[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/ - gentoo-commits

From:	Sam James <sam@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] repo/gentoo:master commit in: dev-libs/openssl/
Date:	Tue, 03 May 2022 21:32:53
Message-Id:	`1651613546.a796465aab66d211626dda8a31633fd68117aace.sam@gentoo`

1

commit:     a796465aab66d211626dda8a31633fd68117aace

2

Author:     Sam James <sam <AT> gentoo <DOT> org>

3

AuthorDate: Tue May  3 21:32:20 2022 +0000

4

Commit:     Sam James <sam <AT> gentoo <DOT> org>

5

CommitDate: Tue May  3 21:32:26 2022 +0000

6

URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a796465a

7

8

dev-libs/openssl: add 3.0.3

9

10

Masked still (3.x) so not the focus of the sec bug, but need to bump

11

to address some vulnerabilities anyhow.

12

13

Bug: https://bugs.gentoo.org/842489

14

Signed-off-by: Sam James <sam <AT> gentoo.org>

15

16

 dev-libs/openssl/Manifest             |   2 +

17

 dev-libs/openssl/openssl-3.0.3.ebuild | 297 ++++++++++++++++++++++++++++++++++

18

 2 files changed, 299 insertions(+)

19

20

diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest

21

index bbdc6eea0074..6cde0ea0f423 100644

22

--- a/dev-libs/openssl/Manifest

23

+++ b/dev-libs/openssl/Manifest

24

@@ -7,3 +7,5 @@ DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 5bd355fd17adf43ba4e3bf1a8036ceb724edd

25

 DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d SHA512 da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e

26

 DIST openssl-3.0.2.tar.gz 15038141 BLAKE2B 140c4c80a0cad89cb0059fef6a4cd421460e6af9a3973f7a3eb5e39f64c0d44794d46e7a869e5235fced139f2249351e37a9ee5ebaa17f2708d63141ebebf919 SHA512 f986850d5be908b4d6b5fd7091bc4652d7378c9bccebfbc5becd7753843c04c1eb61a1749c432139d263dfac33df0b1f6c773664b485cad47542266823a4eb03

27

 DIST openssl-3.0.2.tar.gz.asc 488 BLAKE2B 2f6482114271c4f512159fa159486a3b3470637d770cd1614fda004918d06ed9ab562e655d1580d2ebb05745ec72987488c2161b72d078017cc157003d4205da SHA512 4303391a58107c76ad9b05510f5bfc95f687f4cb2f9ff5b03fb262ba99b573423ab83f0437471199954496799b343191b889ad9ef8fabdd7ee4ec3ec9b5f1d81

28

+DIST openssl-3.0.3.tar.gz 15058905 BLAKE2B 8141d13dbea2f1febdd4e46aa404e9f3bac51e1fdc0c9b0df8bf3bf6852e18b09201a2a8cbee99f72e8d6de660834093449b7a14a3fbdda8511286ca3b6743e7 SHA512 949472025211fabdaf2564122f0a9a3baef0facb6373e90cf6c4485164a50898050b179722d0b358c4d8cf1787384ea30d5fd03b98757634631d3e8978509b1a

29

+DIST openssl-3.0.3.tar.gz.asc 488 BLAKE2B 3f31e3a73706b69683220e05b1b4ddc75dc3e7e12652dca711e4aa0eb3c023ef736aee9ade15172d7f28e1e1af03e86d4854ec6c3d167cad42882f483c5e56d4 SHA512 04afe65c6af1ae43a9967462383a6a4f567f5acff19ec1952cd6fce2dc3c3d4dfb3cb54126562724c148f40dcb66668abf727282d35730bbf36f82b5c6bacace

30

31

diff --git a/dev-libs/openssl/openssl-3.0.3.ebuild b/dev-libs/openssl/openssl-3.0.3.ebuild

32

new file mode 100644

33

index 000000000000..2ef0aaed3200

34

--- /dev/null

35

+++ b/dev-libs/openssl/openssl-3.0.3.ebuild

36

@@ -0,0 +1,297 @@

37

+# Copyright 1999-2022 Gentoo Authors

38

+# Distributed under the terms of the GNU General Public License v2

39

+

40

+EAPI="7"

41

+

42

+inherit flag-o-matic linux-info toolchain-funcs multilib-minimal verify-sig

43

+

44

+MY_P=${P/_/-}

45

+

46

+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"

47

+HOMEPAGE="https://www.openssl.org/"

48

+

49

+if [[ ${PV} == "9999" ]] ; then

50

+	EGIT_REPO_URI="https://github.com/openssl/openssl.git"

51

+

52

+	inherit git-r3

53

+else

54

+	SRC_URI="mirror://openssl/source/${MY_P}.tar.gz

55

+		verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"

56

+	VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssl.org.asc

57

+	KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"

58

+fi

59

+

60

+LICENSE="Apache-2.0"

61

+SLOT="0/3" # .so version of libssl/libcrypto

62

+

63

+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"

64

+RESTRICT="!test? ( test )"

65

+

66

+COMMON_DEPEND="

67

+	>=app-misc/c_rehash-1.7-r1

68

+	tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )

69

+"

70

+

71

+BDEPEND="

72

+	>=dev-lang/perl-5

73

+	sctp? ( >=net-misc/lksctp-tools-1.0.12 )

74

+	test? (

75

+		sys-apps/diffutils

76

+		sys-devel/bc

77

+		sys-process/procps

78

+	)

79

+	verify-sig? ( sec-keys/openpgp-keys-openssl )"

80

+

81

+DEPEND="${COMMON_DEPEND}"

82

+

83

+RDEPEND="${COMMON_DEPEND}"

84

+

85

+PDEPEND="app-misc/ca-certificates"

86

+

87

+S="${WORKDIR}/${MY_P}"

88

+

89

+MULTILIB_WRAPPED_HEADERS=(

90

+	/usr/include/openssl/configuration.h

91

+)

92

+

93

+pkg_setup() {

94

+	if use ktls ; then

95

+		if kernel_is -lt 4 18 ; then

96

+			ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"

97

+		else

98

+			CONFIG_CHECK="~TLS ~TLS_DEVICE"

99

+			ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"

100

+			ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"

101

+

102

+			linux-info_pkg_setup

103

+		fi

104

+	fi

105

+

106

+	[[ ${MERGE_TYPE} == binary ]] && return

107

+

108

+	# must check in pkg_setup; sysctl don't work with userpriv!

109

+	if use test && use sctp ; then

110

+		# test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"

111

+		# if sctp.auth_enable is not enabled.

112

+		local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)

113

+		if [[ -z "${sctp_auth_status}" ]] || [[ ${sctp_auth_status} != 1 ]] ; then

114

+			die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"

115

+		fi

116

+	fi

117

+}

118

+

119

+src_prepare() {

120

+	# allow openssl to be cross-compiled

121

+	cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config || die

122

+	chmod a+rx gentoo.config || die

123

+

124

+	# keep this in sync with app-misc/c_rehash

125

+	SSL_CNF_DIR="/etc/ssl"

126

+

127

+	# Make sure we only ever touch Makefile.org and avoid patching a file

128

+	# that gets blown away anyways by the Configure script in src_configure

129

+	rm -f Makefile

130

+

131

+	if ! use vanilla ; then

132

+		if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then

133

+			[[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"

134

+		fi

135

+	fi

136

+

137

+	eapply_user

138

+

139

+	if use test && use sctp && has network-sandbox ${FEATURES} ; then

140

+		einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."

141

+		rm test/recipes/80-test_ssl_new.t || die

142

+	fi

143

+

144

+	# make sure the man pages are suffixed #302165

145

+	# don't bother building man pages if they're disabled

146

+	# Make DOCDIR Gentoo compliant

147

+	sed -i \

148

+		-e '/^MANSUFFIX/s:=.*:=ssl:' \

149

+		-e '/^MAKEDEPPROG/s:=.*:=$(CC):' \

150

+		-e $(has noman FEATURES \

151

+			&& echo '/^install:/s:install_docs::' \

152

+			|| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \

153

+		-e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \

154

+		Configurations/unix-Makefile.tmpl \

155

+		|| die

156

+

157

+	# quiet out unknown driver argument warnings since openssl

158

+	# doesn't have well-split CFLAGS and we're making it even worse

159

+	# and 'make depend' uses -Werror for added fun (#417795 again)

160

+	[[ ${CC} == *clang* ]] && append-flags -Qunused-arguments

161

+

162

+	append-flags -fno-strict-aliasing

163

+	append-flags $(test-flags-CC -Wa,--noexecstack)

164

+

165

+	# Prefixify Configure shebang (#141906)

166

+	sed \

167

+		-e "1s,/usr/bin/env,${EPREFIX}&," \

168

+		-i Configure || die

169

+

170

+	# Remove test target when FEATURES=test isn't set

171

+	if ! use test ; then

172

+		sed \

173

+			-e '/^$config{dirs}/s@ "test",@@' \

174

+			-i Configure || die

175

+	fi

176

+

177

+	# The config script does stupid stuff to prompt the user.  Kill it.

178

+	sed -i '/stty -icanon min 0 time 50; read waste/d' config || die

179

+	./config --test-sanity || die "I AM NOT SANE"

180

+

181

+	multilib_copy_sources

182

+}

183

+

184

+multilib_src_configure() {

185

+	unset APPS #197996

186

+	unset SCRIPTS #312551

187

+	unset CROSS_COMPILE #311473

188

+

189

+	tc-export AR CC CXX RANLIB RC

190

+

191

+	use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }

192

+	echoit() { echo "$@" ; "$@" ; }

193

+

194

+	local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" || echo "Heimdal")

195

+

196

+	local sslout=$(./gentoo.config)

197

+	einfo "Use configuration ${sslout:-(openssl knows best)}"

198

+	local config="Configure"

199

+	[[ -z ${sslout} ]] && config="config"

200

+

201

+	local myeconfargs=(

202

+		${sslout}

203

+		$(use cpu_flags_x86_sse2 || echo "no-sse2")

204

+		enable-camellia

205

+		enable-ec

206

+		enable-ec2m

207

+		enable-sm2

208

+		enable-srp

209

+		$(use elibc_musl && echo "no-async")

210

+		enable-idea

211

+		enable-mdc2

212

+		enable-rc5

213

+		$(use fips && echo "enable-fips")

214

+		$(use_ssl asm)

215

+		$(use_ssl ktls)

216

+		$(use_ssl rfc3779)

217

+		$(use_ssl sctp)

218

+		$(use_ssl tls-compression zlib)

219

+		$(use_ssl weak-ssl-ciphers)

220

+		--prefix="${EPREFIX}"/usr

221

+		--openssldir="${EPREFIX}"${SSL_CNF_DIR}

222

+		--libdir=$(get_libdir)

223

+		shared

224

+		threads

225

+	)

226

+

227

+	CFLAGS= LDFLAGS= echoit \

228

+		./${config} \

229

+		"${myeconfargs[@]}" \

230

+		|| die

231

+

232

+	# Clean out hardcoded flags that openssl uses

233

+	local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile | LC_ALL=C sed \

234

+		-e 's:^CFLAGS=::' \

235

+		-e 's:\(^\| \)-fomit-frame-pointer::g' \

236

+		-e 's:\(^\| \)-O[^ ]*::g' \

237

+		-e 's:\(^\| \)-march=[^ ]*::g' \

238

+		-e 's:\(^\| \)-mcpu=[^ ]*::g' \

239

+		-e 's:\(^\| \)-m[^ ]*::g' \

240

+		-e 's:^ *::' \

241

+		-e 's: *$::' \

242

+		-e 's: \+: :g' \

243

+		-e 's:\\:\\\\:g'

244

+	)

245

+

246

+	# Now insert clean default flags with user flags

247

+	sed -i \

248

+		-e "/^CFLAGS=/s|=.*|=${DEFAULT_CFLAGS} ${CFLAGS}|" \

249

+		-e "/^LDFLAGS=/s|=[[:space:]]*$|=${LDFLAGS}|" \

250

+		Makefile \

251

+		|| die

252

+}

253

+

254

+multilib_src_compile() {

255

+	# depend is needed to use $confopts; it also doesn't matter

256

+	# that it's -j1 as the code itself serializes subdirs

257

+	emake -j1 depend

258

+	emake all

259

+}

260

+

261

+multilib_src_test() {

262

+	emake -j1 test

263

+}

264

+

265

+multilib_src_install() {

266

+	# We need to create $ED/usr on our own to avoid a race condition #665130

267

+	if [[ ! -d "${ED}/usr" ]] ; then

268

+		# We can only create this directory once

269

+		mkdir "${ED}"/usr || die

270

+	fi

271

+

272

+	emake DESTDIR="${D}" install

273

+

274

+	# This is crappy in that the static archives are still built even

275

+	# when USE=static-libs.  But this is due to a failing in the openssl

276

+	# build system: the static archives are built as PIC all the time.

277

+	# Only way around this would be to manually configure+compile openssl

278

+	# twice; once with shared lib support enabled and once without.

279

+	if ! use static-libs ; then

280

+		rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a || die

281

+	fi

282

+}

283

+

284

+multilib_src_install_all() {

285

+	# openssl installs perl version of c_rehash by default, but

286

+	# we provide a shell version via app-misc/c_rehash

287

+	rm "${ED}"/usr/bin/c_rehash || die

288

+

289

+	dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el

290

+

291

+	# create the certs directory

292

+	keepdir ${SSL_CNF_DIR}/certs

293

+

294

+	# Namespace openssl programs to prevent conflicts with other man pages

295

+	cd "${ED}"/usr/share/man || die

296

+	local m d s

297

+	for m in $(find . -type f | xargs grep -L '#include') ; do

298

+		d=${m%/*} ; d=${d#./} ; m=${m##*/}

299

+

300

+		[[ ${m} == openssl.1* ]] && continue

301

+

302

+		[[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"

303

+

304

+		mv ${d}/{,ssl-}${m} || die

305

+

306

+		# fix up references to renamed man pages

307

+		sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} || die

308

+		ln -s ssl-${m} ${d}/openssl-${m} || die

309

+

310

+		# locate any symlinks that point to this man page ...

311

+		# we assume that any broken links are due to the above renaming

312

+		for s in $(find -L ${d} -type l) ; do

313

+			s=${s##*/}

314

+			rm -f ${d}/${s}

315

+			# We don't want to "|| die" here

316

+			ln -s ssl-${m} ${d}/ssl-${s}

317

+			ln -s ssl-${s} ${d}/openssl-${s}

318

+		done

319

+	done

320

+	[[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("

321

+

322

+	dodir /etc/sandbox.d #254521

323

+	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl

324

+

325

+	diropts -m0700

326

+	keepdir ${SSL_CNF_DIR}/private

327

+}

328

+

329

+pkg_postinst() {

330

+	ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"

331

+	c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null

332

+	eend $?

333

+}

1	commit: a796465aab66d211626dda8a31633fd68117aace
2	Author: Sam James <sam <AT> gentoo <DOT> org>
3	AuthorDate: Tue May 3 21:32:20 2022 +0000
4	Commit: Sam James <sam <AT> gentoo <DOT> org>
5	CommitDate: Tue May 3 21:32:26 2022 +0000
6	URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a796465a
7
8	dev-libs/openssl: add 3.0.3
9
10	Masked still (3.x) so not the focus of the sec bug, but need to bump
11	to address some vulnerabilities anyhow.
12
13	Bug: https://bugs.gentoo.org/842489
14	Signed-off-by: Sam James <sam <AT> gentoo.org>
15
16	dev-libs/openssl/Manifest \| 2 +
17	dev-libs/openssl/openssl-3.0.3.ebuild \| 297 ++++++++++++++++++++++++++++++++++
18	2 files changed, 299 insertions(+)
19
20	diff --git a/dev-libs/openssl/Manifest b/dev-libs/openssl/Manifest
21	index bbdc6eea0074..6cde0ea0f423 100644
22	--- a/dev-libs/openssl/Manifest
23	+++ b/dev-libs/openssl/Manifest
24	@@ -7,3 +7,5 @@ DIST openssl-1.1.1o.tar.gz 9856386 BLAKE2B 5bd355fd17adf43ba4e3bf1a8036ceb724edd
25	DIST openssl-1.1.1o.tar.gz.asc 488 BLAKE2B a03a967e7e2124d1a76ad7765e2f48065f40d32ba102a433be603ee8f86b26a2d246dcb97a95bd694ef3005889ce4f1951f76d39fe1d683f92da1aa3023e9c2d SHA512 da6d88de7c1cd807b6089d50f8bb102c317c0b45ca26e517e3e400c5c65f787d94a1ee522af76279e93790a7fb491348cf25ffcfd66ecb9a9d35209328cb221e
26	DIST openssl-3.0.2.tar.gz 15038141 BLAKE2B 140c4c80a0cad89cb0059fef6a4cd421460e6af9a3973f7a3eb5e39f64c0d44794d46e7a869e5235fced139f2249351e37a9ee5ebaa17f2708d63141ebebf919 SHA512 f986850d5be908b4d6b5fd7091bc4652d7378c9bccebfbc5becd7753843c04c1eb61a1749c432139d263dfac33df0b1f6c773664b485cad47542266823a4eb03
27	DIST openssl-3.0.2.tar.gz.asc 488 BLAKE2B 2f6482114271c4f512159fa159486a3b3470637d770cd1614fda004918d06ed9ab562e655d1580d2ebb05745ec72987488c2161b72d078017cc157003d4205da SHA512 4303391a58107c76ad9b05510f5bfc95f687f4cb2f9ff5b03fb262ba99b573423ab83f0437471199954496799b343191b889ad9ef8fabdd7ee4ec3ec9b5f1d81
28	+DIST openssl-3.0.3.tar.gz 15058905 BLAKE2B 8141d13dbea2f1febdd4e46aa404e9f3bac51e1fdc0c9b0df8bf3bf6852e18b09201a2a8cbee99f72e8d6de660834093449b7a14a3fbdda8511286ca3b6743e7 SHA512 949472025211fabdaf2564122f0a9a3baef0facb6373e90cf6c4485164a50898050b179722d0b358c4d8cf1787384ea30d5fd03b98757634631d3e8978509b1a
29	+DIST openssl-3.0.3.tar.gz.asc 488 BLAKE2B 3f31e3a73706b69683220e05b1b4ddc75dc3e7e12652dca711e4aa0eb3c023ef736aee9ade15172d7f28e1e1af03e86d4854ec6c3d167cad42882f483c5e56d4 SHA512 04afe65c6af1ae43a9967462383a6a4f567f5acff19ec1952cd6fce2dc3c3d4dfb3cb54126562724c148f40dcb66668abf727282d35730bbf36f82b5c6bacace
30
31	diff --git a/dev-libs/openssl/openssl-3.0.3.ebuild b/dev-libs/openssl/openssl-3.0.3.ebuild
32	new file mode 100644
33	index 000000000000..2ef0aaed3200
34	--- /dev/null
35	+++ b/dev-libs/openssl/openssl-3.0.3.ebuild
36	@@ -0,0 +1,297 @@
37	+# Copyright 1999-2022 Gentoo Authors
38	+# Distributed under the terms of the GNU General Public License v2
39	+
40	+EAPI="7"
41	+
42	+inherit flag-o-matic linux-info toolchain-funcs multilib-minimal verify-sig
43	+
44	+MY_P=${P/_/-}
45	+
46	+DESCRIPTION="Robust, full-featured Open Source Toolkit for the Transport Layer Security (TLS)"
47	+HOMEPAGE="https://www.openssl.org/"
48	+
49	+if [[ ${PV} == "9999" ]] ; then
50	+ EGIT_REPO_URI="https://github.com/openssl/openssl.git"
51	+
52	+ inherit git-r3
53	+else
54	+ SRC_URI="mirror://openssl/source/${MY_P}.tar.gz
55	+ verify-sig? ( mirror://openssl/source/${MY_P}.tar.gz.asc )"
56	+ VERIFY_SIG_OPENPGP_KEY_PATH=${BROOT}/usr/share/openpgp-keys/openssl.org.asc
57	+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
58	+fi
59	+
60	+LICENSE="Apache-2.0"
61	+SLOT="0/3" # .so version of libssl/libcrypto
62	+
63	+IUSE="+asm cpu_flags_x86_sse2 fips ktls rfc3779 sctp static-libs test tls-compression vanilla verify-sig weak-ssl-ciphers"
64	+RESTRICT="!test? ( test )"
65	+
66	+COMMON_DEPEND="
67	+ >=app-misc/c_rehash-1.7-r1
68	+ tls-compression? ( >=sys-libs/zlib-1.2.8-r1[static-libs(+)?,${MULTILIB_USEDEP}] )
69	+"
70	+
71	+BDEPEND="
72	+ >=dev-lang/perl-5
73	+ sctp? ( >=net-misc/lksctp-tools-1.0.12 )
74	+ test? (
75	+ sys-apps/diffutils
76	+ sys-devel/bc
77	+ sys-process/procps
78	+ )
79	+ verify-sig? ( sec-keys/openpgp-keys-openssl )"
80	+
81	+DEPEND="${COMMON_DEPEND}"
82	+
83	+RDEPEND="${COMMON_DEPEND}"
84	+
85	+PDEPEND="app-misc/ca-certificates"
86	+
87	+S="${WORKDIR}/${MY_P}"
88	+
89	+MULTILIB_WRAPPED_HEADERS=(
90	+ /usr/include/openssl/configuration.h
91	+)
92	+
93	+pkg_setup() {
94	+ if use ktls ; then
95	+ if kernel_is -lt 4 18 ; then
96	+ ewarn "Kernel implementation of TLS (USE=ktls) requires kernel >=4.18!"
97	+ else
98	+ CONFIG_CHECK="~TLS ~TLS_DEVICE"
99	+ ERROR_TLS="You will be unable to offload TLS to kernel because CONFIG_TLS is not set!"
100	+ ERROR_TLS_DEVICE="You will be unable to offload TLS to kernel because CONFIG_TLS_DEVICE is not set!"
101	+
102	+ linux-info_pkg_setup
103	+ fi
104	+ fi
105	+
106	+ [[ ${MERGE_TYPE} == binary ]] && return
107	+
108	+ # must check in pkg_setup; sysctl don't work with userpriv!
109	+ if use test && use sctp ; then
110	+ # test_ssl_new will fail with "Ensure SCTP AUTH chunks are enabled in kernel"
111	+ # if sctp.auth_enable is not enabled.
112	+ local sctp_auth_status=$(sysctl -n net.sctp.auth_enable 2>/dev/null)
113	+ if [[ -z "${sctp_auth_status}" ]] \|\| [[ ${sctp_auth_status} != 1 ]] ; then
114	+ die "FEATURES=test with USE=sctp requires net.sctp.auth_enable=1!"
115	+ fi
116	+ fi
117	+}
118	+
119	+src_prepare() {
120	+ # allow openssl to be cross-compiled
121	+ cp "${FILESDIR}"/gentoo.config-1.0.2 gentoo.config \|\| die
122	+ chmod a+rx gentoo.config \|\| die
123	+
124	+ # keep this in sync with app-misc/c_rehash
125	+ SSL_CNF_DIR="/etc/ssl"
126	+
127	+ # Make sure we only ever touch Makefile.org and avoid patching a file
128	+ # that gets blown away anyways by the Configure script in src_configure
129	+ rm -f Makefile
130	+
131	+ if ! use vanilla ; then
132	+ if [[ $(declare -p PATCHES 2>/dev/null) == "declare -a"* ]] ; then
133	+ [[ ${#PATCHES[@]} -gt 0 ]] && eapply "${PATCHES[@]}"
134	+ fi
135	+ fi
136	+
137	+ eapply_user
138	+
139	+ if use test && use sctp && has network-sandbox ${FEATURES} ; then
140	+ einfo "Disabling test '80-test_ssl_new.t' which is known to fail with FEATURES=network-sandbox ..."
141	+ rm test/recipes/80-test_ssl_new.t \|\| die
142	+ fi
143	+
144	+ # make sure the man pages are suffixed #302165
145	+ # don't bother building man pages if they're disabled
146	+ # Make DOCDIR Gentoo compliant
147	+ sed -i \
148	+ -e '/^MANSUFFIX/s:=.*:=ssl:' \
149	+ -e '/^MAKEDEPPROG/s:=.*:=$(CC):' \
150	+ -e $(has noman FEATURES \
151	+ && echo '/^install:/s:install_docs::' \
152	+ \|\| echo '/^MANDIR=/s:=.*:='${EPREFIX}'/usr/share/man:') \
153	+ -e "/^DOCDIR/s@\$(BASENAME)@&-${PVR}@" \
154	+ Configurations/unix-Makefile.tmpl \
155	+ \|\| die
156	+
157	+ # quiet out unknown driver argument warnings since openssl
158	+ # doesn't have well-split CFLAGS and we're making it even worse
159	+ # and 'make depend' uses -Werror for added fun (#417795 again)
160	+ [[ ${CC} == clang ]] && append-flags -Qunused-arguments
161	+
162	+ append-flags -fno-strict-aliasing
163	+ append-flags $(test-flags-CC -Wa,--noexecstack)
164	+
165	+ # Prefixify Configure shebang (#141906)
166	+ sed \
167	+ -e "1s,/usr/bin/env,${EPREFIX}&," \
168	+ -i Configure \|\| die
169	+
170	+ # Remove test target when FEATURES=test isn't set
171	+ if ! use test ; then
172	+ sed \
173	+ -e '/^$config{dirs}/s@ "test",@@' \
174	+ -i Configure \|\| die
175	+ fi
176	+
177	+ # The config script does stupid stuff to prompt the user. Kill it.
178	+ sed -i '/stty -icanon min 0 time 50; read waste/d' config \|\| die
179	+ ./config --test-sanity \|\| die "I AM NOT SANE"
180	+
181	+ multilib_copy_sources
182	+}
183	+
184	+multilib_src_configure() {
185	+ unset APPS #197996
186	+ unset SCRIPTS #312551
187	+ unset CROSS_COMPILE #311473
188	+
189	+ tc-export AR CC CXX RANLIB RC
190	+
191	+ use_ssl() { usex $1 "enable-${2:-$1}" "no-${2:-$1}" " ${*:3}" ; }
192	+ echoit() { echo "$@" ; "$@" ; }
193	+
194	+ local krb5=$(has_version app-crypt/mit-krb5 && echo "MIT" \|\| echo "Heimdal")
195	+
196	+ local sslout=$(./gentoo.config)
197	+ einfo "Use configuration ${sslout:-(openssl knows best)}"
198	+ local config="Configure"
199	+ [[ -z ${sslout} ]] && config="config"
200	+
201	+ local myeconfargs=(
202	+ ${sslout}
203	+ $(use cpu_flags_x86_sse2 \|\| echo "no-sse2")
204	+ enable-camellia
205	+ enable-ec
206	+ enable-ec2m
207	+ enable-sm2
208	+ enable-srp
209	+ $(use elibc_musl && echo "no-async")
210	+ enable-idea
211	+ enable-mdc2
212	+ enable-rc5
213	+ $(use fips && echo "enable-fips")
214	+ $(use_ssl asm)
215	+ $(use_ssl ktls)
216	+ $(use_ssl rfc3779)
217	+ $(use_ssl sctp)
218	+ $(use_ssl tls-compression zlib)
219	+ $(use_ssl weak-ssl-ciphers)
220	+ --prefix="${EPREFIX}"/usr
221	+ --openssldir="${EPREFIX}"${SSL_CNF_DIR}
222	+ --libdir=$(get_libdir)
223	+ shared
224	+ threads
225	+ )
226	+
227	+ CFLAGS= LDFLAGS= echoit \
228	+ ./${config} \
229	+ "${myeconfargs[@]}" \
230	+ \|\| die
231	+
232	+ # Clean out hardcoded flags that openssl uses
233	+ local DEFAULT_CFLAGS=$(grep ^CFLAGS= Makefile \| LC_ALL=C sed \
234	+ -e 's:^CFLAGS=::' \
235	+ -e 's:\(^\\| \)-fomit-frame-pointer::g' \
236	+ -e 's:\(^\\| \)-O[^ ]*::g' \
237	+ -e 's:\(^\\| \)-march=[^ ]*::g' \
238	+ -e 's:\(^\\| \)-mcpu=[^ ]*::g' \
239	+ -e 's:\(^\\| \)-m[^ ]*::g' \
240	+ -e 's:^ *::' \
241	+ -e 's: *$::' \
242	+ -e 's: \+: :g' \
243	+ -e 's:\\:\\\\:g'
244	+ )
245	+
246	+ # Now insert clean default flags with user flags
247	+ sed -i \
248	+ -e "/^CFLAGS=/s\|=.*\|=${DEFAULT_CFLAGS} ${CFLAGS}\|" \
249	+ -e "/^LDFLAGS=/s\|=[[:space:]]*$\|=${LDFLAGS}\|" \
250	+ Makefile \
251	+ \|\| die
252	+}
253	+
254	+multilib_src_compile() {
255	+ # depend is needed to use $confopts; it also doesn't matter
256	+ # that it's -j1 as the code itself serializes subdirs
257	+ emake -j1 depend
258	+ emake all
259	+}
260	+
261	+multilib_src_test() {
262	+ emake -j1 test
263	+}
264	+
265	+multilib_src_install() {
266	+ # We need to create $ED/usr on our own to avoid a race condition #665130
267	+ if [[ ! -d "${ED}/usr" ]] ; then
268	+ # We can only create this directory once
269	+ mkdir "${ED}"/usr \|\| die
270	+ fi
271	+
272	+ emake DESTDIR="${D}" install
273	+
274	+ # This is crappy in that the static archives are still built even
275	+ # when USE=static-libs. But this is due to a failing in the openssl
276	+ # build system: the static archives are built as PIC all the time.
277	+ # Only way around this would be to manually configure+compile openssl
278	+ # twice; once with shared lib support enabled and once without.
279	+ if ! use static-libs ; then
280	+ rm "${ED}"/usr/$(get_libdir)/lib{crypto,ssl}.a \|\| die
281	+ fi
282	+}
283	+
284	+multilib_src_install_all() {
285	+ # openssl installs perl version of c_rehash by default, but
286	+ # we provide a shell version via app-misc/c_rehash
287	+ rm "${ED}"/usr/bin/c_rehash \|\| die
288	+
289	+ dodoc {AUTHORS,CHANGES,NEWS,README,README-PROVIDERS}.md doc/*.txt doc/${PN}-c-indent.el
290	+
291	+ # create the certs directory
292	+ keepdir ${SSL_CNF_DIR}/certs
293	+
294	+ # Namespace openssl programs to prevent conflicts with other man pages
295	+ cd "${ED}"/usr/share/man \|\| die
296	+ local m d s
297	+ for m in $(find . -type f \| xargs grep -L '#include') ; do
298	+ d=${m%/} ; d=${d#./} ; m=${m##/}
299	+
300	+ [[ ${m} == openssl.1* ]] && continue
301	+
302	+ [[ -n $(find -L ${d} -type l) ]] && die "erp, broken links already!"
303	+
304	+ mv ${d}/{,ssl-}${m} \|\| die
305	+
306	+ # fix up references to renamed man pages
307	+ sed -i '/^[.]SH "SEE ALSO"/,/^[.]/s:\([^(, ]*(1)\):ssl-\1:g' ${d}/ssl-${m} \|\| die
308	+ ln -s ssl-${m} ${d}/openssl-${m} \|\| die
309	+
310	+ # locate any symlinks that point to this man page ...
311	+ # we assume that any broken links are due to the above renaming
312	+ for s in $(find -L ${d} -type l) ; do
313	+ s=${s##*/}
314	+ rm -f ${d}/${s}
315	+ # We don't want to "\|\| die" here
316	+ ln -s ssl-${m} ${d}/ssl-${s}
317	+ ln -s ssl-${s} ${d}/openssl-${s}
318	+ done
319	+ done
320	+ [[ -n $(find -L ${d} -type l) ]] && die "broken manpage links found :("
321	+
322	+ dodir /etc/sandbox.d #254521
323	+ echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
324	+
325	+ diropts -m0700
326	+ keepdir ${SSL_CNF_DIR}/private
327	+}
328	+
329	+pkg_postinst() {
330	+ ebegin "Running 'c_rehash ${EROOT}${SSL_CNF_DIR}/certs/' to rebuild hashes #333069"
331	+ c_rehash "${EROOT}${SSL_CNF_DIR}/certs" >/dev/null
332	+ eend $?
333	+}

Gentoo Archives: gentoo-commits