="Configure"
293	+ [[ -z ${sslout} ]] && config="config"
294	+
295	+ # Fedora hobbled-EC needs 'no-ec2m'
296	+ # 'srp' was restricted until early 2017 as well.
297	+ echoit \
298	+ ./${config} \
299	+ ${sslout} \
300	+ --api=1.0.0 \
301	+ $(use cpu_flags_x86_sse2 \|\| echo "no-sse2") \
302	+ enable-camellia \
303	+ disable-deprecated \
304	+ enable-ec \
305	+ $(use_ssl !bindist ec2m) \
306	+ enable-srp \
307	+ $(use elibc_musl && echo "no-async") \
308	+ ${ec_nistp_64_gcc_128} \
309	+ enable-idea \
310	+ enable-mdc2 \
311	+ enable-rc5 \
312	+ $(use_ssl asm) \
313	+ $(use_ssl rfc3779) \
314	+ $(use_ssl sctp) \
315	+ $(use_ssl tls-heartbeat heartbeats) \
316	+ $(use_ssl zlib) \
317	+ --prefix="${EPREFIX}"/usr \
318	+ --openssldir="${EPREFIX}"${SSL_CNF_DIR} \
319	+ --libdir=$(get_libdir) \
320	+ shared threads \
321	+ \|\| die
322	+
323	+ # Clean out hardcoded flags that openssl uses
324	+ # Fix quoting for sed
325	+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile \| LC_ALL=C sed \
326	+ -e 's:^CFLAGS=::' \
327	+ -e 's:-fomit-frame-pointer ::g' \
328	+ -e 's:-O[0-9] ::g' \
329	+ -e 's:-march=[-a-z0-9]* ::g' \
330	+ -e 's:-mcpu=[-a-z0-9]* ::g' \
331	+ -e 's:-m[a-z0-9]* ::g' \
332	+ -e 's:\\:\\\\:g' \
333	+ )
334	+ sed -i \
335	+ -e "/^CFLAGS=/s\|=.*\|=${DEFAULT_CFLAGS} ${CFLAGS}\|" \
336	+ -e "/^LDFLAGS=/s\|=[[:space:]]*$\|=${LDFLAGS}\|" \
337	+ Makefile \|\| die
338	+}
339	+
340	+multilib_src_compile() {
341	+ # depend is needed to use $confopts; it also doesn't matter
342	+ # that it's -j1 as the code itself serializes subdirs
343	+ emake -j1 depend
344	+ emake all
345	+}
346	+
347	+multilib_src_test() {
348	+ emake -j1 test
349	+}
350	+
351	+multilib_src_install() {
352	+ emake DESTDIR="${D}" install
353	+}
354	+
355	+multilib_src_install_all() {
356	+ # openssl installs perl version of c_rehash by default, but
357	+ # we provide a shell version via app-misc/c_rehash
358	+ rm "${ED}"/usr/bin/c_rehash \|\| die
359	+
360	+ dodoc CHANGES* FAQ NEWS README doc/*.txt doc/${PN}-c-indent.el
361	+
362	+ # This is crappy in that the static archives are still built even
363	+ # when USE=static-libs. But this is due to a failing in the openssl
364	+ # build system: the static archives are built as PIC all the time.
365	+ # Only way around this would be to manually configure+compile openssl
366	+ # twice; once with shared lib support enabled and once without.
367	+ use static-libs \|\| rm -f "${ED}"/usr/lib/lib.a
368	+
369	+ # create the certs directory
370	+ keepdir ${SSL_CNF_DIR}/certs
371	+
372	+ # Namespace openssl programs to prevent conflicts with other man pages
373	+ cd "${ED}"/usr/share/man
374	+ local m d s
375	+ for m in $(find . -type f \| xargs grep -L '#include') ; do
376	+ d=${m%/} ; d=${d#./} ; m=${m##/}
377	+ [[ ${m} == openssl.1* ]] && continue
378	+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
379	+ mv ${d}/{,ssl-}${m}
380	+ # fix up references to renamed man pages
381	+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m}
382	+ ln -s ssl-${m} ${d}/openssl-${m}
383	+ # locate any symlinks that point to this man page ... we assume
384	+ # that any broken links are due to the above renaming
385	+ for s in $(find -L ${d} -type l) ; do
386	+ s=${s##*/}
387	+ rm -f ${d}/${s}
388	+ ln -s ssl-${m} ${d}/ssl-${s}
389	+ ln -s ssl-${s} ${d}/openssl-${s}
390	+ done
391	+ done
392	+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
393	+
394	+ dodir /etc/sandbox.d #254521
395	+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
396	+
397	+ diropts -m0700
398	+ keepdir ${SSL_CNF_DIR}/private
399	+}
400	+
401	+pkg_postinst() {
402	+ ebegin "Running 'c_rehash ${EROOT%/}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
403	+ c_rehash "${EROOT%/}${SSL_CNF_DIR}/certs" >/dev/null
404	+ eend $?
405	+}

Gentoo Archives: gentoo-commits